Security hardening¶
OpenStack Compute can be integrated with various third-party technologies to increase security. For more information, see the OpenStack Security Guide.
Encrypt Compute metadata traffic¶
Enabling SSL encryption
OpenStack supports encrypting Compute metadata traffic with HTTPS. Enable SSL
encryption in the metadata_agent.ini
file.
Enable the HTTPS protocol.
nova_metadata_protocol = https
Determine whether insecure SSL connections are accepted for Compute metadata server requests. The default value is
False
.nova_metadata_insecure = False
Specify the path to the client certificate.
nova_client_cert = PATH_TO_CERT
Specify the path to the private key.
nova_client_priv_key = PATH_TO_KEY
Securing live migration streams with QEMU-native TLS¶
It is strongly recommended to secure all the different live migration streams of a nova instance—i.e. guest RAM, device state, and disks (via NBD) when using non-shared storage. For further details on how to set this up, refer to the Secure live migration with QEMU-native TLS document.
Mitigation for MDS (Microarchitectural Data Sampling) security flaws¶
It is strongly recommended to patch all compute nodes and nova instances against the processor-related security flaws, such as MDS (and other previous vulnerabilities). For details on applying mitigation for the MDS flaws, refer to Mitigation for MDS (“Microarchitectural Data Sampling”) Security Flaws.