
Getting started

The openstack-ansible-security role can be used with the OpenStack-Ansible project or as a standalone role alongside other Ansible playbooks.

Using with OpenStack-Ansible

Starting with the Mitaka release, OpenStack-Ansible installs the openstack-ansible-security role automatically. The role is disabled by default for deployments and can be enabled with an Ansible variable:

apply_security_hardening: true

When the variable is set to true, the security hardening configurations are applied automatically on new builds that use the scripts/run_playbooks.sh script provided with OpenStack-Ansible. The role can also be applied at any time by running the playbook provided with OpenStack-Ansible:

cd /opt/openstack-ansible/playbooks/
openstack-ansible -e "apply_security_hardening=true" security-hardening.yml

For more information, refer to the OpenStack-Ansible documentation on configuring security hardening.

Using as a standalone role

There are several options for using openstack-ansible-security as a standalone role or along with another existing project. Here are two fairly easy methods:

  • Add openstack-ansible-security as a git submodule in the roles directory of an existing Ansible project
  • Clone the role into /etc/ansible/roles/ on any system and write a custom playbook and hosts inventory file

The playbook for openstack-ansible-security can be fairly simple, depending on the configuration of the systems:

---

- name: Run openstack-ansible-security
  hosts: webservers
  user: root
  roles:
    - openstack-ansible-security

This playbook will run the tasks in the openstack-ansible-security role against all hosts in the webservers group (as defined in an inventory file).
