Home » Security hardening for OpenStack-Ansible

Getting started

The openstack-ansible-security role can be used along with the OpenStack-Ansible project or as a standalone role that can be used along with other Ansible playbooks.

Using with OpenStack-Ansible

Starting with the Mitaka release, OpenStack-Ansible installs the openstack-ansible-security role automatically. It’s disabled by default for deployments and can be enabled with an Ansible variable:

apply_security_hardening: true

If the variable is set, the security hardening configurations will be applied automatically on new builds that use the scripts/run_playbooks.sh script provided with OpenStack-Ansible. However, the role can be applied anytime by using the playbook provided with OpenStack-Ansible:

cd /opt/openstack-ansible/playbooks/
openstack-ansible -e "apply_security_hardening=true" security-hardening.yml

For more information, refer to the OpenStack-Ansible documentation on configuring security hardening.

Using as a standalone role

There are several options for using openstack-ansible-security as a standalone role or along with another existing project. Here are two fairly easy methods:

• Add openstack-ansible-security as a git submodule in the roles directory of an existing Ansible project
• Clone the role into /etc/ansible/roles/ on any system and write a custom playbook and hosts inventory file

The playbook for openstack-ansible-security can be fairly simple, depending on the configuration of the systems:

---

- name: Run openstack-ansible-security
  hosts: webservers
  user: root
  roles:
    - openstack-ansible-security

This playbook will run the tasks in the openstack-ansible-security role against all hosts in the webservers group (as defined in an inventory file).