Block Storage
OpenStack Block Storage (cinder) is a service that provides software (services and libraries) for self-service management of persistent block-level storage devices. This gives on-demand access to Block Storage resources for use with OpenStack Compute (nova) instances, and it creates software-defined storage by abstracting and virtualizing pools of block storage across a variety of back-end storage devices, which can be either software implementations or traditional hardware storage products. Its primary functions are to manage the creation, attaching and detaching of block devices. The consumer requires no knowledge of the type of back-end storage equipment or where it is located.
Compute instances store and retrieve block storage via industry-standard storage protocols such as iSCSI, ATA over Ethernet, or Fibre Channel. These resources are managed and configured via the OpenStack native HTTP RESTful API. For more details on the API, see the OpenStack Block Storage documentation.
- Volume Wiping
- Checklist
  - Check-Block-01: Is user/group ownership of config files set to root/cinder?
  - Check-Block-02: Are strict permissions set for configuration files?
  - Check-Block-03: Is keystone used for authentication?
  - Check-Block-04: Is TLS enabled for authentication?
  - Check-Block-05: Does cinder communicate with nova over TLS?
  - Check-Block-06: Does cinder communicate with glance over TLS?
  - Check-Block-07: Is NAS operating in a secure environment?
  - Check-Block-08: Is the maximum size for the body of a request set to the default (114688)?
  - Check-Block-09: Is the volume encryption feature enabled?
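As an added example (not code from the OpenStack Security Guide or from cinder itself), the following Python audits Check-Block-01, -02 and -08 from the checklist above: it reports a configuration file whose owner is not root, whose group is not cinder, or whose mode carries any bit beyond an assumed 0640 baseline, and it flags a cinder.conf whose `[oslo_middleware] max_request_body_size` (the oslo.middleware option name, assumed here) has been changed from the default 114688. The sample configuration fragment is constructed for the example.

```python
import configparser
import grp
import os
import pwd
import stat

# Check-Block-08 on the page: the default request body limit, in bytes.
DEFAULT_MAX_REQUEST_BODY_SIZE = 114688


def _name_or_id(lookup, numeric_id):
    try:
        return lookup(numeric_id)
    except KeyError:  # uid/gid with no passwd/group entry, e.g. inside a container
        return str(numeric_id)


def file_identity(path):
    """Return (owner, group, permission bits) of a file, as the checks see them."""
    st = os.stat(path)
    owner = _name_or_id(lambda uid: pwd.getpwuid(uid).pw_name, st.st_uid)
    group = _name_or_id(lambda gid: grp.getgrgid(gid).gr_name, st.st_gid)
    return owner, group, stat.S_IMODE(st.st_mode)


def audit_file_ownership(path, expected_user="root", expected_group="cinder", max_mode=0o640):
    """Check-Block-01/02 for one file; returns a list of findings (empty means it passes)."""
    owner, group, mode = file_identity(path)  # max_mode 0640 is this example's assumed baseline
    findings = []
    if owner != expected_user:
        findings.append(f"{path}: owner {owner}, expected {expected_user}")
    if group != expected_group:
        findings.append(f"{path}: group {group}, expected {expected_group}")
    if mode & ~max_mode:  # any bit outside the baseline (e.g. o+r in 0644) is a finding
        findings.append(f"{path}: mode {mode:04o}, expected {max_mode:04o} or stricter")
    return findings


def audit_request_body_limit(conf_text):
    """Check-Block-08: [oslo_middleware] max_request_body_size absent (default) or 114688."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("oslo_middleware", "max_request_body_size", fallback=None)
    if raw is None or raw.strip() == str(DEFAULT_MAX_REQUEST_BODY_SIZE):
        return []
    return [f"max_request_body_size is {raw.strip()}, expected {DEFAULT_MAX_REQUEST_BODY_SIZE}"]


# Constructed sample: a cinder.conf fragment with the body limit raised far above the default.
SAMPLE_CONF = "[DEFAULT]\nauth_strategy = keystone\n\n[oslo_middleware]\nmax_request_body_size = 1073741824\n"
```

Run `audit_file_ownership` over each file under the cinder configuration directory and `audit_request_body_limit` over the contents of cinder.conf; an empty list from either means the check passes.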
Note
Whilst this chapter is currently sparse on specific guidance, it is expected that standard hardening practices will be followed. This section will be expanded with relevant information.