Red Hat Training
A Red Hat training course is available for Red Hat OpenStack Platform
Chapter 8. Managing Policies
Policies are used to manage your virtual environment. There are two types of policies available: compliance and control. Compliance policies are used to harden your virtual infrastructure, making sure that your security requirements are adhered to. Control policies are used to check for a specific condition and perform an action based on the outcome. For example:
- Prevent virtual machines from running without an administrator account.
- Prevent virtual machines from starting if certain patches are not applied.
- Configure the behavior of a production virtual machine to only start if it is running on a production host.
- Force a SmartState Analysis when a host is added or removed from a cluster.
CloudForms policies are associated with cloud instances using virtual machine analysis profiles. These are the steps required to create a custom virtual machine analysis profile, and assigning it to a cloud instance for use with SmartState analysis, via a control policy.
For more detailed information about CloudForms policies, see Assigning a Custom Analysis Profile to a Virtual Machine and Policies and Profiles Guide.
The following subsections demonstrate how to create host compliance and instance control policies.
8.1. Creating a Host Compliance Policy
The following procedure describes how to create a compliance policy that checks whether firewalls are enabled on infrastructure provider nodes. Nodes with disabled firewalls are marked non-compliant.
- Navigate to → .
- Expand the Policies accordion, and click Compliance Policies.
- Select Host Compliance Policies.
-
Click
(Configuration),
(Add a New Host/Node Compliance Policy).
Type in a Description for the policy.
- Uncheck Active if you do not want this policy processed even when assigned to a resource.
Add Host / Node.Firewall Rules : Active CONTAINS "true" to the scope of the policy . To do so:
- In drop-down below the Scope section, choose Field. When you do, a new drop-down will appear below it; from there, select Host/Node.Firewall.Rules: Active.
- A new drop-down will appear; from there, select true.
-
Click
(Commit expression element changes) to add the scope.
- In the Notes area, add a detailed explanation of the policy.
- Click Add. The policy will be added and listed under Host Compliance Policies in the Policies accordion.
Next, create a policy profile and assign this new compliance policy to it:
- Navigate to → .
-
Click on the Policy Profiles accordion, then click
(Configuration), then
(Add a New Policy Profile).
In the Basic Information area, type in a unique description for the policy profile.
From Available Policies in the Policy Selection area select all the policies you need to apply to this policy profile. Use the
Ctrlkey to select multiple policies.
Click
to add the Policies.
- Add to the Notes area if required.
- Click Add.
At this point, you can now add the new policy profile to the infrastructure provider hosts:
- Navigate to → → , verify the provider you need to assign the policy profiles to.
-
Click
(Policy), and then click
(Manage Policies).
- From the Select Policy Profiles area, you can click on the triangle next to a desired policy profile to expand it and see its member policies.
- Check the policy profiles you require to apply to the provider. It turns blue to show its assignment state has changed.
- Click Save.
8.2. Creating a Virtual Machine Control Policy
The process of creating a control policy is similar to that of a compliance policy. A control policy is driven by events after certain conditions are met. The following control policy will start a SmartState analysis on an instance every 24 hours:
- Navigate to → .
- Expand the Policies accordion, and click Control Policies.
- Select Vm Control Policies.
-
Click
(Configuration), then
(Add a New VM and Instance Control Policy).
- Enter a Description. This will be the name given to your VM control policy.
- Uncheck Active if you do not want this policy processed even when assigned to a resource.
Add VM and Instance : Last Analysis Time IS "Yesterday" to the scope of the policy. To do so:
- In drop-down below the Scope section, choose Field. When you do, a new drop-down will appear below it; from there, select VM and Instance : Last Analysis Time.
- A new drop-down will appear; from there, select true.
-
Click
(Commit expression element changes) to add the scope.
- Click Add. The policy is added and listed under Vm Control Policies in the Policies accordion.
You can now associate events, conditions, and actions to this control policy. To do so:
- Navigate to → .
- Click the Policies accordion, and select the control policy you just created.
-
Click
(Configuration),
(Edit this Policy’s Condition assignments).
- In the VM Operation section, select VM Power On.
- Click Save. The VM Power On event should appear under your policy.
You can now associate an action to the VM Power On event. To do so:
- Select the VM Power On event.
-
Click
(Configuration), then
(Edit Actions for this Policy Event).
- In the Order of Actions if ALL Conditions are True section, select Generate Log Message and Initiate SmartState Analysis for VM.
- Click Save.
Next, create a policy profile and assign this new control policy to it:
- Navigate to → .
-
Click on the Policy Profiles accordion, then click
(Configuration), then
(Add a New Policy Profile).
-
Enter
Most Recent SmartStatein the Description field. - In the Policy Selection area, choose the control policy you created earlier. This should have VM and Instance Control in its name. Add this policy to the Profile Policies box.
- Click Add.
At this point, you should now be able to add the policy profile to the cloud providers.
- Navigate to → → .
- Select the overcloud you added in Chapter 5, Adding an OpenStack Cloud Provider.
-
Click
(Policy), then
(Manage Policies).
- Under Select Policy Profiles, select Most Recent SmartState.
- Click Save.
