Chapter 13. Configuring instance security

As a cloud administrator, you can configure the following security features for the instances that run on your cloud: TLS-protected connections to the VNC console of an instance, and emulated Trusted Platform Module (vTPM) devices for instances.

13.1. Securing connections to the VNC console of an instance

You can secure connections to the VNC console for an instance by configuring the allowed TLS ciphers and the minimum protocol version to enforce for incoming client connections to the VNC proxy service.

Procedure

  1. Log in to the undercloud as the stack user.
  2. Source the stackrc file:

    [stack@director ~]$ source ~/stackrc
  3. Open your Compute environment file.
  4. Configure the minimum protocol version to use for VNC console connections to instances:

    parameter_defaults:
      ...
      NovaVNCProxySSLMinimumVersion: <version>

    Replace <version> with the minimum SSL/TLS protocol version that the VNC proxy accepts from clients. Set to one of the following valid values:

    • default: Uses the underlying system OpenSSL defaults. The effective minimum is then whatever the host OpenSSL build and system-wide crypto policy permit, not a value you control from the environment file.
    • tlsv1_1: Use only if you have clients that do not support a later version.

      Note

      TLS 1.0 and TLS 1.1 are deprecated in RHEL 8, and not supported in RHEL 9.

    • tlsv1_2: Use if you want to configure the SSL/TLS ciphers to use for VNC console connections to instances.
    • tlsv1_3: Use if you want to use the standard cipher library for TLSv1.3. TLS 1.3 uses its own small set of cipher suites that the OpenSSL cipher-string syntax does not control, so the configuration of the NovaVNCProxySSLCiphers parameter is ignored.
  5. If you set the minimum allowed SSL/TLS protocol version to tlsv1_2, then configure the SSL/TLS ciphers to use for VNC console connections to instances:

    parameter_defaults:
      NovaVNCProxySSLCiphers: <ciphers>

    Replace <ciphers> with an OpenSSL cipher string: a colon-delimited list of the cipher suites to allow, using the suite names that the openssl ciphers command prints for the OpenSSL build on the nodes that run the VNC proxy service. A string that selects no cipher prevents the proxy from starting, so check it against openssl before you deploy.

  6. Add your Compute environment file to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
      -e [your environment files]  \
      -e /home/stack/templates/<compute_environment_file>.yaml
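The following is an added example, not code from the RHOSP documentation or from the nova project. It uses the OpenSSL build behind Python's ssl module to expand a candidate NovaVNCProxySSLCiphers string exactly as the proxy would, rejects strings OpenSSL cannot parse, flags suites without forward secrecy or AEAD protection, and then emits the parameter_defaults fragment used in steps 4 and 5. The cipher string, the weak-suite policy, and the function names are illustrative choices; only the two parameter names and their valid values come from the procedure above.

```python
import ssl

# Valid NovaVNCProxySSLMinimumVersion values from the procedure above.
VALID_MIN_VERSIONS = ("default", "tlsv1_1", "tlsv1_2", "tlsv1_3")

# Constructed cipher string for illustration: forward-secret AEAD suites only.
RECOMMENDED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)


def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and return
    the TLS 1.2 suite names it selects, in preference order.

    Raises ValueError when OpenSSL rejects the string, which is the failure
    the VNC proxy would otherwise hit when it starts with a bad list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"OpenSSL rejected {cipher_string!r}: {exc}") from exc
    # get_ciphers() also lists the TLS 1.3 suites, which the cipher string does
    # not control; keep only the suites the string actually governs.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_ciphers(names):
    """Return (name, reason) for every suite that lacks forward secrecy
    (no ECDHE/DHE key exchange) or is not an AEAD (GCM or CHACHA20-POLY1305)
    construction. The policy is an illustrative choice, not a requirement
    from the documentation."""
    findings = []
    for name in names:
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append((name, "no forward secrecy"))
        elif "GCM" not in name and "CHACHA20" not in name:
            findings.append((name, "not an AEAD suite"))
    return findings


def render_parameter_defaults(min_version, cipher_string=None):
    """Build the parameter_defaults fragment for the Compute environment file.

    NovaVNCProxySSLCiphers is emitted only for tlsv1_2: the proxy ignores it
    for tlsv1_3, and the procedure above does not set it for other values.
    """
    if min_version not in VALID_MIN_VERSIONS:
        raise ValueError(f"unsupported minimum version {min_version!r}")
    lines = ["parameter_defaults:",
             f"  NovaVNCProxySSLMinimumVersion: {min_version}"]
    if min_version == "tlsv1_2":
        if not cipher_string:
            raise ValueError("tlsv1_2 requires an explicit cipher list")
        weak = audit_ciphers(resolve_ciphers(cipher_string))
        if weak:
            raise ValueError(f"cipher list admits weak suites: {weak}")
        lines.append(f"  NovaVNCProxySSLCiphers: {cipher_string}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_parameter_defaults("tlsv1_2", RECOMMENDED_CIPHERS))
```

The expansion is only as good as the OpenSSL build that performs it. Running the same check on a node that hosts the VNC proxy, or comparing its output with `openssl ciphers -v '<ciphers>'` there, catches suite names that the undercloud's OpenSSL accepts but the overcloud's crypto policy has disabled.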

13.2. Configuring Compute nodes to provide emulated Trusted Platform Module (TPM) devices for instances

As a cloud administrator, you can provide cloud users the ability to create instances that have virtual Trusted Platform Module (vTPM) devices, emulated by the hypervisor.

To enable your cloud users to create instances that have vTPM devices, you must perform the following tasks:

  1. Enable support for instances with vTPM devices and deploy the overcloud.
  2. Create a flavor or image for launching instances with vTPM devices.

Prerequisites

Limitations of instances with vTPM devices

  • You cannot live migrate or evacuate instances that have vTPM devices.
  • You cannot rescue or shelve instances that have vTPM devices.
  • The instance must have the Q35 machine type.

13.2.1. Enabling support for instances with vTPM devices

To enable your cloud users to create instances that have vTPM devices, you must configure the overcloud to enable vTPM devices for instances.

Procedure

  1. Open your Compute environment file.
  2. Enable support for vTPM devices:

    parameter_defaults:
      ComputeParameters:
        ...
        NovaEnableVTPM: True
  3. Save the updates to your Compute environment file.
  4. Add your Compute environment file to the stack with your other environment files and deploy the overcloud:

    (undercloud)$ openstack overcloud deploy --templates \
     -e /home/stack/templates/overcloud-baremetal-deployed.yaml \
     -e /home/stack/templates/node-info.yaml \
     -e [your environment files] \
     -e /home/stack/templates/<compute_environment_file>.yaml

13.2.2. Creating an image for vTPM devices

When the overcloud is enabled to create instances that have vTPM devices, you can create a vTPM device instance image that your cloud users can use to launch instances that have vTPM devices.

Note

If both the flavor and the image specify a TPM device model and the two values do not match, scheduling fails.

Procedure

  1. Create a new image for vTPM devices:

    (overcloud)$ openstack image create ...  \
     --property hw_tpm_version=2.0 vtpm-image

    Note

    TPM version 1.2 is not supported.

  2. Optional: Specify the TPM model to use:

    (overcloud)$ openstack image set \
     --property hw_tpm_model=<tpm_model> \
     vtpm-image
    • Replace <tpm_model> with the model of TPM device to use. Set to one of the following valid values:

      • tpm-tis: (Default) TPM Interface Specification.
      • tpm-crb: Command-Response Buffer. Compatible only with TPM version 2.0.
    Note

    The Compute service ignores the configuration of the hw_tpm_model property if the hw_tpm_version property is not set.

Verification

  1. Create an instance by using the vTPM image:

    (overcloud)$ openstack server create --flavor m1.small \
     --image vtpm-image vtpm-instance
  2. Log in to the instance as a cloud user.
  3. To verify that the instance has access to a vTPM device, enter the following command from the instance and check that the guest kernel reports a TPM device. A TPM that the guest kernel has enumerated is also exposed as the device node /dev/tpm0:

    $ dmesg | grep -i tpm

13.2.3. Creating a flavor for vTPM devices

When the overcloud is enabled to create instances that have vTPM devices, you can create one or more vTPM device flavors that your cloud users can use to launch instances that have vTPM devices.

Note

A vTPM device flavor is necessary only when the hw_tpm_model and hw_tpm_version properties are not set on an image. If both the flavor and the image specify a TPM device model and the two values do not match, scheduling fails.

Procedure

  1. Create a flavor for vTPM devices:

    (overcloud)$ openstack flavor create --vcpus 1 --ram 512 --disk 2  \
     --property hw:tpm_version=2.0 \
     vtpm-flavor

    Note

    TPM version 1.2 is not supported.

  2. Optional: Specify the TPM model to use:

    (overcloud)$ openstack flavor set \
     --property hw:tpm_model=<tpm_model> \
     vtpm-flavor
    • Replace <tpm_model> with the model of TPM device to use. Set to one of the following valid values:

      • tpm-tis: (Default) TPM Interface Specification.
      • tpm-crb: Command-Response Buffer. Compatible only with TPM version 2.0.

        Note

        The Compute service ignores the configuration of the hw:tpm_model property if the hw:tpm_version property is not set.
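The following is an added example, not code from the RHOSP documentation or from the nova project. It applies the rules stated in the notes of this section and the previous one (flavor and image may each set the TPM properties, a model mismatch between them fails scheduling, a model without a version is ignored, tpm-tis is the default, tpm-crb requires version 2.0, version 1.2 is unsupported, and the instance needs the Q35 machine type) to a flavor's extra specs and an image's properties, and reports whether a boot request would schedule and which device it would get. Treating a version mismatch between flavor and image the same way as a model mismatch is an assumption made here, as is the use of the hw_machine_type image property as the only visible source of the machine type; the scenario data is constructed.

```python
# Added example: resolves the vTPM a request would get from the hw:tpm_*
# flavor extra specs and hw_tpm_* image properties, following the rules in
# the documentation above. Not nova's own scheduling code.

SUPPORTED_VERSIONS = {"2.0"}          # TPM version 1.2 is not supported
TPM_MODELS = {"tpm-tis", "tpm-crb"}
DEFAULT_MODEL = "tpm-tis"


class TPMConflict(Exception):
    """Flavor and image disagree: the request fails at scheduling."""


def _pick(flavor_val, image_val, what):
    """Either the flavor or the image may set a TPM property; if both set it
    and the values differ, the request fails. Applying this to the version
    as well as the model is an assumption of this example."""
    if flavor_val is not None and image_val is not None and flavor_val != image_val:
        raise TPMConflict(
            f"flavor sets {what}={flavor_val!r} but image sets {what}={image_val!r}")
    return flavor_val if flavor_val is not None else image_val


def resolve_vtpm(flavor_extra_specs, image_properties):
    """Return (version, model) for the vTPM the instance would receive, or
    None when no TPM is requested.

    flavor_extra_specs uses the hw:tpm_* keys and image_properties the
    hw_tpm_* keys, as passed to `openstack flavor set` / `openstack image set`.
    """
    version = _pick(flavor_extra_specs.get("hw:tpm_version"),
                    image_properties.get("hw_tpm_version"), "tpm_version")
    model = _pick(flavor_extra_specs.get("hw:tpm_model"),
                  image_properties.get("hw_tpm_model"), "tpm_model")

    if version is None:
        # Documented behaviour: a model without a version is ignored.
        return None
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"TPM version {version!r} is not supported")

    model = model or DEFAULT_MODEL
    if model not in TPM_MODELS:
        raise ValueError(f"unknown TPM model {model!r}")
    if model == "tpm-crb" and version != "2.0":
        raise ValueError("tpm-crb is compatible only with TPM version 2.0")

    # A vTPM instance must use the Q35 machine type. hw_machine_type is the
    # image property that selects it; when it is unset the host default
    # applies, which this offline check cannot see (assumption: unset passes).
    machine_type = image_properties.get("hw_machine_type")
    if machine_type is not None and "q35" not in machine_type:
        raise ValueError(
            f"vTPM requires the Q35 machine type, image requests {machine_type!r}")

    return version, model


# Constructed scenarios for illustration.
SCENARIOS = {
    "flavor only": ({"hw:tpm_version": "2.0"}, {}),
    "image sets crb": ({}, {"hw_tpm_version": "2.0", "hw_tpm_model": "tpm-crb"}),
    "model without version": ({}, {"hw_tpm_model": "tpm-crb"}),
    "model conflict": ({"hw:tpm_model": "tpm-tis"},
                       {"hw_tpm_version": "2.0", "hw_tpm_model": "tpm-crb"}),
    "unsupported version": ({"hw:tpm_version": "1.2"}, {}),
    "wrong machine type": ({"hw:tpm_version": "2.0"},
                           {"hw_machine_type": "pc-i440fx-rhel7.6.0"}),
}


def check_all():
    """Run every scenario and return a {name: outcome} map, where outcome is
    the (version, model) tuple, None, or the error text."""
    results = {}
    for name, (flavor, image) in SCENARIOS.items():
        try:
            results[name] = resolve_vtpm(flavor, image)
        except (TPMConflict, ValueError) as exc:
            results[name] = f"{type(exc).__name__}: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name:24} -> {outcome}")
```

Running the check against the flavor extra specs and image properties a cloud user intends to combine catches the conflict before the boot request is rejected by the scheduler, where the only visible symptom is a NoValidHost-style failure.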

Verification

  1. Create an instance by using the vTPM flavor:

    (overcloud)$ openstack server create --flavor vtpm-flavor \
     --image rhel-image vtpm-instance
  2. Log in to the instance as a cloud user.
  3. To verify that the instance has access to a vTPM device, enter the following command from the instance and check that the guest kernel reports a TPM device. A TPM that the guest kernel has enumerated is also exposed as the device node /dev/tpm0:

    $ dmesg | grep -i tpm