Chapter 2. Security enhancements

The following sections provide some suggestions to harden the security of your overcloud.

2.1. Using secure root user access

The overcloud image automatically contains hardened security for the root user. For example, each deployed overcloud node automatically disables direct SSH access to the root user. You can still access the root user on overcloud nodes. Each overcloud node has a tripleo-admin user account. This user account contains the undercloud public SSH key, which provides SSH access without a password from the undercloud to the overcloud node.

Prerequisites

  • You have an installed Red Hat OpenStack Platform director environment.
  • You are logged into the director as stack.

Procedure

  1. On the undercloud node, log in to an overcloud node through SSH as the tripleo-admin user.
  2. Switch to the root user with sudo -i.

2.2. Adding services to the overcloud firewall

When you deploy Red Hat OpenStack Platform, each core service is deployed with a default set of firewall rules on each overcloud node. You can use the ExtraFirewallRules parameter to create rules to open ports for additional services, or create rules to restrict services.

Each rule name becomes the comment for the respective iptables rule. Each rule name starts with a three-digit prefix to help Puppet order the rules in the final iptables file. The default Red Hat OpenStack Platform rules use prefixes in the 000 to 200 range. When you create rules for new services, prefix the name with a three-digit number higher than 200.

Procedure

  1. Use a string to define each rule name under the ExtraFirewallRules parameter. You can use the following parameters under the rule name to define the rule:

    • dport: The destination port associated with the rule.
    • proto: The protocol associated with the rule. Defaults to tcp.
    • action: The action policy associated with the rule. Defaults to accept.
    • source: The source IP address associated with the rule.

      The following example shows how to use rules to open additional ports for custom applications:

      cat > ~/templates/firewall.yaml <<EOF
      parameter_defaults:
        ExtraFirewallRules:
          '300 allow custom application 1':
            dport: 999
            proto: udp
          '301 allow custom application 2':
            dport: 8081
            proto: tcp
      EOF
      Note

      When you do not set the action parameter, the result is accept. You can only set the action parameter to drop, insert, or append.

  2. Include the ~/templates/firewall.yaml file in the openstack overcloud deploy command. Include all templates that are necessary for your deployment:

    openstack overcloud deploy --templates \
    ...
    -e /home/stack/templates/firewall.yaml \
    ....

2.3. Removing services from the overcloud firewall

You can use rules to restrict services. The number that you use in the rule name determines where in iptables the rule will be inserted. The following procedure shows how to restrict the rabbitmq service to the InternalAPI network.

Procedure

  1. On a Controller node, find the number of the default iptables rule for rabbitmq:

    [tripleo-admin@overcloud-controller-2 ~]$ sudo iptables -L | grep rabbitmq
    ACCEPT     tcp  --  anywhere             anywhere             multiport dports vtr-emulator,epmd,amqp,25672,25673:25683 state NEW /* 109 rabbitmq-bundle ipv4 */
  2. In an environment file under parameter_defaults, use the ExtraFirewallRules parameter to restrict rabbitmq to the InternalApi network. The rule is given a lower number than the default rabbitmq rule number of 109, so that it is evaluated before the default rule:

    cat > ~/templates/firewall.yaml <<EOF
    parameter_defaults:
      ExtraFirewallRules:
        '098 allow rabbit from internalapi network':
          dport:
          - 4369
          - 5672
          - 25672
          proto: tcp
          source: 10.0.0.0/24
        '099 drop other rabbit access':
          dport:
          - 4369
          - 5672
          - 25672
          proto: tcp
          action: drop
    EOF
    Note

    When you do not set the action parameter, the result is accept. You can only set the action parameter to drop, insert, or append.

  3. Include the ~/templates/firewall.yaml file in the openstack overcloud deploy command. Include all templates that are necessary for your deployment:

    openstack overcloud deploy --templates \
    ...
    -e /home/stack/templates/firewall.yaml \
    ....
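The ordering described in sections 2.2 and 2.3 (rules sorted by their three-digit prefix, first match wins, so a 098/099 pair pre-empts the default 109 rabbitmq rule) can be checked before a deployment. The following Python script is an added worked example, not code from the Red Hat documentation or from tripleo/Puppet: the rule dicts are constructed copies of the two firewall.yaml files above, the "109 rabbitmq-bundle ipv4" entry is a stand-in for the default rule read with iptables -L, and the prefix heuristic in validate_rule (a plain accept rule in the 000-200 range is flagged as mis-numbered) is this example's own choice.

```python
"""Validate and order ExtraFirewallRules entries offline.

Added example for sections 2.2 and 2.3; not code from the Red Hat
documentation or from tripleo/Puppet. The rule dicts are constructed copies
of the YAML in those sections, and the default rabbitmq rule is a stand-in
for the number-109 rule read with 'iptables -L'. The ordering model (rules
sorted by three-digit prefix, first match wins) follows the text; the
prefix heuristic in validate_rule is this example's own.
"""
import ipaddress
import re

VALID_ACTIONS = {"accept", "drop", "insert", "append"}  # from the Note in the text
NAME_RE = re.compile(r"^\d{3} \S")

# Constructed stand-in for the default rule shown by 'iptables -L | grep rabbitmq'.
DEFAULT_RULES = {
    "109 rabbitmq-bundle ipv4": {"dport": [4369, 5672, 25672], "proto": "tcp"},
}

# Constructed copy of the rules from the two firewall.yaml files in the text.
EXTRA_RULES = {
    "098 allow rabbit from internalapi network": {
        "dport": [4369, 5672, 25672], "proto": "tcp", "source": "10.0.0.0/24"},
    "099 drop other rabbit access": {
        "dport": [4369, 5672, 25672], "proto": "tcp", "action": "drop"},
    "300 allow custom application 1": {"dport": 999, "proto": "udp"},
    "301 allow custom application 2": {"dport": 8081, "proto": "tcp"},
}


def _ports(rule):
    """Normalise dport (int or list of ints) to a list."""
    ports = rule.get("dport")
    return ports if isinstance(ports, list) else [ports]


def validate_rule(name, rule):
    """Return a list of problems with one rule; an empty list means it is acceptable."""
    if not NAME_RE.match(name):
        return [f"{name!r}: rule name must start with a three-digit prefix"]
    problems = []
    prefix = int(name[:3])
    action = rule.get("action", "accept")
    if action not in VALID_ACTIONS:
        problems.append(f"{name!r}: action {action!r} must be one of {sorted(VALID_ACTIONS)}")
    if any(not isinstance(p, int) or not 0 < p < 65536 for p in _ports(rule)):
        problems.append(f"{name!r}: dport must be a port number or a list of port numbers")
    # Heuristic of this example: 000-200 belongs to the default rules. A rule there
    # is only expected when it deliberately pre-empts a default (drop, or accept
    # narrowed by source); a plain "open this port" rule belongs above 200.
    restricts = action == "drop" or "source" in rule
    if prefix <= 200 and not restricts:
        problems.append(f"{name!r}: rules that open ports for new services need a prefix above 200")
    return problems


def ordered_rules(*rule_sets):
    """Merge rule sets and sort them by prefix, the order Puppet writes them in."""
    merged = {}
    for rules in rule_sets:
        merged.update(rules)
    return sorted(merged.items(), key=lambda item: item[0][:3])


def first_match(proto, dport, source_ip, *rule_sets):
    """Return (rule name, verdict) for the first rule a packet hits, or None.

    First-match semantics as in an iptables chain. Only 'drop' yields DROP;
    the other documented actions are treated as accepting here (assumption).
    """
    addr = ipaddress.ip_address(source_ip)
    for name, rule in ordered_rules(*rule_sets):
        if rule.get("proto", "tcp") != proto or dport not in _ports(rule):
            continue
        if addr not in ipaddress.ip_network(rule.get("source", "0.0.0.0/0")):
            continue
        return name, "DROP" if rule.get("action", "accept") == "drop" else "ACCEPT"
    return None


if __name__ == "__main__":
    for name, rule in EXTRA_RULES.items():
        for problem in validate_rule(name, rule):
            print("WARNING", problem)
    for name, rule in ordered_rules(EXTRA_RULES, DEFAULT_RULES):
        print(name, rule)
    for src in ("10.0.0.5", "192.168.1.5"):
        print(src, "-> 5672/tcp:", first_match("tcp", 5672, src, EXTRA_RULES, DEFAULT_RULES))
```

Running the script shows the merged chain in prefix order and that a connection to 5672/tcp from 10.0.0.5 hits "098 allow rabbit from internalapi network" while one from 192.168.1.5 hits "099 drop other rabbit access"; remove the two extra rules and the same packet falls through to the default 109 accept, which is the exposure the procedure closes.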

2.4. Changing the Simple Network Management Protocol (SNMP) strings

Director provides a default read-only SNMP configuration for your overcloud. It is advisable to change the SNMP strings to mitigate the risk of unauthorized users learning about your network devices.

Note

When you configure the ExtraConfig interface with a string parameter, you must use the following syntax to ensure that heat and Hiera do not interpret the string as a Boolean value: '"<VALUE>"'.

Set the following hieradata using the ExtraConfig hook in an environment file for your overcloud:

SNMP traditional access control settings

snmp::ro_community
  IPv4 read-only SNMP community string. The default value is public.
snmp::ro_community6
  IPv6 read-only SNMP community string. The default value is public.
snmp::ro_network
  Network that is allowed to RO query the daemon. This value can be a string or an array. The default value is 127.0.0.1.
snmp::ro_network6
  Network that is allowed to RO query the daemon with IPv6. This value can be a string or an array. The default value is ::1/128.
tripleo::profile::base::snmp::snmpd_config
  Array of lines to add to the snmpd.conf file as a safety valve. The default value is []. See the SNMP Configuration File web page for all available options.

For example:

parameter_defaults:
  ExtraConfig:
    snmp::ro_community: mysecurestring
    snmp::ro_community6: myv6securestring

This changes the read-only SNMP community string on all nodes.

SNMP view-based access control settings (VACM)

snmp::com2sec
An array of VACM com2sec mappings. Must provide SECNAME, SOURCE and COMMUNITY.
snmp::com2sec6
An array of VACM com2sec6 mappings. Must provide SECNAME, SOURCE and COMMUNITY.

For example:

parameter_defaults:
  ExtraConfig:
    snmp::com2sec: ["notConfigUser default mysecurestring"]
    snmp::com2sec6: ["notConfigUser default myv6securestring"]

This changes the read-only SNMP community string on all nodes.

For more information, see the snmpd.conf man page.
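The Note above requires scalar string values passed through ExtraConfig to be written as '"<VALUE>"' so that heat and Hiera keep them as strings. The following Python script is an added example, not code from the Red Hat documentation, tripleo or puppet-snmp: it renders the ExtraConfig fragment from section 2.4 with that quoting applied, builds com2sec mappings in the SECNAME SOURCE COMMUNITY form, flags community strings left at the default public, and shows which bare values a YAML 1.1 parser would otherwise turn into booleans, nulls or numbers. The YAML 1.1 word lists and the number pattern are a simplified, deliberately over-cautious approximation written for this example.

```python
"""Render and check the SNMP hieradata from section 2.4.

Added example; not code from the Red Hat documentation, tripleo or
puppet-snmp. It writes the ExtraConfig fragment as plain text (no PyYAML)
and applies the quoting rule from the Note: scalar string values are
written as '"<VALUE>"'. The YAML 1.1 scalar rules used to explain why
are a simplified, deliberately over-cautious approximation.
"""
import re

# YAML 1.1 boolean and null words (PyYAML in heat, Psych in Hiera); compared
# case-insensitively, which is stricter than the spec and therefore safe.
YAML11_BOOLS = {"y", "yes", "n", "no", "true", "false", "on", "off"}
YAML11_NULLS = {"", "~", "null"}
NUMBER_RE = re.compile(r"^[-+]?(\d+|\d*\.\d+)$")
COMMUNITY_KEYS = ("snmp::ro_community", "snmp::ro_community6", "snmp::com2sec", "snmp::com2sec6")
DEFAULT_COMMUNITY = "public"  # the default named in the text


def would_be_misread(value):
    """True when the bare value would be parsed as a bool, null or number."""
    v = value.strip()
    return v.lower() in YAML11_BOOLS or v.lower() in YAML11_NULLS or bool(NUMBER_RE.match(v))


def hiera_string(value):
    """Apply the documented '"<VALUE>"' form for scalar string parameters."""
    if '"' in value or "'" in value:
        raise ValueError("quote characters in the value would break the quoted form")
    return "'\"" + value + "\"'"


def com2sec_entry(secname, source, community):
    """Build one VACM com2sec mapping: SECNAME SOURCE COMMUNITY."""
    for field in (secname, source, community):
        if not field or any(ch.isspace() for ch in field):
            raise ValueError("com2sec fields must be non-empty and free of whitespace")
    return f"{secname} {source} {community}"


def render_extraconfig(settings):
    """Render parameter_defaults/ExtraConfig; scalars quoted, arrays as flow lists."""
    lines = ["parameter_defaults:", "  ExtraConfig:"]
    for key, value in settings.items():
        if isinstance(value, list):
            if any('"' in v for v in value):
                raise ValueError("double quotes inside array entries are not supported here")
            lines.append(f"    {key}: [" + ", ".join('"%s"' % v for v in value) + "]")
        else:
            lines.append(f"    {key}: {hiera_string(value)}")
    return "\n".join(lines) + "\n"


def audit_communities(settings):
    """Warn about community strings left at the default 'public'."""
    warnings = []
    for key in COMMUNITY_KEYS:
        values = settings.get(key, [])
        for v in values if isinstance(values, list) else [values]:
            # com2sec entries carry the community as their last field.
            community = v.split()[-1] if key.startswith("snmp::com2sec") else v
            if community == DEFAULT_COMMUNITY:
                warnings.append(f"{key}: still uses the default community {DEFAULT_COMMUNITY!r}")
    return warnings


if __name__ == "__main__":
    # Constructed values mirroring the two examples in the text.
    settings = {
        "snmp::ro_community": "mysecurestring",
        "snmp::ro_community6": "myv6securestring",
        "snmp::ro_network": "10.0.0.0/24",
        "snmp::com2sec": [com2sec_entry("notConfigUser", "default", "mysecurestring")],
    }
    print(render_extraconfig(settings), end="")
    for w in audit_communities({"snmp::ro_community": DEFAULT_COMMUNITY}):
        print("WARNING", w)
    for sample in ("on", "123", "mysecurestring"):
        print(f"{sample!r}: {'misread' if would_be_misread(sample) else 'safe'} without quoting")
```

The quoting is applied to every scalar, as the Note requires, rather than only to values that would_be_misread flags; that function exists to show what is at stake, for example a community string of on or 123 silently becoming a boolean or an integer in Hiera.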

2.5. Using the Open vSwitch firewall

You can configure security groups to use the Open vSwitch (OVS) firewall driver in Red Hat OpenStack Platform director. Use the NeutronOVSFirewallDriver parameter to specify the firewall driver that you want to use:

  • iptables_hybrid - Configures the Networking service (neutron) to use the iptables/hybrid based implementation.
  • openvswitch - Configures the Networking service to use the OVS firewall flow-based driver.

The openvswitch firewall driver includes higher performance and reduces the number of interfaces and bridges used to connect guests to the project network.

Important

Multicast traffic is handled differently by the Open vSwitch (OVS) firewall driver than by the iptables firewall driver. With iptables, by default, VRRP traffic is denied, and you must enable VRRP in the security group rules for any VRRP traffic to reach an endpoint. With OVS, all ports share the same OpenFlow context, and multicast traffic cannot be processed individually per port. Because security groups do not apply to all ports (for example, the ports on a router), OVS uses the NORMAL action and forwards multicast traffic to all ports as specified by RFC 4541.

Note

The iptables_hybrid option is not compatible with OVS-DPDK. The openvswitch option is not compatible with OVS Hardware Offload.

Configure the NeutronOVSFirewallDriver parameter in the network-environment.yaml file:

NeutronOVSFirewallDriver: openvswitch

  • NeutronOVSFirewallDriver: Configures the name of the firewall driver that you want to use when you implement security groups. Possible values depend on your system configuration. Some examples are noop, openvswitch, and iptables_hybrid. The default value of an empty string results in a supported configuration.