How to design OpenStack for Security

Hello, My friends who visit to my blog.

 

How have you been these days? In my case, I have been working OpenStack project nowadays. so I am very busy and tired now. Actually, I wanted to post in English on my blog continue. but I have to had solving the virous problems everyday and everytime. so I didn't have any time for posting in English on my blog.

 

Today, I will share about how to design OpenStack for security before I forget that I get my OpenStack experiance. 

I visited openstack.org site for checking OpenStack deployment methods. and I discoverd OpenStack architecture is changed. Now OpenStack is not using only virtual machines. We can use various resources like bare metal, virtual machines and containers.

What is OpenStack?

So how can we use our cloud resources more security? Openstack use REST API for using cloud resources. So it have http or https uri. Https is hypertext transfer protocol over secure. So https encrypted session data through ssl or tls protocol. ssl is secure socket layer. It needs certificate and secure key like below diagram.

 

Most OpenStack environment configured in data center. so it need many servers and there are many servers. Therefore we need to manage a lot of server's secure key and certification. How can we manage these keys and certifications?

 

Red Hat Openstack 13 can install ssl/tls using IDM server. IDM Server provides to manage users, domains, certificates and servers. For using ssl/tls with IDM Server, it needs domain of all Openstack  networks like below architecture.

Everywhere SSL/TLS with IDM Server

It has installed openstack packages in the director nodes. The packages are for installing openstack to other baremetal nodes. Let's see the process. 1. First, the director node registered domain to the IDM server. 2. And director will install controller and compute nodes with IDM server. 3. IDM server will check domain of overcloud's nodes and give the certificate to overcloud nodes.

 

If it finish to install openstack by director node, its system architecture is like below.

Nowadays OpenStack System Architecture

IDM server has apache httpd, ntp, dns, kerberos KDC, certmonger and SSSD(System Security Service Daemon)

Theses services provides features about manage overcloud nodes, domains, certificates and etc.

Director has openstack packages for overcloud(openstack for service) and docker. Because Openstack 13 version(queens) changed overcloud components. Previous openstack was installed only packages. Nowadays openstack main services are working in docker container.

If it install OpenStack with everywhere SSL/TLS, users can access by https based external network only. And each services can communicate with SSL/TLS only. The resources of OpenStack must certify by Keystone. If the certification is succesful, users can use OpenStack services. Also all networks of OpenStack isolated by network purpose. so If we design like below network, this OpenStack services will be secure. 

How to connect OpenStack Resources

How is this posting? If you have any opinion, please let me know it.

If I have free time, I will post about docker containers of openstack.