Security

OpenStack services support various security methods including password, policy, and encryption. Additionally, supporting services including the database server and message broker support password security.

To ease the installation process, this guide only covers password security where applicable. You can create secure passwords manually, but the database connection string in a service's configuration file cannot accept special characters like “@”. We recommend you generate them using a tool such as pwgen, or by running the following command:

$ openssl rand -hex 10

For OpenStack services, this guide uses ``SERVICE_PASS`` to reference service account passwords and ``SERVICE_DBPASS`` to reference database passwords.

The following table provides a list of services that require passwords and their associated references in the guide.

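Passwords

====================================  ===============================================
Password name                         Description
====================================  ===============================================
Database password (no variable used)  Root password for the database
ADMIN_PASS                            Password of user admin
CINDER_DBPASS                         Database password for the Block Storage service
CINDER_PASS                           Password of Block Storage service user cinder
DASH_DBPASS                           Database password for the Dashboard
DEMO_PASS                             Password of user demo
GLANCE_DBPASS                         Database password for Image service
GLANCE_PASS                           Password of Image service user glance
KEYSTONE_DBPASS                       Database password of Identity service
METADATA_SECRET                       Secret for the metadata proxy
NEUTRON_DBPASS                        Database password for the Networking service
NEUTRON_PASS                          Password of Networking service user neutron
NOVA_DBPASS                           Database password for Compute service
NOVA_PASS                             Password of Compute service user ``nova``
PLACEMENT_PASS                        Password of the Placement service user placement
RABBIT_PASS                           Password of RabbitMQ user guest
====================================  ===============================================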
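
The generation command and the password table above, combined in an added example (not part of the original guide): it produces one hex value per variable in the table, checks that each is safe to embed in a database connection string, and writes them to an owner-only file. The function names, the output file argument, and the /dev/urandom fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example. Names come from the guide's password table; the database
# root password has no variable there, so it is not generated here.
PASSWORD_NAMES="ADMIN_PASS CINDER_DBPASS CINDER_PASS DASH_DBPASS DEMO_PASS
GLANCE_DBPASS GLANCE_PASS KEYSTONE_DBPASS METADATA_SECRET NEUTRON_DBPASS
NEUTRON_PASS NOVA_DBPASS NOVA_PASS PLACEMENT_PASS RABBIT_PASS"

# 10 random bytes as 20 hex characters: the command the guide recommends,
# with /dev/urandom as a fallback (assumption) when openssl is not installed.
gen_pass() {
    openssl rand -hex 10 2>/dev/null ||
        od -An -N10 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeeds only for non-empty lowercase hex, so the value holds no "@", ":"
# or "/" that a database connection string would misparse.
is_url_safe() {
    case "$1" in
        ''|*[!0123456789abcdef]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write NAME=value lines to the file given as $1, readable by the owner only.
write_passwords() {
    out=$1
    ( umask 077; : > "$out" ) || return 1
    chmod 600 "$out" || return 1   # also covers a file that already existed
    for name in $PASSWORD_NAMES; do
        value=$(gen_pass) || return 1
        is_url_safe "$value" || return 1
        printf '%s=%s\n' "$name" "$value" >> "$out"
    done
}

# Run as: sh gen-passwords.sh ./openstack-passwords.env
# (script and file names are assumptions of this example)
if [ "$#" -gt 0 ]; then
    write_passwords "$1"
fi
```

Keep the resulting file out of version control and delete it once the values have been entered into the service configuration files.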

OpenStack and supporting services require administrative privileges during installation and operation. In some cases, services perform modifications to the host that can interfere with deployment automation tools such as Ansible, Chef, and Puppet. For example, some OpenStack services add a root wrapper to sudo that can interfere with security policies. See the OpenStack Administrator Guide for more information.

The Networking service assumes default values for kernel network parameters and modifies firewall rules. To avoid most issues during your initial installation, we recommend using a stock deployment of a supported distribution on your hosts. However, if you choose to automate deployment of your hosts, review the configuration and policies applied to them before proceeding further.

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.