The OpenStack Compute service (nova) runs in many locations throughout the cloud and interacts with a variety of internal services. The OpenStack Compute service offers a variety of configuration options which may be deployment specific.
In this chapter we will call out general best practice around Compute
security as well as specific known configurations that can lead to
security issues. The
nova.conf file and the
should be secured. Controls like centralized logging, the
file, and a mandatory access control framework should be implemented.
- Hypervisor selection
- Hypervisors in OpenStack
- Selection criteria
- Team expertise
- Product or project maturity
- Certifications and attestations
- Common criteria
- Cryptography standards
- FIPS 140-2
- Hardware concerns
- Hypervisor versus bare metal
- Hypervisor memory optimization
- KVM Kernel Samepage Merging
- XEN transparent page sharing
- Security considerations for memory optimization
- Additional security features
- Hardening the virtualization layers
- Hardening Compute deployments
- Vulnerability awareness
- How to select virtual consoles
- Check-Compute-01: Is user/group ownership of config files set to root/nova?
- Check-Compute-02: Are strict permissions set for configuration files?
- Check-Compute-03: Is keystone used for authentication?
- Check-Compute-04: Is secure protocol used for authentication?
- Check-Compute-05: Does Nova communicate with Glance securely?