
Applying ansible-hardening

The ansible-hardening role applies to physical hosts of any type within an OpenStack-Ansible deployment, both infrastructure and compute hosts. The role is enabled by default. You can disable it by setting the apply_security_hardening variable to false in the user_variables.yml file:

apply_security_hardening: false

You can apply the hardening configuration to an existing environment, or audit an environment, with the playbook provided by OpenStack-Ansible:

# Apply security hardening configurations
openstack-ansible openstack.osa.security_hardening

# Perform a quick audit by using Ansible's check mode
openstack-ansible --check openstack.osa.security_hardening

For more information on the security configurations, see the Security hardening role documentation.

Deployment Host Hardening

You can extend security hardening to the deployment host by defining the security_host_group variable in your openstack_user_variables file. Include localhost along with your other hosts, like this:

security_host_group: localhost, hosts

Then apply the hardening with:

openstack-ansible openstack.osa.security_hardening

Alternatively, you can supply this variable as an extra variable at runtime, for example:

openstack-ansible openstack.osa.security_hardening -e security_host_group=localhost

Warning

After applying security hardening, root login via password will be disabled. Make sure you configure SSH key authentication or set up a non-root user with sudo privileges before applying the changes, otherwise you may lose access to the host.

Including the deployment host can be useful to reduce its attack surface and ensure that the host running OpenStack-Ansible follows the same security best practices as your other nodes.

Hiding Secrets in OpenStack-Ansible

OpenStack-Ansible roles use variables like _oslodb_setup_nolog, _service_setup_nolog, and _oslomsg_nolog to control whether task output is hidden in logs.

By default, this prevents sensitive values (such as passwords) from being written to log files. Disabling these variables can make debugging easier, but it also risks exposing secrets in plain text.

Warning

Use these variables with caution: keep logging enabled for troubleshooting, but remember that passwords may appear in the logs if the no_log protection is turned off.
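As an added illustration of the pattern these variables drive (not a task from the OpenStack-Ansible roles themselves), the play below gates a task's output on a variable; the variable name _example_setup_nolog and the password value are constructed for this example:

```yaml
# Added example: variable-driven no_log, mirroring how variables such as
# _oslodb_setup_nolog gate task output in the OpenStack-Ansible roles.
# _example_setup_nolog is a hypothetical name; the password is a constructed sample.
- name: Demonstrate variable-driven no_log
  hosts: localhost
  gather_facts: false
  vars:
    _example_setup_nolog: true                # default: hide task output
    db_password: "constructed-example-secret" # constructed sample value
  tasks:
    - name: Task whose arguments contain a secret
      ansible.builtin.debug:
        msg: "Would create the database user with password {{ db_password }}"
      no_log: "{{ _example_setup_nolog }}"

    - name: Loop whose items contain secrets (no_log also censors per-item results)
      ansible.builtin.debug:
        msg: "Would set password for {{ item.user }} to {{ item.password }}"
      loop:
        - { user: "svc_a", password: "constructed-secret-a" }
        - { user: "svc_b", password: "constructed-secret-b" }
      no_log: "{{ _example_setup_nolog }}"
```

Run with `ansible-playbook demo.yml` and Ansible reports that the task output was hidden because no_log was set; run with `-e _example_setup_nolog=false` and the passwords appear verbatim in the console and in any log file, which is exactly the exposure the warning above describes.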