Compliance and Security for OpenStack Deployments
Transcript of Compliance and Security for OpenStack Deployments
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted
Joost Pronk van Hoogeveen, Tech Lead Solaris Product Management, Director Oracle Solaris Engineering, Systems Group. November 18, 2015
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
1. Goal: Secure, Compliant Application Deployment
2. Introduction to OpenStack
3. Secure Installation
4. Compliant Runtime
Simple, Secure Cloud Scale Deployment and Compliance From Development to Production
(Lifecycle diagram labels: Your App; Secure deployment; Set Compliance Policy; Compliance Audit; Create your application VMs; 1-step secure image creation)
First – We talk about OpenStack
OpenStack Integrated into Oracle Solaris
Built into the Infrastructure: each OpenStack service is backed by a native Oracle Solaris technology (diagram):
• Horizon (Centralized Cloud Management)
• Nova / Ironic (Self-Service Compute and Bare Metal): Zones and Kernel Zones
• Neutron (Software Defined Networking): Elastic Virtual Switch and Open vSwitch
• Cinder / Swift (Cloud Scale Storage): ZFS File System
• Heat / Glance / Murano / Trove (Platform as a Service): Unified Archives
General Cloud Architecture with OpenStack Controller
OpenStack Physical Layout (diagram): an OpenStack Controller, a Network Node, a Storage Node and several Compute Nodes, connected over separate networks: Public Network, Cloud Network, OpenStack Network and Storage Network.
OpenStack Services: Overview of Core Components
Component   Description
Nova        Compute virtualization
Cinder      Block storage
Neutron     Software defined networking
Keystone    Authentication between cloud services
Horizon     Web based dashboard
Glance      Image management and deployment
Swift       Object storage
Heat        Application and VM orchestration
Murano      Application catalog
Trove       Database as a Service
OpenStack Logical Layout
Second – We talk about installing OpenStack
Remember this?
Oracle Solaris 11 Packaging
• Secure and seamless software delivery mechanism
• Impossible to install mismatched software, including firmware
• No modifications to the running OS; complete safety with Boot Environments (BEs)
• Fully integrated with Zones
Image Packaging System: Easy and fast cloud update
• Seamless integration with IPS
  – Full dependency management
  – Fail-proof updates with rollback
• Integrated with Oracle Solaris Zones and Unified Archives for seamless lifecycle management
• Foundation for the cloud update strategy
  – Configuration and database schemas updated through SMF update services with full rollback
(Diagram labels: 11.2 SRU 1; 11.3 Clone)
Service Management Facility: SMF Services
• OpenStack services run with the minimum privileges necessary, and don't run as root
  – Create users for the different OpenStack services
  – Leverage RBAC to enable privileged actions
• Automatic service restart after failure
  – Integrated with Oracle Solaris fault management
  – Full dependency checking for precise and efficient cloud start up
Secure, highly available and reliable cloud services
OpenStack Cinder/Swift Data Management: ZFS
• ZFS is the foundation for Cinder and Swift
  – iSCSI or FC LUN provisioning
  – Leverage integrated data services including snapshots, compression and encryption
  – These data services are completely transparent to the guests
• Integrated OpenStack support for the ZFS Storage Appliance (ZFSSA)
Production ready data management, no compromises
(Diagram labels: Virtual Environments; Cinder Volume; iSCSI LUN, iSCSI LUN, iSCSI LUN)
Third – We talk about OpenStack at Runtime
Oracle Solaris Zones and Kernel Zones
• OpenStack instances on Oracle Solaris are based on Zones and Kernel Zones
  – The Common Criteria evaluation includes Zones as a secure boundary
• Network and storage lockdown
  – Isolated networking (VLAN and VXLAN) and anti-spoofing
  – Encrypted Cinder volumes
• Locking down the OS namespaces with Immutable Zones
  – Both for the undercloud as well as guest instances
(Diagram labels: Oracle Solaris 11.3 host running a Solaris 11.3 Zone (DATABASE), a Solaris 11.2 Zone (WEBLOGIC SERVER) and a Solaris 11.4 Zone; Virtual Router; SRU9; iSCSI 1 to iSCSI N; Infiniband Fabric; 10GbE Network)
Immutable Zones: Security Policies
Policy                  Use Cases                               Install Packages  Edit Config /etc  Modify SMF Services  Write to /var  Audit/Log Location  Create Zones
none (default)          Development                             Yes               Yes               Yes                  Yes            Local/Remote        Yes
flexible-configuration  High Touch Applications                 No                Yes               No                   Yes            Local/Remote        No
fixed-configuration     Applications, Services, Infrastructure  No                No                No                   Yes            Local/Remote        No
dynamic-zone            OpenStack Nova                          No                No                No                   No             Local/Remote        Yes
strict                  Ephemeral Applications                  No                No                No                   No             Remote              No
Apply Security Policy: How to Configure
# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
Modify Security Policy: Zone Login + Attempted Change
# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
Modify Security Policy: Trusted Path from the Global Zone
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
# zlogin -T myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
myzone#
baduser$ zlogin -T myzone
zlogin: baduser is not authorized for failsafe, trusted path or non-interactive login to myzone zone.
Using Immutable Zones in OpenStack
• The undercloud is locked down
  – OpenStack nova-compute nodes run with the dynamic-zone policy
  – Allowing only Zones to be installed and run, but otherwise completely locked
• The guest instances
  – Through OpenStack flavors as part of Nova, the tenant user can choose to use any of the other policies
  – Use none for development and strict for production, for example
(Diagram labels: Oracle Solaris; Immutable Guest; Immutable Guest; Firewall)
Unified Archives
• Next generation golden images
  – Single archive for physical and virtual environments: seamless P2V and V2P
  – Leverages ZFS, IPS and SMF
  – Fast to develop, fast to deploy
• Secure and compliant deployment
  – Secure archives that can be validated
  – Maintain settings in the clone image to maintain the compliance level
  – Develop/clone from base images
(Diagram labels: Oracle Solaris 11.3 host with 11.3, 11.4 and 11.2.1 zones and VMs; Deploy clone archive; V2P; V2V)
Fourth – We talk about Compliance Checking
General Compliance Checking: OpenSCAP
• Security Content Automation Protocol (SCAP)
• NIST standard
• Expresses security policies as machine readable code
• XCCDF and OVAL are the main components
• OpenSCAP is the open source implementation, supported by a wide community
• Reports are interchangeable with other platforms
• Oracle Solaris ships with OpenSCAP and has several policies bundled
  – Example: PCI-DSS for the credit card industry
  – Possibility to write your own policy
Simple Compliance Reporting
Compliance Benchmarks and Profiles
# compliance list -b
pci-dss solaris
# compliance list -p
Benchmarks:
pci-dss: Solaris_PCI-DSS
solaris: Baseline, Recommended
Assessments: No assessments available
Compliance Assessment
# pfexec compliance assess -b solaris -p Baseline -a baseline
Title Package integrity is verified
Rule OSC-54005
Result pass
....
# pfexec compliance list -vp
Benchmarks:
pci-dss: Solaris_PCI-DSS
Payment Card Industry Data Security Standard
solaris: Baseline, Recommended
Oracle Solaris Security Policy
Assessments:
baseline: log report.html results.xccdf.xml
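The results.xccdf.xml file listed in the assessment above is a standard XCCDF result document, so its rule outcomes can be consumed by tooling rather than read by hand. The following is an added example, not part of the deck or of the Solaris compliance tool: it parses the rule-result entries of an XCCDF TestResult and applies a promotion gate, with an allow-list for rules a tenant has formally tailored out. The XML sample is constructed; only rule OSC-54005 comes from the deck, the other rule ids and the namespace layout of the Solaris output are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace as used by OpenSCAP result documents.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample modelled on results.xccdf.xml; OSC-54005 is the rule shown
# in the deck, the OSC-EXAMPLE-* ids and their outcomes are made up for this example.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_solaris">
  <TestResult id="xccdf_example_testresult_baseline">
    <rule-result idref="OSC-54005"><result>pass</result></rule-result>
    <rule-result idref="OSC-EXAMPLE-1"><result>fail</result></rule-result>
    <rule-result idref="OSC-EXAMPLE-2"><result>notapplicable</result></rule-result>
    <rule-result idref="OSC-EXAMPLE-3"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Outcomes that must block promotion unless the rule was explicitly tailored out.
BLOCKING_OUTCOMES = {"fail", "error", "unknown"}


def parse_rule_results(xml_text):
    """Return {rule_id: outcome} for every rule-result inside the XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        # A rule-result without a <result> is treated as unknown, never as a pass.
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = outcome
    return results


def compliance_gate(results, accepted_exceptions=()):
    """Decide whether an image or instance may be promoted.

    Returns (ok, counts, blocking): counts is a Counter of outcomes for reporting,
    blocking is the sorted list of rule ids that still fail the gate. Rules in
    accepted_exceptions are tailoring decisions that were signed off and are skipped.
    """
    counts = Counter(results.values())
    blocking = sorted(rule for rule, outcome in results.items()
                      if outcome in BLOCKING_OUTCOMES and rule not in accepted_exceptions)
    return (not blocking, counts, blocking)


if __name__ == "__main__":
    ok, counts, blocking = compliance_gate(parse_rule_results(SAMPLE_RESULTS))
    print("promote:", ok, dict(counts), "blocking:", blocking)
```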
OpenStack Demo
Compliance Checking with OpenStack
Checking the Undercloud
• Keep auditors happy and minimize the impact on cloud admins
• OpenStack installs secure by default
• OpenSCAP helps with:
  – Further lockdown in the development phase
  – Ongoing validation of the compliant setup
Checking the Guest Instances
• Cloud tenants can easily verify compliance of their own instances
  – Improves image hardening during the development phase
  – Allows tenants to monitor ongoing compliance while in production
• Optionally the cloud vendor can offer compliance reports initiated from the undercloud
Secure and Compliant Lifecycle
• Secure multi-tenant environments
  – Guaranteed VM integrity
  – Read-only VM lockdown
  – Complete network isolation
  – Secure key management
  – Fine grained authentication
• Comprehensive cloud ready compliance
  – Fully compliant out of the box
  – Easy compliance tailoring
Secure end-to-end deployment and comprehensive compliance checks
(Diagram labels: Oracle Solaris 11.3; 11.3, 11.4, 11.2.1)
Q&A