Overview
The course provides practical knowledge of OpenStack and private cloud security. It begins with an introduction to the system; participants then gain hands-on experience with security in private clouds and with securing an OpenStack installation. Each core OpenStack module is presented in turn, and participants build up virtual identity, image, network, compute and storage resources while discussing the security topics relevant to each. Every participant receives their own training environment with a complete OpenStack installation based on a selected cloud architecture (e.g. storage, networking). The training can be highly customized to the needs of the client.
Customization options
The training can be shortened to 2 days, focusing on the core aspects relevant to the customer. It can also be extended to cover administrative, design, networking and/or troubleshooting topics concerning OpenStack deployments.
Requirements
- Basic networking knowledge
- Basic knowledge of the cloud computing paradigm
- Practical knowledge of administering Linux operating systems
Course Outline
1. Introduction to OpenStack
- History of the cloud and OpenStack
- Cloud features
- Cloud models
  - private, public, hybrid
  - on-premise, IaaS, PaaS, SaaS
- Public and private cloud deployments based on OpenStack
- Open source and commercial OpenStack distributions
- OpenStack deployment models
- OpenStack ecosystem
  - Modules
  - Underlying tools
  - Integrations
- OpenStack lifecycle
- OpenStack certification
2. Cloud security and OpenStack
- Security domains in private clouds
- Threat classification and attack types
- System and network documentation
- System management
  - Vulnerability management
  - Configuration management and policies
  - System backup and recovery
  - Server hardening
- OpenStack management interfaces
  - Dashboard
  - API
  - SSH
  - OOB (out-of-band management)
- Secure communication
  - TLS and HTTPS
- Reference architectures
3. OpenStack architecture and security
- Keystone – Identity Service
  - Keystone architecture
  - Authentication and available backends
  - Token types and token management
  - Authorization in OpenStack – roles and oslo.policy
  - Keystone resources – domains, projects, users
  - openrc and clouds.yaml – CLI client configuration
  - OpenStack service catalog
  - Quota system in OpenStack
- Glance – Image Service
  - Glance architecture
  - Images adjusted to the cloud
  - Adding a new image
  - Securing the image service deployment
  - Image metadata
- Neutron – Networking Service
  - Neutron architecture
  - Neutron service distribution
  - Networks in an OpenStack deployment
  - Network isolation in Neutron
  - Basic resources in Neutron
  - Compute node networking
  - Tenant (self-service) networks and subnets
  - Routing for tenant networks (East-West routing)
  - Provider networks
  - Accessing external resources (North-South routing)
  - Network namespaces
  - Physical traffic on Neutron nodes
  - Floating IPs
  - Security Groups
  - Role-based access control (RBAC)
- Nova – Compute Service
  - Nova architecture
  - Hypervisors in the compute service
  - QEMU vs. KVM
  - Keypair management
  - Flavor management
  - Instance metadata
  - Instance features
  - Creating, verifying and managing a virtual instance
  - Inspecting a VM on the compute node
  - Assigning Security Groups and Floating IPs
  - Tapping into instance ports
  - Anti-spoofing (port security) in OpenStack
  - L3 virtual resources (router functions for instance traffic)
  - nova-scheduler – compute node selection
  - Metadata service and configuration drive
  - Instance migration
  - Hardening the compute service
- Cinder – Block Storage Service
  - Cinder architecture
  - Volume features
  - Creating a volume
  - Attaching and accessing a volume
  - Storage backends – iSCSI, Ceph
  - Volume wipe (secure deletion of released volumes)
- Barbican – Key Management Service
  - Barbican architecture
  - Storing passphrases
  - Generating and storing symmetric encryption keys
  - Volume encryption mechanisms
  - Configuring a Cinder volume type for volume encryption
  - Limitations of volume encryption
  - Storing X.509 certificate bundles
4. Other aspects related to architecture & security
- Tenant data privacy
- Instance security
- oslo.policy – creating a custom role and API authorization
- High Availability in OpenStack
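As an added illustration of the oslo.policy topic above (this is not material from the course itself), the following policy.yaml fragment for Nova shows what "creating a custom role and API authorization" looks like in practice. It assumes a custom Keystone role named vm_operator (a hypothetical name) that is allowed to start and stop servers only in its own project, while server deletion stays admin-only. The rule targets os_compute_api:servers:start, os_compute_api:servers:stop and os_compute_api:servers:delete and the rule context_is_admin are Nova's own policy names; the role name, the file location and the exact split of permissions are assumptions made for the example.

```yaml
# Added example, not from the course materials.
# Assumed location: /etc/nova/policy.yaml on every nova-api node
# (the path is set by [oslo_policy] policy_file in nova.conf).
# Only the rules listed here override Nova's defaults; everything else
# keeps its built-in default, so keep this file small and reviewed.

# Hypothetical custom role: may act only on servers in its own project.
# "and" binds tighter than "or" in oslo.policy, but the parentheses make
# the intent explicit so a reviewer does not have to remember that.
"vm_operator_or_admin": "(role:vm_operator and project_id:%(project_id)s) or rule:context_is_admin"

# Start/stop are delegated to the custom role (scoped to its project).
"os_compute_api:servers:start": "rule:vm_operator_or_admin"
"os_compute_api:servers:stop": "rule:vm_operator_or_admin"

# Deletion is deliberately not delegated: admins only.
"os_compute_api:servers:delete": "rule:context_is_admin"
```

The role has to exist in Keystone (openstack role create vm_operator) and be assigned to a user on a project before the rule matches anything; a rule referring to a role nobody holds silently denies. Before deploying, dry-run the file with the oslopolicy-checker tool shipped with oslo.policy against a sample token, and restart the nova-api services afterwards, since policy files are loaded at startup.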