Ansible-hardening role is not applied to containers
Bug #1901619 reported by Jeff Albert
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Undecided | Dmitriy Rabotyagov |
Bug Description
The ansible-hardening role is applied to OSA-managed bare-metal hosts, and provides a suite of valuable security improvements over OS defaults. However, this role is not applied to the containers that OSA creates to operate its services in, which end up less secure than the bare metal hosts they're running on. Can the ansible_hardening role be applied to all OSA-managed hosts, both bare-metal and container?
Hi Jeff,
I'm not sure how hardening is applicable to the containers, since we do not connect to containers via SSH and they shouldn't be accessible directly.
However, security-hardening.yml allows you to explicitly set which set of hosts you want to run it against. The only caveat here is that hardening is launched before containers are created, so you will need to re-run it manually after containers are created.
The group against which the play will be executed is controlled with the security_host_group variable.