Ansible-hardening role is not applied to containers

Bug #1901619 reported by Jeff Albert
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Dmitriy Rabotyagov
Milestone: (none)

Bug Description

The ansible-hardening role is applied to OSA-managed bare-metal hosts, and provides a suite of valuable security improvements over OS defaults. However, this role is not applied to the containers that OSA creates to operate its services in, which end up less secure than the bare metal hosts they're running on. Can the ansible_hardening role be applied to all OSA-managed hosts, both bare-metal and container?

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hi Jeff,

I'm not sure how hardening is applicable to the containers, since we do not connect to containers via SSH and they shouldn't be accessible directly.

However, security-hardening.yml allows you to explicitly set which set of hosts you want to run it against. The only caveat here is that hardening is launched before containers are created, so you will need to re-run it manually after the containers are created.

The group against which the play will be executed is controlled with the security_host_group variable.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/759907

Changed in openstack-ansible:
assignee: nobody → Dmitriy Rabotyagov (noonedeadpunk)
status: New → In Progress
Jeff Albert (jralbert) wrote :

Hi Dmitriy,
The LXC containers that OSA creates are fairly "thick" containers, in that they include many of the components of a full Linux installation, including their own systemd stack, their own SSH daemons, etc. In my view that attack surface should certainly be minimized, even if the intention is that these containers aren't directly accessible, as a matter of defense in depth. Especially given the easy accessibility of the ansible_hardening role, it just makes sense to apply it by default to the containers, I would think.

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.opendev.org/759907
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=857169a8a8f9595db2006d14434e55ceef4188c9
Submitter: Zuul
Branch: master

commit 857169a8a8f9595db2006d14434e55ceef4188c9
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Oct 27 19:03:16 2020 +0200

    Run hardening after container deployment

    Groups against which hardening is run can be defined
    with the variable `security_host_group`. However, since container creation
    is run after hardening, it is not possible to run the role against containers
    during their setup.

    Simply changing the order allows deployers to run hardening against
    containers as well.

    Change-Id: If7e59991c90fb2821e8d66c76af42dfc8b5ec8ad
    Closes-Bug: #1901619
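
The two points raised in this thread, the play order (hardening must be imported after the container-creation playbook) and the host group (`security_host_group` must name a group that actually contains the containers), can both be checked before a deployment is run. The script below is an added example written for this page, not code from the openstack-ansible project or from either commenter. It parses `import_playbook` entries the way OSA's top-level playbooks list them and reports whether hardening would reach the containers; the playbook texts and the inventory are constructed, the playbook file names other than `security-hardening.yml` are assumed to match OSA's layout, and the group names `hosts`, `all_containers` and the default value `hosts` for `security_host_group` are assumptions about the OSA inventory.

```python
"""Pre-deployment check: does hardening run after the LXC containers exist,
and does the chosen security_host_group actually include the containers?

Added example for bug #1901619; playbook texts and inventory are constructed.
"""
import re

# One "- import_playbook: <file>" entry per line, as in OSA's setup-hosts.yml.
IMPORT_RE = re.compile(r"^\s*-\s*import_playbook:\s*(\S+)\s*$")

# Constructed: the pre-fix order described in the thread (hardening first).
PLAYBOOK_BEFORE_FIX = """\
---
- import_playbook: openstack-hosts-setup.yml
- import_playbook: security-hardening.yml
- import_playbook: lxc-hosts-setup.yml
- import_playbook: lxc-containers-create.yml
"""

# Constructed: the order after "Run hardening after container deployment".
PLAYBOOK_AFTER_FIX = """\
---
- import_playbook: openstack-hosts-setup.yml
- import_playbook: lxc-hosts-setup.yml
- import_playbook: lxc-containers-create.yml
- import_playbook: security-hardening.yml
"""

# Constructed inventory: two bare-metal hosts and two containers living on one
# of them. "hosts" and "all_containers" are assumed OSA group names.
INVENTORY = {
    "hosts": ["infra1", "infra2"],
    "all_containers": ["infra1_galera_container-1a2b",
                       "infra1_keystone_container-3c4d"],
}
INVENTORY["all"] = INVENTORY["hosts"] + INVENTORY["all_containers"]


def imported_playbooks(text):
    """Return the imported playbook names in the order Ansible will run them."""
    order = []
    for line in text.splitlines():
        match = IMPORT_RE.match(line)
        if match:
            order.append(match.group(1))
    return order


def hardening_runs_after_containers(text,
                                    hardening="security-hardening.yml",
                                    containers="lxc-containers-create.yml"):
    """True only if both playbooks are imported and hardening comes later.

    A missing entry counts as a failure: hardening that never runs, or
    containers that are never created, are both worth flagging.
    """
    order = imported_playbooks(text)
    if hardening not in order or containers not in order:
        return False
    return order.index(hardening) > order.index(containers)


def unhardened_containers(inventory, security_host_group="hosts"):
    """Containers that the hardening play would skip for this host group.

    The default "hosts" mirrors the assumed OSA default, which targets only
    bare-metal hosts; "all" covers bare metal and containers alike.
    """
    targeted = set(inventory.get(security_host_group, []))
    return sorted(c for c in inventory["all_containers"] if c not in targeted)


if __name__ == "__main__":
    for label, text in (("before fix", PLAYBOOK_BEFORE_FIX),
                        ("after fix", PLAYBOOK_AFTER_FIX)):
        ok = hardening_runs_after_containers(text)
        print(f"{label}: hardening after container creation -> {ok}")
    for group in ("hosts", "all"):
        skipped = unhardened_containers(INVENTORY, group)
        print(f"security_host_group={group}: unhardened containers -> {skipped}")
```

Running the script shows the two failure modes side by side: the pre-fix order returns False regardless of the host group, and even with the fixed order a `security_host_group` of `hosts` leaves every container unhardened until the value is widened to a group that includes them.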

Changed in openstack-ansible:
status: In Progress → Fix Released