Learn how to automate security and network in this tutorial from Aditya Patawari and Vikas Aggarwal.

Learn how to automate OpenStack security and network with Ansible 2 in this tutorial from Aditya Patawari, a systems engineer and dev ops practitioner and Vikas Aggarwal, an infrastructure engineer.

OpenStack for cloud

One of the biggest advantages of using a third-party cloud provider is that you can get started in minutes, provisioning the actual hardware is no longer your problem. However, there is a major drawback: the cloud is not customized to your needs. It may lack flexibility, which you can gain if you control the underlying hardware and network. OpenStack can help you address this problem.

OpenStack is software that can help you build a system similar to popular cloud providers, such as Amazon Web Services or Google Cloud Platform. OpenStack provides an API and a dashboard to manage the resources that it controls. Basic operations, such as creating and managing virtual machines, block storage, object storage, identity management, and so on, are supported out of the box.

With OpenStack, you can control the underlying hardware and network, which comes with its own pros and cons.
Keep the following points in mind while managing the OpenStack setup:

  • You need to maintain the underlying hardware. Consequently, you’ve to do capacity planning since your ability to scale resources would be limited by underlying hardware. However, since you control the hardware, you can get customized resources in virtual machines.
  • You can use custom network solutions. You can use economical equipment or high-end devices, depending upon the actual need. This can help you get the features that you want and may end up saving money.
  • You need to regularly update the hypervisor and other OpenStack dependencies, especially in the case of a security-related issue. This can be a time-consuming task because you might need to move the running virtual machines around to ensure that users do not face a lot of trouble.
  • OpenStack can be helpful in cases where strict compliance requirements might not allow you to use a third-party cloud provider. A typical example of this is that certain countries require financial and medical data to stay inside their jurisdiction. If any third-party cloud is not able to fulfill this condition, then OpenStack is a great choice.

This article will focus on the security and network solutions aspect of OpenStack and help you manage them. It’s also worth noting that although OpenStack can be hosted on premises, several cloud providers provide OpenStack as a service. Sometimes these cloud providers may choose to turn off certain features or provide add-on features. Sometimes, even while configuring OpenStack on a self-hosted environment, you may choose to toggle certain features or configure a few things differently. Therefore, inconsistencies may occur. All the code examples in this article are tested on a self-hosted OpenStack released in August 2017, named Pike. The underlying operating system was CentOS 7.4.

Managing OpenStack security groups

Security groups are the firewalls that can be used to allow or disallow the flow of traffic. They can be applied to virtual machines. Security groups and virtual machines have a many-to-many relationship. A single security group can be applied to multiple virtual machines and a single virtual machine can have multiple security groups.

  •  To get started, create a security group as follows:
- name: create a security group for web servers
 os_security_group:
 name: web-sg
 state: present
 description: security group for web servers

The name parameter has to be unique. The description parameter is optional, but it is recommended to use it to state the purpose of the security group. The preceding task will create a security group for you, but there are no rules attached to it. A firewall without any rules is of little use. So, go ahead and add a rule to allow access to port 80 as follows:

 - name: allow port 80 for http
 os_security_group_rule:
 security_group: web-sg
 protocol: tcp
 port_range_min: 80
 port_range_max: 80
 remote_ip_prefix: 0.0.0.0/0
  • You’ll also need an SSH access to this server, so you should allow port 22 as well:
 - name: allow port 80 for SSH
 os_security_group_rule:
 security_group: web-sg
 protocol: tcp
 port_range_min: 22
 port_range_max: 22
 remote_ip_prefix: 0.0.0.0/0

You need to specify the name of the security group for this module. The rule that you create will be associated with this group. You’ve to supply the protocol and the port range information. If you just want to whitelist only one port, then that would be the upper and lower bound of the range. Lastly, you need to specify the allowed addresses in the form of CIDR. The address 0.0.0.0/0 signifies that port 80 is open for everyone. This task will add an ingress type rule and allow traffic on port 80 to reach the instance. Similarly, you’ve to add a rule to allow traffic on port 22 as well.

In the next section, you’ll learn how to manage network resources

Managing Openstack network resources

A network is a basic building block of the infrastructure. Most cloud providers will supply a sample or default network. While setting up a self-hosted OpenStack instance, a single network is typically created automatically. However, if the network is not created, or if you want to create another network for the purpose of isolation or compliance, you can do so using the os_network module.

  • To get started, create an isolated network and name it private, as follows:
 - name: creating a private network
 os_network:
 state: present
 name: private
  • Now, a logical network with no subnets has been created. A network with no subnets is of little use, so the next step would be to create a subnet:
 - name: creating a private subnet
 os_subnet:
 state: present
 network_name: private
 name: app
 cidr: 192.168.0.0/24
 dns_nameservers:
 - 8.8.4.4
 - 8.8.8.8
 host_routes:
 - destination: 0.0.0.0/0
 nexthop: 104.131.86.234
 - destination: 192.168.0.0/24
 nexthop: 192.168.0.1

The preceding task will create a subnet named app in the network called private. You’ll also need to supply a CIDR for the subnet, 192.168.0.0/24. Google DNS has been used as a nameserver in the example here, but this information should be obtained from the IT department of the organization. Similarly, you’ll need to set up the example host routes, but this information should be obtained from the IT department as well.

After you’ve successfully completed this step, your network is ready to use.

If you found this article helpful, explore Ansible 2 Cloud Automation Cookbook to be able to deploy an application to demonstrate various usage patterns and utilities of resources. This book gives a recipe-based approach to install and configure cloud resources using Ansible.