OpenStack Security Training Course

1. Introduction to OpenStack

• History of the cloud and OpenStack
• Cloud features
• Cloud models
  • private, public, hybrid
  • on-premise, IaaS, PaaS, SaaS
• Public and private cloud deployments based on OpenStack
• Open source and commercial OpenStack distributions
• OpenStack deployment models
• OpenStack ecosystem
  • Modules
  • Underlying tools
  • Integrations
• OpenStack lifecycle
• OpenStack certification

2. Cloud security and OpenStack

• Security domains in private clouds
• Threat classification and attack types
• System and network documentation
• System management
  • Vulnerability management
  • Configuration management and policies
  • System backup and recovery
• Server hardening
• OpenStack Management interfaces
  • Dashboard
  • API
  • SSH
  • OOB
• Secure communication
  • TLS and HTTPS
  • Reference architectures

3. OpenStack architecture and security

• Keystone - Identity Service
  • Keystone architecture
  • Authentication and available backends
  • Token types and token management
  • Authorization in OpenStack - roles and oslo.policy
  • Keystone resources - domains, projects, users
  • Openrc and clouds.yaml - CLI clients configuration
  • OpenStack service catalog
  • Quota system in OpenStack
• Glance - Image Service 
  • Glance architecture
  • Images adjusted to the cloud
  • Adding new image
  • Securing image service deployment
  • Image metadata
• Neutron - Networking Service
  • Neutron architecture
  • Neutron service distribution
  • Networks in OpenStack deployment
  • Network isolation in Neutron
  • Basic resources in Neutron
  • Compute node networking
  • Tenant (self-service) networks and subnets
  • Routing for tenant networks (East-West routing)
  • Provider networks
  • Accessing external resources (North-South routing)
  • Network namespaces
  • Physical traffic in Neutron nodes
  • Floating IPs
  • Security Groups
  • Role based access control (RBAC)
• Nova - Compute Service
  • Nova architecture
  • Hypervisors in the compute service
  • QEMU vs. KVM
  • Keypair management
  • Flavour management
  • Instance metadata
  • Instance features
  • Creating, verifying and managing virtual instance
  • Inspecting VM at compute node
  • Assigning Security Groups and Floating IPs
  • Tapping into instance ports
  • Anti-spoofing (port security) in OpenStack
  • L3 virtual resources (router functions for instance traffic)
  • Nova-scheduler - compute node selection
  • Metadata service and configuration drive
  • Instance migration
  • Hardening compute service
• Cinder - Block Storage Service
  • Cinder architecture
  • Volume features
  • Creating a volume
  • Attaching and accessing the volume 
  • Storage backends - iSCSI, Ceph
  • Volume wipe
• Barbican - Key Management Service
  • Barbican architecture
  • Storing passphrases
  • Generating and storing symmetric encryption keys
  • Volume encryption mechanisms
  • Configuring Cinder storage type for volume encryption
  • Limitations of volume encryption
  • Storing X.509 certificate bundles

4. Other aspects related to architecture & security

• Tenant data privacy
• Instance security
• Oslo.policy - creating custom role and API authorization
• High Availability in OpenStack