Course Outline

1. Introduction to OpenStack

  • History of the cloud and OpenStack
  • Cloud features
  • Cloud models
    • private, public, hybrid
    • on-premises, IaaS, PaaS, SaaS
  • Public and private cloud deployments based on OpenStack
  • Open source and commercial OpenStack distributions
  • OpenStack deployment models
  • OpenStack ecosystem
    • Modules
    • Underlying tools
    • Integrations
  • OpenStack lifecycle
  • OpenStack certification

2. Cloud security and OpenStack

  • Security domains in private clouds
  • Threat classification and attack types
  • System and network documentation
  • System management
    • Vulnerability management
    • Configuration management and policies
    • System backup and recovery
  • Server hardening
  • OpenStack management interfaces
    • Dashboard (Horizon)
    • API
    • SSH
    • Out-of-band (OOB) management
  • Secure communication
    • TLS and HTTPS
    • Reference architectures

3. OpenStack architecture and security

  • Keystone - Identity Service
    • Keystone architecture
    • Authentication and available backends
    • Token types and token management
    • Authorization in OpenStack - roles and oslo.policy
    • Keystone resources - domains, projects, users
    • openrc files and clouds.yaml - CLI client configuration
    • OpenStack service catalog
    • Quota system in OpenStack
  • Glance - Image Service
    • Glance architecture
    • Images prepared for the cloud
    • Adding a new image
    • Securing image service deployment
    • Image metadata
  • Neutron - Networking Service
    • Neutron architecture
    • Neutron service distribution
    • Networks in OpenStack deployment
    • Network isolation in Neutron
    • Basic resources in Neutron
    • Compute node networking
    • Tenant (self-service) networks and subnets
    • Routing for tenant networks (East-West routing)
    • Provider networks
    • Accessing external resources (North-South routing)
    • Network namespaces
    • Physical traffic in Neutron nodes
    • Floating IPs
    • Security Groups
    • Role based access control (RBAC)
  • Nova - Compute Service
    • Nova architecture
    • Hypervisors in the compute service
    • QEMU vs. KVM
    • Keypair management
    • Flavor management
    • Instance metadata
    • Instance features
    • Creating, verifying and managing a virtual instance
    • Inspecting a VM on the compute node
    • Assigning Security Groups and Floating IPs
    • Tapping into instance ports
    • Anti-spoofing (port security) in OpenStack
    • L3 virtual resources (router functions for instance traffic)
    • nova-scheduler - compute node selection
    • Metadata service and configuration drive
    • Instance migration
    • Hardening compute service
  • Cinder - Block Storage Service
    • Cinder architecture
    • Volume features
    • Creating a volume
    • Attaching and accessing the volume
    • Storage backends - iSCSI, Ceph
    • Volume wiping (secure deletion of freed volume data)
  • Barbican - Key Management Service
    • Barbican architecture
    • Storing passphrases
    • Generating and storing symmetric encryption keys
    • Volume encryption mechanisms
    • Configuring Cinder storage type for volume encryption
    • Limitations of volume encryption
    • Storing X.509 certificate bundles

4. Other aspects related to architecture & security

  • Tenant data privacy
  • Instance security
  • oslo.policy - creating a custom role and API authorization
  • High Availability in OpenStack

Requirements

  • Basic networking knowledge
  • Basic knowledge of cloud computing paradigm
  • Practical knowledge of administering Linux operating systems
  14 Hours

Related Courses

CRISC - Certified in Risk and Information Systems Control

  21 Hours

Cloud Computing Security Knowledge (CCSK) Preparation Course

  21 Hours

Standard Java Security

  14 Hours
