Messaging¶

OpenStack components uses the OSLO messaging security library to communicate with worker processes running on compute nodes and a cloud controller node. For best possible performance and scalability OSLO library does not employ signing or encryption. As a result, messaging security depends on message broker’s security. You need to protect a messaging broker. Mirantis OpenStack uses the RabbitMQ messaging broker.

Recommendations for messaging security and RabbitMQ:

• Delete the RabbitMQ guest user.

• Separate API functional publishers (Nova, Cinder, Neutron, and others) by leveraging rabbit_virtual_host configuration setting for each API and creating appropriate Rabbit virtual host:

  rabbitmqctl add_vhost
  

• For each RabbitMQ virtual host create unique credentials along with appropriate permissions:

  rabbitmqctl add_user
  rabbitmqctl set_permissions
  

• Monitor RabbitMQ network activity with iptables or other monitoring tool to get accounting information.

• Forward the RabbitMQ and HAProxy logs to the central syslog server.

• Use TLS for messaging transport security.