Block storage

To secure the block storage:

  • Set strict access permissions (640 or stricter) on the following configuration files in /etc/cinder/: cinder.conf, api-paste.ini, policy.json, rootwrap.conf.

  • Do not set the auth_strategy parameter under the [DEFAULT] section to noauth.

  • Enable TLS for authentication.

  • Enable secure file permissions for network-attached storage (NAS) with the following setting in /etc/cinder/cinder.conf:

    [DEFAULT]
    nas_secure_file_permissions = auto
    
  • To avoid a DoS attack in which an attacker sends an oversized request, verify that osapi_max_request_body_size under the [DEFAULT] section or max_request_body_size under the [oslo_middleware] section in /etc/cinder/cinder.conf is set to 114688:

    [DEFAULT]
    osapi_max_request_body_size = 114688
    
    [oslo_middleware]
    max_request_body_size = 114688
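
The checks listed above can be run as one audit. The script below is an added example, not part of the original page or of OpenStack; the function name audit_cinder and the finding messages are hypothetical. TLS is not checked, because the page names no option for it.

```python
import configparser
import os
import stat
import sys

CONF_FILES = ("cinder.conf", "api-paste.ini", "policy.json", "rootwrap.conf")
BODY_LIMIT = "114688"


def audit_cinder(conf_dir="/etc/cinder"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name in CONF_FILES:
        path = os.path.join(conf_dir, name)
        if not os.path.exists(path):
            continue  # not every deployment ships all four files
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~0o640:  # any bit outside rw-r----- is too permissive
            findings.append(f"{name}: mode {mode:o} is broader than 640")

    # interpolation=None keeps literal '%' in values; strict=False tolerates
    # options that appear more than once.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(os.path.join(conf_dir, "cinder.conf"))

    if cfg.get("DEFAULT", "auth_strategy", fallback="").strip().lower() == "noauth":
        findings.append("[DEFAULT] auth_strategy is noauth")

    nas = cfg.get("DEFAULT", "nas_secure_file_permissions", fallback="")
    if nas.strip().lower() != "auto":
        findings.append("[DEFAULT] nas_secure_file_permissions is not auto")

    # Assumption of this sketch: at least one of the two limits must be set
    # explicitly, and every one that is set must equal 114688.
    limits = [
        cfg.get("DEFAULT", "osapi_max_request_body_size", fallback=None),
        cfg.get("oslo_middleware", "max_request_body_size", fallback=None),
    ]
    limits = [v.strip() for v in limits if v is not None]
    if not limits or any(v != BODY_LIMIT for v in limits):
        findings.append("request body size limit is not set to 114688")
    return findings


if __name__ == "__main__":
    problems = audit_cinder(*sys.argv[1:2])
    print("\n".join(problems) or "all checks passed")
    sys.exit(1 if problems else 0)
```

Run it as a user that can read /etc/cinder/; it exits non-zero when any check fails, so it can gate a deployment pipeline.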