Merge branch 'stable-2.6'

[ganeti-local] / doc / security.rst

diff --git a/doc/security.rst b/doc/security.rst
index c16ccdd..10010ab 100644 (file)
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -93,12 +93,22 @@ Remote API
 ----------
 
 Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS
 ----------
 
 Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS

-by default. It supports Basic authentication as per RFC2617.
+by default. It supports Basic authentication as per :rfc:`2617`.

 
 Paths for certificate, private key and CA files required for SSL/TLS
 will be set at source configure time. Symlinks or command line
 parameters may be used to use different files.
 
 
 Paths for certificate, private key and CA files required for SSL/TLS
 will be set at source configure time. Symlinks or command line
 parameters may be used to use different files.
 

+Inter-cluster instance moves
+----------------------------
+
+To move instances between clusters, different clusters must be able to
+communicate with each other over a secure channel. Up to and including
+Ganeti 2.1, clusters were self-contained entities and had no knowledge
+of other clusters. With Ganeti 2.2, clusters can exchange data if tokens
+(an encryption certificate) was exchanged by a trusted third party
+before.
+

 KVM Security
 ------------
 
 KVM Security
 ------------
 

@@ -112,11 +122,11 @@ only one available before Ganeti 2.1.2.
 
 Under security model 'user' an instance is run as the user specified by
 the hypervisor parameter 'security_domain'. This makes it easy to run
 
 Under security model 'user' an instance is run as the user specified by
 the hypervisor parameter 'security_domain'. This makes it easy to run

-all instances as non privileged users, and allows to manually allocate
-specific users to specific instances or sets of instances. If the
-specified user doesn't have permissions a jail broken instance will need
-some local privilege escalation before being able to take over the node
-and the cluster. It's possible though for a jail broken instance to
+all instances as non privileged users, and allows one to manually
+allocate specific users to specific instances or sets of instances. If
+the specified user doesn't have permissions a jail broken instance will
+need some local privilege escalation before being able to take over the
+node and the cluster. It's possible though for a jail broken instance to

 affect other ones running under the same user.
 
 Under security model 'pool' a global cluster-level uid pool is used to
 affect other ones running under the same user.
 
 Under security model 'pool' a global cluster-level uid pool is used to