Revision 0a689f79

b/doc/security.rst
7 7 
security model is all-or-nothing.
8 8 

  		





  9
  9
  
    
Up to version 2.3 all Ganeti code ran as root. Since version 2.4 it is


  		





  10
  
  
    
possible to run all daemons except the node daemon as non-root users by


  		





  11
  
  
    
specifying user names and groups at build time. The node daemon


  		





  12
  
  
    
continues to require root privileges to create logical volumes, DRBD


  		





  13
  
  
    
devices, start instances, etc. Cluster commands can be run as root or by


  		





  14
  
  
    
users in a group specified at build time.


  		





  
  10
  
    
possible to run all daemons except the node daemon and the monitoring daemon


  		





  
  11
  
    
as non-root users by specifying user names and groups at build time.


  		





  
  12
  
    
The node daemon continues to require root privileges to create logical volumes,


  		





  
  13
  
    
DRBD devices, start instances, etc. Cluster commands can be run as root or by


  		





  
  14
  
    
users in a group specified at build time. The monitoring daemon requires root


  		





  
  15
  
    
privileges in order to be able to access and present information that are only


  		





  
  16
  
    
avilable to root (such as the output of the ``xm`` command of Xen).


  		





  15
  17
  
    

  		





  16
  18
  
    
Host issues


  		





  17
  19
  
    
-----------


  		





  ......




  141
  143
  
    
It is planned to split the two functionalities (local/remote querying)


  		





  142
  144
  
    
of confd into two separate daemons in a future Ganeti version.


  		





  143
  145
  
    

  		





  
  146
  
    
Monitoring daemon


  		





  
  147
  
    
-----------------


  		





  
  148
  
    

  		





  
  149
  
    
The monitoring daemon provides information about the status and the


  		





  
  150
  
    
performance of the cluster over HTTP.


  		





  
  151
  
    
It is currently unencrypted and non-authenticated, therefore it is strongly


  		





  
  152
  
    
advised to set proper firewalling rules to prevent unwanted access.


  		





  
  153
  
    

  		





  
  154
  
    
The monitoring daemon runs as root, because it needs to be able to access


  		





  
  155
  
    
privileged information (such as the state of the instances as provided by


  		





  
  156
  
    
the Xen hypervisor). Nevertheless, the security implications are mitigated


  		





  
  157
  
    
by the fact that the agent only provides reporting functionalities,


  		





  
  158
  
    
without the ability to actually modify the state of the cluster.


  		





  
  159
  
    

  		





  144
  160
  
    
Remote API


  		





  145
  161
  
    
----------


  		





  146
  162
  
    

  		












Also available in:
  Unified diff