Revision 0a689f79 doc/security.rst
b/doc/security.rst | ||
---|---|---|
7 | 7 |
security model is all-or-nothing. |
8 | 8 |
|
9 | 9 |
Up to version 2.3 all Ganeti code ran as root. Since version 2.4 it is |
10 |
possible to run all daemons except the node daemon as non-root users by |
|
11 |
specifying user names and groups at build time. The node daemon |
|
12 |
continues to require root privileges to create logical volumes, DRBD |
|
13 |
devices, start instances, etc. Cluster commands can be run as root or by |
|
14 |
users in a group specified at build time. |
|
10 |
possible to run all daemons except the node daemon and the monitoring daemon |
|
11 |
as non-root users by specifying user names and groups at build time. |
|
12 |
The node daemon continues to require root privileges to create logical volumes, |
|
13 |
DRBD devices, start instances, etc. Cluster commands can be run as root or by |
|
14 |
users in a group specified at build time. The monitoring daemon requires root |
|
15 |
privileges in order to be able to access and present information that are only |
|
16 |
avilable to root (such as the output of the ``xm`` command of Xen). |
|
15 | 17 |
|
16 | 18 |
Host issues |
17 | 19 |
----------- |
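Review bot: new line 16 misspells "available" as "avilable", and new lines 15-16 read "information that are only", which should be "information that is only". Since this paragraph now names a second daemon that keeps root, it would also help to point readers to the "Monitoring daemon" section added later in this file, so the privilege statement is read together with the note there that the daemon serves unauthenticated HTTP.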
... | ... | |
141 | 143 |
It is planned to split the two functionalities (local/remote querying) |
142 | 144 |
of confd into two separate daemons in a future Ganeti version. |
143 | 145 |
|
146 |
Monitoring daemon |
|
147 |
----------------- |
|
148 |
|
|
149 |
The monitoring daemon provides information about the status and the |
|
150 |
performance of the cluster over HTTP. |
|
151 |
It is currently unencrypted and non-authenticated, therefore it is strongly |
|
152 |
advised to set proper firewalling rules to prevent unwanted access. |
|
153 |
|
|
154 |
The monitoring daemon runs as root, because it needs to be able to access |
|
155 |
privileged information (such as the state of the instances as provided by |
|
156 |
the Xen hypervisor). Nevertheless, the security implications are mitigated |
|
157 |
by the fact that the agent only provides reporting functionalities, |
|
158 |
without the ability to actually modify the state of the cluster. |
|
159 |
|
|
144 | 160 |
Remote API |
145 | 161 |
---------- |
146 | 162 |
|
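Review bot: new lines 151-152 advise "proper firewalling rules" without saying what to filter. Name the daemon's listening port and bind address (or the option that sets them) and which hosts legitimately need to reach it, so an administrator can write the rule from this section alone. In new lines 156-158 the mitigation argument covers only changes to cluster state: a root process answering unauthenticated, unencrypted HTTP still discloses privileged status data to anyone who can reach the port, and its request handling runs with full privileges. The text should say so, and since line 151 says "currently", it should state whether encryption and authentication are planned.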