Revision 4e9dcb8a
b/doc/security.rst
99 | 99 |
will be set at source configure time. Symlinks or command line |
100 | 100 |
parameters may be used to use different files. |
101 | 101 |
|
102 |
KVM Security |
|
103 |
------------ |
|
104 |
|
|
105 |
When running KVM instances under Ganeti three security models ara |
|
106 |
available: 'none', 'user' and 'pool'. |
|
107 |
|
|
108 |
Under security model 'none' instances run by default as root. This means |
|
109 |
that, if an instance gets jail broken, it will be able to own the host |
|
110 |
node, and thus the ganeti cluster. This is the default model, and the |
|
111 |
only one available before Ganeti 2.1.2. |
|
112 |
|
|
113 |
Under security model 'user' an instance is run as the user specified by |
|
114 |
the hypervisor parameter 'security_domain'. This makes it easy to run |
|
115 |
all instances as non privileged users, and allows to manually allocate |
|
116 |
specific users to specific instances or sets of instances. If the |
|
117 |
specified user doesn't have permissions a jail broken instance will need |
|
118 |
some local privilege escalation before being able to take over the node |
|
119 |
and the cluster. It's possible though for a jail broken instance to |
|
120 |
affect other ones running under the same user. |
|
121 |
|
|
122 |
Under security model 'pool' a global cluster-level uid pool is used to |
|
123 |
start each instance on the same node under a different user. The uids in |
|
124 |
the cluster pool can be set with ``gnt-cluster init`` and ``gnt-cluster |
|
125 |
modify``, and must correspond to existing users on all nodes. Ganeti |
|
126 |
will then allocate one to each instance, as needed. This way a jail |
|
127 |
broken instance won't be able to affect any other. Since the users are |
|
128 |
handed out by ganeti in a per-node randomized way, in this mode there is |
|
129 |
no way to make sure a particular instance is always run as a certain |
|
130 |
user. Use mode 'user' for that. |
|
131 |
|
|
132 |
In addition to these precautions, if you want to avoid instances sending |
|
133 |
traffic on your node network, you can use an iptables rule such as:: |
|
134 |
|
|
135 |
iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j LOG \ |
|
136 |
--log-prefix "ganeti uid pool user network traffic" |
|
137 |
iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j DROP |
|
138 |
|
|
139 |
This won't affect regular instance traffic (that comes out of the tapX |
|
140 |
allocated to the instance, and can be filtered or subject to appropriate |
|
141 |
policy routes) but will stop any user generated traffic that might come |
|
142 |
from a jailbroken instance. |
|
143 |
|
|
102 | 144 |
.. vim: set textwidth=72 : |
103 | 145 |
.. Local Variables: |
104 | 146 |
.. mode: rst |
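Review bot: the opening sentence of the added KVM Security section has a typo, "three security models ara available", which should read "are available"; in the same section "allows to manually allocate" reads better as "allows manually allocating", "non privileged" should be hyphenated as "non-privileged", and the text alternates between "jail broken" and "jailbroken" and between "ganeti" and "Ganeti", so pick one spelling of each. Two points of substance deserve a sentence next to the iptables example: the rule only makes sense under the 'user' and 'pool' models, because under 'none' instances run as root and a DROP matched on the root uid would cut off the node's own traffic, so the text should say which models it applies to; and the LOG rule has no rate limit, so a jailbroken instance could flood the host log, which an `-m limit` match on the LOG rule would bound. The 'pool' paragraph also says the uids "can be set with ``gnt-cluster init`` and ``gnt-cluster modify``" without naming the option to use, which the reader will need.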