Revision 4e9dcb8a
| b/doc/security.rst | ||
|---|---|---|
| 99 | 99 |
will be set at source configure time. Symlinks or command line |
| 100 | 100 |
parameters may be used to use different files. |
| 101 | 101 |
|
| 102 |
KVM Security |
|
| 103 |
------------ |
|
| 104 |
|
|
| 105 |
When running KVM instances under Ganeti three security models ara |
|
| 106 |
available: 'none', 'user' and 'pool'. |
|
| 107 |
|
|
| 108 |
Under security model 'none' instances run by default as root. This means |
|
| 109 |
that, if an instance gets jail broken, it will be able to own the host |
|
| 110 |
node, and thus the ganeti cluster. This is the default model, and the |
|
| 111 |
only one available before Ganeti 2.1.2. |
|
| 112 |
|
|
| 113 |
Under security model 'user' an instance is run as the user specified by |
|
| 114 |
the hypervisor parameter 'security_domain'. This makes it easy to run |
|
| 115 |
all instances as non privileged users, and allows to manually allocate |
|
| 116 |
specific users to specific instances or sets of instances. If the |
|
| 117 |
specified user doesn't have permissions a jail broken instance will need |
|
| 118 |
some local privilege escalation before being able to take over the node |
|
| 119 |
and the cluster. It's possible though for a jail broken instance to |
|
| 120 |
affect other ones running under the same user. |
|
| 121 |
|
|
| 122 |
Under security model 'pool' a global cluster-level uid pool is used to |
|
| 123 |
start each instance on the same node under a different user. The uids in |
|
| 124 |
the cluster pool can be set with ``gnt-cluster init`` and ``gnt-cluster |
|
| 125 |
modify``, and must correspond to existing users on all nodes. Ganeti |
|
| 126 |
will then allocate one to each instance, as needed. This way a jail |
|
| 127 |
broken instance won't be able to affect any other. Since the users are |
|
| 128 |
handed out by ganeti in a per-node randomized way, in this mode there is |
|
| 129 |
no way to make sure a particular instance is always run as a certain |
|
| 130 |
user. Use mode 'user' for that. |
|
| 131 |
|
|
| 132 |
In addition to these precautions, if you want to avoid instances sending |
|
| 133 |
traffic on your node network, you can use an iptables rule such as:: |
|
| 134 |
|
|
| 135 |
iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j LOG \ |
|
| 136 |
--log-prefix "ganeti uid pool user network traffic" |
|
| 137 |
iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j DROP |
|
| 138 |
|
|
| 139 |
This won't affect regular instance traffic (that comes out of the tapX |
|
| 140 |
allocated to the instance, and can be filtered or subject to appropriate |
|
| 141 |
policy routes) but will stop any user generated traffic that might come |
|
| 142 |
from a jailbroken instance. |
|
| 143 |
|
|
| 102 | 144 |
.. vim: set textwidth=72 : |
| 103 | 145 |
.. Local Variables: |
| 104 | 146 |
.. mode: rst |
Also available in: Unified diff