Revision 73100cf5

b/Makefile.am
115 115
	doc/design-2.0-locking.rst \
116 116
	doc/design-2.0-master-daemon.rst \
117 117
	doc/design-2.0-os-interface.rst \
118
	doc/design-2.0-rapi-changes.rst
118
	doc/design-2.0-rapi-changes.rst \
119
	doc/security.rst
119 120

  
120 121
doc_DATA = \
121 122
	$(patsubst %.rst,%.html,$(docrst)) \
/dev/null
1
Security in Ganeti
2
~~~~~~~~~~~~~~~~~~
3

  
4
Ganeti was developed to run on internal, trusted systems. As such, the
5
security model is all-or-nothing.
6

  
7
All the Ganeti code runs as root, because all the operations that Ganeti
8
is doing require privileges: creating logical volumes, drbd devices,
9
starting instances, etc. Running as root does not mean setuid, but that
10
you need to be root to run the cluster commands.
11

  
12
Host issues
13
-----------
14

  
15
For a host on which the Ganeti software has been installed, but not joined to a
16
cluster, there are no changes to the system.
17

  
18
For a host that has been joined to the cluster, there are very important
19
changes:
20
  - The host will have its SSH host key replaced with the one of the
21
    cluster (which is the one the initial node had at the cluster
22
    creation)
23
  - A new public key will be added to root's authorized_keys file, granting
24
    root access to all nodes of the cluster. The private part of the key
25
    is also distributed to all nodes. Old files are renamed.
26
  - Communication between nodes is encrypted using SSL/TLS. A common
27
    key and certificate combo is shared between all nodes of the cluster.
28
    At this time, no CA is used.
29
  - The Ganeti node daemon will accept RPC requests from any host within the
30
    cluster with the correct certificate, and the operations it will do as a
31
    result of these requests are:
32
      - running commands under the /etc/ganeti/hooks directory
33
      - creating DRBD disks between it and the IP it has been told
34
      - overwrite a defined list of files on the host
35

  
36
As you can see, as soon as a node is joined, it becomes equal to all
37
other nodes in the cluster, and the security of the cluster is
38
determined by the weakest node.
39

  
40
Note that only the SSH key will allow other machines to run random
41
commands on this node; the RPC method will run only:
42
  - well defined commands to create, remove, activate logical volumes,
43
    drbd devices, start/stop instances, etc;
44
  - run SSH commands on other nodes in the cluster, again well-defined
45
  - scripts under the /etc/ganeti/hooks directory
46

  
47
It is therefore important to make sure that the contents of the
48
/etc/ganeti/hooks directory is supervised and only trusted sources can
49
populate it.
50

  
51
Cluster issues
52
--------------
53

  
54
As told above, there are multiple ways of communication between cluster
55
nodes:
56
  - SSH-based, for high-volume traffic like image dumps or for low-level
57
    command, e.g. restarting the Ganeti node daemon
58
  - RPC communication between master and nodes
59
  - DRBD real-time disk replication traffic
60

  
61
The SSH traffic is protected (after the initial login to a new node) by
62
the cluster-wide shared SSH key.
63

  
64
RPC communication between the master and nodes is protected using SSL/TLS
65
encryption. Both the client and the server must have the cluster-widely
66
shared SSL/TLS certificate and verify it when establishing the connection
67
by comparing fingerprints. We decided not to use a CA to simplify the
68
key handling.
69

  
70
The DRBD traffic is not protected by encryption. DRBD does not support
71
traffic encryption. It's therefore recommended to implement host-level
72
firewalling or to use a separate range of IP addresses for the DRBD
73
traffic (this is supported in Ganeti) which is not routed outside the
74
cluster. DRBD connections are protected from connecting to random other
75
machines by using a shared secret exchanged via RPC requests when
76
starting the device.
77

  
78
Remote API
79
----------
80

  
81
Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS by
82
default. It supports Basic authentication as per RFC2617.
83

  
84
Paths for certificate, private key and CA files required for SSL/TLS will
85
be set at source configure time. Symlinks or command line parameters may
86
be used to use different files.
b/doc/design-2.0-index.rst
29 29
The various changes brought in by the master daemon model and the
30 30
read-write RAPI will require changes to the cluster security; we move
31 31
away from Twisted and use http(s) for intra- and extra-cluster
32
communications. For more details, see the SECURITY document in the top
33
directory.
32
communications. For more details, see the security document in the
33
doc/ directory.
34 34

  
35 35

  
36 36
Functionality changes
b/doc/security.rst
1
Security in Ganeti
2
~~~~~~~~~~~~~~~~~~
3

  
4
Ganeti was developed to run on internal, trusted systems. As such, the
5
security model is all-or-nothing.
6

  
7
All the Ganeti code runs as root, because all the operations that Ganeti
8
is doing require privileges: creating logical volumes, drbd devices,
9
starting instances, etc. Running as root does not mean setuid, but that
10
you need to be root to run the cluster commands.
11

  
12
Host issues
13
-----------
14

  
15
For a host on which the Ganeti software has been installed, but not joined to a
16
cluster, there are no changes to the system.
17

  
18
For a host that has been joined to the cluster, there are very important
19
changes:
20
  - The host will have its SSH host key replaced with the one of the
21
    cluster (which is the one the initial node had at the cluster
22
    creation)
23
  - A new public key will be added to root's authorized_keys file, granting
24
    root access to all nodes of the cluster. The private part of the key
25
    is also distributed to all nodes. Old files are renamed.
26
  - Communication between nodes is encrypted using SSL/TLS. A common
27
    key and certificate combo is shared between all nodes of the cluster.
28
    At this time, no CA is used.
29
  - The Ganeti node daemon will accept RPC requests from any host within the
30
    cluster with the correct certificate, and the operations it will do as a
31
    result of these requests are:
32
      - running commands under the /etc/ganeti/hooks directory
33
      - creating DRBD disks between it and the IP it has been told
34
      - overwrite a defined list of files on the host
35

  
36
As you can see, as soon as a node is joined, it becomes equal to all
37
other nodes in the cluster, and the security of the cluster is
38
determined by the weakest node.
39

  
40
Note that only the SSH key will allow other machines to run random
41
commands on this node; the RPC method will run only:
42
  - well defined commands to create, remove, activate logical volumes,
43
    drbd devices, start/stop instances, etc;
44
  - run SSH commands on other nodes in the cluster, again well-defined
45
  - scripts under the /etc/ganeti/hooks directory
46

  
47
It is therefore important to make sure that the contents of the
48
/etc/ganeti/hooks directory is supervised and only trusted sources can
49
populate it.
50

  
51
Cluster issues
52
--------------
53

  
54
As told above, there are multiple ways of communication between cluster
55
nodes:
56
  - SSH-based, for high-volume traffic like image dumps or for low-level
57
    command, e.g. restarting the Ganeti node daemon
58
  - RPC communication between master and nodes
59
  - DRBD real-time disk replication traffic
60

  
61
The SSH traffic is protected (after the initial login to a new node) by
62
the cluster-wide shared SSH key.
63

  
64
RPC communication between the master and nodes is protected using SSL/TLS
65
encryption. Both the client and the server must have the cluster-widely
66
shared SSL/TLS certificate and verify it when establishing the connection
67
by comparing fingerprints. We decided not to use a CA to simplify the
68
key handling.
69

  
70
The DRBD traffic is not protected by encryption. DRBD does not support
71
traffic encryption. It's therefore recommended to implement host-level
72
firewalling or to use a separate range of IP addresses for the DRBD
73
traffic (this is supported in Ganeti) which is not routed outside the
74
cluster. DRBD connections are protected from connecting to random other
75
machines by using a shared secret exchanged via RPC requests when
76
starting the device.
77

  
78
Remote API
79
----------
80

  
81
Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS by
82
default. It supports Basic authentication as per RFC2617.
83

  
84
Paths for certificate, private key and CA files required for SSL/TLS will
85
be set at source configure time. Symlinks or command line parameters may
86
be used to use different files.

Also available in: Unified diff