Revision b51e14c0 doc/security.rst
| b/doc/security.rst | ||
|---|---|---|
| 124 | 124 |
and works on Linux, but is not-portable; however, Ganeti doesn't work on |
| 125 | 125 |
non-Linux system at the moment. |
| 126 | 126 |
|
| 127 |
Luxi daemon |
|
| 128 |
----------- |
|
| 129 |
|
|
| 130 |
The ``luxid`` daemon (automatically enabled if ``confd`` is enabled at |
|
| 131 |
build time) serves local (UNIX socket) queries about the run-time |
|
| 132 |
configuration. Answering these means talking to other cluster nodes, |
|
| 133 |
exactly as ``masterd`` does. See the notes for ``masterd`` regarding |
|
| 134 |
permission-based protection. |
|
| 135 |
|
|
| 127 | 136 |
Conf daemon |
| 128 | 137 |
----------- |
| 129 | 138 |
|
| 130 | 139 |
In Ganeti 2.8, the ``confd`` daemon (if enabled at build time), serves |
| 131 |
both network-originated queries (about the static configuration) and |
|
| 132 |
local (UNIX socket) queries (about the run-time configuration; answering |
|
| 133 |
these means talking to other cluster nodes, which makes use of the |
|
| 134 |
internal RPC SSL certificate). This makes it a bit more sensitive to |
|
| 135 |
bugs (a remote attacker could get direct access to the intra-cluster |
|
| 136 |
RPC), so to harden security it's recommended to: |
|
| 137 |
|
|
| 138 |
- disable confd at build time if it's not needed in your setup |
|
| 139 |
- otherwise, configure Ganeti (at build time) to use separate users, so |
|
| 140 |
that the confd daemon doesn't also have access to the server SSL/TLS |
|
| 140 |
network-originated queries about parts of the static cluster |
|
| 141 |
configuration. |
|
| 142 |
|
|
| 143 |
If Ganeti is not configured (at build time) to use separate users, |
|
| 144 |
``confd`` has access to all Ganeti related files (including internal RPC |
|
| 145 |
SSL certificates). This makes it a bit more sensitive to bugs (a remote |
|
| 146 |
attacker could get direct access to the intra-cluster RPC), so to harden |
|
| 147 |
security it's recommended to: |
|
| 148 |
|
|
| 149 |
- disable confd at build time if it (and ``luxid``) is not needed in |
|
| 150 |
your setup. |
|
| 151 |
- configure Ganeti (at build time) to use separate users, so that the |
|
| 152 |
confd daemon doesn't also have access to the server SSL/TLS |
|
| 141 | 153 |
certificates. |
| 142 |
|
|
| 143 |
NB: the second suggestion is not valid since Ganeti 2.8.0~beta1, because confd |
|
| 144 |
needs access to the certificate in order to communicate on the network. |
|
| 145 |
This will be fixed when the planned split of the two functionalities |
|
| 146 |
(local/remote querying) of confd into two separate daemons will take place, |
|
| 147 |
in a future Ganeti version. |
|
| 154 |
- add firewall rules to protect the ``confd`` port or bind it to a |
|
| 155 |
trusted address. Make sure that all nodes can access the daemon, as |
|
| 156 |
the monitoring daemon requires it. |
|
| 148 | 157 |
|
| 149 | 158 |
Monitoring daemon |
| 150 | 159 |
----------------- |
Also available in: Unified diff