.. doc/security.rst @ b7d7876b
Security in Ganeti
==================

Ganeti was developed to run on internal, trusted systems. As such, the
security model is all-or-nothing.

All the Ganeti code runs as root, because all the operations that Ganeti
is doing require privileges: creating logical volumes, drbd devices,
starting instances, etc. Running as root does not mean the tools are
setuid; rather, you need to be root to run the cluster commands.

Host issues
-----------

For a host on which the Ganeti software has been installed, but not
joined to a cluster, there are no changes to the system.

For a host that has been joined to the cluster, there are very important
changes:

- The host will have its SSH host key replaced with the one of the
  cluster (which is the one the initial node had at the cluster
  creation)
- A new public key will be added to root's authorized_keys file,
  granting root access to all nodes of the cluster. The private part of
  the key is also distributed to all nodes. Old files are renamed.
- Communication between nodes is encrypted using SSL/TLS. A common key
  and certificate combo is shared between all nodes of the cluster. At
  this time, no CA is used.
- The Ganeti node daemon will accept RPC requests from any host within
  the cluster with the correct certificate, and the operations it will
  do as a result of these requests are:

  - running commands under the /etc/ganeti/hooks directory
  - creating DRBD disks between it and the IP it has been told
  - overwriting a defined list of files on the host

As you can see, as soon as a node is joined, it becomes equal to all
other nodes in the cluster, and the security of the cluster is
determined by the weakest node.

Note that only the SSH key will allow other machines to run arbitrary
commands on this node; the RPC method will run only:

- well-defined commands to create, remove and activate logical volumes,
  drbd devices, start/stop instances, etc.;
- SSH commands on other nodes in the cluster, again well-defined;
- scripts under the /etc/ganeti/hooks directory.

It is therefore important to make sure that the contents of the
/etc/ganeti/hooks directory are supervised and only trusted sources can
populate it.
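
One way to supervise that directory, as an added example that is not
part of the Ganeti documentation or code base: the script below audits
the hooks tree (path taken from this document) against a manifest of
expected SHA-256 digests that you maintain, and reports symlinks,
entries not owned by the expected uid, entries writable by group or
others, files absent from the manifest, changed content and missing
files. The manifest format, the function names and the
``instance-add-post.d/10-notify`` sample hook are this example's own
choices; ``demo_audit()`` builds a constructed tree in a temporary
directory and audits it against the demo's own uid because it runs
unprivileged.

```python
import hashlib
import os
import stat
import tempfile

HOOKS_DIR = "/etc/ganeti/hooks"  # directory named in this document


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _check_entry(rel, st, expected_uid):
    """Ownership and permission checks applied to the directory and each entry."""
    problems = []
    if st.st_uid != expected_uid:
        problems.append("%s: owned by uid %d, expected %d" % (rel, st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s: writable by group or others (mode %04o)"
                        % (rel, stat.S_IMODE(st.st_mode)))
    return problems


def audit_hooks_dir(hooks_dir, manifest, expected_uid=0):
    """Audit hooks_dir against manifest, a dict {relative path: sha256 hex digest}.

    Returns a list of problem strings; an empty list means every entry is owned
    by expected_uid (root by default), nothing is writable by group or others,
    no symlinks are present, every regular file is listed in the manifest with
    matching content, and nothing listed in the manifest is missing.
    """
    problems = _check_entry(".", os.lstat(hooks_dir), expected_uid)
    seen = set()
    for root, dirs, files in os.walk(hooks_dir):
        for name in dirs + files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, hooks_dir)
            st = os.lstat(full)  # lstat: never follow symlinks
            if stat.S_ISLNK(st.st_mode):
                # Whoever controls the link target controls what the node runs as root.
                problems.append("%s: is a symlink" % rel)
                continue
            problems.extend(_check_entry(rel, st, expected_uid))
            if stat.S_ISREG(st.st_mode):
                seen.add(rel)
                expected = manifest.get(rel)
                if expected is None:
                    problems.append("%s: not in manifest (unexpected hook)" % rel)
                elif sha256_file(full) != expected:
                    problems.append("%s: content differs from manifest" % rel)
    for rel in sorted(set(manifest) - seen):
        problems.append("%s: listed in manifest but missing" % rel)
    return problems


def demo_audit():
    """Audit a constructed hooks tree (sample data, not a real node) under four scenarios."""
    uid = os.getuid()  # the demo runs unprivileged, so it audits against its own uid
    base = tempfile.mkdtemp(prefix="ganeti-hooks-demo-")
    os.chmod(base, 0o755)
    phase_dir = os.path.join(base, "instance-add-post.d")
    os.mkdir(phase_dir)
    os.chmod(phase_dir, 0o755)
    hook = os.path.join(phase_dir, "10-notify")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(hook, 0o755)
    manifest = {"instance-add-post.d/10-notify": sha256_file(hook)}
    results = {"clean": audit_hooks_dir(base, manifest, uid)}
    os.chmod(hook, 0o777)  # scenario 1: the hook was made world-writable
    results["world_writable"] = audit_hooks_dir(base, manifest, uid)
    os.chmod(hook, 0o755)
    with open(hook, "a") as fh:  # scenario 2: the hook's content changed
        fh.write("echo tampered\n")
    results["tampered"] = audit_hooks_dir(base, manifest, uid)
    rogue = os.path.join(phase_dir, "99-rogue")  # scenario 3: an unlisted hook appeared
    with open(rogue, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(rogue, 0o755)
    results["rogue"] = audit_hooks_dir(base, manifest, uid)
    return results


if __name__ == "__main__":
    for scenario, problems in demo_audit().items():
        print("%s: %s" % (scenario, problems or "no problems"))
```

On a real node, keep the manifest outside the node (for instance with the
configuration management that deploys the hooks) and run
``audit_hooks_dir(HOOKS_DIR, manifest)`` as root from cron or a monitoring
agent; any non-empty result means something other than a trusted source
changed what the node daemon will execute as root.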

Cluster issues
--------------

As described above, there are multiple channels of communication between
cluster nodes:

- SSH-based, for high-volume traffic like image dumps or for low-level
  commands, e.g. restarting the Ganeti node daemon
- RPC communication between master and nodes
- DRBD real-time disk replication traffic

The SSH traffic is protected (after the initial login to a new node) by
the cluster-wide shared SSH key.

RPC communication between the master and nodes is protected using
SSL/TLS encryption. Both the client and the server must have the
cluster-wide shared SSL/TLS certificate and verify it when establishing
the connection by comparing fingerprints. We decided not to use a CA to
simplify the key handling.
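
What "verify it by comparing fingerprints" means for a client that has
no CA to validate against, as an added example written with the Python
standard library (it is not Ganeti's own RPC client code): chain
validation is disabled, the peer's DER certificate is fetched after the
handshake, and its digest is compared in constant time against the pin
stored on every node. ``SAMPLE_CERT_DER`` is constructed bytes, not a
real certificate, and the host, port and fingerprint passed to
``connect_pinned()`` are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate; not a real certificate.
SAMPLE_CERT_DER = b"constructed stand-in for a DER-encoded certificate"


def cert_fingerprint(der_cert, algorithm="sha256"):
    """Digest of a DER certificate as colon-separated upper-case hex pairs,
    the format printed by ``openssl x509 -fingerprint``."""
    hexdigest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fingerprint):
    """Drop colons, spaces and case so differently formatted copies of a pin compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(der_cert, expected_fingerprint, algorithm="sha256"):
    """Constant-time comparison of the presented certificate against the pinned fingerprint."""
    actual = normalize_fingerprint(cert_fingerprint(der_cert, algorithm))
    return hmac.compare_digest(actual, normalize_fingerprint(expected_fingerprint))


def make_pinned_client_context():
    """TLS client context for a deployment without a CA.

    Chain validation is switched off because there is nothing to validate
    against; the fingerprint check in connect_pinned() is what authenticates
    the peer, so a connection must never be used before that check passes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host, port, expected_fingerprint, timeout=10.0):
    """Open a TLS connection and refuse it unless the peer presents the pinned certificate."""
    ctx = make_pinned_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        peer_der = tls.getpeercert(binary_form=True)  # DER is returned even with CERT_NONE
        if peer_der is None or not fingerprint_matches(peer_der, expected_fingerprint):
            raise ssl.SSLError("peer certificate does not match the cluster fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


def demo_pin_check():
    """Exercise the pin check on the constructed sample bytes."""
    pin = cert_fingerprint(SAMPLE_CERT_DER)  # the value that would be stored cluster-wide
    return {
        "same": fingerprint_matches(SAMPLE_CERT_DER, pin),
        "reformatted": fingerprint_matches(SAMPLE_CERT_DER, pin.lower().replace(":", "")),
        "other": fingerprint_matches(SAMPLE_CERT_DER + b"!", pin),
    }
```

Two consequences worth keeping in mind with this design: because the key
and certificate are shared cluster-wide, a matching fingerprint proves
only that the peer holds the cluster's secret, not which node it is; and
replacing the certificate means updating the pin on every node at the
same time, since nothing else vouches for the new one.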

The DRBD traffic is not protected by encryption, as DRBD does not
support this. It's therefore recommended to implement host-level
firewalling or to use a separate range of IP addresses for the DRBD
traffic (this is supported in Ganeti) which is not routed outside the
cluster. DRBD connections are protected from connecting, due to bugs, to
other machines, and from accepting connections from other machines, by
using a shared secret, exchanged via RPC requests from the master to the
nodes when configuring the device.

Master daemon
-------------

Communication between the command-line tools and the master daemon is
done via a UNIX socket, whose permissions are reset to ``0600`` after
listening but before serving requests. This permission-based protection
is documented and works on Linux, but is not portable; however, Ganeti
doesn't work on non-Linux systems at the moment.
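
The socket setup described above, as an added example that is not the
master daemon's own code: the socket file is created under a restrictive
umask so it is never wider than ``0600``, and its mode is then explicitly
reset to ``0600`` after ``listen()`` and before any request would be
served, together with the check an auditor would run against the path.
The ``master.sock`` name under a temporary directory is a constructed
path for the demo, which runs unprivileged and therefore checks
ownership against its own uid rather than root.

```python
import os
import socket
import stat
import tempfile


def listen_private_unix_socket(path, backlog=5):
    """Create a listening AF_UNIX stream socket that only its owner may connect to."""
    if os.path.lexists(path):
        os.unlink(path)  # stale socket file from a previous run
    old_umask = os.umask(0o177)  # 0777 & ~0177 == 0600 already at creation time
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
        sock.listen(backlog)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)  # explicit reset after listen(), before serving requests
    return sock


def socket_mode(path):
    """Permission bits of the socket file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private_socket(path, expected_uid=0):
    """Auditor's view: the path is a socket, mode 0600, owned by expected_uid (root by default)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return (stat.S_ISSOCK(st.st_mode)
            and stat.S_IMODE(st.st_mode) == 0o600
            and st.st_uid == expected_uid)


def demo_socket():
    """Create the socket at a constructed temp path and report what an audit sees."""
    tmpdir = tempfile.mkdtemp(prefix="ganeti-sock-demo-")
    path = os.path.join(tmpdir, "master.sock")
    sock = listen_private_unix_socket(path)
    try:
        result = {
            "mode": socket_mode(path),
            "private": is_private_socket(path, os.getuid()),
            "wrong_owner": is_private_socket(path, os.getuid() + 1),
        }
        os.chmod(path, 0o666)  # what a misconfigured daemon would leave behind
        result["after_loosening"] = is_private_socket(path, os.getuid())
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(demo_socket())
```

On Linux, ``connect()`` to an AF_UNIX socket requires write permission on
the socket file, which is what makes the ``0600`` mode effective; that
enforcement is the Linux-specific behaviour the paragraph above refers
to. Setting the umask before ``bind()`` closes the window between
``listen()`` and ``chmod()`` in which a wider default mode would
otherwise be visible.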

Remote API
----------

Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS
by default. It supports Basic authentication as per :rfc:`2617`.

Paths for certificate, private key and CA files required for SSL/TLS
will be set at source configure time. Symlinks or command line
parameters may be used to use different files.

Inter-cluster instance moves
----------------------------

To move instances between clusters, different clusters must be able to
communicate with each other over a secure channel. Up to and including
Ganeti 2.1, clusters were self-contained entities and had no knowledge
of other clusters. With Ganeti 2.2, clusters can exchange data if tokens
(an encryption certificate) were exchanged by a trusted third party
beforehand.

KVM Security
------------

When running KVM instances under Ganeti three security models are
available: 'none', 'user' and 'pool'.

Under security model 'none' instances run by default as root. This means
that, if an instance gets jailbroken, it will be able to own the host
node, and thus the ganeti cluster. This is the default model, and the
only one available before Ganeti 2.1.2.

Under security model 'user' an instance is run as the user specified by
the hypervisor parameter 'security_domain'. This makes it easy to run
all instances as non-privileged users, and allows one to manually
allocate specific users to specific instances or sets of instances. If
the specified user doesn't have permissions, a jailbroken instance will
need some local privilege escalation before being able to take over the
node and the cluster. It's possible though for a jailbroken instance to
affect other ones running under the same user.

Under security model 'pool' a global cluster-level uid pool is used to
start each instance on the same node under a different user. The uids in
the cluster pool can be set with ``gnt-cluster init`` and ``gnt-cluster
modify``, and must correspond to existing users on all nodes. Ganeti
will then allocate one to each instance, as needed. This way a
jailbroken instance won't be able to affect any other. Since the users
are handed out by ganeti in a per-node randomized way, in this mode
there is no way to make sure a particular instance is always run as a
certain user. Use mode 'user' for that.

In addition to these precautions, if you want to avoid instances sending
traffic on your node network, you can use an iptables rule such as::

  iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j LOG \
    --log-prefix "ganeti uid pool user network traffic"
  iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j DROP

This won't affect regular instance traffic (that comes out of the tapX
allocated to the instance, and can be filtered or subject to appropriate
policy routes) but will stop any user-generated traffic that might come
from a jailbroken instance.
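
A pre-flight check for the 'pool' model, as an added example that is not
part of Ganeti's tools: it parses a uid pool specification, verifies on
the local node that every uid in it corresponds to an existing user (the
requirement stated above), and emits the LOG and DROP ``OUTPUT`` rules
from this document once per contiguous uid range. The comma-separated
range syntax of ``parse_uid_pool()`` is this example's assumption (check
the ``gnt-cluster`` manual page for the exact form Ganeti accepts), and
the pool ``1000-1002,2000`` in ``demo_pool_check()`` is a constructed
sample.

```python
import os
import pwd


def parse_uid_pool(spec):
    """Parse a spec such as "1000-1002,2000" into a sorted list of distinct uids.

    The comma-separated range syntax is this example's assumption.
    """
    uids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low > high:
                raise ValueError("invalid uid range: %s" % part)
            uids.update(range(low, high + 1))
        else:
            uids.add(int(part))
    if any(uid < 0 for uid in uids):
        raise ValueError("negative uid in pool")
    return sorted(uids)


def missing_local_users(uids):
    """Uids from the pool that have no entry in this node's user database."""
    missing = []
    for uid in uids:
        try:
            pwd.getpwuid(uid)
        except KeyError:
            missing.append(uid)
    return missing


def collapse_ranges(uids):
    """Collapse a sorted uid list into contiguous (low, high) pairs."""
    ranges = []
    for uid in uids:
        if ranges and uid == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], uid)
        else:
            ranges.append((uid, uid))
    return ranges


def iptables_egress_rules(uids, log_prefix="ganeti uid pool user network traffic"):
    """The LOG + DROP OUTPUT rules from this document, one pair per contiguous uid range."""
    rules = []
    for low, high in collapse_ranges(sorted(set(uids))):
        owner = str(low) if low == high else "%d-%d" % (low, high)
        rules.append('iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "%s"'
                     % (owner, log_prefix))
        rules.append("iptables -A OUTPUT -m owner --uid-owner %s -j DROP" % owner)
    return rules


def demo_pool_check():
    """Run the checks over a constructed pool spec (sample values, not a real cluster's pool)."""
    uids = parse_uid_pool("1000-1002,2000")
    return {
        "uids": uids,
        "ranges": collapse_ranges(uids),
        "rules": iptables_egress_rules(uids),
        # The demo's own uid must exist locally; the huge uid is assumed not to.
        "missing_self": missing_local_users([os.getuid()]),
        "missing_bogus": missing_local_users([1999999999]),
    }


if __name__ == "__main__":
    report = demo_pool_check()
    print("uids missing on this node:", report["missing_bogus"])
    print("\n".join(report["rules"]))
```

Run ``missing_local_users(parse_uid_pool(spec))`` on every node before
``gnt-cluster init`` or ``gnt-cluster modify``: a uid that exists on
some nodes but not others is exactly what the "existing users on all
nodes" requirement rules out, and the generated rules then cover the
whole pool without leaving a range unfiltered.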

.. vim: set textwidth=72 :
.. Local Variables:
.. mode: rst
.. fill-column: 72
.. End: