Revision d70571bb doc/security.rst
b/doc/security.rst | ||
---|---|---|
50 | 50 |
drbd devices, start/stop instances, etc; |
51 | 51 |
- run well-defined SSH commands on other nodes in the cluster |
52 | 52 |
- scripts under the ``/etc/ganeti/hooks`` directory |
53 |
- scripts under the ``/etc/ganeti/restricted-commands`` directory, if |
|
54 |
this feature has been enabled at build time (see below) |
|
53 | 55 |
|
54 | 56 |
It is therefore important to make sure that the contents of the |
55 |
``/etc/ganeti/hooks`` directory is supervised and only trusted sources |
|
56 |
can populate it. |
|
57 |
``/etc/ganeti/hooks`` and ``/etc/ganeti/restricted-commands`` |
|
58 |
directories are supervised and only trusted sources can populate them. |
|
59 |
|
|
60 |
Restricted commands |
|
61 |
~~~~~~~~~~~~~~~~~~~ |
|
62 |
|
|
63 |
The restricted commands feature is new in Ganeti 2.7. It enables the |
|
64 |
administrator to run any commands in the |
|
65 |
``/etc/ganeti/restricted-commands`` directory, if the feature has been |
|
66 |
enabled at build time, subject to the following restrictions: |
|
67 |
|
|
68 |
- No parameters may be passed |
|
69 |
- No absolute or relative path may be passed, only a filename |
|
70 |
- The ``/etc/ganeti/restricted-commands`` directory must |
|
71 |
be owned by root:root and have mode 0755 or stricter |
|
72 |
- Executables must be regular files or symlinks, and must be executable |
|
73 |
by root:root |
|
74 |
|
|
75 |
Note that it's not possible to list the contents of the directory, and |
|
76 |
there is an intentional delay when trying to execute a non-existing |
|
77 |
command (to slow-down dictionary attacks). |
|
78 |
|
|
79 |
Since for Ganeti itself this functionality is not needed, and is only |
|
80 |
provided as a way to help administrate or recover nodes, it is a local |
|
81 |
site decision whether to enable or not the restricted commands feature. |
|
82 |
|
|
83 |
By default, this feature is disabled. |
|
84 |
|
|
57 | 85 |
|
58 | 86 |
Cluster issues |
59 | 87 |
-------------- |
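Review bot: the restriction list in the new "Restricted commands" section allows symlinks but does not say whether the symlink target is checked with the same rules; a symlink in a root-owned 0755 directory can still point at a file writable by an unprivileged user, so the text should state explicitly what is verified about the target (ownership, mode, regular file) or that symlinks pointing outside the directory are rejected. The bullet "must be executable by root:root" is also ambiguous (owned by root:root and executable, or merely executable by root?); spell out the ownership and the required absence of group/other write permission as the directory bullet does. Two wording nits in the same hunk: "(to slow-down dictionary attacks)" should be "(to slow down dictionary attacks)", and "whether to enable or not the restricted commands feature" reads better as "whether or not to enable the restricted commands feature".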
... | ... | |
94 | 122 |
and works on Linux, but is not-portable; however, Ganeti doesn't work on |
95 | 123 |
non-Linux system at the moment. |
96 | 124 |
|
125 |
Conf daemon |
|
126 |
----------- |
|
127 |
|
|
128 |
In Ganeti 2.7, the ``confd`` daemon (if enabled at build time), serves |
|
129 |
both network-originated queries (about the static configuration) and |
|
130 |
local (UNIX socket) queries (about the run-time configuration; answering |
|
131 |
these means talking to other cluster nodes, which makes use of the |
|
132 |
internal RPC SSL certificate). This makes it a bit more sensitive to |
|
133 |
bugs (a remote attacker could get direct access to the intra-cluster |
|
134 |
RPC), so to harden security it's recommended to: |
|
135 |
|
|
136 |
- disable confd at build time if it's not needed in your setup |
|
137 |
- otherwise, configure Ganeti (at build time) to use separate users, so |
|
138 |
that the confd daemon doesn't also have access to the server SSL/TLS |
|
139 |
certificates |
|
140 |
|
|
141 |
It is planned to split the two functionalities (local/remote querying) |
|
142 |
of confd into two separate daemons in a future Ganeti version. |
|
143 |
|
|
97 | 144 |
Remote API |
98 | 145 |
---------- |
99 | 146 |
|
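Review bot: the hardening bullet "configure Ganeti (at build time) to use separate users" does not tell the reader which configure option performs the split or which user and group ``confd`` runs as afterwards, so an administrator cannot verify that the server SSL/TLS certificates are in fact unreadable by that user; name the option (or cross-reference the section of the install documentation that describes the user split) and state the expected ownership of the certificate files. The last paragraph announcing the planned split of local/remote querying into two daemons should point at the corresponding design document if one exists, otherwise it is a roadmap statement in a security chapter with nothing to track it. Minor: "it's recommended to:" would read more consistently with the rest of the document as "we recommend that you:".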