Revision d70571bb doc/security.rst
| b/doc/security.rst | ||
|---|---|---|
| 50 | 50 |
drbd devices, start/stop instances, etc; |
| 51 | 51 |
- run well-defined SSH commands on other nodes in the cluster |
| 52 | 52 |
- scripts under the ``/etc/ganeti/hooks`` directory |
| 53 |
- scripts under the ``/etc/ganeti/restricted-commands`` directory, if |
|
| 54 |
this feature has been enabled at build time (see below) |
|
| 53 | 55 |
|
| 54 | 56 |
It is therefore important to make sure that the contents of the |
| 55 |
``/etc/ganeti/hooks`` directory is supervised and only trusted sources |
|
| 56 |
can populate it. |
|
| 57 |
``/etc/ganeti/hooks`` and ``/etc/ganeti/restricted-commands`` |
|
| 58 |
directories are supervised and only trusted sources can populate them. |
|
| 59 |
|
|
| 60 |
Restricted commands |
|
| 61 |
~~~~~~~~~~~~~~~~~~~ |
|
| 62 |
|
|
| 63 |
The restricted commands feature is new in Ganeti 2.7. It enables the |
|
| 64 |
administrator to run any commands in the |
|
| 65 |
``/etc/ganeti/restricted-commands`` directory, if the feature has been |
|
| 66 |
enabled at build time, subject to the following restrictions: |
|
| 67 |
|
|
| 68 |
- No parameters may be passed |
|
| 69 |
- No absolute or relative path may be passed, only a filename |
|
| 70 |
- The ``/etc/ganeti/restricted-commands`` directory must |
|
| 71 |
be owned by root:root and have mode 0755 or stricter |
|
| 72 |
- Executables must be regular files or symlinks, and must be executable |
|
| 73 |
by root:root |
|
| 74 |
|
|
| 75 |
Note that it's not possible to list the contents of the directory, and |
|
| 76 |
there is an intentional delay when trying to execute a non-existing |
|
| 77 |
command (to slow-down dictionary attacks). |
|
| 78 |
|
|
| 79 |
Since for Ganeti itself this functionality is not needed, and is only |
|
| 80 |
provided as a way to help administrate or recover nodes, it is a local |
|
| 81 |
site decision whether to enable or not the restricted commands feature. |
|
| 82 |
|
|
| 83 |
By default, this feature is disabled. |
|
| 84 |
|
|
| 57 | 85 |
|
| 58 | 86 |
Cluster issues |
| 59 | 87 |
-------------- |
| ... | ... | |
| 94 | 122 |
and works on Linux, but is not-portable; however, Ganeti doesn't work on |
| 95 | 123 |
non-Linux system at the moment. |
| 96 | 124 |
|
| 125 |
Conf daemon |
|
| 126 |
----------- |
|
| 127 |
|
|
| 128 |
In Ganeti 2.7, the ``confd`` daemon (if enabled at build time), serves |
|
| 129 |
both network-originated queries (about the static configuration) and |
|
| 130 |
local (UNIX socket) queries (about the run-time configuration; answering |
|
| 131 |
these means talking to other cluster nodes, which makes use of the |
|
| 132 |
internal RPC SSL certificate). This makes it a bit more sensitive to |
|
| 133 |
bugs (a remote attacker could get direct access to the intra-cluster |
|
| 134 |
RPC), so to harden security it's recommended to: |
|
| 135 |
|
|
| 136 |
- disable confd at build time if it's not needed in your setup |
|
| 137 |
- otherwise, configure Ganeti (at build time) to use separate users, so |
|
| 138 |
that the confd daemon doesn't also have access to the server SSL/TLS |
|
| 139 |
certificates |
|
| 140 |
|
|
| 141 |
It is planned to split the two functionalities (local/remote querying) |
|
| 142 |
of confd into two separate daemons in a future Ganeti version. |
|
| 143 |
|
|
| 97 | 144 |
Remote API |
| 98 | 145 |
---------- |
| 99 | 146 |
|
Also available in: Unified diff