root / SECURITY @ 4fbe765c
History | View | Annotate | Download (3.6 kB)
1 |
Security in Ganeti |
---|---|
2 |
~~~~~~~~~~~~~~~~~~ |
3 |
|
4 |
Ganeti was developed to run on internal, trusted systems. As such, the |
5 |
security model is all-or-nothing. |
6 |
|
7 |
All the Ganeti code runs as root, because all the operations that Ganeti |
8 |
is doing require privileges: creating logical volumes, drbd devices, |
9 |
starting instances, etc. Running as root does not mean setuid, but that |
10 |
you need to be root to run the cluster commands. |
11 |
|
12 |
Host issues |
13 |
----------- |
14 |
|
15 |
For a host on which the Ganeti software has been installed, but not joined to a |
16 |
cluster, there are no changes to the system. |
17 |
|
18 |
For a host that has been joined to the cluster, there are very important |
19 |
changes: |
20 |
- The host will have its SSH host key replaced with the one of the |
21 |
cluster (which is the one the initial node had at the cluster |
22 |
creation) |
23 |
- A new public key will be added to root's authorized_keys file, granting |
24 |
root access to all nodes of the cluster. The private part of the key |
25 |
is also distributed to all nodes. Old files are renamed. |
26 |
- Communication between nodes is encrypted using SSL/TLS. A common |
27 |
key and certificate combo is shared between all nodes of the cluster. |
28 |
At this time, no CA is used. |
29 |
- The Ganeti node daemon will accept RPC requests from any host within the |
30 |
cluster with the correct certificate, and the operations it will do as a |
31 |
result of these requests are: |
32 |
- running commands under the /etc/ganeti/hooks directory |
33 |
- creating DRBD disks between it and the IP it has been told |
34 |
- overwrite a defined list of files on the host |
35 |
|
36 |
As you can see, as soon as a node is joined, it becomes equal to all |
37 |
other nodes in the cluster, and the security of the cluster is |
38 |
determined by the weakest node. |
39 |
|
40 |
Note that only the SSH key will allow other machines to run random |
41 |
commands on this node; the RPC method will run only: |
42 |
- well defined commands to create, remove, activate logical volumes, |
43 |
drbd devices, start/stop instances, etc; |
44 |
- run SSH commands on other nodes in the cluster, again well-defined |
45 |
- scripts under the /etc/ganeti/hooks directory |
46 |
|
47 |
It is therefore important to make sure that the contents of the |
48 |
/etc/ganeti/hooks directory is supervised and only trusted sources can |
49 |
populate it. |
50 |
|
51 |
Cluster issues |
52 |
-------------- |
53 |
|
54 |
As told above, there are multiple ways of communication between cluster |
55 |
nodes: |
56 |
- SSH-based, for high-volume traffic like image dumps or for low-level |
57 |
command, e.g. restarting the Ganeti node daemon |
58 |
- RPC communication between master and nodes |
59 |
- DRBD real-time disk replication traffic |
60 |
|
61 |
The SSH traffic is protected (after the initial login to a new node) by |
62 |
the cluster-wide shared SSH key. |
63 |
|
64 |
RPC communication between the master and nodes is protected using SSL/TLS |
65 |
encryption. Both the client and the server must have the cluster-widely |
66 |
shared SSL/TLS certificate and verify it when establishing the connection |
67 |
by comparing fingerprints. We decided not to use a CA to simplify the |
68 |
key handling. |
69 |
|
70 |
The DRBD traffic is not protected by encryption. DRBD does not support |
71 |
traffic encryption. It's therefore recommended to implement host-level |
72 |
firewalling or to use a separate range of IP addresses for the DRBD |
73 |
traffic (this is supported in Ganeti) which is not routed outside the |
74 |
cluster. DRBD connections are protected from connecting to random other |
75 |
machines by using a shared secret exchanged via RPC requests when |
76 |
starting the device. |
77 |
|
78 |
Remote API |
79 |
---------- |
80 |
|
81 |
Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS by |
82 |
default. It supports Basic authentication as per RFC2617. |
83 |
|
84 |
Paths for certificate, private key and CA files required for SSL/TLS will |
85 |
be set at source configure time. Symlinks or command line parameters may |
86 |
be used to use different files. |