Statistics
| Branch: | Tag: | Revision:

root / doc / security.rst @ 54f834df

History | View | Annotate | Download (6.6 kB)

1 28cc354f Iustin Pop
Security in Ganeti
2 6884c0ca Iustin Pop
==================
3 28cc354f Iustin Pop
4 28cc354f Iustin Pop
Ganeti was developed to run on internal, trusted systems. As such, the
5 28cc354f Iustin Pop
security model is all-or-nothing.
6 28cc354f Iustin Pop
7 28cc354f Iustin Pop
All the Ganeti code runs as root, because all the operations that Ganeti
8 bd028152 Iustin Pop
is doing require privileges: creating logical volumes, drbd devices,
9 28cc354f Iustin Pop
starting instances, etc. Running as root does not mean setuid, but that
10 28cc354f Iustin Pop
you need to be root to run the cluster commands.
11 28cc354f Iustin Pop
12 28cc354f Iustin Pop
Host issues
13 28cc354f Iustin Pop
-----------
14 28cc354f Iustin Pop
15 7faf5110 Michael Hanselmann
For a host on which the Ganeti software has been installed, but not
16 7faf5110 Michael Hanselmann
joined to a cluster, there are no changes to the system.
17 28cc354f Iustin Pop
18 28cc354f Iustin Pop
For a host that has been joined to the cluster, there are very important
19 28cc354f Iustin Pop
changes:
20 6884c0ca Iustin Pop
21 6884c0ca Iustin Pop
- The host will have its SSH host key replaced with the one of the
22 6884c0ca Iustin Pop
  cluster (which is the one the initial node had at the cluster
23 6884c0ca Iustin Pop
  creation)
24 6884c0ca Iustin Pop
- A new public key will be added to root's authorized_keys file,
25 6884c0ca Iustin Pop
  granting root access to all nodes of the cluster. The private part of
26 6884c0ca Iustin Pop
  the key is also distributed to all nodes. Old files are renamed.
27 6884c0ca Iustin Pop
- Communication between nodes is encrypted using SSL/TLS. A common key
28 6884c0ca Iustin Pop
  and certificate combo is shared between all nodes of the cluster.  At
29 6884c0ca Iustin Pop
  this time, no CA is used.
30 6884c0ca Iustin Pop
- The Ganeti node daemon will accept RPC requests from any host within
31 6884c0ca Iustin Pop
  the cluster with the correct certificate, and the operations it will
32 6884c0ca Iustin Pop
  do as a result of these requests are:
33 6884c0ca Iustin Pop
34 6884c0ca Iustin Pop
  - running commands under the /etc/ganeti/hooks directory
35 6884c0ca Iustin Pop
  - creating DRBD disks between it and the IP it has been told
36 6884c0ca Iustin Pop
  - overwrite a defined list of files on the host
37 28cc354f Iustin Pop
38 28cc354f Iustin Pop
As you can see, as soon as a node is joined, it becomes equal to all
39 28cc354f Iustin Pop
other nodes in the cluster, and the security of the cluster is
40 28cc354f Iustin Pop
determined by the weakest node.
41 28cc354f Iustin Pop
42 4fbe765c Michael Hanselmann
Note that only the SSH key will allow other machines to run random
43 28cc354f Iustin Pop
commands on this node; the RPC method will run only:
44 6884c0ca Iustin Pop
45 6884c0ca Iustin Pop
- well defined commands to create, remove, activate logical volumes,
46 6884c0ca Iustin Pop
  drbd devices, start/stop instances, etc;
47 6884c0ca Iustin Pop
- run SSH commands on other nodes in the cluster, again well-defined
48 6884c0ca Iustin Pop
- scripts under the /etc/ganeti/hooks directory
49 28cc354f Iustin Pop
50 28cc354f Iustin Pop
It is therefore important to make sure that the contents of the
51 28cc354f Iustin Pop
/etc/ganeti/hooks directory is supervised and only trusted sources can
52 28cc354f Iustin Pop
populate it.
53 28cc354f Iustin Pop
54 28cc354f Iustin Pop
Cluster issues
55 28cc354f Iustin Pop
--------------
56 28cc354f Iustin Pop
57 28cc354f Iustin Pop
As told above, there are multiple ways of communication between cluster
58 28cc354f Iustin Pop
nodes:
59 6884c0ca Iustin Pop
60 6884c0ca Iustin Pop
- SSH-based, for high-volume traffic like image dumps or for low-level
61 6884c0ca Iustin Pop
  command, e.g. restarting the Ganeti node daemon
62 6884c0ca Iustin Pop
- RPC communication between master and nodes
63 6884c0ca Iustin Pop
- DRBD real-time disk replication traffic
64 28cc354f Iustin Pop
65 4fbe765c Michael Hanselmann
The SSH traffic is protected (after the initial login to a new node) by
66 4fbe765c Michael Hanselmann
the cluster-wide shared SSH key.
67 28cc354f Iustin Pop
68 7faf5110 Michael Hanselmann
RPC communication between the master and nodes is protected using
69 7faf5110 Michael Hanselmann
SSL/TLS encryption. Both the client and the server must have the
70 7faf5110 Michael Hanselmann
cluster-wide shared SSL/TLS certificate and verify it when establishing
71 7faf5110 Michael Hanselmann
the connection by comparing fingerprints. We decided not to use a CA to
72 7faf5110 Michael Hanselmann
simplify the key handling.
73 28cc354f Iustin Pop
74 6884c0ca Iustin Pop
The DRBD traffic is not protected by encryption, as DRBD does not
75 6884c0ca Iustin Pop
support this. It's therefore recommended to implement host-level
76 888891c7 Michael Hanselmann
firewalling or to use a separate range of IP addresses for the DRBD
77 888891c7 Michael Hanselmann
traffic (this is supported in Ganeti) which is not routed outside the
78 6884c0ca Iustin Pop
cluster. DRBD connections are protected from connecting due to bugs to
79 6884c0ca Iustin Pop
other machines, and from accepting connections from other machines, by
80 6884c0ca Iustin Pop
using a shared secret, exchanged via RPC requests from the master to the
81 6884c0ca Iustin Pop
nodes when configuring the device.
82 6884c0ca Iustin Pop
83 6884c0ca Iustin Pop
Master daemon
84 6884c0ca Iustin Pop
-------------
85 6884c0ca Iustin Pop
86 7faf5110 Michael Hanselmann
The command-line tools to master daemon communication is done via an
87 7faf5110 Michael Hanselmann
UNIX socket, whose permissions are reset to ``0600`` after listening but
88 7faf5110 Michael Hanselmann
before serving requests. This permission-based protection is documented
89 7faf5110 Michael Hanselmann
and works on Linux, but is not-portable; however, Ganeti doesn't work on
90 7faf5110 Michael Hanselmann
non-Linux system at the moment.
91 4fbe765c Michael Hanselmann
92 4fbe765c Michael Hanselmann
Remote API
93 4fbe765c Michael Hanselmann
----------
94 4fbe765c Michael Hanselmann
95 7faf5110 Michael Hanselmann
Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS
96 a4978169 Michael Hanselmann
by default. It supports Basic authentication as per :rfc:`2617`.
97 4fbe765c Michael Hanselmann
98 7faf5110 Michael Hanselmann
Paths for certificate, private key and CA files required for SSL/TLS
99 7faf5110 Michael Hanselmann
will be set at source configure time. Symlinks or command line
100 7faf5110 Michael Hanselmann
parameters may be used to use different files.
101 558fd122 Michael Hanselmann
102 5b2069a9 Michael Hanselmann
Inter-cluster instance moves
103 5b2069a9 Michael Hanselmann
----------------------------
104 5b2069a9 Michael Hanselmann
105 5b2069a9 Michael Hanselmann
To move instances between clusters, different clusters must be able to
106 5b2069a9 Michael Hanselmann
communicate with each other over a secure channel. Up to and including
107 5b2069a9 Michael Hanselmann
Ganeti 2.1, clusters were self-contained entities and had no knowledge
108 5b2069a9 Michael Hanselmann
of other clusters. With Ganeti 2.2, clusters can exchange data if tokens
109 5b2069a9 Michael Hanselmann
(an encryption certificate) was exchanged by a trusted third party
110 5b2069a9 Michael Hanselmann
before.
111 5b2069a9 Michael Hanselmann
112 4e9dcb8a Guido Trotter
KVM Security
113 4e9dcb8a Guido Trotter
------------
114 4e9dcb8a Guido Trotter
115 4e9dcb8a Guido Trotter
When running KVM instances under Ganeti three security models ara
116 4e9dcb8a Guido Trotter
available: 'none', 'user' and 'pool'.
117 4e9dcb8a Guido Trotter
118 4e9dcb8a Guido Trotter
Under security model 'none' instances run by default as root. This means
119 4e9dcb8a Guido Trotter
that, if an instance gets jail broken, it will be able to own the host
120 4e9dcb8a Guido Trotter
node, and thus the ganeti cluster. This is the default model, and the
121 4e9dcb8a Guido Trotter
only one available before Ganeti 2.1.2.
122 4e9dcb8a Guido Trotter
123 4e9dcb8a Guido Trotter
Under security model 'user' an instance is run as the user specified by
124 4e9dcb8a Guido Trotter
the hypervisor parameter 'security_domain'. This makes it easy to run
125 f7b769b1 Iustin Pop
all instances as non privileged users, and allows one to manually
126 f7b769b1 Iustin Pop
allocate specific users to specific instances or sets of instances. If
127 f7b769b1 Iustin Pop
the specified user doesn't have permissions a jail broken instance will
128 f7b769b1 Iustin Pop
need some local privilege escalation before being able to take over the
129 f7b769b1 Iustin Pop
node and the cluster. It's possible though for a jail broken instance to
130 4e9dcb8a Guido Trotter
affect other ones running under the same user.
131 4e9dcb8a Guido Trotter
132 4e9dcb8a Guido Trotter
Under security model 'pool' a global cluster-level uid pool is used to
133 4e9dcb8a Guido Trotter
start each instance on the same node under a different user. The uids in
134 4e9dcb8a Guido Trotter
the cluster pool can be set with ``gnt-cluster init`` and ``gnt-cluster
135 4e9dcb8a Guido Trotter
modify``, and must correspond to existing users on all nodes. Ganeti
136 4e9dcb8a Guido Trotter
will then allocate one to each instance, as needed. This way a jail
137 4e9dcb8a Guido Trotter
broken instance won't be able to affect any other. Since the users are
138 4e9dcb8a Guido Trotter
handed out by ganeti in a per-node randomized way, in this mode there is
139 4e9dcb8a Guido Trotter
no way to make sure a particular instance is always run as a certain
140 4e9dcb8a Guido Trotter
user. Use mode 'user' for that.
141 4e9dcb8a Guido Trotter
142 4e9dcb8a Guido Trotter
In addition to these precautions, if you want to avoid instances sending
143 4e9dcb8a Guido Trotter
traffic on your node network, you can use an iptables rule such as::
144 4e9dcb8a Guido Trotter
145 4e9dcb8a Guido Trotter
  iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j LOG \
146 4e9dcb8a Guido Trotter
    --log-prefix "ganeti uid pool user network traffic"
147 4e9dcb8a Guido Trotter
  iptables -A OUTPUT -m owner --uid-owner <uid>[-<uid>] -j DROP
148 4e9dcb8a Guido Trotter
149 4e9dcb8a Guido Trotter
This won't affect regular instance traffic (that comes out of the tapX
150 4e9dcb8a Guido Trotter
allocated to the instance, and can be filtered or subject to appropriate
151 4e9dcb8a Guido Trotter
policy routes) but will stop any user generated traffic that might come
152 4e9dcb8a Guido Trotter
from a jailbroken instance.
153 4e9dcb8a Guido Trotter
154 558fd122 Michael Hanselmann
.. vim: set textwidth=72 :
155 c71a1a3d Iustin Pop
.. Local Variables:
156 c71a1a3d Iustin Pop
.. mode: rst
157 c71a1a3d Iustin Pop
.. fill-column: 72
158 c71a1a3d Iustin Pop
.. End: