Revision d14c222a
| b/doc/design-2.3.rst | ||
|---|---|---|
| 723 | 723 |
============================ =================== ==================== |
| 724 | 724 |
|
| 725 | 725 |
|
| 726 |
Privilege Separation |
|
| 727 |
-------------------- |
|
| 728 |
|
|
| 729 |
Current state and short comings |
|
| 730 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
| 731 |
|
|
| 732 |
As of Ganeti 2.2 we introduced privilege separation. This was affecting |
|
| 733 |
just Ganeti RAPI and also that just in a quickly short term solution. In |
|
| 734 |
this release we iterate again over it and make it more advanced and |
|
| 735 |
stable. This also means we'll remove the privilege separation again from |
|
| 736 |
the core and put it completely external so the daemons will be started |
|
| 737 |
on the final user already. |
|
| 738 |
|
|
| 739 |
Additionally this involves removing SSH code out auf bootstrap and core |
|
| 740 |
component and put it into a separate script. This means every |
|
| 741 |
daemon/script will assume that a working ssh setup is in place. |
|
| 742 |
|
|
| 743 |
Implementation |
|
| 744 |
~~~~~~~~~~~~~~ |
|
| 745 |
|
|
| 746 |
We need to partially revert changes done in Ganeti 2.2 to move on the |
|
| 747 |
long term solution. This involves removing the drop privileges code in |
|
| 748 |
``daemons.py`` as this is already done on startup time by |
|
| 749 |
``start-stop-daemon`` util. |
|
| 750 |
|
|
| 751 |
The ssh code will be separated into one single script called upon |
|
| 752 |
``gnt-node add`` which guarantees that the SSH setup is done and |
|
| 753 |
functioning. |
|
| 754 |
|
|
| 755 |
Additionally some of the utils.WriteFile calls needs to be adjusted |
|
| 756 |
for the new permissions and ownerships. |
|
| 757 |
|
|
| 758 |
Security Domains |
|
| 759 |
~~~~~~~~~~~~~~~~ |
|
| 760 |
|
|
| 761 |
In order to separate the permissions of file sets we separate them |
|
| 762 |
into the following 3 overall security domain chunks: |
|
| 763 |
|
|
| 764 |
1. Public: ``0755`` respectively ``0644`` |
|
| 765 |
2. Ganeti wide: shared between the daemons (gntdaemons) |
|
| 766 |
3. Secret files: shared just between a specified set of daemons/users |
|
| 767 |
|
|
| 768 |
So for point 3 this tables shows the correlation of the sets to groups |
|
| 769 |
and their users: |
|
| 770 |
|
|
| 771 |
=== ========== ============================== ========================== |
|
| 772 |
Set Group Users Description |
|
| 773 |
=== ========== ============================== ========================== |
|
| 774 |
A gntrapi gntrapi, gntmasterd Share data between |
|
| 775 |
gntrapi & gntmasterd |
|
| 776 |
B gntadmins gntrapi, gntmasterd, *users* Shared between users who |
|
| 777 |
needs to call gntmasterd |
|
| 778 |
C gntconfd gntconfd, gntmasterd Share data between |
|
| 779 |
gntconfd & gntmasterd |
|
| 780 |
D gntmasterd gntmasterd masterd only; Currently |
|
| 781 |
only to redistribute the |
|
| 782 |
configuration, has access |
|
| 783 |
to all files under |
|
| 784 |
``lib/ganeti`` |
|
| 785 |
E gntdaemons gntmasterd, gntrapi, gntconfd Shared between the various |
|
| 786 |
Ganeti daemons to exchange |
|
| 787 |
data |
|
| 788 |
=== ========== ============================== ========================== |
|
| 789 |
|
|
| 790 |
Restricted commands |
|
| 791 |
~~~~~~~~~~~~~~~~~~~ |
|
| 792 |
|
|
| 793 |
The following commands needs still root to fulfill their functions: |
|
| 794 |
|
|
| 795 |
:: |
|
| 796 |
|
|
| 797 |
gnt-cluster {init|destroy|command|copyfile|rename|masterfailover|renew-crypto}
|
|
| 798 |
gnt-node {add|remove}
|
|
| 799 |
gnt-instance {console}
|
|
| 800 |
|
|
| 801 |
Directory structure & permissions |
|
| 802 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
| 803 |
|
|
| 804 |
Here's how we propose to change the filesystem hierachy and their |
|
| 805 |
permissions. |
|
| 806 |
|
|
| 807 |
Assuming it follows the defaults: ``gnt${daemon}`` for user and
|
|
| 808 |
the groups from the section `Security Domains`_:: |
|
| 809 |
|
|
| 810 |
${localstatedir}/lib/ganeti/ (0755; gntmasterd:gntmasterd)
|
|
| 811 |
cluster-domain-secret (0600; gntmasterd:gntmasterd) |
|
| 812 |
config.data (0640; gntmasterd:gntconfd) |
|
| 813 |
hmac.key (0440; gntmasterd:gntconfd) |
|
| 814 |
known_host (0644; gntmasterd:gntmasterd) |
|
| 815 |
queue/ (0700; gntmasterd:gntmasterd) |
|
| 816 |
archive/ (0700; gntmasterd:gntmasterd) |
|
| 817 |
* (0600; gntmasterd:gntmasterd) |
|
| 818 |
* (0600; gntmasterd:gntmasterd) |
|
| 819 |
rapi.pem (0440; gntrapi:gntrapi) |
|
| 820 |
rapi_users (0640; gntrapi:gntrapi) |
|
| 821 |
server.pem (0440; gntmasterd:gntmasterd) |
|
| 822 |
ssconf_* (0444; root:gntmasterd) |
|
| 823 |
uidpool/ (0750; root:gntmasterd) |
|
| 824 |
watcher.data (0600; root:gntmasterd) |
|
| 825 |
${localstatedir}/run/ganeti/ (0770; gntmasterd:gntdaemons)
|
|
| 826 |
socket/ (0750; gntmasterd:gntadmins) |
|
| 827 |
ganeti-master (0770; gntmasterd:gntadmins) |
|
| 828 |
${localstatedir}/log/ganeti/ (0770; gntmasterd:gntdaemons)
|
|
| 829 |
master-daemon.log (0600; gntmasterd:gntdaemons) |
|
| 830 |
rapi-daemon.log (0600; gntrapi:gntdaemons) |
|
| 831 |
conf-daemon.log (0600; gntconfd:gntdaemons) |
|
| 832 |
node-daemon.log (0600; gntnoded:gntdaemons) |
|
| 833 |
|
|
| 834 |
|
|
| 726 | 835 |
Feature changes |
| 727 | 836 |
=============== |
| 728 | 837 |
|
Also available in: Unified diff