root / SECURITY @ f3e513ad (annotated revision 28cc354f, author Iustin Pop)
Security in Ganeti
~~~~~~~~~~~~~~~~~~

Ganeti was developed to run on internal, trusted systems. As such, the
security model is all-or-nothing: there is no partial or per-user
privilege, and whoever can run the cluster commands can do anything on
any node.

All the Ganeti code runs as root, because every operation Ganeti
performs requires privileges: creating logical volumes and md arrays,
starting instances, and so on. Running as root does not mean setuid
binaries; it means you must already be root to run the cluster
commands.

Host issues
-----------

For a host on which the Ganeti software has been installed but which has
not been joined to a cluster, there are no changes to the system.

For a host that has been joined to a cluster, there are very important
changes:
- the host will have its ssh host key replaced with the cluster's (which
  is the one the initial node had at cluster creation), so every node
  presents the same host key and ssh host-key checking no longer tells
  one node from another
- root will have a public key added to its authorized_keys file which
  grants access to all other nodes in the cluster; furthermore the host
  will also receive the private part of this key, which allows it to log
  in as root to every other node in the cluster (its previous private
  key is backed up)
- the Ganeti node daemon will accept RPC requests from any host which
  has the cluster shared secret, and the operations it will perform as a
  result of these requests are:
  - running commands under the /etc/ganeti/hooks directory
  - creating DRBD disks between itself and whatever IP address the
    request names
  - overwriting a defined list of files on the host

As you can see, as soon as a node is joined it becomes equal to all
other nodes in the cluster, and the security of the whole cluster is
determined by its weakest node: root on any one node is root on all of
them.

Note that only the ssh key allows other machines to run arbitrary
commands on this node; the RPC method will run only:
- well-defined commands to create, remove and activate logical volumes,
  DRBD disks and md arrays, start and stop instances, etc.;
- ssh commands on other nodes in the cluster, again well-defined;
- scripts under the /etc/ganeti/hooks directory.

The hooks are therefore the one place where the RPC interface turns into
arbitrary code execution as root, and it is important to make sure that
the contents of the /etc/ganeti/hooks directory are supervised and that
only trusted sources can populate it.

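A quick audit of the three host-level changes above, written here as an
added example (it is not part of Ganeti): it checks that the node's ssh
host key is the cluster one, lists root authorized_keys entries other
than the cluster key, and flags anything under the hooks directory that
is not owned by the expected user or is group/world-writable. Every
function takes its paths as arguments, so the checks can be run against
the live files (/etc/ssh host key, root's authorized_keys, the cluster
public key, /etc/ganeti/hooks) or against copies; which files hold the
cluster key on a given install is an assumption the caller supplies.

```sh
#!/bin/sh
# Audit of a joined Ganeti node: added example, not part of Ganeti.
# All paths are arguments; nothing here assumes a particular layout.

# Second whitespace-separated field of an OpenSSH public key line is the
# key body; comparing bodies ignores differing comments.
key_body() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$1"
}

# Return 0 if this host's ssh host public key ($1) is the cluster-wide
# one ($2), i.e. the node has been joined and presents the shared key.
host_key_is_cluster_key() {
    h=$(key_body "$1"); c=$(key_body "$2")
    [ -n "$h" ] && [ "$h" = "$c" ]
}

# List active entries of an authorized_keys file ($1) other than the
# cluster key ($2): each is an extra root login on this node.
# Prints them and returns 1 if any exist, 0 if only the cluster key.
list_foreign_keys() {
    authorized=$1
    cluster_key=$(key_body "$2")
    if [ -z "$cluster_key" ]; then
        echo "no key found in $2" >&2
        return 2
    fi
    foreign=$(grep -v '^[[:space:]]*#' "$authorized" \
              | grep -v '^[[:space:]]*$' \
              | grep -vF -e "$cluster_key") || true
    [ -z "$foreign" ] && return 0
    printf '%s\n' "$foreign"
    return 1
}

# Flag the hooks directory ($1) and anything inside it that is not owned
# by $2 (root on a real node) or is writable by group/others: every
# script there is run as root by the node daemon on an RPC request.
# Prints offenders and returns 1 if any.
check_hooks_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 0          # no hooks directory: nothing can run
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \))
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Run all three checks; the exit status is the number of failed checks.
audit_node() {
    host_pub=$1; cluster_pub=$2; authorized=$3; hooks_dir=$4; owner=${5:-root}
    failures=0
    if host_key_is_cluster_key "$host_pub" "$cluster_pub"; then
        echo "ok: host key is the cluster key"
    else
        echo "WARN: host key differs from the cluster key"
        failures=$((failures + 1))
    fi
    if list_foreign_keys "$authorized" "$cluster_pub"; then
        echo "ok: only the cluster key in $authorized"
    else
        echo "WARN: extra root keys (above) in $authorized"
        failures=$((failures + 1))
    fi
    if check_hooks_dir "$hooks_dir" "$owner"; then
        echo "ok: $hooks_dir is $owner-owned and not group/world-writable"
    else
        echo "WARN: hook files (above) are writable by others or not owned by $owner"
        failures=$((failures + 1))
    fi
    return $failures
}
```

The permission test uses `find -perm -g+w -o -perm -o+w` so that a
world-writable hooks directory itself (which lets any local user drop in
a script) is reported, not just individual files.
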
Cluster issues
--------------

As noted above, there are multiple channels of communication between
cluster nodes:
- ssh-based, for high-volume traffic (image dumps) or for low-level
  commands (restarting the Ganeti node daemon)
- python-twisted based, for the usual operations (the node daemon RPC)
- DRBD traffic, for real-time disk replication

The ssh traffic is protected (after the initial login to a new node) by
the cluster-wide shared ssh key; since that key is the same on every
node, it authenticates "a cluster member", not a particular node.

The python-twisted traffic is secured by SSL and two pre-conditions: the
client will refuse to connect to servers which do not present the
cluster-wide shared SSL certificate, and the server will not accept
clients which do not have the cluster-wide shared secret. Both the
certificate and the secret are shared by all nodes, so here too a peer
is authenticated only as a member of the cluster.

The DRBD traffic is not protected by anything, as the version of DRBD we
require (0.7) has no authentication or encryption of the replication
stream: any host that can reach a resource's port can talk to it. It is
therefore recommended to implement host-level firewalling, or to use a
separate range of IP addresses for the DRBD traffic (this is supported
in Ganeti) which is not routed outside the cluster.
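Host-level firewalling for the DRBD channel, as an added example rather
than anything shipped with Ganeti: it turns a node list into iptables
rules that accept the DRBD port range only from the other nodes'
replication addresses and drop it from anywhere else, and it checks that
every replication address lies inside the private, unrouted range. The
input format (one line per node: name, primary IP, secondary IP, the
shape `gnt-node list --no-headers -o name,pip,sip` would print), the
11000-14999 port range and the interface name are assumptions; the
sample node list is constructed for the example. The rules are printed,
not applied.

```sh
#!/bin/sh
# Confine DRBD replication to cluster nodes: added example, not part of
# Ganeti.  Assumptions: node list lines are "name primary-ip secondary-ip"
# and DRBD resources use TCP ports 11000-14999; adjust both for your
# cluster.

DRBD_FIRST_PORT=${DRBD_FIRST_PORT:-11000}
DRBD_LAST_PORT=${DRBD_LAST_PORT:-14999}

# Read the node list on stdin and print iptables commands (not applied):
# one ACCEPT per peer, keyed on its replication (secondary) address and
# the replication interface, then a DROP for the range from anywhere else.
drbd_rules() {
    iface=${1:-eth1}                      # assumed replication interface
    while read -r name pip sip; do
        case $name in ''|\#*) continue ;; esac
        [ -n "$sip" ] || sip=$pip         # no separate replication network
        echo "iptables -A INPUT -i $iface -p tcp -s $sip" \
             "--dport $DRBD_FIRST_PORT:$DRBD_LAST_PORT -j ACCEPT   # $name"
    done
    echo "iptables -A INPUT -p tcp --dport $DRBD_FIRST_PORT:$DRBD_LAST_PORT -j DROP"
}

# Read the node list on stdin; print nodes whose replication address is
# not under the given prefix (e.g. 10.0.1.) and return 1 if any: their
# unauthenticated DRBD stream would leave the private network.
check_sip_range() {
    prefix=$1
    bad=$(awk -v p="$prefix" \
          '!/^[[:space:]]*#/ && NF >= 3 && index($3, p) != 1 { print $1, $3 }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample cluster for the example: three nodes, replication
# on the 10.0.1.0/24 network, management on 192.0.2.0/24.
SAMPLE_NODES='node1.example.com 192.0.2.11 10.0.1.11
node2.example.com 192.0.2.12 10.0.1.12
node3.example.com 192.0.2.13 10.0.1.13'

# Usage: refuse to emit rules if a node replicates over a routed address.
#   printf '%s\n' "$SAMPLE_NODES" | check_sip_range 10.0.1. &&
#       printf '%s\n' "$SAMPLE_NODES" | drbd_rules eth1
```

The ACCEPT rules are bound to the replication interface while the DROP
is not, so a DRBD connection attempt arriving on the management
interface from a cluster address is still refused; the whole point of a
separate replication range is that nothing outside it should ever reach
those ports.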