security.rst 4.02 KB
Newer Older
1
Security in Ganeti
Iustin Pop's avatar
Iustin Pop committed
2
==================
3
4
5
6
7

Ganeti was developed to run on internal, trusted systems. As such, the
security model is all-or-nothing.

All the Ganeti code runs as root, because all the operations that Ganeti
8
is doing require privileges: creating logical volumes, drbd devices,
9
10
11
12
13
14
starting instances, etc. Running as root does not mean setuid, but that
you need to be root to run the cluster commands.

Host issues
-----------

15
16
For a host on which the Ganeti software has been installed, but not joined to a
cluster, there are no changes to the system.
17
18
19

For a host that has been joined to the cluster, there are very important
changes:
Iustin Pop's avatar
Iustin Pop committed
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

- The host will have its SSH host key replaced with the one of the
  cluster (which is the one the initial node had at the cluster
  creation)
- A new public key will be added to root's authorized_keys file,
  granting root access to all nodes of the cluster. The private part of
  the key is also distributed to all nodes. Old files are renamed.
- Communication between nodes is encrypted using SSL/TLS. A common key
  and certificate combo is shared between all nodes of the cluster.  At
  this time, no CA is used.
- The Ganeti node daemon will accept RPC requests from any host within
  the cluster with the correct certificate, and the operations it will
  do as a result of these requests are:

  - running commands under the /etc/ganeti/hooks directory
  - creating DRBD disks between it and the IP it has been told
  - overwrite a defined list of files on the host
37
38
39
40
41

As you can see, as soon as a node is joined, it becomes equal to all
other nodes in the cluster, and the security of the cluster is
determined by the weakest node.

42
Note that only the SSH key will allow other machines to run random
43
commands on this node; the RPC method will run only:
Iustin Pop's avatar
Iustin Pop committed
44
45
46
47
48

- well defined commands to create, remove, activate logical volumes,
  drbd devices, start/stop instances, etc;
- run SSH commands on other nodes in the cluster, again well-defined
- scripts under the /etc/ganeti/hooks directory
49
50
51
52
53
54
55
56
57
58

It is therefore important to make sure that the contents of the
/etc/ganeti/hooks directory is supervised and only trusted sources can
populate it.

Cluster issues
--------------

As told above, there are multiple ways of communication between cluster
nodes:
Iustin Pop's avatar
Iustin Pop committed
59
60
61
62
63

- SSH-based, for high-volume traffic like image dumps or for low-level
  command, e.g. restarting the Ganeti node daemon
- RPC communication between master and nodes
- DRBD real-time disk replication traffic
64

65
66
The SSH traffic is protected (after the initial login to a new node) by
the cluster-wide shared SSH key.
67

68
RPC communication between the master and nodes is protected using SSL/TLS
Iustin Pop's avatar
Iustin Pop committed
69
encryption. Both the client and the server must have the cluster-wide
70
71
72
shared SSL/TLS certificate and verify it when establishing the connection
by comparing fingerprints. We decided not to use a CA to simplify the
key handling.
73

Iustin Pop's avatar
Iustin Pop committed
74
75
The DRBD traffic is not protected by encryption, as DRBD does not
support this. It's therefore recommended to implement host-level
76
77
firewalling or to use a separate range of IP addresses for the DRBD
traffic (this is supported in Ganeti) which is not routed outside the
Iustin Pop's avatar
Iustin Pop committed
78
79
80
81
82
83
84
85
86
87
88
89
90
cluster. DRBD connections are protected from connecting due to bugs to
other machines, and from accepting connections from other machines, by
using a shared secret, exchanged via RPC requests from the master to the
nodes when configuring the device.

Master daemon
-------------

The command-line tools to master daemon communication is done via an UNIX
socket, whose permissions are reset to ``0600`` after listening but before
serving requests. This permission-based protection is documented and works on
Linux, but is not-portable; however, Ganeti doesn't work on non-Linux system at
the moment.
91
92
93
94
95
96
97
98
99
100

Remote API
----------

Starting with Ganeti 2.0, Remote API traffic is encrypted using SSL/TLS by
default. It supports Basic authentication as per RFC2617.

Paths for certificate, private key and CA files required for SSL/TLS will
be set at source configure time. Symlinks or command line parameters may
be used to use different files.