Commit b51e14c0 authored by Thomas Thrainer

Update security doc and NEWS for luxid

Document the split of luxid from confd in security.rst and in the NEWS
file.
Signed-off-by: Thomas Thrainer <thomasth@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
parent 13f04c08
......@@ -21,6 +21,9 @@ Incompatible/important changes
- hail now honors network restrictions when allocating nodes. This led to an
update of the IAllocator protocol. See the IAllocator documentation for
details.
- confd now only answers static configuration request over the network. luxid
was extracted, listens on the local LUXI socket and responds to live queries.
This allows finer grained permissions if using separate users.
New features
~~~~~~~~~~~~
......
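Review bot: In the NEWS entry for the confd/luxid split, "static configuration request" should read "static configuration requests", and the entry does not mention that luxid is enabled automatically whenever confd is enabled at build time, which is the detail an upgrading operator needs. Consider adding that sentence and a pointer to the security document, since the permission benefit described here only applies when separate users are configured.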
......@@ -124,27 +124,36 @@ before serving requests. This permission-based protection is documented
and works on Linux, but is not-portable; however, Ganeti doesn't work on
non-Linux system at the moment.
Luxi daemon
-----------
The ``luxid`` daemon (automatically enabled if ``confd`` is enabled at
build time) serves local (UNIX socket) queries about the run-time
configuration. Answering these means talking to other cluster nodes,
exactly as ``masterd`` does. See the notes for ``masterd`` regarding
permission-based protection.
Conf daemon
-----------
In Ganeti 2.8, the ``confd`` daemon (if enabled at build time), serves
both network-originated queries (about the static configuration) and
local (UNIX socket) queries (about the run-time configuration; answering
these means talking to other cluster nodes, which makes use of the
internal RPC SSL certificate). This makes it a bit more sensitive to
bugs (a remote attacker could get direct access to the intra-cluster
RPC), so to harden security it's recommended to:
- disable confd at build time if it's not needed in your setup
- otherwise, configure Ganeti (at build time) to use separate users, so
that the confd daemon doesn't also have access to the server SSL/TLS
network-originated queries about parts of the static cluster
configuration.
If Ganeti is not configured (at build time) to use separate users,
``confd`` has access to all Ganeti related files (including internal RPC
SSL certificates). This makes it a bit more sensitive to bugs (a remote
attacker could get direct access to the intra-cluster RPC), so to harden
security it's recommended to:
- disable confd at build time if it (and ``luxid``) is not needed in
your setup.
- configure Ganeti (at build time) to use separate users, so that the
confd daemon doesn't also have access to the server SSL/TLS
certificates.
NB: the second suggestion is not valid since Ganeti 2.8.0~beta1, because confd
needs access to the certificate in order to communicate on the network.
This will be fixed when the planned split of the two functionalities
(local/remote querying) of confd into two separate daemons will take place,
in a future Ganeti version.
- add firewall rules to protect the ``confd`` port or bind it to a
trusted address. Make sure that all nodes can access the daemon, as
the monitoring daemon requires it.
Monitoring daemon
-----------------
......
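Review bot: The "Luxi daemon" section says luxid talks to other cluster nodes exactly as masterd does but gives no hardening guidance of its own, only "See the notes for masterd". Because luxid therefore sits in front of the intra-cluster RPC in the same way, state in this section which protection applies to its local socket, or reference the masterd section by name so the reader can find it. In the "Conf daemon" list, "if it (and luxid) is not needed" should say outright that disabling confd at build time also removes luxid, and the firewall bullet would be easier to act on if it said where the confd bind address is configured.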