Hi Jose,

On Thu, Nov 14, 2013 at 11:02 AM, Jose A. Lopes <[email protected]> wrote:
> On Wed, Nov 13, 2013 at 09:57:35AM +0100, Michele Tartara wrote:
>> On Tue, Nov 12, 2013 at 2:13 PM, Guido Trotter <[email protected]> wrote:
>> > On Tue, Nov 12, 2013 at 12:41 PM, Michele Tartara <[email protected]> 
>> > wrote:
>> >> Add the document describing a new design for the OS installation process 
>> >> for
>> >> new instances.
>> >>
>> >> Signed-off-by: Michele Tartara <[email protected]>
>> >> ---
>> >>  doc/design-draft.rst |    1 +
>> >>  doc/design-os.rst    |  318 
>> >> ++++++++++++++++++++++++++++++++++++++++++++++++++
>> >>  2 files changed, 319 insertions(+)
>> >>  create mode 100644 doc/design-os.rst
>> >>
>> >> diff --git a/doc/design-draft.rst b/doc/design-draft.rst
>> >> index c821292..3ed3852 100644
>> >> --- a/doc/design-draft.rst
>> >> +++ b/doc/design-draft.rst
>> >> @@ -20,6 +20,7 @@ Design document drafts
>> >>     design-daemons.rst
>> >>     design-hsqueeze.rst
>> >>     design-ssh-ports.rst
>> >> +   design-os.rst
>> >>
>> >>  .. vim: set textwidth=72 :
>> >>  .. Local Variables:
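Review bot: the new entry `+   design-os.rst` is appended after design-ssh-ports.rst, which breaks the alphabetical order the surrounding toctree entries follow (design-daemons, design-hsqueeze, design-ssh-ports); move it between design-hsqueeze.rst and design-ssh-ports.rst so the list stays sorted.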
>> >> diff --git a/doc/design-os.rst b/doc/design-os.rst
>> >> new file mode 100644
>> >> index 0000000..7a42a7f
>> >> --- /dev/null
>> >> +++ b/doc/design-os.rst
>> >> @@ -0,0 +1,318 @@
>> >> +===============================
>> >> +Ganeti OS installation redesign
>> >> +===============================
>> >> +
>> >> +.. contents:: :depth: 3
>> >> +
>> >> +This is a design document detailing a new OS installation procedure, more
>> >> +secure, able to provide more features and easier to use for many common 
>> >> tasks
>> >> +w.r.t. the current one.
>> >> +
>> >> +Current state and shortcomings
>> >> +==============================
>> >> +
>> >> +As of Ganeti 2.10, each instance is associated with an OS definition. An 
>> >> OS
>> >> +definition is a set of scripts (``create``, ``export``, ``import``, 
>> >> ``rename``)
>> >> +that are executed with root privileges on the primary host of the 
>> >> instance to
>> >> +perform all the OS-related functionality (setting up an operating system 
>> >> inside
>> >> +the disks of the instance being created, exporting/importing the 
>> >> instance,
>> >> +renaming it).
>> >> +
>> >> +These scripts receive, as environment variables, a fixed set of 
>> >> parameters
>> >> +describing the instance (such as the hypervisor, the name of the 
>> >> instance, the
>> >> +number of disks, and their location) and a set of user defined 
>> >> parameters. Each
>> >> +of these parameters is also written into the configuration file of 
>> >> Ganeti, to
>> >> +allow for future reinstalls of the instance, and in various log files, 
>> >> namely:
>> >> +
>> >> +* node daemon log file: contains DEBUG strings of the ``/os_validate``,
>> >> +  ``/instance_os_add`` and ``/instance_start`` RPC calls.
>> >> +
>> >> +* master daemon log file: DEBUG strings related to the same RPC calls 
>> >> are stored
>> >> +  here as well.
>> >> +
>> >> +* commands log: the CLI commands that create a new instance, including 
>> >> their
>> >> +  parameters, are logged here.
>> >> +
>> >> +* RAPI log: the RAPI commands that create a new instances, including 
>> >> their
>> >> +  parameters, are logged here.
>> >> +
>> >> +* job logs: the job files stored in the job queue or in its archive 
>> >> contain the
>> >> +  parameters.
>> >> +
>> >> +The current situation presents a number of shortcomings:
>> >> +
>> >> +* Having the installation scripts run with root power on the nodes is a 
>> >> huge
>> >> +  security issue.
>> >> +
>> >
>> > s/is a huge security issue/doesn't allow user-defined os scripts, as
>> > they would pose a huge security issue/
>> >
>> > Note that there's no security issue *per se* in the current situation,
>> > if the OS scripts are trusted.
>> > (except perhaps for export, if the os script mounts the instance disk,
>> > which is also not necessarily the case)
>>
>> Yes, that's what I meant. I'll reword it as you suggest.
>>
>> >
>> > That said it could be a safety issue in the sense that an eventual
>> > bug/error in the os script could risk disrupting the node.
>>
>> ACK
>>
>> >
>> >> +* Ganeti cannot be used to create instances starting from user provided 
>> >> disk
>> >> +  images: even in the (hypothetical) case where the scripts are 
>> >> completely
>> >> +  secure and run not by root but by an unprivileged user with only the 
>> >> power to
>> >> +  mount arbitrary files as disk images, this is a security issue. It has 
>> >> been
>> >> +  proven that a carefully crafted file system might exploit kernel
>> >> +  vulnerabilities to gain control of the system. Therefore, directly 
>> >> mounting
>> >> +  images on the Ganeti nodes is not an option.
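Review bot: the sentence "It has been proven that a carefully crafted file system might exploit kernel vulnerabilities to gain control of the system" in the second shortcoming carries no reference; since this claim is what rules out mounting images on the nodes and motivates the whole redesign, cite the advisory or paper it rests on. Two smaller points in the same hunk: "the RAPI commands that create a new instances" should read "a new instance", and the paragraph listing the five log files records where the parameters end up without saying what the concern is; if leaking user-defined parameters through the configuration and logs is meant as a shortcoming, state it explicitly in the list rather than leaving the reader to infer it.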
>
> We can look at libfsimage, a library that is part of the Xen project.
> This library provides userspace access to several filesystem types,
> namely, ext2, fat, iso9660, reiserfs, ufs, xfs, and zfs.  This library
> is currently used by PyGrub, also from the Xen project.  An instance
> can be configured to receive a disk from which PyGrub can extract a
> Kernel and an initrd.
>
> I don't think this covers all our use cases, in particular because
> this is only for Xen.  We can, however, extract libfsimage.  From the
> API, this library can open a filesystem image of the aforementioned
> formats and open/read files within that filesystem.  This library is
> written in C but there are Python bindings in the PyGrub source tree.
> This might be an option worth exploring.
>
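
Jose's note describes libfsimage reading ext2 (among other formats) entirely in userspace rather than handing the image to the kernel. As an added illustration of that approach, and not code from this thread, from Ganeti or from libfsimage, the following pure-Python ext2 superblock reader decodes the on-disk fields and rejects inconsistent values before anything downstream trusts them; the image it parses is a constructed 2 KiB buffer holding only a superblock, and the field offsets are those of the ext2 on-disk format.

```python
import struct

EXT2_SUPER_OFFSET = 1024      # the superblock always starts 1 KiB into the image
EXT2_SUPER_MAGIC = 0xEF53

def parse_ext2_superblock(image: bytes) -> dict:
    """Decode the ext2 superblock from raw bytes and reject inconsistent
    fields before any caller trusts them; nothing here touches the kernel."""
    if len(image) < EXT2_SUPER_OFFSET + 1024:
        raise ValueError("image too small to hold an ext2 superblock")
    sb = image[EXT2_SUPER_OFFSET:EXT2_SUPER_OFFSET + 1024]
    (inodes_count, blocks_count, _, _, _,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    magic, = struct.unpack_from("<H", sb, 56)
    rev_level, = struct.unpack_from("<I", sb, 76)
    # Revision 0 filesystems have fixed 128-byte inodes; revision 1 stores the size.
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    volume_name = sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace")
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("bad ext2 magic 0x%04x" % magic)
    if log_block_size > 6:                  # 1 KiB .. 64 KiB are the legal sizes
        raise ValueError("implausible s_log_block_size %d" % log_block_size)
    block_size = 1024 << log_block_size
    if blocks_per_group == 0 or inodes_per_group == 0:
        raise ValueError("zero blocks or inodes per group")
    if blocks_per_group > 8 * block_size:   # the block bitmap is a single block
        raise ValueError("blocks_per_group exceeds one bitmap block")
    if blocks_count <= first_data_block:
        raise ValueError("blocks_count does not cover first_data_block")
    groups = -(-(blocks_count - first_data_block) // blocks_per_group)
    if inodes_count > groups * inodes_per_group:
        raise ValueError("inodes_count exceeds the inode tables")
    if inode_size < 128 or inode_size > block_size or inode_size & (inode_size - 1):
        raise ValueError("bad inode size %d" % inode_size)
    return {"block_size": block_size, "blocks_count": blocks_count,
            "inodes_count": inodes_count, "groups": groups,
            "inode_size": inode_size, "volume_name": volume_name}

def make_sample_image(log_block_size=0, magic=EXT2_SUPER_MAGIC) -> bytes:
    """Constructed sample: a 2 KiB buffer holding nothing but a superblock."""
    img = bytearray(2048)
    struct.pack_into("<7I", img, 1024, 2048, 8192, 409, 7000, 2000, 1, log_block_size)
    struct.pack_into("<3I", img, 1024 + 32, 8192, 8192, 2048)
    struct.pack_into("<H", img, 1024 + 56, magic)
    struct.pack_into("<I", img, 1024 + 76, 1)          # revision 1
    struct.pack_into("<H", img, 1024 + 88, 128)
    img[1024 + 120:1024 + 131] = b"ganeti-inst"
    return bytes(img)
```

The checks mirror the kind of consistency tests a userspace reader must perform itself, since the kernel's filesystem driver is deliberately not involved.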


libfsimage looks like an interesting library indeed. Unfortunately,
it doesn't seem to be packaged independently for most distributions,
which would make its usage quite complicated for many users.
Furthermore, one of the reasons for accessing the disks of the instance
to be created through a virtual appliance is a security measure aiming
to add an extra layer a hypothetical attacker has to overcome.
Accessing the filesystems through a library is safer than mounting
them, but still less safe than mounting them inside a VM.

We can definitely remember it for future usage, though.

Thanks,
Michele

-- 
Google Germany GmbH
Dienerstr. 12
80331 München

Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
