[Openstack] [trove] Securing access to compute nodes from instances

Mark Kirkwood mark.kirkwood at catalyst.net.nz
Fri Feb 13 03:16:04 UTC 2015


We are looking to implement Trove, and as part of the exercise I'm 
examining some security aspects for the guest image setup.

In a previous mail I'd mentioned that *if* you can break into the guest 
vm then potentially some information that shouldn't be readily available 
can be disclosed (rabbit password for instance).

So how likely is this in fact?

1/ Inside a running Trove mysql instance

Not easily - in a standard Ubuntu image apparmor stops mysql reading any 
files outside of /etc/mysql or /var/lib/mysql. So the 'usual' trick of 
reading (say) /etc/trove/trove_guestagent.conf with LOAD DATA INFILE is 
not possible. So provided apparmor is installed all is good (maybe 
should shut the door even more firmly and amend default mysql config to 
set secure_file_priv variable).

2/ Manipulation of guest image

Given that the guest image is publicly available, it can be downloaded, 
and (if needed) converted to raw and mounted. From this either:

- config can be immediately read if guestagent is pre-installed (or)
- rsync command and ip + location of config files can be gleaned from 
the init script

In the second case it is then pretty easy to boot a vm on the 
appropriate network and rsync the config files using the above glenaed 
command(s) as required (e.g add keys to the previously downloaded trove 
guest image, upload it to glance then run it directly from nova and ssh 

So am I missing something here - is there any way to avoid this?



More information about the Openstack mailing list