[Openstack] [trove] Securing access to compute nodes from instances
mark.kirkwood at catalyst.net.nz
Fri Feb 13 03:16:04 UTC 2015
We are looking to implement Trove, and as part of the exercise I'm
examining some security aspects for the guest image setup.

In a previous mail I'd mentioned that *if* you can break into the guest
vm then potentially some information that shouldn't be readily available
can be disclosed (rabbit password for instance).

So how likely is this in fact?

1/ Inside a running Trove mysql instance

Not easily - in a standard Ubuntu image apparmor stops mysql reading any
files outside of /etc/mysql or /var/lib/mysql. So the 'usual' trick of
reading (say) /etc/trove/trove_guestagent.conf with LOAD DATA INFILE is
not possible. So provided apparmor is installed all is good (maybe
should shut the door even more firmly and amend default mysql config to
set secure_file_priv variable).

2/ Manipulation of guest image

Given that the guest image is publicly available, it can be downloaded,
and (if needed) converted to raw and mounted. From this either:
- config can be immediately read if guestagent is pre-installed (or)
- rsync command and ip + location of config files can be gleaned from
  the init script

In the second case it is then pretty easy to boot a vm on the
appropriate network and rsync the config files using the above gleaned
command(s) as required (e.g. add keys to the previously downloaded trove
guest image, upload it to glance then run it directly from nova and ssh

So am I missing something here - is there any way to avoid this?
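
An added example (not part of the original post) for the secure_file_priv hardening suggested under point 1/: it reads a MySQL option file and reports whether LOAD DATA INFILE would still be allowed to reach the guest agent config path named above. The function names and the sample option files are constructed for illustration, and treating an unset value as unrestricted is an assumption, since the server default varies by MySQL version and packaging.

```python
import posixpath

GUEST_CONF = "/etc/trove/trove_guestagent.conf"  # path named in the post

def secure_file_priv(cnf_text):
    """Return the effective secure_file_priv from [mysqld], or None if unset."""
    section, value = None, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent.
        if key.strip().lower().replace("-", "_") == "secure_file_priv":
            value = val.strip().strip("'\"")  # last occurrence wins
    return value

def exposed(cnf_text, sensitive_path=GUEST_CONF):
    """True if secure_file_priv does not keep file imports away from the path."""
    allowed = secure_file_priv(cnf_text)
    if not allowed:
        # Assumption: unset or empty means no directory restriction.
        return True
    if not posixpath.isabs(allowed):
        return False  # not an absolute directory, cannot contain the path
    allowed = posixpath.normpath(allowed)
    target = posixpath.normpath(sensitive_path)
    # Exposed only when the sensitive file lives under the allowed directory.
    return posixpath.commonpath([allowed, target]) == allowed

# Constructed sample option files.
WEAK = "[mysqld]\ndatadir = /var/lib/mysql\n"
TOO_BROAD = "[mysqld]\nsecure_file_priv = /etc\n"
HARDENED = ("[client]\nsecure_file_priv = /\n"
            "[mysqld]\n# restrict import/export\n"
            "secure-file-priv = /var/lib/mysql-files\n")

if __name__ == "__main__":
    for name, cnf in (("weak", WEAK), ("too broad", TOO_BROAD),
                      ("hardened", HARDENED)):
        print(f"{name}: guest agent config exposed = {exposed(cnf)}")
```

This covers only the in-database file read from point 1/ and complements the AppArmor confinement rather than replacing it.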