xCAT/xcat-core
2
0
Fork 0
mirror of https://github.com/xcat2/xcat-core.git synced 2024-11-23 18:10:14 +00:00
Code Issues Releases Wiki Activity
Page: Secure root support
Pages
2014_10_01_Bash_vulnerability 2014_11_04_Poodle_Attack AIX_NIM_NFSv4_support Add_Extra_Parameters_for_confignics_Postscript CRHS like_function CRHS like_function_enhancements CSM_CFM like_function_to_sync_config_files_to_the_nodes Capture_Linux_Image_from_running_node_to_create_a_stateless statelite_image Chef_databag_support_for_deploying_openstack_in_xCAT Cluster_config_file Conserver_Replacement Coordinated_Cluster_Shutdown_and_Bringup Copycds_enhancement Coral PDU supports Create_osimage_definition_for_Management_Node Cumulus_OS_Upgrade_Support_Test DFM_Service_Node_Hierarchy_support DHCPv6_management DNS_Enhancments DNS_master_slave_support Def_commands_to_display set_nic_attributes_more_easily Deploying_OpenStack_Baremetal_Nodes_Using_xCAT Disable_ssh_root_passwordless_node to node_access Document_large_cluster_tunables,_etc. Dynamic_node_groups_support Energy_Management_for_Flex Energy_management_support_for_blade Enhance_NTP_setup_support Enhancement_of_lsslp_ flexdiscover Enhancement_on_makeroutes_and_snmove_commands Exporting_more_table_attributes_to_nodes Filling_the_osimage_attributes_with_the_files_that_are_found_in_the_search_path Full_Automation_of_DB2_Setup_on_Service_Nodes Function Verification Test Design of xCAT High Availability GPFS_statelite_nodes Getmacs_and_rnetboot_enhancement Getnodetype_performance_imprvoments_ _phase_I HA_NFS_on_AIX_service_nodes HA_Service_Nodes_for_AIX HA_Service_Nodes_for_AIX_ _using_External_NFS_Server HFI_MAC_address_failover HPC_Integration_Phase_1 Hardware_Inventory_for_Node Health_Check_Script_Framework Hierarchical_Design Home Image_Provisioning Image_import_and_export_enhancement_for_Linux Improve_perl_array_search_efficiency_for_scalability Improvement_of_pre creating_mypostscripts_on_linux Initrd_Enhancement_separate_initrd_hacking_from_noteset_get_drivers_from_os_update_distro Kdump_for_Linux_diskless_nodes Linux_AIX_mixed_Clusters_postscripts_cleanup Local_Disk_support_for_statelite Lstree_for_Servicenode_Hardware_and_VM_hierarchies Management_Node_Pool Management_Node_Setup_Verification Managing_Multiple_Sites_and_Clusters Mellanox_Switch_Support Mini design for openbmc python framework Mini design_of_updating_pre defined_groups_for_nodes Minimize_the_install setup_steps_of_xcat_on_the_MN Mkvlan_enhancements Multiple_Zone_Support2 Multiple_pkgdir_support_with_full_installation NFS_Redundancy_Investigation NFS_redundancy New_Cloud_Tables_in_xCAT Node_Status_and_Application_Status Node_definition_installation_service_node_setup_verification Nodeset_defaults_when_node_provmethod=osimage_is_set OS_Deployment_Monitoring_And_Automatic_Retry OS_Distro_Update_xCAT_command_osdistroupdate OpenStack Chef Cookbook_xCAT_Integration OpenStack_Deployment_using_Chef OpenStack_Deployment_using_Puppet Ospkgs_enhancements_to_install upgrade_OS_packages_from_Updates Overview_of_HA_Services_for_Diskless_AIX_Nodes Power8_BE_support Predict_long_nicname_for_RH7 Proposal_for_docker_Support_in_xCAT RHEL7_Support RHEV_support Rcons_hierachy_support Redfish_support Refine_the_usage_of_installnic_and_primarynic_attributes Release processs automation investigation Resolving_Nodenames_for_System_p_HW_Ctrl Run_parallel_commands_for_Ethernet_switches Run_postbootscripts_after_each_diskful_reboot SLES12_Support SLES_11_SP1_SDK_support Secure root support Sequential_Discovery Sequential_Discovery_phase_2 Service_Node_Scenarios_and_Retry_Logic_in_Postscript_Process Service_node_manual_takeover_on_AIX Service_node_take_over Setup_IP_routes_between_the_MN_and_the_CNs Shared data based xCAT MN HA mini design Shared data based xCAT MN HA user case Shared data based xCAT MN HA Specify_the_disk_partitions_during_diskfull_install Steps to install xcat_openbmc_py3 on RH8 Support uploading openbmc firmware in parallel Support_Management_Node_in_the_servicenode_table Support_for_Redundant_BPAs_and_FSPs Support_multiple_hardware_control_points Support_osimage.pkgdir_with_multiple_paths_in_genimage_and_diskfull_installation Support_postscripts_associated_with_rsync_files_to_be_run_after_rsync_in_xdcp Support_to_inject_drivers_from_Driver_RPM_Package Support_xcatd_running_user_defined_sql_scripts_on_start_and_foreign_keys Supporting_driver_update_disk_for_Linux Supporting_the_scalable_functions_for_HX5_blade Switch_Discovery_And_Switch_Management System_p_Discovery_Enhancements System_z_hierarchical_tree Test Design of HA Test Design of TestCase Label Test Design of `goconserver` Regression Testing Test Design of `goconserver` Support Test Design of configib Test Design of cumulus osimage Test Design of cumulus_osimage Test Design of gonconserver redirect logs Test Design of hardware control commands regression Test Design of makegocons option l Test Design of rbeacon python version Test Design of rcons based goconserver Test Design of revenlog python version Test Design of rflash python version Test Design of rinv python version Test Design of rpower python version Test Design of rsetboot python version Test Design of rspconfig python version Test Design of rvitals python version Test Design of syncfiles Test Design of xcat inventory diff Test Design of xcat inventory export import performance Test Design of xcat inventory option e Test Design of xcat inventory osimage environment variables export part Test Design of xcat inventory osimage environment variables Test Design of xcat inventory osimage phase2 Test Design of xcat inventory osimage support share file directory Test Design of xcat inventory osimage Test Design of xcat inventory phase 1 Test Design of xcat inventory regular expression Test Design of xcat inventory save keys Test Design of xcat inventory user case Test Design of xcat terraform provider phase1 Test Report of `goconserver` Test cases against nodeset error handling Test_Case_Designs_FVT The mini design of osimage version control(initial draft) The mini design of syncfiles for cumulus The mini design of using xcat inventory templates to setup xCAT cluster with ansible The_remote_console_support_of_hmc Trace_Facility_for_xCAT Ubuntu_supports_internet_repository Updatenode_Performance_Enhancements Updatenode_Sync_Service_Nodes_for_install Updatenode_enhancement_for_security_keys_and_certificates Updatenode_support_to_run_mypostscript_sections Updatenode_to_the_Management_Node Updates_to_xcatsetup_and_Cluster_Config_File Windows_Multiple_Disks_Partitions_Configuration Windows_Multiple_Nics_Configuration Windows_Multiple_Winpes Windows_Support_to_Run_Postscripts_Postbootscripts_in_Windows_Deployment Wish_List_for_xCAT_2 Wish_List_for_xCAT_FVT XCAT 2 Mini Designs for New Features XCAT_2.10_Release_Notes XCAT_2.11.1_Release_Notes XCAT_2.11_ESP_Release_Notes XCAT_2.11_Release_Notes XCAT_2.12.1_Release_Notes XCAT_2.12.2_Release_Notes XCAT_2.12.3_Release_Notes XCAT_2.12.4_Release_Notes XCAT_2.12.5_Release_Notes XCAT_2.12_Release_Notes XCAT_2.13.10_Release_Notes XCAT_2.13.11_Release_Notes XCAT_2.13.1_Release_Notes XCAT_2.13.2_Release_Notes XCAT_2.13.3_Release_Notes XCAT_2.13.4_Release_Notes XCAT_2.13.5_Release_Notes XCAT_2.13.6_Release_Notes XCAT_2.13.7_Release_Notes XCAT_2.13.8_Release_Notes XCAT_2.13.9_Release_Notes XCAT_2.13_Release_Notes XCAT_2.14.1_Release_Notes XCAT_2.14.2_Release_Notes XCAT_2.14.3_Release_Notes XCAT_2.14.4_Release_Notes XCAT_2.14.5_Release_Notes XCAT_2.14.6_Release_Notes XCAT_2.14_Release_Notes XCAT_2.15.1_Release_Notes XCAT_2.15_Release_Notes XCAT_2.16.1_Release_Notes XCAT_2.16.2_Release_Notes XCAT_2.16.3_Release_Notes XCAT_2.16.4_Release_Notes XCAT_2.16.5_Release_Notes XCAT_2.16_Release_Notes XCAT_2.17_Release_Notes XCAT_2.9.2_Release_Notes XCAT_2.9.2_aix_Release_Notes XCAT_2.9.3_Release_Notes XCAT_2.9.4_Release_Notes XCAT_Cluster_in_SoftLayer XCAT_HPC_Integration_Files_per_OS,_Architecture,_Product XCAT_Health_Check XCAT_IPv6_support_on_AIX XCAT_IPv6_support_on_Linux XCAT_Mini Design_Template XCAT_Monitoring_Failure_Analysis_Conditions_Batched_Events XCAT_Postscripts_framework_enhancements XCAT_Provisioning_OS_on_consistent_disk XCAT_REST_API_enhancements XCAT_Support_for_Kits_and_Kit_Components XCAT_probe XCAT_support_for_multiple_network_domains Xcatexport_and_xcatimport_commands Xcatmon_and_appstatus_for_HPC_products Xeon_Phi_support cofignetwork_for_RH7 confignetwork integrate confignics_configeth_configib functions usage determine_install_disk diskdiscover_and_configraid docker_instances_lifecycle_management enhancement_for_rinstall_command logging pre script to make debug easy makedhcp_append_statement_automatically_rather_than_get_statement_from_nodeset mini design of ZTP based onie switch discovery and configuration minidesign Switch based switch discovery minidesign_xcatprobe node status enhancement ntp_enhancement openbmc_support post.xcat_restructure rflash_streamline_procedure rscan command for hypervisor rspconfig network rspconfig ntpservers rspconfig password scaleup_basedon_xcat_in_openshift_cluster supporting_partitionfile_for_Ubuntu supporting_persistent_kernel_cmdline_after_diskful_installation test_sidebar the mini design of xcat inventory export and import for osimage use fifo pipe to enhance getadapter xCAT Build Schedule xCAT_2.12_ReleaseInformation xCAT_2.13_ReleaseInformation xCAT_2.14_ReleaseInformation xCAT_2.15_ReleaseInformation xCAT_Docker_Image xcatprobe_framework xcatprobe_requests
9 Secure root support
Bin Xu edited this page 2019-03-29 15:43:40 +08:00
Table of Contents

Design_Warning

Background

xCAT stateful provisioning (kickstart file for RHEL) and stateless provisioning (image tarball) include the root password hash inside, and they are exposed to a HTTP server. Here might be security issue.

To enforce the security consideration, it is required xCAT to offer a capability to send the root password hash in a secure method during the provisioning only.

Platform

stateful provision

In existing implementation for RHEL7, when run nodeset <cn> osimage=xxx, xCAT will generate the kickstart file and it will contains a line

rootpw --iscrypted <root password hash>

During the provisioning, anaconda will get the kickstart file and generate the corresponding root in /etc/shadow

And with the 'secure root support' enhancement, nodeset will do the following:

  • To check if Secure root is enabled (define secureroot=1 in table site), if not, same as previous.
If yes, then there are possible two option:
 1, User define `install` temporary password in `passwd` table, `nodeset` write temporary hash into kickstart file.  [**Current not support**]

2, No `install` temporary password defined, no root password hash into kickstart file.

When the node is in the end of provisioning and running xCAT default postscript, remoteshell will do the following:

  • To check if Secure root is enabled (define secureroot=1 in table site), if not, same as previous.
If yes, then it send `getcredential xcat_secure_pw:root` to xCAT master, and update the `/etc/shadow` with the right hash

stateless provision

In existing implementation for RHEL7, when run packimage xxx, xCAT will update the <rootimagedir>/etc/shadow with the and pack it into image, so the image contains the root password hash directly.

And with the 'secure root support' enhancement, packimage will do the following:

  • To check if Secure root is enabled (define secureroot=1 in table site), if not, same as previous.
If yes, then there are possible two option:
 1, User define `install` temporary password in `passwd` table, `packimage` write temporary hash into `/etc/shadow`. [**Current not support**]

 2, No `install` temporary password defined, no root password hash into `/etc/shadow` file.

When the node is in the end of provisioning and running xCAT default postscript, remoteshell will do the following:

  • To check if Secure root is enabled (define secureroot=1 in table site), if not, same as previous.
If yes, then it send `getcredential xcat_secure_pw:root` to xCAT master, and update the `/etc/shadow` with the right hash

Note: if you define /etc/shadow file in the synclist of the osimage, you must use packiamge --nosyncfiles xxx

getcredential is the existing API for compute node to get sensitive information form MN, it is secure enough, we just need to extend it to return the password hash per requesting.

DB related

Add a new site entry secureroot for this feature.

secureroot:  Using secure mode to transfer root password hash during the installation. (Only supports RHEL7.x)  Default is 0.

Platform

  • Support it for RHEL7 first
  • Other Platform will use the same design, but lower priority

Other Design Considerations

  • The interface to get the password hash must be secure enough

    • The client had to be verified to make sure it is from a managed compute node and with the privilege.

  • The interface must be extensible to support other user

  • To keep compatible, secure root capability is not enabled by default.

  • For some of the case, user might define shadow file into synclist. In such case, syncfiles will be run after remoteshell and override the /etc/shadow

  • As we may need to support user change password after installation for stateful, so not to change password when run updatenode.

Limitation

In secure root mode, as no root password, the console cannot be login via the real password before remoteshell executed. And just mentioned in above, a workaround is to set install temporary password for it. This password is not work during the provisioning.

Document

Out of Scope

Statelite provisioning other user password - Not support it now, just leave the API compatible.

News

History

  • Oct 22, 2010: xCAT 2.5 released.
  • Apr 30, 2010: xCAT 2.4 is released.
  • Oct 31, 2009: xCAT 2.3 released.
    xCAT's 10 year anniversary!
  • Apr 16, 2009: xCAT 2.2 released.
  • Oct 31, 2008: xCAT 2.1 released.
  • Sep 12, 2008: Support for xCAT 2
    can now be purchased!
  • June 9, 2008: xCAT breaths life into
    (at the time) the fastest
    supercomputer on the planet
  • May 30, 2008: xCAT 2.0 for Linux
    officially released!
  • Oct 31, 2007: IBM open sources
    xCAT 2.0 to allow collaboration
    among all of the xCAT users.
  • Oct 31, 1999: xCAT 1.0 is born!
    xCAT started out as a project in
    IBM developed by Egan Ford. It
    was quickly adopted by customers
    and IBM manufacturing sites to
    rapidly deploy clusters.