Yesterday was not the success we were hoping for with development. Things were very hectic in Hawk Host last yesterday and with us not having a full team of developers this sort of thing causes delays in any development processes. What was completed yesterday was the operating system handling system which I had talked about yesterday. Besides that we were discussing the best options on how to approach the safety of the slave servers.
The biggest worry among people is that the master has root access to all the slave servers in order to perform commands. If it does not have access you then need a daemon of some kind to take commands and execute them. With this method you then rely on the daemons being up to date (latest version) and having all the right commands available to be executed by the master. Even with this method if a malicious user gains access to the master they can issue a mass delete of all VM’s on the node which is the big scare everyone has. This unfortunately is not possible to solve because if you give access to run vzctl commands you run this risk. Everyone is suggesting using daemons even though it does not solve the fear anyways thus over complicating things.
The SSH protocol is a secure protocol and has capability of doing keys. What many seem to not be aware of is the fact it also have the ability to restrict IP access on a key as well. It even also has the ability to restrict commands but it is down to the parameter so that’s not an option. The IP restriction though is useful because you can restrict the key to just the master’s IP. So the only risk you now have is your master becoming compromised and a malicious user executing commands on the nodes. Now doesn’t that sound familiar? This is the exact issue a daemon service as that if the master is compromised the nodes are as well which makes sense. The only difference is the fact with SSH you could wipe the entire system rather than just the virtual machines. But at this point I’d say this is a small difference because if the virtual machines are gone the system is essentially worthless anyways.
Based on all of this I think we’re going to use restrictive SSH to accomplish everything. There does not seem to be a necessity to have a daemon to handle the commands. We can issue all the commands from the master we’ll just need to make sure with commands that take a significant amount of time to not execute them within anything web viewable. So the best way to probably approach this is when a command like a OS rebuild is issued it will be executed by a cron within one minute.
Hopefully this provides some insight to what we’re doing and why.