Secure root support
xCAT stateful provisioning (the kickstart file for RHEL) and stateless provisioning (the image tarball) both embed the root password hash, and both artifacts are served from a plain HTTP server. Anyone who can reach that server can read the hash and attack it offline, so this is a security issue.
To address it, xCAT needs a way to deliver the root password hash over a secure channel, and only during provisioning.
In the existing RHEL7 implementation, running `nodeset <cn> osimage=xxx` makes xCAT generate the kickstart file, which contains the line
`rootpw --iscrypted <root password hash>`
During provisioning, anaconda fetches the kickstart file and writes the corresponding root entry into /etc/shadow.
With the 'secure root support' enhancement, `nodeset` does the following:
- Check whether secure root is enabled (`secureroot=1` defined in the `site` table). If not, behave as before.
- If it is enabled, there are two possible cases:
  1. The user has defined an `install` temporary password in the `passwd` table: `nodeset` writes the temporary password's hash into the kickstart file.
  2. No `install` temporary password is defined: `nodeset` writes no root password hash into the kickstart file at all.
At the end of provisioning, when the node runs the default xCAT postscript `remoteshell`, `remoteshell` does the following:
- Check whether secure root is enabled (`secureroot=1` defined in the `site` table). If not, behave as before.
- If it is enabled, send `getcredential xcat_secure_pw:root` to the xCAT master and update `/etc/shadow` with the returned hash, so the real hash only ever travels over the credential channel.
In the existing RHEL7 implementation, running `packimage xxx` makes xCAT update `<rootimagedir>/etc/shadow` with the root password hash and pack it into the image, so the image tarball contains the hash directly.
With the 'secure root support' enhancement, `packimage` does the following:
- Check whether secure root is enabled (`secureroot=1` defined in the `site` table). If not, behave as before.
- If it is enabled, there are two possible cases:
  1. The user has defined an `install` temporary password in the `passwd` table: `packimage` writes the temporary password's hash into `<rootimagedir>/etc/shadow`.
  2. No `install` temporary password is defined: `packimage` writes no root password hash into the `/etc/shadow` file at all.
At the end of provisioning, when the node runs the default xCAT postscript `remoteshell`, `remoteshell` does the following:
- Check whether secure root is enabled (`secureroot=1` defined in the `site` table). If not, behave as before.
- If it is enabled, send `getcredential xcat_secure_pw:root` to the xCAT master and update `/etc/shadow` with the returned hash.
Note: if `/etc/shadow` is listed in the osimage's synclist, you must run `packimage --nosyncfiles xxx`; otherwise the synced shadow file, real hash included, would be packed into the image and defeat the purpose of secure root.
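The two steps above (the `rootpw` decision made by `nodeset`/`packimage`, and the `/etc/shadow` rewrite done by `remoteshell` once it holds the real hash) are modelled in the following POSIX shell example. This is an added illustration, not xCAT's own code: the `getcredential xcat_secure_pw:root` fetch is xCAT's credential API and is not reproduced here, so the caller passes the hash in; the function names and the constructed shadow lines used for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not xCAT code). Models the two steps of the secure root design:
#   1. the kickstart 'rootpw' line nodeset/packimage emits, depending on
#      site.secureroot and on whether an 'install' temporary password exists;
#   2. the /etc/shadow rewrite remoteshell performs once it has the real hash.
# Fetching the hash via 'getcredential xcat_secure_pw:root' is xCAT's credential
# API and is assumed, not reproduced: the caller passes the hash in as $2.

# Print the kickstart rootpw line, or nothing.
#   $1 = value of site.secureroot (0/1)
#   $2 = real root hash (from the passwd table)
#   $3 = hash of the 'install' temporary password, empty if none is defined
kickstart_rootpw_line() {
    secureroot=$1 real_hash=$2 temp_hash=$3
    if [ "$secureroot" != "1" ]; then
        # secure root off: legacy behaviour, the real hash goes into the kickstart
        printf 'rootpw --iscrypted %s\n' "$real_hash"
    elif [ -n "$temp_hash" ]; then
        # secure root on, temporary password defined: only the temporary hash is exposed
        printf 'rootpw --iscrypted %s\n' "$temp_hash"
    fi
    # secure root on, no temporary password: emit nothing, the kickstart carries no hash
}

# Replace the password field of the root entry in a shadow-format file.
#   $1 = path to the shadow file, $2 = new hash
# Only field 2 (the hash) and field 3 (last-change day) of the root line change;
# every other field and every other account line is written back untouched.
# The rewrite goes through a same-directory temp copy and mv(1), so the live
# file is swapped atomically and keeps the mode and owner of the original.
update_shadow_root_hash() {
    shadow=$1 new_hash=$2
    # A hash must be a single non-empty field: no ':' separators, no whitespace.
    # (crypt(3) hashes only use [A-Za-z0-9./$], so awk -v escape handling is safe.)
    case $new_hash in
        ''|*:*|*[[:space:]]*)
            echo "update_shadow_root_hash: refusing malformed hash" >&2; return 1 ;;
    esac
    # Refuse to operate on a file without a root entry rather than inventing one.
    grep -q '^root:' "$shadow" || { echo "no root entry in $shadow" >&2; return 1; }

    tmp=$(mktemp "$(dirname "$shadow")/.shadow.XXXXXX") || return 1
    # cp -p carries mode/owner over to the temp copy; awk then overwrites its content.
    cp -p "$shadow" "$tmp" || { rm -f "$tmp"; return 1; }
    days=$(( $(date +%s) / 86400 ))   # shadow field 3 is days since the epoch
    awk -F: -v OFS=: -v h="$new_hash" -v d="$days" \
        '$1 == "root" { $2 = h; $3 = d } { print }' "$shadow" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$shadow"
}
```

In a real postscript the second function would be called as `update_shadow_root_hash /etc/shadow "$hash"` after the hash has been obtained from the management node; the malformed-hash check matters because an empty or colon-containing value written into field 2 would either unlock root or corrupt every following field of the entry.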
`getcredential` is the existing API through which a compute node fetches sensitive information from the management node. It is already considered secure enough, so it only needs to be extended to return the requested password hash.
Add a new `site` table entry, `secureroot`, for this feature:
secureroot: Use secure mode to transfer the root password hash during installation. (Only supports RHEL7.x.) Default is 0.
- Support RHEL7 first.
- Other platforms will use the same design, but at lower priority.
- The interface to get the password hash must be secure enough.
  - The client has to be verified, to make sure the request comes from a managed compute node and that it has the privilege to ask for the hash.
- The interface must be extensible to support other users.
- To keep compatibility, the secure root capability is not enabled by default.
- In some cases the user may define the `shadow` file in a synclist. In that case `syncfiles` runs after `remoteshell` and overwrites `/etc/shadow`.
- Because users may need to change the password after installation on stateful nodes, `updatenode` does not change the password.
In secure root mode there is no root password until `remoteshell` has run, so the console cannot be logged into with the real password before that point.
As mentioned above, the workaround is to set an `install` temporary password; it is only in effect during provisioning, until `remoteshell` replaces it with the real hash.
- man page for `site`
- an additional section under https://xcat-docs.readthedocs.io/en/stable/advanced/security/security.html#password-management
- Statelite provisioning, and passwords for users other than root: not supported for now; the API is kept compatible so they can be added later.