-
Notifications
You must be signed in to change notification settings - Fork 173
Secure root support
xCAT stateful provisioning (kickstart file for RHEL) and stateless provisioning (image tarball) include the root password hash inside, and they are exposed to a HTTP server. Here might be security issue.
To enforce the security consideration, it is required xCAT to offer a capability to send the root password hash in a secure method during the provisioning only.
In existing implementation for RHEL7,
when run nodeset <cn> osimage=xxx, xCAT will generate the kickstart file and it will contains a line
rootpw --iscrypted <root password hash>
During the provisioning, anaconda will get the kickstart file and generate the corresponding root in /etc/shadow
And with the 'secure root support' enhancement, nodeset will do the following:
- To check if
secure rootis enabled, if not, same as previous.
If yes, then there are possible two option:
1, User define `install` temporary password in `passwd` table, `nodeset` write temporary hash into kickstart file.
2, No `install` temporary password defined, no root password hash into kickstart file.
When the node is in the end of provisioning and running xCAT default postscript, remoteshell will do the following:
- To check if
secure rootis enabled, if not, same as previous.
If yes, then it send `getcredential xcat_secure_passwd [user]` to xCAT master, and update the `/etc/shadow` with the right hash
In existing implementation for RHEL7,
when run packimage xxx, xCAT will update the <rootimagedir>/etc/shadow with the and pack it into image, so the image contains the root password hash directly.
And with the 'secure root support' enhancement, packimage will do the following:
- To check if
secure rootis enabled, if not, same as previous.
If yes, then there are possible two option:
1, User define `install` temporary password in `passwd` table, `packimage` write temporary hash into `/etc/shadow`.
2, No `install` temporary password defined, no root password hash into `/etc/shadow` file.
When the node is in the end of provisioning and running xCAT default postscript, remoteshell will do the following:
- To check if
secure rootis enabled, if not, same as previous.
If yes, then it send `getcredential xcat_secure_passwd [user]` to xCAT master, and update the `/etc/shadow` with the right hash
Note: if you define /etc/shadow file in the synclist of the osimage, you must use packiamge --nosyncfiles xxx
- Support it for RHEL7 first
- Other Platform will use the same design, but lower priority
-
The interface to get the password hash must be secure enough
- The client had to be verified to make sure it is from a managed compute node and with the privilege.
-
The interface must be extensible to support other user
-
To keep compatible, secure root capability is not enabled by default.
Statelite provisioning other user password - Not support it now, just leave the API compatible.
- Nov 13, 2024: xCAT 2.17 released.
- Mar 08, 2023: xCAT 2.16.5 released.
- Jun 20, 2022: xCAT 2.16.4 released.
- Nov 17, 2021: xCAT 2.16.3 released.
- May 25, 2021: xCAT 2.16.2 released.
- Nov 06, 2020: xCAT 2.16.1 released.
- Jun 17, 2020: xCAT 2.16 released.
- Mar 06, 2020: xCAT 2.15.1 released.
- Nov 11, 2019: xCAT 2.15 released.
- Mar 29, 2019: xCAT 2.14.6 released.
- Dec 07, 2018: xCAT 2.14.5 released.
- Oct 19, 2018: xCAT 2.14.4 released.
- Aug 24, 2018: xCAT 2.14.3 released.
- Jul 13, 2018: xCAT 2.14.2 released.
- Jun 01, 2018: xCAT 2.14.1 released.
- Apr 20, 2018: xCAT 2.14 released.
- Mar 14, 2018: xCAT 2.13.11 released.
- Jan 26, 2018: xCAT 2.13.10 released.
- Dec 18, 2017: xCAT 2.13.9 released.
- Nov 03, 2017: xCAT 2.13.8 released.
- Sep 22, 2017: xCAT 2.13.7 released.
- Aug 10, 2017: xCAT 2.13.6 released.
- Jun 30, 2017: xCAT 2.13.5 released.
- May 19, 2017: xCAT 2.13.4 released.
- Apr 14, 2017: xCAT 2.13.3 released.
- Feb 24, 2017: xCAT 2.13.2 released.
- Jan 13, 2017: xCAT 2.13.1 released.
- Dec 09, 2016: xCAT 2.13 released.
- Dec 06, 2016: xCAT 2.9.4 (AIX only) released.
- Nov 11, 2016: xCAT 2.12.4 released.
- Sep 30, 2016: xCAT 2.12.3 released.
- Aug 19, 2016: xCAT 2.12.2 released.
- Jul 08, 2016: xCAT 2.12.1 released.
- May 20, 2016: xCAT 2.12 released.
- Apr 22, 2016: xCAT 2.11.1 released.
- Mar 11, 2016: xCAT 2.9.3 (AIX only) released.
- Dec 11, 2015: xCAT 2.11 released.
- Nov 11, 2015: xCAT 2.9.2 (AIX only) released.
- Jul 30, 2015: xCAT 2.10 released.
- Jul 30, 2015: xCAT migrates from sourceforge to github
- Jun 26, 2015: xCAT 2.7.9 released.
- Mar 20, 2015: xCAT 2.9.1 released.
- Dec 12, 2014: xCAT 2.9 released.
- Sep 5, 2014: xCAT 2.8.5 released.
- May 23, 2014: xCAT 2.8.4 released.
- Jan 24, 2014: xCAT 2.7.8 released.
- Nov 15, 2013: xCAT 2.8.3 released.
- Jun 26, 2013: xCAT 2.8.2 released.
- May 17, 2013: xCAT 2.7.7 released.
- May 10, 2013: xCAT 2.8.1 released.
- Feb 28, 2013: xCAT 2.8 released.
- Nov 30, 2012: xCAT 2.7.6 released.
- Oct 29, 2012: xCAT 2.7.5 released.
- Aug 27, 2012: xCAT 2.7.4 released.
- Jun 22, 2012: xCAT 2.7.3 released.
- May 25, 2012: xCAT 2.7.2 released.
- Apr 20, 2012: xCAT 2.7.1 released.
- Mar 19, 2012: xCAT 2.7 released.
- Mar 15, 2012: xCAT 2.6.11 released.
- Jan 23, 2012: xCAT 2.6.10 released.
- Nov 15, 2011: xCAT 2.6.9 released.
- Sep 30, 2011: xCAT 2.6.8 released.
- Aug 26, 2011: xCAT 2.6.6 released.
- May 20, 2011: xCAT 2.6 released.
- Feb 14, 2011: Watson plays on Jeopardy and is managed by xCAT!
- xCAT OS And Hw Support Matrix
- Oct 22, 2010: xCAT 2.5 released.
- Apr 30, 2010: xCAT 2.4 is released.
- Oct 31, 2009: xCAT 2.3 released. xCAT's 10 year anniversary!
- Apr 16, 2009: xCAT 2.2 released.
- Oct 31, 2008: xCAT 2.1 released.
- Sep 12, 2008: Support for xCAT 2 can now be purchased!
- June 9, 2008: xCAT breaths life into (at the time) the fastest supercomputer on the planet
- May 30, 2008: xCAT 2.0 for Linux officially released!
- Oct 31, 2007: IBM open sources xCAT 2.0 to allow collaboration among all of the xCAT users.
- Oct 31, 1999: xCAT 1.0 is born!
xCAT started out as a project in IBM developed by Egan Ford. It was quickly adopted by customers and IBM manufacturing sites to rapidly deploy clusters.