[ClusterLabs] Coming in Pacemaker 2.0.1: Security enhancements

Ken Gaillot kgaillot at redhat.com
Mon Feb 25 13:17:22 EST 2019


I thought I'd round up a collection of security enhancements that will
be in Pacemaker 2.0.1:

* Pacemaker Remote connection security:

Previously, Pacemaker hard-coded a prime length of 1024 bits when
generating Diffie-Hellman parameters for a TLS server. This value was
chosen in 2007, but the ideal value increases over time. Some of the
latest operating system versions would reject this value as being too
small when certain security profiles were enabled.

The 2.0.1 version will query the local GnuTLS library for the preferred
prime length, thus it will improve over time as GnuTLS is updated.

Additionally, users can now set lower and upper bounds on the prime
length using the PCMK_dh_min_bits and PCMK_dh_max_bits environment
variables (set in /etc/sysconfig/pacemaker or a distro equivalent).
This is generally unnecessary and should be avoided, but may be
required when mixing older and newer operating systems in a cluster
with Pacemaker Remote, as differing GnuTLS library versions may support
different minimum and maximum lengths.
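The selection logic described above, as an added example that is not Pacemaker's own code: start from whatever prime length the TLS library currently prefers, then clamp it to the optional PCMK_dh_min_bits / PCMK_dh_max_bits bounds. The GnuTLS call `gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)` is one way to ask the library for its preferred size and is an assumption here, not a description of how Pacemaker's code does it; the 2048-bit stand-in value is constructed. Malformed bounds are ignored rather than applied, and a lower bound larger than the upper bound resolves in favour of the upper bound so the server never offers a prime a peer cannot accept.

```c
/* Added example (not Pacemaker's code): choose a DH prime length from the
 * library-preferred value plus optional operator-supplied bounds. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>   /* build with: cc -DUSE_GNUTLS example.c -lgnutls */
#endif

/* Parse a bit-length bound such as "2048". Returns 0 when the string is
 * unset, empty, or not a positive integer, so a typo in the sysconfig file
 * is ignored instead of silently becoming a bound. */
static unsigned int parse_bits(const char *s)
{
    if (s == NULL || *s == '\0') {
        return 0;
    }
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v == 0 || v > UINT_MAX) {
        return 0;
    }
    return (unsigned int) v;
}

/* Start from the length the TLS library prefers and apply the bounds.
 * The lower bound is applied first, then the upper bound, so a
 * misconfigured min > max resolves to the upper bound. */
unsigned int choose_dh_bits(unsigned int preferred,
                            const char *min_str, const char *max_str)
{
    unsigned int bits = preferred;
    unsigned int min_bits = parse_bits(min_str);
    unsigned int max_bits = parse_bits(max_str);

    if (min_bits > 0 && bits < min_bits) {
        bits = min_bits;
    }
    if (max_bits > 0 && bits > max_bits) {
        bits = max_bits;
    }
    return bits;
}

/* Read the bounds from the environment, where /etc/sysconfig/pacemaker
 * (or the distro equivalent) would export them. */
unsigned int choose_dh_bits_from_env(unsigned int preferred)
{
    return choose_dh_bits(preferred,
                          getenv("PCMK_dh_min_bits"),
                          getenv("PCMK_dh_max_bits"));
}

int main(void)
{
#ifdef USE_GNUTLS
    /* Ask the installed GnuTLS for its current "normal"-strength DH size;
     * this is what lets the chosen length improve as GnuTLS is updated. */
    unsigned int preferred =
        gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
#else
    unsigned int preferred = 2048; /* constructed stand-in for the library query */
#endif
    unsigned int chosen = choose_dh_bits_from_env(preferred);

    printf("library-preferred DH prime: %u bits\n", preferred);
    printf("DH prime after PCMK_dh_min_bits/PCMK_dh_max_bits: %u bits\n", chosen);
    return 0;
}
```

Running it with `PCMK_dh_max_bits=2048` on a host whose GnuTLS prefers a larger prime shows the value being lowered to what an older peer can negotiate; with no bounds set, the library-preferred value passes through unchanged, which is the configuration the announcement recommends.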

* In the highly unlikely case that the operating system is unable to
provide information about a valid user account (for example, complete
loss of the disk containing /etc), ACLs will now assume the user has no
privileges. Previously, Pacemaker would assert and crash.

* Previously, Pacemaker on Linux systems would enable the magic SysRq
keys for dumping process information and rebooting or crashing the
system. This was unnecessary for Pacemaker's operation because it only
applies to SysRq sequences initiated from the keyboard, so now
Pacemaker no longer does this.
-- 
Ken Gaillot <kgaillot at redhat.com>
