[ClusterLabs] Question regarding the security of corosync

Jan Friesse jfriesse at redhat.com
Wed Jun 22 03:26:12 EDT 2022

On 22/06/2022 07:12, Andrei Borzenkov wrote:
> On 22.06.2022 02:27, Antony Stone wrote:
>> On Friday 17 June 2022 at 11:39:14, Mario Freytag wrote:
>>> I’d like to ask about the security of corosync. We’re using a Proxmox HA
>>> setup in our testing environment and need to confirm it’s compliance with
>>> PCI guidelines.
>>> We have a few questions:
>>> Is the communication encrypted?
>>> What method of encryption is used?
>>> What method of authentication is used?
>>> What is the recommended way of separation for the corosync network? VLAN?
>> Your first three questions are probably well-answered by
>> https://github.com/fghaas/corosync/blob/master/SECURITY
> This is thirteen years old file which is not present in the current
> corosync sources. I hesitate to use it as the answer to anything
> *today*. If it is still relevant, why it was removed?

Yup, the file is no longer relevant. The main reason to remove it was 
that corosync no longer does encryption itself - it's now knet problem. 
Also file was pretty much outdated since removal of tomcrypt and move to 
just using nss (so corosync 2 era).

So really authoritative source is knet source code 
(https://github.com/kronosnet/kronosnet/blob/main/libknet/crypto.c and 
other crypto*.c files).


>> For the fourth, I agree with Jan Friesse - a dedicated physical network is
>> best; a dedicated VLAN is second best.
>> Antony.
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
> ClusterLabs home: https://www.clusterlabs.org/

More information about the Users mailing list