OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
Uploaded by netcetera
“Remote Desktop for big data + DevOps + Encryption Everywhere”
Deploying trusted developer sandboxes in Amazon’s cloud
Jason Brazile, Remi Locherer, Ronnie Brunner, 10 June 2014
Open Cloud Day
A case for…
• remote desktop w/“big data in the cloud”
• automated immutable system images
• not-too-inconvenient encryption everywhere
Background: ESA Study, 2009-2011
potential use-cases:
• …
• Cloud for free* data access
• Cloud for remote development
• …
(*) https://www.google.com/?q=ESA+Earth+Observation+Data+Policy
ESRIN/Contract Nr. 227700/09/I-SB final report (245 pages)
• Big, free-ish, Data
• Distinct, proprietary, software devs
• Slow test data distribution to code developers
• Devs nervous about their code leaking

[Diagram: ESA CIOP; Proprietary Algorithm A dev’d by X; Proprietary Algorithm B dev’d by Y]

Soln? Instead, bring the devs to the data (in the cloud)
(non-)Priorities… Zzz
• hacking science data
• brand damage
• Leaking developer’s algorithms

Summary
• Data = not sensitive
• Dev’s Code = sensitive
• Soln → easy for devs
Schneier’s “NSA” Recommendations
1. Hide in the network (Tor)
2. Encrypt communications
3. Encrypt data
4. Be suspicious of commercial encryption from large vendors
5. Use public-domain encryption
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Image source: Wikipedia

w/ESA CIOP 4 of 5 are built-in to system
Cloud Sandbox Prototype

[Architecture diagram; the labels that survive in the transcript:]
• zones: ESA private net, ESA/CIOP DMZ
• services: portal, catalog, NFS, ldap
• storage: /data, /home/a, /home/b, /home/c
• sandbox a, sandbox b, sandbox c (each running encfs and sshd)
• user a, user b, user c, Admin

Annotations:
• Existing X.509 certs → X.509 derived ssh key
• ldap config limits user c to sandbox c
• nfs mount of encfs encrypted /home/a
• sandbox images basically read-only
• knows no CIOP secrets
Getting big data into the cloud
1. Net or Post?
2. Est. Cost
3. Submit job
http://aws.amazon.com/importexport/faqs/
http://calculator.s3.amazonaws.com/index.html?s=importexport
http://docs.aws.amazon.com/AWSImportExport/latest/DG/GSCreateSampleEBSImportRequest.html
Easy? First Time Usage

[screenshot of the first login]
• ssh identity derived from existing X.509 certificate
• Single encfs passphrase decrypts both dev’s /home and shared /validate
Easy? Daily Usage

[screenshot of a daily login]
• ssh identity derived from existing X.509 certificate
• Single encfs passphrase decrypts both dev’s /home and shared /validate
• ldap directory: centralized access control to machines and nfs mounts
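The two usage slides reuse the developer's existing X.509 certificate as the ssh identity. The following is an added example (not code from the slides or the esa-ciop repository) of how that derivation works with openssl and ssh-keygen, with a check that the public key the server side would store is the one the developer's ssh client will actually present. openssl and ssh-keygen are real tools; the file names dev.key/dev.crt and the self-signed throwaway certificate are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the Netcetera slides or the esa-ciop repo).
# Derive the OpenSSH identity from an existing X.509 certificate and key pair.
# Assumes: openssl and ssh-keygen on PATH; RSA keys in PEM; file names and the
# self-signed demo certificate below are constructed for this example.
set -eu

# Server side: turn the certificate's public key into an authorized_keys line
# (what the portal/LDAP side stores as the user's ssh public key).
ssh_pubkey_from_cert() {
    tmp=$(mktemp)
    openssl x509 -in "$1" -noout -pubkey > "$tmp"      # SubjectPublicKeyInfo PEM
    key=$(ssh-keygen -i -m PKCS8 -f "$tmp")             # import -> "ssh-rsa AAAA..."
    rm -f "$tmp"
    printf '%s\n' "$key"
}

# Developer side: the X.509 private key is an ordinary RSA key, so "ssh -i"
# uses it as-is. Print the public half the client will present.
ssh_pubkey_from_privkey() {
    ssh-keygen -y -f "$1"
}

# Check that what the server stores is what the client will offer: compare key
# type and base64 blob, ignoring any comment field. Returns 0 on a match.
verify_cert_matches_key() {
    a=$(ssh_pubkey_from_cert "$1" | awk '{print $1, $2}')
    b=$(ssh_pubkey_from_privkey "$2" | awk '{print $1, $2}')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# Constructed demo material: throwaway key + self-signed certificate.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=developer-a" \
        -keyout "$1/dev.key" -out "$1/dev.crt" 2>/dev/null
    chmod 600 "$1/dev.key"    # ssh refuses group/world-readable identity files
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    ssh_pubkey_from_cert "$d/dev.crt"
    verify_cert_matches_key "$d/dev.crt" "$d/dev.key" && echo "certificate and key agree"
    rm -rf "$d"
fi
```

The developer installs nothing new: the same PEM private key that backs the certificate works with `ssh -i dev.key`, as long as it is readable only by its owner. The server never needs the private key, only the derived `ssh-rsa` line.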
Details: Encrypted file system choices (SL6)
[comparison table not recoverable from the transcript]
Details: just the OS

boxgrinder appliance definition:
name: fedora-xfce
summary: Fedora with xfce
os:
  name: fedora
  version: 16
hardware:
  partitions:
    "/":
      size: 5
packages:
  - @base
  - @base-x
  - @fonts
  - @xfce-desktop
  - @critical-path-xfce

AWS credentials for the build:
access_key: yourawsaccesskey
secret_access_key: yourawssecretkey
account_number: youramazonaccountnumber
cert_file: /root/.ec2/yourcertificate.pem
key_file: /root/.ec2/yourprivatekey.pem

The only change needed for SL6 (in the os: block):
name: sl
version: 6

Note: boxgrinder is “sleeping”. Now we use appliance-creator (~150 line shell script):
https://github.com/netceteragroup/esa-beam/blob/master/beam-3dveglab-vlab/src/main/scripts/build_fedora_virtual_image.sh
Details: server script (~500 lines)

# local firewall rules for inbound traffic
lokkit --nostart --enabled \
  --service=ssh \
  --port=111:tcp \
  --port=111:udp \
  --port=514:tcp \
  --port=636:tcp \
  --port=662:tcp \
  --port=662:udp \
  --port=2049:tcp \
  --port=2049:udp \
  --port=32803:tcp \
  --port=32769:udp

# 111 rpc (for nfs)
# 636 ldap-ssl
# 514 rsyslog
# 662 statd (for nfs)
# 2049 nfs4
# 32803, 32769 lockd (for nfs)

Nice-to-have: rsyslog → TLS rsyslog

# ldap configuration
yum install -y openldap-clients openldap-servers nss-pam-ldapd

# prepare ldap cert
cd /etc/openldap/cacerts
openssl genrsa -out cert.key 2048
…
openssl req -new -key cert.key -out cert.csr -subj \
  "/C=IT/L=Default City/O=Default Company Ltd/CN=192.168.11.10"
…
/usr/sbin/cacertdir_rehash /export/certs/

cat <<EOF> /etc/openldap/slapd.d/cn=config.ldif
…
cat <<EOF> /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
…
cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={12}autofs.ldif
…
cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={14}ldappubkey.ldif
…
cat <<EOF> /etc/openldap/g-pod.ldif
…
slapadd -l /etc/openldap/g-pod.ldif

• Firewall
• Nfs/autofs
• Certificates
• Ldap
• Syslog
Details: sandbox script (~250 lines)

…
chmod +x /etc/profile.d/encfs.sh

# load fuse kernel module at boot
cat <<EOF> /etc/sysconfig/modules/encfs.modules
#!/bin/bash
exec /sbin/modprobe fuse >/dev/null 2>&1
EOF
chmod +x /etc/sysconfig/modules/encfs.modules

# ssh public keys come from ldap, not from ~/.ssh/authorized_keys
# (the directive must be a single line; a backslash inside single quotes is literal)
yum install -y openssh-ldap
echo 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' >> /etc/ssh/sshd_config

# for ssh-ldap-helper
ln -s /etc/openldap/ldap.conf /etc/ssh/ldap.conf
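The server slide loads the ldappubkey schema and a g-pod.ldif whose contents are elided; the sandbox side then lets sshd fetch keys through ssh-ldap-wrapper. The following added example (not the slides' LDIF, not ssh-ldap-wrapper, and not code from the esa-ciop repository) shows what such directory entries can look like and re-implements the lookup in awk so the "ldap config limits user c to sandbox c" rule can be exercised offline. Everything in it is constructed: the two users, their keys, the example.org base DN, and the `host` attribute, which is this example's assumed way of expressing the per-sandbox restriction (in nss-pam-ldapd that kind of check normally lives in an nslcd `pam_authz_search` filter, not in the key lookup).

```shell
#!/bin/sh
# Added example, not the slides' g-pod.ldif (whose contents are elided) nor
# ssh-ldap-wrapper. Constructed directory entries for two sandbox users, using
# the ldappubkey (openssh-lpk) objectClass/attribute the server script loads,
# plus a 'host' attribute as this example's assumed way to express
# "user c may only log in to sandbox c".
SAMPLE_LDIF='dn: uid=usera,ou=People,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: ldapPublicKey
uid: usera
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/a
host: sandbox-a
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample-key-for-user-a usera@x509

dn: uid=userc,ou=People,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: ldapPublicKey
uid: userc
uidNumber: 10003
gidNumber: 10003
homeDirectory: /home/c
host: sandbox-c
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample-key-for-user-c userc@x509
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsecond-key-for-user-c userc@laptop
'

# authorized_keys_for USER HOST   (LDIF on stdin)
# Prints every sshPublicKey of the entry whose uid is USER, but only if that
# entry lists HOST (or "*") in its host attribute. Unfolds LDIF continuation
# lines (leading space); base64 ("::") values are not decoded.
# Exit status 0 if at least one key was printed, 1 otherwise.
authorized_keys_for() {
    awk -v user="$1" -v host="$2" '
    function handle(l,   a, v) {
        if (l == "") return
        a = l; sub(/:.*/, "", a)                # attribute name
        v = l; sub(/^[^:]*:[ ]*/, "", v)        # attribute value
        if (a == "uid") uid = v
        else if (a == "host" && (v == host || v == "*")) allowed = 1
        else if (a == "sshPublicKey") keys[++nk] = v
    }
    function flush(   i) {
        handle(cur); cur = ""
        if (uid == user && allowed)
            for (i = 1; i <= nk; i++) { print keys[i]; n++ }
        uid = ""; allowed = 0; nk = 0
    }
    /^ /  { cur = cur substr($0, 2); next }     # continuation line
    /^$/  { flush(); next }                     # blank line ends an entry
          { handle(cur); cur = $0 }
    END   { flush(); exit (n > 0 ? 0 : 1) }
    '
}

# Stand-in for the AuthorizedKeysCommand sshd runs with the login name ($1);
# the sandbox's own short hostname decides which entries may answer, so one
# directory serves every sandbox without per-host authorized_keys files.
ldap_authorized_keys() {
    printf '%s' "$SAMPLE_LDIF" | authorized_keys_for "$1" "${2:-$(hostname -s)}"
}

# ldap_authorized_keys userc sandbox-c   -> prints two keys, exit 0
# ldap_authorized_keys userc sandbox-a   -> prints nothing, exit 1
```

Two things worth keeping from this when reading the real setup: a user entry with no `host` value for the sandbox asking is invisible to that sandbox even though the directory is shared, and revoking a developer is one LDAP change rather than a hunt through image files (the sandbox images are read-only anyway).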
# encrypt temporary filesystems
yum install -y cryptsetup-luks
# swap space, keyed from /dev/urandom at every boot
# (use "cryptsetup status /dev/mapper/swap" after reboot)
# (crypttab entries are one line each; a backslash inside single quotes is literal)
echo 'swap /dev/mapper/VolGroup-lv_swap /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap' > /etc/crypttab
sed -i 's/.*swap.*/\/dev\/mapper\/swap swap swap defaults 0 0/' /etc/fstab
# temporary file systems kept in RAM, never on the (unencrypted) root disk
echo 'none /tmp tmpfs defaults,size=64m 0 0' >> /etc/fstab
echo 'none /var/tmp tmpfs defaults,size=128m 0 0' >> /etc/fstab

[…]

# home directory encryption
# fuse-2.8.3-1.el6 works, fuse-2.8.3-3.el6_1 "fusermount -u" does not work.
yum install -y \
  fuse-2.8.3-1.el6 \
  fuse-encfs-1.7.4-1.el6.i686 \
  pwgen

• Firewall
• Nfs/autofs/fuse-encfs
• Encrypted /tmp & swap
• Openssh-ldap
• Syslog
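The sandbox script installs fuse-encfs and an /etc/profile.d/encfs.sh whose body the slides elide, and the usage slides say one encfs passphrase unlocks both the developer's /home and the shared /validate. The following is an added example of such a login hook (not the project's script). Everything in it beyond encfs and fusermount is assumed: the ciphertext directories ($HOME/.enc and /validate/.enc, i.e. what sits on the NFS export), the plaintext mount points ($HOME/private and /validate/open), the ENCFS_AUTOLOGIN opt-out variable, and that both trees were initialised earlier with the same passphrase.

```shell
#!/bin/sh
# Added example of an /etc/profile.d/encfs.sh login hook. It is not the slides'
# script (whose body is elided). Assumed layout (all names are this example's):
#   ciphertext, on the NFS export, visible to the server and the cloud admin:
#       $HOME/.enc           /validate/.enc
#   plaintext, FUSE-mounted only inside the developer's login session:
#       $HOME/private        /validate/open
# Assumes encfs/fusermount are installed, the fuse module is loaded, and both
# trees were initialised earlier with the same passphrase.

# 0 if $1 is an initialised encfs ciphertext directory.
encfs_root_ok() {
    [ -d "$1" ] && [ -f "$1/.encfs6.xml" ]
}

# 0 if something is mounted on $1.
is_mounted() {
    if command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$1"
    else
        awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
    fi
}

# Mount ciphertext $1 on plaintext $2, passphrase on stdin (never argv: it would
# show up in ps and shell history). Refuses uninitialised roots so a typo in the
# path cannot silently create a new, empty encfs tree.
encfs_mount_one() {
    encfs_root_ok "$1" || { echo "encfs: not an initialised root: $1" >&2; return 2; }
    mkdir -p "$2"
    is_mounted "$2" && return 0        # already unlocked in another session
    encfs --stdinpass "$1" "$2"
}

# Ask once, feed the same passphrase to both trees.
encfs_login() {
    printf 'encfs passphrase: ' >&2
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo >&2
    rc=0
    printf '%s\n' "$pass" | encfs_mount_one "$HOME/.enc" "$HOME/private" || rc=$?
    printf '%s\n' "$pass" | encfs_mount_one /validate/.enc /validate/open || rc=$?
    unset pass
    return $rc
}

# Lock both trees again (call from ~/.bash_logout).
encfs_logout() {
    for m in "$HOME/private" /validate/open; do
        is_mounted "$m" && fusermount -u "$m"
    done
}

# Prompt only on interactive logins (scp/rsync and cron see no prompt).
# ENCFS_AUTOLOGIN=0 is this example's opt-out.
case "$-" in *i*) [ "${ENCFS_AUTOLOGIN:-1}" = 1 ] && encfs_login ;; esac
```

Because only the ciphertext directories are on the NFS export, the NFS server and whoever administers the cloud side see encrypted names and contents; the passphrase exists only in the developer's session, which is what lets the admin in the prototype "know no CIOP secrets". Note the pinned fuse version on the slide: if `fusermount -u` fails, `encfs_logout` leaves the plaintext view mounted until the session's FUSE process dies.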
Takeaways…
• remote desktop w/“big data in the cloud”
• automated immutable system images
• not-too-inconvenient encryption everywhere
github.com/netceteragroup/esa-ciop-sandbox-image-proto