Virtual Machine Image Endorsement
Description
Goal
Set up a process assuring that a Virtual Machine Image (VMI)/ Virtual Appliance (VA) published in AppDB is well-configured, secure and up-to-date.
Members
- Enol Fernandez [EF]
- Vincenzo Spinoso [VS]
Contacts
SSO group available: vm-image-endorsement@mailman.egi.eu
Image types
Type | Description | Managed by |
---|---|---|
EGI | General purpose images, based on widely used OSes | EGI |
VO-specific | Images available to a specific VO and customized for specific purposes | VO expert |
Activities and workflow
Activity | Description |
---|---|
A1. Image setup | Set up an image ready to be used by a Resource Provider |
A2. Image hardening | Procedure that provides first configuration, security and updates to the image produced by A1 |
A3. Image publishing | Procedure that takes an image ready from A2 and makes it available on AppDB with proper tags, metadata and links |
Configuration
First configuration ensures that no dangerous default configurations are left in any application or service. Updates are provided by the OS package manager, or applied manually if needed. Security is provided by applying the CSIRT guidelines for VMI Endorsement.
Documents and Policies
Policies are defined by the SPG group and are published at https://wiki.egi.eu/wiki/SPG:Documents
Particularly relevant are the Security Policy for the Endorsement and Operation of Virtual Machine Images and a draft Virtualisation Policy.
Hardening guidelines
ACTION NEEDED: link to the external wiki containing the hardening guidelines from CSIRT
Procedures for EGI images
Activity | Initial activity | Ongoing activity |
---|---|---|
A1. Image creation | Set up the procedure for a given image [EF] | Apply the procedure to keep the image up to date according to a given policy (on a security issue, on request, every X days…) [VS] |
A2. Image configuration | Apply VMI configuration procedure to a given image [VS] | Apply VMI configuration procedure to a given image [VS] |
A3. Image publishing | Publish the image on AppDB [VS] | Publish the image on AppDB [VS] |
Ubuntu
Setup
Hardening
CentOS7
Setup
Hardening
Procedures for VO images
The procedure is similar to that for EGI images, but a VO expert (endorser) is fully responsible for the endorsement process of a specific VM. For the fedcloud.egi.eu VO, the VO expert will get special help from EGI experts.