The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Virtual Machine Image Endorsement


Description

Goal

Set up a process ensuring that a Virtual Machine Image (VMI) / Virtual Appliance (VA) published in AppDB is well-configured, secure and up to date.

Members

  • Enol Fernandez [EF]
  • Vincenzo Spinoso [VS]

Contacts

SSO group available: vm-image-endorsement@mailman.egi.eu

Image types

| Type | Description | Managed by |
|---|---|---|
| EGI | General purpose images, based on widely used OSes | EGI |
| VO-specific | VO-specific images, available to a specific VO and customized for specific purposes | VO-expert |

Activities and workflow

[Figure: Endorsement activities process]

| Activity | Description |
|---|---|
| A1. Creation | Set up an image ready to be used by a Resource Provider |
| A2. Configuration | Ensure that packages are up to date and that no wrong default configurations are left for any application or service |
| A3. Hardening | Secure the image by applying the CSIRT guidelines for VMI Endorsement |
| A4. Publishing | Make the image available on AppDB with proper tags, metadata and links |

[Figure: Endorsement workflow process]

Configuration

Initial configuration ensures that no dangerous default configurations are left for any application or service. Updates are provided by the OS package manager, or applied manually if needed. Security is provided by applying the CSIRT guidelines for VMI Endorsement.

Documents and Policies

Policies are defined by the SPG group and are published at https://wiki.egi.eu/wiki/SPG:Documents

Particularly relevant are the Security Policy for the Endorsement and Operation of Virtual Machine Images and a draft of a Virtualisation Policy.

SPG Drafts under development

Hardening guidelines

ACTION NEEDED: link to external wiki containing hardening guidelines from CSIRT


Procedures for EGI images

| Activity | Initial activity | Ongoing activity |
|---|---|---|
| A1. Image creation | Set up the procedure for a given image [EF] | Apply the procedure to keep the image up to date according to a given policy (on security issue, on request, every X days…) [VS] |
| A2. Image configuration | Apply VMI configuration procedure to a given image [VS] | Apply VMI configuration procedure to a given image [VS] |
| A3. Image publishing | Publish the image on AppDB [VS] | Publish the image on AppDB [VS] |

Ubuntu

Setup

Hardening

CentOS7

Setup

Hardening

Procedures for VO images

The procedure is similar to that for EGI images, but a VO expert (endorser) is fully responsible for the endorsement process of a specific VM. For the fedcloud.egi.eu VO, the VO expert will get special help from EGI experts.