Security

clusterducks aims to make security more accessible, with less work.

The control panel is a Certificate Authority that can generate, renew and revoke certificates.

Server usage

Storage, compute and tunnel servers all have a unique SSL certificate generated by the control panel during installation.

This is done so that devices can authenticate the server they are connecting to. Clients cannot validate self-signed certificates, so they are not supported.

Device usage

iPXE is compiled with the control panel's certificate chain embedded as the root of trust. During boot, the device verifies the identity of the server; the connection fails if the server is unknown.

Device images can have the clusterducks CA chain embedded so that SSL communications can be verified during runtime requests, such as a request to the metadata service to retrieve extra iSCSI assignments.

User certificates

User certificates are not strictly necessary as of v0.9.4 and are experimental. Only a single certificate per user is allowed; users who prefer one certificate per device are encouraged to submit a patch.

Certificate authentication

The default clusterducks/panel Docker container is built with optional user SSL certificate authentication. This is because the user must first log in to generate their certificate on the account settings page.

It is planned to optionally disable certain actions in the UI and API unless the user has connected with a valid SSL certificate. This could be overridden with CLI tools for administrators who lose their private key.

Tunnel service exception

Tunnel servers do not use SSL certificate authentication; SSH keys are managed transparently. HTTPS is not used for panel-to-tunnel interaction, and no certificate validation is done because the CommonName would not match the tunnel service IP address. Combating this is problematic. Use IPsec if your hosts are not on the same logical network.
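The validation a client with an embedded CA chain performs, and the IP-address mismatch described in the tunnel exception above, as an added example that is not clusterducks code. It assumes OpenSSL 1.1.0 or later on the PATH and builds a throwaway stand-in CA in a temporary directory; none of the names or keys are real.

```shell
#!/bin/sh
# Added example (not clusterducks code): validate a server certificate against an
# embedded CA chain, including the IP-address name check that is skipped on the
# panel-to-tunnel path. The CA below is a constructed stand-in for the panel CA.
set -e
WORK=$(mktemp -d)

# Self-signed stand-in CA with an explicit CA:TRUE basicConstraints extension.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example-panel-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate signed by the stand-in CA.
# $1 = file name and CommonName, $2 = subjectAltName (e.g. "IP:10.0.0.5") or "" for CN only.
issue_cert() {
  name=$1; san=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  set -- -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$name.pem"
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    set -- "$@" -extfile "$WORK/$name.ext"
  fi
  openssl x509 -req "$@" 2>/dev/null
}

# Chain-only check: what remains when peer-name verification is skipped.
verify_chain_only() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Full client-style check: chain must end at the embedded CA AND $2 must appear as an
# iPAddress subjectAltName. OpenSSL never matches an IP address against the CommonName,
# which is why a CN-only certificate cannot pass this check for an IP peer.
verify_for_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_cert tunnel-cn-only ""
  issue_cert tunnel-with-san "IP:10.0.0.5"
  verify_chain_only tunnel-cn-only && echo "cn-only cert: chain OK, name unchecked"
  verify_for_ip tunnel-cn-only 10.0.0.5 || echo "cn-only cert: rejected for 10.0.0.5"
  verify_for_ip tunnel-with-san 10.0.0.5 && echo "SAN cert: chain and IP OK for 10.0.0.5"
}
demo
```

Issuing tunnel certificates with an iPAddress subjectAltName is what lets a client keep full validation when it connects by IP rather than by name.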