[Beowulf] anyone using SALT on your clusters?
Joe Landman
landman at scalableinformatics.com
Tue Jul 2 19:05:53 PDT 2013
On 7/2/2013 7:18 PM, Greg Lindahl wrote:
> On Tue, Jul 02, 2013 at 10:54:14AM -0400, Joe Landman wrote:
>
>> One argument which is easy to make for salt, which I didn't see anyone
>> make is, it lets you lower your risk by removing the ssh daemon.
> You mean raise your risk, because the ssh equivalent in the pub-sub
> world is going to be less audited and more risky.
I am talking about removing an attack surface (removal of the ssh
daemon), not specifically increasing the attack surface and probability
of compromise by the mechanism you indicate.
My point was to set up a specific case, and point out its relative
weakness as an argument, as you have to replace the sshd with something
which eventually performs similar function. My argument was that this
is a silly way to approach, and there's no real benefit to doing this.
As you point out below, there is indeed a cost to doing so.
>
> To quote the article:
>
> | 0mq does not natively support encryption, so Salt includes its own AES
> | implementation that it uses to protect its payloads. Recently, a flaw
> | was discovered in this code along with several other remote
> | vulnerabilities. Ansible is largely immune to such issues because its
> | default configuration uses standard SSH
To a degree, this was implicit in my point. ssh solves a number of
these issues quite well, so building upon it makes sense. Replacing it,
for the sake of replacing it, is a fool's game, as it provides no
significant benefit, and several specific costs (insecurity, etc.).