[Beowulf] anyone using SALT on your clusters?

Joe Landman landman at scalableinformatics.com
Tue Jul 2 19:05:53 PDT 2013


On 7/2/2013 7:18 PM, Greg Lindahl wrote:
> On Tue, Jul 02, 2013 at 10:54:14AM -0400, Joe Landman wrote:
>
>> One argument which is easy to make for salt, which I didn't see anyone
>> make is, it lets you lower your risk by removing the ssh daemon.
> You mean raise your risk, because the ssh equivalent in the pub-sub
> world is going to be less audited and more risky.

I am talking about removing an attack surface (removal of the ssh 
daemon), not specifically increasing the attack surface and probability 
of compromise by the mechanism you indicate.

My point was to set up a specific case, and point out its relative 
weakness as an argument, as you have to replace the sshd with something 
which eventually performs similar function.  My argument was that this 
is a silly way to approach, and there's no real benefit to doing this.

As you point out below, there is indeed a cost to doing so.

>
> To quote the article:
>
> | 0mq does not natively support encryption, so Salt includes its own AES
> | implementation that it uses to protect its payloads. Recently, a flaw
> | was discovered in this code along with several other remote
> | vulnerabilities. Ansible is largely immune to such issues because its
> | default configuration uses standard SSH

To a degree, this was implicit in my point.  ssh solves a number of 
these issues quite well, so building upon it makes sense.  Replacing it, 
for the sake of replacing it, is a fools game, as it provides no 
significant benefit, and several specific costs (insecurity, etc.).





More information about the Beowulf mailing list