Harden Hadoop profiles against automated cryptocurrency compromises
This needs to be done in such a way that:
- Profiles we maintain are adequately secure out of the box
- Other users can easily apply the same techniques to their own profiles, whether derived from ours or independent. (So that when we say "fix your experiment or we'll kick you out", it's reasonable for them to comply.)
- iptables glue to block most network traffic by default and allow whitelists. This needs to be image independent (see requirements above); the approach will be to use geni-lib, profile parameters, and install/execute services so as to be readily portable. This is applicable beyond just Hadoop.
- nginx reverse proxying with HTTP basic authentication to permit restricted access to the web services blocked above.
- Think about ways to make the nginx basic auth generic so it too can be reused in non-Hadoop profiles.
- Document all of this on a Wiki page with an example users can copy-and-paste into their profiles.
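The following node-side script is an added example, not code from this project, showing the shape the iptables and nginx items above could take: a profile's install/execute service runs it with the whitelist, cluster subnet and ports handed in as profile parameters (here read from environment variables), and the same script serves non-Hadoop profiles by changing the upstream port. Every variable name, path and port default in it is an assumption for illustration; the TLS certificate paths are placeholders the experimenter must provision.

```shell
#!/bin/sh
# Added example (not the project's own code). Run by a profile's execute service
# with the whitelist and ports supplied as profile parameters via the environment:
#   ALLOWED_CIDRS="198.51.100.0/24" CLUSTER_CIDR="10.10.1.0/24" sh harden.sh apply
# Variable names, paths and defaults are assumptions for illustration.
set -eu

ALLOWED_CIDRS="${ALLOWED_CIDRS:-}"                # sources allowed to reach the proxied web UI
CLUSTER_CIDR="${CLUSTER_CIDR:-}"                  # experiment LAN; Hadoop peers need unrestricted access
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-8443}"    # ports opened to ALLOWED_CIDRS (the proxy port)
SSH_PORT="${SSH_PORT:-22}"                        # kept open to everyone so nobody locks themselves out
UPSTREAM_PORT="${UPSTREAM_PORT:-8088}"            # web UI bound on localhost (8088 assumed for YARN RM)
PROXY_PORT="${PROXY_PORT:-8443}"
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/nginx/.htpasswd}"
TLS_CERT="${TLS_CERT:-/etc/nginx/ssl/server.crt}" # placeholder; provision a real certificate
TLS_KEY="${TLS_KEY:-/etc/nginx/ssl/server.key}"   # placeholder

# Parameter values come from the experimenter, so validate them before splicing
# them into a command line: dotted quad with optional prefix length, digits-only port.
valid_cidr() { printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; }
valid_port() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print the iptables commands for a default-deny INPUT chain. The DROP policy is
# emitted last so an operator applying this over SSH is never cut off mid-way.
iptables_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    valid_port "$SSH_PORT" || { echo "bad SSH_PORT: $SSH_PORT" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    if [ -n "$CLUSTER_CIDR" ]; then
        valid_cidr "$CLUSTER_CIDR" || { echo "bad CLUSTER_CIDR: $CLUSTER_CIDR" >&2; return 1; }
        echo "iptables -A INPUT -s $CLUSTER_CIDR -j ACCEPT"
    fi
    for cidr in $ALLOWED_CIDRS; do
        valid_cidr "$cidr" || { echo "bad whitelist entry: $cidr" >&2; return 1; }
        for port in $ALLOWED_TCP_PORTS; do
            valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
            echo "iptables -A INPUT -s $cidr -p tcp --dport $port -j ACCEPT"
        done
    done
    # Log (rate-limited) what gets dropped; useful evidence when a node is probed.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables-drop: \""
    echo "iptables -P FORWARD DROP"
    echo "iptables -P INPUT DROP"
}

# Print an nginx server block that fronts the localhost-only web UI with TLS and
# HTTP basic auth. Nothing here is Hadoop-specific; only UPSTREAM_PORT changes.
nginx_site() {
    cat <<EOF
server {
    listen $PROXY_PORT ssl;
    ssl_certificate     $TLS_CERT;
    ssl_certificate_key $TLS_KEY;
    auth_basic           "Restricted";
    auth_basic_user_file $HTPASSWD_FILE;
    location / {
        proxy_pass http://127.0.0.1:$UPSTREAM_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Create the credentials file with htpasswd (apache2-utils). The password goes in
# on stdin (-i) rather than argv, so it never appears in process listings.
install_htpasswd() {
    printf '%s\n' "${UI_PASSWORD:?UI_PASSWORD must be set}" \
        | htpasswd -ic "$HTPASSWD_FILE" "${UI_USER:?UI_USER must be set}"
    chmod 640 "$HTPASSWD_FILE"
}

case "${1:-dry-run}" in
    dry-run)                   # show what would be applied; safe to run anywhere
        iptables_rules
        nginx_site
        ;;
    apply)                     # run as root on the node
        iptables_rules | sh -e
        nginx_site > /etc/nginx/conf.d/restricted-ui.conf
        install_htpasswd
        nginx -t && systemctl reload nginx
        ;;
esac
```

Running it with no argument prints the rules and the nginx config without touching the system, which is the form a Wiki example can show; `apply` is what the execute service would invoke. Two points worth keeping when adapting it: the Hadoop UIs themselves should bind to 127.0.0.1 (or stay behind the default-deny chain, as here) so the proxy is the only path in, and basic auth is only worth having over TLS, since the credentials travel base64-encoded in clear text otherwise.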