Harden Hadoop profiles against automated cryptocurrency compromises
This needs to be done in such a way that:
- Profiles we maintain are adequately secure out of the box
- Other users can easily apply the same techniques to their own profiles, whether derived from ours or independent. (So that when we say "fix your experiment or we'll kick you out", it's reasonable for them to comply.)
-
Add iptables
glue to block most network traffic by default and allow whitelists. This needs to be image independent (see requirements above); the approach will be to use geni-lib, profile parameters, and install/execute services so as to be readily portable. This is applicable beyond just Hadoop. -
Add nginx
reverse proxying with HTTP basic authentication to permit restricted access to the web services blocked above. -
Think about ways to make the nginx
basic auth generic so it too can be reused in non-Hadoop profiles. -
Document all of this on a Wiki page with an example users can copy-and-paste into their profiles.
Edited by Gary Wong