Does FUSE (sshfs) require host node configuration on OpenVZ?
rchurch Member
edited October 2012 in Help

Does FUSE (sshfs) require host node configuration on OpenVZ?

Does the service provider have to enable it on the node?

Comments

  • Maounique Host Rep, Veteran

    It must be installed in the HN and module loaded. Also enabled in the container.
    M

  • jarjar Patron Provider, Top Host, Veteran

    Yes but it is terribly simple. Any provider should be happy to enable it for you.

  • Maounique Host Rep, Veteran
    edited October 2012

    IMO, all providers should have it on by default... Same with TUN/TAP and iptables modules.
    Otherwise, we would be better off with vserver, it is more stable...
    M

  • Not all providers are enabling everything just on a customer request.

  • jarjar Patron Provider, Top Host, Veteran

    At this point most probably should. It is safe to say, however, that you can understand how to maintain and provide VPS solutions without realizing that those things are high in demand though, as one is basically book knowledge and the other is more market research. I won't say that I haven't learned from a client or two who had interesting needs.

  • @rchurch said: Does FUSE (sshfs) require host node configuration on OpenVZ?

    Does the service provider have to enable it on the node?

    Yes, give them this link: http://wiki.openvz.org/FUSE

    @qhoster said: Not all providers are enabling everything just on a customer request.

    I'd imagine that providers that don't want to have customers wouldn't.
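
As the replies above say, FUSE in an OpenVZ container needs the module loaded on the host node and the device enabled in the container. A check a tenant can run inside the container to tell which of the two is missing (an added example, not part of the thread; the function name `fuse_status` and its status strings are assumptions):

```shell
#!/bin/sh
# Added example: classify why FUSE is or is not usable inside a container.
# Usage inside the container: fuse_status /proc/filesystems /dev/fuse
# Prints one of: ready | no-module | no-device | no-access
fuse_status() {
    fs_file=${1:-/proc/filesystems}
    dev=${2:-/dev/fuse}

    # The kernel lists "fuse" here only when the module is loaded.
    # An OpenVZ container shares the host node's kernel, so a missing
    # entry can only be fixed by the provider on the node.
    if ! awk '$NF == "fuse" { found = 1 } END { exit !found }' \
            "$fs_file" 2>/dev/null; then
        echo no-module
        return 1
    fi

    # Module loaded but no character device: FUSE has not been
    # enabled for this particular container.
    if [ ! -c "$dev" ]; then
        echo no-device
        return 2
    fi

    # Device present but not usable by the current user.
    if [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        echo no-access
        return 3
    fi

    echo ready
}
```

A result of `no-module` or `no-device` is something only the provider can change; `no-access` is a permissions issue inside the container.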

  • netomx Moderator, Veteran

    @Damian said: I'd imagine that providers that don't want to have customers wouldn't.

    that reminds me of a provider who promised me FUSE module to use Truecrypt and never did....

  • @netomx If you want Truecrypt shouldn't you be using VMWare/KVM etc? I don't think OpenVZ would be well suited to that or am I mistaken?

  • For some providers stability is more important than some unknown features that maybe only one person wants and they wouldn't want to load untested modules on a running server with other customers on it ;-)

  • Maounique Host Rep, Veteran
    edited October 2012

    @rchurch said: @netomx If you want Truecrypt shouldn't you be using VMWare/KVM etc? I don't think OpenVZ would be well suited to that or am I mistaken?

    Truecrypt is not suited for a VPS, period. As long as a potential attacker can freely access the memory of your VPS, they will be able to read the key sooner or later. Of course, it will not be easy.
    You could, however, keep your container there and mount it remotely. The key will not be stored anywhere outside your computer and the connection will not transfer any file, just encrypted blocks. Will be slower, tho.
    M

  • @rds100 I don't think sshfs using FUSE is an untested technology. It's been around for quite a long time. I remember using it in 2006 or 2007.

    @maounique I understand the security concerns, but can it work on OpenVZ, ie Truecrypt?

  • @maounique last time I checked, security wasn't an absolute...

  • Maounique Host Rep, Veteran
    edited October 2012

    @rchurch said: I understand the security concerns, but can it work on OpenVZ, ie Truecrypt?

    In theory, everything can work in OVZ, just need to recompile the kernel (since OVZ only has one kernel, I am talking about the one on the node) or add the necessary modules.
    I was actually arguing about tc on a machine whose memory a potential attacker can read. Tc keeps the keys in memory and it is not that hard to get them, especially if you are running simple AES and not a cascading encryption. On a VPS it makes no sense not to run a cascading algorithm because the speed will be limited by the connection, not the encryption/decryption speed. It will still not be too hard to get the key.
    @craigb of course, however, if ppl go to such lengths to encrypt things, it had better be good. Good means hard enough to be impractical for any existing attacker and for possible foreseeable maximal resources attacker for a few years to come.
    M

  • @Maounique Is the memory on OpenVZ only readable by the administrator on the node, or is it easy to read from other VMs on the node? Is hacking OpenVZ much easier than rocket science?

  • Maounique Host Rep, Veteran

    Everything can be hacked if the vulnerability exists. Everything is vulnerable, just nobody thought yet where and how to exploit the vulnerability.
    That being said, only the admin should be able to read the memory of random containers/vms.
    This is why it is called virtual private server. It is private even tho virtual.
    In theory, OVZ should be easier to hack into another container because once you escalate privileges entering another container is trivial, while on KVM, even the admin would have a serious problem reading your data, especially if encrypted.
    M

  • @craigb said: @maounique last time I checked, security wasn't an absolute...

    The question is: Who do you want to protect yourself from using Truecrypt? It only provides protection against people who have access to your filesystem. And people that have such access will also have access to the truecrypt files (if the container is mounted) or to the RAM (if they have root access).

  • @gsrdgrdghd The question is: Who do you want to protect yourself from using Truecrypt?

    Indeed. The other ones are 'what are you trying to protect?', 'what's the downside if your protection failed?', 'will you leave the TC volume mounted for long periods of time?', 'does attribution matter if you get pwn'd?' etc etc.

    I didn't see any of those questions getting asked - just a blanket statement...

  • Maounique Host Rep, Veteran

    I am only suggesting to use TC remotely AS STORAGE MEDIUM FOR THE CONTAINER ONLY, not mount it on the VPS. You can mount it on your computer using the VPS only as the FS on which the container is stored.
    An attacker controlling the VPS will not have access to anything without knowing the password, even if it is the admin.
    M

  • @maounique you wrote "Truecrypt is not suited for a VPS period." without asking the OP any questions about use case...

  • Maounique Host Rep, Veteran

    Ah, yeah, I said that because if you expose machine's memory and the container is mounted locally, TC is useless in protecting your data, and if you go to such lengths as using TC, then probably there is a reason for which SSH only access should not be safe enough. Whom would you need to defend against then, if not the admin?
    If I want to keep my data private and not fear the admin can be "convinced" to convey it to someone else, then I just store it there and access it through scp, for instance. If I need TC, then probably I need to defend against the admins and whoever might pressure them to give out my data. If I do so using TC and mount the container locally as most ppl would do, then that is not much protection, especially if I am using non-cascading algorithms.
    M

  • @maounique good points but still too black and white IMHO. Think of the VPS tenant that wants to store media content they'd prefer their provider not to pick up during a nightly find(1). Or the person that uses TC to make tampering of their files harder (or even backups of log files). There's a bunch of reasons and admins/providers/remote attackers/govs are at different levels of sophistication when it comes to stealing keys or copying data that's temporarily available in a VM. So it boils down to what assurance you need....which brings us back to use cases and the shades of grey that is real life...

  • Maounique Host Rep, Veteran

    If I use TC, then I am really afraid. Otherwise I would just store them in an encrypted archive of sorts. That should defend against admins, will just unpack when I need and then delete. Sure, not on the same FS, will mount the VPS and unpack on my computer.
    There are other, more standard, encryption schemes, TC is for the paranoid or the ppl that really have their lives at stake. Diskcryptor and all the clones included.
    M

  • @maounique said: "If I use TC, then I am really afraid" <-- yup, so you just defined your use case... :)
