# AUTHOR , YEAR.
#
# neb , 2011.
msgid ""
msgstr ""
"Project-Id-Version: Fedora Virtualization Guide\n"
"POT-Creation-Date: 2011-03-02T01:07:52\n"
"PO-Revision-Date: 2011-05-27 19:36+0000\n"
"Last-Translator: elsupergomez \n"
"Language-Team: Spanish (Castilian) \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: es\n"
"Plural-Forms: nplurals=2; plural=(n != 1)\n"

#. Tag: title
#, no-c-format
msgid "Security for virtualization"
msgstr "Seguridad para virtualización"

#. Tag: para
#, no-c-format
msgid ""
"When deploying virtualization technologies on your corporate infrastructure,"
" you must ensure that the host cannot be compromised. The host is a Fedora "
"system that manages the system, devices, memory and networks as well as all "
"virtualized guests. If the host is insecure, all guests in the system are "
"vulnerable. There are several ways to enhance security on systems using "
"virtualization. You or your organization should create a "
"Deployment Plan that contains the operating specifications,"
" specifies which services are needed on your virtualized guests and host "
"servers, and states what support is required for these services. Here are a "
"few security issues to consider while developing a deployment plan:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run only necessary services on hosts. The fewer processes and services "
"running on the host, the higher the level of security and performance."
msgstr ""
"Ejecute sólo los servicios necesarios en los hosts. Entre menos procesos y "
"servicios se estén ejecutando en el host, mayor será el nivel de seguridad y "
"rendimiento."

#. Tag: para
#, no-c-format
msgid ""
"Enable SELinux on the hypervisor. See the section SELinux and virtualization "
"for more information on using SELinux and virtualization."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Use a firewall to restrict traffic to dom0. You can set up a firewall with "
"default-reject rules that will help secure dom0 against attacks. It is also "
"important to limit network facing services."
msgstr ""
"Utilice un cortafuegos para limitar el tráfico a dom0. Puede establecer un "
"cortafuegos con reglas de rechazo predeterminadas que ayuden a proteger "
"dom0 de ataques. También es importante limitar los servicios expuestos a la "
"red."

#. Tag: para
#, no-c-format
msgid ""
"Do not allow normal users to access dom0. If you do permit normal users dom0"
" access, you run the risk of rendering dom0 vulnerable. Remember, dom0 is "
"privileged, and granting access to unprivileged accounts may compromise the "
"level of security."
msgstr ""
"No permita que usuarios normales tengan acceso a dom0. Si permite que los "
"usuarios normales tengan acceso a dom0, se corre el riesgo de aumentar la "
"vulnerabilidad de dom0. Recuerde, dom0 es privilegiado y otorgar acceso a "
"cuentas sin privilegios puede comprometer el nivel de seguridad."

#. Tag: title
#, no-c-format
msgid "Storage security issues"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"In certain circumstances, administrators of virtualized guests can change "
"the partitions the host boots from. To prevent this, administrators should "
"follow these recommendations:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The host should not use disk labels to identify file systems in the "
"fstab file, the initrd file or on "
"the kernel command line if less privileged users, especially virtualized "
"guests, have write access to whole partitions or LVM volumes."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Guests should not be given write access to whole disks or block devices (for "
"example, /dev/sdb). Use partitions (for example, "
"/dev/sdb1) or LVM volumes."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux and virtualization"
msgstr "SELinux y virtualización"

#. Tag: para
#, no-c-format
msgid "Security Enhanced Linux was developed by the"
msgstr ""

#. Tag: orgname
#, no-c-format
msgid "NSA"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"with assistance from the Linux community to provide stronger security for "
"Linux. SELinux limits an attacker's abilities and works to prevent many "
"common security exploits such as buffer overflow attacks and privilege "
"escalation. Because of these benefits, all Fedora systems should run with "
"SELinux enabled and in enforcing mode."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"SELinux prevents guest images from loading if SELinux is enabled and the "
"images are not in the correct directory. SELinux requires that all guest "
"images are stored in /var/lib/libvirt/images."
msgstr ""
"SELinux impide la carga de imágenes de huésped, si SELinux está habilitado "
"y las imágenes no están en el directorio correcto. SELinux requiere que "
"todas las imágenes sean almacenadas en "
"/var/lib/libvirt/images."

#. Tag: title
#, no-c-format
msgid "Adding LVM based storage with SELinux in enforcing mode"
msgstr ""
"Adición de almacenamiento basado en LVM con SELinux en modo impositivo."

#. Tag: para
#, no-c-format
msgid ""
"The following section is an example of adding a logical volume to a "
"virtualized guest with SELinux enabled. These instructions also work for "
"hard drive partitions."
msgstr ""
"La siguiente sección es un ejemplo de la adición de un volumen lógico a un "
"huésped virtualizado con SELinux habilitado. Estas instrucciones también se "
"aplican a particiones de disco duro."

#. Tag: title
#, no-c-format
msgid ""
"Creating and mounting a logical volume on a virtualized guest with SELinux "
"enabled"
msgstr ""
"Creación y montaje de un volumen lógico en un huésped virtualizado con "
"SELinux habilitado."

#. Tag: para
#, no-c-format
msgid ""
"Create a logical volume. This example creates a 5 gigabyte logical volume "
"named NewVolumeName on the volume group named "
"volumegroup."
msgstr ""
"Cree un volumen lógico. Este ejemplo crea un volumen lógico de 5 GB "
"denominado NewVolumeName en el grupo de volumen "
"denominado volumegroup."

#. Tag: screen
#, no-c-format
msgid "# lvcreate -n NewVolumeName -L 5G volumegroup\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Format the NewVolumeName logical volume with a file "
"system that supports extended attributes, such as ext3."
msgstr ""
"Dé formato al volumen lógico NewVolumeName con un "
"sistema de archivos que soporte atributos extendidos, tales como ext3."

#. Tag: screen
#, no-c-format
msgid "# mke2fs -j /dev/volumegroup/NewVolumeName\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Create a new directory for mounting the new logical volume. This directory "
"can be anywhere on your file system. It is advised not to put it in "
"important system directories (/etc, "
"/var, /sys) or in home directories"
" (/home or /root). This example "
"uses a directory called /virtstorage."
msgstr ""
"Cree un nuevo directorio para montar el nuevo volumen lógico. Este "
"directorio puede estar en cualquier parte de su sistema de archivos. Se "
"recomienda no ponerlo en directorios de sistema importantes "
"(/etc, /var, "
"/sys) ni en directorios principales "
"(/home o /root). Este ejemplo "
"utiliza un directorio llamado /virtstorage."

#. Tag: screen
#, no-c-format
msgid "# mkdir /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Mount the logical volume."
msgstr "Monte el volumen lógico."

#. Tag: screen
#, no-c-format
msgid "# mount /dev/volumegroup/NewVolumeName /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Set the correct SELinux type for the libvirt image folder."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# semanage fcontext -a -t virt_image_t \"/virtstorage(/.*)?\"\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"If the targeted policy is used (targeted is the default policy) the command "
"appends a line to the "
"/etc/selinux/targeted/contexts/files/file_contexts.local"
" file which makes the change persistent. The appended line may resemble "
"this:"
msgstr ""
"Si se utiliza la política targeted (la predeterminada), el comando añadirá "
"una línea al archivo "
"/etc/selinux/targeted/contexts/files/file_contexts.local,"
" lo cual hace el cambio persistente. La línea añadida puede ser similar a "
"ésta:"

#. Tag: screen
#, no-c-format
msgid "/virtstorage(/.*)? system_u:object_r:virt_image_t:s0\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run the restorecon command to change the type of the mount point "
"(/virtstorage) and all files under it to "
"virt_image_t (the restorecon and "
"setfiles commands read the files in "
"/etc/selinux/targeted/contexts/files/)."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# restorecon -R -v /virtstorage\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Testing new attributes"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Create a new file (using the touch command) on the file "
"system."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# touch /virtstorage/newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Verify the file has been relabeled using the following command:"
msgstr ""

#. Tag: screen
#, no-c-format
msgid ""
"# sudo ls -Z /virtstorage\n"
"-rw-------. root root system_u:object_r:virt_image_t:s0 newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The output shows that the new file has the correct SELinux type, "
"virt_image_t."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"This section contains topics to consider when using SELinux with your "
"virtualization deployment. When you deploy system changes or add devices, "
"you must update your SELinux policy accordingly. To configure an LVM volume "
"for a guest, you must modify the SELinux context for the respective "
"underlying block device and volume group."
msgstr ""
"Esta sección contiene información que debe tenerse en cuenta cuando se "
"utilice SELinux con su implementación de virtualización. Cuando se "
"implementan los cambios del sistema o se añaden dispositivos, se debe "
"actualizar la política de SELinux en consecuencia. Para configurar un "
"volumen LVM para un huésped, se debe modificar el contexto SELinux para el "
"dispositivo de bloque y el grupo de volumen respectivos."

#. Tag: screen
#, no-c-format
msgid ""
"# semanage fcontext -a -t virt_image_t -f -b /dev/sda2\n"
"# restorecon /dev/sda2\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM and SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"There are several SELinux Booleans which affect KVM and libvirt. These "
"Booleans are listed below for your convenience."
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM SELinux Booleans"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "SELinux Boolean"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "Description"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "allow_unconfined_qemu_transition"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM guests can be transitioned "
"to unconfined users."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_full_network"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls full network access to KVM guests."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_cifs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean controls KVM's access to CIFS or Samba file "
"systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_comm"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM can access serial or "
"parallel communications ports."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_nfs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls KVM's access to NFS file systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_usb"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean allows KVM to access and use USB devices with "
"passthrough."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Virtualization firewall information"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Various ports are used for communication between virtualized guests and "
"management utilities."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Guest network services"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Any network service on a virtualized guest must have the applicable ports "
"open on the guest to allow external access. If a network service on a guest "
"is firewalled it will be inaccessible. Always verify the guest's network "
"configuration first."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"ICMP requests must be accepted. ICMP packets are used for network testing. "
"You cannot ping guests if ICMP packets are blocked."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Port 22 should be open for SSH access and the initial installation."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 80 or 443 (depending on the security settings on the RHEV Manager) are"
" used by the vdsm-reg service to communicate information about the host."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 5634 to 6166 are used for guest console access with the SPICE "
"protocol."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 49152 to 49216 are used for migrations with KVM. Migration may use any"
" port in this range depending on the number of concurrent migrations "
"occurring."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Enabling IP forwarding (net.ipv4.ip_forward = "
"1) is also required for shared bridges and the default "
"bridge. Note that installing libvirt enables this variable, so it will be "
"enabled when the virtualization packages are installed unless it was "
"manually disabled."
msgstr ""
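# Added example, not part of the Fedora Virtualization Guide or its
# translation: a POSIX shell check that generalises the "Testing new
# attributes" step above to a whole image directory. It parses `ls -Z`
# output (a constructed sample is embedded; the function name and the
# listing variables are assumptions) and lists every entry whose SELinux
# type is not virt_image_t, so a mislabeled image is caught before a guest
# fails to start.

```shell
# Added example, not from the Fedora Virtualization Guide: scan `ls -Z`
# output for entries whose SELinux type is not virt_image_t. The context
# column has the form user:role:type:level, as in the guide's sample output.
check_virt_labels() {
    # $1: text of an `ls -Z` listing. Prints each mislabeled name on its
    # own line; returns 0 if every entry is virt_image_t, 1 otherwise.
    _bad=0
    while read -r _mode _user _group _ctx _name; do
        [ -n "$_name" ] || continue          # skip blank or short lines
        _type=${_ctx#*:*:}                   # strip SELinux user and role
        _type=${_type%%:*}                   # strip the MLS/MCS level
        if [ "$_type" != "virt_image_t" ]; then
            printf '%s\n' "$_name"
            _bad=1
        fi
    done <<EOF
$1
EOF
    return $_bad
}

# Constructed sample listing: the guide's newfile plus an image that was
# moved in with mv, which keeps the file's old default_t label instead of
# picking up virt_image_t from the directory's fcontext rule.
SAMPLE_LISTING='-rw-------. root root system_u:object_r:virt_image_t:s0 newfile
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 copied.img'

# Constructed listing of a directory where restorecon -R has already run.
GOOD_LISTING='-rw-------. root root system_u:object_r:virt_image_t:s0 guest1.img
-rw-------. root root system_u:object_r:virt_image_t:s0 guest2.img'

check_virt_labels "$SAMPLE_LISTING" || echo "mislabeled entries: run restorecon -R on the image directory"
```

On a live host, feed it the real listing with `check_virt_labels "$(ls -Z /virtstorage)"`; any name it prints is a file that restorecon has not yet relabeled.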