# AUTHOR , YEAR.
#
# neb , 2011.
msgid ""
msgstr ""
"Project-Id-Version: Fedora Virtualization Guide\n"
"POT-Creation-Date: 2011-03-02T01:07:52\n"
"PO-Revision-Date: 2011-06-29 22:53+0000\n"
"Last-Translator: perplex \n"
"Language-Team: Italian \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: it\n"
"Plural-Forms: nplurals=2; plural=(n != 1)\n"

#. Tag: title
#, no-c-format
msgid "Security for virtualization"
msgstr "Sicurezza per la virtualizzazione"

#. Tag: para
#, no-c-format
msgid ""
"When deploying virtualization technologies on your corporate infrastructure, "
"you must ensure that the host cannot be compromised. The host is a Fedora "
"system that manages the system, devices, memory and networks as well as all "
"virtualized guests. If the host is insecure, all guests in the system are "
"vulnerable. There are several ways to enhance security on systems using "
"virtualization. You or your organization should create a Deployment Plan "
"containing the operating specifications, specifying which services are "
"needed on your virtualized guests and host servers and what support is "
"required for these services. Here are a few security issues to consider "
"while developing a deployment plan:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run only necessary services on hosts. The fewer processes and services "
"running on the host, the higher the level of security and performance."
msgstr ""
"Eseguire solo i servizi necessari sugli host. Minore è il numero di compiti "
"e servizi in esecuzione presenti all'interno dell'host, più elevato è il "
"livello di sicurezza e delle prestazioni."

#. Tag: para
#, no-c-format
msgid ""
"Enable SELinux on the hypervisor. See the section on SELinux and "
"virtualization for more information on using SELinux with virtualization."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Use a firewall to restrict traffic to dom0. You can set up a firewall with "
"default-reject rules that help protect dom0 against attacks. It is also "
"important to limit network-facing services."
msgstr ""
"Utilizzate un firewall per limitare il traffico per il dom0. È possibile "
"impostare un firewall con regole default-reject il quale assicura una "
"protezione del dom0. È altresì importante limitare l'esposizione della rete "
"ai servizi."

#. Tag: para
#, no-c-format
msgid ""
"Do not allow normal users to access dom0. If you do permit normal users dom0 "
"access, you run the risk of rendering dom0 vulnerable. Remember, dom0 is "
"privileged, and granting access to unprivileged accounts may compromise the "
"level of security."
msgstr ""
"Non permettete ad utenti normali di accedere al dom0. Se abilitate il loro "
"accesso potrete correre il rischio di rendere dom0 vulnerabile. Ricordate, "
"dom0 risulta essere privilegiato e conferire account non privilegiati "
"potrebbe compromettere il livello di sicurezza."

#. Tag: title
#, no-c-format
msgid "Storage security issues"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Administrators of virtualized guests can change the partitions the host "
"boots from in certain circumstances. To prevent this, administrators should "
"follow these recommendations:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The host should not use disk labels to identify file systems in the "
"fstab file, the initrd file or on the kernel command line if less "
"privileged users, especially virtualized guests, have write access to whole "
"partitions or LVM volumes."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Guests should not be given write access to whole disks or block devices (for "
"example, /dev/sdb). Use partitions (for example, /dev/sdb1) or LVM volumes."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux and virtualization"
msgstr "SELinux e virtualizzazione"

#. Tag: para
#, no-c-format
msgid "Security Enhanced Linux was developed by the"
msgstr ""

#. Tag: orgname
#, no-c-format
msgid "NSA"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"with assistance from the Linux community to provide stronger security for "
"Linux. SELinux limits an attacker's abilities and works to prevent many "
"common security exploits such as buffer overflow attacks and privilege "
"escalation. Because of these benefits, all Fedora systems should run with "
"SELinux enabled and in enforcing mode."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"SELinux prevents guest images from loading if SELinux is enabled and the "
"images are not in the correct directory. SELinux requires that all guest "
"images are stored in /var/lib/libvirt/images."
msgstr ""
"SELinux impedisce il caricamento delle immagini del guest se SELinux è stato"
" abilitato e le immagini non sono presenti nella directory corretta. Con "
"SELinux tutte le immagini devono essere conservate in "
"/var/lib/libvirt/images."

#. Tag: title
#, no-c-format
msgid "Adding LVM based storage with SELinux in enforcing mode"
msgstr ""
"Come aggiungere uno storage basato su LVM con SELinux in modalità enforcing"

#. Tag: para
#, no-c-format
msgid ""
"The following section is an example of adding a logical volume to a "
"virtualized guest with SELinux enabled. These instructions also work for "
"hard drive partitions."
msgstr ""
"La seguente sezione è un esempio su come aggiungere un volume logico ad un "
"guest virtualizzato con SELinux abilitato. Queste informazioni possono "
"essere utili anche per le partizioni dell'hard drive."

#. Tag: title
#, no-c-format
msgid ""
"Creating and mounting a logical volume on a virtualized guest with SELinux "
"enabled"
msgstr ""
"Creazione e montaggio di un volume logico su di un guest virtualizzato con "
"SELinux abilitato"

#. Tag: para
#, no-c-format
msgid ""
"Create a logical volume. This example creates a 5 gigabyte logical volume "
"named NewVolumeName on the volume group named volumegroup."
msgstr ""
"Create un volume logico. In questo esempio viene creato un volume logico di "
"5GB chiamato NewVolumeName sul gruppo di volumi "
"volumegroup."

#. Tag: screen
#, no-c-format
msgid "# lvcreate -n NewVolumeName -L 5G volumegroup\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Format the NewVolumeName logical volume with a file system that supports "
"extended attributes, such as ext3."
msgstr ""
"Formattate il volume logico NewVolumeName con un file"
" system in grado di supportare gli attributi estesi come ad esempio ext3."

#. Tag: screen
#, no-c-format
msgid "# mke2fs -j /dev/volumegroup/NewVolumeName\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Create a new directory for mounting the new logical volume. This directory "
"can be anywhere on your file system. It is advised not to put it in "
"important system directories (/etc, /var, /sys) or in home directories "
"(/home or /root). This example uses a directory called /virtstorage."
msgstr ""
"Create una nuova directory per il montaggio del nuovo volume logico. Questa "
"directory può essere posizionata in qualsiasi luogo del file system. È "
"consigliato non conservarla all'interno di directory molto importanti "
"(/etc, /var, /sys) o nelle home directory (/home o /root). In questo "
"esempio viene usata una directory chiamata /virtstorage"

#. Tag: screen
#, no-c-format
msgid "# mkdir /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Mount the logical volume."
msgstr "Come montare un volume logico."

#. Tag: screen
#, no-c-format
msgid "# mount /dev/volumegroup/NewVolumeName /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Set the correct SELinux type for the libvirt image folder."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# semanage fcontext -a -t virt_image_t \"/virtstorage(/.*)?\"\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"If the targeted policy is used (targeted is the default policy) the command "
"appends a line to the "
"/etc/selinux/targeted/contexts/files/file_contexts.local file, which makes "
"the change persistent. The appended line may resemble this:"
msgstr ""
"Se utilizzate la targeted policy (targeted è la politica predefinita) il "
"comando aggiungerà una riga sul file "
"/etc/selinux/targeted/contexts/files/file_contexts.local"
" rendendo la modifica persistente. La riga potrebbe somigliare alla "
"seguente:"

#. Tag: screen
#, no-c-format
msgid "/virtstorage(/.*)? system_u:object_r:virt_image_t:s0\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run the following command to change the type of the mount point "
"(/virtstorage) and all files under it to virt_image_t (the restorecon and "
"setfiles commands read the files in "
"/etc/selinux/targeted/contexts/files/)."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# restorecon -R -v /virtstorage\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Testing new attributes"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Create a new file (using the touch command) on the file system."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# touch /virtstorage/newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Verify the file has been relabeled using the following command:"
msgstr ""

#. Tag: screen
#, no-c-format
msgid ""
"# sudo ls -Z /virtstorage\n"
"-rw-------. root root system_u:object_r:virt_image_t:s0 newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The output shows that the new file has the correct attribute, virt_image_t."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"This section contains topics to consider when using SELinux with your "
"virtualization deployment. When you deploy system changes or add devices, "
"you must update your SELinux policy accordingly. To configure an LVM volume "
"for a guest, you must modify the SELinux context for the respective "
"underlying block device and volume group."
msgstr ""
"Questa sezione contiene le informazioni da considerare durante l'utilizzo di"
" SELinux con l'utilizzo della virtualizzazione. Quando implementate alcune "
"modifiche che riguardano il sistema oppure desiderate aggiungere alcuni "
"dispositivi, sarà necessario aggiornare di conseguenza la vostra politica "
"SELinux. Per configurare un volume LVM per un guest è necessario modificare "
"il contesto di SELinux per il dispositivo a blocchi sottostante e per il "
"gruppo di volumi corrispondenti."

#. Tag: screen
#, no-c-format
msgid ""
"# semanage fcontext -a -t virt_image_t -f -b /dev/sda2\n"
"# restorecon /dev/sda2\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM and SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"There are several SELinux Booleans which affect KVM and libvirt. These "
"Booleans are listed below for your convenience."
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM SELinux Booleans"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "SELinux Boolean"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "Description"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "allow_unconfined_qemu_transition"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM guests can be transitioned "
"to unconfined users."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_full_network"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls full network access to KVM guests."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_cifs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean controls KVM's access to CIFS or Samba file "
"systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_comm"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM can access serial or "
"parallel communications ports."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_nfs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls KVM's access to NFS file systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_usb"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean allows KVM to access and use passthrough with USB "
"devices."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Virtualization firewall information"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Various ports are used for communication between virtualized guests and "
"management utilities."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Guest network services"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Any network service on a virtualized guest must have the applicable ports "
"open on the guest to allow external access. If a network service on a guest "
"is firewalled it will be inaccessible. Always verify the guest's network "
"configuration first."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"ICMP requests must be accepted. ICMP packets are used for network testing. "
"You cannot ping guests if ICMP packets are blocked."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Port 22 should be open for SSH access and the initial installation."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 80 or 443 (depending on the security settings on the RHEV Manager) are "
"used by the vdsm-reg service to communicate information about the host."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 5634 to 6166 are used for guest console access with the SPICE "
"protocol."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 49152 to 49216 are used for migrations with KVM. Migration may use any "
"port in this range depending on the number of concurrent migrations "
"occurring."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Enabling IP forwarding (net.ipv4.ip_forward = 1) is also required for shared "
"bridges and the default bridge. Note that installing libvirt enables this "
"variable, so it will be enabled when the virtualization packages are "
"installed unless it was manually disabled."
msgstr ""
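As an added example (not part of the Fedora guide or its translation), the POSIX shell script below implements two offline checks for the relabelling procedure in the LVM storage section: whether a file_contexts spec like the one semanage writes actually covers the mount point (a spec written for one directory leaves a differently named mount unlabelled), and whether an `ls -Z` listing contains entries whose type is not virt_image_t. The listing it parses is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Fedora guide: two offline checks for the
# relabelling steps described above. Sample inputs below are constructed.

# Does a file_contexts.local spec cover a given path? restorecon/setfiles
# anchor specs at both ends, so the same anchoring is applied here.
spec_covers_path() {
    spec=$1; path=$2
    printf '%s\n' "$path" | grep -Eq "^${spec}\$"
}

# Read `ls -Z` output on stdin and print every entry whose SELinux type
# differs from the wanted one (an image SELinux would stop the guest from
# loading). Exit status 0 when all entries match, 1 when at least one does not.
mislabeled_entries() {
    awk -v want="$1" '
        {
            ctx_field = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx_field = $i; break }
            if (ctx_field == "") next          # no security context on this line
            split(ctx_field, ctx, ":")         # user:role:type:level
            if (ctx[3] != want) { print $NF " has type " ctx[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed listing: one correctly labelled image and one stray file that
# kept the default type because it was copied in before restorecon ran.
SAMPLE_LISTING='-rw-------. root root system_u:object_r:virt_image_t:s0 newfile
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 stray.img'

check_sample_listing() {
    printf '%s\n' "$SAMPLE_LISTING" | mislabeled_entries virt_image_t
}

# The spec must match the mount point it is meant to label; a spec written
# for /virtualization would leave a /virtstorage mount untouched.
spec_covers_path '/virtstorage(/.*)?' /virtstorage/newfile && echo "spec covers /virtstorage/newfile"
spec_covers_path '/virtualization(/.*)?' /virtstorage/newfile || echo "spec does not cover /virtstorage/newfile"
check_sample_listing || echo "relabel needed: run restorecon -R -v /virtstorage"
```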