# AUTHOR , YEAR.
#
# neb , 2011.
msgid ""
msgstr ""
"Project-Id-Version: Fedora Virtualization Guide\n"
"POT-Creation-Date: 2011-03-02T01:07:52\n"
"PO-Revision-Date: 2011-03-22 16:30+0000\n"
"Last-Translator: neb \n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: ko_KR\n"
"Plural-Forms: nplurals=1; plural=0\n"

#. Tag: title
#, no-c-format
msgid "Security for virtualization"
msgstr "가상화 보안 "

#. Tag: para
#, no-c-format
msgid ""
"When deploying virtualization technologies on your corporate infrastructure, "
"you must ensure that the host cannot be compromised. The host is a Fedora "
"system that manages the system, devices, memory and networks as well as all "
"virtualized guests. If the host is insecure, all guests in the system are "
"vulnerable. There are several ways to enhance security on systems using "
"virtualization. You or your organization should create a Deployment Plan "
"containing the operating specifications and specifying which services are "
"needed on your virtualized guests and host servers, as well as what support "
"is required for these services. Here are a few security issues to consider "
"while developing a deployment plan:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run only necessary services on hosts. The fewer processes and services "
"running on the host, the higher the level of security and performance."
msgstr ""
"호스트에서 필요한 서비스만 실행합니다. 호스트에서 실행 중인 프로세스 및 서비스가 적은 만큼 보안 및 성능 수준이 높아집니다. "

#. Tag: para
#, no-c-format
msgid ""
"Enable SELinux on the hypervisor. Read for more information on using SELinux "
"and virtualization."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Use a firewall to restrict traffic to dom0. You can set up a firewall with "
"default-reject rules that will help secure dom0 against attacks. It is also "
"important to limit network facing services."
msgstr ""
"방화벽을 사용하여 dom0에서의 소통량을 제한합니다. default-reject 규칙을 사용하여 방화벽을 설정하면 dom0 공격에 대한 "
"보안을 강화할 수 있습니다. 또한 서비스에 대한 네트워크도 제한합니다. "

#. Tag: para
#, no-c-format
msgid ""
"Do not allow normal users to access dom0. If you do permit normal users dom0 "
"access, you run the risk of rendering dom0 vulnerable. Remember, dom0 is "
"privileged, and granting unprivileged accounts access may compromise the "
"level of security."
msgstr ""
"일반 사용자가 dom0에 접속하지 못하도록 설정합니다. 일반 사용자가 dom0에 접속하게 하면, dom0를 위험에 노출시키게 됩니다. "
"dom0는 권한을 가진 도메인으로 비권한 계정을 허용할 경우 보안 수준을 위협할 수도 있습니다. "

#. Tag: title
#, no-c-format
msgid "Storage security issues"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Administrators of virtualized guests can change the partitions the host "
"boots in certain circumstances. To prevent this, administrators should "
"follow these recommendations:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The host should not use disk labels to identify file systems in the fstab "
"file, the initrd file or on the kernel command line, especially if less "
"privileged users, in particular virtualized guests, have write access to "
"whole partitions or LVM volumes."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Guests should not be given write access to whole disks or block devices (for "
"example, /dev/sdb). Use partitions (for example, /dev/sdb1) or LVM volumes."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux and virtualization"
msgstr "SELinux 및 가상화 "

#. Tag: para
#, no-c-format
msgid "Security Enhanced Linux was developed by the"
msgstr ""

#. Tag: orgname
#, no-c-format
msgid "NSA"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"with assistance from the Linux community to provide stronger security for "
"Linux. SELinux limits an attacker's abilities and works to prevent many "
"common security exploits such as buffer overflow attacks and privilege "
"escalation. It is because of these benefits that all Fedora systems should "
"run with SELinux enabled and in enforcing mode."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"SELinux prevents guest images from loading if SELinux is enabled and the "
"images are not in the correct directory. SELinux requires that all guest "
"images are stored in /var/lib/libvirt/images."
msgstr ""
"SELinux가 활성화되어 있고 이미지가 올바른 디렉토리에 있지 않을 경우 SELinux는 게스트 이미지를 불러오지 못하게 합니다. "
"SELinux에서는 모든 게스트 이미지가 /var/lib/libvirt/images에 저장되어 "
"있어야 합니다. "

#. Tag: title
#, no-c-format
msgid "Adding LVM based storage with SELinux in enforcing mode"
msgstr "SELinux를 강제 모드로 설정하고 LVM 기반 저장 장치 추가 "

#. Tag: para
#, no-c-format
msgid ""
"The following section is an example of adding a logical volume to a "
"virtualized guest with SELinux enabled. These instructions also work for "
"hard drive partitions."
msgstr ""
"다음 부분에는 SELinux를 활성화하여 가상 게스트에 논리 볼륨을 추가하는 예제가 있습니다. 이러한 지시 사항은 하드 드라이브 파티션의"
" 경우에도 작동합니다. "

#. Tag: title
#, no-c-format
msgid ""
"Creating and mounting a logical volume on a virtualized guest with SELinux "
"enabled"
msgstr "SELinux를 활성화하여 가상 게스트에 논리 볼륨을 생성 및 마운트하기 "

#. Tag: para
#, no-c-format
msgid ""
"Create a logical volume. This example creates a 5 gigabyte logical volume "
"named NewVolumeName on the volume group named volumegroup."
msgstr ""
"논리 볼륨을 생성합니다. 이 예제에서는 volumegroup이라는 볼륨 그룹에 "
"NewVolumeName이라는 5 기가 바이트의 논리 볼륨을 생성하고 있습니다. "

#. Tag: screen
#, no-c-format
msgid "# lvcreate -n NewVolumeName -L 5G volumegroup\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Format the NewVolumeName logical volume with a file system that supports "
"extended attributes, such as ext3."
msgstr ""
"NewVolumeName 논리 볼륨을 ext3와 같은 확장 속성을 지원하는 파일 시스템으로 "
"포맷합니다. "

#. Tag: screen
#, no-c-format
msgid "# mke2fs -j /dev/volumegroup/NewVolumeName\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Create a new directory for mounting the new logical volume. This directory "
"can be anywhere on your file system. It is advised not to put it in "
"important system directories (/etc, /var, /sys) or in home directories "
"(/home or /root). This example uses a directory called /virtstorage."
msgstr ""
"새 논리 볼륨을 마운트하기 위해 새 디렉토리를 생성합니다. 이 디렉토리는 파일 시스템 상의 어디에나 위치할 수 있습니다. 하지만 이를 "
"중요한 시스템 디렉토리 (/etc, /var, "
"/sys) 또는 홈 디렉토리 (/home 또는 "
"/root)에 배치하지 않는 것이 좋습니다. 이 예제에서는 "
"/virtstorage라는 디렉토리를 사용하고 있습니다. "

#. Tag: screen
#, no-c-format
msgid "# mkdir /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Mount the logical volume."
msgstr "논리 볼륨을 마운트합니다. "

#. Tag: screen
#, no-c-format
msgid "# mount /dev/volumegroup/NewVolumeName /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Set the correct SELinux type for the libvirt image folder."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# semanage fcontext -a -t virt_image_t \"/virtstorage(/.*)?\"\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"If the targeted policy is used (targeted is the default policy) the command "
"appends a line to the "
"/etc/selinux/targeted/contexts/files/file_contexts.local file, which makes "
"the change persistent. The appended line may resemble this:"
msgstr ""
"targeted 정책을 사용할 경우 (targeted는 기본값 정책임) 명령은 "
"/etc/selinux/targeted/contexts/files/file_contexts.local"
" 파일에 행을 추가하여 변경 사항을 영구화할 수 있습니다. 추가되는 행은 다음과 유사합니다: "

#. Tag: screen
#, no-c-format
msgid "/virtstorage(/.*)? system_u:object_r:virt_image_t:s0\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run the command to change the type of the mount point (/virtstorage) and "
"all files under it to virt_image_t (the restorecon and setfiles commands "
"read the files in /etc/selinux/targeted/contexts/files/)."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# restorecon -R -v /virtstorage\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Testing new attributes"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Create a new file (using the touch command) on the file system."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# touch /virtstorage/newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Verify the file has been relabeled using the following command:"
msgstr ""

#. Tag: screen
#, no-c-format
msgid ""
"# sudo ls -Z /virtstorage\n"
"-rw-------. root root system_u:object_r:virt_image_t:s0 newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The output shows that the new file has the correct attribute, virt_image_t."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"This section contains topics to consider when using SELinux with your "
"virtualization deployment. When you deploy system changes or add devices, "
"you must update your SELinux policy accordingly. To configure an LVM volume "
"for a guest, you must modify the SELinux context for the respective "
"underlying block device and volume group."
msgstr ""
"다음 부분에서는 SELinux를 가상화 환경에 구현할 때 반드시 고려해야 할 사항들을 다루고 있습니다. 시스템을 변경하거나 장치를 추가할"
" 때, 이에 따라 SELinux 정책을 업데이트해야 합니다. 게스트 용 LVM 볼륨을 설정하려면, 각 기초 블록 장치 및 볼륨 그룹에 "
"대한 SELinux 문맥을 반드시 수정해야 합니다. "

#. Tag: screen
#, no-c-format
msgid ""
"# semanage fcontext -a -t virt_image_t -f -b /dev/sda2\n"
"# restorecon /dev/sda2\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM and SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"There are several SELinux Booleans which affect KVM and libvirt. These "
"Booleans are listed below for your convenience."
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM SELinux Booleans"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "SELinux Boolean"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "Description"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "allow_unconfined_qemu_transition"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM guests can be transitioned "
"to unconfined users."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_full_network"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls full network access to KVM guests."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_cifs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean controls KVM's access to CIFS or Samba file "
"systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_comm"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM can access serial or "
"parallel communications ports."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_nfs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls KVM's access to NFS file systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_usb"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean allows KVM to access and use passthrough with USB "
"devices."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Virtualization firewall information"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Various ports are used for communication between virtualized guests and "
"management utilities."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Guest network services"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Any network service on a virtualized guest must have the applicable ports "
"open on the guest to allow external access. If a network service on a guest "
"is firewalled, it will be inaccessible. Always verify the guest's network "
"configuration first."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"ICMP requests must be accepted. ICMP packets are used for network testing. "
"You cannot ping guests if ICMP packets are blocked."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Port 22 should be open for SSH access and the initial installation."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 80 or 443 (depending on the security settings on the RHEV Manager) are "
"used by the vdsm-reg service to communicate information about the host."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 5634 to 6166 are used for guest console access with the SPICE "
"protocol."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 49152 to 49216 are used for migrations with KVM. Migration may use any "
"port in this range depending on the number of concurrent migrations "
"occurring."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Enabling IP forwarding (net.ipv4.ip_forward = 1) is also required for shared "
"bridges and the default bridge. Note that installing libvirt enables this "
"variable, so it will be enabled when the virtualization packages are "
"installed unless it was manually disabled."
msgstr ""