# AUTHOR , YEAR.
#
# neb , 2011.
msgid ""
msgstr ""
"Project-Id-Version: Fedora Virtualization Guide\n"
"POT-Creation-Date: 2011-03-02T01:07:52\n"
"PO-Revision-Date: 2011-03-22 16:30+0000\n"
"Last-Translator: neb \n"
"Language-Team: Chinese (Taiwan) \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: zh_TW\n"
"Plural-Forms: nplurals=1; plural=0\n"

#. Tag: title
#, no-c-format
msgid "Security for virtualization"
msgstr "虛擬化的安全性"

#. Tag: para
#, no-c-format
msgid ""
"When deploying virtualization technologies on your corporate infrastructure, "
"you must ensure that the host cannot be compromised. The host is a Fedora "
"system that manages the system, devices, memory and networks as well as all "
"virtualized guests. If the host is insecure, all guests in the system are "
"vulnerable. There are several ways to enhance security on systems using "
"virtualization. You or your organization should create a Deployment Plan "
"containing the operating specifications and specifying which services are "
"needed on your virtualized guests and host servers, as well as what support "
"is required for these services. Here are a few security issues to consider "
"while developing a deployment plan:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run only necessary services on hosts. The fewer processes and services "
"running on the host, the higher the level of security and performance."
msgstr "在主機上只執行必要的服務。在主機上執行的程序與服務數量愈少,安全性與效能就愈高。"

#. Tag: para
#, no-c-format
msgid ""
"Enable SELinux on the hypervisor. Read the \"SELinux and virtualization\" "
"section for more information on using SELinux and virtualization."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Use a firewall to restrict traffic to dom0. You can set up a firewall with "
"default-reject rules that help protect dom0 from attacks. It is also "
"important to limit network-facing services."
msgstr ""
"請利用防火牆來限制 dom0 的流量。您能夠以預設的拒絕規則來設置一道防火牆,避免 dom0 受到攻擊。限制網路表面的服務其實也是很重要的。"

#. Tag: para
#, no-c-format
msgid ""
"Do not allow normal users to access dom0. If you do permit normal users dom0 "
"access, you run the risk of rendering dom0 vulnerable. Remember, dom0 is "
"privileged, and granting unprivileged accounts access to it may compromise "
"the level of security."
msgstr ""
"請不要允許一般使用者存取 dom0。假如您允許一般使用者存取 dom0 的話,這可能會危及 dom0 的安全性而且讓它變得易遭受到攻擊。請記得,dom0"
" 是有特權的,授權給無特權的帳號極可能會造成危害並且降低安全性。"

#. Tag: title
#, no-c-format
msgid "Storage security issues"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Administrators of virtualized guests can, in certain circumstances, change "
"the partitions the host boots from. To prevent this, administrators should "
"follow these recommendations:"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The host should not use disk labels to identify file systems in the "
"fstab file, the initrd file or on the kernel command line if less "
"privileged users, especially virtualized guests, have write access to whole "
"partitions or LVM volumes. A disk label can be rewritten by anyone with "
"write access to the device, so a guest could create a label that the host "
"expects and cause the host to mount or boot from the wrong partition."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Guests should not be given write access to whole disks or block devices (for "
"example, /dev/sdb). Use partitions (for example, /dev/sdb1) or LVM volumes "
"instead."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux and virtualization"
msgstr "SELinux 和虛擬化"

#. Tag: para
#, no-c-format
msgid "Security-Enhanced Linux was developed by the"
msgstr ""

#. Tag: orgname
#, no-c-format
msgid "NSA"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"with assistance from the Linux community to provide stronger security for "
"Linux. SELinux limits an attacker's abilities and works to prevent many "
"common security exploits such as buffer overflow attacks and privilege "
"escalation. It is because of these benefits that all Fedora systems should "
"run with SELinux enabled and in enforcing mode."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"SELinux prevents guest images from loading if SELinux is enabled and the "
"images are not in the correct directory. SELinux requires that all guest "
"images are stored in /var/lib/libvirt/images."
msgstr ""
"若啟用了 SELinux,它可避免客座端映像檔在位於錯誤目錄中的情況下被載入。SELinux 需要所有的客座端映像檔儲存在 "
"/var/lib/libvirt/images 中。"

#. Tag: title
#, no-c-format
msgid "Adding LVM based storage with SELinux in enforcing mode"
msgstr "新增基於 LVM 的儲存裝置,並啟用 SELinux 強制模式"

#. Tag: para
#, no-c-format
msgid ""
"The following section is an example of adding a logical volume to a "
"virtualized guest with SELinux enabled. These instructions also work for "
"hard drive partitions."
msgstr "以下部份為一個在啟用 SELinux 的情況下,將邏輯卷冊新增至虛擬客座端的範例。這些指示也適用於硬碟分割區。"

#. Tag: title
#, no-c-format
msgid ""
"Creating and mounting a logical volume on a virtualized guest with SELinux "
"enabled"
msgstr "在啟用了 SELinux 的虛擬化客座端上建立與掛載邏輯卷冊"

#. Tag: para
#, no-c-format
msgid ""
"Create a logical volume. This example creates a 5 gigabyte logical volume "
"named NewVolumeName on the volume group named volumegroup."
msgstr ""
"建立邏輯卷冊。此範例在名為 volumegroup 的卷冊群組上建立了一個 5GB 的邏輯卷冊,名為 "
"NewVolumeName。"

#. Tag: screen
#, no-c-format
msgid "# lvcreate -n NewVolumeName -L 5G volumegroup\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Format the NewVolumeName logical volume with a file system that supports "
"extended attributes, such as ext3."
msgstr "請以支援延伸屬性的檔案系統(例如 ext3)來格式化 NewVolumeName 邏輯卷冊。"

#. Tag: screen
#, no-c-format
msgid "# mke2fs -j /dev/volumegroup/NewVolumeName\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Create a new directory for mounting the new logical volume. This directory "
"can be anywhere on your file system. It is advised not to put it in "
"important system directories (/etc, /var, /sys) or in home directories "
"(/home or /root). This example uses a directory called /virtstorage."
msgstr ""
"建立新目錄來掛載新的邏輯卷冊。此目錄能夠位於您檔案系統中的任何位置上。建議您不要將它放置在重要的系統目錄中(/etc、/var、/sys)或是家目錄中(/home"
" 或 /root)。此範例使用了一個名為 /virtstorage "
"的目錄。"

#. Tag: screen
#, no-c-format
msgid "# mkdir /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Mount the logical volume."
msgstr "掛載邏輯卷冊。"

#. Tag: screen
#, no-c-format
msgid "# mount /dev/volumegroup/NewVolumeName /virtstorage\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Set the correct SELinux type for the libvirt image folder."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# semanage fcontext -a -t virt_image_t \"/virtstorage(/.*)?\"\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"If the targeted policy is used (targeted is the default policy) the command "
"appends a line to the "
"/etc/selinux/targeted/contexts/files/file_contexts.local file, which makes "
"the change persistent. The appended line may resemble this:"
msgstr ""
"若使用了目標政策(目標政策為預設政策)的話,這項指令便會附加一行至 "
"/etc/selinux/targeted/contexts/files/file_contexts.local"
" 檔案中,這將可保留變更的一致性。附加的一行看似:"

#. Tag: screen
#, no-c-format
msgid "/virtstorage(/.*)? system_u:object_r:virt_image_t:s0\n"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Run the restorecon command to change the type of the mount point "
"(/virtstorage) and all files under it to virt_image_t (the restorecon and "
"setfiles commands read the files in /etc/selinux/targeted/contexts/files/)."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# restorecon -R -v /virtstorage\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Testing new attributes"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Create a new file (using the touch command) on the file system."
msgstr ""

#. Tag: screen
#, no-c-format
msgid "# touch /virtstorage/newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Verify the file has been relabeled using the following command:"
msgstr ""

#. Tag: screen
#, no-c-format
msgid ""
"# ls -Z /virtstorage\n"
"-rw-------. root root system_u:object_r:virt_image_t:s0 newfile"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"The output shows that the new file has the correct attribute, virt_image_t."
msgstr ""

#. Tag: title
#, no-c-format
msgid "SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"This section contains topics to consider when using SELinux with your "
"virtualization deployment. When you deploy system changes or add devices, "
"you must update your SELinux policy accordingly. To configure an LVM volume "
"for a guest, you must modify the SELinux context for the respective "
"underlying block device and volume group."
msgstr ""
"此部份包含了使用 SELinux 建置虛擬化環境時,所需要思考的問題。當您建置系統變更或新增裝置時,您必須依照變更來更新您的 SElinux "
"政策。若要為客座端設定 LVM 卷冊時,您必須針對對應的區塊裝置與卷冊群組來修改 SELinux 的內容。"

#. Tag: screen
#, no-c-format
msgid ""
"# semanage fcontext -a -t virt_image_t -f -b /dev/sda2\n"
"# restorecon /dev/sda2\n"
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM and SELinux"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"There are several SELinux Booleans which affect KVM and libvirt. These "
"Booleans are listed below for your convenience."
msgstr ""

#. Tag: title
#, no-c-format
msgid "KVM SELinux Booleans"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "SELinux Boolean"
msgstr ""

#. Tag: segtitle
#, no-c-format
msgid "Description"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "allow_unconfined_qemu_transition"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM guests can be transitioned "
"to unconfined users."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_full_network"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls full network access to KVM guests."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_cifs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean controls KVM's access to CIFS or Samba file "
"systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_comm"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: off. This Boolean controls whether KVM can access serial or "
"parallel communications ports."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_nfs"
msgstr ""

#. Tag: seg
#, no-c-format
msgid "Default: on. This Boolean controls KVM's access to NFS file systems."
msgstr ""

#. Tag: seg
#, no-c-format
msgid "qemu_use_usb"
msgstr ""

#. Tag: seg
#, no-c-format
msgid ""
"Default: on. This Boolean allows KVM to access and use passthrough with USB "
"devices."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Virtualization firewall information"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Various ports are used for communication between virtualized guests and "
"management utilities."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Guest network services"
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Any network service on a virtualized guest must have the applicable ports "
"open on the guest to allow external access. If a network service on a guest "
"is firewalled it will be inaccessible. Always verify the guest's network "
"configuration first."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"ICMP requests must be accepted. ICMP packets are used for network testing. "
"You cannot ping guests if ICMP packets are blocked."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Port 22 should be open for SSH access and the initial installation."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 80 or 443 (depending on the security settings on the RHEV Manager) are "
"used by the vdsm-reg service to communicate information about the host."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 5634 to 6166 are used for guest console access with the SPICE "
"protocol."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Ports 49152 to 49216 are used for migrations with KVM. Migration may use any "
"port in this range depending on the number of concurrent migrations "
"occurring."
msgstr ""

#. Tag: para
#, no-c-format
msgid ""
"Enabling IP forwarding (net.ipv4.ip_forward = 1) is also required for shared "
"bridges and the default bridge. Note that installing libvirt enables this "
"variable, so it will be enabled when the virtualization packages are "
"installed unless it was manually disabled."
msgstr ""