Razor: Secure and Packaged
Less than a year ago, EMC and Puppet Labs announced the availability of Razor, our next-generation discovery and provisioning solution for bare metal and virtual machines. Since the launch, thousands of people have tested Razor, and we've made significant improvements and bug fixes to the solution.
Today, I'm pleased to announce release 0.8.0 of Project Razor and 0.10.0 of the Razor Microkernel image. This is primarily a security fix release that addresses five serious security vulnerabilities found in Razor. These vulnerabilities affect every deployment, and all existing users should upgrade immediately.
New to Razor? All downloads are available here.
The latest release also represents a major step in bringing Razor to maturity. In addition to the security fixes, we've introduced automated package building, which should give you faster and more reliable releases in the future. This is all part of the overall direction of the Razor Project: reduce complexity, improve the code, and then introduce improved features.
To patch the Razor server, update to the latest code from Git and fully restart Razor. Be sure the node.js web servers are restarted as well, since several of the fixed issues affect that component; a node process that survives the restart is still running the vulnerable code.
- For users of the `puppetlabs-razor` module, these fixes will have been automatically applied during any Puppet run.
- Users who installed Project Razor manually must update manually.
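The restart step is the one that is easy to get wrong: a node.js web server left over from before the update keeps serving the old code. The following check is an added example, not part of Razor or the `puppetlabs-razor` module. It reads the process table and flags node processes whose age exceeds the time since the update; the `ps` sample embedded below is constructed for illustration, and the install path and the way the update time is captured (`date +%s` just before `git pull`) are assumptions.

```shell
#!/bin/sh
# Hypothetical post-upgrade check (not part of Razor): list node.js processes
# that are older than the code update and so are still running pre-fix code.
# Reads `ps -eo pid,etimes,comm` output on stdin; etimes is the process age
# in seconds, and the first line is the column header.
stale_node_processes() {
    seconds_since_update=$1
    awk -v limit="$seconds_since_update" '
        NR > 1 && $3 ~ /^node(js)?$/ && ($2 + 0) > (limit + 0) { print $1 }'
}

# Live usage: record `date +%s` immediately before `git pull`, then pass that
# value here after the restart. Returns 1 if any stale node process remains.
check_razor_restarted() {
    update_epoch=$1
    age=$(( $(date +%s) - update_epoch ))
    stale=$(ps -eo pid,etimes,comm | stale_node_processes "$age")
    if [ -n "$stale" ]; then
        echo "node.js processes started before the update are still running: $stale" >&2
        return 1
    fi
    echo "all node.js processes started after the update"
}

# Constructed sample of `ps -eo pid,etimes,comm` output (not real data):
# PIDs 101 and 104 are a day old, 102 was started 30 seconds ago.
SAMPLE_PS='  PID ELAPSED COMMAND
  101   86400 node
  102      30 node
  103    7200 ruby
  104   90000 nodejs'

# With an update ten minutes ago, 101 and 104 are the ones that were not restarted.
printf '%s\n' "$SAMPLE_PS" | stale_node_processes 600
```

Run `check_razor_restarted "$UPDATE_EPOCH"` on the server after the restart; a non-zero exit means the restart did not take and the listed PIDs need to be stopped.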
Security Fix Details
These security issues were discovered as part of internal and external auditing of the Razor project. They are:
- unauthenticated network root shell injection in Razor daemon.
- unauthenticated network root reads of any file on disk.
- unauthenticated network root reads of the Razor configuration, including database credentials.
- unauthenticated network loading of arbitrary code into the Microkernel.
- MCollective active on Microkernel and willing to talk with a broker named `ubuntu` on the network.
These vulnerabilities are severe, and we apologize for both their presence and the time it took to resolve them. We are continuing to work to make Razor more secure, both by reducing the complexity of the codebase and by continuing our practice of proactive auditing.
Packaging and Release Improvements
On a more positive note, we now have official Razor packages in our public repositories, for Debian, Ubuntu, Red Hat Enterprise Linux, CentOS, and Fedora. We are publishing both normal release packages and "nightly" packages; we hope these improve the installation and upgrade process for all our users.
The scare-quotes around "nightly" are there because the packages are actually rebuilt every time a change in Git passes our test suites. Using them is almost identical to installing directly from Git, with the added benefit that they are more likely to work in the field.
For the moment, the `puppetlabs-razor` module will still prefer to install from the Git repository, but it will be switching over to prefer packages late this quarter.
The packages will refuse to install over the top of an existing Git deployment of Razor; you can bypass that by removing the `.git` directory from disk. There are no known incompatibilities between the two, but we chose a conservative approach to avoid the possibility of destroying important local changes.
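Removing `.git` by hand is exactly the step that can destroy local changes, which is the risk the refusal guards against. The helper below is an added example, not part of Razor or its packages: it saves any uncommitted edits and untracked files from the Git deployment to a backup directory before removing `.git`, and refuses to proceed when changes exist and no backup path was given. The deployment path is an assumption, and the test creates a throwaway repository rather than touching a real install.

```shell
#!/bin/sh
# Hypothetical helper (not part of Razor): make a Git deployment eligible for
# the package install by removing .git, but only after preserving local work.
#   $1  path of the existing Git deployment (assumed, e.g. /opt/razor)
#   $2  backup directory; may be omitted only when the checkout is clean
preserve_and_unlink_git_checkout() {
    dir=$1
    backup=$2

    if [ ! -d "$dir/.git" ]; then
        echo "$dir is not a Git checkout; nothing to do"
        return 0
    fi

    # Tracked modifications (as a patch) and untracked files the package
    # would otherwise overwrite or orphan.
    tracked=$(git -C "$dir" diff HEAD)
    untracked=$(git -C "$dir" ls-files --others --exclude-standard)

    if [ -n "$tracked" ] || [ -n "$untracked" ]; then
        if [ -z "$backup" ]; then
            echo "local changes in $dir; refusing to remove .git without a backup path" >&2
            return 1
        fi
        mkdir -p "$backup"
        # The patch can be re-applied to the packaged tree with `git apply`
        # or plain `patch -p1`.
        git -C "$dir" diff HEAD > "$backup/local-changes.patch"
        # Untracked files are copied out verbatim, keeping their relative paths.
        printf '%s\n' "$untracked" | while IFS= read -r f; do
            [ -n "$f" ] || continue
            mkdir -p "$backup/untracked/$(dirname "$f")"
            cp -p "$dir/$f" "$backup/untracked/$f"
        done
        echo "saved local changes to $backup"
    fi

    rm -rf "$dir/.git"
    echo "removed $dir/.git; the package can now be installed over $dir"
    return 0
}
```

Once the package is installed, diff `local-changes.patch` against the packaged files before re-applying it, since a local edit may have been superseded by one of the fixes.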
Check out the latest Razor release, and let us know what you think.
Get Involved with the Razor Project
- Razor IRC channel #puppet-razor
- Razor mailing list
- Get the Razor code or read the documentation
- Download Razor here