Rhel BootLoader, Single-user mode password & Interactive Boot in a Cloud environment

We run cloud service & our vCenter is not accessible to our tenants
and their IT support; so I would say console access is not feasible
unless the tenant/customer IT come to our DC.

If the following 3 hardenings are done our tenant/customer RHEL
Linux VM,  what's the impact to the tenant's sysadmin & IT operation?


a) CIS 1.5.3 Set Boot Loader Password :
    if this password is set, when tenant reboot (shutdown -r)
    their VM each time, will it prompt for the bootloader
    password at console?  If so, is there any way the tenant,
    could still get their VM booted up if they have no access
    to vCenter's console?

b) CIS 1.5.4 Require Authentication for Single-User Mode :
    Does Linux allow ssh access while in single-user mode &
    can this 'single-user mode password' be entered via an
    ssh session (without access to console), assuming certain
    'terminal' service is started up / running while in single
    user mode

c) CIS 1.5.5 Disable Interactive Boot :
    what's the general consensus on this? Disable or enable?
    Our corporate hardening guide does not mention this item.
    So if the tenant wishes to boot up step by step (ie pausing
    at each startup script), they can't do it?

Feel free to add any other impacts that anyone can think of

Lastly, how do people out there grant console access to their
tenants in Cloud environment without security compromise
(I mean without granting vCenter access) : I heard that we can
customize vCenter in a modular way to grant limited access of
vCenter to  each tenants, is this so & any link that describes this?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sunhuxAuthor Commented:
I'm also concerned that without console access, when a tenant shut down
their VM, how do they boot it up unless they get us (the Cloud provider's
sysadmin) to do the boot up for them from vCenter.  So how does the
cloud providers out there address this?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
a. they will need to enter a password at the console.

b. yes, this could be done via SSL certificates.

c. How would they do this? they would need console access.

vCenter Access could be available to access their VMs with correct permissions.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
> b. yes, this could be done via SSL certificates.
Can elaborate how this can be done?  So with SSL cert,
when booting to errorlevel 1, the tenant who has no
console access could still enter the password required
for single-user authentication via an ssh session?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Actually it's the exchange of secure certificates, so you can login to SSH by having the machine certificate on your workstation, this make's it securer, because it's not relying on a password, e.g. jeyboard authentication, which is usually required for SSH.
0
sunhuxAuthor Commented:
So using this jeyboard authentication, we can boot the Linux
VM to single-user mode?

One last query:
> vCenter access cud be avail to tenants to access their
> VMs with correct permissions
Do you have any link that give such example settings/configuration/cases?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Single User Mode has be defined as a Boot Parameter, they will need to have Console Access, not SSH.

Which vCenter version are you using?
0
sunhuxAuthor Commented:
I'm on 5.0 Update 1
0
sunhuxAuthor Commented:
So can I say in general, the cloud service providers out there customize
their vCenter such that tenants have access to it?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Most only give access via SSH, and do not give real console access.

Do you only have vCenter?
0
gheistCommented:
vcenter is way too expensive and too clumsy to provision service to paying customers.
recently rackspace and amazon rebooted all virtual machines. do you think e.g. dropbox admins booted them entering passwords with fingers bleeding in the afternoon?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VMware

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.