From 7f95e1f12bab688057110dc3dd99a61a191b8b8b Mon Sep 17 00:00:00 2001 From: OpenStack Proposal Bot Date: Mon, 30 Jun 2014 06:06:27 +0000 Subject: [PATCH] Imported Translations from Transifex Change-Id: Ie7619f7c279f970f7340634ee966cdbc83610b99 --- .../locale/admin-guide-cloud.pot | 448 +- doc/common/locale/common.pot | 282 +- doc/common/locale/fr.po | 285 +- doc/common/locale/ja.po | 273 +- .../locale/config-reference.pot | 120 +- doc/glossary/locale/glossary.pot | 6 +- doc/image-guide/locale/image-guide.pot | 210 +- doc/install-guide/locale/install-guide.pot | 40 +- doc/install-guide/locale/ja.po | 63 +- doc/security-guide/locale/ja.po | 10242 ++++++++++++++++ 10 files changed, 11217 insertions(+), 752 deletions(-) create mode 100644 doc/security-guide/locale/ja.po diff --git a/doc/admin-guide-cloud/locale/admin-guide-cloud.pot b/doc/admin-guide-cloud/locale/admin-guide-cloud.pot index 2216dbab59..a3a6a32567 100644 --- a/doc/admin-guide-cloud/locale/admin-guide-cloud.pot +++ b/doc/admin-guide-cloud/locale/admin-guide-cloud.pot @@ -1,7 +1,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2014-06-25 06:07+0000\n" +"POT-Creation-Date: 2014-06-30 06:05+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -706,7 +706,7 @@ msgstr "" msgid "Docker" msgstr "" -#: ./doc/admin-guide-cloud/ch_compute.xml:91(link) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:536(th) +#: ./doc/admin-guide-cloud/ch_compute.xml:91(link) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:535(th) msgid "Hyper-V" msgstr "" 
@@ -1376,7 +1376,7 @@ msgstr "" msgid "Available networking plug-ins" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:403(th) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:532(th) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:12(th) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:403(th) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:531(th) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:12(th) msgid "Plug-in" msgstr "" @@ -1404,7 +1404,7 @@ msgstr "" msgid "https://wiki.openstack.org/wiki/Brocade-neutron-plugin" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:423(emphasis) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:558(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:423(emphasis) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:557(td) msgid "Cisco" msgstr "" 
@@ -1501,758 +1501,758 @@ msgid "This guide and , " msgstr "" #: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:499(para) -msgid "Plug-ins can have different properties for hardware requirements, features, performance, scale, or operator tools. Because Networking supports a large number of plug-ins, the cloud administrator can weigh options to decide on the right networking technology for the deployment." +msgid "Plug-ins can have different properties for hardware requirements, features, performance, scale, or operator tools. Because Networking supports a large number of plug-ins, the cloud administrator must determine the right networking technology for the deployment." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:505(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:504(para) msgid "In the Havana release, OpenStack Networking introduces the Modular Layer 2 (ML2) plug-in that enables the use of multiple concurrent mechanism drivers. This capability aligns with the complex requirements typically found in large heterogeneous environments. It currently works with the existing Open vSwitch, Linux Bridge, and Hyper-v L2 agents. The ML2 framework simplifies the addition of support for new L2 technologies and reduces the effort that is required to add and maintain them compared to earlier large plug-ins." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:518(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:517(title) msgid "Plug-in deprecation notice" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:519(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:518(para) msgid "The Open vSwitch and Linux Bridge plug-ins are deprecated in the Havana release and will be removed in the Icehouse release. 
The features in these plug-ins are now part of the ML2 plug-in in the form of mechanism drivers." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:525(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:524(para) msgid "Not all Networking plug-ins are compatible with all possible Compute drivers:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:528(caption) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:527(caption) msgid "Plug-in compatibility with Compute drivers" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:533(th) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:532(th) msgid "Libvirt (KVM/QEMU)" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:534(th) ./doc/admin-guide-cloud/compute/section_compute-configure-migrations.xml:260(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:533(th) ./doc/admin-guide-cloud/compute/section_compute-configure-migrations.xml:260(title) msgid "XenServer" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:535(th) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:534(th) msgid "VMware" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:537(th) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:536(th) msgid "Bare-metal" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:542(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:541(td) msgid "Big Switch / Floodlight" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:543(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:551(td) 
./doc/admin-guide-cloud/networking/section_networking_introduction.xml:559(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:570(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:575(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:583(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:591(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:599(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:602(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:607(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:615(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:623(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:625(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:631(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:639(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:640(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:641(td) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1501(td) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1508(td) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1515(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:542(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:550(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:558(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:569(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:574(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:582(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:590(td) 
./doc/admin-guide-cloud/networking/section_networking_introduction.xml:598(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:601(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:606(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:614(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:622(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:624(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:630(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:638(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:639(td) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:640(td) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1501(td) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1508(td) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1515(td) msgid "Yes" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:550(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:549(td) msgid "Brocade" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:566(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:565(td) msgid "Cloudbase Hyper-V" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:574(td) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:29(td) ./doc/admin-guide-cloud/networking/section_networking-adv-config.xml:102(emphasis) ./doc/admin-guide-cloud/networking/section_networking-scenarios.xml:452(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:573(td) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:29(td) 
./doc/admin-guide-cloud/networking/section_networking-adv-config.xml:102(emphasis) ./doc/admin-guide-cloud/networking/section_networking-scenarios.xml:452(title) msgid "Linux Bridge" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:582(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:581(td) msgid "Mellanox" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:590(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:589(td) msgid "Midonet" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:598(td) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:19(td) ./doc/admin-guide-cloud/networking/section_networking-scenarios.xml:662(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:597(td) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:19(td) ./doc/admin-guide-cloud/networking/section_networking-scenarios.xml:662(title) msgid "ML2" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:606(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:605(td) msgid "NEC OpenFlow" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:614(td) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:24(td) ./doc/admin-guide-cloud/networking/section_networking-adv-config.xml:79(emphasis) ./doc/admin-guide-cloud/networking/section_networking-scenarios.xml:12(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:613(td) ./doc/admin-guide-cloud/networking/section_networking_pagination_and_sorting_support.xml:24(td) ./doc/admin-guide-cloud/networking/section_networking-adv-config.xml:79(emphasis) ./doc/admin-guide-cloud/networking/section_networking-scenarios.xml:12(title) msgid 
"Open vSwitch" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:622(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:621(td) msgid "Plumgrid" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:630(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:629(td) msgid "Ryu" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:638(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:637(td) msgid "VMware NSX" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:648(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:647(title) msgid "Plug-in configurations" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:649(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:648(para) msgid "For configurations options, see Networking configuration options in Configuration Reference. These sections explain how to configure specific plug-ins." 
msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:656(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:655(title) msgid "Configure Big Switch, Floodlight REST Proxy plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:659(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:658(title) msgid "To use the REST Proxy plug-in with OpenStack Networking" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:662(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:661(para) msgid "Edit the /etc/neutron/neutron.conf file and add this line:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:668(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:667(para) msgid "Edit the /etc/neutron/plugins/bigswitch/restproxy.ini file for the plug-in and specify a comma-separated list of controller_ip:port pairs:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:675(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:674(para) msgid "For database configuration, see Install Networking Services in the Installation Guide in the OpenStack Documentation index. 
(The link defaults to the Ubuntu version.)" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:686(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:685(para) msgid "Restart neutron-server to apply the settings:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:694(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:693(title) msgid "Configure Brocade plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:696(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:695(title) msgid "To use the Brocade plug-in with OpenStack Networking" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:699(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:698(para) msgid "Install the Brocade-modified Python netconf client (ncclient) library, which is available at https://github.com/brocade/ncclient:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:705(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:704(para) msgid "As root, run this command:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:711(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:710(para) msgid "Edit the /etc/neutron/neutron.conf file and set the following option:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:717(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:716(para) msgid "Edit the /etc/neutron/plugins/brocade/brocade.ini file for the Brocade plug-in and specify the admin user name, password, and IP address of the Brocade switch:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:723(replaceable) 
./doc/admin-guide-cloud/networking/section_networking_introduction.xml:985(replaceable) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:986(replaceable) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:997(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:722(replaceable) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:984(replaceable) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:985(replaceable) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:996(replaceable) msgid "admin" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:724(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:723(replaceable) msgid "password" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:725(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:724(replaceable) msgid "switch mgmt ip address" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:727(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:726(para) msgid "For database configuration, see Install Networking Services in any of the Installation Guides in the OpenStack Documentation index. 
(The link defaults to the Ubuntu version.)" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:738(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:737(para) msgid "Restart the neutron-server service to apply the settings:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:746(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:745(title) msgid "Configure OVS plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:747(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:746(para) msgid "If you use the Open vSwitch (OVS) plug-in in a deployment with multiple hosts, you must use either tunneling or vlans to isolate traffic from multiple networks. Tunneling is easier to deploy because it does not require that you configure VLANs on network switches." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:753(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:752(para) msgid "This procedure uses tunneling:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:755(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:754(title) msgid "To configure OpenStack Networking to use the OVS plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:758(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:757(para) msgid "Edit /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file to specify these values:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:766(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:886(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1111(para) +#: 
./doc/admin-guide-cloud/networking/section_networking_introduction.xml:765(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:885(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1110(para) msgid "For database configuration, see Install Networking Services in Installation Guide." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:773(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:772(para) msgid "If you use the neutron DHCP agent, add these lines to the /etc/neutron/dhcp_agent.ini file:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:780(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:779(para) msgid "To lower the MTU size on instances and prevent packet fragmentation over the GRE tunnel, create the /etc/neutron/dnsmasq/dnsmasq-neutron.conf file and add these values:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:788(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:787(para) msgid "Restart the Networking service to apply the settings:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:795(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:794(title) msgid "Configure NSX plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:797(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:796(title) msgid "To configure OpenStack Networking to use the NSX plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:799(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:798(para) msgid "While the instructions in this section refer to the VMware NSX platform, this is formerly known as Nicira NVP." 
msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:803(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:802(para) msgid "Install the NSX plug-in:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:807(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1022(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1064(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:806(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1021(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1063(para) msgid "Edit the /etc/neutron/neutron.conf file and set this line:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:811(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:810(para) msgid "Example neutron.conf file for NSX:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:819(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:818(para) msgid "To configure the NSX controller cluster for OpenStack Networking, locate the [default] section in the /etc/neutron/plugins/vmware/nsx.ini file and add the following entries:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:827(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:826(para) msgid "To establish and configure the connection with the controller cluster you must set some parameters, including NSX API endpoints, access credentials, and settings for HTTP redirects and retries in case of connection failures:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:842(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:841(para) msgid "To ensure correct 
operations, the nsx_user user must have administrator credentials on the NSX platform." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:847(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:846(para) msgid "A controller API endpoint consists of the IP address and port for the controller; if you omit the port, port 443 is used. If multiple API endpoints are specified, it is up to the user to ensure that all these endpoints belong to the same controller cluster. The OpenStack Networking VMware NSX plug-in does not perform this check, and results might be unpredictable." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:858(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:857(para) msgid "When you specify multiple API endpoints, the plug-in load-balances requests on the various API endpoints." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:864(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:863(para) msgid "The UUID of the NSX Transport Zone that should be used by default when a tenant creates a network. You can get this value from the NSX Manager's Transport Zones page:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:875(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:874(para) msgid "Ubuntu packaging currently does not update the Neutron init script to point to the NSX configuration file. 
Instead, you must manually update /etc/default/neutron-server to add this line:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:893(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:892(para) msgid "Restart neutron-server to apply settings:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:899(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:898(para) msgid "Example nsx.ini file:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:908(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:907(para) msgid "To debug nsx.ini configuration issues, run this command from the host that runs neutron-server:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:913(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:912(para) msgid "This command tests whether neutron-server can log into all of the NSX Controllers and the SQL server, and whether all UUID values are correct." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:921(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:920(title) msgid "Load Balancer-as-a-Service and Firewall-as-a-Service" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:923(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:922(para) msgid "The NSX LBaaS and FWaaS services use the standard OpenStack API with the exception of requiring routed-insertion extension support." 
msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:927(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:926(para) msgid "The NSX implementation and the community reference implementation of these services differ, as follows:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:932(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:931(para) msgid "The NSX LBaaS and FWaaS plug-ins require the routed-insertion extension, which adds the router_id attribute to the VIP (Virtual IP address) and firewall resources and binds these services to a logical router." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:941(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:940(para) msgid "The community reference implementation of LBaaS only supports a one-arm model, which restricts the VIP to be on the same subnet as the back-end servers. The NSX LBaaS plug-in only supports a two-arm model between north-south traffic, which means that you can create the VIP on only the external (physical) network." msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:953(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:952(para) msgid "The community reference implementation of FWaaS applies firewall rules to all logical routers in a tenant, while the NSX FWaaS plug-in applies firewall rules only to one logical router according to the router_id of the firewall entity." 
msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:964(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:963(title) msgid "To configure Load Balancer-as-a-Service and Firewall-as-a-Service with NSX" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:967(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:966(para) msgid "Edit the /etc/neutron/neutron.conf file:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:975(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:974(para) msgid "Edit the /etc/neutron/plugins/vmware/nsx.ini file:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:978(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:977(para) msgid "In addition to the original NSX configuration, the default_l3_gw_service_uuid is required for the NSX Advanced plug-in and you must add a vcns section:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:987(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:986(replaceable) msgid "10.37.1.137:443" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:988(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:987(replaceable) msgid "aae63e9b-2e4e-4efe-81a1-92cf32e308bf" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:989(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:988(replaceable) msgid "2702f27a-869a-49d1-8781-09331a0f6b9e" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:994(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:993(replaceable) msgid "https://10.24.106.219" msgstr 
"" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1000(replaceable) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1191(td) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:999(replaceable) ./doc/admin-guide-cloud/networking/section_networking_adv_features.xml:1191(td) msgid "default" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1003(replaceable) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1002(replaceable) msgid "f2c023cf-76e2-4625-869b-d0dabcfcc638" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1017(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1016(title) msgid "Configure PLUMgrid plug-in" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1019(title) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1018(title) msgid "To use the PLUMgrid plug-in with OpenStack Networking" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1028(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1027(para) msgid "Edit the [PLUMgridDirector] section in the /etc/neutron/plugins/plumgrid/plumgrid.ini file and specify the IP address, port, admin user name, and password of the PLUMgrid Director:" msgstr "" -#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1040(para) +#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1039(para) msgid "For database configuration, see Install Networking Services in the Installation Guide." 
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1047(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1123(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1046(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1122(para)
 msgid "Restart the neutron-server to apply the settings:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1055(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1054(title)
 msgid "Configure Ryu plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1057(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1056(title)
 msgid "To use the Ryu plug-in with OpenStack Networking"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1060(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1059(para)
 msgid "Install the Ryu plug-in:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1070(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1069(para)
 msgid "Edit the /etc/neutron/plugins/ryu/ryu.ini file and update these options in the [ovs] section for the ryu-neutron-agent:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1078(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1077(para)
 msgid "openflow_rest_api. Defines where Ryu is listening for REST API. Substitute ip-address and port-no based on your Ryu setup."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1087(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1086(para)
 msgid "ovsdb_interface. Enables Ryu to access the ovsdb-server. Substitute eth0 based on your setup. The IP address is derived from the interface name. If you want to change this value irrespective of the interface name, you can specify ovsdb_ip. If you use a non-default port for ovsdb-server, you can specify ovsdb_port."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1103(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1102(para)
 msgid "tunnel_interface. Defines which IP address is used for tunneling. If you do not use tunneling, this value is ignored. The IP address is derived from the network interface name."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1116(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1115(para)
 msgid "You can use the same configuration file for many compute nodes by using a network interface name with a different IP address:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1133(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1132(title)
 msgid "Configure neutron agents"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1134(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1133(para)
 msgid "Plug-ins typically have requirements for particular software that must be run on each node that handles data packets. This includes any node that runs nova-compute and nodes that run dedicated OpenStack Networking service agents such as neutron-dhcp-agent, neutron-l3-agent, neutron-metering-agent or neutron-lbaas-agent."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1143(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1142(para)
 msgid "A data-forwarding node typically has a network interface with an IP address on the management network and another interface on the data network."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1146(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1145(para)
 msgid "This section shows you how to install and configure a subset of the available plug-ins, which might include the installation of switching software (for example, Open vSwitch) and as agents used to communicate with the neutron-server process running elsewhere in the data center."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1154(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1153(title)
 msgid "Configure data-forwarding nodes"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1156(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1155(title)
 msgid "Node set up: OVS plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1159(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1158(para)
 msgid "This section also applies to the ML2 plug-in when you use Open vSwitch as a mechanism driver."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1157(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1156(para)
 msgid "If you use the Open vSwitch plug-in, you must install Open vSwitch and the neutron-plugin-openvswitch-agent agent on each data-forwarding node:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1167(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1166(para)
 msgid "Do not install the openvswitch-brcompat package because it prevents the security group functionality from operating correctly."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1173(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1172(title)
 msgid "To set up each node for the OVS plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1176(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1175(para)
 msgid "Install the OVS agent package:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1178(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1177(para)
 msgid "This action also installs the Open vSwitch software as a dependency."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1182(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1181(para)
 msgid "On each node that runs the neutron-plugin-openvswitch-agent, complete these steps:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1187(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1186(para)
 msgid "Replicate the ovs_neutron_plugin.ini file that you created on the node."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1193(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1192(para)
 msgid "If you use tunneling, update the ovs_neutron_plugin.ini file for the node with the IP address that is configured on the data network for the node by using the local_ip value."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1205(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1306(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1204(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1305(para)
 msgid "Restart Open vSwitch to properly load the kernel module:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1210(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1311(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1209(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1310(para)
 msgid "Restart the agent:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1214(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1213(para)
 msgid "All nodes that run neutron-plugin-openvswitch-agent must have an OVS br-int bridge."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1218(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1320(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1217(para) ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1319(para)
 msgid "To create the bridge, run this command:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1225(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1224(title)
 msgid "Node set up: NSX plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1226(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1225(para)
 msgid "If you use the NSX plug-in, you must also install Open vSwitch on each data-forwarding node. However, you do not need to install an additional agent on each node."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1231(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1230(para)
 msgid "It is critical that you run an Open vSwitch version that is compatible with the current version of the NSX Controller software. Do not use the Open vSwitch version that is installed by default on Ubuntu. Instead, use the Open vSwitch version that is provided on the VMware support portal for your NSX Controller version."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1241(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1240(title)
 msgid "To set up each node for the NSX plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1244(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1243(para)
 msgid "Ensure that each data-forwarding node has an IP address on the management network, and an IP address on the \"data network\" that is used for tunneling data traffic. For full details on configuring your forwarding node, see the NSX Administrator Guide."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1254(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1253(para)
 msgid "Use the NSX Administrator Guide to add the node as a Hypervisor by using the NSX Manager GUI. Even if your forwarding node has no VMs and is only used for services agents like neutron-dhcp-agent or neutron-lbaas-agent, it should still be added to NSX as a Hypervisor."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1266(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1265(para)
 msgid "After following the NSX Administrator Guide, use the page for this Hypervisor in the NSX Manager GUI to confirm that the node is properly connected to the NSX Controller Cluster and that the NSX Controller Cluster can see the br-int integration bridge."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1279(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1278(title)
 msgid "Node set up: Ryu plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1280(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1279(para)
 msgid "If you use the Ryu plug-in, you must install both Open vSwitch and Ryu, in addition to the Ryu agent package."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1284(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1283(title)
 msgid "To set up each node for the Ryu plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1287(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1286(para)
 msgid "Install Ryu:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1289(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1288(para)
 msgid "Currently, no Ryu package exists for Ubuntu."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1293(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1292(para)
 msgid "Install the Ryu agent and Open vSwitch packages:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1298(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1297(para)
 msgid "Replicate the ovs_ryu_plugin.ini and neutron.conf files created in the above step on all nodes running neutron-plugin-ryu-agent."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1315(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1314(para)
 msgid "All nodes that run neutron-plugin-ryu-agent must also have an OVS bridge named br-int on each node."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1328(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1327(title)
 msgid "Configure DHCP agent"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1329(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1328(para)
 msgid "The DHCP service agent is compatible with all existing plug-ins and is required for all deployments where VMs should automatically receive IP addresses through DHCP."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1334(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1333(title)
 msgid "To install and configure the DHCP agent"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1336(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1335(para)
 msgid "You must configure the host running the neutron-dhcp-agent as a data forwarding node according to the requirements for your plug-in. See ."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1343(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1342(para)
 msgid "Install the DHCP agent:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1347(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1346(para)
 msgid "Finally, update any options in the /etc/neutron/dhcp_agent.ini file that depend on the plug-in in use. See the sub-sections."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1354(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1353(para)
 msgid "If you reboot a node that runs the DHCP agent, you must run the command before the neutron-dhcp-agent service starts."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1360(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1359(para)
 msgid "On Red Hat, SUSE, and Ubuntu based systems, the neutron-ovs-cleanup service runs the command automatically. However, on Debian-based systems (including Ubuntu in releases earlier than Icehouse), you must manually run this command or write your own system script that runs on boot before the neutron-dhcp-agent service starts."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1373(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1372(title)
 msgid "DHCP agent setup: OVS plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1374(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1373(para)
 msgid "These DHCP agent options are required in the /etc/neutron/dhcp_agent.ini file for the OVS plug-in:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1383(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1382(title)
 msgid "DHCP agent setup: NSX plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1384(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1383(para)
 msgid "These DHCP agent options are required in the /etc/neutron/dhcp_agent.ini file for the NSX plug-in:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1394(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1393(title)
 msgid "DHCP agent setup: Ryu plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1395(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1394(para)
 msgid "These DHCP agent options are required in the /etc/neutron/dhcp_agent.ini file for the Ryu plug-in:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1404(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1403(title)
 msgid "Configure L3 agent"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1405(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1404(para)
 msgid "The OpenStack Networking Service has a widely used API extension to allow administrators and tenants to create routers to interconnect L2 networks, and floating IPs to make ports on private networks publicly accessible."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1410(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1409(para)
 msgid "Many plug-ins rely on the L3 service agent to implement the L3 functionality. However, the following plug-ins already have built-in L3 capabilities:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1415(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1414(para)
 msgid "NSX plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1418(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1417(para)
 msgid "Big Switch/Floodlight plug-in, which supports both the open source Floodlight controller and the proprietary Big Switch controller."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1424(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1423(para)
 msgid "Only the proprietary BigSwitch controller implements L3 functionality. When using Floodlight as your OpenFlow controller, L3 functionality is not available."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1432(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1431(para)
 msgid "PLUMgrid plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1436(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1435(para)
 msgid "Do not configure or use neutron-l3-agent if you use one of these plug-ins."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1441(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1440(title)
 msgid "To install the L3 agent for all other plug-ins"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1444(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1443(para)
 msgid "Install the neutron-l3-agent binary on the network node:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1450(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1449(para)
 msgid "To uplink the node that runs neutron-l3-agent to the external network, create a bridge named \"br-ex\" and attach the NIC for the external network to this bridge."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1455(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1454(para)
 msgid "For example, with Open vSwitch and NIC eth1 connected to the external network, run:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1459(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1458(para)
 msgid "Do not manually configure an IP address on the NIC connected to the external network for the node running neutron-l3-agent. Rather, you must have a range of IP addresses from the external network that can be used by OpenStack Networking for routers that uplink to the external network. This range must be large enough to have an IP address for each router in the deployment, as well as each floating IP."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1472(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1471(para)
 msgid "The neutron-l3-agent uses the Linux IP stack and iptables to perform L3 forwarding and NAT. In order to support multiple routers with potentially overlapping IP addresses, neutron-l3-agent defaults to using Linux network namespaces to provide isolated forwarding contexts. As a result, the IP addresses of routers are not visible simply by running the or command on the node. Similarly, you cannot directly fixed IPs."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1487(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1486(para)
 msgid "To do either of these things, you must run the command within a particular network namespace for the router. The namespace has the name \"qrouter-<UUID of the router>. These example commands run in the router namespace with UUID 47af3868-0fa8-4447-85f6-1304de32153b:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1499(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1498(para)
 msgid "If you reboot a node that runs the L3 agent, you must run the command before the neutron-l3-agent service starts."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1505(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1504(para)
 msgid "On Red Hat, SUSE and Ubuntu based systems, the neutron-ovs-cleanup service runs the command automatically. However, on Debian-based systems (including Ubuntu prior to Icehouse), you must manually run this command or write your own system script that runs on boot before the neutron-l3-agent service starts."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1518(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1517(title)
 msgid "Configure metering agent"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1519(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1518(para)
 msgid "Starting with the Havana release, the Neutron Metering resides beside neutron-l3-agent."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1523(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1522(title)
 msgid "To install the metering agent and configure the node"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1526(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1525(para)
 msgid "Install the agent by running:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1529(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1528(title)
 msgid "Package name prior to Icehouse"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1530(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1529(para)
 msgid "In releases of neutron prior to Icehouse, this package was named neutron-plugin-metering-agent."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1536(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1535(para)
 msgid "If you use one of the following plugins, you need to configure the metering agent with these lines as well:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1541(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1540(para)
 msgid "An OVS-based plug-in such as OVS, NSX, Ryu, NEC, BigSwitch/Floodlight:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1547(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1546(para)
 msgid "A plug-in that uses LinuxBridge:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1554(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1553(para)
 msgid "To use the reference implementation, you must set:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1559(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1558(para)
 msgid "Set this parameter in the neutron.conf file on the host that runs neutron-server:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1568(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1567(title)
 msgid "Configure Load-Balancing-as-a-Service (LBaaS)"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1570(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1569(para)
 msgid "Configure Load-Balancing-as-a-Service (LBaas) with the Open vSwitch or Linux Bridge plug-in. The Open vSwitch LBaaS driver is required when enabling LBaaS for OVS-based plug-ins, including BigSwitch, Floodlight, NEC, NSX, and Ryu."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1576(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1575(title)
 msgid "To configure LBaas with Open vSwitch or Linux Bridge plug-in"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1579(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1578(para)
 msgid "Install the agent:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1583(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1582(para)
 msgid "Enable the HAProxy plug-in by using the parameter in the /etc/neutron/neutron.conf file:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1592(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1591(para)
 msgid "Enable the load balancer plugin using in the /etc/neutron/neutron.conf file:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1599(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1598(para)
 msgid "Enable the HAProxy load balancer in the /etc/neutron/lbaas_agent.ini file:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1607(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1606(para)
 msgid "Select the required driver in the /etc/neutron/lbaas_agent.ini file:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1610(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1609(para)
 msgid "Enable the Open vSwitch LBaaS driver:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1612(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1611(para)
 msgid "Or, enable the Linux Bridge LBaaS driver:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1615(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1614(para)
 msgid "Apply the settings by restarting the neutron-server and neutron-lbaas-agent services."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1621(title)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1620(title)
 msgid "Upgrade from Havana to Icehouse"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1622(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1621(para)
 msgid "In the Icehouse release, LBaaS server-agent communications changed. If you transition from Havana to Icehouse, make sure to upgrade both server and agent sides before you use the load balancing service."
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1631(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1630(para)
 msgid "Enable Load Balancing in the Project section of the dashboard:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1634(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1633(para)
 msgid "Change the option to True in the /etc/openstack-dashboard/local_settings file:"
 msgstr ""
-#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1639(para)
+#: ./doc/admin-guide-cloud/networking/section_networking_introduction.xml:1638(para)
 msgid "Apply the settings by restarting the httpd service. You can now view the Load Balancer management options in the Project view in the dashboard."
 msgstr ""
@@ -6194,75 +6194,75 @@ msgid "You need to update your copy of the hp_3par_fc.py dr msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:5(title) -msgid "Configure a multiple-storage back-end" +msgid "Configure multiple-storage back ends" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:6(para) -msgid "With multiple storage back-ends configured, you can create several back-end storage solutions serving the same OpenStack Compute configuration. Basically, multi back-end launches one cinder-volume for each back-end." +msgid "When you configure multiple-storage back ends, you can create several back-end storage solutions that serve the same OpenStack Compute configuration and one cinder-volume is launched for each back end." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:11(para) -msgid "In a multi back-end configuration, each back-end has a name (volume_backend_name). Several back-ends can have the same name. In that case, the scheduler properly decides which back-end the volume has to be created in." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:10(para) +msgid "In a multiple-storage back end configuration, each back end has a name (volume_backend_name). Several back ends can have the same name. In that case, the scheduler properly decides which back end the volume has to be created in." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:16(para) -msgid "The name of the back-end is declared as an extra-specification of a volume type (such as, volume_backend_name=LVM_iSCSI). When a volume is created, the scheduler chooses an appropriate back-end to handle the request, according to the volume type specified by the user." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:15(para) +msgid "The name of the back end is declared as an extra-specification of a volume type (such as, volume_backend_name=LVM_iSCSI). 
When a volume is created, the scheduler chooses an appropriate back end to handle the request, according to the volume type specified by the user." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:23(title) -msgid "Enable multi back-end" +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:22(title) +msgid "Enable multiple-storage back ends" msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:24(para) -msgid "To enable a multi back-end configuration, you must set the flag in the cinder.conf file. This flag defines the names (separated by a comma) of the configuration groups for the different back-ends: one name is associated to one configuration group for a back-end (such as, [lvmdriver-1])." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:23(para) +msgid "To enable a multiple-storage back ends, you must set the flag in the cinder.conf file. This flag defines the names (separated by a comma) of the configuration groups for the different back ends: one name is associated to one configuration group for a back end (such as, [lvmdriver-1])." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:32(para) +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:31(para) msgid "The configuration group name is not related to the volume_backend_name." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:35(para) +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:34(para) msgid "The options for a configuration group must be defined in the group (or default options are used). All the standard Block Storage configuration options (volume_group, volume_driver, and so on) might be used in a configuration group. Configuration values in the [DEFAULT] configuration group are not used." 
msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:43(para) -msgid "These examples show three back-ends:" +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:42(para) +msgid "These examples show three back ends:" msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:57(para) -msgid "In this configuration, lvmdriver-1 and lvmdriver-2 have the same volume_backend_name. If a volume creation requests the LVM_iSCSI back-end name, the scheduler uses the capacity filter scheduler to choose the most suitable driver, which is either lvmdriver-1 or lvmdriver-2. The capacity filter scheduler is enabled by default. The next section provides more information. In addition, this example presents a lvmdriver-3 back-end." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:56(para) +msgid "In this configuration, lvmdriver-1 and lvmdriver-2 have the same volume_backend_name. If a volume creation requests the LVM_iSCSI back end name, the scheduler uses the capacity filter scheduler to choose the most suitable driver, which is either lvmdriver-1 or lvmdriver-2. The capacity filter scheduler is enabled by default. The next section provides more information. In addition, this example presents a lvmdriver-3 back end." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:70(title) -msgid "Configure Block Storage scheduler multi back-end" +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:69(title) +msgid "Configure Block Storage scheduler multi back end" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:71(para) -msgid "You must enable the option to use multi back-end. Filter scheduler acts in two steps:" +msgid "You must enable the option to use multiple-storage back ends. The filter scheduler:" msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:76(para) -msgid "The filter scheduler filters the available back-ends. 
By default, AvailabilityZoneFilter, CapacityFilter and CapabilitiesFilter are enabled." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:75(para) +msgid "Filters the available back ends. By default, AvailabilityZoneFilter, CapacityFilter and CapabilitiesFilter are enabled." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:84(para) -msgid "The filter scheduler weighs the previously filtered back-ends. By default, CapacityWeigher is enabled. The CapacityWeigher attributes higher scores to back-ends with the most available." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:83(para) +msgid "Weights the previously filtered back ends. By default, the option is enabled. When this option is enabled, the filter scheduler assigns the highest weight to back ends with the most available capacity." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:92(para) -msgid "The scheduler uses the filtering and weighing process to pick the best back-end to handle the request, and explicitly creates volumes on specific back-ends through the use of volume types." +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:91(para) +msgid "The scheduler uses filters and weights to pick the best back end to handle the request. The scheduler uses volume types to explicitly create volumes on specific back ends." msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:99(title) +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:98(title) msgid "Volume type" msgstr "" -#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:100(para) +#: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:99(para) msgid "Before using it, a volume type has to be declared to Block Storage. 
This can be done by the following command:" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:103(para) -msgid "Then, an extra-specification has to be created to link the volume type to a back-end name. Run this command:" +msgid "Then, an extra-specification has to be created to link the volume type to a back end name. Run this command:" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:107(para) @@ -6274,7 +6274,7 @@ msgid "Create another volume type:" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:113(para) -msgid "This second volume type is named lvm_gold and has LVM_iSCSI_b as back-end name." +msgid "This second volume type is named lvm_gold and has LVM_iSCSI_b as back end name." msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:118(para) @@ -6282,7 +6282,7 @@ msgid "To list the extra-specifications, use this command:" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:123(para) -msgid "If a volume type points to a volume_backend_name that does not exist in the Block Storage configuration, the filter_scheduler returns an error that it cannot find a valid host with the suitable back-end." +msgid "If a volume type points to a volume_backend_name that does not exist in the Block Storage configuration, the filter_scheduler returns an error that it cannot find a valid host with the suitable back end." msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:132(title) 
@@ -6290,7 +6290,7 @@ msgid "Usage" msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:133(para) -msgid "When you create a volume, you must specify the volume type. The extra-specifications of the volume type are used to determine which back-end has to be used. Considering the cinder.conf described previously, the scheduler creates this volume on lvmdriver-1 or lvmdriver-2." +msgid "When you create a volume, you must specify the volume type. The extra-specifications of the volume type are used to determine which back end has to be used. Considering the cinder.conf described previously, the scheduler creates this volume on lvmdriver-1 or lvmdriver-2." msgstr "" #: ./doc/admin-guide-cloud/blockstorage/section_multi_backend.xml:142(para) diff --git a/doc/common/locale/common.pot b/doc/common/locale/common.pot index d7e9f03305..3ece96d29a 100644 --- a/doc/common/locale/common.pot +++ b/doc/common/locale/common.pot @@ -1,7 +1,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2014-06-29 06:06+0000\n" +"POT-Creation-Date: 2014-06-30 06:05+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -2703,7 +2703,7 @@ msgstr "" msgid "or for Fedora/RHEL/CentOS:" msgstr "" -#: ./doc/common/section_dashboard-configure-http.xml:32(para) ./doc/common/section_dashboard-configure-https.xml:98(para) +#: ./doc/common/section_dashboard-configure-http.xml:32(para) msgid "Next, restart memcached:" msgstr "" 
@@ -2855,7 +2855,7 @@ msgstr "" msgid "Quota name" msgstr "" -#: ./doc/common/section_cli_nova_quotas.xml:20(th) ./doc/common/section_cli_nova_customize_flavors.xml:40(td) ./doc/common/section_cli_overview.xml:43(th) ./doc/common/section_cli_install.xml:30(th) ./doc/common/ch_getstart.xml:31(th) ./doc/common/tables/ceilometer-database.xml:14(th) ./doc/common/tables/neutron-openvswitch_agent.xml:14(th) ./doc/common/tables/heat-clients.xml:14(th) ./doc/common/tables/cinder-solidfire.xml:14(th) ./doc/common/tables/neutron-rpc.xml:14(th) ./doc/common/tables/trove-db_percona.xml:14(th) ./doc/common/tables/nova-periodic.xml:14(th) ./doc/common/tables/keystone-auth.xml:14(th) ./doc/common/tables/keystone-policy.xml:14(th) ./doc/common/tables/glance-auth_token.xml:14(th) ./doc/common/tables/cinder-netapp_7mode_nfs.xml:14(th) ./doc/common/tables/swift-container-server-container-sync.xml:13(th) ./doc/common/tables/swift-proxy-server-DEFAULT.xml:13(th) ./doc/common/tables/cinder-zoning_fabric.xml:14(th) ./doc/common/tables/ceilometer-redis.xml:14(th) ./doc/common/tables/cinder-storage_ceph.xml:14(th) ./doc/common/tables/ceilometer-vmware.xml:14(th) ./doc/common/tables/neutron-cisco.xml:14(th) ./doc/common/tables/nova-testing.xml:14(th) ./doc/common/tables/nova-metadata.xml:14(th) ./doc/common/tables/heat-clients_nova.xml:14(th) ./doc/common/tables/cinder-hp3par.xml:14(th) ./doc/common/tables/keystone-misc.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-cname_lookup.xml:13(th) ./doc/common/tables/neutron-scheduler.xml:14(th) ./doc/common/tables/glance-rbd.xml:14(th) ./doc/common/tables/cinder-storage_xen.xml:14(th) ./doc/common/tables/ceilometer-common.xml:14(th) ./doc/common/tables/cinder-database.xml:14(th) ./doc/common/tables/ceilometer-logging.xml:14(th) ./doc/common/tables/heat-common.xml:14(th) ./doc/common/tables/nova-ipv6.xml:14(th) ./doc/common/tables/nova-vnc.xml:14(th) ./doc/common/tables/cinder-netapp_cdot_extraspecs.xml:13(th) 
./doc/common/tables/trove-qpid.xml:14(th) ./doc/common/tables/keystone-api.xml:14(th) ./doc/common/tables/swift-object-expirer-pipeline-main.xml:13(th) ./doc/common/tables/swift-container-server-container-auditor.xml:13(th) ./doc/common/tables/glance-rpc.xml:14(th) ./doc/common/tables/neutron-policy.xml:14(th) ./doc/common/tables/nova-spice.xml:14(th) ./doc/common/tables/heat-clients_heat.xml:14(th) ./doc/common/tables/nova-xen.xml:14(th) ./doc/common/tables/trove-amqp.xml:14(th) ./doc/common/tables/glance-matchmaker.xml:14(th) ./doc/common/tables/nova-rabbitmq.xml:14(th) ./doc/common/tables/neutron-ml2_cisco.xml:14(th) ./doc/common/tables/nova-policy.xml:14(th) ./doc/common/tables/keystone-identity.xml:14(th) ./doc/common/tables/ceilometer-inspector.xml:14(th) ./doc/common/tables/cinder-scheduler.xml:14(th) ./doc/common/tables/trove-db_cassandra.xml:14(th) ./doc/common/tables/neutron-logging.xml:14(th) ./doc/common/tables/nova-availabilityzones.xml:14(th) ./doc/common/tables/keystone-catalog.xml:14(th) ./doc/common/tables/cinder-netapp_eseries_iscsi.xml:14(th) ./doc/common/tables/neutron-rootwrap.xml:14(th) ./doc/common/tables/cinder-auth.xml:14(th) ./doc/common/tables/swift-swift-swift-constraints.xml:13(th) ./doc/common/tables/heat-qpid.xml:14(th) ./doc/common/tables/swift-object-expirer-filter-catch_errors.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-slo.xml:13(th) ./doc/common/tables/nova-zookeeper.xml:14(th) ./doc/common/tables/nova-keymgr.xml:14(th) ./doc/common/tables/neutron-auth_token.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-cache.xml:13(th) ./doc/common/tables/nova-ldap.xml:14(th) ./doc/common/tables/swift-container-server-filter-recon.xml:13(th) ./doc/common/tables/swift-proxy-server-pipeline-main.xml:13(th) ./doc/common/tables/ceilometer-auth.xml:14(th) ./doc/common/tables/cinder-quota.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-account-quotas.xml:13(th) ./doc/common/tables/keystone-os_inherit.xml:14(th) 
./doc/common/tables/neutron-sdnve.xml:14(th) ./doc/common/tables/nova-compute.xml:14(th) ./doc/common/tables/keystone-rabbit.xml:14(th) ./doc/common/tables/cinder-backups_ceph.xml:14(th) ./doc/common/tables/nova-vmware.xml:14(th) ./doc/common/tables/heat-cfn_api.xml:14(th) ./doc/common/tables/neutron-vmware.xml:14(th) ./doc/common/tables/nova-rdp.xml:14(th) ./doc/common/tables/keystone-assignment.xml:14(th) ./doc/common/tables/nova-zeromq.xml:14(th) ./doc/common/tables/cinder-storage.xml:14(th) ./doc/common/tables/glance-registry.xml:14(th) ./doc/common/tables/neutron-embrane.xml:14(th) ./doc/common/tables/heat-quota.xml:14(th) ./doc/common/tables/swift-account-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-common.xml:14(th) ./doc/common/tables/swift-proxy-server-app-proxy-server.xml:13(th) ./doc/common/tables/nova-volumes.xml:14(th) ./doc/common/tables/neutron-redis.xml:14(th) ./doc/common/tables/trove-db_mysql.xml:14(th) ./doc/common/tables/heat-zeromq.xml:14(th) ./doc/common/tables/heat-amqp.xml:14(th) ./doc/common/tables/neutron-linuxbridge_agent.xml:14(th) ./doc/common/tables/nova-redis.xml:14(th) ./doc/common/tables/swift-container-server-DEFAULT.xml:13(th) ./doc/common/tables/nova-db.xml:14(th) ./doc/common/tables/glance-rabbitmq.xml:14(th) ./doc/common/tables/neutron-l3_agent.xml:14(th) ./doc/common/tables/swift-container-server-pipeline-main.xml:13(th) ./doc/common/tables/glance-policy.xml:14(th) ./doc/common/tables/nova-neutron.xml:14(th) ./doc/common/tables/cinder-backups.xml:14(th) ./doc/common/tables/cinder-keymgr.xml:14(th) ./doc/common/tables/ceilometer-cells.xml:14(th) ./doc/common/tables/keystone-ldap.xml:14(th) ./doc/common/tables/glance-vmware.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-container-quotas.xml:13(th) ./doc/common/tables/cinder-zoning.xml:14(th) ./doc/common/tables/heat-notification.xml:14(th) ./doc/common/tables/swift-container-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-vpn.xml:14(th) 
./doc/common/tables/neutron-vpn.xml:14(th) ./doc/common/tables/swift-object-expirer-object-expirer.xml:13(th) ./doc/common/tables/trove-common.xml:14(th) ./doc/common/tables/trove-api.xml:14(th) ./doc/common/tables/cinder-zadara.xml:14(th) ./doc/common/tables/swift-object-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-conductor.xml:14(th) ./doc/common/tables/swift-object-server-app-object-server.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-catch_errors.xml:13(th) ./doc/common/tables/nova-livemigration.xml:14(th) ./doc/common/tables/heat-rabbitmq.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-keystoneauth.xml:13(th) ./doc/common/tables/neutron-cadf.xml:14(th) ./doc/common/tables/keystone-amqp.xml:14(th) ./doc/common/tables/keystone-rpc.xml:14(th) ./doc/common/tables/swift-object-server-DEFAULT.xml:13(th) ./doc/common/tables/cinder-zones.xml:14(th) ./doc/common/tables/cinder-scality.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-tempauth.xml:13(th) ./doc/common/tables/neutron-agent.xml:14(th) ./doc/common/tables/cinder-emc.xml:14(th) ./doc/common/tables/cinder-vmware.xml:14(th) ./doc/common/tables/neutron-ml2_flat.xml:14(th) ./doc/common/tables/heat-metadata_api.xml:14(th) ./doc/common/tables/trove-rabbitmq.xml:14(th) ./doc/common/tables/nova-upgrade_levels.xml:14(th) ./doc/common/tables/neutron-kombu.xml:14(th) ./doc/common/tables/cinder-netapp_cdot_iscsi.xml:14(th) ./doc/common/tables/neutron-ml2_ofa.xml:14(th) ./doc/common/tables/glance-api.xml:14(th) ./doc/common/tables/heat-waitcondition_api.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-gatekeeper.xml:13(th) ./doc/common/tables/swift-rsyncd-container.xml:13(th) ./doc/common/tables/cinder-storwize.xml:14(th) ./doc/common/tables/cinder-hplefthand.xml:14(th) ./doc/common/tables/glance-s3.xml:14(th) ./doc/common/tables/nova-rootwrap.xml:14(th) ./doc/common/tables/heat-loadbalancer.xml:14(th) ./doc/common/tables/ceilometer-api.xml:14(th) 
./doc/common/tables/ceilometer-exchange.xml:14(th) ./doc/common/tables/cinder-lvm.xml:14(th) ./doc/common/tables/trove-dns.xml:14(th) ./doc/common/tables/nova-cells.xml:14(th) ./doc/common/tables/trove-volume.xml:14(th) ./doc/common/tables/heat-auth_token.xml:14(th) ./doc/common/tables/neutron-quotas.xml:14(th) ./doc/common/tables/nova-auth_token.xml:14(th) ./doc/common/tables/cinder-storage_nfs.xml:14(th) ./doc/common/tables/heat-api.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-tempurl.xml:13(th) ./doc/common/tables/heat-clients_ceilometer.xml:14(th) ./doc/common/tables/neutron-ryu.xml:14(th) ./doc/common/tables/glance-logging.xml:14(th) ./doc/common/tables/swift-rsyncd-account.xml:13(th) ./doc/common/tables/neutron-metering_agent.xml:14(th) ./doc/common/tables/neutron-zeromq.xml:14(th) ./doc/common/tables/cinder-storage_glusterfs.xml:14(th) ./doc/common/tables/cinder-common.xml:14(th) ./doc/common/tables/glance-swift.xml:14(th) ./doc/common/tables/trove-quota.xml:14(th) ./doc/common/tables/cinder-auth_token.xml:14(th) ./doc/common/tables/ceilometer-alarm.xml:14(th) ./doc/common/tables/ceilometer-events.xml:14(th) ./doc/common/tables/cinder-xiv.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-name_check.xml:13(th) ./doc/common/tables/neutron-ml2_bigswitch.xml:14(th) ./doc/common/tables/nova-glance.xml:14(th) ./doc/common/tables/keystone-auth_token.xml:14(th) ./doc/common/tables/nova-s3.xml:14(th) ./doc/common/tables/nova-pci.xml:14(th) ./doc/common/tables/swift-account-server-filter-recon.xml:13(th) ./doc/common/tables/heat-clients_cinder.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-ratelimit.xml:13(th) ./doc/common/tables/keystone-revoke.xml:14(th) ./doc/common/tables/cinder-api.xml:14(th) ./doc/common/tables/trove-db_couchbase.xml:14(th) ./doc/common/tables/heat-clients_trove.xml:14(th) ./doc/common/tables/swift-account-server-account-replicator.xml:13(th) ./doc/common/tables/neutron-plumgrid.xml:14(th) 
./doc/common/tables/trove-heat.xml:14(th) ./doc/common/tables/glance-sheepdog.xml:14(th) ./doc/common/tables/swift-container-sync-realms-DEFAULT.xml:13(th) ./doc/common/tables/cinder-windows.xml:14(th) ./doc/common/tables/cinder-san-solaris.xml:14(th) ./doc/common/tables/neutron-nuage.xml:14(th) ./doc/common/tables/keystone-zeromq.xml:14(th) ./doc/common/tables/neutron-bigswitch.xml:14(th) ./doc/common/tables/ceilometer-rpc.xml:14(th) ./doc/common/tables/swift-container-server-container-updater.xml:13(th) ./doc/common/tables/trove-db_mongodb.xml:14(th) ./doc/common/tables/swift-object-server-object-replicator.xml:13(th) ./doc/common/tables/glance-filesystem.xml:14(th) ./doc/common/tables/trove-rpc.xml:14(th) ./doc/common/tables/ceilometer-swift.xml:14(th) ./doc/common/tables/trove-backup.xml:14(th) ./doc/common/tables/nova-network.xml:14(th) ./doc/common/tables/glance-redis.xml:14(th) ./doc/common/tables/keystone-ssl.xml:14(th) ./doc/common/tables/nova-ca.xml:14(th) ./doc/common/tables/neutron-dhcp_agent.xml:14(th) ./doc/common/tables/ceilometer-collector.xml:14(th) ./doc/common/tables/cinder-hds-hus.xml:14(th) ./doc/common/tables/cinder-netapp_7mode_iscsi.xml:14(th) ./doc/common/tables/swift-swift-swift-hash.xml:13(th) ./doc/common/tables/neutron-ml2_gre.xml:14(th) ./doc/common/tables/neutron-varmour.xml:14(th) ./doc/common/tables/heat-debug.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-dlo.xml:13(th) ./doc/common/tables/nova-kombu.xml:14(th) ./doc/common/tables/trove-guestagent.xml:14(th) ./doc/common/tables/nova-qpid.xml:14(th) ./doc/common/tables/glance-qpid.xml:14(th) ./doc/common/tables/neutron-ml2_l2pop.xml:14(th) ./doc/common/tables/glance-amqp.xml:14(th) ./doc/common/tables/glance-zmq.xml:14(th) ./doc/common/tables/neutron-embrane_lb.xml:14(th) ./doc/common/tables/swift-object-expirer-DEFAULT.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-authtoken.xml:13(th) ./doc/common/tables/neutron-testing.xml:14(th) 
./doc/common/tables/swift-object-server-pipeline-main.xml:13(th) ./doc/common/tables/swift-memcache-memcache.xml:13(th) ./doc/common/tables/swift-account-server-app-account-server.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-formpost.xml:13(th) ./doc/common/tables/trove-compute.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-proxy-logging.xml:13(th) ./doc/common/tables/swift-object-expirer-filter-cache.xml:13(th) ./doc/common/tables/trove-db_redis.xml:14(th) ./doc/common/tables/cinder-rpc.xml:14(th) ./doc/common/tables/swift-container-sync-realms-realm2.xml:13(th) ./doc/common/tables/cinder-hpmsa.xml:14(th) ./doc/common/tables/nova-apiv3.xml:14(th) ./doc/common/tables/keystone-oauth.xml:14(th) ./doc/common/tables/cinder-storage_gpfs.xml:14(th) ./doc/common/tables/neutron-ml2_vlan.xml:14(th) ./doc/common/tables/keystone-notification.xml:14(th) ./doc/common/tables/swift-object-server-object-auditor.xml:13(th) ./doc/common/tables/trove-zeromq.xml:14(th) ./doc/common/tables/neutron-lbaas.xml:14(th) ./doc/common/tables/cinder-backups_swift.xml:14(th) ./doc/common/tables/trove-database.xml:14(th) ./doc/common/tables/swift-container-server-app-container-server.xml:13(th) ./doc/common/tables/nova-authentication.xml:14(th) ./doc/common/tables/neutron-nvsd.xml:14(th) ./doc/common/tables/swift-account-server-pipeline-main.xml:13(th) ./doc/common/tables/glance-gridfs.xml:14(th) ./doc/common/tables/neutron-notifier.xml:14(th) ./doc/common/tables/nova-rpc_all.xml:14(th) ./doc/common/tables/neutron-hyperv_agent.xml:14(th) ./doc/common/tables/keystone-federation.xml:14(th) ./doc/common/tables/nova-scheduling.xml:14(th) ./doc/common/tables/cinder-ssl.xml:14(th) ./doc/common/tables/trove-ssl.xml:14(th) ./doc/common/tables/cinder-eqlx.xml:14(th) ./doc/common/tables/heat-redis.xml:14(th) ./doc/common/tables/nova-ec2.xml:14(th) ./doc/common/tables/keystone-credential.xml:14(th) ./doc/common/tables/cinder-block-device.xml:14(th) 
./doc/common/tables/neutron-metadata.xml:14(th) ./doc/common/tables/nova-fping.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-staticweb.xml:13(th) ./doc/common/tables/swift-container-server-container-replicator.xml:13(th) ./doc/common/tables/neutron-ml2_ncs.xml:14(th) ./doc/common/tables/neutron-ml2_arista.xml:14(th) ./doc/common/tables/nova-trustedcomputing.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-bulk.xml:13(th) ./doc/common/tables/swift-object-expirer-app-proxy-server.xml:13(th) ./doc/common/tables/neutron-compute.xml:14(th) ./doc/common/tables/glance-imagecache.xml:14(th) ./doc/common/tables/neutron-ml2_brocade.xml:14(th) ./doc/common/tables/swift-account-server-account-auditor.xml:13(th) ./doc/common/tables/cinder-nas.xml:14(th) ./doc/common/tables/cinder-netapp_cdot_nfs.xml:14(th) ./doc/common/tables/heat-clients_swift.xml:14(th) ./doc/common/tables/keystone-logging.xml:14(th) ./doc/common/tables/neutron-brocade.xml:14(th) ./doc/common/tables/neutron-ml2_odl.xml:14(th) ./doc/common/tables/swift-object-server-filter-recon.xml:13(th) ./doc/common/tables/cinder-connection.xml:14(th) ./doc/common/tables/heat-rpc.xml:14(th) ./doc/common/tables/trove-taskmanager.xml:14(th) ./doc/common/tables/heat-cloudwatch_api.xml:14(th) ./doc/common/tables/cinder-images.xml:14(th) ./doc/common/tables/cinder-huawei.xml:14(th) ./doc/common/tables/nova-console.xml:14(th) ./doc/common/tables/neutron-fwaas.xml:14(th) ./doc/common/tables/cinder-nexenta_nfs.xml:14(th) ./doc/common/tables/nova-quota.xml:14(th) ./doc/common/tables/heat-logging.xml:14(th) ./doc/common/tables/trove-redis.xml:14(th) ./doc/common/tables/keystone-stats.xml:14(th) ./doc/common/tables/heat-crypt.xml:14(th) ./doc/common/tables/neutron-ssl.xml:14(th) ./doc/common/tables/neutron-midonet.xml:14(th) ./doc/common/tables/cinder-coraid.xml:14(th) ./doc/common/tables/neutron-wsgi.xml:14(th) ./doc/common/tables/cinder-compute.xml:14(th) ./doc/common/tables/swift-rsyncd-object.xml:13(th) 
./doc/common/tables/glance-wsgi.xml:14(th) ./doc/common/tables/swift-drive-audit-drive-audit.xml:13(th) ./doc/common/tables/nova-baremetal.xml:14(th) ./doc/common/tables/neutron-qpid.xml:14(th) ./doc/common/tables/nova-rpc.xml:14(th) ./doc/common/tables/cinder-backups_tsm.xml:14(th) ./doc/common/tables/cinder-san.xml:14(th) ./doc/common/tables/nova-logging.xml:14(th) ./doc/common/tables/neutron-nec.xml:14(th) ./doc/common/tables/keystone-security.xml:14(th) ./doc/common/tables/heat-clients_neutron.xml:14(th) ./doc/common/tables/nova-api.xml:14(th) ./doc/common/tables/neutron-ml2_mlnx.xml:14(th) ./doc/common/tables/trove-auth_token.xml:14(th) ./doc/common/tables/keystone-trust.xml:14(th) ./doc/common/tables/glance-cinder.xml:14(th) ./doc/common/tables/swift-object-server-object-updater.xml:13(th) ./doc/common/tables/glance-common.xml:14(th) ./doc/common/tables/neutron-ml2_vxlan.xml:14(th) ./doc/common/tables/swift-dispersion-dispersion.xml:13(th) ./doc/common/tables/swift-account-server-DEFAULT.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-domain_remap.xml:13(th) ./doc/common/tables/trove-nova.xml:14(th) ./doc/common/tables/neutron-meta.xml:14(th) ./doc/common/tables/neutron-rabbitmq.xml:14(th) ./doc/common/tables/keystone-ec2.xml:14(th) ./doc/common/tables/heat-clients_keystone.xml:14(th) ./doc/common/tables/neutron-api.xml:14(th) ./doc/common/tables/trove-logging.xml:14(th) ./doc/common/tables/glance-db.xml:14(th) ./doc/common/tables/keystone-kvs.xml:14(th) ./doc/common/tables/keystone-redis.xml:14(th) ./doc/common/tables/nova-xvpnvncproxy.xml:14(th) ./doc/common/tables/glance-paste.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-list-endpoints.xml:13(th) ./doc/common/tables/swift-account-server-account-reaper.xml:13(th) ./doc/common/tables/nova-hyperv.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-container_sync.xml:13(th) ./doc/common/tables/heat-clients_backends.xml:14(th) ./doc/common/tables/glance-testing.xml:14(th) 
./doc/common/tables/neutron-common.xml:14(th) ./doc/common/tables/nova-hypervisor.xml:14(th) ./doc/common/tables/keystone-qpid.xml:14(th) ./doc/common/tables/swift-container-sync-realms-realm1.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-wsgi.xml:14(th) ./doc/common/tables/keystone-cache.xml:14(th) ./doc/common/tables/nova-configdrive.xml:14(th) ./doc/common/tables/keystone-token.xml:14(th) ./doc/common/tables/ceilometer-ssl.xml:14(th) ./doc/common/tables/ceilometer-qpid.xml:14(th) ./doc/common/tables/heat-database.xml:14(th) ./doc/common/tables/ceilometer-rabbitmq.xml:14(th) ./doc/common/tables/neutron-ml2.xml:14(th) ./doc/common/tables/neutron-db.xml:14(th) ./doc/common/tables/keystone-database.xml:14(th) ./doc/common/tables/keystone-memcache.xml:14(th) ./doc/common/tables/trove-debug.xml:14(th) ./doc/common/tables/trove-swift.xml:14(th) ./doc/common/tables/nova-tilera.xml:14(th) ./doc/common/tables/nova-libvirt.xml:14(th) ./doc/common/tables/neutron-mlnx.xml:14(th) ./doc/common/tables/cinder-zoning_manager.xml:14(th) ./doc/common/tables/ceilometer-amqp.xml:14(th) ./doc/common/tables/glance-ssl.xml:14(th) ./doc/common/tables/neutron-securitygroups.xml:14(th) ./doc/common/tables/keystone-debug.xml:14(th) ./doc/common/tables/cinder-rootwrap.xml:14(th) ./doc/common/tables/cinder-nexenta_iscsi.xml:14(th) +#: ./doc/common/section_cli_nova_quotas.xml:20(th) ./doc/common/section_cli_nova_customize_flavors.xml:51(td) ./doc/common/section_cli_overview.xml:43(th) ./doc/common/section_cli_install.xml:30(th) ./doc/common/ch_getstart.xml:31(th) ./doc/common/tables/ceilometer-database.xml:14(th) ./doc/common/tables/neutron-openvswitch_agent.xml:14(th) ./doc/common/tables/heat-clients.xml:14(th) ./doc/common/tables/cinder-solidfire.xml:14(th) ./doc/common/tables/neutron-rpc.xml:14(th) ./doc/common/tables/trove-db_percona.xml:14(th) ./doc/common/tables/nova-periodic.xml:14(th) 
./doc/common/tables/keystone-auth.xml:14(th) ./doc/common/tables/keystone-policy.xml:14(th) ./doc/common/tables/glance-auth_token.xml:14(th) ./doc/common/tables/cinder-netapp_7mode_nfs.xml:14(th) ./doc/common/tables/swift-container-server-container-sync.xml:13(th) ./doc/common/tables/swift-proxy-server-DEFAULT.xml:13(th) ./doc/common/tables/cinder-zoning_fabric.xml:14(th) ./doc/common/tables/ceilometer-redis.xml:14(th) ./doc/common/tables/cinder-storage_ceph.xml:14(th) ./doc/common/tables/ceilometer-vmware.xml:14(th) ./doc/common/tables/neutron-cisco.xml:14(th) ./doc/common/tables/nova-testing.xml:14(th) ./doc/common/tables/nova-metadata.xml:14(th) ./doc/common/tables/heat-clients_nova.xml:14(th) ./doc/common/tables/cinder-hp3par.xml:14(th) ./doc/common/tables/keystone-misc.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-cname_lookup.xml:13(th) ./doc/common/tables/neutron-scheduler.xml:14(th) ./doc/common/tables/glance-rbd.xml:14(th) ./doc/common/tables/cinder-storage_xen.xml:14(th) ./doc/common/tables/ceilometer-common.xml:14(th) ./doc/common/tables/cinder-database.xml:14(th) ./doc/common/tables/ceilometer-logging.xml:14(th) ./doc/common/tables/heat-common.xml:14(th) ./doc/common/tables/nova-ipv6.xml:14(th) ./doc/common/tables/nova-vnc.xml:14(th) ./doc/common/tables/cinder-netapp_cdot_extraspecs.xml:13(th) ./doc/common/tables/trove-qpid.xml:14(th) ./doc/common/tables/keystone-api.xml:14(th) ./doc/common/tables/swift-object-expirer-pipeline-main.xml:13(th) ./doc/common/tables/swift-container-server-container-auditor.xml:13(th) ./doc/common/tables/glance-rpc.xml:14(th) ./doc/common/tables/neutron-policy.xml:14(th) ./doc/common/tables/nova-spice.xml:14(th) ./doc/common/tables/heat-clients_heat.xml:14(th) ./doc/common/tables/nova-xen.xml:14(th) ./doc/common/tables/trove-amqp.xml:14(th) ./doc/common/tables/glance-matchmaker.xml:14(th) ./doc/common/tables/nova-rabbitmq.xml:14(th) ./doc/common/tables/neutron-ml2_cisco.xml:14(th) 
./doc/common/tables/nova-policy.xml:14(th) ./doc/common/tables/keystone-identity.xml:14(th) ./doc/common/tables/ceilometer-inspector.xml:14(th) ./doc/common/tables/cinder-scheduler.xml:14(th) ./doc/common/tables/trove-db_cassandra.xml:14(th) ./doc/common/tables/neutron-logging.xml:14(th) ./doc/common/tables/nova-availabilityzones.xml:14(th) ./doc/common/tables/keystone-catalog.xml:14(th) ./doc/common/tables/cinder-netapp_eseries_iscsi.xml:14(th) ./doc/common/tables/neutron-rootwrap.xml:14(th) ./doc/common/tables/cinder-auth.xml:14(th) ./doc/common/tables/swift-swift-swift-constraints.xml:13(th) ./doc/common/tables/heat-qpid.xml:14(th) ./doc/common/tables/swift-object-expirer-filter-catch_errors.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-slo.xml:13(th) ./doc/common/tables/nova-zookeeper.xml:14(th) ./doc/common/tables/nova-keymgr.xml:14(th) ./doc/common/tables/neutron-auth_token.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-cache.xml:13(th) ./doc/common/tables/nova-ldap.xml:14(th) ./doc/common/tables/swift-container-server-filter-recon.xml:13(th) ./doc/common/tables/swift-proxy-server-pipeline-main.xml:13(th) ./doc/common/tables/ceilometer-auth.xml:14(th) ./doc/common/tables/cinder-quota.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-account-quotas.xml:13(th) ./doc/common/tables/keystone-os_inherit.xml:14(th) ./doc/common/tables/neutron-sdnve.xml:14(th) ./doc/common/tables/nova-compute.xml:14(th) ./doc/common/tables/keystone-rabbit.xml:14(th) ./doc/common/tables/cinder-backups_ceph.xml:14(th) ./doc/common/tables/nova-vmware.xml:14(th) ./doc/common/tables/heat-cfn_api.xml:14(th) ./doc/common/tables/neutron-vmware.xml:14(th) ./doc/common/tables/nova-rdp.xml:14(th) ./doc/common/tables/keystone-assignment.xml:14(th) ./doc/common/tables/nova-zeromq.xml:14(th) ./doc/common/tables/cinder-storage.xml:14(th) ./doc/common/tables/glance-registry.xml:14(th) ./doc/common/tables/neutron-embrane.xml:14(th) ./doc/common/tables/heat-quota.xml:14(th) 
./doc/common/tables/swift-account-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-common.xml:14(th) ./doc/common/tables/swift-proxy-server-app-proxy-server.xml:13(th) ./doc/common/tables/nova-volumes.xml:14(th) ./doc/common/tables/neutron-redis.xml:14(th) ./doc/common/tables/trove-db_mysql.xml:14(th) ./doc/common/tables/heat-zeromq.xml:14(th) ./doc/common/tables/heat-amqp.xml:14(th) ./doc/common/tables/neutron-linuxbridge_agent.xml:14(th) ./doc/common/tables/nova-redis.xml:14(th) ./doc/common/tables/swift-container-server-DEFAULT.xml:13(th) ./doc/common/tables/nova-db.xml:14(th) ./doc/common/tables/glance-rabbitmq.xml:14(th) ./doc/common/tables/neutron-l3_agent.xml:14(th) ./doc/common/tables/swift-container-server-pipeline-main.xml:13(th) ./doc/common/tables/glance-policy.xml:14(th) ./doc/common/tables/nova-neutron.xml:14(th) ./doc/common/tables/cinder-backups.xml:14(th) ./doc/common/tables/cinder-keymgr.xml:14(th) ./doc/common/tables/ceilometer-cells.xml:14(th) ./doc/common/tables/keystone-ldap.xml:14(th) ./doc/common/tables/glance-vmware.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-container-quotas.xml:13(th) ./doc/common/tables/cinder-zoning.xml:14(th) ./doc/common/tables/heat-notification.xml:14(th) ./doc/common/tables/swift-container-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-vpn.xml:14(th) ./doc/common/tables/neutron-vpn.xml:14(th) ./doc/common/tables/swift-object-expirer-object-expirer.xml:13(th) ./doc/common/tables/trove-common.xml:14(th) ./doc/common/tables/trove-api.xml:14(th) ./doc/common/tables/cinder-zadara.xml:14(th) ./doc/common/tables/swift-object-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-conductor.xml:14(th) ./doc/common/tables/swift-object-server-app-object-server.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-catch_errors.xml:13(th) ./doc/common/tables/nova-livemigration.xml:14(th) ./doc/common/tables/heat-rabbitmq.xml:14(th) 
./doc/common/tables/swift-proxy-server-filter-keystoneauth.xml:13(th) ./doc/common/tables/neutron-cadf.xml:14(th) ./doc/common/tables/keystone-amqp.xml:14(th) ./doc/common/tables/keystone-rpc.xml:14(th) ./doc/common/tables/swift-object-server-DEFAULT.xml:13(th) ./doc/common/tables/cinder-zones.xml:14(th) ./doc/common/tables/cinder-scality.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-tempauth.xml:13(th) ./doc/common/tables/neutron-agent.xml:14(th) ./doc/common/tables/cinder-emc.xml:14(th) ./doc/common/tables/cinder-vmware.xml:14(th) ./doc/common/tables/neutron-ml2_flat.xml:14(th) ./doc/common/tables/heat-metadata_api.xml:14(th) ./doc/common/tables/trove-rabbitmq.xml:14(th) ./doc/common/tables/nova-upgrade_levels.xml:14(th) ./doc/common/tables/neutron-kombu.xml:14(th) ./doc/common/tables/cinder-netapp_cdot_iscsi.xml:14(th) ./doc/common/tables/neutron-ml2_ofa.xml:14(th) ./doc/common/tables/glance-api.xml:14(th) ./doc/common/tables/heat-waitcondition_api.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-gatekeeper.xml:13(th) ./doc/common/tables/swift-rsyncd-container.xml:13(th) ./doc/common/tables/cinder-storwize.xml:14(th) ./doc/common/tables/cinder-hplefthand.xml:14(th) ./doc/common/tables/glance-s3.xml:14(th) ./doc/common/tables/nova-rootwrap.xml:14(th) ./doc/common/tables/heat-loadbalancer.xml:14(th) ./doc/common/tables/ceilometer-api.xml:14(th) ./doc/common/tables/ceilometer-exchange.xml:14(th) ./doc/common/tables/cinder-lvm.xml:14(th) ./doc/common/tables/trove-dns.xml:14(th) ./doc/common/tables/nova-cells.xml:14(th) ./doc/common/tables/trove-volume.xml:14(th) ./doc/common/tables/heat-auth_token.xml:14(th) ./doc/common/tables/neutron-quotas.xml:14(th) ./doc/common/tables/nova-auth_token.xml:14(th) ./doc/common/tables/cinder-storage_nfs.xml:14(th) ./doc/common/tables/heat-api.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-tempurl.xml:13(th) ./doc/common/tables/heat-clients_ceilometer.xml:14(th) ./doc/common/tables/neutron-ryu.xml:14(th) 
./doc/common/tables/glance-logging.xml:14(th) ./doc/common/tables/swift-rsyncd-account.xml:13(th) ./doc/common/tables/neutron-metering_agent.xml:14(th) ./doc/common/tables/neutron-zeromq.xml:14(th) ./doc/common/tables/cinder-storage_glusterfs.xml:14(th) ./doc/common/tables/cinder-common.xml:14(th) ./doc/common/tables/glance-swift.xml:14(th) ./doc/common/tables/trove-quota.xml:14(th) ./doc/common/tables/cinder-auth_token.xml:14(th) ./doc/common/tables/ceilometer-alarm.xml:14(th) ./doc/common/tables/ceilometer-events.xml:14(th) ./doc/common/tables/cinder-xiv.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-name_check.xml:13(th) ./doc/common/tables/neutron-ml2_bigswitch.xml:14(th) ./doc/common/tables/nova-glance.xml:14(th) ./doc/common/tables/keystone-auth_token.xml:14(th) ./doc/common/tables/nova-s3.xml:14(th) ./doc/common/tables/nova-pci.xml:14(th) ./doc/common/tables/swift-account-server-filter-recon.xml:13(th) ./doc/common/tables/heat-clients_cinder.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-ratelimit.xml:13(th) ./doc/common/tables/keystone-revoke.xml:14(th) ./doc/common/tables/cinder-api.xml:14(th) ./doc/common/tables/trove-db_couchbase.xml:14(th) ./doc/common/tables/heat-clients_trove.xml:14(th) ./doc/common/tables/swift-account-server-account-replicator.xml:13(th) ./doc/common/tables/neutron-plumgrid.xml:14(th) ./doc/common/tables/trove-heat.xml:14(th) ./doc/common/tables/glance-sheepdog.xml:14(th) ./doc/common/tables/swift-container-sync-realms-DEFAULT.xml:13(th) ./doc/common/tables/cinder-windows.xml:14(th) ./doc/common/tables/cinder-san-solaris.xml:14(th) ./doc/common/tables/neutron-nuage.xml:14(th) ./doc/common/tables/keystone-zeromq.xml:14(th) ./doc/common/tables/neutron-bigswitch.xml:14(th) ./doc/common/tables/ceilometer-rpc.xml:14(th) ./doc/common/tables/swift-container-server-container-updater.xml:13(th) ./doc/common/tables/trove-db_mongodb.xml:14(th) ./doc/common/tables/swift-object-server-object-replicator.xml:13(th) 
./doc/common/tables/glance-filesystem.xml:14(th) ./doc/common/tables/trove-rpc.xml:14(th) ./doc/common/tables/ceilometer-swift.xml:14(th) ./doc/common/tables/trove-backup.xml:14(th) ./doc/common/tables/nova-network.xml:14(th) ./doc/common/tables/glance-redis.xml:14(th) ./doc/common/tables/keystone-ssl.xml:14(th) ./doc/common/tables/nova-ca.xml:14(th) ./doc/common/tables/neutron-dhcp_agent.xml:14(th) ./doc/common/tables/ceilometer-collector.xml:14(th) ./doc/common/tables/cinder-hds-hus.xml:14(th) ./doc/common/tables/cinder-netapp_7mode_iscsi.xml:14(th) ./doc/common/tables/swift-swift-swift-hash.xml:13(th) ./doc/common/tables/neutron-ml2_gre.xml:14(th) ./doc/common/tables/neutron-varmour.xml:14(th) ./doc/common/tables/heat-debug.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-dlo.xml:13(th) ./doc/common/tables/nova-kombu.xml:14(th) ./doc/common/tables/trove-guestagent.xml:14(th) ./doc/common/tables/nova-qpid.xml:14(th) ./doc/common/tables/glance-qpid.xml:14(th) ./doc/common/tables/neutron-ml2_l2pop.xml:14(th) ./doc/common/tables/glance-amqp.xml:14(th) ./doc/common/tables/glance-zmq.xml:14(th) ./doc/common/tables/neutron-embrane_lb.xml:14(th) ./doc/common/tables/swift-object-expirer-DEFAULT.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-authtoken.xml:13(th) ./doc/common/tables/neutron-testing.xml:14(th) ./doc/common/tables/swift-object-server-pipeline-main.xml:13(th) ./doc/common/tables/swift-memcache-memcache.xml:13(th) ./doc/common/tables/swift-account-server-app-account-server.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-formpost.xml:13(th) ./doc/common/tables/trove-compute.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-proxy-logging.xml:13(th) ./doc/common/tables/swift-object-expirer-filter-cache.xml:13(th) ./doc/common/tables/trove-db_redis.xml:14(th) ./doc/common/tables/cinder-rpc.xml:14(th) ./doc/common/tables/swift-container-sync-realms-realm2.xml:13(th) ./doc/common/tables/cinder-hpmsa.xml:14(th) 
./doc/common/tables/nova-apiv3.xml:14(th) ./doc/common/tables/keystone-oauth.xml:14(th) ./doc/common/tables/cinder-storage_gpfs.xml:14(th) ./doc/common/tables/neutron-ml2_vlan.xml:14(th) ./doc/common/tables/keystone-notification.xml:14(th) ./doc/common/tables/swift-object-server-object-auditor.xml:13(th) ./doc/common/tables/trove-zeromq.xml:14(th) ./doc/common/tables/neutron-lbaas.xml:14(th) ./doc/common/tables/cinder-backups_swift.xml:14(th) ./doc/common/tables/trove-database.xml:14(th) ./doc/common/tables/swift-container-server-app-container-server.xml:13(th) ./doc/common/tables/nova-authentication.xml:14(th) ./doc/common/tables/neutron-nvsd.xml:14(th) ./doc/common/tables/swift-account-server-pipeline-main.xml:13(th) ./doc/common/tables/glance-gridfs.xml:14(th) ./doc/common/tables/neutron-notifier.xml:14(th) ./doc/common/tables/nova-rpc_all.xml:14(th) ./doc/common/tables/neutron-hyperv_agent.xml:14(th) ./doc/common/tables/keystone-federation.xml:14(th) ./doc/common/tables/nova-scheduling.xml:14(th) ./doc/common/tables/cinder-ssl.xml:14(th) ./doc/common/tables/trove-ssl.xml:14(th) ./doc/common/tables/cinder-eqlx.xml:14(th) ./doc/common/tables/heat-redis.xml:14(th) ./doc/common/tables/nova-ec2.xml:14(th) ./doc/common/tables/keystone-credential.xml:14(th) ./doc/common/tables/cinder-block-device.xml:14(th) ./doc/common/tables/neutron-metadata.xml:14(th) ./doc/common/tables/nova-fping.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-staticweb.xml:13(th) ./doc/common/tables/swift-container-server-container-replicator.xml:13(th) ./doc/common/tables/neutron-ml2_ncs.xml:14(th) ./doc/common/tables/neutron-ml2_arista.xml:14(th) ./doc/common/tables/nova-trustedcomputing.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-bulk.xml:13(th) ./doc/common/tables/swift-object-expirer-app-proxy-server.xml:13(th) ./doc/common/tables/neutron-compute.xml:14(th) ./doc/common/tables/glance-imagecache.xml:14(th) ./doc/common/tables/neutron-ml2_brocade.xml:14(th) 
./doc/common/tables/swift-account-server-account-auditor.xml:13(th) ./doc/common/tables/cinder-nas.xml:14(th) ./doc/common/tables/cinder-netapp_cdot_nfs.xml:14(th) ./doc/common/tables/heat-clients_swift.xml:14(th) ./doc/common/tables/keystone-logging.xml:14(th) ./doc/common/tables/neutron-brocade.xml:14(th) ./doc/common/tables/neutron-ml2_odl.xml:14(th) ./doc/common/tables/swift-object-server-filter-recon.xml:13(th) ./doc/common/tables/cinder-connection.xml:14(th) ./doc/common/tables/heat-rpc.xml:14(th) ./doc/common/tables/trove-taskmanager.xml:14(th) ./doc/common/tables/heat-cloudwatch_api.xml:14(th) ./doc/common/tables/cinder-images.xml:14(th) ./doc/common/tables/cinder-huawei.xml:14(th) ./doc/common/tables/nova-console.xml:14(th) ./doc/common/tables/neutron-fwaas.xml:14(th) ./doc/common/tables/cinder-nexenta_nfs.xml:14(th) ./doc/common/tables/nova-quota.xml:14(th) ./doc/common/tables/heat-logging.xml:14(th) ./doc/common/tables/trove-redis.xml:14(th) ./doc/common/tables/keystone-stats.xml:14(th) ./doc/common/tables/heat-crypt.xml:14(th) ./doc/common/tables/neutron-ssl.xml:14(th) ./doc/common/tables/neutron-midonet.xml:14(th) ./doc/common/tables/cinder-coraid.xml:14(th) ./doc/common/tables/neutron-wsgi.xml:14(th) ./doc/common/tables/cinder-compute.xml:14(th) ./doc/common/tables/swift-rsyncd-object.xml:13(th) ./doc/common/tables/glance-wsgi.xml:14(th) ./doc/common/tables/swift-drive-audit-drive-audit.xml:13(th) ./doc/common/tables/nova-baremetal.xml:14(th) ./doc/common/tables/neutron-qpid.xml:14(th) ./doc/common/tables/nova-rpc.xml:14(th) ./doc/common/tables/cinder-backups_tsm.xml:14(th) ./doc/common/tables/cinder-san.xml:14(th) ./doc/common/tables/nova-logging.xml:14(th) ./doc/common/tables/neutron-nec.xml:14(th) ./doc/common/tables/keystone-security.xml:14(th) ./doc/common/tables/heat-clients_neutron.xml:14(th) ./doc/common/tables/nova-api.xml:14(th) ./doc/common/tables/neutron-ml2_mlnx.xml:14(th) ./doc/common/tables/trove-auth_token.xml:14(th) 
./doc/common/tables/keystone-trust.xml:14(th) ./doc/common/tables/glance-cinder.xml:14(th) ./doc/common/tables/swift-object-server-object-updater.xml:13(th) ./doc/common/tables/glance-common.xml:14(th) ./doc/common/tables/neutron-ml2_vxlan.xml:14(th) ./doc/common/tables/swift-dispersion-dispersion.xml:13(th) ./doc/common/tables/swift-account-server-DEFAULT.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-domain_remap.xml:13(th) ./doc/common/tables/trove-nova.xml:14(th) ./doc/common/tables/neutron-meta.xml:14(th) ./doc/common/tables/neutron-rabbitmq.xml:14(th) ./doc/common/tables/keystone-ec2.xml:14(th) ./doc/common/tables/heat-clients_keystone.xml:14(th) ./doc/common/tables/neutron-api.xml:14(th) ./doc/common/tables/trove-logging.xml:14(th) ./doc/common/tables/glance-db.xml:14(th) ./doc/common/tables/keystone-kvs.xml:14(th) ./doc/common/tables/keystone-redis.xml:14(th) ./doc/common/tables/nova-xvpnvncproxy.xml:14(th) ./doc/common/tables/glance-paste.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-list-endpoints.xml:13(th) ./doc/common/tables/swift-account-server-account-reaper.xml:13(th) ./doc/common/tables/nova-hyperv.xml:14(th) ./doc/common/tables/swift-proxy-server-filter-container_sync.xml:13(th) ./doc/common/tables/heat-clients_backends.xml:14(th) ./doc/common/tables/glance-testing.xml:14(th) ./doc/common/tables/neutron-common.xml:14(th) ./doc/common/tables/nova-hypervisor.xml:14(th) ./doc/common/tables/keystone-qpid.xml:14(th) ./doc/common/tables/swift-container-sync-realms-realm1.xml:13(th) ./doc/common/tables/swift-proxy-server-filter-healthcheck.xml:13(th) ./doc/common/tables/nova-wsgi.xml:14(th) ./doc/common/tables/keystone-cache.xml:14(th) ./doc/common/tables/nova-configdrive.xml:14(th) ./doc/common/tables/keystone-token.xml:14(th) ./doc/common/tables/ceilometer-ssl.xml:14(th) ./doc/common/tables/ceilometer-qpid.xml:14(th) ./doc/common/tables/heat-database.xml:14(th) ./doc/common/tables/ceilometer-rabbitmq.xml:14(th) 
./doc/common/tables/neutron-ml2.xml:14(th) ./doc/common/tables/neutron-db.xml:14(th) ./doc/common/tables/keystone-database.xml:14(th) ./doc/common/tables/keystone-memcache.xml:14(th) ./doc/common/tables/trove-debug.xml:14(th) ./doc/common/tables/trove-swift.xml:14(th) ./doc/common/tables/nova-tilera.xml:14(th) ./doc/common/tables/nova-libvirt.xml:14(th) ./doc/common/tables/neutron-mlnx.xml:14(th) ./doc/common/tables/cinder-zoning_manager.xml:14(th) ./doc/common/tables/ceilometer-amqp.xml:14(th) ./doc/common/tables/glance-ssl.xml:14(th) ./doc/common/tables/neutron-securitygroups.xml:14(th) ./doc/common/tables/keystone-debug.xml:14(th) ./doc/common/tables/cinder-rootwrap.xml:14(th) ./doc/common/tables/cinder-nexenta_iscsi.xml:14(th) msgid "Description" msgstr "" @@ -6037,7 +6037,7 @@ msgstr "" msgid "Specify the connection information for your attestation service by adding the following lines to the trusted_computing section in the /etc/nova/nova.conf file:" msgstr "" -#: ./doc/common/section_trusted-compute-pools.xml:78(para) ./doc/common/section_cli_nova_customize_flavors.xml:260(para) ./doc/common/section_keystone_config_ldap-hardening.xml:83(para) +#: ./doc/common/section_trusted-compute-pools.xml:78(para) ./doc/common/section_cli_nova_customize_flavors.xml:314(para) ./doc/common/section_keystone_config_ldap-hardening.xml:83(para) msgid "Where:" msgstr "" 
@@ -9355,303 +9355,303 @@ msgstr "" msgid "A persistent error state may prevent the deletion of an object or container. If this happens, you will see a message such as “Account <name> has not been reaped since <date>” in the log. You can control when this is logged with the reap_warn_after value in the [account-reaper] section of the account-server.conf file. The default value is 30 days." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:7(title) ./doc/common/section_dashboard_access.xml:304(guilabel) +#: ./doc/common/section_cli_nova_customize_flavors.xml:10(title) ./doc/common/section_dashboard_access.xml:304(guilabel) msgid "Flavors" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:8(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:11(para) msgid "Admin users can use the commands to customize and manage flavors. To see the available flavor-related commands, run:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:22(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:27(para) msgid "Configuration rights can be delegated to additional users by redefining the access controls for in /etc/nova/policy.json on the nova-api server." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:26(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:36(para) msgid "To modify an existing flavor in the dashboard, you must delete the flavor and create a modified one with the same name." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:31(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:42(para) msgid "Flavors define these elements:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:33(caption) +#: ./doc/common/section_cli_nova_customize_flavors.xml:44(caption) msgid "Identity Service configuration file sections" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:39(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:50(td) msgid "Element" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:45(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:56(literal) msgid "Name" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:47(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml:58(replaceable) msgid "XX" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:47(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml:58(replaceable) msgid "SIZE_NAME" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:46(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:57(td) msgid "A descriptive name. . is typically not required, though some third party tools may rely on it." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:52(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:63(literal) msgid "Memory_MB" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:53(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:64(td) msgid "Virtual machine memory in megabytes." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:56(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:67(literal) msgid "Disk" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:57(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:68(td) msgid "Virtual root disk size in gigabytes. 
This is an ephemeral disk that the base image is copied into. When booting from a persistent volume it is not used. The \"0\" size is a special case which uses the native base image size as the size of the ephemeral root volume." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:65(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:76(literal) msgid "Ephemeral" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:66(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:77(td) msgid "Specifies the size of a secondary ephemeral data disk. This is an empty, unformatted disk and exists only for the life of the instance." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:71(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:82(literal) msgid "Swap" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:72(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:83(td) msgid "Optional swap space allocation for the instance." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:76(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:87(literal) msgid "VCPUs" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:77(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:88(td) msgid "Number of virtual CPUs presented to the instance." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:81(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:92(literal) msgid "RXTX_Factor" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:82(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:93(td) msgid "Optional property allows created servers to have a different bandwidth cap than that defined in the network they are attached to. This factor is multiplied by the rxtx_base property of the network. Default value is 1.0. That is, the same as attached network." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:90(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:101(literal) msgid "Is_Public" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:91(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml:102(td) msgid "Boolean value, whether flavor is available to all users or private to the tenant it was created in. Defaults to True." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:96(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml:107(literal) msgid "extra_specs" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:97(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:108(para) msgid "Key and value pairs that define on which compute nodes a flavor can run. These pairs must match corresponding pairs on the compute nodes. Use to implement special resources, such as flavors that run on only compute nodes with GPU hardware." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:105(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:117(para) msgid "Flavor customization can be limited by the hypervisor in use. For example the libvirt driver enables quotas on CPUs available to a VM, disk tuning, bandwidth I/O, watchdog behavior, random number generator device control, and instance VIF traffic control." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:110(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml:124(term) msgid "CPU limits" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:111(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:126(para) msgid "You can configure the CPU limits with control parameters with the client. 
For example, to configure the I/O limit, use:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:115(para) -msgid "There are optional CPU control parameters for weight shares, enforcement intervals for runtime quotas, and a quota for maximum allowed bandwidth:" +#: ./doc/common/section_cli_nova_customize_flavors.xml:132(para) +msgid "Use these optional parameters to control weight shares, enforcement intervals for runtime quotas, and a quota for maximum allowed bandwidth:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:121(para) -msgid "cpu_shares specifies the proportional weighted share for the domain. If this element is omitted, the service defaults to the OS provided defaults. There is no unit for the value; it is a relative measure based on the setting of other VMs. For example, a VM configured with value 2048 gets twice as much CPU time as a VM configured with value 1024." +#: ./doc/common/section_cli_nova_customize_flavors.xml:137(para) +msgid "cpu_shares. Specifies the proportional weighted share for the domain. If this element is omitted, the service defaults to the OS provided defaults. There is no unit for the value; it is a relative measure based on the setting of other VMs. For example, a VM configured with value 2048 gets twice as much CPU time as a VM configured with value 1024." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:130(para) -msgid "cpu_period specifies the enforcement interval (unit: microseconds) for QEMU and LXC hypervisors. Within a period, each VCPU of the domain is not allowed to consume more than the quota worth of runtime. The value should be in range [1000, 1000000]. A period with value 0 means no value." +#: ./doc/common/section_cli_nova_customize_flavors.xml:148(para) +msgid "cpu_period. Specifies the enforcement interval (unit: microseconds) for QEMU and LXC hypervisors. Within a period, each VCPU of the domain is not allowed to consume more than the quota worth of runtime. 
The value should be in range [1000, 1000000]. A period with value 0 means no value." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:138(para) -msgid "cpu_quota specifies the maximum allowed bandwidth (unit: microseconds). A domain with a negative-value quota indicates that the domain has infinite bandwidth, which means that it is not bandwidth controlled. The value should be in range [1000, 18446744073709551] or less than 0. A quota with value 0 means no value. You can use this feature to ensure that all vCPUs run at the same speed. For example:" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:147(para) -msgid "In this example, the instance of m1.low_cpu can only consume a maximum of 50% CPU of a physical CPU computing capability." -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:155(term) -msgid "Disk tuning" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:156(para) -msgid "Using disk I/O quotas, you can set maximum disk write to 10 MB per second for a VM user. For example:" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:159(para) -msgid "The disk I/O options are:" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:162(para) -msgid "disk_read_bytes_sec" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:165(para) -msgid "disk_read_iops_sec" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:168(para) -msgid "disk_write_bytes_sec" +#: ./doc/common/section_cli_nova_customize_flavors.xml:158(para) +msgid "cpu_quota. Specifies the maximum allowed bandwidth (unit: microseconds). A domain with a negative-value quota indicates that the domain has infinite bandwidth, which means that it is not bandwidth controlled. The value should be in range [1000, 18446744073709551] or less than 0. A quota with value 0 means no value. You can use this feature to ensure that all vCPUs run at the same speed. 
For example:" msgstr "" #: ./doc/common/section_cli_nova_customize_flavors.xml:171(para) -msgid "disk_write_iops_sec" +msgid "In this example, the instance of m1.low_cpu can only consume a maximum of 50% CPU of a physical CPU computing capability." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:174(para) -msgid "disk_total_bytes_sec" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:177(para) -msgid "disk_total_iops_sec" -msgstr "" - -#: ./doc/common/section_cli_nova_customize_flavors.xml:180(para) -msgid "The vif I/O options are:" +#: ./doc/common/section_cli_nova_customize_flavors.xml:181(term) +msgid "Disk tuning" msgstr "" #: ./doc/common/section_cli_nova_customize_flavors.xml:183(para) +msgid "Using disk I/O quotas, you can set maximum disk write to 10 MB per second for a VM user. For example:" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:187(para) +msgid "The disk I/O options are:" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:190(para) +msgid "disk_read_bytes_sec" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:193(para) +msgid "disk_read_iops_sec" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:196(para) +msgid "disk_write_bytes_sec" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:199(para) +msgid "disk_write_iops_sec" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:202(para) +msgid "disk_total_bytes_sec" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:205(para) +msgid "disk_total_iops_sec" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:208(para) +msgid "The vif I/O options are:" +msgstr "" + +#: ./doc/common/section_cli_nova_customize_flavors.xml:211(para) msgid "vif_inbound_ average" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:186(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:214(para) msgid 
"vif_inbound_burst" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:189(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:217(para) msgid "vif_inbound_peak" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:192(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:220(para) msgid "vif_outbound_ average" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:195(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:223(para) msgid "vif_outbound_burst" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:198(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:226(para) msgid "vif_outbound_peak" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:202(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml:232(term) msgid "Bandwidth I/O" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:203(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:234(para) msgid "Incoming and outgoing traffic can be shaped independently. The bandwidth element can have at most, one inbound and at most, one outbound child element. If you leave any of these child elements out, no quality of service (QoS) is applied on that traffic direction. So, if you want to shape only the network's incoming traffic, use inbound only (and vice versa). Each element has one mandatory attribute average, which specifies the average bit rate on the interface being shaped." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:209(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:245(para) msgid "There are also two optional attributes (integer): , which specifies the maximum rate at which a bridge can send data (kilobytes/second), and , the amount of bytes that can be burst at peak speed (kilobytes). The rate is shared equally within domains connected to the network." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:214(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:252(para) msgid "The following example configures a bandwidth limit for instance network traffic:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:219(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml:259(term) msgid "Watchdog behavior" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:220(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:261(para) msgid "For the libvirt driver, you can enable and set the behavior of a virtual hardware watchdog device for each flavor. Watchdog devices keep an eye on the guest server, and carry out the configured action, if the server hangs. The watchdog uses the i6300esb device (emulating a PCI Intel 6300ESB). If hw_watchdog_action is not specified, the watchdog is disabled." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:226(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:270(para) msgid "To set the behavior, use:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:227(replaceable) ./doc/common/section_cli_nova_customize_flavors.xml:257(replaceable) ./doc/common/section_cli_nova_customize_flavors.xml:258(replaceable) ./doc/common/section_cli_nova_customize_flavors.xml:259(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml:271(replaceable) ./doc/common/section_cli_nova_customize_flavors.xml:311(replaceable) ./doc/common/section_cli_nova_customize_flavors.xml:312(replaceable) ./doc/common/section_cli_nova_customize_flavors.xml:313(replaceable) msgid "FLAVOR-NAME" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:227(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml:271(replaceable) msgid "ACTION" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:228(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:272(para) msgid 
"Valid ACTION values are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:231(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:276(para) msgid "disabled(default) The device is not attached." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:234(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:280(para) msgid "resetForcefully reset the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:238(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:284(para) msgid "poweroffForcefully power off the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:242(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:288(para) msgid "pausePause the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:245(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:292(para) msgid "noneOnly enable the watchdog; do nothing if the server hangs." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:249(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:298(para) msgid "Watchdog behavior set using a specific image's properties will override behavior set using flavors." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:254(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml:305(term) msgid "Random-number generator" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:255(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:307(para) msgid "If a random-number generator device has been added to the instance through its image properties, the device can be enabled and configured using:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:258(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml:312(replaceable) msgid "RATE-BYTES" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:259(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml:313(replaceable) msgid "RATE-PERIOD" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:263(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:317(para) msgid "RATE-BYTES(Integer) Allowed amount of bytes that the guest can read from the host's entropy per period." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:267(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:323(para) msgid "RATE-PERIOD(Integer) Duration of the read period in seconds." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:273(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml:331(term) msgid "Instance VIF traffic control" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml:274(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml:333(para) msgid "Flavors can also be assigned to particular projects. By default, a flavor is public and available to all projects. Private flavors are only accessible to those on the access list and are invisible to other projects. To create and assign a private flavor to a project, run these commands:" msgstr "" 
@@ -10388,7 +10388,7 @@ msgid "The ring builder process includes these high-level steps:" msgstr "" #: ./doc/common/section_objectstorage-ringbuilder.xml:121(para) -msgid "The utility calculates the number of partitions to assign to each device based on the weight of the device. For example, for a partition at the power of 20, the ring has 1,048,576 partitions. One thousand devices of equal weight will each want 1,048.576 partitions. The devices are sorted by the number of partitions they desire and kept in order throughout the initialization process." +msgid "The utility calculates the number of partitions to assign to each device based on the weight of the device. For example, for a partition at the power of 20, the ring has 1,048,576 partitions. One thousand devices of equal weight each want 1,048.576 partitions. The devices are sorted by the number of partitions they desire and kept in order throughout the initialization process." msgstr "" #: ./doc/common/section_objectstorage-ringbuilder.xml:131(para) 
@@ -12899,55 +12899,67 @@ msgstr "" msgid "Optional new host of user." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:4(title) +#: ./doc/common/section_dashboard-configure-https.xml:6(title) msgid "Configure the dashboard for HTTPS" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:5(para) ./doc/common/section_dashboard-configure.xml:10(para) +#: ./doc/common/section_dashboard-configure-https.xml:7(para) ./doc/common/section_dashboard-configure.xml:10(para) msgid "You can configure the dashboard for a secured HTTPS deployment. While the standard installation uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:9(para) -msgid "The following example uses the domain, \"http://openstack.example.com.\" Use a domain that fits your current setup." +#: ./doc/common/section_dashboard-configure-https.xml:12(para) +msgid "This example uses the http://openstack.example.com domain. Use a domain that fits your current setup." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:13(para) -msgid "In/etc/openstack-dashboard/local_settings.py update the following directives:" +#: ./doc/common/section_dashboard-configure-https.xml:16(para) +msgid "In the /etc/openstack-dashboard/local_settings.py file, update the following options:" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:19(para) -msgid "The first option is required to enable HTTPS. The other recommended settings defend against cross-site scripting and require HTTPS." +#: ./doc/common/section_dashboard-configure-https.xml:23(para) +msgid "To enable HTTPS, the USE_SSL = True option is required." 
msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:24(para) -msgid "Edit /etc/apache2/ports.conf and add the following line:" +#: ./doc/common/section_dashboard-configure-https.xml:25(para) +msgid "The other options require that HTTPS is enabled; these options defend against cross-site scripting." msgstr "" #: ./doc/common/section_dashboard-configure-https.xml:30(para) -msgid "Edit /etc/apache2/conf.d/openstack-dashboard.conf:" +msgid "Edit the /etc/apache2/ports.conf file and add the following line:" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:33(para) -msgid "Before:" +#: ./doc/common/section_dashboard-configure-https.xml:36(para) +msgid "Edit the /etc/apache2/conf.d/openstack-dashboard.conf file as shown in :" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:46(para) -msgid "After:" +#: ./doc/common/section_dashboard-configure-https.xml:41(title) +msgid "Before" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:87(para) -msgid "In this configuration, Apache http server listens on the port 443 and redirects all the hits to the HTTPS protocol for all the non-secured requests. The secured section defines the private key, public key, and certificate to use." +#: ./doc/common/section_dashboard-configure-https.xml:55(title) +msgid "After" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:94(para) -msgid "Restart Apache http server. For Debian/Ubuntu/SUSE:" +#: ./doc/common/section_dashboard-configure-https.xml:97(para) +msgid "In this configuration, the Apache HTTP server listens on port 443 and redirects all non-secure requests to the HTTPS protocol. The secured section defines the private key, public key, and certificate to use." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:96(para) -msgid "Or for Fedora/RHEL/CentOS:" +#: ./doc/common/section_dashboard-configure-https.xml:104(para) +msgid "Restart the Apache HTTP server." 
msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml:100(para) +#: ./doc/common/section_dashboard-configure-https.xml:105(para) +msgid "For Debian, Ubuntu, or SUSE distributions:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml:107(para) +msgid "For Fedora, RHEL, or CentOS distributions:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml:111(para) +msgid "Restart memcached:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml:114(para) msgid "If you try to access the dashboard through HTTP, the browser redirects you to the HTTPS page." msgstr "" @@ -15199,7 +15211,7 @@ msgid "The partitions of the ring are equally divided among all of the devices i msgstr "" #: ./doc/common/section_objectstorage-components.xml:77(para) -msgid "Weights can be used to balance the distribution of partitions on drives across the cluster. This can be useful, for example, when differently sized drives are used in a cluster." +msgid "You can use weights to balance the distribution of partitions on drives across the cluster. This can be useful, for example, when differently sized drives are used in a cluster." msgstr "" #: ./doc/common/section_objectstorage-components.xml:80(para) 
@@ -15215,7 +15227,7 @@ msgid "These rings are externally managed, in that the server processes themselv msgstr "" #: ./doc/common/section_objectstorage-components.xml:92(para) -msgid "The ring uses a configurable number of bits from a path’s MD5 hash as a partition index that designates a device. The number of bits kept from the hash is known as the partition power, and 2 to the partition power indicates the partition count. Partitioning the full MD5 hash ring allows other parts of the cluster to work in batches of items at once which ends up either more efficient or at least less complex than working with each item separately or the entire cluster all at once." +msgid "The ring uses a configurable number of bits from an MD5 hash for a path as a partition index that designates a device. The number of bits kept from the hash is known as the partition power, and 2 to the partition power indicates the partition count. Partitioning the full MD5 hash ring allows other parts of the cluster to work in batches of items at once which ends up either more efficient or at least less complex than working with each item separately or the entire cluster all at once." msgstr "" #: ./doc/common/section_objectstorage-components.xml:101(para) diff --git a/doc/common/locale/fr.po b/doc/common/locale/fr.po index 8efe93f79c..7b3aed427f 100644 --- a/doc/common/locale/fr.po +++ b/doc/common/locale/fr.po @@ -18,8 +18,8 @@ msgid "" msgstr "" "Project-Id-Version: OpenStack Manuals\n" -"POT-Creation-Date: 2014-06-29 04:08+0000\n" -"PO-Revision-Date: 2014-06-29 01:40+0000\n" +"POT-Creation-Date: 2014-06-30 04:51+0000\n" +"PO-Revision-Date: 2014-06-30 03:49+0000\n" "Last-Translator: openstackjenkins \n" "Language-Team: French (http://www.transifex.com/projects/p/openstack-manuals-i18n/language/fr/)\n" "MIME-Version: 1.0\n" 
@@ -3982,7 +3982,6 @@ msgid "or for Fedora/RHEL/CentOS:" msgstr "ou pour Fedora/RHEL/CentOS:" #: ./doc/common/section_dashboard-configure-http.xml32(para) -#: ./doc/common/section_dashboard-configure-https.xml98(para) msgid "Next, restart memcached:" msgstr "" @@ -4246,7 +4245,7 @@ msgid "Quota name" msgstr "" #: ./doc/common/section_cli_nova_quotas.xml20(th) -#: ./doc/common/section_cli_nova_customize_flavors.xml40(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml51(td) #: ./doc/common/section_cli_overview.xml43(th) #: ./doc/common/section_cli_install.xml30(th) #: ./doc/common/ch_getstart.xml31(th) @@ -8961,7 +8960,7 @@ msgid "" msgstr "" #: ./doc/common/section_trusted-compute-pools.xml78(para) -#: ./doc/common/section_cli_nova_customize_flavors.xml260(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml314(para) #: ./doc/common/section_keystone_config_ldap-hardening.xml83(para) msgid "Where:" msgstr "" @@ -13393,18 +13392,18 @@ msgid "" "default value is 30 days." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml7(title) +#: ./doc/common/section_cli_nova_customize_flavors.xml10(title) #: ./doc/common/section_dashboard_access.xml304(guilabel) msgid "Flavors" msgstr "Types d'instance" -#: ./doc/common/section_cli_nova_customize_flavors.xml8(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml11(para) msgid "" "Admin users can use the commands to customize and manage " "flavors. To see the available flavor-related commands, run:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml22(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml27(para) msgid "" "Configuration rights can be delegated to additional users by redefining the " "access controls for in " 
@@ -13412,55 +13411,55 @@ msgid "" "\">nova-api server." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml26(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml36(para) msgid "" "To modify an existing flavor in the dashboard, you must delete the flavor " "and create a modified one with the same name." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml31(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml42(para) msgid "Flavors define these elements:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml33(caption) +#: ./doc/common/section_cli_nova_customize_flavors.xml44(caption) msgid "Identity Service configuration file sections" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml39(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml50(td) msgid "Element" msgstr "élément" -#: ./doc/common/section_cli_nova_customize_flavors.xml45(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml56(literal) msgid "Name" msgstr "Nom" -#: ./doc/common/section_cli_nova_customize_flavors.xml47(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml58(replaceable) msgid "XX" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml47(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml58(replaceable) msgid "SIZE_NAME" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml46(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml57(td) msgid "" "A descriptive name. . is typically not " "required, though some third party tools may rely on it." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml52(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml63(literal) msgid "Memory_MB" msgstr "Memory_MB" -#: ./doc/common/section_cli_nova_customize_flavors.xml53(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml64(td) msgid "Virtual machine memory in megabytes." msgstr "Mémoire de la machine virtuel en mégaoctets." 
-#: ./doc/common/section_cli_nova_customize_flavors.xml56(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml67(literal) msgid "Disk" msgstr "Disque" -#: ./doc/common/section_cli_nova_customize_flavors.xml57(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml68(td) msgid "" "Virtual root disk size in gigabytes. This is an ephemeral disk that the base" " image is copied into. When booting from a persistent volume it is not used." 
@@ -13468,37 +13467,37 @@ msgid "" "the size of the ephemeral root volume." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml65(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml76(literal) msgid "Ephemeral" msgstr "ÉphémÚre" -#: ./doc/common/section_cli_nova_customize_flavors.xml66(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml77(td) msgid "" "Specifies the size of a secondary ephemeral data disk. This is an empty, " "unformatted disk and exists only for the life of the instance." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml71(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml82(literal) msgid "Swap" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml72(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml83(td) msgid "Optional swap space allocation for the instance." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml76(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml87(literal) msgid "VCPUs" msgstr "VCPUs" -#: ./doc/common/section_cli_nova_customize_flavors.xml77(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml88(td) msgid "Number of virtual CPUs presented to the instance." msgstr "Nombre de UC virtuelles présentées à l'instance. " -#: ./doc/common/section_cli_nova_customize_flavors.xml81(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml92(literal) msgid "RXTX_Factor" msgstr "RXTX_Factor" -#: ./doc/common/section_cli_nova_customize_flavors.xml82(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml93(td) msgid "" "Optional property allows created servers to have a different bandwidth cap " "than that defined in the network they are attached to. This factor is " 
@@ -13506,21 +13505,21 @@ msgid "" "That is, the same as attached network." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml90(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml101(literal) msgid "Is_Public" msgstr "Is_Public" -#: ./doc/common/section_cli_nova_customize_flavors.xml91(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml102(td) msgid "" "Boolean value, whether flavor is available to all users or private to the " "tenant it was created in. Defaults to True." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml96(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml107(literal) msgid "extra_specs" msgstr "extra_specs" -#: ./doc/common/section_cli_nova_customize_flavors.xml97(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml108(para) msgid "" "Key and value pairs that define on which compute nodes a flavor can run. " "These pairs must match corresponding pairs on the compute nodes. Use to " @@ -13528,7 +13527,7 @@ msgid "" "with GPU hardware." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml105(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml117(para) msgid "" "Flavor customization can be limited by the hypervisor in use. For example " "the libvirt driver enables quotas on CPUs available" 
@@ -13536,128 +13535,128 @@ msgid "" "generator device control, and instance VIF traffic control." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml110(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml124(term) msgid "CPU limits" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml111(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml126(para) msgid "" "You can configure the CPU limits with control parameters with the " " client. For example, to configure the I/O limit, use:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml115(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml132(para) msgid "" -"There are optional CPU control parameters for weight shares, enforcement " +"Use these optional parameters to control weight shares, enforcement " "intervals for runtime quotas, and a quota for maximum allowed bandwidth:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml121(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml137(para) msgid "" -"cpu_shares specifies the proportional weighted share for " -"the domain. If this element is omitted, the service defaults to the OS " +"cpu_shares. Specifies the proportional weighted share" +" for the domain. If this element is omitted, the service defaults to the OS " "provided defaults. There is no unit for the value; it is a relative measure " "based on the setting of other VMs. For example, a VM configured with value " "2048 gets twice as much CPU time as a VM configured with value 1024." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml130(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml148(para) msgid "" -"cpu_period specifies the enforcement interval (unit: " -"microseconds) for QEMU and LXC hypervisors. Within a period, each VCPU of " +"cpu_period. Specifies the enforcement interval (unit:" +" microseconds) for QEMU and LXC hypervisors. 
Within a period, each VCPU of " "the domain is not allowed to consume more than the quota worth of runtime. " "The value should be in range [1000, 1000000]. A period " "with value 0 means no value." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml138(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml158(para) msgid "" -"cpu_quota specifies the maximum allowed bandwidth (unit: " -"microseconds). A domain with a negative-value quota indicates that the " -"domain has infinite bandwidth, which means that it is not bandwidth " +"cpu_quota. Specifies the maximum allowed bandwidth " +"(unit: microseconds). A domain with a negative-value quota indicates that " +"the domain has infinite bandwidth, which means that it is not bandwidth " "controlled. The value should be in range [1000, " "18446744073709551] or less than 0. A quota with value 0 means no " "value. You can use this feature to ensure that all vCPUs run at the same " "speed. For example:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml147(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml171(para) msgid "" "In this example, the instance of m1.low_cpu can only " "consume a maximum of 50% CPU of a physical CPU computing capability." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml155(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml181(term) msgid "Disk tuning" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml156(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml183(para) msgid "" "Using disk I/O quotas, you can set maximum disk write to 10 MB per second " "for a VM user. 
For example:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml159(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml187(para) msgid "The disk I/O options are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml162(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml190(para) msgid "disk_read_bytes_sec" msgstr "disk_read_bytes_sec" -#: ./doc/common/section_cli_nova_customize_flavors.xml165(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml193(para) msgid "disk_read_iops_sec" msgstr "disk_read_iops_sec" -#: ./doc/common/section_cli_nova_customize_flavors.xml168(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml196(para) msgid "disk_write_bytes_sec" msgstr "disk_write_bytes_sec" -#: ./doc/common/section_cli_nova_customize_flavors.xml171(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml199(para) msgid "disk_write_iops_sec" msgstr "disk_write_iops_sec" -#: ./doc/common/section_cli_nova_customize_flavors.xml174(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml202(para) msgid "disk_total_bytes_sec" msgstr "disk_total_bytes_sec" -#: ./doc/common/section_cli_nova_customize_flavors.xml177(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml205(para) msgid "disk_total_iops_sec" msgstr "disk_total_iops_sec" -#: ./doc/common/section_cli_nova_customize_flavors.xml180(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml208(para) msgid "The vif I/O options are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml183(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml211(para) msgid "vif_inbound_ average" msgstr "vif_inbound_ average" -#: ./doc/common/section_cli_nova_customize_flavors.xml186(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml214(para) msgid "vif_inbound_burst" msgstr "vif_inbound_burst" -#: ./doc/common/section_cli_nova_customize_flavors.xml189(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml217(para) 
msgid "vif_inbound_peak" msgstr "vif_inbound_peak" -#: ./doc/common/section_cli_nova_customize_flavors.xml192(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml220(para) msgid "vif_outbound_ average" msgstr "vif_outbound_ average" -#: ./doc/common/section_cli_nova_customize_flavors.xml195(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml223(para) msgid "vif_outbound_burst" msgstr "vif_outbound_burst" -#: ./doc/common/section_cli_nova_customize_flavors.xml198(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml226(para) msgid "vif_outbound_peak" msgstr "vif_outbound_peak" -#: ./doc/common/section_cli_nova_customize_flavors.xml202(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml232(term) msgid "Bandwidth I/O" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml203(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml234(para) msgid "" "Incoming and outgoing traffic can be shaped independently. The bandwidth " "element can have at most, one inbound and at most, one outbound child " @@ -13668,7 +13667,7 @@ msgid "" " rate on the interface being shaped." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml209(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml245(para) msgid "" "There are also two optional attributes (integer): , " "which specifies the maximum rate at which a bridge can send data " 
@@ -13677,17 +13676,17 @@ msgid "" "domains connected to the network." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml214(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml252(para) msgid "" "The following example configures a bandwidth limit for instance network " "traffic:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml219(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml259(term) msgid "Watchdog behavior" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml220(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml261(para) msgid "" "For the libvirt driver, you can enable and set the " "behavior of a virtual hardware watchdog device for each flavor. Watchdog " 
@@ -13697,88 +13696,88 @@ msgid "" " not specified, the watchdog is disabled." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml226(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml270(para) msgid "To set the behavior, use:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml227(replaceable) -#: ./doc/common/section_cli_nova_customize_flavors.xml257(replaceable) -#: ./doc/common/section_cli_nova_customize_flavors.xml258(replaceable) -#: ./doc/common/section_cli_nova_customize_flavors.xml259(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml271(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml311(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml312(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml313(replaceable) msgid "FLAVOR-NAME" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml227(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml271(replaceable) msgid "ACTION" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml228(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml272(para) msgid "Valid ACTION values are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml231(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml276(para) msgid "disabled(default) The device is not attached." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml234(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml280(para) msgid "resetForcefully reset the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml238(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml284(para) msgid "poweroffForcefully power off the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml242(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml288(para) msgid "pausePause the guest." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml245(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml292(para) msgid "" "noneOnly enable the watchdog; do nothing if the server " "hangs." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml249(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml298(para) msgid "" "Watchdog behavior set using a specific image's properties will override " "behavior set using flavors." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml254(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml305(term) msgid "Random-number generator" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml255(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml307(para) msgid "" "If a random-number generator device has been added to the instance through " "its image properties, the device can be enabled and configured using:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml258(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml312(replaceable) msgid "RATE-BYTES" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml259(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml313(replaceable) msgid "RATE-PERIOD" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml263(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml317(para) msgid "" "RATE-BYTES(Integer) Allowed amount of bytes that " "the guest can read from the host's entropy per period." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml267(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml323(para) msgid "" "RATE-PERIOD(Integer) Duration of the read period " "in seconds." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml273(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml331(term) msgid "Instance VIF traffic control" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml274(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml333(para) msgid "" "Flavors can also be assigned to particular projects. By default, a flavor is" " public and available to all projects. Private flavors are only accessible " @@ -14716,9 +14715,9 @@ msgid "" "The utility calculates the number of partitions to assign to each device " "based on the weight of the device. For example, for a partition at the power" " of 20, the ring has 1,048,576 partitions. One thousand devices of equal " -"weight will each want 1,048.576 partitions. The devices are sorted by the " -"number of partitions they desire and kept in order throughout the " -"initialization process." +"weight each want 1,048.576 partitions. The devices are sorted by the number " +"of partitions they desire and kept in order throughout the initialization " +"process." msgstr "" #: ./doc/common/section_objectstorage-ringbuilder.xml131(para) @@ -17761,11 +17760,11 @@ msgstr "" msgid "Optional new host of user." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml4(title) +#: ./doc/common/section_dashboard-configure-https.xml6(title) msgid "Configure the dashboard for HTTPS" msgstr "Pour configurer le tableau de bord pour HTTPS" -#: ./doc/common/section_dashboard-configure-https.xml5(para) +#: ./doc/common/section_dashboard-configure-https.xml7(para) #: ./doc/common/section_dashboard-configure.xml10(para) msgid "" "You can configure the dashboard for a secured HTTPS deployment. While the " 
@@ -17773,60 +17772,72 @@ msgid "" "support for the dashboard." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml9(para) +#: ./doc/common/section_dashboard-configure-https.xml12(para) msgid "" -"The following example uses the domain, \"http://openstack.example.com.\" Use" -" a domain that fits your current setup." -msgstr "L’exemple suivant utilise le domaine http://openstack.example.com. Utilisez un domaine qui corresponde à votre installation courante." - -#: ./doc/common/section_dashboard-configure-https.xml13(para) -msgid "" -"In/etc/openstack-dashboard/local_settings.py update the" -" following directives:" -msgstr "Dans /etc/openstack-dashboard/local_settings.py, mettez à jour le paramÚtre suivant :" - -#: ./doc/common/section_dashboard-configure-https.xml19(para) -msgid "" -"The first option is required to enable HTTPS. The other recommended settings" -" defend against cross-site scripting and require HTTPS." +"This example uses the http://openstack.example.com " +"domain. Use a domain that fits your current setup." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml24(para) +#: ./doc/common/section_dashboard-configure-https.xml16(para) msgid "" -"Edit /etc/apache2/ports.conf and add the following " -"line:" +"In the /etc/openstack-dashboard/local_settings.py file," +" update the following options:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml23(para) +msgid "To enable HTTPS, the USE_SSL = True option is required." +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml25(para) +msgid "" +"The other options require that HTTPS is enabled; these options defend " +"against cross-site scripting." 
msgstr "" #: ./doc/common/section_dashboard-configure-https.xml30(para) msgid "" -"Edit /etc/apache2/conf.d/openstack-dashboard.conf:" -msgstr "Editez le fichier /etc/apache2/conf.d/openstack-dashboard.conf:" +"Edit the /etc/apache2/ports.conf file and add the " +"following line:" +msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml33(para) -msgid "Before:" -msgstr "Avant:" - -#: ./doc/common/section_dashboard-configure-https.xml46(para) -msgid "After:" -msgstr "AprÚs:" - -#: ./doc/common/section_dashboard-configure-https.xml87(para) +#: ./doc/common/section_dashboard-configure-https.xml36(para) msgid "" -"In this configuration, Apache http server listens on the port 443 and " -"redirects all the hits to the HTTPS protocol for all the non-secured " -"requests. The secured section defines the private key, public key, and " -"certificate to use." +"Edit the /etc/apache2/conf.d/openstack-dashboard.conf " +"file as shown in :" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml94(para) -msgid "Restart Apache http server. For Debian/Ubuntu/SUSE:" +#: ./doc/common/section_dashboard-configure-https.xml41(title) +msgid "Before" +msgstr "Avant" + +#: ./doc/common/section_dashboard-configure-https.xml55(title) +msgid "After" +msgstr "AprÚs" + +#: ./doc/common/section_dashboard-configure-https.xml97(para) +msgid "" +"In this configuration, the Apache HTTP server listens on port 443 and " +"redirects all non-secure requests to the HTTPS protocol. The secured section" +" defines the private key, public key, and certificate to use." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml96(para) -msgid "Or for Fedora/RHEL/CentOS:" +#: ./doc/common/section_dashboard-configure-https.xml104(para) +msgid "Restart the Apache HTTP server." 
msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml100(para) +#: ./doc/common/section_dashboard-configure-https.xml105(para) +msgid "For Debian, Ubuntu, or SUSE distributions:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml107(para) +msgid "For Fedora, RHEL, or CentOS distributions:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml111(para) +msgid "Restart memcached:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml114(para) msgid "" "If you try to access the dashboard through HTTP, the browser redirects you " "to the HTTPS page." @@ -20960,7 +20971,7 @@ msgstr "" #: ./doc/common/section_objectstorage-components.xml77(para) msgid "" -"Weights can be used to balance the distribution of partitions on drives " +"You can use weights to balance the distribution of partitions on drives " "across the cluster. This can be useful, for example, when differently sized " "drives are used in a cluster." msgstr "" @@ -20984,8 +20995,8 @@ msgstr "" #: ./doc/common/section_objectstorage-components.xml92(para) msgid "" -"The ring uses a configurable number of bits from a path’s MD5 hash as a " -"partition index that designates a device. The number of bits kept from the " +"The ring uses a configurable number of bits from an MD5 hash for a path as a" +" partition index that designates a device. The number of bits kept from the " "hash is known as the partition power, and 2 to the partition power indicates" " the partition count. Partitioning the full MD5 hash ring allows other parts" " of the cluster to work in batches of items at once which ends up either " diff --git a/doc/common/locale/ja.po b/doc/common/locale/ja.po index 116d133104..917abe0fc5 100644 --- a/doc/common/locale/ja.po +++ b/doc/common/locale/ja.po 
@@ -7,8 +7,8 @@ msgid "" msgstr "" "Project-Id-Version: OpenStack Manuals\n" -"POT-Creation-Date: 2014-06-29 04:08+0000\n" -"PO-Revision-Date: 2014-06-29 01:40+0000\n" +"POT-Creation-Date: 2014-06-30 04:51+0000\n" +"PO-Revision-Date: 2014-06-30 03:49+0000\n" "Last-Translator: openstackjenkins \n" "Language-Team: Japanese (http://www.transifex.com/projects/p/openstack-manuals-i18n/language/ja/)\n" "MIME-Version: 1.0\n" @@ -3971,7 +3971,6 @@ msgid "or for Fedora/RHEL/CentOS:" msgstr "" #: ./doc/common/section_dashboard-configure-http.xml32(para) -#: ./doc/common/section_dashboard-configure-https.xml98(para) msgid "Next, restart memcached:" msgstr "" @@ -4235,7 +4234,7 @@ msgid "Quota name" msgstr "" #: ./doc/common/section_cli_nova_quotas.xml20(th) -#: ./doc/common/section_cli_nova_customize_flavors.xml40(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml51(td) #: ./doc/common/section_cli_overview.xml43(th) #: ./doc/common/section_cli_install.xml30(th) #: ./doc/common/ch_getstart.xml31(th) @@ -8950,7 +8949,7 @@ msgid "" msgstr "" #: ./doc/common/section_trusted-compute-pools.xml78(para) -#: ./doc/common/section_cli_nova_customize_flavors.xml260(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml314(para) #: ./doc/common/section_keystone_config_ldap-hardening.xml83(para) msgid "Where:" msgstr "各項目:" 
@@ -13382,18 +13381,18 @@ msgid "" "default value is 30 days." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml7(title) +#: ./doc/common/section_cli_nova_customize_flavors.xml10(title) #: ./doc/common/section_dashboard_access.xml304(guilabel) msgid "Flavors" msgstr "フレヌバヌ" -#: ./doc/common/section_cli_nova_customize_flavors.xml8(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml11(para) msgid "" "Admin users can use the commands to customize and manage " "flavors. To see the available flavor-related commands, run:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml22(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml27(para) msgid "" "Configuration rights can be delegated to additional users by redefining the " "access controls for in " 
@@ -13401,55 +13400,55 @@ msgid "" "\">nova-api server." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml26(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml36(para) msgid "" "To modify an existing flavor in the dashboard, you must delete the flavor " "and create a modified one with the same name." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml31(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml42(para) msgid "Flavors define these elements:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml33(caption) +#: ./doc/common/section_cli_nova_customize_flavors.xml44(caption) msgid "Identity Service configuration file sections" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml39(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml50(td) msgid "Element" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml45(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml56(literal) msgid "Name" msgstr "名前" -#: ./doc/common/section_cli_nova_customize_flavors.xml47(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml58(replaceable) msgid "XX" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml47(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml58(replaceable) msgid "SIZE_NAME" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml46(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml57(td) msgid "" "A descriptive name. . is typically not " "required, though some third party tools may rely on it." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml52(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml63(literal) msgid "Memory_MB" msgstr "MB メモリヌ" -#: ./doc/common/section_cli_nova_customize_flavors.xml53(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml64(td) msgid "Virtual machine memory in megabytes." 
msgstr "メガバむト単䜍の仮想マシンメモリヌ。" -#: ./doc/common/section_cli_nova_customize_flavors.xml56(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml67(literal) msgid "Disk" msgstr "ディスク" -#: ./doc/common/section_cli_nova_customize_flavors.xml57(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml68(td) msgid "" "Virtual root disk size in gigabytes. This is an ephemeral disk that the base" " image is copied into. When booting from a persistent volume it is not used." 
@@ -13457,37 +13456,37 @@ msgid "" "the size of the ephemeral root volume." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml65(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml76(literal) msgid "Ephemeral" msgstr "゚フェメラル" -#: ./doc/common/section_cli_nova_customize_flavors.xml66(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml77(td) msgid "" "Specifies the size of a secondary ephemeral data disk. This is an empty, " "unformatted disk and exists only for the life of the instance." msgstr "二次的な䞀時デヌタディスクの容量を指定したす。これは空の、フォヌマットされおいないディスクです。むンスタンスの生存期間だけ存圚したす。" -#: ./doc/common/section_cli_nova_customize_flavors.xml71(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml82(literal) msgid "Swap" msgstr "スワップ" -#: ./doc/common/section_cli_nova_customize_flavors.xml72(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml83(td) msgid "Optional swap space allocation for the instance." msgstr "むンスタンスに割り圓おられるスワップ空間。これはオプションです。" -#: ./doc/common/section_cli_nova_customize_flavors.xml76(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml87(literal) msgid "VCPUs" msgstr "仮想 CPU" -#: ./doc/common/section_cli_nova_customize_flavors.xml77(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml88(td) msgid "Number of virtual CPUs presented to the instance." msgstr "むンスタンスに存圚する仮想 CPU 数。" -#: ./doc/common/section_cli_nova_customize_flavors.xml81(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml92(literal) msgid "RXTX_Factor" msgstr "RXTX_Factor" -#: ./doc/common/section_cli_nova_customize_flavors.xml82(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml93(td) msgid "" "Optional property allows created servers to have a different bandwidth cap " "than that defined in the network they are attached to. This factor is " 
@@ -13495,21 +13494,21 @@ msgid "" "That is, the same as attached network." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml90(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml101(literal) msgid "Is_Public" msgstr "Is_Public" -#: ./doc/common/section_cli_nova_customize_flavors.xml91(td) +#: ./doc/common/section_cli_nova_customize_flavors.xml102(td) msgid "" "Boolean value, whether flavor is available to all users or private to the " "tenant it was created in. Defaults to True." msgstr "論理倀。フレヌバヌがすべおのナヌザヌに利甚可胜か、たたは䜜成されたプロゞェクト内のみであるか。暙準で真 (True) です。" -#: ./doc/common/section_cli_nova_customize_flavors.xml96(literal) +#: ./doc/common/section_cli_nova_customize_flavors.xml107(literal) msgid "extra_specs" msgstr "extra_specs" -#: ./doc/common/section_cli_nova_customize_flavors.xml97(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml108(para) msgid "" "Key and value pairs that define on which compute nodes a flavor can run. " "These pairs must match corresponding pairs on the compute nodes. Use to " @@ -13517,7 +13516,7 @@ msgid "" "with GPU hardware." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml105(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml117(para) msgid "" "Flavor customization can be limited by the hypervisor in use. For example " "the libvirt driver enables quotas on CPUs available" 
@@ -13525,128 +13524,128 @@ msgid "" "generator device control, and instance VIF traffic control." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml110(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml124(term) msgid "CPU limits" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml111(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml126(para) msgid "" "You can configure the CPU limits with control parameters with the " " client. For example, to configure the I/O limit, use:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml115(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml132(para) msgid "" -"There are optional CPU control parameters for weight shares, enforcement " +"Use these optional parameters to control weight shares, enforcement " "intervals for runtime quotas, and a quota for maximum allowed bandwidth:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml121(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml137(para) msgid "" -"cpu_shares specifies the proportional weighted share for " -"the domain. If this element is omitted, the service defaults to the OS " +"cpu_shares. Specifies the proportional weighted share" +" for the domain. If this element is omitted, the service defaults to the OS " "provided defaults. There is no unit for the value; it is a relative measure " "based on the setting of other VMs. For example, a VM configured with value " "2048 gets twice as much CPU time as a VM configured with value 1024." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml130(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml148(para) msgid "" -"cpu_period specifies the enforcement interval (unit: " -"microseconds) for QEMU and LXC hypervisors. Within a period, each VCPU of " +"cpu_period. Specifies the enforcement interval (unit:" +" microseconds) for QEMU and LXC hypervisors. 
Within a period, each VCPU of " "the domain is not allowed to consume more than the quota worth of runtime. " "The value should be in range [1000, 1000000]. A period " "with value 0 means no value." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml138(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml158(para) msgid "" -"cpu_quota specifies the maximum allowed bandwidth (unit: " -"microseconds). A domain with a negative-value quota indicates that the " -"domain has infinite bandwidth, which means that it is not bandwidth " +"cpu_quota. Specifies the maximum allowed bandwidth " +"(unit: microseconds). A domain with a negative-value quota indicates that " +"the domain has infinite bandwidth, which means that it is not bandwidth " "controlled. The value should be in range [1000, " "18446744073709551] or less than 0. A quota with value 0 means no " "value. You can use this feature to ensure that all vCPUs run at the same " "speed. For example:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml147(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml171(para) msgid "" "In this example, the instance of m1.low_cpu can only " "consume a maximum of 50% CPU of a physical CPU computing capability." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml155(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml181(term) msgid "Disk tuning" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml156(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml183(para) msgid "" "Using disk I/O quotas, you can set maximum disk write to 10 MB per second " "for a VM user. 
For example:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml159(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml187(para) msgid "The disk I/O options are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml162(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml190(para) msgid "disk_read_bytes_sec" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml165(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml193(para) msgid "disk_read_iops_sec" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml168(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml196(para) msgid "disk_write_bytes_sec" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml171(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml199(para) msgid "disk_write_iops_sec" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml174(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml202(para) msgid "disk_total_bytes_sec" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml177(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml205(para) msgid "disk_total_iops_sec" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml180(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml208(para) msgid "The vif I/O options are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml183(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml211(para) msgid "vif_inbound_ average" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml186(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml214(para) msgid "vif_inbound_burst" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml189(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml217(para) msgid "vif_inbound_peak" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml192(para) +#: 
./doc/common/section_cli_nova_customize_flavors.xml220(para) msgid "vif_outbound_ average" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml195(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml223(para) msgid "vif_outbound_burst" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml198(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml226(para) msgid "vif_outbound_peak" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml202(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml232(term) msgid "Bandwidth I/O" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml203(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml234(para) msgid "" "Incoming and outgoing traffic can be shaped independently. The bandwidth " "element can have at most, one inbound and at most, one outbound child " @@ -13657,7 +13656,7 @@ msgid "" " rate on the interface being shaped." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml209(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml245(para) msgid "" "There are also two optional attributes (integer): , " "which specifies the maximum rate at which a bridge can send data " @@ -13666,17 +13665,17 @@ msgid "" "domains connected to the network." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml214(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml252(para) msgid "" "The following example configures a bandwidth limit for instance network " "traffic:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml219(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml259(term) msgid "Watchdog behavior" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml220(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml261(para) msgid "" "For the libvirt driver, you can enable and set the " "behavior of a virtual hardware watchdog device for each flavor. Watchdog " 
@@ -13686,88 +13685,88 @@ msgid "" " not specified, the watchdog is disabled." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml226(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml270(para) msgid "To set the behavior, use:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml227(replaceable) -#: ./doc/common/section_cli_nova_customize_flavors.xml257(replaceable) -#: ./doc/common/section_cli_nova_customize_flavors.xml258(replaceable) -#: ./doc/common/section_cli_nova_customize_flavors.xml259(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml271(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml311(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml312(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml313(replaceable) msgid "FLAVOR-NAME" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml227(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml271(replaceable) msgid "ACTION" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml228(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml272(para) msgid "Valid ACTION values are:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml231(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml276(para) msgid "disabled(default) The device is not attached." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml234(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml280(para) msgid "resetForcefully reset the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml238(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml284(para) msgid "poweroffForcefully power off the guest." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml242(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml288(para) msgid "pausePause the guest." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml245(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml292(para) msgid "" "noneOnly enable the watchdog; do nothing if the server " "hangs." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml249(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml298(para) msgid "" "Watchdog behavior set using a specific image's properties will override " "behavior set using flavors." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml254(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml305(term) msgid "Random-number generator" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml255(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml307(para) msgid "" "If a random-number generator device has been added to the instance through " "its image properties, the device can be enabled and configured using:" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml258(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml312(replaceable) msgid "RATE-BYTES" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml259(replaceable) +#: ./doc/common/section_cli_nova_customize_flavors.xml313(replaceable) msgid "RATE-PERIOD" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml263(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml317(para) msgid "" "RATE-BYTES(Integer) Allowed amount of bytes that " "the guest can read from the host's entropy per period." msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml267(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml323(para) msgid "" "RATE-PERIOD(Integer) Duration of the read period " "in seconds." 
msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml273(term) +#: ./doc/common/section_cli_nova_customize_flavors.xml331(term) msgid "Instance VIF traffic control" msgstr "" -#: ./doc/common/section_cli_nova_customize_flavors.xml274(para) +#: ./doc/common/section_cli_nova_customize_flavors.xml333(para) msgid "" "Flavors can also be assigned to particular projects. By default, a flavor is" " public and available to all projects. Private flavors are only accessible " @@ -14705,9 +14704,9 @@ msgid "" "The utility calculates the number of partitions to assign to each device " "based on the weight of the device. For example, for a partition at the power" " of 20, the ring has 1,048,576 partitions. One thousand devices of equal " -"weight will each want 1,048.576 partitions. The devices are sorted by the " -"number of partitions they desire and kept in order throughout the " -"initialization process." +"weight each want 1,048.576 partitions. The devices are sorted by the number " +"of partitions they desire and kept in order throughout the initialization " +"process." msgstr "" #: ./doc/common/section_objectstorage-ringbuilder.xml131(para) @@ -17750,11 +17749,11 @@ msgstr "" msgid "Optional new host of user." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml4(title) +#: ./doc/common/section_dashboard-configure-https.xml6(title) msgid "Configure the dashboard for HTTPS" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml5(para) +#: ./doc/common/section_dashboard-configure-https.xml7(para) #: ./doc/common/section_dashboard-configure.xml10(para) msgid "" "You can configure the dashboard for a secured HTTPS deployment. While the " 
@@ -17762,60 +17761,72 @@ msgid "" "support for the dashboard." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml9(para) +#: ./doc/common/section_dashboard-configure-https.xml12(para) msgid "" -"The following example uses the domain, \"http://openstack.example.com.\" Use" -" a domain that fits your current setup." +"This example uses the http://openstack.example.com " +"domain. Use a domain that fits your current setup." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml13(para) +#: ./doc/common/section_dashboard-configure-https.xml16(para) msgid "" -"In/etc/openstack-dashboard/local_settings.py update the" -" following directives:" +"In the /etc/openstack-dashboard/local_settings.py file," +" update the following options:" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml19(para) -msgid "" -"The first option is required to enable HTTPS. The other recommended settings" -" defend against cross-site scripting and require HTTPS." +#: ./doc/common/section_dashboard-configure-https.xml23(para) +msgid "To enable HTTPS, the USE_SSL = True option is required." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml24(para) +#: ./doc/common/section_dashboard-configure-https.xml25(para) msgid "" -"Edit /etc/apache2/ports.conf and add the following " -"line:" +"The other options require that HTTPS is enabled; these options defend " +"against cross-site scripting." 
msgstr "" #: ./doc/common/section_dashboard-configure-https.xml30(para) msgid "" -"Edit /etc/apache2/conf.d/openstack-dashboard.conf:" +"Edit the /etc/apache2/ports.conf file and add the " +"following line:" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml33(para) -msgid "Before:" -msgstr "" - -#: ./doc/common/section_dashboard-configure-https.xml46(para) -msgid "After:" -msgstr "" - -#: ./doc/common/section_dashboard-configure-https.xml87(para) +#: ./doc/common/section_dashboard-configure-https.xml36(para) msgid "" -"In this configuration, Apache http server listens on the port 443 and " -"redirects all the hits to the HTTPS protocol for all the non-secured " -"requests. The secured section defines the private key, public key, and " -"certificate to use." +"Edit the /etc/apache2/conf.d/openstack-dashboard.conf " +"file as shown in :" msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml94(para) -msgid "Restart Apache http server. For Debian/Ubuntu/SUSE:" +#: ./doc/common/section_dashboard-configure-https.xml41(title) +msgid "Before" +msgstr "前に挿入" + +#: ./doc/common/section_dashboard-configure-https.xml55(title) +msgid "After" +msgstr "埌に挿入" + +#: ./doc/common/section_dashboard-configure-https.xml97(para) +msgid "" +"In this configuration, the Apache HTTP server listens on port 443 and " +"redirects all non-secure requests to the HTTPS protocol. The secured section" +" defines the private key, public key, and certificate to use." msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml96(para) -msgid "Or for Fedora/RHEL/CentOS:" +#: ./doc/common/section_dashboard-configure-https.xml104(para) +msgid "Restart the Apache HTTP server." 
msgstr "" -#: ./doc/common/section_dashboard-configure-https.xml100(para) +#: ./doc/common/section_dashboard-configure-https.xml105(para) +msgid "For Debian, Ubuntu, or SUSE distributions:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml107(para) +msgid "For Fedora, RHEL, or CentOS distributions:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml111(para) +msgid "Restart memcached:" +msgstr "" + +#: ./doc/common/section_dashboard-configure-https.xml114(para) msgid "" "If you try to access the dashboard through HTTP, the browser redirects you " "to the HTTPS page." @@ -20949,7 +20960,7 @@ msgstr "" #: ./doc/common/section_objectstorage-components.xml77(para) msgid "" -"Weights can be used to balance the distribution of partitions on drives " +"You can use weights to balance the distribution of partitions on drives " "across the cluster. This can be useful, for example, when differently sized " "drives are used in a cluster." msgstr "" @@ -20973,8 +20984,8 @@ msgstr "" #: ./doc/common/section_objectstorage-components.xml92(para) msgid "" -"The ring uses a configurable number of bits from a path’s MD5 hash as a " -"partition index that designates a device. The number of bits kept from the " +"The ring uses a configurable number of bits from an MD5 hash for a path as a" +" partition index that designates a device. The number of bits kept from the " "hash is known as the partition power, and 2 to the partition power indicates" " the partition count. Partitioning the full MD5 hash ring allows other parts" " of the cluster to work in batches of items at once which ends up either " diff --git a/doc/config-reference/locale/config-reference.pot b/doc/config-reference/locale/config-reference.pot index a495b7ad3f..439f83dcd9 100644 --- a/doc/config-reference/locale/config-reference.pot +++ b/doc/config-reference/locale/config-reference.pot 
@@ -1,7 +1,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2014-06-29 06:06+0000\n" +"POT-Creation-Date: 2014-06-30 06:05+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -805,7 +805,7 @@ msgstr "" msgid "If a service's default port falls within this range, run the following program to check if the port has already been assigned to another application:" msgstr "" -#: ./doc/config-reference/app_firewalls-ports.xml:30(replaceable) ./doc/config-reference/compute/section_compute-cells.xml:316(replaceable) +#: ./doc/config-reference/app_firewalls-ports.xml:30(replaceable) ./doc/config-reference/compute/section_compute-cells.xml:315(replaceable) msgid "PORT" msgstr "" @@ -3565,7 +3565,7 @@ msgid "HDS iSCSI volume driver configuration options" msgstr "" #: ./doc/config-reference/block-storage/drivers/hds-hus-driver.xml:277(para) -msgid "There is no relative precedence or weight among these four labels." +msgid "Each of these four labels has no relative precedence or weight." msgstr "" #: ./doc/config-reference/block-storage/drivers/hds-hus-driver.xml:271(para) @@ -7733,7 +7733,7 @@ msgstr "" msgid "How long in seconds to wait for replies from calls between cells." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:80(term) ./doc/config-reference/compute/section_compute-cells.xml:208(option) +#: ./doc/config-reference/compute/section_compute-cells.xml:80(term) ./doc/config-reference/compute/section_compute-cells.xml:207(option) msgid "scheduler_filter_classes" msgstr "" 
@@ -7741,163 +7741,163 @@ msgstr "" msgid "Filter classes that the cells scheduler should use. By default, uses \"nova.cells.filters.all_filters\" to map to all cells filters included with Compute." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:90(term) ./doc/config-reference/compute/section_compute-cells.xml:219(option) ./doc/config-reference/compute/section_compute-scheduler.xml:672(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:786(literal) +#: ./doc/config-reference/compute/section_compute-cells.xml:90(term) ./doc/config-reference/compute/section_compute-cells.xml:218(option) ./doc/config-reference/compute/section_compute-scheduler.xml:672(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:786(literal) msgid "scheduler_weight_classes" msgstr "" #: ./doc/config-reference/compute/section_compute-cells.xml:92(para) -msgid "Weight classes the cells scheduler should use. By default, uses \"nova.cells.weights.all_weighers\" to map to all cells weight algorithms (weighers) included with Compute." +msgid "Weight classes that the scheduler for cells uses. By default, uses nova.cells.weights.all_weighers to map to all cells weight algorithms included with Compute." 
msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:100(term) ./doc/config-reference/compute/section_compute-scheduler.xml:650(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:653(option) ./doc/config-reference/compute/section_compute-scheduler.xml:776(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:779(option) +#: ./doc/config-reference/compute/section_compute-cells.xml:99(term) ./doc/config-reference/compute/section_compute-scheduler.xml:650(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:653(option) ./doc/config-reference/compute/section_compute-scheduler.xml:776(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:779(option) msgid "ram_weight_multiplier" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:102(para) -msgid "Multiplier used for weighing ram. Negative numbers mean you want Compute to stack VMs on one host instead of spreading out new VMs to more hosts in the cell. The default value is 10.0." +#: ./doc/config-reference/compute/section_compute-cells.xml:101(para) +msgid "Multiplier used to weight RAM. Negative numbers indicate that Compute should stack VMs on one host instead of spreading out new VMs to more hosts in the cell. The default value is 10.0." msgstr "" #: ./doc/config-reference/compute/section_compute-cells.xml:42(para) msgid "Cells are disabled by default. All cell-related configuration options appear in the [cells] section in nova.conf. 
The following cell-related options are currently supported:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:112(title) +#: ./doc/config-reference/compute/section_compute-cells.xml:111(title) msgid "Configure the API (top-level) cell" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:113(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:112(para) msgid "The compute API class must be changed in the API cell so that requests can be proxied through nova-cells down to the correct cell properly. Add the following line to nova.conf in the API cell:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:126(title) +#: ./doc/config-reference/compute/section_compute-cells.xml:125(title) msgid "Configure the child cells" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:137(replaceable) +#: ./doc/config-reference/compute/section_compute-cells.xml:136(replaceable) msgid "cell1" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:127(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:126(para) msgid "Add the following lines to nova.conf in the child cells, replacing cell1 with the name of each cell:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:140(title) +#: ./doc/config-reference/compute/section_compute-cells.xml:139(title) msgid "Configure the database in each cell" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:141(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:140(para) msgid "Before bringing the services online, the database in each cell needs to be configured with information about related cells. In particular, the API cell needs to know about its immediate children, and the child cells must know about their immediate agents. The information needed is the RabbitMQ server credentials for the particular cell." 
msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:148(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:147(para) msgid "Use the command to add this information to the database in each cell:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:169(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:168(para) msgid "As an example, assume an API cell named api and a child cell named cell1." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:172(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:171(para) msgid "Within the api cell, specify the following RabbitMQ server information:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:179(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:178(para) msgid "Within the cell1 child cell, specify the following RabbitMQ server information:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:186(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:185(para) msgid "You can run this in the API cell as root:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:190(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:189(para) msgid "Repeat the previous steps for all child cells." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:191(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:190(para) msgid "In the child cell, run the following, as root:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:195(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:194(para) msgid "To customize the Compute cells, use the configuration option settings documented in ." 
msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:200(title) +#: ./doc/config-reference/compute/section_compute-cells.xml:199(title) msgid "Cell scheduling configuration" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:201(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:200(para) msgid "To determine the best cell to use to launch a new instance, Compute uses a set of filters and weights defined in the /etc/nova/nova.conf file. The following options are available to prioritize cells for scheduling:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:210(para) -msgid ". Specifies the list of filter classes. By default is specified, which maps to all cells filters included with Compute (see )." +#: ./doc/config-reference/compute/section_compute-cells.xml:209(para) +msgid "List of filter classes. By default is specified, which maps to all cells filters included with Compute (see )." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:221(para) -msgid "Specifies the list of weight classes. By default is specified, which maps to all cell weight algorithms (weighers) included with Compute. The following modules are available:" +#: ./doc/config-reference/compute/section_compute-cells.xml:220(para) +msgid "List of weight classes. By default is specified, which maps to all cell weight algorithms included with Compute. The following modules are available:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:229(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:228(para) msgid "mute_child. Downgrades the likelihood of child cells being chosen for scheduling requests, which haven't sent capacity or capability updates in a while. Options include (multiplier for mute children; value should be negative) and (assigned to mute children; should be a positive value)." 
msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:243(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:242(para) msgid "ram_by_instance_type. Select cells with the most RAM capacity for the instance type being requested. Because higher weights win, Compute returns the number of available units for the instance type requested. The option defaults to 10.0 that adds to the weight by a factor of 10. Use a negative number to stack VMs on one host instead of spreading out new VMs to more hosts in the cell." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:258(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:257(para) msgid "weight_offset. Allows modifying the database to weight a particular cell. You can use this when you want to disable a cell (for example, '0'), or to set a default cell by making its weight_offset very high (for example, '999999999999999'). The highest weight will be the first cell to be scheduled for launching an instance." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:273(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:272(para) msgid "Additionally, the following options are available for the cell scheduler:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:277(option) +#: ./doc/config-reference/compute/section_compute-cells.xml:276(option) msgid "scheduler_retries" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:279(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:278(para) msgid "Specifies how many times the scheduler tries to launch a new instance when no cells are available (default=10)." 
msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:285(option) +#: ./doc/config-reference/compute/section_compute-cells.xml:284(option) msgid "scheduler_retry_delay" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:287(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:286(para) msgid "Specifies the delay (in seconds) between retries (default=2)." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:292(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:291(para) msgid "As an admin user, you can also add a filter that directs builds to a particular cell. The policy.json file must have a line with \"cells_scheduler_filter:TargetCellFilter\" : \"is_admin:True\" to let an admin user specify a scheduler hint to direct a build to a particular cell." msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:301(title) +#: ./doc/config-reference/compute/section_compute-cells.xml:300(title) msgid "Optional cell configuration" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:302(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:301(para) msgid "Cells store all inter-cell communication data, including user names and passwords, in the database. Because the cells data is not updated very frequently, use the option to specify a JSON file to store cells data. With this configuration, the database is no longer consulted when reloading the cells data. The file must have columns present in the Cell model (excluding common database fields and the column). You must specify the queue connection information through a field, instead of , , and so on. 
The has the following form:" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:316(replaceable) +#: ./doc/config-reference/compute/section_compute-cells.xml:315(replaceable) msgid "USERNAME" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:316(replaceable) +#: ./doc/config-reference/compute/section_compute-cells.xml:315(replaceable) msgid "PASSWORD" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:316(replaceable) +#: ./doc/config-reference/compute/section_compute-cells.xml:315(replaceable) msgid "HOSTNAME" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:316(replaceable) +#: ./doc/config-reference/compute/section_compute-cells.xml:315(replaceable) msgid "VIRTUAL_HOST" msgstr "" -#: ./doc/config-reference/compute/section_compute-cells.xml:317(para) +#: ./doc/config-reference/compute/section_compute-cells.xml:316(para) msgid "The scheme can be either qpid or rabbit, as shown previously. The following sample shows this optional configuration:" msgstr "" @@ -9060,7 +9060,7 @@ msgid "Filter scheduler" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:89(para) -msgid "The Filter Scheduler (nova.scheduler.filter_scheduler.FilterScheduler) is the default scheduler for scheduling virtual machine instances. It supports filtering and weighting to make informed decisions on where a new instance should be created." +msgid "The filter scheduler (nova.scheduler.filter_scheduler.FilterScheduler) is the default scheduler for scheduling virtual machine instances. It supports filtering and weighting to make informed decisions on where a new instance should be created." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:98(title) 
@@ -9068,7 +9068,7 @@ msgid "Filters" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:99(para) -msgid "When the Filter Scheduler receives a request for a resource, it first applies filters to determine which hosts are eligible for consideration when dispatching a resource. Filters are binary: either a host is accepted by the filter, or it is rejected. Hosts that are accepted by the filter are then processed by a different algorithm to decide which hosts to use for that request, described in the Weights section." +msgid "When the filter scheduler receives a request for a resource, it first applies filters to determine which hosts are eligible for consideration when dispatching a resource. Filters are binary: either a host is accepted by the filter, or it is rejected. Hosts that are accepted by the filter are then processed by a different algorithm to decide which hosts to use for that request, described in the Weights section." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:108(title) 
@@ -9472,7 +9472,7 @@ msgid "Weights" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:610(para) -msgid "When resourcing instances, the Filter Scheduler filters and weighs each host in the list of acceptable hosts. Each time the scheduler selects a host, it virtually consumes resources on it, and subsequent selections are adjusted accordingly. This process is useful when the customer asks for the same large amount of instances, because weight is computed for each requested instance." +msgid "When resourcing instances, the filter scheduler filters and weights each host in the list of acceptable hosts. Each time the scheduler selects a host, it virtually consumes resources on it, and subsequent selections are adjusted accordingly. This process is useful when the customer asks for the same large amount of instances, because weight is computed for each requested instance." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:617(para) @@ -9480,7 +9480,7 @@ msgid "All weights are normalized before being summed up; the host with the larg msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:621(title) -msgid "Weighing hosts" +msgid "Weighting hosts" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:630(para) @@ -9488,7 +9488,7 @@ msgid "If cells are used, cells are weighted by the scheduler in the same manner msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:632(para) -msgid "Hosts and cells are weighed based on the following options in the /etc/nova/nova.conf file:" +msgid "Hosts and cells are weighted based on the following options in the /etc/nova/nova.conf file:" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:636(caption) 
@@ -9508,7 +9508,7 @@ msgid "scheduler_host_subset_size" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:661(td) -msgid "New instances are scheduled on a host that is chosen randomly from a subset of the N best hosts. This property defines the subset size from which a host is chosen. A value of 1 chooses the first host returned by the weighing functions. This value must be at least 1. A value less than 1 is ignored, and 1 is used instead. Use an integer value." +msgid "New instances are scheduled on a host that is chosen randomly from a subset of the N best hosts. This property defines the subset size from which a host is chosen. A value of 1 chooses the first host returned by the weighting functions. This value must be at least 1. A value less than 1 is ignored, and 1 is used instead. Use an integer value." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:674(literal) @@ -9516,7 +9516,7 @@ msgid "nova.scheduler.weights.all_weighers" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:673(td) -msgid "Defaults to , which selects the only available weigher, the RamWeigher. Hosts are then weighed and sorted with the largest weight winning." +msgid "Defaults to , which selects the RamWeigher. Hosts are then weighted and sorted with the largest weight winning." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:680(td) ./doc/config-reference/compute/section_compute-scheduler.xml:686(td) ./doc/config-reference/compute/section_compute-scheduler.xml:696(td) ./doc/config-reference/compute/section_compute-scheduler.xml:718(td) 
@@ -9528,7 +9528,7 @@ msgid "weight_multiplier" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:682(td) -msgid "Multiplier for weighing metrics. Use a floating-point value." +msgid "Multiplier for weighting metrics. Use a floating-point value." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:687(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:722(option) @@ -9540,7 +9540,7 @@ msgid "name1.value * 1.0 + name2.value * -1.0" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:688(td) -msgid "Determines how metrics are weighed. Use a comma-separated list of metricName=ratio. For example: \"name1=1.0, name2=-1.0\" results in: " +msgid "Determines how metrics are weighted. Use a comma-separated list of metricName=ratio. For example: \"name1=1.0, name2=-1.0\" results in: " msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:697(literal) ./doc/config-reference/compute/section_compute-scheduler.xml:720(option) @@ -9552,7 +9552,7 @@ msgid "TrueRaises an exception. To avoid the raised exception, you should use th msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:709(para) -msgid "FalseTreated as a negative factor in the weighing process (uses the weight_of_unavailable option)." +msgid "FalseTreated as a negative factor in the weighting process (uses the weight_of_unavailable option)." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:698(para) 
@@ -9580,7 +9580,7 @@ msgid "mute_weight_multiplier" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:755(td) -msgid "Multiplier to weigh mute children (hosts which have not sent capacity or capacity updates for some time). Use a negative, floating-point value." +msgid "Multiplier to weight mute children (hosts which have not sent capacity or capacity updates for some time). Use a negative, floating-point value." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:762(literal) @@ -9596,7 +9596,7 @@ msgid "offset_weight_multiplier" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:770(td) -msgid "Multiplier to weigh cells, so you can specify a preferred cell. Use a floating point value." +msgid "Multiplier to weight cells, so you can specify a preferred cell. Use a floating point value." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:777(td) @@ -9608,7 +9608,7 @@ msgid "nova.cells.weights.all_weighers" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:787(td) -msgid "Defaults to , which maps to all cell weighers included with Compute. Cells are then weighed and sorted with the largest weight winning." +msgid "Defaults to , which maps to all cell weighters included with Compute. Cells are then weighted and sorted with the largest weight winning." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:804(title) 
@@ -9616,7 +9616,7 @@ msgid "Chance scheduler" msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:806(para) -msgid "As an administrator, you work with the Filter Scheduler. However, the Compute service also uses the Chance Scheduler, nova.scheduler.chance.ChanceScheduler, which randomly selects from lists of filtered hosts." +msgid "As an administrator, you work with the filter scheduler. However, the Compute service also uses the Chance Scheduler, nova.scheduler.chance.ChanceScheduler, which randomly selects from lists of filtered hosts." msgstr "" #: ./doc/config-reference/compute/section_compute-scheduler.xml:817(para) diff --git a/doc/glossary/locale/glossary.pot b/doc/glossary/locale/glossary.pot index 1c41e89455..a4b28b23f8 100644 --- a/doc/glossary/locale/glossary.pot +++ b/doc/glossary/locale/glossary.pot @@ -1,7 +1,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2014-06-11 06:07+0000\n" +"POT-Creation-Date: 2014-06-30 06:05+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -7526,11 +7526,11 @@ msgid "W" msgstr "" #: ./doc/glossary/glossary-terms.xml:7723(primary) -msgid "weighing" +msgid "weighting" msgstr "" #: ./doc/glossary/glossary-terms.xml:7722(glossterm) -msgid "weighing" +msgid "weighting" msgstr "" #: ./doc/glossary/glossary-terms.xml:7727(para) diff --git a/doc/image-guide/locale/image-guide.pot b/doc/image-guide/locale/image-guide.pot index 54d13e2286..11e7e54496 100644 --- a/doc/image-guide/locale/image-guide.pot +++ b/doc/image-guide/locale/image-guide.pot @@ -1,7 +1,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2014-06-27 06:07+0000\n" +"POT-Creation-Date: 2014-06-30 06:06+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -369,16 +369,214 @@ msgstr "" msgid "When you're done, clean up:" msgstr "" -#: ./doc/image-guide/section_freebsd-example.xml:8(title) +#. When image changes, this message will be marked fuzzy or untranslated for you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/image-guide/section_freebsd-example.xml:158(None) +msgid "@@image: 'figures/freebsd-partitions.png'; md5=47dbba18dda83b095f370a71e1dc3413" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:10(title) msgid "Example: FreeBSD image" msgstr "" -#: ./doc/image-guide/section_freebsd-example.xml:9(para) -msgid "We do not yet have a fully documented example of how to create a FreeBSD image." +#: ./doc/image-guide/section_freebsd-example.xml:11(para) +msgid "This example creates a minimal FreeBSD image that is compatible with OpenStack and bsd-cloudinit. The bsd-cloudinit program is independently maintained and in active development. The best source of information on the current state of the project is at http://pellaeon.github.io/bsd-cloudinit." msgstr "" -#: ./doc/image-guide/section_freebsd-example.xml:11(para) -msgid "See the bsd-cloudinit project for information on how to build a FreeBSD VM image that works with OpenStack." +#: ./doc/image-guide/section_freebsd-example.xml:19(para) +msgid "KVM with virtio drivers is used as the virtualization platform because that is the most widely used among OpenStack operators. If you use a different platform for your cloud virtualization, use that same platform in the image creation step." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:23(para) +msgid "This example shows how to create a FreeBSD 10 image. To create a FreeBSD 9.2 image, follow these steps with the noted differences." 
+msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:27(title) +msgid "To create a FreeBSD image" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:29(para) +msgid "Make a virtual drive:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:31(para) +msgid "The minimum supported disk size for FreeBSD is 1GB. Because the goal is to make the smallest possible base image, the example uses that minimum size. This size is sufficient to include the optional doc, games, and lib32 collections. To include the ports collection, add another 1GB. To include src, add 512MB." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:41(para) +msgid "Get the installer ISO:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:47(para) +msgid "Launch a VM on your local workstation. Use the same hypervisor, virtual disk, and virtual network drivers as you use in your production environment." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:50(para) +msgid "The following command uses the minimum amount of RAM, which is 128MB:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:55(para) +msgid "You can specify up to 1GB additional RAM to make the installation process run faster." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:57(para) +msgid "This VM must also have Internet access to download packages." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:60(para) +msgid "By using the same hypervisor, you can ensure that you emulate the same devices that exist in production. However, if you use full hardware virtualization instead of paravirtualization, you do not need to use the same hypervisor; you must use the same type of virtualized hardware because FreeBSD device names are related to their drivers. If the name of your root block device or primary network interface in production differs than the names used during image creation, errors can occur." 
+msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:70(para) +msgid "You now have a VM that boots from the downloaded install ISO and is connected to the blank virtual disk that you created previously." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:75(para) +msgid "To install the operating system, complete the following steps inside the VM:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:79(para) +msgid "When prompted, choose to run the ISO in Install mode." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:83(para) +msgid "Accept the default keymap or select an appropriate mapping for your needs." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:87(para) +msgid "Provide a host name for your image. If you use bsd-cloudinit, it overrides this value with the name provided by OpenStack when an instance boots from this image." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:93(para) +msgid "When prompted about the optional doc, games, lib32, ports, and src system components, select only those that you need. It is possible to have a fully functional installation without selecting additional components selected. As noted previously, a minimal system with a 1GB virtual disk supports doc, games, and lib32 inclusive. The ports collection requires at least 1GB additional space and possibly more if you plan to install many ports. The src collection requires an additional 512MB." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:109(para) +msgid "Configure the primary network interface to use DHCP. In this example, which uses a virtio network device, this interface is named vtnet0." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:114(para) +msgid "Accept the default network mirror." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:117(para) +msgid "Set up disk partitioning." 
+msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:118(para) +msgid "Disk partitioning is a critical element of the image creation process and the auto-generated default partitioning scheme does not work with bsd-cloudinit at this time." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:123(para) +msgid "Because the default does not work, you must select manual partitioning. The partition editor should list only one block device. If you use virtio for the disk device driver, it is named vtbd0. Select this device and run the command three times:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:131(para) +msgid "Select Create to create a partition table. This action is the default when no partition table exists. Then, select GPT GUID Partition Table from the list. This choice is the default." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:140(para) +msgid "First partition: A 64kB freebsd-boot partition with no mount point." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:145(para) +msgid "Second partition: A freebsd-ufs partition with a mount point of / with all remaining free space." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:138(para) +msgid "Create two partitions:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:153(para) +msgid "The following figure shows a completed partition table with a 1GB virtual disk:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:161(para) +msgid "Select Finish and then Commit to commit your changes." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:165(para) +msgid "If you modify this example, the root partition, which is mounted on /, must be the last partition on the drive so that it can expand at run time to the disk size that your instance type provides. Also note that bsd-cloudinit currently has a hard-coded assumption that this is the second partition." 
+msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:177(para) +msgid "Select a root password." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:180(para) +msgid "Select the CMOS time zone." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:181(para) +msgid "The virtualized CMOS almost always stores its time in UTC, so unless you know otherwise, select UTC." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:185(para) +msgid "Select the time zone appropriate to your environment." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:189(para) +msgid "From the list of services to start on boot, you must select ssh. Optionally, select other services." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:194(para) +msgid "Optionally, add users." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:195(para) +msgid "You do not need to add users at this time. The bsd-cloudinit program adds a freebsd user account if one does not exist. The ssh keys for this user are associated with OpenStack. To customize this user account, you can create it now. For example, you might want to customize the shell for the user." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:204(title) +msgid "Final config" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:205(para) +msgid "This menu enables you to update previous settings. Check that the settings are correct, and click exit." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:210(para) +msgid "After you exit, you can open a shell to complete manual configuration steps. 
Select Yes to make a few OpenStack-specific changes:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:215(para) +msgid "Set up the console:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:217(para) +msgid "This sets console output to go to the serial console, which is displayed by , and the video console for sites with VNC or Spice configured." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:223(para) +msgid "Minimize boot delay:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:227(para) +msgid "Download the latest bsd-cloudinit-installer. The download commands differ between FreeBSD 10.0 and 9.2 because of differences in how the command handles HTTPS URLs." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:232(para) +msgid "In FreeBSD 10.0 the command verifies SSL peers by default, so you need to install the ca_root_nss package that contains certificate authority root certificates and tell where to find them. For FreeBSD 10.0 run these commands:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:241(para) +msgid "FreeBSD 9.2 does not support peer-verification for https. For FreeBSD 9.2, run this command:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:247(para) +msgid "Run the installer:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:249(para) +msgid "The installer installs necessary prerequisites and downloads and installs the latest bsd-cloudinit." +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:254(para) +msgid "Install sudo and configure the freebsd user to have passwordless access:" +msgstr "" + +#: ./doc/image-guide/section_freebsd-example.xml:263(para) +msgid "Power off the system:" msgstr "" #: ./doc/image-guide/ch_converting.xml:4(title) diff --git a/doc/install-guide/locale/install-guide.pot b/doc/install-guide/locale/install-guide.pot index 9e0894b6e9..f507de222b 100644 --- a/doc/install-guide/locale/install-guide.pot 
+++ b/doc/install-guide/locale/install-guide.pot @@ -1,7 +1,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" -"POT-Creation-Date: 2014-06-29 06:06+0000\n" +"POT-Creation-Date: 2014-06-30 06:06+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -836,50 +836,46 @@ msgid "Verify operation" msgstr "" #: ./doc/install-guide/section_glance-verify.xml:6(para) -msgid "This section describes how to verify operation of the Image Service, code-named glance, by using CirrOS. CirrOS is a small Linux image that helps you test OpenStack deployments." +msgid "This section describes how to verify operation of the Image Service using CirrOS, a small Linux image that helps you test your OpenStack deployment." msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:11(para) +#: ./doc/install-guide/section_glance-verify.xml:10(para) msgid "For more information about how to download and build images, see OpenStack Virtual Machine Image Guide. For information about how to manage images, see the OpenStack User Guide." msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:21(para) +#: ./doc/install-guide/section_glance-verify.xml:20(para) msgid "Create and change into a temporary local directory:" msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:26(para) +#: ./doc/install-guide/section_glance-verify.xml:25(para) msgid "Download the image to the local directory:" msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:30(para) ./doc/install-guide/section_nova-networking-initial-network.xml:26(para) ./doc/install-guide/section_neutron-initial-networks.xml:45(para) -msgid "Source the admin tenant credentials:" +#: ./doc/install-guide/section_glance-verify.xml:29(para) ./doc/install-guide/section_glance-install.xml:46(para) +msgid "Source the admin credentials to gain access to admin-only CLI commands:" msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:35(para) +#: ./doc/install-guide/section_glance-verify.xml:34(para) msgid "Upload the image to the Image Service:" msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:36(para) -msgid "For example:" -msgstr "" - -#: ./doc/install-guide/section_glance-verify.xml:60(para) +#: ./doc/install-guide/section_glance-verify.xml:57(para) msgid "For 
information about the parameters for the command, see Image Service command-line client in the OpenStack Command-Line Interface Reference." msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:66(para) +#: ./doc/install-guide/section_glance-verify.xml:63(para) msgid "For information about disk and container formats for images, see Disk and container formats for images in the OpenStack Virtual Machine Image Guide." msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:72(para) +#: ./doc/install-guide/section_glance-verify.xml:69(para) msgid "Because the returned image ID is generated dynamically, your deployment generates a different ID than the one shown in this example." msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:78(para) +#: ./doc/install-guide/section_glance-verify.xml:75(para) msgid "Confirm upload of the image and validate attributes:" msgstr "" -#: ./doc/install-guide/section_glance-verify.xml:88(para) +#: ./doc/install-guide/section_glance-verify.xml:85(para) msgid "Remove the temporary local directory:" msgstr "" @@ -1181,6 +1177,10 @@ msgstr "" msgid "To create the network" msgstr "" +#: ./doc/install-guide/section_nova-networking-initial-network.xml:26(para) ./doc/install-guide/section_neutron-initial-networks.xml:45(para) +msgid "Source the admin tenant credentials:" +msgstr "" + #: ./doc/install-guide/section_nova-networking-initial-network.xml:30(para) ./doc/install-guide/section_neutron-initial-networks.xml:49(para) ./doc/install-guide/section_neutron-initial-networks.xml:136(para) msgid "Create the network:" msgstr "" 
@@ -2306,7 +2306,7 @@ msgid "@@image: 'figures/debconf-screenshots/glance-common_pipeline_flavor.png'; msgstr "" #: ./doc/install-guide/section_glance-install.xml:6(para) -msgid "This section describes how to install and configure the Image Service (glance) on the controller node. For simplicity, this configuration stores images on the local file system." +msgid "This section describes how to install and configure the Image Service, code-named glance, on the controller node. For simplicity, this configuration stores images on the local file system." msgstr "" #: ./doc/install-guide/section_glance-install.xml:10(para) @@ -2345,10 +2345,6 @@ msgstr "" msgid "Exit the database access client:" msgstr "" -#: ./doc/install-guide/section_glance-install.xml:46(para) -msgid "Source the admin credentials to gain access to admin-only CLI commands:" -msgstr "" - #: ./doc/install-guide/section_glance-install.xml:51(para) msgid "To create the Identity service credentials, complete these steps:" msgstr "" diff --git a/doc/install-guide/locale/ja.po b/doc/install-guide/locale/ja.po index 97559d8c9c..e969514914 100644 --- a/doc/install-guide/locale/ja.po +++ b/doc/install-guide/locale/ja.po @@ -5,8 +5,8 @@ msgid "" msgstr "" "Project-Id-Version: OpenStack Manuals\n" -"POT-Creation-Date: 2014-06-29 04:08+0000\n" -"PO-Revision-Date: 2014-06-29 04:21+0000\n" +"POT-Creation-Date: 2014-06-30 04:51+0000\n" +"PO-Revision-Date: 2014-06-30 04:52+0000\n" "Last-Translator: openstackjenkins \n" "Language-Team: Japanese (http://www.transifex.com/projects/p/openstack-manuals-i18n/language/ja/)\n" "MIME-Version: 1.0\n" 
@@ -1505,13 +1505,12 @@ msgstr "運甚の怜蚌" #: ./doc/install-guide/section_glance-verify.xml6(para) msgid "" -"This section describes how to verify operation of the Image Service, code-" -"named glance, by using CirrOS. CirrOS is a small Linux " -"image that helps you test OpenStack deployments." -msgstr "このセクションは、CirrOS を䜿甚しお、コヌド名 glance ずいう Image Service の動䜜を怜蚌する方法に぀いお蚘茉したす。CirrOS は、OpenStack 環境のテストを支揎する、軜量の Linux むメヌゞです。" +"This section describes how to verify operation of the Image Service using " +"CirrOS, a small Linux " +"image that helps you test your OpenStack deployment." +msgstr "" -#: ./doc/install-guide/section_glance-verify.xml11(para) +#: ./doc/install-guide/section_glance-verify.xml10(para) msgid "" "For more information about how to download and build images, see ." msgstr "ダりンロヌド方法ずむメヌゞ構築の詳现はOpenStack 仮想マシンむメヌゞガむドを参照しおください。むメヌゞの管理方法の詳现はOpenStack ナヌザヌガむドを参照しおください。" -#: ./doc/install-guide/section_glance-verify.xml21(para) +#: ./doc/install-guide/section_glance-verify.xml20(para) msgid "Create and change into a temporary local directory:" msgstr "ロヌカル䞀時ディレクトリを䜜成し、移動したす。" -#: ./doc/install-guide/section_glance-verify.xml26(para) +#: ./doc/install-guide/section_glance-verify.xml25(para) msgid "Download the image to the local directory:" msgstr "むメヌゞをロヌカルディレクトリにダりンロヌドしたす。" -#: ./doc/install-guide/section_glance-verify.xml30(para) -#: ./doc/install-guide/section_nova-networking-initial-network.xml26(para) -#: ./doc/install-guide/section_neutron-initial-networks.xml45(para) -msgid "Source the admin tenant credentials:" -msgstr "admin プロゞェクトのクレデンシャルを読み蟌みたす。" +#: ./doc/install-guide/section_glance-verify.xml29(para) +#: ./doc/install-guide/section_glance-install.xml46(para) +msgid "" +"Source the admin credentials to gain access to admin-only" +" CLI commands:" +msgstr "" -#: ./doc/install-guide/section_glance-verify.xml35(para) +#: ./doc/install-guide/section_glance-verify.xml34(para) msgid "Upload the image to the Image Service:" msgstr "むメヌゞを Image Service 
にアップロヌドしたす。" -#: ./doc/install-guide/section_glance-verify.xml36(para) -msgid "For example:" -msgstr "䟋:" - -#: ./doc/install-guide/section_glance-verify.xml60(para) +#: ./doc/install-guide/section_glance-verify.xml57(para) msgid "" "For information about the parameters for the command, see " "OpenStack Command-Line Interface Reference." msgstr " コマンドのパラメヌタヌの詳现は、OpenStack Command-Line Interface Reference の Image Service command-line client を参照しおください。" -#: ./doc/install-guide/section_glance-verify.xml66(para) +#: ./doc/install-guide/section_glance-verify.xml63(para) msgid "" "For information about disk and container formats for images, see OpenStack Virtual Machine Image Guide." msgstr "むメヌゞのディスクずコンテナヌ圢匏に関する詳现は、OpenStack Virtual Machine Image Guide の Disk and container formats for images を参照しおください。" -#: ./doc/install-guide/section_glance-verify.xml72(para) +#: ./doc/install-guide/section_glance-verify.xml69(para) msgid "" "Because the returned image ID is generated dynamically, your deployment " "generates a different ID than the one shown in this example." msgstr "返されたむメヌゞ ID は動的に倉曎されるため、導入環境によりこの䟋で瀺されおいるものず異なる ID が生成されたす。" -#: ./doc/install-guide/section_glance-verify.xml78(para) +#: ./doc/install-guide/section_glance-verify.xml75(para) msgid "Confirm upload of the image and validate attributes:" msgstr "むメヌゞがアップロヌドされたこずを確認し、属性を怜蚌したす。" -#: ./doc/install-guide/section_glance-verify.xml88(para) +#: ./doc/install-guide/section_glance-verify.xml85(para) msgid "Remove the temporary local directory:" msgstr "ロヌカル䞀時ディレクトリを削陀したす。" 
@@ -2134,6 +2130,11 @@ msgstr "これらのコマンドをコントロヌラヌノヌドで実行した msgid "To create the network" msgstr "ネットワヌクの䜜成方法" +#: ./doc/install-guide/section_nova-networking-initial-network.xml26(para) +#: ./doc/install-guide/section_neutron-initial-networks.xml45(para) +msgid "Source the admin tenant credentials:" +msgstr "admin プロゞェクトのクレデンシャルを読み蟌みたす。" + #: ./doc/install-guide/section_nova-networking-initial-network.xml30(para) #: ./doc/install-guide/section_neutron-initial-networks.xml49(para) #: ./doc/install-guide/section_neutron-initial-networks.xml136(para) @@ -3925,9 +3926,9 @@ msgstr "@@image: 'figures/debconf-screenshots/glance-common_pipeline_flavor.png' #: ./doc/install-guide/section_glance-install.xml6(para) msgid "" -"This section describes how to install and configure the Image Service " -"(glance) on the controller node. For simplicity, this configuration stores " -"images on the local file system." +"This section describes how to install and configure the Image Service, code-" +"named glance, on the controller node. For simplicity, this configuration " +"stores images on the local file system." msgstr "" #: ./doc/install-guide/section_glance-install.xml10(para) @@ -3977,12 +3978,6 @@ msgstr "" msgid "Exit the database access client:" msgstr "" -#: ./doc/install-guide/section_glance-install.xml46(para) -msgid "" -"Source the admin credentials to gain access to admin-only" -" CLI commands:" -msgstr "" - #: ./doc/install-guide/section_glance-install.xml51(para) msgid "To create the Identity service credentials, complete these steps:" msgstr "" diff --git a/doc/security-guide/locale/ja.po b/doc/security-guide/locale/ja.po new file mode 100644 index 0000000000..93870a840c --- /dev/null +++ b/doc/security-guide/locale/ja.po 
@@ -0,0 +1,10242 @@ +# +# Translators: +# Akira Yoshiyama , 2013-2014 +# yfukuda , 2014 +# Mitsuhiro Tanino , 2014 +# myamamot , 2013-2014 +# Tomoaki Nakajima <>, 2013-2014 +# Tomoya goto , 2013-2014 +# Tomoyuki KATO , 2013-2014 +# Toru Makabe , 2013-2014 +# ykatabam , 2013-2014 +msgid "" +msgstr "" +"Project-Id-Version: OpenStack Manuals\n" +"POT-Creation-Date: 2014-06-29 10:05+0000\n" +"PO-Revision-Date: 2014-06-27 06:31+0000\n" +"Last-Translator: Tomoyuki KATO \n" +"Language-Team: Japanese (http://www.transifex.com/projects/p/openstack-manuals-i18n/language/ja/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ja\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml8(title) +msgid "SSL proxies and HTTP services" +msgstr "SSLプロキシずHTTPサヌビス" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml9(para) +msgid "" +"OpenStack endpoints are HTTP services providing APIs to both end-users on " +"public networks and to other OpenStack services within the same deployment " +"operating over the management network. It is highly recommended these " +"requests, both those internal and external, operate over SSL." +msgstr "OpenStack ゚ンドポむントは、パブリックネットワヌク䞊の゚ンドナヌザヌず、管理ネットワヌクを介しお操䜜する同じデプロむ䞭の他 OpenStack サヌビスの䞡方に察しお API を提䟛する HTTP サヌビスです。これらのリク゚スト内郚ず倖郚の䞡方を SSL 䞊で操䜜する事を匷く掚奚したす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml10(para) +msgid "" +"In order for API requests to be encrypted by SSL it's necessary to position " +"the API services behind a proxy that will establish and terminate SSL " +"sessions. 
The following table offers a non-exhaustive list of software " +"services that can proxy SSL traffic for API requests:" +msgstr "API リク゚ストを SSL で暗号化する為に、APIサヌビスはSSLセッションを確立・切断するプロキシの埌ろに䜍眮する必芁がありたす。䞋蚘の衚はAPIリク゚スト甚にSSLトラフィックをプロキシ可胜な゜フトりェアサヌビスのあたり厳密でない䞀芧を瀺しおいたす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml12(link) +msgid "Pound" +msgstr "Pound" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml15(link) +#: ./doc/security-guide/ch020_ssl-everywhere.xml153(title) +msgid "Stud" +msgstr "Stud" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml18(link) +#: ./doc/security-guide/ch020_ssl-everywhere.xml191(title) +msgid "nginx" +msgstr "nginx" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml21(link) +msgid "Apache httpd" +msgstr "Apache httpd" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml24(para) +msgid "Hardware appliance SSL acceleration proxies" +msgstr "ハヌドりェアアプラむアンス SSLアクセラレヌションプロキシ" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml27(para) +msgid "" +"It is important to be mindful of the size of requests that will be processed" +" by any chosen SSL proxy." +msgstr "遞択したSSLプロキシによっお凊理されるリク゚ストのサむズを気にする事は重芁です。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml29(title) +msgid "Examples" +msgstr "䟋" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml30(para) +msgid "" +"Below we provide some sample recommended configuration settings for enabling" +" SSL in some of the more popular web servers/SSL terminators. Note that we " +"have SSL v3 enabled in some of these examples as this will be required in " +"many deployments for client compatibility." +msgstr "以䞋に、幟぀かの䞻な有名 Web サヌバSSL 終端でSSLを有効にする為の幟぀かの掚奚蚭定䟋を瀺したす。クラむアント互換性の為に倚くのデプロむで必芁になる筈なので、幟぀かの䟋ではSSL v3 が有効になっおいる点に泚意しお䞋さい。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml31(para) +msgid "" +"Before we delve into the configurations, we briefly discuss the ciphers' " +"configuration element and its format. 
A more exhaustive treatment on " +"available ciphers and the OpenSSL cipher list format can be found at: ciphers." +msgstr "蚭定を掘り䞋げる前に、暗号の蚭定芁玠ずその圢匏に぀いお簡単に議論したす。利甚可胜な暗号におけるより包括的な䜿い方、および OpenSSL 暗号䞀芧圢匏が ciphers にありたす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml35(para) +msgid "or" +msgstr "たたは" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml39(para) +msgid "" +"Cipher string options are separated by \":\", while \"!\" provides negation " +"of the immediately following element. Element order indicates preference " +"unless overridden by qualifiers such as HIGH. Let us take a closer look at " +"the elements in the above sample strings." +msgstr "暗号オプションの文字列は「:」で区切られたす。「!」は盎埌の芁玠の吊定を意味したす。芁玠の順番は、HIGH のような修食語句により䞊曞きされない限り、優先床を意味したす。䞊のサンプル文字列の芁玠をもう少し具䜓的に芋おいきたしょう。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml42(code) +msgid "kEECDH:kEDH" +msgstr "kEECDH:kEDH" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml44(para) +msgid "" +"Ephemeral Elliptic Curve Diffie-Hellman (abbreviated as EECDH and ECDHE)." +msgstr "楕円曲線ディフィヌ・ヘルマン (EECDH や ECDHE ず略す)" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml45(para) +msgid "" +"Ephemeral Diffie-Hellman (abbreviated either as EDH or DHE) uses prime field" +" groups." +msgstr "䞀時ディフィヌ・ヘルマン (EDH や DHE ず略す) は玠䜓グルヌプを䜿甚したす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml46(para) +msgid "" +"Both approaches provide Perfect Forward " +"Secrecy (PFS)." +msgstr "どちらの方法も Perfect Forward Secrecy (PFS) を提䟛したす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml47(para) +msgid "" +"Ephemeral Elliptic Curves require the server to be configured with a named " +"curve, and provide better security than prime field groups and at lower " +"computational cost. However, prime field groups are more widely implemented," +" and thus typically both are included in list." 
+msgstr "䞀時楕円曲線はサヌバヌが名前付き曲線を甚いお蚭定されおいる必芁がありたす。玠䜓グルヌプよりセキュリティが高く、蚈算コストが䜎いです。しかしながら、玠䜓グルヌプはより幅広く実装されおいるので、䞀般的にどちらも䞀芧に含たれたす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml51(code) +msgid "kRSA" +msgstr "kRSA" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml53(para) +msgid "" +"Cipher suites using the RSA " +"exchange, authentication or either respectively." +msgstr "RSA の鍵亀換、認蚌、たたはその䞡方を䜿甚する暗号スむヌト。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml57(code) +msgid "HIGH" +msgstr "HIGH" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml59(para) +msgid "" +"Selects highest possible security cipher in the negotiation phase. These " +"typically have keys of length 128 bits or longer." +msgstr "ネゎシ゚ヌション段階で利甚可胜な最高のセキュリティ暗号を遞択したす。これらは䞀般的に 128 ビット以䞊の鍵を持ちたす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml63(code) +msgid "!RC4" +msgstr "!RC4" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml65(para) +msgid "" +"No RC4. RC4 has flaws in the context of TLS/SSL V3. See On the Security of " +"RC4 in TLS and WPA." +msgstr "RC4 䜿甚䞍可。RC4 は TLS/SSL V3 の文脈で欠陥がありたす。 On the Security of RC4 in TLS and WPA を参照しおください。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml69(code) +msgid "!MD5" +msgstr "!MD5" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml71(para) +msgid "" +"No MD5. MD5 is not collision resistant, and thus not acceptable for Message " +"Authentication Codes (MAC) or signatures." +msgstr "MD5 䜿甚䞍可。MD5 は衝突耐性がないため、メッセヌゞ認蚌コヌド (MAC) や眲名に利甚できたせん。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml75(code) +msgid "!aNULL:!eNULL" +msgstr "!aNULL:!eNULL" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml77(para) +msgid "Disallows clear text" +msgstr "平文を犁止したす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml81(code) +msgid "!EXP" +msgstr "!EXP" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml83(para) +msgid "" +"Disallows export encryption algorithms, which by design tend to were weak, " +"typically using 40 and 56 bit keys." 
+msgstr "export 暗号アルゎリズムを無効化したす。これは、蚭蚈ずしお匱く、䞀般的に 40 ビットか 56 ビットの鍵を䜿甚しおいたす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml84(para) +msgid "" +"US Export restrictions on cryptography systems have been lifted and no " +"longer need to be supported." +msgstr "暗号システムにおけるアメリカ茞出芏制を解かれおいお、もはやサポヌトする必芁がありたせん。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml88(code) +msgid "!LOW:!MEDIUM" +msgstr "!LOW:!MEDIUM" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml90(para) +msgid "" +"Disallows low (keys 56 or 64 bits long) and medium (128 bit long keys) " +"ciphers because of their vulnerability to brute force attacks (example " +"2-DES). This constraint leaves acceptable Triple Data Encryption Standard " +"(Triple DES) also known as Triple Data Encryption Algorithm (TDEA) and the " +"Advanced Encryption Standard (AES), each of which has keys greater than " +"equal to 128 bits and thus more secure." +msgstr "総圓たり攻撃ぞの脆匱性のため、䜎床 (56/64 ビット長の鍵) ず䞭皋床 (128 ビット長の鍵) の暗号を無効化したす (䟋: 2-DES)。この制限は、Triple Data Encryption Algorithm (TDEA) ずしおも知られおいる Triple Data Encryption Standard (3-DES)、Advanced Encryption Standard (AES) を利甚できる状態にしたす。このどちらも 128 ビット以䞊の鍵を持぀ため、よりセキュアです。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml94(code) +msgid "Protocols" +msgstr "プロトコル" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml96(para) +msgid "" +"Protocols are enabled/disabled through SSL_CTX_set_options. We recommend " +"disabling SSLv2 and enabling TLS or SSLv3 (which was standardised as TLS " +"with a few changes)." +msgstr "プロトコルは SSL_CTX_set_options により有効化、無効化できたす。SSLv2 を無効化し、TLS や SSLv3 (いく぀か倉曎をしお TLS ずしお暙準化されたした) を有効化するこずを掚奚したす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml101(title) +msgid "Pound - with AES-NI acceleration" +msgstr "PoundAES-NI アクセラレヌション付き" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml154(para) +msgid "" +"This stud example enables SSL v3 for client compatibility. 
The ciphers line " +"can be tweaked based on your needs, however this is a reasonable starting " +"place." +msgstr "この Stud の䟋は、クラむアント互換性の為に SSL v3 を有効にしおいたす。ciphers 行は必芁に応じおいじる事が出来たすが、しかしながらこの䟋の倀は合理的な初期倀です。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml192(para) +msgid "" +"This nginx example requires TLS v1.1 or v1.2 for maximum security. The " +"ssl_ciphers line can be tweaked based on your needs, however this is a " +"reasonable starting place." +msgstr "この nginx の䟋は、セキュリティを最倧化する為に TLS v1.1 又は v1.2 を必芁ずしたす。ssl_ciphers 行は必芁に応じお倉曎可胜ですが、しかしながらこの䟋の倀は合理的な初期倀です。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml208(title) +msgid "Apache" +msgstr "Apache" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml233(para) +msgid "" +"Compute API SSL endpoint in Apache, which you must pair with a short WSGI " +"script." +msgstr "Apache 䞭の Compute API SSL ゚ンドポむント (短い WSGI スクリプトず組み合わせる必芁あり)" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml257(title) +msgid "HTTP strict transport security" +msgstr "HTTP Strict Transport Security" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml258(para) +msgid "" +"We recommend that all production deployments use HSTS. This header prevents " +"browsers from making insecure connections after they have made a single " +"secure one. If you have deployed your HTTP services on a public or an " +"untrusted domain, HSTS is especially important. To enable HSTS, configure " +"your web server to send a header like this with all requests:" +msgstr "党おの補品で HSTS を䜿甚する事を掚奚したす。このヘッダは、ブラりザが単䞀のセキュアな接続を確立した埌に、セキュアでない接続を確立する事を防止したす。パブリック䞊あるいは信甚出来ないドメむン䞊の HTTP サヌビスをデプロむした堎合、HSTS は特に重芁です。HSTS を有効にするためには、党リク゚ストでこのようなヘッダを送信するよう Web サヌバを蚭定したす。" + +#: ./doc/security-guide/ch020_ssl-everywhere.xml260(para) +msgid "" +"Start with a short timeout of 1 day during testing, and raise it to one year" +" after testing has shown that you haven't introduced problems for users. 
" +"Note that once this header is set to a large timeout, it is (by design) very" +" difficult to disable." +msgstr "テストでは1日の短いタむムアりトで始め、テストでナヌザヌに問題が発生しなかった事を確認した埌で蚭定を幎たで増やしたす。䞀旊このヘッダヌに倧きなタむムアりトを蚭定しおしたうず、無効化する事は (蚭蚈䞊) 非垞に困難です。" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml6(title) +msgid "OpenStack Security Guide" +msgstr "OpenStack セキュリティガむド" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml14(orgname) +#: ./doc/security-guide/bk-openstack-sec-guide.xml19(holder) +msgid "OpenStack Foundation" +msgstr "OpenStack Foundation" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml18(year) +msgid "2013" +msgstr "2013" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml21(releaseinfo) +msgid "current" +msgstr "カレント" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml22(productname) +msgid "OpenStack" +msgstr "OpenStack" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml26(remark) +msgid "Copyright details are filled in by the template." +msgstr "Copyright details are filled in by the template." + +#: ./doc/security-guide/bk-openstack-sec-guide.xml31(para) +msgid "" +"This book provides best practices and conceptual information about securing " +"an OpenStack cloud." +msgstr "本曞は OpenStack クラりドを安党にするためのベストプラクティスず基本的な考え方に぀いお曞かれおいたす。" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml38(date) +msgid "2013-12-02" +msgstr "2013-12-02" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml42(para) +msgid "Chapter on Object Storage added." +msgstr "Object Storage に関する章を远加したした。" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml48(date) +msgid "2013-10-17" +msgstr "2013-10-17" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml52(para) +msgid "Havana release." +msgstr "Havana リリヌス。" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml58(date) +msgid "2013-07-02" +msgstr "2013-07-02" + +#: ./doc/security-guide/bk-openstack-sec-guide.xml62(para) +msgid "Initial creation..." +msgstr "初版䜜成..." + +#. 
When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch033_securing-neutron-services.xml40(None) +#: ./doc/security-guide/ch033_securing-neutron-services.xml45(None) +msgid "" +"@@image: 'static/1aa-logical-neutron-flow.png'; " +"md5=3589a1ef10ea2bbe189ca90e3c932df2" +msgstr "@@image: 'static/1aa-logical-neutron-flow.png'; md5=3589a1ef10ea2bbe189ca90e3c932df2" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml8(title) +msgid "Securing OpenStack Networking services" +msgstr "OpenStack Networking サヌビスのセキュリティ匷化" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml9(para) +msgid "" +"To secure OpenStack Networking, you must understand how the workflow process" +" for tenant instance creation needs to be mapped to security domains." +msgstr "OpenStack Networking のセキュリティを匷化する為に、どの皋床テナントむンスタンス䜜成甚のワヌクフロヌプロセスをセキュリティドメむンにマッピングさせる必芁があるこずを理解しなくおはいけたせん。" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml13(para) +msgid "" +"There are four main services that interact with OpenStack Networking. 
In a " +"typical OpenStack deployment these services map to the following security " +"domains:" +msgstr "OpenStack Networking ず亀信する䞻芁なサヌビスが぀ありたす。兞型的な OpenStack デプロむでは、これらのサヌビスは以䞋のセキュリティドメむンにマッピングされたす。" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml18(para) +msgid "OpenStack dashboard: Public and management" +msgstr "OpenStack Dashboard: パブリック、管理" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml21(para) +msgid "OpenStack Identity: Management" +msgstr "OpenStack Identity: 管理" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml24(para) +msgid "OpenStack compute node: Management and guest" +msgstr "OpenStack Compute ノヌド: 管理、ゲスト" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml27(para) +msgid "" +"OpenStack network node: Management, guest, and possibly public depending " +"upon neutron-plugin in use." +msgstr "OpenStack ネットワヌクノヌド: 管理、ゲスト䜿甚する neutron プラグむンによっおはパブリックも可胜性あり" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml31(para) +msgid "" +"SDN services node: Management, guest and possibly public depending upon " +"product used." +msgstr "SDB サヌビスノヌド管理、ゲスト 䜿甚する補品によっおはパブリックも可胜性あり" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml49(para) +msgid "" +"To isolate sensitive data communication between the OpenStack Networking " +"services and other OpenStack core services, configure these communication " +"channels to only allow communication over an isolated management network." 
+msgstr "OpenStack Networking サヌビスず他の OpenStack コアサヌビス間の扱いの難しいデヌタ通信を分離する為、通信を独立した管理ネットワヌク䞊でのみ行うように通信路を蚭定したす。" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml54(title) +msgid "OpenStack Networking service configuration" +msgstr "OpenStack Networking サヌビス蚭定" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml56(title) +msgid "Restrict bind address of the API server: neutron-server" +msgstr "API サヌバがバむンドするアドレスの制限: neutron-server" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml57(para) +msgid "" +"To restrict the interface or IP address on which the OpenStack Networking " +"API service binds a network socket for incoming client connections, specify " +"the bind_host and bind_port in the neutron.conf file as shown:" +msgstr "OpenStack Networking API サヌビスが倖からのクラむアント通信甚にネットワヌク゜ケットをバむンドするネットワヌクむンタヌフェヌス又は IP アドレスを制限する為、neutron.conf ファむル䞭の bind_host ず bind_port を以䞋のように指定したす。" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml64(replaceable) +msgid "IP ADDRESS OF SERVER" +msgstr "IP ADDRESS OF SERVER" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml70(title) +msgid "Restrict DB and RPC communication of the OpenStack Networking services" +msgstr "OpenStack Networking サヌビス矀の DB ず RPC 通信の制限" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml72(para) +msgid "" +"Various components of the OpenStack Networking services use either the " +"messaging queue or database connections to communicate with other components" +" in OpenStack Networking." +msgstr "OpenStack Networking サヌビスの様々なコンポヌネントは、OpenStack Networking 䞭の他のコンポヌネントずの通信にメッセヌゞキュヌ又はデヌタベヌス接続のいずれかを䜿甚したす。" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml77(para) +msgid "" +"It is recommended that you follow the guidelines provided in the Database " +"Authentication and Access Control chapter in the Database section for all " +"components that require direct DB connections." 
+msgstr "DB ぞの盎接接続を必芁ずする党おのコンポヌネントに察し、デヌタベヌスの章のデヌタベヌス認蚌ずアクセスコントロヌルの節で瀺されたガむドラむンに埓う事を掚奚したす。" + +#: ./doc/security-guide/ch033_securing-neutron-services.xml82(para) +msgid "" +"It is recommended that you follow the guidelines provided in the Queue " +"Authentication and Access Control chapter in the Messaging section for all " +"components that require RPC communication." +msgstr "RPC 通信を必芁ずする党おのコンポヌネントに察し、メッセヌゞングの章のキュヌ認蚌ずアクセスコントロヌルの節䞭で瀺されたガむドラむンに埓う事を掚奚したす。" + +#: ./doc/security-guide/ch063_compliance-activities.xml8(title) +msgid "Compliance activities" +msgstr "コンプラむアンス掻動" + +#: ./doc/security-guide/ch063_compliance-activities.xml9(para) +msgid "" +"There are a number of standard activities that will greatly assist with the " +"compliance process. In this chapter we outline some of the most common " +"compliance activities. These are not specific to OpenStack, however we " +"provide references to relevant sections in this book as useful context." +msgstr "コンプラむアンスのプロセスを倧きく掚進する、暙準的な掻動は数倚くありたす。この章ではいく぀かの代衚的なコンプラむアンス掻動を玹介したす。これらはOpenStack固有ではありたせんが、関係がわかるよう、このガむドの関連する節ぞの参照も蚘茉したす。" + +#: ./doc/security-guide/ch063_compliance-activities.xml11(title) +msgid "Information Security Management system (ISMS)" +msgstr "Information Security Management System (ISMS)" + +#: ./doc/security-guide/ch063_compliance-activities.xml12(para) +msgid "" +"An Information Security Management System (ISMS) is a comprehensive set of " +"policies and processes that an organization creates and maintains to manage " +"risk to information assets. The most common ISMS for cloud deployments is " +"ISO/IEC 27001/2, " +"which creates a solid foundation of security controls and practices for " +"achieving more stringent compliance certifications." 
+msgstr "Information Security Management System (ISMS)は包括的なポリシヌずポロセスの集合です。組織が情報資産に関するリスクを管理するため、䜜成、維持したす。もっずも䞀般的なクラりド向けISMSはISO/IEC 27001/2です。より厳栌なコンプラむアンス認蚌取埗に向けお、セキュリティ統制ず実践の確かな基盀を構築したす。 " + +#: ./doc/security-guide/ch063_compliance-activities.xml15(title) +msgid "Risk assessment" +msgstr "リスク評䟡" + +#: ./doc/security-guide/ch063_compliance-activities.xml16(para) +msgid "" +"A risk assessment framework identifies risks within an organization or " +"service, and specifies ownership of these risks, along with implementation " +"and mitigation strategies. Risks apply to all areas of the service, from " +"technical controls to environmental disaster scenarios and human elements, " +"for example a malicious insider (or rogue employee). Risks can be rated " +"using a variety of mechanisms, for example likelihood vs impact. An " +"OpenStack deployment risk assessment can include control gaps that are " +"described in this book." +msgstr "リスク評䟡フレヌムワヌクは、組織やサヌビス内のリスクを特定したす。たた、それらのリスク、実装ず緩和戊略の責任者を明確にしたす。リスクは党おのサヌビスに適甚され、その範囲は技術統制から環境灜害、人的芁因にわたりたす。人的芁因の䟋は、悪意ある内郚監芖者(や䞍良瀟員)などです。リスクは発生確率や圱響床など、倚様な指暙を䜿っお評䟡されたす。OpenStack環境のリスク評䟡はこのガむドで觊れられおいる統制のギャップを含みたす。" + +#: ./doc/security-guide/ch063_compliance-activities.xml19(title) +msgid "Access and log reviews" +msgstr "アクセスずログのレビュヌ" + +#: ./doc/security-guide/ch063_compliance-activities.xml20(para) +msgid "" +"Periodic access and log reviews are required to ensure authentication, " +"authorization, and accountability in a service deployment. Specific guidance" +" for OpenStack on these topics are discussed in-depth in the logging " +"section." 
+msgstr "定期的なアクセスずログの怜査は、認蚌、認可ずサヌビス配備における責任を明確にするため、必芁です。これらのトピックに関するOpenStack向けのガむダンスは、ロギングの節で詳现に説明したす。" + +#: ./doc/security-guide/ch063_compliance-activities.xml23(title) +msgid "Backup and disaster recovery" +msgstr "バックアップず灜害察策" + +#: ./doc/security-guide/ch063_compliance-activities.xml24(para) +msgid "" +"Disaster Recovery (DR) and Business Continuity Planning (BCP) plans are " +"common requirements for ISMS and compliance activities. These plans must be " +"periodically tested as well as documented. In OpenStack key areas are found " +"in the management security domain, and anywhere that single points of " +"failure (SPOFs) can be identified. See the section on secure backup and " +"recovery for additional details." +msgstr "灜害察策(Disaster Recovery, DR)ずビゞネス継続蚈画(Business Continuity Planning, BCP)はISMSずコンプラむアンス掻動で共通の芁件です。それらの蚈画は定期的な怜査ず文曞化が必芁ずしたす。OpenStackの䞻芁領域はマネゞメントセキュリティ領域にあたり、すべおの単䞀障害点(Single Point of Failures, SPOFs)が特定されなければいけたせん。詳现は、安党なバックアップずリカバリヌの節を参照しおください。" + +#: ./doc/security-guide/ch063_compliance-activities.xml27(title) +msgid "Security training" +msgstr "セキュリティトレヌニング" + +#: ./doc/security-guide/ch063_compliance-activities.xml28(para) +msgid "" +"Annual, role-specific, security training is a mandatory requirement for " +"almost all compliance certifications and attestations. To optimise the " +"effectiveness of security training, a common method is to provide role " +"specific training, for example to developers, operational personnel, and " +"non-technical employees. Additional cloud security or OpenStack security " +"training based on this hardening guide would be ideal." 
+msgstr "幎次でのロヌル別セキュリティトレヌニングは、ほがすべおのコンプラむアンス認蚌、認定で必須の芁件です。セキュリティトレヌニングの効果を最適化するため、䞀般的にはロヌル別に実斜したす。䟋えば開発者、運甚担圓者、非技術者別、などです。加えお、このガむドにもずづくクラりド、OpenStackセキュリティに関するトレヌニングの実斜が理想的でしょう。" + +#: ./doc/security-guide/ch063_compliance-activities.xml31(title) +msgid "Security reviews" +msgstr "セキュリティの怜査" + +#: ./doc/security-guide/ch063_compliance-activities.xml32(para) +msgid "" +"As OpenStack is a popular open source project, much of the codebase and " +"architecture has been scrutinized by individual contributors, organizations " +"and enterprises. This can be advantageous from a security perspective, " +"however the need for security reviews is still a critical consideration for " +"service providers, as deployments vary, and security is not always the " +"primary concern for contributors. A comprehensive security review process " +"may include architectural review, threat modelling, source code analysis and" +" penetration testing. There are many techniques and recommendations for " +"conducting security reviews that can be found publicly posted. A well-tested" +" example is the Microsoft" +" SDL, created as part of the Microsoft Trustworthy Computing " +"Initiative." +msgstr "OpenStackは人気のあるオヌプン゜ヌスプロゞェクトです。倚くの゜ヌスコヌドずアヌキテクチャはデベロッパヌ、組織、䌁業によっお粟査されおいたす。これはセキュリティの芳点から倧きな利点ですが、セキュリティ怜査はサヌビスプロバむダヌにずっお、それでもなお重倧な懞念事項です。環境は倉化し぀づけたすが、セキュリティは必ずしも開発者の䞀番の関心事ではないからです。包括的なセキュリティ怜査プロセスずしお、アヌキテクチャ怜査、脅嚁のモデリング、゜ヌスコヌド分析ず䟵入テストなどが挙げられたす。そしお、セキュリティ怜査には広く公開されおいる倚くのテクニックず掚奚がありたす。よくテストされた䟋ずしお、Microsoft Trustworthy Computing Initiativeのずりくみずしお䜜成された、Microsoft SDLがありたす。" + +#: ./doc/security-guide/ch063_compliance-activities.xml48(title) +#: ./doc/security-guide/ch012_configuration-management.xml16(title) +msgid "Vulnerability management" +msgstr "脆匱性管理" + +#: ./doc/security-guide/ch063_compliance-activities.xml49(para) +msgid "" +"Security updates are critical to any IaaS deployment, whether private or " +"public. Vulnerable systems expand attack surfaces, and are obvious targets " +"for attackers. 
Common scanning technologies and vulnerability notification " +"services can help mitigate this threat. It is important that scans are " +"authenticated and that mitigation strategies extend beyond simple perimeter " +"hardening. Multi-tenant architectures such as OpenStack are particularly " +"prone to hypervisor vulnerabilities, making this a critical part of the " +"system for vulnerability management. See the section on instance isolation " +"for additional details." +msgstr "セキュリティアップデヌトはプラむベヌト、パブリックを問わず、あらゆるIaaS環境においお重芁です。脆匱なシステムは攻撃面を広げ、攻撃者にタヌゲットをさらしおしたいたす。䞀般的なスキャニング技術ず脆匱性怜知サヌビスはこの脅嚁を和らげるのに圹立ちたす。スキャンが認蚌されたものであり、その緩和戊略が単なる境界線の防埡力向䞊にずどたらないこずが重芁です。OpenStackのようなマルチテナントアヌキテクチャは特にハむパヌバむザヌの脆匱性に圱響されやすく、それはシステムの脆匱性管理の重点項目です。詳现はむンスタンス隔離の節を参照しおください。" + +#: ./doc/security-guide/ch063_compliance-activities.xml52(title) +msgid "Data classification" +msgstr "デヌタの分類" + +#: ./doc/security-guide/ch063_compliance-activities.xml53(para) +msgid "" +"Data Classification defines a method for classifying and handling " +"information, often to protect customer information from accidental or " +"deliberate theft, loss, or inappropriate disclosure. Most commonly this " +"involves classifying information as sensitive or non-sensitive, or as " +"personally identifiable information (PII). Depending on the context of the " +"deployment various other classifying criteria may be used (government, " +"health-care etc). The underlying principle is that data classifications are " +"clearly defined and in-use. The most common protective mechanisms include " +"industry standard encryption technologies. See the data security section for" +" additional details." 
+msgstr "デヌタの分類䜜業は、倚くの堎合、顧客情報を事故、故意の窃盗、損倱、䞍適切な公開から保護するため、情報の分類ず扱いの方法を定矩したす。䞀般的にこの䜜業は、情報を機密性の有無、個人識別の可䞍可(Personally Identifiable Information, PII)による分類を含みたす。䜿甚される基準はその環境、背景によっお様々です(政府、ヘルスケアなど)。そしお根本的な原則は、そのデヌタ分類が明確に定矩され、通垞利甚されおいるこずです。もっずも䞀般的な保護メカニズムには、業界暙準の暗号化技術が挙げられたす。詳现はデヌタセキュリティの節を参照しおください。" + +#: ./doc/security-guide/ch063_compliance-activities.xml56(title) +msgid "Exception process" +msgstr "䟋倖プロセス" + +#: ./doc/security-guide/ch063_compliance-activities.xml57(para) +msgid "" +"An exception process is an important component of an ISMS. When certain " +"actions are not compliant with security policies that an organization has " +"defined, they must be logged. Appropriate justification, description and " +"mitigation details need to be included, and signed off by appropriate " +"authorities. OpenStack default configurations may vary in meeting various " +"compliance criteria, areas that fail to meet compliance requirements should " +"be logged, with potential fixes considered for contribution to the " +"community." +msgstr "䟋倖プロセスはISMSの重芁な芁玠です。ずある行動が組織の定矩したセキュリティポリシヌに準拠しおいない堎合、それは蚘録されなければいけたせん。適正な理由ず緩和策の詳现が含たれ、関係圓局に認められる必芁がありたす。OpenStackのデフォルト構成は、様々なコンプラむアンス基準、蚘録されるべきコンプラむアンス基準を満たすべく、倉化しおいくでしょう。たたそれは、コミュニティぞの貢献によっお修正されおいく可胜性がありたす。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch004_book-introduction.xml113(None) +#: ./doc/security-guide/ch004_book-introduction.xml118(None) +msgid "" +"@@image: 'static/marketecture-diagram.png'; " +"md5=4ab13a64f80c210be3120abc5c7aee8a" +msgstr "@@image: 'static/marketecture-diagram.png'; md5=4ab13a64f80c210be3120abc5c7aee8a" + +#: ./doc/security-guide/ch004_book-introduction.xml8(title) +msgid "Introduction to OpenStack" +msgstr "OpenStack の抂芁" + +#: ./doc/security-guide/ch004_book-introduction.xml9(para) +msgid "" +"This guide provides security insight into OpenStack deployments. 
The " +"intended audience is cloud architects, deployers, and administrators. In " +"addition, cloud users will find the guide both educational and helpful in " +"provider selection, while auditors will find it useful as a reference " +"document to support their compliance certification efforts. This guide is " +"also recommended for anyone interested in cloud security." +msgstr "本ガむドは、OpenStack のデプロむメントにおけるセキュリティに関する知芋を提䟛したす。クラりドアヌキテクト、デプロむ担圓者、管理者などを察象読者ずしおいたす。たた、クラりドナヌザヌには、プロバむダヌ遞択にあたっお参照するこずのできる有甚な情報を蚘茉しおいる䞀方、監査担圓者には、コンプラむアンス認蚌に䌎う䜜業を支揎する参考資料ずしおご利甚いただくこずができたす。本ガむドは、クラりドのセキュリティに関心を持぀読者党般にもお奚めしたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml16(para) +msgid "" +"Each OpenStack deployment embraces a wide variety of technologies, spanning " +"Linux distributions, database systems, messaging queues, OpenStack " +"components themselves, access control policies, logging services, security " +"monitoring tools, and much more. It should come as no surprise that the " +"security issues involved are equally diverse, and their in-depth analysis " +"would require several guides. We strive to find a balance, providing enough " +"context to understand OpenStack security issues and their handling, and " +"provide external references for further information. The guide could be read" +" from start to finish or sampled as necessary like a reference." 
+msgstr "OpenStack の各デプロむメントには、Linux ディストリビュヌション、デヌタベヌスシステム、メッセヌゞキュヌ、OpenStack のコンポヌネント自䜓、アクセス制埡ポリシヌ、ログサヌビス、セキュリティ監芖ツヌルなどに及ぶ、倚皮倚様なテクノロゞヌが採甚されたす。このため、デプロむに䌎うセキュリティ問題が、同じように倚様ずなるこずは圓然です。それらの内容を奥深く分析するには、マニュアルが数冊必芁ずなりたす。 本ガむドでは、OpenStack のセキュリティ問題ずその察凊方法を理解するために十分な情報を提䟛し぀぀、さらなる情報の倖郚参照先を掲茉するこずにより、バランスを図っおいたす。本曞は、党䜓を通読する方法たたは参考資料ずしお必芁箇所のみを参照する方法のいずれでもご利甚いただくこずができたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml27(para) +msgid "" +"We briefly introduce the kinds of clouds: private, public, and hybrid before" +" presenting an overview of the OpenStack components and their related " +"security concerns in the remainder of the chapter." +msgstr "本章では、プラむベヌト、パブリック、ハむブリッドずいうクラりドの各皮類に぀いお簡単に説明した埌、埌半に OpenStack のコンポヌネントおよびそれらに関連するセキュリティ課題に぀いお抂説したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml32(title) +msgid "Cloud types" +msgstr "クラりドのタむプ" + +#: ./doc/security-guide/ch004_book-introduction.xml33(para) +msgid "" +"OpenStack is a key enabler in adoption of cloud technology and has several " +"common deployment use cases. These are commonly known as Public, Private, " +"and Hybrid models. The following sections use the National Institute of " +"Standards and Technology (NIST) definition" +" of cloud to introduce these different types of cloud as they apply " +"to OpenStack." +msgstr "OpenStack は、クラりドテクノロゞヌの導入における重芁なむネヌブラヌであり、䞀般的なデプロむメントナヌスケヌスがいく぀かありたす。これらは、パブリック、プラむベヌト、およびハむブリッドモデルずしお䞀般に知られおいたす。以䞋のセクションでは、National Institute of Standards and Technology (NIST) のクラりドの定矩 を取り䞊げ、OpenStack に適甚するクラりドの異なるタむプに぀いお説明したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml42(title) +msgid "Public cloud" +msgstr "パブリッククラりド" + +#: ./doc/security-guide/ch004_book-introduction.xml43(para) +msgid "" +"According to NIST, a public cloud is one in which the infrastructure is open" +" to the general public for consumption. OpenStack public clouds are " +"typically run by a service provider and can be consumed by individuals, " +"corporations, or any paying customer. 
A public cloud provider may expose a " +"full set of features such as software-defined networking, block storage, in " +"addition to multiple instance types. Due to the nature of public clouds, " +"they are exposed to a higher degree of risk. As a consumer of a public cloud" +" you should validate that your selected provider has the necessary " +"certifications, attestations, and other regulatory considerations. As a " +"public cloud provider, depending on your target customers, you may be " +"subject to one or more regulations. Additionally, even if not required to " +"meet regulatory requirements, a provider should ensure tenant isolation as " +"well as protecting management infrastructure from external attacks." +msgstr "NIST によるず、パブリッククラりドは、䞀般垂民が利甚できるようにむンフラストラクチャヌが公開されおいるクラりドず定矩されおいたす。OpenStack のパブリッククラりドは、通垞サヌビスプロバむダヌによっお運甚され、個人、法人、たたは料金を支払っおいる顧客が利甚するこずができたす。パブリッククラりドプロバむダヌは、耇数のむンスタンスタむプに加えお、゜フトりェア定矩ネットワヌク、ブロックストレヌゞなどの各皮機胜を公開するこずができたす。パブリッククラりドはその性質䞊、より高いレベルのリスクにさらされたす。パブリッククラりドの利甚者は、遞択したプロバむダヌが必芁な認定および認蚌を取埗しおいるか、その他の法芏制に関する考慮事項に察応しおいるかなどの点を確認しおおく必芁がありたす。パブリッククラりドプロバむダヌは、タヌゲット顧客に応じお、1 ぀たたは耇数の法芏制の圱響を受ける堎合がありたす。たた、プロバむダヌは、法芏制の芁件を満たす必芁がない堎合でも、管理むンフラストラクチャヌを倖郚の攻撃から保護するために、テナントの分離を確実に行う必芁がありたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml61(title) +msgid "Private cloud" +msgstr "プラむベヌトクラりド" + +#: ./doc/security-guide/ch004_book-introduction.xml62(para) +msgid "" +"At the opposite end of the spectrum is the private cloud. As NIST defines " +"it, a private cloud is provisioned for exclusive use by a single " +"organization comprising multiple consumers, such as business units. It may " +"be owned, managed, and operated by the organization, a third-party, or some " +"combination of them, and it may exist on or off premises. Private cloud use " +"cases are diverse, as such, their individual security concerns vary." 
+msgstr "パブリッククラりドの察極にあるのがプラむベヌトクラりドです。NIST は、プラむベヌトクラりドを、事業組織などの耇数の利甚者から成る単䞀の組織の専甚䜿甚のために提䟛されるクラりドず定矩しおいたす。プラむベヌトクラりドの所有、管理、および運甚は、その組織、第䞉者、もしくはそれらの組み合わせにより行われ、存圚堎所ずしおは、その組織の斜蚭内たたは倖郚の堎合がありたす。プラむベヌトクラりドのナヌスケヌスは倚様であるため、セキュリティ課題もそれぞれで異なりたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml72(title) +msgid "Community cloud" +msgstr "コミュニティクラりド" + +#: ./doc/security-guide/ch004_book-introduction.xml73(para) +msgid "" +"NIST defines a community cloud as one whose infrastructure is provisioned " +"for the exclusive use by a specific community of consumers from " +"organizations that have shared concerns. For example, mission, security " +"requirements, policy, and compliance considerations. It may be owned, " +"managed, and operated by one or more of the organizations in the community, " +"a third-party, or some combination of them, and it may exist on or off " +"premises." +msgstr "NIST では、コミュニティクラりドを、共通の関心事 (䟋えば、任務、セキュリティの必芁、ポリシヌ、法什順守に関わる考慮事項 ) を持぀耇数の組織から成る特定の利甚者の共同䜓の専甚䜿甚のために提䟛されるクラりドず定矩しおいたす。コミュニティクラりドの所有、管理、および運甚は、共同䜓内の 1 ぀たたは耇数の組織、第䞉者、もしくはそれらの組み合わせにより行われ、存圚堎所はその組織の斜蚭内たたは倖郚の堎合がありたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml83(title) +msgid "Hybrid cloud" +msgstr "ハむブリッドクラりド" + +#: ./doc/security-guide/ch004_book-introduction.xml84(para) +msgid "" +"A hybrid cloud is defined by NIST as a composition of two or more distinct " +"cloud infrastructures, such as private, community, or public, that remain " +"unique entities, but are bound together by standardized or proprietary " +"technology that enables data and application portability, such as cloud " +"bursting for load balancing between clouds. For example an online retailer " +"may have their advertising and catalogue presented on a public cloud that " +"allows for elastic provisioning. This would enable them to handle seasonal " +"loads in a flexible, cost-effective fashion. 
Once a customer begins to " +"process their order, they are transferred to the more secure private cloud " +"backend that is PCI compliant." +msgstr "NIST では、ハむブリッドクラりドを、2 ぀以䞊の異なるクラりドむンフラストラクチャヌ (プラむベヌト、コミュニティ、パブリック) を組み合わせたクラりドず定矩しおいたす。各クラりドは、䟝然ずしお独自の゚ンティティですが、デヌタおよびアプリケヌションの移怍性を提䟛するスタンダヌドたたはプロプラむ゚タリな技術 (䟋: クラりド間のロヌドバランスのためのクラりドバヌストなど) により結合されたす。䟋えば、オンラむン小売業者は、柔軟なプロビゞョニングが可胜なパブリッククラりドに広告やカタログを掲瀺しおいる堎合がありたす。これにより、柔軟か぀費甚察効果の高い方法で季節的な負荷に察応するこずが可胜ずなりたす。顧客が発泚凊理を開始するず、よりセキュアなプラむベヌトクラりドのバック゚ンドに転送されたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml96(para) +msgid "" +"For the purposes of this document, we treat Community and Hybrid similarly, " +"dealing explicitly only with the extremes of Public and Private clouds from " +"a security perspective. Your security measures depend where your deployment " +"falls upon the private public continuum." +msgstr "本ガむドにおいおは、コミュニティクラりドずハむブリッドクラりドを同様に扱い、パブリッククラりドずプラむベヌトクラりドの䞡極のみをセキュリティ面から明確に説明したす。セキュリティ察策は、デプロむメントがプラむベヌトクラりド/パブリッククラりドの連続䜓のどこに䜍眮するかによっお異なりたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml104(title) +msgid "OpenStack service overview" +msgstr "OpenStack サヌビスの抂芳" + +#: ./doc/security-guide/ch004_book-introduction.xml105(para) +msgid "" +"OpenStack embraces a modular architecture to provide a set of core services " +"that facilitates scalability and elasticity as core design tenets. This " +"chapter briefly reviews OpenStack components, their use cases and security " +"considerations." 
+msgstr "OpenStack は、モゞュヌル型アヌキテクチャを採甚し、䞭栞的な蚭蚈理念ずしおスケヌラビリティず柔軟性を促進する䞀匏のコアサヌビスを提䟛したす。本章では、OpenStack のコンポヌネントずそれらのナヌスケヌスおよびセキュリティに関する考慮事項を簡単に説明したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml122(title) +#: ./doc/security-guide/ch026_compute.xml8(title) +msgid "Compute" +msgstr "Compute" + +#: ./doc/security-guide/ch004_book-introduction.xml123(para) +msgid "" +"OpenStack Compute service (nova) provides services to support the management" +" of virtual machine instances at scale, instances that host multi-tiered " +"applications, dev/test environments, \"Big Data\" crunching Hadoop clusters," +" and/or high performance computing." +msgstr "OpenStack Compute サヌビス (Nova) は、倚局アプリケヌション、開発/テスト環境、「ビッグデヌタ」を凊理する Hadoop のクラスタヌ、ハむパフォヌマンスコンピュヌティングなどをホストする、倧芏暡な仮想マシンむンスタンスの管理をサポヌトするサヌビスを提䟛したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml128(para) +msgid "" +"The Compute service facilitates this management through an abstraction layer" +" that interfaces with supported hypervisors, which we address later on in " +"more detail." +msgstr "Compute は、サポヌト察象のハむパヌバむザヌず連動する抜象化レむダヌを介しおこのような管理を行いたす。ハむパヌバむザヌに぀いおは、埌半で詳しく説明したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml131(para) +msgid "" +"Later in the guide, we focus generically on the virtualization stack as it " +"relates to hypervisors." +msgstr "本ガむドの埌半では、ハむパヌバむザヌず関連する仮想化スタックに焊点をあおお、包括的に解説したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml133(para) +msgid "" +"For information about the current state of feature support, see OpenStack " +"Hypervisor Support Matrix." +msgstr "機胜サポヌトの珟圚の状況に関する情報は、 OpenStack Hypervisor Support Matrix を参照しおください。" + +#: ./doc/security-guide/ch004_book-introduction.xml137(para) +msgid "" +"The security of Compute is critical for an OpenStack deployment. Hardening " +"techniques should include support for strong instance isolation, secure " +"communication between Compute sub-components, and resiliency of public-" +"facing API endpoints." 
+msgstr "OpenStack のデプロむメントでは、Compute のセキュリティが極めお重芁ずなりたす。セキュリティ匷化のテクニックには、頑匷なむンスタンスの隔離、Compute のサブコンポヌネント間におけるセキュアな通信、䞀般向けの API ゚ンドポむントの匟力性などがあげられたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml144(title) +#: ./doc/security-guide/ch027_storage.xml8(title) +msgid "Object Storage" +msgstr "Object Storage" + +#: ./doc/security-guide/ch004_book-introduction.xml145(para) +msgid "" +"The OpenStack Object Storage service (swift) provides support for storing " +"and retrieving arbitrary data in the cloud. The Object Storage service " +"provides both a native API and an Amazon Web Services S3 compatible API. The" +" service provides a high degree of resiliency through data replication and " +"can handle petabytes of data." +msgstr "OpenStack Object Storage Service (swift) は、クラりド内の任意デヌタの保管/取埗機胜のサポヌトを提䟛したす。Object Storage Service はネむティブ API および Amazon Web Services S3 互換の API の䞡方を提䟛したす。このサヌビスは、デヌタレプリケヌションにより高床な回埩性を提䟛し、ペタバむト芏暡のデヌタの凊理が可胜です。" + +#: ./doc/security-guide/ch004_book-introduction.xml151(para) +msgid "" +"It is important to understand that object storage differs from traditional " +"file system storage. It is best used for static data such as media files " +"(MP3s, images, videos), virtual machine images, and backup files." +msgstr "オブゞェクトストレヌゞは、埓来のファむルシステムストレヌゞず異なる点を理解しおおくこずが重芁です。メディアファむル (MP3、画像、ビデオ) や仮想マシンむメヌゞ、バックアップファむルなどの静的デヌタに䜿甚するのに最適です。" + +#: ./doc/security-guide/ch004_book-introduction.xml155(para) +msgid "" +"Object security should focus on access control and encryption of data in " +"transit and at rest. Other concerns may relate to system abuse, illegal or " +"malicious content storage, and cross authentication attack vectors." 
+msgstr "オブゞェクトのセキュリティは、アクセス制埡ず、䌝送䞭および静止䞭のデヌタの暗号化に重点を眮くべきです。その他の懞念事項には、システムの悪甚、䞍法たたは悪意のあるコンテンツの保管、クロス認蚌の攻撃ベクトルなどに関する問題があげられたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml161(title) +msgid "Block Storage" +msgstr "Block Storage" + +#: ./doc/security-guide/ch004_book-introduction.xml162(para) +msgid "" +"The OpenStack Block Storage service (cinder) provides persistent block " +"storage for compute instances. The Block Storage service is responsible for " +"managing the life-cycle of block devices, from the creation and attachment " +"of volumes to instances, to their release." +msgstr "OpenStack Block Storage Service (cinder) は、Compute むンスタンス甚に氞続的なブロックストレヌゞを提䟛したす。Block Storage Service はブロックデバむスの䜜成からむンスタンスぞのボリュヌムの接続、それらの解攟にいたるたでのラむフサむクルを管理する圹割を果たしたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml167(para) +msgid "" +"Security considerations for block storage are similar to that of object " +"storage." +msgstr "Block Storage のセキュリティ課題は、Object Storage の堎合ず同様です。" + +#: ./doc/security-guide/ch004_book-introduction.xml171(title) +msgid "OpenStack Networking" +msgstr "OpenStack Networking" + +#: ./doc/security-guide/ch004_book-introduction.xml172(para) +msgid "" +"The OpenStack Networking service (neutron, previously called quantum) " +"provides various networking services to cloud users (tenants) such as IP " +"address management, DNS, DHCP," +" load balancing, and security groups (network access rules, like firewall " +"policies). It provides a framework for software defined networking (SDN) " +"that allows for pluggable integration with various networking solutions." 
+msgstr "OpenStack Networking (neutron、旧称 quantum) はIP アドレス管理、DNS、DHCP、負荷分散、セキュリティグルヌプ (ファむアりォヌルのポリシヌなど、ネットワヌクのアクセスルヌル) など、さたざたなネットワヌクサヌビスをクラりドナヌザヌ (テナント) に提䟛したす。たた、各皮ネットワヌク゜リュヌションずのプラグ可胜な統合を可胜にする゜フトりェア定矩ネットワヌク(SDN) のフレヌムワヌクを提䟛したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml180(para) +msgid "" +"OpenStack Networking allows cloud tenants to manage their guest network " +"configurations. Security concerns with the networking service include " +"network traffic isolation, availability, integrity and confidentiality." +msgstr "OpenStack Networking により、クラりドテナントはゲストのネットワヌク蚭定を管理するこずができたす。ネットワヌクサヌビスに䌎うセキュリティ䞊の問題には、 ネットワヌクトラフィックの隔離、可甚性、完党性、機密性などがあげられたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml186(title) +#: ./doc/security-guide/ch025_web-dashboard.xml8(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml33(title) +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml120(para) +msgid "Dashboard" +msgstr "Dashboard" + +#: ./doc/security-guide/ch004_book-introduction.xml187(para) +msgid "" +"The OpenStack dashboard (horizon) provides a web-based interface for both " +"cloud administrators and cloud tenants. Through this interface " +"administrators and tenants can provision, manage, and monitor cloud " +"resources. Horizon is commonly deployed in a public facing manner with all " +"the usual security concerns of public web portals." +msgstr "OpenStack ダッシュボヌドサヌビス (Horizon) は、クラりド管理者ずクラりドテナントの䞡方に向けた Web ベヌスのむンタヌフェヌスを提䟛したす。このむンタヌフェヌスにより、管理者およびテナントは、クラりドリ゜ヌスのプロビゞョニング、管理、監芖を行うこずができたす。Horizon は通垞、䞀般i向けにデプロむされ、パブリック Web ポヌタルの䞀般的なセキュリティ問題が䌎いたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml195(title) +msgid "Identity service" +msgstr "Identity" + +#: ./doc/security-guide/ch004_book-introduction.xml196(para) +msgid "" +"The OpenStack Identity service (keystone) is a shared service that provides authentication and " +"authorization services throughout the entire cloud infrastructure. 
The " +"Identity service has pluggable support for multiple forms of authentication." +msgstr "OpenStack Identity (keystone) は、クラりドむンフラストラクチャヌ党䜓にわたる認蚌および承認サヌビスを提䟛する共有サヌビスです。Identity には、耇数圢匏の認蚌に察するプラグ可胜なサポヌトを採甚しおいたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml201(para) +msgid "" +"Security concerns here pertain to trust in authentication, management of " +"authorization tokens, and secure communication." +msgstr "ここでのセキュリティ課題には、認蚌の信頌、承認トヌクンの管理、セキュリティ保護された通信などがあげられたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml206(title) +msgid "Image Service" +msgstr "Image Service" + +#: ./doc/security-guide/ch004_book-introduction.xml207(para) +msgid "" +"The OpenStack Image Service (glance) provides disk image management " +"services. The Image Service provides image discovery, registration, and " +"delivery services to the Compute service, as needed." +msgstr "OpenStack Image Service (glance) は、ディスクむメヌゞ管理サヌビスを提䟛したす。Image Service は、必芁に応じお、むメヌゞの怜玢、登録、デリバリサヌビスを Compute サヌビスに提䟛したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml211(para) +msgid "" +"Trusted processes for managing the life cycle of disk images are required, " +"as are all the previously mentioned issues with respect to data security." +msgstr "前述したデヌタセキュリティに関する問題ず同様に、ディスクむメヌゞのラむフサむクル管理には信頌されたプロセスが必芁です。" + +#: ./doc/security-guide/ch004_book-introduction.xml216(title) +msgid "Other supporting technology" +msgstr "その他の支揎技術" + +#: ./doc/security-guide/ch004_book-introduction.xml217(para) +msgid "" +"OpenStack relies on messaging for internal communication between several of " +"its services. By default, OpenStack uses message queues based on the " +"Advanced Message Queue Protocol (AMQP ). Similar to most OpenStack " +"services, it supports pluggable components. Today the implementation backend" +" could be RabbitMQ, Qpid, or " +"ZeroMQ." 
+msgstr "OpenStack は耇数のサヌビス間の内郚通信のメッセヌゞングに䟝存しおいたす。デフォルトでは、OpenStack は Advanced Message Queue Protocol (AMQP) をベヌスずするメッセヌゞキュヌを䜿甚したす。 倧半の OpenStack サヌビスず同様に、プラグ可胜なコンポヌネントをサポヌトしおいたす。珟圚は、RabbitMQ、 Qpid、たたは ZeroMQ を実装バック゚ンドにするこずができたす。" + +#: ./doc/security-guide/ch004_book-introduction.xml226(para) +msgid "" +"As most management commands flow through the message queueing system, it is " +"a primary security concern for any OpenStack deployment. Message queueing " +"security is discussed in detail later in this guide." +msgstr "メッセヌゞキュヌシステムは、倧半の管理コマンドが通過するので、OpenStack のデプロむメントにおける重芁なセキュリティ課題です。メッセヌゞキュヌのセキュリティに぀いおは、本ガむドの埌半で詳述したす。" + +#: ./doc/security-guide/ch004_book-introduction.xml230(para) +msgid "" +"Several of the components use databases though it is not explicitly called " +"out. Securing the access to the databases and their contents is yet another " +"security concern, and consequently discussed in more detail later in this " +"guide." +msgstr "䞀郚のコンポヌネントは、間接的にデヌタベヌスを䜿甚したす。デヌタベヌスおよびそのコンテンツぞのアクセスのセキュリティ保護は、もう䞀぀のセキュリティ課題であるため、本ガむドの埌半でさらに詳しく説明したす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml8(title) +msgid "Certification and compliance statements" +msgstr "認蚌ずコンプラむアンスの報告曞" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml9(para) +msgid "" +"Compliance and security are not exclusive, and must be addressed together. " +"OpenStack deployments are unlikely to satisfy compliance requirements " +"without security hardening. The listing below provides an OpenStack " +"architect foundational knowledge and guidance to achieve compliance against " +"commercial and government certifications and standards." 
+msgstr "コンプラむアンスずセキュリティは排他的でなく、あわせお取り組むべきものです。OpenStack環境は、セキュリティの匷化なしに、コンプラむアンス芁件を充足するこずができないでしょう。以䞋のリストは、OpenStackアヌキテクト向けの、商業芏栌および政府機関の認蚌を埗るための基本的な知識ずガむダンスです。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml17(title) +msgid "Commercial standards" +msgstr "商業芏栌" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml18(para) +msgid "" +"For commercial deployments of OpenStack, it is recommended that SOC 1/2 " +"combined with ISO 2700 1/2 be considered as a starting point for OpenStack " +"certification activities. The required security activities mandated by these" +" certifications facilitate a foundation of security best practices and " +"common control criteria that can assist in achieving more stringent " +"compliance activities, including government attestations and certifications." +msgstr "OpenStackの商甚環境向けには、たずは開始点ずしお、SOC 1/2ずISO 27001/2の怜蚎を掚奚したす。そこで芁求されるセキュリティ掻動を確実に実行するこずで、セキュリティのベストプラクティスず共通統制基準を導入を促進し、政府系認定などの、より厳栌なコンプラむアンス掻動の取埗にも圹立ちたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml26(para) +msgid "" +"After completing these initial certifications, the remaining certifications " +"are more deployment specific. For example, clouds processing credit card " +"transactions will need PCI-DSS, clouds storing health care information " +"require HIPAA, and clouds within the federal government may require " +"FedRAMP/FISMA, and ITAR, certifications." +msgstr "これらの基本的認蚌を取埗したのち、より環境特有の認蚌を怜蚎したす。たずえば、クラりドがクレゞットカヌドのトランザクションを扱うのであればPCI-DSSが必芁ですし、ヘルスケア情報を保持するならHIPPAが、連邊政府向けにはFedRAMP/FISMA、ITAR認蚌が必芁ずなるでしょう。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml34(title) +msgid "SOC 1 (SSAE 16) / ISAE 3402" +msgstr "SOC 1 (SSAE 16) / ISAE 3402" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml35(para) +msgid "" +"Service Organization Controls (SOC) criteria are defined by the American Institute of Certified Public " +"Accountants (AICPA). 
SOC controls assess relevant financial " +"statements and assertions of a service provider, such as compliance with the" +" Sarbanes-Oxley Act. SOC 1 is a replacement for Statement on Auditing " +"Standards No. 70 (SAS 70) Type II report. These controls commonly include " +"physical data centers in scope." +msgstr "Service Organization Controls (SOC)基準は米囜公認䌚蚈士協䌚 - American Institute of Certified Public Accountants (AICPA)によっお定められおいたす。SOC統制はサヌビスプロバむダヌの関連財務諞衚ず䞻匵を評䟡したす。䟋えばSarbanes-Oxley法ぞの準拠などです。SOC 1 はStatement on Auditing Standards No. 70 (SAS 70) Type II 報告曞を代替したす。これらの統制は物理的なデヌタセンタヌを評䟡範囲に含みたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml44(para) +msgid "There are two types of SOC 1 reports:" +msgstr "SOC 1報告曞には二぀の皮類がありたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml47(para) +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml84(para) +msgid "" +"Type 1 – report on the fairness of the presentation of management's " +"description of the service organization's system and the suitability of the " +"design of the controls to achieve the related control objectives included in" +" the description as of a specified date." 
+msgstr "Type 1 - サヌビス提䟛組織がその管理に぀いお説明し、その公正さをレポヌトしたす。特定時点で関連する管理察象を統制できおいるか、その蚭蚈の持続可胜性も報告したす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml54(para) +msgid "" +"Type 2 – report on the fairness of the presentation of management's " +"description of the service organization's system and the suitability of the " +"design and operating effectiveness of the controls to achieve the related " +"control objectives included in the description throughout a specified period" +msgstr "Type 2 - サヌビス組織が統制察象を統制するために䜿甚するシステム、蚭蚈の持続性、および運甚効率性に関する管理者の説明内容が公正かをレポヌトしたす。特定期間を通しおの説明も必芁です。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml62(para) +msgid "" +"For more details see the AICPA" +" Report on Controls at a Service Organization Relevant to User Entities’ " +"Internal Control over Financial Reporting." +msgstr "詳现はAICPA Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reportingを参照しおください。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml70(title) +msgid "SOC 2" +msgstr "SOC 2" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml71(para) +msgid "" +"Service Organization Controls (SOC) 2 is a self attestation of controls that" +" affect the security, availability, and processing integrity of the systems " +"a service organization uses to process users' data and the confidentiality " +"and privacy of information processed by these system. Examples of users are " +"those responsible for governance of the service organization; customers of " +"the service organization; regulators; business partners; suppliers and " +"others who have an understanding of the service organization and its " +"controls." 
+msgstr "Service Organization Controls (SOC) 2は、サヌビス提䟛組織がナヌザヌデヌタずその情報の機密性ずプラむバシヌを制埡するために䜿っおいるシステムのセキュリティ、可甚性、および凊理の完党性に関する統制の自己蚌明です。ナヌザヌの䟋は、サヌビス組織を統制する人、サヌビス組織の顧客、監芖圓局、ビゞネスパヌトナヌ、サプラむダヌ、およびサヌビス組織の理解者やそれを統制する人です。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml81(para) +msgid "There are two types of SOC 2 reports:" +msgstr "SOC 2報告曞には二぀の皮類がありたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml91(para) +msgid "" +"Type 2 – report on the fairness of the presentation of management's " +"description of the service organization's system and the suitability of the " +"design and operating effectiveness of the controls to achieve the related " +"control objectives included in the description throughout a specified " +"period." +msgstr "Type 2 - サヌビス組織が統制察象を統制するために䜿甚するシステム、蚭蚈の持続性、および運甚効率性に関する管理者の説明内容が公正かをレポヌトしたす。特定期間を通しおの説明も必芁です。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml99(para) +msgid "" +"For more details see the AICPA" +" Report on Controls at a Service Organization Relevant to Security, " +"Availability, Processing Integrity, Confidentiality or Privacy." +msgstr "詳现はAICPA Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacyを参照しおください。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml108(title) +msgid "SOC 3" +msgstr "SOC 3" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml109(para) +msgid "" +"Service Organization Controls (SOC) 3 is a trust services report for service" +" organizations. These reports are designed to meet the needs of users who " +"want assurance on the controls at a service organization related to " +"security, availability, processing integrity, confidentiality, or privacy " +"but do not have the need for or the knowledge necessary to make effective " +"use of a SOC 2 Report. 
These reports are prepared using the AICPA/Canadian " +"Institute of Chartered Accountants (CICA) Trust Services Principles, " +"Criteria, and Illustrations for Security, Availability, Processing " +"Integrity, Confidentiality, and Privacy. Because they are general use " +"reports, SOC 3 Reports can be freely distributed or posted on a website as a" +" seal." +msgstr "Service Organization Controls (SOC) 3はサヌビス提䟛組織のための公的なサヌビス報告曞です。これらのレポヌトはサヌビス組織のセキュリティ、可甚性、凊理の完党性、機密性、たたはプラむバシヌに関する統制の保蚌を求めるナヌザヌニヌズを満たすためのレポヌトです。ただし、SOC 2報告曞ほどの情報は必芁ありたせん。SOC 3報告曞はAICPA/Canadian Institute of Chartered Accountants (CICA)のTrust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacyをもっお䜜成されおいたす。SOC 3は䞀般的に䜿われる報告曞であり、Webサむト䞊で蚌明曞ずしお自由に配垃できたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml121(para) +msgid "" +"For more details see the AICPA" +" Trust Services Report for Service Organizations." +msgstr "詳现はAICPA Trust Services Report for Service Organizationsを参照しおください。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml128(title) +msgid "ISO 27001/2" +msgstr "ISO 27001/2" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml129(para) +msgid "" +"The ISO/IEC 27001/2 standards replace BS7799-2, and are specifications for " +"an Information Security Management System (ISMS). An ISMS is a comprehensive" +" set of policies and processes that an organization creates and maintains to" +" manage risk to information assets. These risks are based upon the " +"confidentiality, integrity, and availability (CIA) of user information. The " +"CIA security triad has been used as a foundation for much of the chapters in" +" this book." 
+msgstr "ISO/IEC 27001/2はBS7799-2の埌継暙準で、Information Security Management System (ISMS)の芁件です。ISMSは組織が情報資産のリスクを管理するために䜜成、維持する、ポリシヌずプロセスの包括的なセットです。それらのリスクはナヌザヌ情報のConfidentiality - 機密性、Integrity - 完党性、および Availability - 可甚性 (CIA)に深く関係しおいたす。CIAセキュリティの䞉芁玠は、このガむドの倚くの章で基本ずなっおいたす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml137(para)
+msgid ""
+"For more details see ISO "
+"27001."
+msgstr "詳现はISO 27001を参照しおください。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml143(title)
+msgid "HIPAA / HITECH"
+msgstr "HIPAA / HITECH"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml144(para)
+msgid ""
+"The Health Insurance Portability and Accountability Act (HIPAA) is a United "
+"States congressional act that governs the collection, storage, use and "
+"destruction of patient health records. The act states that Protected Health "
+"Information (PHI) must be rendered \"unusable, unreadable, or "
+"indecipherable\" to unauthorized persons and that encryption for data 'at-"
+"rest' and 'inflight' should be addressed."
+msgstr "Health Insurance Portability and Accountability Act (HIPAA)は米囜の健康保険における可搬性ず責任に関する法埋で、カルテ情報の収集、保存、および廃棄に関するルヌルを定めおいたす。この法埋は、保護医療情報 (Protected Health Information, PHI)は、暩限のない人が\"利甚できない、読めない、耇合できない\"ように倉換されなければいけないこず、たた、デヌタが保存䞭でも、凊理䞭でも、暗号化するべきであるこずに蚀及しおいたす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml151(para)
+msgid ""
+"HIPAA is not a certification, rather a guide for protecting healthcare data."
+" Similar to the PCI-DSS, the most important issues with both PCI and HIPPA "
+"is that a breach of credit card information, and health data, does not "
+"occur. In the instance of a breach the cloud provider will be scrutinized "
+"for compliance with PCI and HIPPA controls. 
If proven compliant, the "
+"provider can be expected to immediately implement remedial controls, breach "
+"notification responsibilities, and significant expenditure on additional "
+"compliance activities. If not compliant, the cloud provider can expect on-"
+"site audit teams, fines, potential loss of merchant ID (PCI), and massive "
+"reputation impact."
+msgstr "HIPPAは認蚌ではなく、カルテ情報の保護に関するガむドラむンです。PCI-DSSず䌌おいたす。PCIずHIPAAの䞡方でもっずも重芁な課題は、クレゞットカヌド情報ずカルテ情報が流出しないようにするこずです。クラりドプロバむダヌによる流出があった堎合、PCIずHIPAAの統制䞋においお怜査されたす。その内容が遵守に足るものであれば、そのプロバむダヌはすみやかに是正措眮の実行ず情報流出の通知、およびコンプラむアンス掻動予算の倧幅な远加を期埅されたす。もし足るものでなければ、珟地での査察、眰金、merchant ID (PCI)の倱効、および評刀に倧きな傷が぀くこずが予想されたす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml163(para)
+msgid ""
+"Users or organizations that possess PHI must support HIPAA requirements and "
+"are HIPAA covered entities. If an entity intends to use a service, or in "
+"this case, an OpenStack cloud that might use, store or have access to that "
+"PHI, then a Business Associate Agreement must be signed. The BAA is a "
+"contract between the HIPAA covered entity and the OpenStack service provider"
+" that requires the provider to handle that PHI in accordance with HIPAA "
+"requirements. If the service provider does not handle the PHI, such as with "
+"security controls and hardening, then they are subject to HIPAA fines and "
+"penalties."
+msgstr "カルテ情報を所有するナヌザヌや組織はHIPPAの芁件をサポヌトし、HIPAA察象事業者ずなる必芁がありたす。もしこの事業者がサヌビスを、この堎合は察象のOpenStackクラりドがカルテ情報を利甚、保存、アクセスしうるのであれば、HIPAA Business Associate Agreement - BAAの締結が必芁です。BAAはHIPAA察象事業者ず、HIPAA芁件に埓っおカルテ情報を扱っおいるOpenStackサヌビスプロバむダヌの間で締結されたす。もしサヌビスプロバむダヌがセキュリティ統制、匷化を怠るなど、カルテ情報を芁件通りに扱っおいなければHIPAAの眰金や眰則が適甚されるこずがありたす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml174(para)
+msgid ""
+"OpenStack architects interpret and respond to HIPAA statements, with data "
+"encryption remaining a core practice. 
Currently this would require any "
+"protected health information contained within an OpenStack deployment to be "
+"encrypted with industry standard encryption algorithms. Potential future "
+"OpenStack projects such as object encryption will facilitate HIPAA "
+"guidelines for compliance with the act."
+msgstr "OpenStackアヌキテクトはHIPAAの条項を解釈し、察応したす。デヌタ暗号化はその䞭栞ずなる掻動です。珟圚、OpenStack環境に保存される、いかなる保護カルテ情報にも暗号化を芁求され、業界暙準の暗号化アルゎリズムの採甚が期埅されたす。なお、将来予定されおいる、䟋えばオブゞェクト暗号化などのOpenStackプロゞェクトは、法什遵守のためHPAAガむドラむンの適甚を促進するでしょう。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml181(para)
+msgid ""
+"For more details see the Health Insurance "
+"Portability And Accountability Act."
+msgstr "詳现はHealth Insurance Portability And Accountability Actを参照しおください。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml187(title)
+msgid "PCI-DSS"
+msgstr "PCI-DSS"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml188(para)
+msgid ""
+"The Payment Card Industry Data Security Standard (PCI DSS) is defined by the"
+" Payment Card Industry Standards Council, and created to increase controls "
+"around card holder data to reduce credit card fraud. Annual compliance "
+"validation is assessed by an external Qualified Security Assessor (QSA) who "
+"creates a Report on Compliance (ROC), or by a Self-Assessment Questionnaire "
+"(SAQ) dependent on volume of card-holder transactions."
+msgstr "Payment Card Industry Data Security Standard (PCI DSS)はPayment Card Industry Standards Councilで定矩されたした。目的は、クレゞットカヌド䞍正の防止のため、カヌド所有者情報に関する統制床を向䞊するこずです。コンプラむアンス怜査は幎次で、倖郚のコンプラむアンス評䟡報告曞(Report on Compliance, ROC)を䜜成する認定評䟡機関 (Qualified Security Assessor, QSA)、もしくは、自己評䟡問蚺祚(Self-Assessment Questionnaire, SAQ)によっお実斜されたす。これはカヌド所有者のトランザクション量に䟝存したす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml196(para)
+msgid ""
+"OpenStack deployments which stores, processes, or transmits payment card "
+"details are in scope for the PCI-DSS. 
All OpenStack components that are not "
+"properly segmented from systems or networks that handle payment data fall "
+"under the guidelines of the PCI-DSS. Segmentation in the context of PCI-DSS "
+"does not support multi-tenancy, but rather physical separation "
+"(host/network)."
+msgstr "カヌド情報を保存、凊理、転送するOpenStack環境は、PCI-DSSの察象です。カヌド情報を扱うシステムやネットワヌクが正しく分離されおいないすべおのOpenStackコンポヌネントは、PCI-DSSのガむドラむンに適合したせん。PCI-DSSでいう分離は、マルチ手ナンシヌを認めおおらず、(サヌバヌおよびネットワヌクの)物理的な分離が必芁です。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml203(para)
+msgid ""
+"For more details see PCI "
+"security standards."
+msgstr "詳现はPCI security standardsを参照しおください。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml209(title)
+msgid "Government standards"
+msgstr "政府暙準"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml212(title)
+msgid "FedRAMP"
+msgstr "FedRAMP"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml213(para)
+msgid ""
+"\"The Federal Risk and Authorization "
+"Management Program (FedRAMP) is a government-wide program that "
+"provides a standardized approach to security assessment, authorization, and "
+"continuous monitoring for cloud products and services\". NIST 800-53 is the "
+"basis for both FISMA and FedRAMP which mandates security controls "
+"specifically selected to provide protection in cloud environments. FedRAMP "
+"can be extremely intensive from specificity around security controls, and "
+"the volume of documentation required to meet government standards."
+msgstr "\"Federal Risk and Authorization Management Program (FedRAMP)は米囜連邊政府党䜓のプログラムであり、クラりド補品ずサヌビスのセキュリティ評䟡、認蚌、および継続的モニタリングの、暙準化された手順を提䟛したす\" NIST 800-53はFISMAずRedRAMPの䞡方の基瀎であり、特にクラりド環境における保護を提䟛するために遞択されたセキュリティ統制を匷制したす。セキュリティ統制に関する具䜓性ず政府暙準を満たすための文曞量を、FedRAMPは培底しおいたす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml223(para)
+msgid ""
+"For more details see http://www.gsa.gov/portal/category/102371." 
+msgstr "詳现はhttp://www.gsa.gov/portal/category/102371を参照しおください。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml229(title)
+msgid "ITAR"
+msgstr "ITAR"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml230(para)
+msgid ""
+"The International Traffic in Arms Regulations (ITAR) is a set of United "
+"States government regulations that control the export and import of defense-"
+"related articles and services on the United States Munitions List (USML) and"
+" related technical data. ITAR is often approached by cloud providers as an "
+"\"operational alignment\" rather than a formal certification. This typically"
+" involves implementing a segregated cloud environment following practices "
+"based on the NIST 800-53 framework, as per FISMA requirements, complemented "
+"with additional controls restricting access to \"U.S. Persons\" only and "
+"background screening."
+msgstr "International Traffic in Arms Regulations (ITAR)は米囜政府芏制の集合であり、米囜軍需品リスト(United States Munitions List, USML)ず関連技術情報に関係する防衛物品・サヌビスの茞出入を統制したす。ITARは正匏な認蚌ずいうより、\"軍事掻動支揎\"の䜍眮づけでクラりドプロバむダヌから提瀺されたす。この統制は䞀般的に、NIST 800-53フレヌムワヌクにもずづき、分離されたクラりド環境の実装を意味したす。FISMA芁件により、米囜民か぀身元審査された人のみがアクセスできるよう、远加の統制で補完したす。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml241(para)
+msgid ""
+"For more details see http://pmddtc.state.gov/regulations_laws/itar_official.html."
+msgstr "詳现はhttp://pmddtc.state.gov/regulations_laws/itar_official.htmlを参照しおください。"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml247(title)
+msgid "FISMA"
+msgstr "FISMA"
+
+#: ./doc/security-guide/ch064_certifications-compliance-statements.xml248(para)
+msgid ""
+"The Federal Information Security Management Act requires that government "
+"agencies create a comprehensive plan to implement numerous government "
+"security standards, and was enacted within the E-Government Act of 2002. 
" +"FISMA outlines a process, which utilizing multiple NIST publications, " +"prepares an information system to store and process government data." +msgstr "米囜連邊情報セキュリティマネゞメント法 - Federal Information Security Management Act requires、FISMAは、政府機関は倚数の政府セキュリティ暙準を実装するために、包括的な蚈画を䜜成する必芁があるずしお、2002幎 電子政府法 - E-Government Act of 2002 内で制定されたした。FISMAは倚数のNIST公衚文献を掻甚し、政府のデヌタを保存、凊理する情報システムを䜜成するためのプロセスを説明しおいたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml255(para) +msgid "This process is broken apart into three primary categories:" +msgstr "このプロセスは䞉぀の䞻芁カテゎリに分割されおいたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml259(para) +msgid "" +"System categorization: The information " +"system will receive a security category as defined in Federal Information " +"Processing Standards Publication 199 (FIPS 199). These categories reflect " +"the potential impact of system compromise." +msgstr "システムのカテゎリ分け 情報システムは連邊情報凊理芏栌( Federal Information Processing Standards Publication 199, FIPS 199)で定められたセキュリティカテゎリに分類されたす。これらのカテゎリはシステムの情報挏掩の朜圚的な圱響を反映しおいたす。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml267(para) +msgid "" +"Control selection:Based upon system " +"security category as defined in FIPS 199, an organization utilizes FIPS 200 " +"to identify specific security control requirements for the information " +"system. For example, if a system is categorized as “moderate” a requirement " +"may be introduced to mandate “secure passwords.”" +msgstr "統制の遞択 FIPS 199で定められたシステムセキュリティのカテゎリにもずづき、組織は情報システムのための特定のセキュリティ統制芁求を特定すべく、FIPS 200を掻甚したす 。たずえば、もしシステムが\"䞭皋床\"ず分類されおいるのであれば、安党なパスワヌドの匷制が求められるでしょう。" + +#: ./doc/security-guide/ch064_certifications-compliance-statements.xml276(para) +msgid "" +"Control tailoring: Once system security " +"controls are identified, an OpenStack architect will utilize NIST 800-53 to " +"extract tailored control selection. 
For example, specification of what "
+"constitutes a “secure password.”"
+msgstr "統制の適甚 システムのセキュリティが特定されれば、OpenStackアヌキテクトは遞択した統制を適甚するために、NIST 800-53を掻甚したす。たずえば、安党なパスワヌドの構成を仕様化するなど。"
+
+#: ./doc/security-guide/ch065_privacy.xml7(title)
+msgid "Privacy"
+msgstr "プラむバシヌ"
+
+#: ./doc/security-guide/ch065_privacy.xml8(para)
+msgid ""
+"Privacy is an increasingly important element of a compliance program. "
+"Businesses are being held to a higher standard by their customers, who have "
+"increased interest in understanding how their data is treated from a privacy"
+" perspective."
+msgstr "プラむバシヌはコンプラむアンスプログラムの重芁な芁玠になり぀぀ありたす。顧客はプラむバシヌの芳点から、デヌタがいかに扱われおいるか関心を高めおおり、デヌタを扱う䌁業はより高い基準を期埅されおいたす。"
+
+#: ./doc/security-guide/ch065_privacy.xml9(para)
+msgid ""
+"An OpenStack deployment will likely need to demonstrate compliance with an "
+"organization’s Privacy Policy, with the U.S. – E.U. Safe Harbor framework, "
+"the ISO/IEC 29100:2011 privacy framework or with other privacy-specific "
+"guidelines. In the U.S. the AICPA has defined"
+" 10 privacy areas of focus, OpenStack deployments within a commercial"
+" environment may desire to attest to some or all of these principles." 
+msgstr "OpenStack環境では、組織のプラむバシヌポリシヌ、米囜 - EU間のセヌフハヌバヌフレヌムワヌク、ISO/IEC 29100:2011 プラむバシヌフレヌムワヌクなど、プラむバシヌ特化ガむドラむン遵守の蚌明を求められるこずが倚いです。米囜ではAICPAが重芖すべき10のプラむバシヌ項目を公衚しおおり、ビゞネス甚途のOpenStack環境はそのうちのいく぀か、もしくは党原則の立蚌を期埅されたす。"
+
+#: ./doc/security-guide/ch065_privacy.xml10(para)
+msgid ""
+"To aid OpenStack architects in the protection of personal data, it is "
+"recommended that OpenStack architects review the NIST publication 800-122, "
+"titled \"Guide to Protecting the Confidentiality of Personally "
+"Identifiable Information (PII).\" This guide steps through the "
+"process of protecting:"
+msgstr "個人情報の保護に取り組むOpenStackアヌキテクトを支揎するため、OpenStackアヌキテクトには、NIST刊行 800-122 \"Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).をおすすめしたす。このガむドは以䞋を保護するプロセスに぀いお述べおいたす。"
+
+#: ./doc/security-guide/ch065_privacy.xml12(para)
+msgid ""
+"\"any information about an individual maintained by an agency, "
+"including (1) any information that can be used to distinguish or trace an "
+"individual‘s identity, such as name, social security number, date and place "
+"of birth, mother‘s maiden name, or biometric records; and (2) any other "
+"information that is linked or linkable to an individual, such as medical, "
+"educational, financial, and employment information\""
+msgstr "\"政府機関が保有するあらゆる個人情報、(1)個人を特定、远跡しうるあらゆる情報、䟋えば氏名、瀟䌚保障番号、出生幎月日、出生地、母の旧姓、生䜓情報など。および、(2)個人に結び぀く、結び぀けられるあらゆる情報、䟋えば医療、教育、金融、雇甚情報など\""
+
+#: ./doc/security-guide/ch065_privacy.xml14(para)
+msgid ""
+"Comprehensive privacy management requires significant preparation, thought "
+"and investment. Additional complications are introduced when building global"
+" OpenStack clouds, for example navigating the differences between U.S. and "
+"more restrictive E.U. privacy laws. In addition, extra care needs to be "
+"taken when dealing with sensitive PII that may include information such as "
+"credit card numbers or medical records. 
This sensitive data is not only "
+"subject to privacy laws but also regulatory and governmental regulations. By"
+" deferring to established best practices, including those published by "
+"governments, a holistic privacy management policy may be created and "
+"practiced for OpenStack deployments."
+msgstr "包括的なプラむバシヌ管理には、十分な準備、考慮ず投資が必芁です。たた、グロヌバルなOpenStackクラりドの構築時には、さらなる耇雑さに気づくでしょう。米囜および、それより厳しいEUのプラむバシヌ法什の違いが良い䟋です。加えお、クレゞットカヌド番号や医療情報など、機密性の高い個人情報を扱う堎合にはさらなる泚意が必芁です。これら機密性の高い情報はプラむバシヌ法什だけでなく、監芖圓局や政府芏制にも関連したす。政府によっお発行されたものなど、ベストプラクティスに埓うこずで、OpenStack環境向けの総合的なプラむバシヌ管理ポリシヌが確立、実践されおいくでしょう。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml12(title)
+msgid "Networking services security best practices"
+msgstr "Networking サヌビス セキュリティベストプラクティス"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml13(para)
+msgid ""
+"This section discusses OpenStack Networking configuration best practices as "
+"they apply to tenant network security within your OpenStack deployment."
+msgstr "この章では、あなたの OpenStack デプロむの䞭でテナントネットワヌクセキュリティを適甚する為に、OpenStack Networking の蚭定のベストプラクティスに぀いお議論したす。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml15(title)
+msgid "Tenant network services workflow"
+msgstr "テナントネットワヌクサヌビスのワヌクフロヌ"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml16(para)
+msgid ""
+"OpenStack Networking provides users real self services of network resources "
+"and configurations. It is important that cloud architects and operators "
+"evaluate their design use cases in providing users the ability to create, "
+"update, and destroy available network resources." 
+msgstr "OpenStack Networking は、ネットワヌクリ゜ヌスず蚭定の本物のセルフサヌビスをナヌザに提䟛したす。クラりドアヌキテクトずオペレヌタが、利甚可胜なネットワヌクリ゜ヌスの䜜成・曎新・削陀機胜をナヌザに提䟛する際の圌らの蚭蚈ナヌスケヌスを評䟡する事は重芁です。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml19(title)
+msgid "Networking resource policy engine"
+msgstr "Networking リ゜ヌスポリシヌ゚ンゞン"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml20(para)
+msgid ""
+"A policy engine and its configuration file, "
+"policy.json, within OpenStack Networking provides a "
+"method to provide finer grained authorization of users on tenant networking "
+"methods and objects. It is important that cloud architects and operators "
+"evaluate their design and use cases in providing users and tenants the "
+"ability to create, update, and destroy available network resources as it has"
+" a tangible effect on tenant network availability, network security, and "
+"overall OpenStack security. For a more detailed explanation of OpenStack "
+"Networking policy definition, please refer to the Authentication and "
+"authorization section in the OpenStack Cloud Administrator"
+" Guide."
+msgstr "OpenStack Networking 䞭のポリシヌ゚ンゞンずその蚭定ファむルpolicy.jsonは、テナントネットワヌクメ゜ッドずオブゞェクト䞊のナヌザのきめ现かな蚱可を提䟛する方法を提䟛したす。クラりドアヌキテクトずオペレヌタが、ナヌザずテナントに利甚可胜なネットワヌクリ゜ヌスを䜜成・亀信・削陀する機胜を提䟛するにあたっお、かれらの蚭蚈ずナヌスケヌスを評䟡する事は重芁です。なぜなら、テナントネットワヌクの可甚性、ネットワヌクセキュリティ、党般的な OpenStack セキュリティ䞊でこれらが実際の効果を持぀からです。OpenStack Networking ポリシヌ定矩のより詳现な説明は、OpenStack クラりド管理者ガむド 䞭の 認蚌ず認可の章を参照しお䞋さい。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml34(para)
+msgid ""
+"It is important to review the default networking resource policy and modify "
+"the policy appropriately for your security posture." 
+msgstr "デフォルトの Networking リ゜ヌスポリシヌをレビュヌする事ず、あなたのセキュリティ姿勢に向けおポリシヌを適切に修正する事は重芁です。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml37(para)
+msgid ""
+"If your deployment of OpenStack provides multiple external access points "
+"into different security domains it is important that you limit the tenant's "
+"ability to attach multiple vNICs to multiple external access pointsthis "
+"would bridge these security domains and could lead to unforeseen security "
+"compromise. It is possible mitigate this risk by utilizing the host "
+"aggregates functionality provided by OpenStack Compute or through splitting "
+"the tenant VMs into multiple tenant projects with different virtual network "
+"configurations."
+msgstr "あなたの OpenStack のデプロむが異なるセキュリティドメむンに向けお耇数の倖郚アクセスポむントを提䟛する堎合、耇数の倖郚アクセスポむントぞ耇数の仮想NICをアタッチするテナントの機胜を制限する事は重芁です。これは、これらのセキュリティドメむンのブリッゞになり、思いがけないセキュリティの劥協を導くかも知れたせん。OpenStack Compute が提䟛するホストアグリゲヌト機胜の掻甚や、異なる仮想ネットワヌク蚭定を持぀耇数のテナントプロゞェクトにテナントVMを分割する事で、リスクを緩和する事が可胜です。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml48(title)
+msgid "Security groups"
+msgstr "セキュリティグルヌプ"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml49(para)
+msgid ""
+"The OpenStack Networking Service provides security group functionality using"
+" a mechanism that is more flexible and powerful than the security group "
+"capabilities built into OpenStack Compute. Thus, when using OpenStack "
+"Networking, nova.conf should always disable built-in "
+"security groups and proxy all security group calls to the OpenStack "
+"Networking API. Failure to do so will result in conflicting security "
+"policies being simultaneously applied by both services. 
To proxy security "
+"groups to OpenStack Networking, use the following configuration values:"
+msgstr "OpenStack Networking サヌビスは、OpenStack Compute 䞊に構築されたセキュリティグルヌプ機胜より柔軟で協力な機胜を甚いたセキュリティグルヌプ機胜を提䟛したす。このように、OpenStack Networking を甚いる堎合、nova.conf は垞にビルトむンのセキュリティグルヌプを無効化し、党おのセキュリティグルヌプ芁求を OpenStack Networking API にプロキシする必芁がありたす。これを怠った堎合、セキュリティポリシヌが䞡サヌビスに同時に適甚されお衝突を起こす結果ずなりたす。OpenStack Networking にセキュリティグルヌプをプロキシする為に、以䞋の蚭定倀を甚いお䞋さい。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml61(para)
+msgid ""
+" must be set to "
+"nova.virt.firewall.NoopFirewallDriver so that nova-compute does not perform iptables-based"
+" filtering itself."
+msgstr " は、nova-compute が自身で iptables ベヌスのフィルタリングを実行しないよう、nova.virt.firewall.NoopFirewallDriver に蚭定しなければなりたせん。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml67(para)
+msgid ""
+" must be set to "
+"neutron so that all security group requests are proxied "
+"to the OpenStack Networking service."
+msgstr " は、党おのセキュリティグルヌプ芁求が OpenStack Networking サヌビスを経由するよう、neutron に蚭定しなければなりたせん。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml73(para)
+msgid ""
+"Security groups and security group rules allow administrators and tenants "
+"the ability to specify the type of traffic and direction (ingress/egress) "
+"that is allowed to pass through a virtual interface port. A security group "
+"is a container for security group rules. When a virtual interface port is "
+"created in OpenStack Networking it is associated with a security group. If a"
+" security group is not specified, the port will be associated with a "
+"'default' security group. By default this group will drop all ingress "
+"traffic and allow all egress. Rules can be added to this group in order to "
+"change the behaviour." 
+msgstr "セキュリティグルヌプずセキュリティグルヌプルヌルは、管理者ずテナントが仮想むンタヌフェヌスポヌトの通過を蚱可する通信のタむプず通信方向 (内向き倖向き) を指定できるようにしおいたす。セキュリティグルヌプはセキュリティグルヌプルヌルの入れ物です。OpenStack Networking 䞭で仮想むンタヌフェヌスポヌトが䜜成された堎合、ポヌトはセキュリティグルヌプに玐付けられたす。セキュリティグルヌプが指定されない堎合、ポヌトは「default」セキュリティグルヌプに玐付けられたす。デフォルトでは、このグルヌプは内向きの通信を党おドロップし、倖向きの通信を党お蚱可したす。挙動を倉える為に、このグルヌプにルヌルを远加する事が出来たす。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml74(para)
+msgid ""
+"When using the security group API through OpenStack Compute, security groups"
+" are applied to all virtual interface ports on an instance. The reason for "
+"this is that OpenStack Compute security group APIs are instance based and "
+"not virtual interface port based as OpenStack Networking."
+msgstr "OpenStack Compute のセキュリティグルヌプ API を䜿甚する堎合、セキュリティグルヌプはむンスタンス䞊の党仮想むンタヌフェヌスポヌトに適甚されたす。この理由は、OpenStack Compute のセキュリティグルヌプ API がむンスタンスベヌスであり、OpenStack Networking のような仮想むンタヌフェヌスポヌトベヌスではないからです。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml77(title)
+msgid "Quotas"
+msgstr "クォヌタ"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml79(para)
+msgid ""
+"Quotas provide the ability to limit the number of network resources "
+"available to tenants. You can enforce default quotas for all tenants. The "
+"/etc/neutron/neutron.conf includes these options for "
+"quota:"
+msgstr "クォヌタは、テナントに察しお利甚可胜なネットワヌクリ゜ヌス数を制限する機胜を提䟛したす。党おのテナントに察しおデフォルトのクォヌタを匷制する事が出来たす。/etc/neutron/neutron.conf にクォヌタに関するこれらのオプションがありたす。"
+
+#: ./doc/security-guide/ch034_tenant-secure-networking-best-practices.xml108(para)
+msgid ""
+"OpenStack Networking also supports per-tenant quotas limit through a quota "
+"extension API. To enable per-tenant quotas, you must set the "
+"quota_driver option in neutron.conf." 
+msgstr "OpenStack Networking はたた、クォヌタ拡匵 API 経由で、テナント単䜍のクォヌタをサポヌトしおいたす。テナント単䜍クォヌタを有効にするためには、neutron.conf 䞭の quota_driver を蚭定する必芁がありたす。"
+
+#: ./doc/security-guide/ch037_risks.xml8(title)
+msgid "Message queuing architecture"
+msgstr "メッセヌゞキュヌむングアヌキテクチャヌ"
+
+#: ./doc/security-guide/ch037_risks.xml9(para)
+msgid ""
+"Message queuing services facilitate inter-process communication in "
+"OpenStack. OpenStack supports these message queuing service back ends:"
+msgstr "メッセヌゞキュヌむングサヌビスは、OpenStack 内におけるプロセス間通信を担いたす。OpenStack は次のキュヌむングサヌビスをサポヌトしおいたす。"
+
+#: ./doc/security-guide/ch037_risks.xml14(para)
+msgid "RabbitMQ"
+msgstr "RabbitMQ"
+
+#: ./doc/security-guide/ch037_risks.xml17(para)
+msgid "Qpid"
+msgstr "Qpid"
+
+#: ./doc/security-guide/ch037_risks.xml20(para)
+msgid "ZeroMQ or 0MQ"
+msgstr "ZeroMQ、たたは、0MQ"
+
+#: ./doc/security-guide/ch037_risks.xml23(para)
+msgid ""
+"Both RabbitMQ and Qpid are Advanced Message Queuing Protocol (AMQP) "
+"frameworks, which provide message queues for peer-to-peer communication. "
+"Queue implementations are typically deployed as a centralized or "
+"decentralized pool of queue servers. ZeroMQ provides direct peer-to-peer "
+"communication through TCP sockets."
+msgstr "RabbitMQ ず Qpid は䞡方ずも、Advanced Message Queuing Protocol (AMQP) フレヌムワヌクであり、ピアツヌピア通信にメッセヌゞキュヌを提䟛する仕組みです。\nキュヌの実装は通垞、キュヌサヌバのプヌルを集䞭型か分散型で展開したす。\nZeroMQ はピア間の通信に盎接 TCP ゜ケットを䜿うずころが異なっおいたす。"
+
+#: ./doc/security-guide/ch037_risks.xml29(para)
+msgid ""
+"Message queues effectively facilitate command and control functions across "
+"OpenStack deployments. Once access to the queue is permitted no further "
+"authorization checks are performed. Services accessible through the queue do"
+" validate the contexts and tokens within the actual message payload. "
+"However, you must note the expiration date of the token because tokens are "
+"potentially re-playable and can authorize other services in the "
+"infrastructure." 
+msgstr "メッセヌゞキュヌは、OpenStack 内における指揮系統の機胜を担いたす。䞀床キュヌぞのアクセスが蚱可されるず、その埌の認蚌チェックは行われたせん。キュヌを䜿甚するサヌビスがメッセヌゞペむロヌド内のコンテキストずトヌクンのチェックを行いたす。\nずはいえ、トヌクンの期限切れには泚意を払う必芁がありたす。これは、トヌクンが朜圚的に再発行可胜であり、むンフラストラクチャ内の他のサヌビスを蚱可する可胜性があるためです。"
+
+#: ./doc/security-guide/ch037_risks.xml37(para)
+msgid ""
+"OpenStack does not support message-level confidence, such as message "
+"signing. Consequently, you must secure and authenticate the message "
+"transport itself. For high-availability (HA) configurations, you must "
+"perform queue-to-queue authentication and encryption."
+msgstr "OpenStack は、メッセヌゞぞの眲名のようなメッセヌゞレベルのコンフィデンスはサポヌトしおいたせん。そのため、メッセヌゞの通信路そのものがセキュア化され、か぀、キュヌサヌバヌぞのアクセスの際に認蚌が行なわれる必芁がありたす。\nたた、HA 蚭定の際には、キュヌ間の認蚌ず暗号化も同様に実斜するべきです。"
+
+#: ./doc/security-guide/ch037_risks.xml42(para)
+msgid ""
+"With ZeroMQ messaging, IPC sockets are used on individual machines. Because "
+"these sockets are vulnerable to attack, ensure that the cloud operator has "
+"secured them."
+msgstr "ZeroMQ メッセヌゞングでは、IPC ゜ケットが各マシンで䜿甚されたす。これらの゜ケットは管理者がセキュア化しない限り、ロヌカルメッセヌゞむンゞェクションやスヌヌピングの攻撃に脆匱な可胜性がありたす。"
+
+#. When image changes, this message will be marked fuzzy or untranslated for
+#. you.
+#. It doesn't matter what you translate it to: it's not used at all.
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml35(None)
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml38(None)
+msgid "@@image: 'static/group.png'; md5=aec1f0af66d29c1a5d1f174df1f12812"
+msgstr "@@image: 'static/group.png'; md5=aec1f0af66d29c1a5d1f174df1f12812"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml8(title)
+msgid "Why and how we wrote this book"
+msgstr "本曞の䜜成理由ず方法"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml9(para)
+msgid ""
+"As OpenStack adoption continues to grow and the product matures, security "
+"has become a priority. The OpenStack Security Group has recognized the need "
+"for a comprehensive and authoritative security guide. 
The OpenStack Security Guide has been written to "
+"provide an overview of security best practices, guidelines, and "
+"recommendations for increasing the security of an OpenStack deployment. The "
+"authors bring their expertise from deploying and securing OpenStack in a "
+"variety of environments."
+msgstr "OpenStack が拡倧を続け、補品が成熟しおきたので、セキュリティが重芁事項になっおきたした。OpenStack Security Group は包括的か぀暩嚁のあるセキュリティガむドの必芁性を認識したした。OpenStack セキュリティガむドは、OpenStack のセキュリティ向䞊を目的ずした、セキュリティのベストプラクティス、ガむドラむン、掚奚事項の抂芁に぀いお蚘茉しおいたす。著者は\nさたざたな環境で OpenStack の導入やセキュア化をした専門知識をもたらしたす。"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml10(para)
+msgid ""
+"The guide augments the OpenStack Operations "
+"Guide and can be referenced to harden existing OpenStack "
+"deployments or to evaluate the security controls of OpenStack cloud "
+"providers."
+msgstr "このガむドは OpenStack Operations Guide OpenStack 運甚ガむドを補足したす。既存の OpenStack 環境のセキュリティを匷化したり、OpenStack を甚いたクラりド事業者のセキュリティ制埡を評䟡するための参考曞ずしお掻甚しおください。"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml12(title)
+msgid "Objectives"
+msgstr "本曞の目的"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml14(para)
+msgid "Identify the security domains in OpenStack"
+msgstr "OpenStack のセキュリティ領域の明確化"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml17(para)
+msgid "Provide guidance to secure your OpenStack deployment"
+msgstr "OpenStack をセキュア化するガむドの提䟛"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml20(para)
+msgid ""
+"Highlight security concerns and potential mitigations in present day "
+"OpenStack"
+msgstr "珟圚の OpenStack におけるセキュリティ懞念事項ず実珟可胜な軜枛策の玹介"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml23(para)
+msgid "Discuss upcoming security features"
+msgstr "今埌予定されおいるセキュリティ機胜の議論"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml26(para)
+msgid ""
+"To provide a community driven facility for knowledge capture and "
+"dissemination"
+msgstr 
"コミュニティ䞻導のナレッゞ蓄積ず普及の堎の提䟛" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml31(title) +msgid "How" +msgstr "本曞の執筆方法" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml32(para) +msgid "" +"As with the OpenStack Operations Guide, we followed the book sprint " +"methodology. The book sprint process allows for rapid development and " +"production of large bodies of written work. Coordinators from the OpenStack " +"Security Group re-enlisted the services of Adam Hyde as facilitator. " +"Corporate support was obtained and the project was formally announced during" +" the OpenStack summit in Portland, Oregon." +msgstr "本曞はOpenStack Operations GuideOpenStack 運甚ガむドず同様に「ブックスプリントメ゜ッド」を甚いたした。このメ゜ッドでは、迅速な倧量文章の䜜成を実珟したす。OpenStack Security Group のコヌディネヌタヌは再びAdam Hydeをファシリテヌタヌずしお力を借りたした。さらに䌁業からのサポヌトが埗られ、オレゎン州ポヌトランドで開催されたOpenStack サミットでプロゞェクトが正匏に公衚されたした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml33(para) +msgid "" +"The team converged in Annapolis, MD due to the close proximity of some key " +"members of the group. This was a remarkable collaboration between public " +"sector intelligence community members, silicon valley startups and some " +"large, well-known technology companies. The book sprint ran during the last " +"week in June 2013 and the first edition was created in five days." +msgstr "チヌムは、グルヌプの䞻芁なメンバヌが集たるために、メリヌランド州アナポリスに集たりたした。これは、公共郚門のむンテリゞェンス・コミュニティヌのメンバヌ、シリコンバレヌのスタヌトアップ、いく぀かの有名な倧手技術䌁業の間での驚くべきコラボレヌションです。Book Sprint は 2013 幎 6 月の最終週に行われ、初版は 5 日間で䜜成されたした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml41(para) +msgid "The team included:" +msgstr "チヌムメンバヌは以䞋のずおりです。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml44(para) +msgid "Bryan D. Payne, Nebula" +msgstr "Bryan D. Payne, Nebula" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml45(para) +msgid "" +"Dr. Bryan D. 
Payne is the Director of Security Research at Nebula and co-"
+"founder of the OpenStack Security Group (OSSG). Prior to joining Nebula, he "
+"worked at Sandia National Labs, the National Security Agency, BAE Systems, "
+"and IBM Research. He graduated with a Ph.D. in Computer Science from the "
+"Georgia Tech College of Computing, specializing in systems security."
+msgstr "Dr. Bryan D. Payne は、Nebula の Security Research の Director です。たた、OpenStack Security Group (OSSG) の共同創蚭者です。Nebula に参加する前は、Sandia National Labs、National Security Agency、BAE Systems、IBM Research に勀務しおいたした。Georgia Tech College of Computing でシステムセキュリティを専攻し、コンピュヌタヌサむ゚ンスの Ph.D. を取埗したした。"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml48(para)
+msgid "Robert Clark, HP"
+msgstr "Robert Clark, HP"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml49(para)
+msgid ""
+"Robert Clark is the Lead Security Architect for HP Cloud Services and co-"
+"founder of the OpenStack Security Group (OSSG). Prior to being recruited by "
+"HP, he worked in the UK Intelligence Community. Robert has a strong "
+"background in threat modeling, security architecture and virtualization "
+"technology. Robert has a master's degree in Software Engineering from the "
+"University of Wales."
+msgstr "Robert Clark は、Nebula の HP Cloud Services の Lead Security Architect です。たた、OpenStack Security Group (OSSG) の共同創蚭者です。HP に入瀟する前は、UK Intelligence Community に勀務しおいたした。脅嚁モデリング、セキュリティアヌキテクチャ、仮想化技術に関する匷固なバックグラりンドを持ちたす。University of Wales の゜フトりェア゚ンゞニアリングの修士号を持っおいたす。"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml52(para)
+msgid "Keith Basil, Red Hat"
+msgstr "Keith Basil, Red Hat"
+
+#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml53(para)
+msgid ""
+"Keith Basil is a Principal Product Manager for Red Hat OpenStack and is "
+"focused on Red Hat's OpenStack product management, development and strategy." 
+" Within the US public sector, Basil brings previous experience from the " +"design of an authorized, secure, high-performance cloud architecture for " +"Federal civilian agencies and contractors." +msgstr "Keith Basil は Red Hat OpenStack の Principal Product Manager です。Red Hat の OpenStack 補品マネゞメント、開発、戊略に泚力しおいたす。アメリカの公共郚門の䞭で、アメリカの民間機関ず委蚗業者向けの認定枈み、セキュアか぀ハむパフォヌマンスなクラりドアヌキテクチャの蚭蚈から、これたでの経隓をもたらしたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml56(para) +msgid "Cody Bunch, Rackspace" +msgstr "Cody Bunch, Rackspace" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml57(para) +msgid "" +"Cody Bunch is a Private Cloud architect with Rackspace. Cody has co-authored" +" an update to \"The OpenStack Cookbook\" as well as books on VMware " +"automation." +msgstr "Cody Bunch は Rackspace の Private Cloud architect です。『The OpenStack Cookbook』ず VMware 自動化の曞籍の共同執筆者です。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml60(para) +msgid "Malini Bhandaru, Intel" +msgstr "Malini Bhandaru, Intel" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml61(para) +msgid "" +"Malini Bhandaru is a security architect at Intel. She has a varied " +"background, having worked on platform power and performance at Intel, speech" +" products at Nuance, remote monitoring and management at ComBrio, and web " +"commerce at Verizon. She has a Ph.D. in Artificial Intelligence from the " +"University of Massachusetts, Amherst." +msgstr "Malini Bhandaru は Intel のセキュリティアヌキテクトです。Intel でプラットフォヌムの電力ずパフォヌマンス、Nuance でスピヌチ補品、ComBrio でリモヌトモニタリングず管理、Verizon でりェブコマヌスに関するさたざたなバックグラりンドを持ちたす。University of Massachusetts, Amherst で人工知胜に関する Ph.D. 
を持っおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml64(para) +msgid "" +"Gregg Tally, Johns Hopkins University " +"Applied Physics Laboratory" +msgstr "Gregg Tally, Johns Hopkins University Applied Physics Laboratory" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml65(para) +msgid "" +"Gregg Tally is the Chief Engineer at JHU/APL's Cyber Systems Group within " +"the Asymmetric Operations Department. He works primarily in systems security" +" engineering. Previously, he has worked at SPARTA, McAfee, and Trusted " +"Information Systems where he was involved in cyber security research " +"projects." +msgstr "Gregg Tally は Asymmetric Operations Department の JHU/APL's Cyber Systems Group の Chief Engineer です。䞻にシステムセキュリティ゚ンゞニアリングに関する仕事をしおいたす。以前は、サむバヌセキュリティ研究プロゞェクトに関わり、SPARTA、McAfee、Trusted Information Systems に勀務しおいたした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml68(para) +msgid "Eric Lopez, VMware" +msgstr "Eric Lopez, VMware" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml69(para) +msgid "" +"Eric Lopez is Senior Solution Architect at VMware's Networking and Security " +"Business Unit where he helps customers implement OpenStack and VMware NSX " +"(formerly known as Nicira's Network Virtualization Platform). Prior to " +"joining VMware (through the company's acquisition of Nicira), he worked for " +"Q1 Labs, Symantec, Vontu, and Brightmail. He has a B.S in Electrical " +"Engineering/Computer Science and Nuclear Engineering from U.C. Berkeley and " +"MBA from the University of San Francisco." +msgstr "Eric Lopez は VMware の Networking and Security Business Unit の Senior Solution Architect です。顧客が OpenStack や VMware NSX (以前は Nicira の Network Virtualization Platform ずしお知られおいたした) を導入する支揎をしおいたす。VMware (Nicira の䌁業買収により) に参加する前は、Q1 Labs、Symantec、Vontu、Brightmail に勀務しおいたした。U.C. Berkeley の Electrical Engineering/Computer Science、Nuclear Engineering の B.S. 
を保持しおたす。たた、University of San Francisco の MBA を保持しおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml72(para) +msgid "Shawn Wells, Red Hat" +msgstr "Shawn Wells, Red Hat" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml73(para) +msgid "" +"Shawn Wells is the Director, Innovation Programs at Red Hat, focused on " +"improving the process of adopting, contributing to, and managing open source" +" technologies within the U.S. Government. Additionally, Shawn is an upstream" +" maintainer of the SCAP Security Guide project which forms virtualization " +"and operating system hardening policy with the U.S. Military, NSA, and DISA." +" Formerly an NSA civilian, Shawn developed SIGINT collection systems " +"utilizing large distributed computing infrastructures." +msgstr "Shawn Wells は Red Hat の Innovation Programs の Director です。アメリカ政府の䞭でオヌプン゜ヌス技術を適甚、貢献、管理するプロセスを改善するこずに泚力しおいたす。さらに、SCAP Security Guide プロゞェクトのアップストリヌムのメンテナヌです。このプロゞェクトは、 U.S. Military、NSA、DISA で仮想化ずオペレヌティングシステムの匷化ポリシヌを䜜成しおいたす。NSA の契玄者になる前は、倧芏暡分散コンピュヌティング環境を利䟿化する SIGINT 収集システムを開発しおいたした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml76(para) +msgid "Ben de Bont, HP" +msgstr "Ben de Bont, HP" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml77(para) +msgid "" +"Ben de Bont is the CSO for HP Cloud Services. Prior to his current role Ben " +"led the information security group at MySpace and the incident response team" +" at MSN Security. Ben holds a master's degree in Computer Science from the " +"Queensland University of Technology." 
+msgstr "Ben de Bont は HP Cloud Services の CSO です。その前は、MySpace の情報セキュリティグルヌプ、MSN Security のむンシデントレスポンスチヌムを率いおいたした。Queensland University of Technology のコンピュヌタヌサむ゚ンスの修士号を保持しおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml80(para) +msgid "" +"Nathanael Burton, National Security " +"Agency" +msgstr "Nathanael Burton, National Security Agency" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml81(para) +msgid "" +"Nathanael Burton is a Computer Scientist at the National Security Agency. He" +" has worked for the Agency for over 10 years working on distributed systems," +" large-scale hosting, open source initiatives, operating systems, security, " +"storage, and virtualization technology. He has a B.S. in Computer Science " +"from Virginia Tech." +msgstr "Nathanael Burton は National Security Agency のコンピュヌタヌサむ゚ンティストです。Agency に 10 幎以䞊勀務し、分散システム、倧芏暡ホスティング、オヌプン゜ヌスむニシアティブ、オペレヌティングシステム、セキュリティ、ストレヌゞ、仮想化技術に携わっおいたす。Virginia Tech でコンピュヌタヌサむ゚ンスの B.S. を取埗したした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml84(emphasis) +msgid "Vibha Fauver" +msgstr "Vibha Fauver" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml85(para) +msgid "" +"Vibha Fauver, GWEB, CISSP, PMP, has over fifteen years of experience in " +"Information Technology. Her areas of specialization include software " +"engineering, project management and information security. She has a B.S. in " +"Computer & Information Science and a M.S. in Engineering Management with" +" specialization and a certificate in Systems Engineering." +msgstr "Vibha Fauver (GWEB, CISSP, PMP) は情報技術に関する 15 幎以䞊の経隓がありたす。専門分野は゜フトりェア゚ンゞニアリング、プロゞェクト管理ず情報セキュリティです。Computer & Information Science の B.S. ず Engineering Management の M.S. 
を保持しおいたす。Systems Engineering の資栌を保持しおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml88(para) +msgid "Eric Windisch, Cloudscaling" +msgstr "Eric Windisch, Cloudscaling" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml89(para) +msgid "" +"Eric Windisch is a Principal Engineer at Cloudscaling where he has been " +"contributing to OpenStack for over two years. Eric has been in the trenches " +"of hostile environments, building tenant isolation and infrastructure " +"security through more than a decade of experience in the web hosting " +"industry. He has been building cloud computing infrastructure and automation" +" since 2007." +msgstr "Eric Windisch は Cloudscaling の Principal Engineer です。OpenStack に 2 幎以䞊貢献しおいたす。りェブホスティング業界における 10 幎以䞊の経隓から、ホスティング環境の分離性、テナント独立性の構築、むンフラセキュリティに携わっおいたす。2007 幎以降、クラりドコンピュヌティング環境の構築ず自動化に携わっおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml92(para) +msgid "Andrew Hay, CloudPassage" +msgstr "Andrew Hay, CloudPassage" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml93(para) +msgid "" +"Andrew Hay is the Director of Applied Security Research at CloudPassage, " +"Inc. where he leads the security research efforts for the company and its " +"server security products purpose-built for dynamic public, private, and " +"hybrid cloud hosting environments." +msgstr "Andrew Hay は CloudPassage, Inc. の Applied Security Research の Director です。瀟内セキュリティおよび、ダむナミックパブリック、プラむベヌト、ハむブリッドクラりドのホスティング環境向けに蚭蚈されたサヌバヌセキュリティ補品のセキュリティ研究チヌムを率いおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml96(emphasis) +msgid "Adam Hyde" +msgstr "Adam Hyde" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml97(para) +msgid "" +"Adam facilitated this Book Sprint. He also founded the Book Sprint " +"methodology and is the most experienced Book Sprint facilitator around. 
Adam" +" founded FLOSS Manuals—a community of some 3,000 individuals developing Free" +" Manuals about Free Software. He is also the founder and project manager for" +" Booktype, an open source project for writing, editing, and publishing books" +" online and in print." +msgstr "Adam はこのブックスプリントをリヌドしたした。圌はブックスプリントメ゜ッドの創蚭者でもあり、䞀番経隓豊富なブックスプリントのファシリテヌタヌです。3000 人もの参加者がいる、フリヌ゜フトりェアのフリヌなマニュアルを䜜成するコミュニティである FLOSS Manuals の創蚭者です。たた、Booktype の創蚭者でプロゞェクトマネヌゞャヌです。 Booktype はオンラむンで本の執筆、線集、出版を行うオヌプン゜ヌスプロゞェクトです。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml100(para) +msgid "" +"During the sprint we also had help from Anne Gentle, Warren Wang, Paul " +"McMillan, Brian Schott and Lorin Hochstein." +msgstr "たた、ブックスプリント期間䞭、Anne Gentle、Warren Wang、Paul McMillan、Brian Schott、Lorin Hochstein からの支揎がありたした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml101(para) +msgid "" +"This Book was produced in a 5 day book sprint. A book sprint is an intensely" +" collaborative, facilitated process which brings together a group to produce" +" a book in 3-5 days. It is a strongly facilitated process with a specific " +"methodology founded and developed by Adam Hyde. For more information visit " +"the book sprint web page at http://www.booksprints.net." +msgstr "本曞は 5 日間のブックスプリントで䜜成されたした。ブックスプリントでは、3〜5 日でドキュメントを䜜成するために、高床なコラボレヌションず統制されたプロセスによっおグルヌプメンバヌをひず぀にしたす。ブックスプリントメ゜ッドは Adam Hyde によっお蚭立された高床なファシリテヌションプロセスです。詳现はブックスプリントのりェブペヌゞ http://www.booksprints.net を参照しおください。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml109(para) +msgid "After initial publication, the following added new content:" +msgstr "初版の発行埌、以䞋の内容を远加したした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml112(para) +msgid "Rodney D. Beede, Seagate Technology" +msgstr "Rodney D. Beede, Seagate Technology" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml115(para) +msgid "" +"Rodney D. 
Beede is the Cloud Security Engineer for Seagate Technology. He " +"contributed the missing chapter on securing OpenStack Object Storage " +"(swift). He holds a M.S. in Computer Science from the University of " +"Colorado." +msgstr "Rodney D. Beede は Seagate Technology の Cloud Security Engineer です。圌は OpenStack Object Storage (swift) のセキュア化に関する䞍足しおいた章に貢献したした。University of Colorado の Computer Science に関する M.S. を保持しおいたす。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml124(title) +msgid "How to contribute to this book" +msgstr "本曞ぞの貢献方法" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml125(para) +msgid "" +"The initial work on this book was conducted in an overly air-conditioned " +"room that served as our group office for the entirety of the documentation " +"sprint." +msgstr "執筆䜜業の初めは空調が効きすぎの郚屋で行われたした。最終的に、その郚屋がグルヌプのオフィスずしお執筆スプリント期間䞭䜿甚されたした。" + +#: ./doc/security-guide/ch002_why-and-how-we-wrote-this-book.xml128(para) +msgid "" +"Learn more about how to contribute to the OpenStack docs: http://wiki.openstack.org/Documentation/HowTo." +msgstr "OpenStack ドキュメントに貢献する方法に぀いお: http://wiki.openstack.org/Documentation/HowTo" + +#: ./doc/security-guide/ch012_configuration-management.xml8(title) +msgid "Continuous systems management" +msgstr "継続的なシステム管理" + +#: ./doc/security-guide/ch012_configuration-management.xml9(para) +msgid "" +"A cloud will always have bugs. Some of these will be security problems. For " +"this reason, it is critically important to be prepared to apply security " +"updates and general software updates. This involves smart use of " +"configuration management tools, which are discussed below. This also " +"involves knowing when an upgrade is necessary." 
+msgstr "クラりドには必ずバグがありたす。その䞭にはセキュリティの問題も含たれおいたす。このような理由から、セキュリティ曎新や䞀般的な゜フトりェア曎新の適甚準備を行うこずが極めお重芁です。䟋えば、構成管理ツヌルを賢く利甚しおいくこずになりたす。これに぀いおは以䞋で説明しおいたす。たた、アップグレヌドが必芁な時期を把握するこずも重芁です。" + +#: ./doc/security-guide/ch012_configuration-management.xml17(para) +msgid "" +"For announcements regarding security relevant changes, subscribe to the " +"OpenStack Announce mailing list. The security " +"notifications are also posted through the downstream packages for example " +"through Linux distributions that you may be subscribed to as part of the " +"package updates." +msgstr "セキュリティ関連の倉曎に関するお知らせは、OpenStack Announce mailing list を賌読しおください。このセキュリティの通知は、Linux ディストリビュヌションなどのダりンストリヌムのパッケヌゞでも掲茉されたす。これはパッケヌゞ曎新の䞀郚ずしお賌読しおいるかもしれたせん。" + +#: ./doc/security-guide/ch012_configuration-management.xml24(para) +msgid "" +"The OpenStack components are only a small fraction of the software in a " +"cloud. It is important to keep up to date with all of these other " +"components, too. While the specific data sources will be deployment " +"specific, the key idea is to ensure that a cloud administrator subscribes to" +" the necessary mailing lists for receiving notification of any related " +"security updates. Often this is as simple as tracking an upstream Linux " +"distribution." +msgstr "OpenStack のコンポヌネントは、クラりドにある゜フトりェアのごく䞀郚です。これらだけではなく他のコンポヌネントすべおを最新の状態に保぀こずが重芁です。デヌタ゜ヌスはそれぞれデプロむメント固有ずなりたすが、クラりド管理者は必芁なメヌリングリストを賌読しお、関連するセキュリティ曎新の通知を受信できるようにするこずが重芁です。通垞、Linux のアップストリヌムディストリビュヌションをチェックするのず同じくらいシンプルです。" + +#: ./doc/security-guide/ch012_configuration-management.xml36(para) +msgid "" +"OpenStack Security Advisories (OSSA) are created by the OpenStack " +"Vulnerability Management Team (VMT). They pertain to security holes in core " +"OpenStack services. 
More information on the VMT can be found here: https://wiki.openstack.org/wiki/Vulnerability_Management" +msgstr "OpenStack セキュリティアドバむザリ (OSSA: OpenStack Security Advisories) は、OpenStack 脆匱性管理チヌム (VMT: Vulnerability Management Team) が䜜成しおいたす。コアずなる OpenStack サヌビスのセキュリティホヌルに関連するものです。VMT に関する詳现情報は、https://wiki.openstack.org/wiki/Vulnerability_Management を参照しおください。" + +#: ./doc/security-guide/ch012_configuration-management.xml44(para) +msgid "" +"OpenStack Security Notes (OSSN) are created by the OpenStack Security Group " +"(OSSG) to support the work of the VMT. OSSN address issues in supporting " +"software and common deployment configurations. They're referenced throughout" +" this guide. Security Notes are archived at https://launchpad.net/ossn/" +msgstr "OpenStack セキュリティノヌト (OSSN: OpenStack Security Notes) は、VMT の䜜業をサポヌトする OpenStack セキュリティグルヌプ (OSSG: OpenStack Security Group) が 䜜成しおいたす。OSSN は゜フトりェアや䞀般的なデプロむメント蚭定のサポヌトにおける問題に察応しおいたす。本曞でも OSNN に぀いおは党䜓的に参照しおいたす。セキュリティノヌトは https://launchpad.net/ossn/ でアヌカむブされおいたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml33(para) +msgid "" +"OpenStack releases security information through two channels. " +"" +msgstr "OpenStack は 2 ぀のチャネルからセキュリティ情報を発信しおいたす。 " + +#: ./doc/security-guide/ch012_configuration-management.xml56(title) +msgid "Triage" +msgstr "トリアヌゞ" + +#: ./doc/security-guide/ch012_configuration-management.xml57(para) +msgid "" +"After you are notified of a security update, the next step is to determine " +"how critical this update is to a given cloud deployment. In this case, it is" +" useful to have a pre-defined policy. Existing vulnerability rating systems " +"such as the common vulnerability scoring system (CVSS) v2 do not properly " +"account for cloud deployments." 
+msgstr "セキュリティ曎新を通知された埌、次のステップずしお、指定のクラりドデプロむメントにずっお、この曎新がどの皋床重芁かを刀断したす。このような堎合、ポリシヌを事前定矩しおおくず䟿利です。共通脆匱性評䟡システム (CVSS) v2 などの既存の脆匱性評䟡システムは、クラりドデプロむメントに正しく察応しおいたせん。" + +#: ./doc/security-guide/ch012_configuration-management.xml63(para) +msgid "" +"In this example we introduce a scoring matrix that places vulnerabilities in" +" three categories: Privilege Escalation, Denial of Service and Information " +"Disclosure. Understanding the type of vulnerability and where it occurs in " +"your infrastructure will enable you to make reasoned response decisions." +msgstr "以䞋の䟋では、暩限昇栌、DoS (サヌビス劚害)、情報開瀺の 3 ぀のカテゎリヌに脆匱性を分類した評䟡䞀芧衚を玹介しおいたす。脆匱性の皮類やむンフラストラクチャヌ内での発生箇所を理解するこずで、裏付けに基いた察応意思決定を䞋すこずができたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml69(para) +msgid "" +"Privilege Escalation describes the ability of a user to act with the " +"privileges of some other user in a system, bypassing appropriate " +"authorization checks. For example, a standard Linux user running code or " +"performing an operation that allows them to conduct further operations with " +"the privileges of the root users on the system." +msgstr "暩限昇栌ずは、適切な認蚌チェックをすり抜けおシステム内の他のナヌザヌの暩限を行䜿するナヌザヌの胜力のこずを指したす。䟋えば、暙準の Linux ナヌザヌがシステム䞊の root ナヌザヌの暩限で自分の暩限以䞊の操䜜を可胜にするオペレヌションを実行したり、コヌドを実行したりするなどです。" + +#: ./doc/security-guide/ch012_configuration-management.xml75(para) +msgid "" +"Denial of Service refers to an exploited vulnerability that may cause " +"service or system disruption. This includes both distributed attacks to " +"overwhelm network resources, and single-user attacks that are typically " +"caused through resource allocation bugs or input induced system failure " +"flaws." +msgstr "サヌビス劚害 (DoS) ずは、サヌビスやシステムの䞭断を匕き起こす脆匱性を悪甚するこずを指したす。これには、ネットワヌクリ゜ヌスを倧量に䜿甚する分散型攻撃や、リ゜ヌス割り圓おのバグや誘導型でのシステム障害の問題などで䞀般的に匕き起こされるシングルナヌザヌ攻撃の䞡方が含たれたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml80(para) +msgid "" +"Information Disclosure vulnerabilities reveal information about your system " +"or operations. 
These vulnerabilities range from debugging information " +"disclosure, to exposure of critical security data, such as authentication " +"credentials and passwords." +msgstr "情報開瀺の脆匱性は、システムや操䜜の情報を公開したす。これらの脆匱性は、情報開瀺のデバッグから認蚌情報やパスワヌドなどの重芁なセキュリティデヌタの公開などが圓おはたりたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml96(emphasis) +msgid "Attacker position / Privilege level" +msgstr "攻撃者の䜍眮付け/暩限レベル" + +#: ./doc/security-guide/ch012_configuration-management.xml102(emphasis) +msgid "External" +msgstr "倖郚" + +#: ./doc/security-guide/ch012_configuration-management.xml103(emphasis) +msgid "Cloud user" +msgstr "クラりドナヌザヌ" + +#: ./doc/security-guide/ch012_configuration-management.xml105(emphasis) +msgid "Cloud admin" +msgstr "クラりドの管理者" + +#: ./doc/security-guide/ch012_configuration-management.xml107(emphasis) +msgid "Control plane" +msgstr "制埡プレヌン" + +#: ./doc/security-guide/ch012_configuration-management.xml111(emphasis) +msgid "Privilege elevation (3 levels)" +msgstr "暩限昇栌 (3 ぀のレベル)" + +#: ./doc/security-guide/ch012_configuration-management.xml113(para) +#: ./doc/security-guide/ch012_configuration-management.xml121(para) +#: ./doc/security-guide/ch012_configuration-management.xml122(para) +#: ./doc/security-guide/ch012_configuration-management.xml129(para) +#: ./doc/security-guide/ch012_configuration-management.xml130(para) +#: ./doc/security-guide/ch012_configuration-management.xml131(para) +msgid "Critical" +msgstr "重芁" + +#: ./doc/security-guide/ch012_configuration-management.xml114(para) +#: ./doc/security-guide/ch012_configuration-management.xml115(para) +#: ./doc/security-guide/ch012_configuration-management.xml116(para) +#: ./doc/security-guide/ch012_configuration-management.xml123(para) +#: ./doc/security-guide/ch012_configuration-management.xml124(para) +#: ./doc/security-guide/ch012_configuration-management.xml132(para) +msgid "n/a" +msgstr "なし" + +#: ./doc/security-guide/ch012_configuration-management.xml119(emphasis) +msgid "Privilege elevation (2 levels)" 
+msgstr "暩限昇栌 (2 ぀のレベル)" + +#: ./doc/security-guide/ch012_configuration-management.xml127(emphasis) +msgid "Privilege elevation (1 level)" +msgstr "暩限昇栌 (1぀のレベル)" + +#: ./doc/security-guide/ch012_configuration-management.xml135(emphasis) +msgid "Denial of service" +msgstr "サヌビス劚害 (DoS)" + +#: ./doc/security-guide/ch012_configuration-management.xml137(para) +msgid "High" +msgstr "高" + +#: ./doc/security-guide/ch012_configuration-management.xml138(para) +msgid "Medium" +msgstr "äž­" + +#: ./doc/security-guide/ch012_configuration-management.xml139(para) +#: ./doc/security-guide/ch012_configuration-management.xml140(para) +#: ./doc/security-guide/ch012_configuration-management.xml148(para) +msgid "Low" +msgstr "䜎" + +#: ./doc/security-guide/ch012_configuration-management.xml143(emphasis) +msgid "Information disclosure" +msgstr "情報開瀺" + +#: ./doc/security-guide/ch012_configuration-management.xml145(para) +#: ./doc/security-guide/ch012_configuration-management.xml146(para) +msgid "Critical / high" +msgstr "重芁/高" + +#: ./doc/security-guide/ch012_configuration-management.xml147(para) +msgid "Medium / low" +msgstr "äž­/䜎" + +#: ./doc/security-guide/ch012_configuration-management.xml152(para) +msgid "" +"This table illustrates a generic approach to measuring the impact of a " +"vulnerability based on where it occurs in your deployment and the effect. " +"For example, a single level privilege escalation on a Compute API node " +"potentially allows a standard user of the API to escalate to have the same " +"privileges as the root user on the node." +msgstr "この衚は、デプロむメントの発生箇所や圱響をもずに脆匱性から受ける圱響レベルを枬定するための䞀般的な手法を瀺しおいたす。䟋えば、Compute API ノヌドで暩限レベルを 1 ぀昇栌するず、API の暙準ナヌザヌはこのノヌド䞊の root ナヌザヌず同等の暩限にたで昇栌するこずが可胜です。" + +#: ./doc/security-guide/ch012_configuration-management.xml158(para) +msgid "" +"We suggest that cloud administrators use this table as a model to help " +"define which actions to take for the various security levels. 
For example, a" +" critical-level security update might require the cloud to be upgraded on a " +"specified time line, whereas a low-level update might be more relaxed." +msgstr "クラりド管理者が、さたざたなセキュリティレベルに合わせお実行するアクションを定矩する圹に立おるために、この衚をモデルずしお䜿甚するこずを掚奚したす。䟋えば、レベルが「重芁」であるセキュリティ曎新では、指定のスケゞュヌルでクラりドのアップグレヌドが必芁ずなる可胜性がありたすが、レベルが「䜎」の曎新ではそこたで厳しくないでしょう。" + +#: ./doc/security-guide/ch012_configuration-management.xml165(title) +msgid "Testing the updates" +msgstr "曎新のテスト" + +#: ./doc/security-guide/ch012_configuration-management.xml166(para) +msgid "" +"You should test any update before you deploy it in a production environment." +" Typically this requires having a separate test cloud setup that first " +"receives the update. This cloud should be as close to the production cloud " +"as possible, in terms of software and hardware. Updates should be tested " +"thoroughly in terms of performance impact, stability, application impact, " +"and more. Especially important is to verify that the problem theoretically " +"addressed by the update, such as a specific vulnerability, is actually " +"fixed." +msgstr "䜕らかの曎新を本番環境にデプロむする前に、それらをテストするようにしおください。䞀般的に、曎新を最初に受信するテスト甚のクラりド蚭定が別途必芁になりたす。このクラりドの゜フトりェアやハヌドりェアはできるだけ実皌働クラりドず同じ環境にする必芁がありたす。パフォヌマンスの圱響、安定性、アプリケヌションぞの圱響など、曎新党䜓をテストする必芁がありたす。特に重芁なのは、曎新で理論䞊察応されおいる問題 (䟋: 特定の脆匱性) が実際に修正されおいるかどうかを確認するこずです。" + +#: ./doc/security-guide/ch012_configuration-management.xml177(title) +msgid "Deploying the updates" +msgstr "曎新のデプロむ" + +#: ./doc/security-guide/ch012_configuration-management.xml178(para) +msgid "" +"Once the updates are fully tested, they can be deployed to the production " +"environment. This deployment should be fully automated using the " +"configuration management tools described below." 
+msgstr "曎新の完党なテストが終了するず、実皌働環境にデプロむするこずができたす。このデプロむメントは、以䞋に蚘茉の構成管理ツヌルで完党に自動的に行われたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml185(title) +msgid "Configuration management" +msgstr "蚭定管理" + +#: ./doc/security-guide/ch012_configuration-management.xml186(para) +msgid "" +"A production quality cloud should always use tools to automate configuration" +" and deployment. This eliminates human error, and allows the cloud to scale " +"much more rapidly. Automation also helps with continuous integration and " +"testing." +msgstr "実皌働環境の品質を持぀クラりドは蚭定ずデプロむメントの自動化ツヌルを必ず䜿甚しおいたす。こうするこずで、人的ミスをなくし、クラりドの迅速なスケヌルアりトが可胜になりたす。自動化により、継続的な統合やテストが行いやすくなりたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml191(para) +msgid "" +"When building an OpenStack cloud it is strongly recommended to approach your" +" design and implementation with a configuration management tool or framework" +" in mind. Configuration management allows you to avoid the many pitfalls " +"inherent in building, managing, and maintaining an infrastructure as complex" +" as OpenStack. By producing the manifests, cookbooks, or templates required " +"for a configuration management utility, you are able to satisfy a number of " +"documentation and regulatory reporting requirements. Further, configuration " +"management can also function as part of your BCP and DR plans wherein you " +"can rebuild a node or service back to a known state in a DR event or given a" +" compromise." 
+msgstr "OpenStack クラりドの構築時は、構成管理ツヌルたたはフレヌムワヌクを念頭に蚭蚈、実装に着手するように匷く掚奚したす。構成管理により、OpenStack のように耇雑なむンフラストラクチャヌの構築、管理、維持においお陥りやすい倚くの問題を回避するこずができたす。構成管理ナヌティリティに必芁なマニフェスト、クックブック、テンプレヌトを䜜成するこずで、倚くの文曞や監督機関ぞのレポヌト芁件を満たすこずができたす。さらに、構成管理は、BCP および DR プランの䞀郚ずしおも機胜する可胜性もありたす。その堎合、DR やセキュリティ䟵害があった堎合にノヌドやサヌビスを既知の状態ぞ再構築するこずができたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml203(para) +msgid "" +"Additionally, when combined with a version control system such as Git or " +"SVN, you can track changes to your environment over time and re-mediate " +"unauthorized changes that may occur. For example, a " +"nova.conf file or other configuration file falls out of" +" compliance with your standard, your configuration management tool can " +"revert or replace the file and bring your configuration back into a known " +"state. Finally a configuration management tool can also be used to deploy " +"updates; simplifying the security patch process. These tools have a broad " +"range of capabilities that are useful in this space. The key point for " +"securing your cloud is to choose a tool for configuration management and use" +" it." +msgstr "さらに、Git や SVN などのバヌゞョン管理システムず統合するず、経幎の環境の倉化をチェックしお、発生する可胜性のある未認蚌の倉曎を修正するこずができたす。䟋えば、nova.conf ファむルやその他の蚭定ファむルが芏栌に準拠しなくなった堎合、既知の状態に構成管理ツヌルはファむルを埩元たたは眮き換えるこずができるでしょう。最埌に、構成管理ツヌルを䜿甚しお、曎新のデプロむも可胜で、セキュリティパッチのプロセスを簡玠化したす。これらのツヌルには、この項においお䟿利な機胜が幅広く含たれおいたす。クラりドのセキュリティ確保の䞻な目的は、構成管理のツヌルを遞択しお䜿甚するこずです。" + +#: ./doc/security-guide/ch012_configuration-management.xml215(para) +msgid "" +"There are many configuration management solutions; at the time of this " +"writing there are two in the marketplace that are robust in their support of" +" OpenStack environments: Chef and " +"Puppet. 
A non-exhaustive listing of tools in this " +"space is provided below:" +msgstr "構成管理゜リュヌションは倚数存圚したすが、本曞の䜜成時点で垂堎にある゜リュヌションで OpenStack 環境のサポヌトが匷力なものは Chef ず Puppet の 2 皮類ずなっおいたす。以䞋に完党ではありたせんが、ツヌルのリストを瀺しおいたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml223(para) +msgid "Chef" +msgstr "Chef" + +#: ./doc/security-guide/ch012_configuration-management.xml226(para) +msgid "Puppet" +msgstr "Puppet" + +#: ./doc/security-guide/ch012_configuration-management.xml229(para) +msgid "Salt Stack" +msgstr "Salt Stack" + +#: ./doc/security-guide/ch012_configuration-management.xml232(para) +msgid "Ansible" +msgstr "Ansible" + +#: ./doc/security-guide/ch012_configuration-management.xml236(title) +msgid "Policy changes" +msgstr "ポリシヌの倉曎" + +#: ./doc/security-guide/ch012_configuration-management.xml237(para) +msgid "" +"Whenever a policy or configuration management is changed, it is good " +"practice to log the activity, and backup a copy of the new set. Often, such " +"policies and configurations are stored in a version controlled repository " +"such as git." +msgstr "ポリシヌや構成管理が倉曎されるず、そのアクティビティをロギングしお、新しいセットのコピヌをバックアップするず慣習ずしお良いでしょう。通垞、このようなポリシヌや蚭定は Git などのバヌゞョン管理リポゞトリに保存されおいたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml244(title) +msgid "Secure backup and recovery" +msgstr "セキュアなバックアップずリカバリ" + +#: ./doc/security-guide/ch012_configuration-management.xml245(para) +msgid "" +"It is important to include Backup procedures and policies in the overall " +"System Security Plan. For a good overview of OpenStack's Backup and Recovery" +" capabilities and procedures, please refer to the OpenStack Operations " +"Guide." 
+msgstr "党䜓的なシステムセキュリティプランにバックアップ手順ずポリシヌを含めるこずは重芁です。OpenStack のバックアップリカバリヌ機胜や手順に぀いおの適切な抂芁は、OpenStack 運甚ガむドを参照しおください。" + +#: ./doc/security-guide/ch012_configuration-management.xml250(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml60(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml117(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml150(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml174(title) +#: ./doc/security-guide/ch026_compute.xml45(title) +#: ./doc/security-guide/ch026_compute.xml90(title) +msgid "Security considerations" +msgstr "セキュリティの課題" + +#: ./doc/security-guide/ch012_configuration-management.xml253(para) +msgid "" +"Ensure only authenticated users and backup clients have access to the backup" +" server." +msgstr "認蚌枈みのナヌザヌおよびバックアップクラむアントのみがバックアップサヌバヌにアクセスできるようにするこず" + +#: ./doc/security-guide/ch012_configuration-management.xml257(para) +msgid "Use data encryption options for storage and transmission of backups." +msgstr "バックアップの保存や送信にはデヌタ暗号化オプションを䜿甚するこず" + +#: ./doc/security-guide/ch012_configuration-management.xml261(para) +msgid "" +"Use a dedicated and hardened backup servers. The logs for the backup server " +"must be monitored daily and accessible by only few individuals." +msgstr "セキュリティが匷化された専甚のバックアップサヌバヌを䜿甚するこず。バックアップサヌバヌのログは日次で監査し、ほんの䞀握りの人だけがこのログにアクセスできるようにしなければいけたせん。" + +#: ./doc/security-guide/ch012_configuration-management.xml266(para) +msgid "" +"Test data recovery options regularly. One of the things that can be restored" +" from secured backups is the images. In case of a compromise, the best " +"practice would be to terminate running instances immediately and then " +"relaunch the instances from the images in the secured backup repository." 
+msgstr "デヌタのリカバリヌオプションを定期的にテストするこず。セキュアなバックアップからリストアが可胜なものの 1 ぀にむメヌゞがありたす。情報挏掩などが発生した堎合のベストプラクティスは、すぐに実行䞭のむンスタンスを終了しお、セキュアなバックアップリポゞトリにあるむメヌゞからむンスタンスを再起動するこずです。" + +#: ./doc/security-guide/ch012_configuration-management.xml276(title) +#: ./doc/security-guide/ch058_forensicsincident-response.xml48(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml90(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml160(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml199(title) +#: ./doc/security-guide/ch026_compute.xml60(title) +#: ./doc/security-guide/ch026_compute.xml106(title) +msgid "References" +msgstr "参考資料" + +#: ./doc/security-guide/ch012_configuration-management.xml279(para) +msgid "" +"OpenStack Operations Guide on backup and recovery" +msgstr "OpenStack 運甚ガむド の バックアップずリカバリヌ" + +#: ./doc/security-guide/ch012_configuration-management.xml287(link) +msgid "" +"http://www.sans.org/reading_room/whitepapers/backup/security-considerations-" +"enterprise-level-backups_515" +msgstr "http://www.sans.org/reading_room/whitepapers/backup/security-considerations-enterprise-level-backups_515" + +#: ./doc/security-guide/ch012_configuration-management.xml291(link) +msgid "OpenStack Security Primer" +msgstr "OpenStack セキュリティ入門" + +#: ./doc/security-guide/ch012_configuration-management.xml297(title) +msgid "Security auditing tools" +msgstr "セキュリティ監査ツヌル" + +#: ./doc/security-guide/ch012_configuration-management.xml298(para) +msgid "" +"Security auditing tools can complement the configuration management tools. " +"Security auditing tools automate the process of verifying that a large " +"number of security controls are satisfied for a given system configuration. " +"These tools help to bridge the gap from security configuration guidance " +"documentation (for example, the STIG and NSA Guides) to a specific system " +"installation. 
For example, SCAP can compare a running system to a pre-defined " +"profile. SCAP outputs a report detailing which controls in the profile were " +"satisfied, which ones failed, and which ones were not checked." +msgstr "セキュリティ監査ツヌルは、構成管理ツヌルを補完するこずができたす。セキュリティ監査ツヌルは、セキュリティ制埡の倚くが指定のシステム蚭定を満たしおいるこずを確認するプロセスを自動化したす。これらのツヌルは、セキュリティ蚭定方針文曞 (䟋: STIG および NSA ガむド) から個別のシステムむンストヌル環境のギャップを埋めるサポヌトをしたす。䟋えば、SCAP は実行䞭のシステムず事前定矩枈みのプロファむルを比范するこずができたす。SCAP はプロファむル内のどの制埡に察応しおいるか、問題があるものはどれか、確認されおいないものはどれかを詳现にたずめたレポヌトを出力したす。" + +#: ./doc/security-guide/ch012_configuration-management.xml310(para) +msgid "" +"Combining configuration management and security auditing tools creates a " +"powerful combination. The auditing tools will highlight deployment concerns." +" And the configuration management tools simplify the process of changing " +"each system to address the audit concerns. Used together in this fashion, " +"these tools help to maintain a cloud that satisfies security requirements " +"ranging from basic hardening to compliance validation." +msgstr "構成管理ずセキュリティ監査ツヌルを組み合わせるこずで匷力になりたす。監査ツヌルはデプロむメントの課題をハむラむトし、構成管理ツヌルは各システムの倉曎プロセスを簡玠化しお監査の課題に察応しおいきたす。このような方法で組み合わせお䜿甚するこずで、これらのツヌルは、基本的なセキュリティの匷化からコンプラむアンスのバリデヌションに至るたで、このようなセキュリティ芁件を満たすクラりドを維持できるようにしたす。" + +#: ./doc/security-guide/ch012_configuration-management.xml317(para) +msgid "" +"Configuration management and security auditing tools will introduce another " +"layer of complexity into the cloud. This complexity brings additional " +"security concerns with it. We view this as an acceptable risk trade-off, " +"given their security benefits. Securing the operational use of these tools " +"is beyond the scope of this guide." 
+msgstr "構成管理およびセキュリティ監査ツヌルは、もう぀のレベルで耇雑性をクラりドにもたらしたす。この耇雑性により、新たなセキュリティの課題が出おきたす。これに぀いおは、セキュリティの利点もあるため、蚱容範囲のリスクのトレヌドオフずいう芋解を持っおいたす。これらのツヌルの運甚におけるセキュリティ確保に぀いおは、本曞の察象倖ずなっおいたす。" + +#: ./doc/security-guide/ch047_data-encryption.xml8(title) +msgid "Data encryption" +msgstr "デヌタ暗号化" + +#: ./doc/security-guide/ch047_data-encryption.xml9(para) +msgid "" +"The option exists for implementors to encrypt tenant data wherever it is " +"stored on disk or transported over a network. This is above and beyond the " +"general recommendation that users encrypt their own data before sending it " +"to their provider." +msgstr "このオプションは、デヌタをディスクに保存する箇所やデヌタをネットワヌク経由で転送する箇所でテナントデヌタを暗号化する実装者甚です。ナヌザが自分自身のデヌタをプロバむダに送信する前にデヌタを暗号化するずいう䞀般的な掚奚の䞊たたはその先にあるものです。" + +#: ./doc/security-guide/ch047_data-encryption.xml10(para) +msgid "" +"The importance of encrypting data on behalf of tenants is largely related to" +" the risk assumed by a provider that an attacker could access tenant data. " +"There may be requirements here in government, as well as requirements per-" +"policy, in private contract, or even in case law in regard to private " +"contracts for public cloud providers. It is recommended that a risk " +"assessment and legal consul advised before choosing tenant encryption " +"policies." +msgstr "テナントの為のデヌタ暗号化の重芁性は、攻撃者がテナントデヌタにアクセスできる事をプロバむダが想定するリスクに広く関係しおいたす。政府での芁件があるかも知れたせんし、ポリシヌ単䜍の芁件ず同様パブリッククラりド提䟛者甚の随意契玄に関しおは、随意契玄の䞭、あるいは刀䟋法の䞭でさえ芁求されるかも知れたせん。テナント暗号化ポリシヌを遞択する前に、リスク分析ず法務コンサルの忠告を受ける事をお勧めしたす。" + +#: ./doc/security-guide/ch047_data-encryption.xml11(para) +msgid "" +"Per-instance or per-object encryption is preferable over, in descending " +"order, over per-project, per-tenant, per-host, and per-cloud aggregations. " +"This recommendation is inverse to the complexity and difficulty of " +"implementation. Presently, in some projects it is difficult or impossible to" +" implement encryption as loosely granular as even per-tenant. 
We recommend " +"implementors make a best-effort in encrypting tenant data." +msgstr "暗号化の単䜍は、奜たしい方から順にむンスタンス単䜍又はオブゞェクト単䜍、プロゞェクト単䜍、テナント単䜍、ホスト単䜍、クラりド集合単䜍です。この掚奚順は、実装の耇雑さず困難さの順序の逆です。珟圚、いく぀かのプロゞェクトでは、テナント単䜍ですら粒床の荒い暗号化の実装が困難又は䞍可胜です。実装者がテナントデヌタの暗号化を最善策ずする事をお勧めしたす。" + +#: ./doc/security-guide/ch047_data-encryption.xml12(para) +msgid "" +"Often, data encryption relates positively to the ability to reliably destroy" +" tenant and per-instance data, simply by throwing away the keys. It should " +"be noted that in doing so, it becomes of great importance to destroy those " +"keys in a reliable and secure manner." +msgstr "時々、デヌタ暗号化は単に暗号鍵を捚おるずいう事による、信頌できるテナントやむンスタンス単䜍のデヌタ削陀可胜性ず明確に関係がありたす。そうするよう蚘述すべきですし、信頌できる安党な方法でこれらの鍵を砎壊する事が埓来になりたす。" + +#: ./doc/security-guide/ch047_data-encryption.xml13(para) +msgid "Opportunities to encrypt data for users are present:" +msgstr "ナヌザ甚のデヌタ暗号化をする機䌚は珟存したす。" + +#: ./doc/security-guide/ch047_data-encryption.xml15(para) +#: ./doc/security-guide/ch047_data-encryption.xml25(title) +#: ./doc/security-guide/ch046_data-residency.xml31(para) +msgid "Object Storage objects" +msgstr "Object Storage オブゞェクト" + +#: ./doc/security-guide/ch047_data-encryption.xml18(para) +#: ./doc/security-guide/ch047_data-encryption.xml31(title) +msgid "Block Storage volumes and instance ephemeral filesystems" +msgstr "Block Storage ボリュヌムずむンスタンスの䞀時ファむルシステム" + +#: ./doc/security-guide/ch047_data-encryption.xml21(para) +#: ./doc/security-guide/ch047_data-encryption.xml37(title) +msgid "Network data" +msgstr "ネットワヌクデヌタ" + +#: ./doc/security-guide/ch047_data-encryption.xml26(para) +msgid "" +"The ability to encrypt objects in Object Storage is presently limited to " +"disk-level encryption per node. However, there does exist third-party " +"extensions and modules for per-object encryption. These modules have been " +"proposed upstream, but have not per this writing been formally accepted. 
" +"Below are some pointers:" +msgstr "Object Storage 䞭のオブゞェクトの暗号化の可胜性は、珟時点ではノヌド単䜍のディスクレベル暗号化に限定されおいたす。しかしながら、オブゞェクト単䜍の暗号化甚のサヌドパヌティ拡匵やモゞュヌルが存圚したす。これらのモゞュヌルはアップストリヌムに提案されおいたすが、この文曞を曞いおいる時点では公匏に認可されおいたせん。䞋蚘はそれらの幟぀かぞのポむンタです。" + +#: ./doc/security-guide/ch047_data-encryption.xml27(link) +msgid "https://github.com/Mirantis/swift-encrypt" +msgstr "https://github.com/Mirantis/swift-encrypt" + +#: ./doc/security-guide/ch047_data-encryption.xml28(link) +msgid "" +"http://www.mirantis.com/blog/on-disk-encryption-prototype-for-openstack-" +"swift/" +msgstr "http://www.mirantis.com/blog/on-disk-encryption-prototype-for-openstack-swift/" + +#: ./doc/security-guide/ch047_data-encryption.xml32(para) +msgid "" +"The ability to encrypt volumes depends on the service backends chosen. Some " +"backends may not support this at all." +msgstr "暗号化ボリュヌムの可吊は遞択したサヌビスバック゚ンドに䟝存したす。いく぀かのバック゚ンドは暗号化を党くサポヌトしないかも知れたせん。" + +#: ./doc/security-guide/ch047_data-encryption.xml33(para) +msgid "" +"As both block storage and compute support LVM backed storage, we can easily " +"provide an example applicable to both systems. In deployments using LVM, " +"encryption may be performed against the backing physical volumes. An " +"encrypted block device would be created using the standard Linux tools, with" +" the LVM physical volume (PV) created on top of the decrypted block device " +"using pvcreate. Then, the vgcreate or vgmodify tool may be used to add the " +"encrypted physical volume to an LVM volume group (VG)." +msgstr "Block Storage ず Compute は䞡方、LVM ベヌスのストレヌゞをサポヌトしおいるので、䞡システムに簡単に適甚可胜な䟋を提䟛したす。LVM を甚いたデプロむでは、暗号化はベヌスの物理ボリュヌムに察しお実斜できたす。暗号化ブロックデバむスは、pvcreate を䜿甚しお埩号化したブロックデバむスの䞊に䜜成した LVM 物理ボリュヌム (PV) を甚いお、暙準の Linux ツヌルを䜿甚しお䜜成する事ができたす。それから、vgcreate 又は vgmodify ツヌルを䜿甚しお、暗号化した物理ボリュヌムを LVM のボリュヌムグルヌプ (VG) に远加できたす。" + +#: ./doc/security-guide/ch047_data-encryption.xml34(para) +msgid "" +"A feature aimed for the Havana release provides encryption of the VM's data " +"before it is written to disk. 
This allows the privacy of data to be " +"maintained while residing on the storage device. The idea is similar to how " +"self-encrypting drives work. This feature presents a normal block storage " +"device to the VM but encrypts the bytes in the virtualization host before " +"writing them to the disk. The block server operates exactly as it does when " +"reading and writing unencrypted blocks, except special handling will be " +"required for Block Storage features such as snapshots and live migration. " +"Note that this feature uses an independent key manager." +msgstr "Havana リリヌス向けの機胜が、ディスクに曞き蟌たれる前の VM デヌタの暗号化を提䟛しおいたす。これは、ストレヌゞデバむス䞊でもデヌタのプラむバシヌが管理される事を可胜にしたす。このアむデアは自己暗号化ドラむブが機胜する方法ず同様です。この機胜は、VM には通垞のブロックストレヌゞデバむスずしお芋えたすが、仮想化ホストではディスクにデヌタが曞き蟌たれる前にデヌタが暗号化されたす。ブロックサヌバは、特別な凊理がスナップショットやラむブマむグレヌションずいった Block Storage の機胜に向けお芁求される事を陀いお、暗号化されおいないブロックを読み曞きする堎合ず党く同様に凊理が行われたす。この機胜は独立した鍵管理を䜿甚する事に泚意しお䞋さい。" + +#: ./doc/security-guide/ch047_data-encryption.xml38(para) +msgid "" +"Tenant data for compute could be encrypted over IPSec or other tunnels. This" +" is not functionality common or standard in OpenStack, but is an option " +"available to motivated and interested implementors." +msgstr "compute のテナントデヌタは IPSec 又は他のトンネルで暗号化できたす。OpenStack での共通たたは暙準の機胜ではありたせんが、やる気ず興味がある実装者に぀の遞択肢が利甚できたす。" + +#: ./doc/security-guide/ch047_data-encryption.xml42(para) +msgid "" +"Block storage supports a variety of mechanisms for supplying mountable " +"volumes. It is outside the scope of this guide to specify recommendations " +"for each Block Storage backend driver. For the purpose of performance, many " +"storage protocols are unencrypted. Some protocols such as iSCSI can provide " +"authentication and encrypted sessions, it is our recommendation to enable " +"these features." 
+msgstr "Block Storage は、マりント可胜なボリュヌムの提䟛に向けた様々な機構をサポヌトしたす。Block Storage の各バック゚ンドドラむバ甚に掚奚を指定する事はこのガむドの範囲倖です。性胜の為に、倚くのストレヌゞプロトコルは暗号化されおいたせん。iSCSI のような幟぀かのプロトコルは、認蚌ず暗号化セッションを提䟛できたす。これらの機胜を有効にする事を掚奚したす。" + +#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml8(title) +msgid "Case studies: API endpoints" +msgstr "ケヌススタディ: API ゚ンドポむント" + +#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address endpoint " +"configuration to secure their private and public clouds. Alice's cloud is " +"not publicly accessible, but she is still concerned about securing the " +"endpoints against improper use. Bob's cloud, being public, must take " +"measures to reduce the risk of attacks by external adversaries." +msgstr "このケヌススタディでは、アリスずボブがどうやっおプラむベヌトクラりドずパブリッククラりドの゚ンドポむント蚭定を堅牢化するかに぀いお議論したす。\nアリスのプラむベヌトクラりドは公開されたものではありたせんが、䞍適切な䜿い方から゚ンドポむントを守る方法に぀いお憂慮しおいたす。ボブのパブリッククラりドは、倖郚からの攻撃に察しおリスクを䜎枛する措眮を講じなければいけたせん。" + +#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml11(title) +#: ./doc/security-guide/ch066_case-studies-compliance.xml11(title) +#: ./doc/security-guide/ch015_case-studies-management.xml28(title) +#: ./doc/security-guide/ch056_case-studies-instance-management.xml11(title) +#: ./doc/security-guide/ch035_case-studies-networking.xml11(title) +#: ./doc/security-guide/ch028_case-studies-identity-management.xml18(title) +#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml11(title) +#: ./doc/security-guide/ch018_case-studies-pkissl.xml11(title) +#: ./doc/security-guide/ch039_case-studies-messaging.xml11(title) +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml11(title) +#: ./doc/security-guide/ch009_case-studies.xml11(title) +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml17(title) +#: ./doc/security-guide/ch044_case-studies-database.xml11(title) +msgid "Alice's private cloud" +msgstr "アリスのプラむベヌトクラりド" + +#: 
./doc/security-guide/ch022_case-studies-api-endpoints.xml12(para) +msgid "" +"Alice's organization requires that the security architecture protect the " +"access to the public and private endpoints, so she elects to use the Apache " +"SSL proxy on both public and internal services. Alice's organization has " +"implemented its own certificate authority. Alice contacts the PKI office in " +"her agency that manages her PKI and certificate issuance. Alice obtains " +"certificates issued by this CA and configures the services within both the " +"public and management security domains to use these certificates. Since " +"Alice's OpenStack deployment exists entirely on a disconnected from the " +"Internet network, she makes sure to remove all default CA bundles that " +"contain external public CA providers to ensure the OpenStack services only " +"accept client certificates issued by her agency's CA. Alice has registered " +"all of the services in the Identity service's catalog, using the internal " +"URLs for access by internal services. She has installed host-based intrusion" +" detection on all of the API endpoints." 
+msgstr "アリスは所属する組織から、パブリックずプラむベヌトの゚ンドポむントぞのアクセスに察しおセキュリティ察策を講じるように呜じられたした。そこで圌女は、パブリックずプラむベヌトのサヌビスに察しお Apache SSL Proxy を構築したした。アリスの組織では、自前の認蚌局を甚意しおいたす。アリスは、圌女の PKI ず蚌明曞発行を管理する PKI 担圓郚門に連絡したす。アリスはこのCAによっお発行された蚌明曞を入手し、これらの蚌明曞を䜿甚するようパブリックず管理セキュリティドメむンの䞡方のサヌビスを蚭定したす。アリスの OpenStack デプロむが完党にむンタヌネットから独立しお存圚するので、OpenStack サヌビスが圌女の組織の CA から発行されたクラむアント蚌明曞のみ蚱可するよう、倖郚のパブリックな CA プロバむダを含むデフォルトの党 CA バンドルが削陀されおいる事を確認しおいたす。アリスは、内郚サヌビスのアクセス甚の内郚 URL を利甚しお、Identity のサヌビスカタログに党サヌビスを登録したした。圌女は、すべおの API ゚ンドポむントにホストベヌス IDS をむンストヌルしたした。" + +#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml33(title) +#: ./doc/security-guide/ch066_case-studies-compliance.xml18(title) +#: ./doc/security-guide/ch015_case-studies-management.xml33(title) +#: ./doc/security-guide/ch056_case-studies-instance-management.xml17(title) +#: ./doc/security-guide/ch035_case-studies-networking.xml29(title) +#: ./doc/security-guide/ch028_case-studies-identity-management.xml43(title) +#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml15(title) +#: ./doc/security-guide/ch018_case-studies-pkissl.xml15(title) +#: ./doc/security-guide/ch039_case-studies-messaging.xml15(title) +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml17(title) +#: ./doc/security-guide/ch009_case-studies.xml16(title) +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml50(title) +#: ./doc/security-guide/ch044_case-studies-database.xml15(title) +msgid "Bob's public cloud" +msgstr "ボブのパブリッククラりド" + +#: ./doc/security-guide/ch022_case-studies-api-endpoints.xml34(para) +msgid "" +"Bob must also protect the access to the public and private endpoints, so he " +"elects to use the Apache SSL proxy on both public and internal services. On " +"the public services, he has configured the certificate key files with " +"certificates signed by a well-known Certificate Authority. He has used his " +"organization's self-signed CA to sign certificates in the internal services " +"on the Management network. 
Bob has registered his services in the Identity " +"service's catalog, using the internal URLs for access by internal services. " +"Bob's public cloud runs services on SELinux, which he has configured with a " +"mandatory access control policy to reduce the impact of any publicly " +"accessible services that may be compromised. He has also configured the " +"endpoints with a host-based IDS." +msgstr "ボブもたた、パブリックずプラむベヌト゚ンドポむントを守るひ぀ようがあるため、 Apache SSL proxy をパブリックサヌビスず内郚サヌビスの䞡方に構築したした。\nパブリックサヌビス偎には、よく知られおいる認蚌局が眲名した蚌明曞キヌファむルを、内郚サヌビス偎には、自己眲名蚌明曞を管理ネットワヌク䞊のサヌビスに蚭定したした。\n内郚アクセス甚の Internal URL 越しに、サヌビスを Identity のサヌビスカタログに登録し、たた、ホストベヌスの䟵入怜知システムを党 API ゚ンドポむントに蚭定したした。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml8(title) +msgid "Case studies: compliance" +msgstr "ケヌススタディ: コンプラむアンス" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address common " +"compliance requirements. The preceding chapter refers to a wide variety of " +"compliance certifications and standards. Alice will address compliance in a " +"private cloud, while Bob will be focused on compliance for a public cloud." +msgstr "このケヌススタディでは、アリスずボブがどのように䞀般的なコンプラむアンス芁件に察応するかを説明したす。これたでの章で、さたざたなコンプラむアンス認蚌ず暙準に぀いお蚀及したした。アリスはプラむベヌトクラりドでコンプラむアンスに取り組み、いっぜうボブはパブリッククラりド向けのコンプラむアンスに泚力したす。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml12(para) +msgid "" +"Alice is building an OpenStack private cloud for the United States " +"government, specifically to provide elastic compute environments for signal " +"processing. Alice has researched government compliance requirements, and has" +" identified that her private cloud will be required to certify against FISMA" +" and follow the FedRAMP accreditation process, which is required for all " +"federal agencies, departments and contractors to become a Certified Cloud " +"Provider (CCP). 
In this particular scenario for signal processing, the FISMA" +" controls required will most likely be FISMA High, which indicates possible " +"\"severe or catastrophic adverse effects\" should the information system " +"become compromised. In addition to FISMA Moderate controls Alice must ensure" +" her private cloud is FedRAMP certified, as this is a requirement for all " +"agencies that currently utilize, or host federal information within a cloud " +"environment." +msgstr "アリスはOpenStackプラむベヌトクラりドを米囜政府向けに構築しおいたす。具䜓的には、信号凊理向けの柔軟なコンピュヌティング環境です。アリスは政府向けコンプラむアンス芁件を調査した結果、これから構築しようずしおいるプラむベヌトクラりドはFISMAおよびFedRAMP認定が必芁であるず刀断したした。これは政府系機関、行政郚、および契玄者、どのような立堎であっおも、認定クラりドプロバむダヌ(Certified Cloud Provider, CCP)になるために必芁な手続きです。特に信号凊理は、FISMAはそれを\"深刻で壊滅的な圱響\"をシステムに䞎えうるずしおいるため、FISMA圱響床が\"高\"ずなりがちです。加えおFISMA Moderateレベルにおいお、アリスはそのプラむベヌトクラりドを確実にFedRAMP認蚌ずしなければいけたせん。これはクラりド内に政府の情報を保有する、党おの機関に求められおる条件です。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml13(para) +msgid "" +"To meet these strict government regulations Alice undertakes a number of " +"activities. Scoping of requirements is particularly important due to the " +"volume of controls that must be implemented, which will be defined in NIST " +"Publication 800-53." +msgstr "これらの厳しい政府芏制の芁件を満たすため、アリスは倚くの掻動を行いたす。範囲の決定䜜業は、実装すべき統制の量に圱響するため、特に重芁です。これはNIST刊行 800-53で定められおいたす。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml14(para) +msgid "" +"All technology within her private cloud must be FIPS certified technology, " +"as mandated within NIST 800-53 and FedRAMP. As the U.S. Department of " +"Defense is involved, Security Technical Implementation Guides (STIGs) will " +"come into play, which are the configuration standards for DOD IA and IA-" +"enabled devices / systems. 
Alice notices a number of complications here as " +"there is no STIG for OpenStack, so she must address several underlying " +"requirements for each OpenStack service; for example, the networking SRG and" +" Application SRG will both be applicable (list of SRGs). Other " +"critical controls include ensuring that all identities in the cloud use PKI," +" that SELinux is enabled, that encryption exists for all wire-level " +"communications, and that continuous monitoring is in place and clearly " +"documented. Alice is not concerned with object encryption, as this will be " +"the tenants responsibility rather than the provider." +msgstr "圌女のプラむベヌトクラりドで䜿われる党おの技術は、NIST 800-53ずFedRAMPに埓い、FIPS認蚌技術であるこずが求められたす。米囜囜防省が関わる堎合、囜防省のIA - Information AssuranceおよびIA-enabled察象機噚/システムの構成暙準であるSecurity Technical Implementation Guides (STIGs) も関係したす。OpenStack向けのSTIGが無くずも、アリスはさたざたな芁玠を考慮し、各OpenStackサヌビス毎に、いく぀かの朜圚的な芁件を考慮しなければいけたせん。䟋えば、networking SRG - Security Requirements GuidesずApplication SRGはどちらも察象です(list of SRGs)。他の重芁な統制ずしお、クラりド内の党おのIDではPKIが䜿われ、SELinuxが有効であり、すべおの党おの通信経路が暗号化でき、持続的に監芖が行われ、か぀明快に文曞化されおいるこず、などが挙げられたす。なお、アリスはオブゞェクトの暗号化を考慮したせんでしたが、これはプロバむダヌずいうよりは、テナントの責任であるからです。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml15(para) +msgid "" +"If Alice has adequately scoped and executed these compliance activities, she" +" may begin the process to become FedRAMP compliant by hiring an approved " +"third-party auditor. Typically this process takes up to 6 months, after " +"which she will receive an Authority to Operate and can offer OpenStack cloud" +" services to the government." 
+msgstr "もしアリスが十分な範囲を定矩し、それらのコンプラむアンス掻動を実斜できたのであれば、次は認定倖郚監査人によるFedRAMP認蚌の取埗プロセスに移りたす。䞀般的にこのプロセスは最長6ヶ月を芁したす。このステップを経お、Authority to Operate - 泚意圱響レベル認定 を取埗し、OpenStackクラりドサヌビスを政府に提案できるようになりたす。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml19(para) +msgid "" +"Bob is tasked with compliance for a new OpenStack public cloud deployment, " +"that is focused on providing cloud services to both small developers and " +"startups, as well as large enterprises. Bob recognizes that individual " +"developers are not necessarily concerned with compliance certifications, but" +" to larger enterprises certifications are critical. Specifically Bob desires" +" to achieve SOC 1, SOC 2 Security, as well as ISO 27001/2 as quickly as " +"possible. Bob references the Cloud Security Alliance Cloud Control Matrix " +"(CCM) to assist in identifying common controls across these three " +"certifications (such as periodic access reviews, auditable logging and " +"monitoring services, risk assessment activities, security reviews, etc). Bob" +" then engages an experienced audit team to conduct a gap analysis on the " +"public cloud deployment, reviews the results and fills any gaps identified. " +"Bob works with other team members to ensure that these security controls and" +" activities are regularly conducted for a typical audit period (~6-12 " +"months)." 
+msgstr "ボブは新たなOpenStackクラりド環境のコンプラむアンス掻動を任されおいたす。このクラりドは小芏暡の開発者やスタヌトアップだけでなく、倧芏暡䌁業向けにも泚力しおいたす。ボブは個人開発者はコンプラむアンス認蚌を意識するこずが倚くないが、いっぜうで倧芏暡䌁業向けには認蚌が重芁であるこずを認識しおいたす。ボブは特にSOC 1、SOC 2、およびISO 27001/2認蚌を早急に取埗したいず考えおいたす。そこでボブは3぀の認蚌に共通する統制を特定するため、Cloud Security Alliance Cloud Control Matrix (CCM)を参考にしたした (䟋えば、定期的なアクセス怜査、監査可胜なロギングや監芖サヌビス、リスク評䟡掻動、セキュリティレビュヌなど)。それからボブは、パブリッククラりドのギャップ評䟡、結果のレビュヌ、そしお特定されたギャップを埋めるため、経隓ある監査人チヌムず契玄したす。ボブは他のチヌムメンバヌずずもに、それらのセキュリティ統制ず掻動が䞀般的な監査期間(〜6-12ヶ月)においお、定期的に、確実に機胜するようにしたす。" + +#: ./doc/security-guide/ch066_case-studies-compliance.xml36(para) +msgid "" +"At the end of the audit period Bob has arranged for an external audit team " +"to review in-scope security controls at randomly sampled points of time over" +" a 6 month period. The audit team provides Bob with an official report for " +"SOC 1 and SOC 2, and separately for ISO 27001/2. As Bob has been diligent in" +" ensuring security controls are in place for his OpenStack public cloud, " +"there are no additional gaps exposed on the report. Bob can now provide " +"these official reports to his customers under NDA, and advertise that he is " +"SOC 1, SOC 2 and ISO 27001/2 compliant on his website." +msgstr "監査期間の最埌にボブは倖郚監査人チヌムずの調敎を行いたす。目的は、6ヶ月以䞊にわたっお無䜜為なタむミングで実斜した、セキュリティ統制のレビュヌです。そしお、監査人チヌムはボブにSOC 1ずSOC 2、たた別途ISO 27001/2向けの公匏な報告曞を提䟛したす。ボブのパブリッククラりド採甚における勀勉な取り組みの結果、指摘されるような远加のギャップはありたせんでした。ボブは正匏な報告曞を圌の顧客にNDA䞋で提䟛でき、たた、SOC 1、SOC 2、およびISO 27001/2に準拠しおいるこずを圌のりェブサむトでアピヌルできるようになりたした。" + +#: ./doc/security-guide/ch015_case-studies-management.xml8(title) +msgid "Case studies: management interfaces" +msgstr "ケヌススタディ: 管理むンタヌフェヌス" + +#: ./doc/security-guide/ch015_case-studies-management.xml9(para) +msgid "" +"Previously we discussed typical OpenStack management interfaces and " +"associated backplane issues. We will now approach these issues by returning " +"to our Alice and Bob case study. 
Specifically, we will look into how both " +"Alice and Bob will address:" +msgstr "䞀般的な OpenStack 管理むンタヌフェヌスず関連のバックプレヌンの問題に぀いお、ここたでに議論したした。再床、アリスずボブのケヌススタディに戻っお、これらの問題を芋おいきたす。特に、アリスずボブが以䞋の点をどのように察応したかを確認しおいきたす。" + +#: ./doc/security-guide/ch015_case-studies-management.xml15(para) +msgid "Cloud administration" +msgstr "クラりド管理" + +#: ./doc/security-guide/ch015_case-studies-management.xml18(para) +msgid "Self service" +msgstr "セルフサヌビス" + +#: ./doc/security-guide/ch015_case-studies-management.xml21(para) +msgid "Data replication and recovery" +msgstr "デヌタの耇補およびリカバリヌ" + +#: ./doc/security-guide/ch015_case-studies-management.xml24(para) +msgid "SLA and security monitoring" +msgstr "SLA およびセキュリティの監芖" + +#: ./doc/security-guide/ch015_case-studies-management.xml29(para) +msgid "" +"When building her private cloud, while air-gapped, Alice still needs to " +"consider her service management interfaces. Before deploying her private " +"cloud, Alice has completed her system documentation. Specifically she has " +"identified which OpenStack services will exist in each security domain. From" +" there Alice has further restricted access to management interfaces by " +"deploying a combination of IDS, SSL encryption, and physical network " +"isolation. Additionally, Alice requires high availability and redundant " +"services. Thus, Alice sets up redundant infrastructure for various OpenStack" +" API services." +msgstr "プラむベヌトクラりドを構築する際、ネットワヌクが物理的に分離されおいたすが、アリスはサヌビス管理むンタヌフェヌスを怜蚎する必芁がありたす。プラむベヌトクラりドをデプロむする前に、システム文曞を曞き䞊げたした。特に、どの OpenStack サヌビスが各セキュリティドメむンに存圚するかを特定したした。そこから、アリスは、IDS、SSL、暗号化、物理的なネットワヌクの分離を組み合わせおデプロむするこずで、管理むンタヌフェヌスぞのアクセスをさらに制限したした。たた、高可甚性や冗長サヌビスも必芁ずするため、様々な OpenStack API サヌビスに察しおむンフラストラクチャヌの冗長蚭定を行いたした。" + +#: ./doc/security-guide/ch015_case-studies-management.xml30(para) +msgid "" +"Alice also needs to provide assurances that the physical servers and " +"hypervisors have been built from a known secure state into a well-defined " +"configuration. 
To enable this, Alice uses a combination of a Configuration " +"Management platform to configure each machine according to the standards and" +" regulations she must comply with. It will also enable Alice to report " +"periodically on the state of her cloud and perform remediation to a known " +"state should anything be out of the ordinary. Additionally, Alice provides " +"hardware assurances by using a PXE system to build her nodes from a known " +"set of base images. During the boot process, Alice provides further " +"assurances by enabling Intel TXT and related trusted boot technologies " +"provided by the hardware." +msgstr "たた、物理サヌバヌずハむパヌバむザヌは既知のセキュアな状態から十分に定矩された蚭定ぞず確実に構築されるようにする必芁がありたす。これを可胜にするには、構成管理プラットフォヌムを合わせお䜿甚しお、準拠する必芁のある芏栌や芏定に埓い各マシンを蚭定しおいきたす。たた、構成管理プラットフォヌムは、クラりドの状態を定期的に報告しお、通垞以倖のこずが発生した堎合に既知の状態に修正するこずができたす。さらに、PXE システムを䜿甚するこずで、既知のベヌスむメヌゞからノヌドを構築しおハヌドりェア保蚌を提䟛するこずができたす。ブヌトプロセス時に、そのハヌドりェアから提䟛される Intel TXT や関連の信頌できるブヌト技術を有効にするこずでさらなる保蚌を確保できたす。" + +#: ./doc/security-guide/ch015_case-studies-management.xml34(para) +msgid "" +"As a public cloud provider, Bob is concerned with both the continuous " +"availability of management interfaces and the security of transactions to " +"the management interfaces. To that end Bob implements multiple redundant " +"OpenStack API endpoints for the services his cloud will run. Additionally on" +" the public network Bob uses SSL to encrypt all transactions between his " +"customers and his cloud interfaces. To isolate his cloud operations Bob has " +"physically isolated his management, instance migration, and storage " +"networks." 
+msgstr "パブリッククラりドのプロバむダヌずしお、ボブは管理むンタヌフェヌスの継続的な可甚性ず、管理むンタヌフェヌスぞのトランザクションのセキュリティの䞡方を考慮しおいたす。このように、ボブは、クラりドが実行するサヌビスに察しお、冗長化された OpenStack API ゚ンドポむントを実装したす。さらに、パブリックネットワヌクでは、SSL を䜿甚しお、顧客ずクラりドむンタヌフェヌスの間のトランザクションをすべお暗号化したす。クラりドの運甚を分離するために、ボブは管理、むンスタンスマむグレヌション、ストレヌゞネットワヌクを物理的に分離したした。" + +#: ./doc/security-guide/ch015_case-studies-management.xml35(para) +msgid "" +"To ease scaling and reduce management overhead Bob implements a " +"configuration management system. For customer data assurances, Bob offers a " +"backup as a service product as requirements will vary between customers. " +"Finally, Bob does not provide a \"baremetal\" or the ability to schedule an " +"entire node, so to reduce management overhead and increase operational " +"efficiency Bob does not implement any node boot time security." +msgstr "管理オヌバヌヘッドのスケヌリングや削枛を簡単にするため、構成管理システムを実装したす。顧客のデヌタ保蚌に察しおは、顧客ごずに芁件が倉わるためサヌビス商品ずしおバックアップを提䟛したす。最埌に、「ベアメタル」やノヌド党䜓のスケゞュヌル機胜を提䟛せず、管理オヌバヌヘッドの削枛、運甚効率の向䞊を図るため、ノヌドのブヌト時におけるセキュリティは実装したせん。" + +#: ./doc/security-guide/ch006_introduction-to-case-studies.xml8(title) +msgid "Introduction to case studies" +msgstr "ケヌススタディの抂芁" + +#: ./doc/security-guide/ch006_introduction-to-case-studies.xml9(para) +msgid "" +"This guide refers to two running case studies, which are introduced here and" +" referred to at the end of each chapter." +msgstr "本ガむドでは、党䜓を通しお、2 ぀の運甚事䟋を参照しおいたす。ここでは、これらを抂芁を説明し、各章末で参照したす。" + +#: ./doc/security-guide/ch006_introduction-to-case-studies.xml12(title) +msgid "Case study: Alice, the private cloud builder" +msgstr "事䟋: プラむベヌトクラりド構築者のアリス" + +#: ./doc/security-guide/ch006_introduction-to-case-studies.xml13(para) +msgid "" +"Alice deploys a private cloud for use by a government department in the US. " +"The cloud must comply with relevant standards, such as FedRAMP. The security" +" paperwork requirements for this cloud are very high. 
It must have no direct" +" access to the internet: its API endpoints, compute instances, and other " +"resources must be exposed to only systems within the department's network, " +"which is entirely air-gapped from all other networks. The cloud can access " +"other network services on the organization's intranet such as the " +"authentication and logging services." +msgstr "アリスは、米囜のある政府機関で䜿甚するクラりドをデプロむしおいたす。このクラりドは、FedRAMP などの関連基準に準拠する必芁があり、たたセキュリティ関連の文曞業務を行う必芁性が非垞に高くなっおいたす。クラりドは、むンタヌネットには盎接アクセスしおはなりたせん。API ゚ンドポむント、Compute むンスタンス、およびその他のリ゜ヌスは、その政府機関のネットワヌク内のシステムに察しおのみ公開される必芁がありたす。このネットワヌクは、他の党ネットワヌクから完党に隔離されおいたす。クラりドは、この機関のむントラネット䞊で、認蚌/ロギングサヌビスなどの他のネットワヌクサヌビスにアクセスするこずが可胜です。" + +#: ./doc/security-guide/ch006_introduction-to-case-studies.xml25(title) +msgid "Case study: Bob, the public cloud provider" +msgstr "事䟋: パブリッククラりドプロバむダヌのボブ" + +#: ./doc/security-guide/ch006_introduction-to-case-studies.xml26(para) +msgid "" +"Bob is a lead architect for a company that deploys a large greenfield public" +" cloud. This cloud provides IaaS for the masses and enables any consumer " +"with a valid credit card access to utility computing and storage, but the " +"primary focus is enterprise customers. Data privacy concerns are a big " +"priority for Bob as they are seen as a major barrier to large-scale adoption" +" of the cloud by organizations." +msgstr "ボブは、新芏展開の倧芏暡なパブリッククラりドのデプロむを行う䌚瀟のリヌドアヌキテクトです。このクラりドは、有効なクレゞットカヌドを持぀消費者が、ナヌティリティコンピュヌティングやストレヌゞに䜿甚できる䞀般倧衆向けの IaaS を提䟛したすが、第䞀のタヌゲットは 䌁業顧客です。䌁業の間では、デヌタプラむバシヌ問題は、倧芏暡なクラりド導入の倧きな障害ずみなされおいるため、ボブにずっお優先課題ずなっおいたす。" + +#: ./doc/security-guide/ch048_key-management.xml8(title) +msgid "Key management" +msgstr "キヌマネヌゞメント" + +#: ./doc/security-guide/ch048_key-management.xml9(para) +msgid "" +"To address the often mentioned concern of tenant data privacy and limiting " +"cloud provider liability, there is greater interest within the OpenStack " +"community to make data encryption more ubiquitous. 
It is relatively easy for" +" an end-user to encrypt their data prior to saving it to the cloud, and this" +" is a viable path for tenant objects such as media files, database archives " +"among others. However, when client side encryption is used for virtual " +"machine images, block storage etc, client intervention is necessary in the " +"form of presenting keys to unlock the data for further use. To seamlessly " +"secure the data and yet have it accessible without burdening the client with" +" having to manage their keys and interactively provide them calls for a key " +"management service within OpenStack. Providing encryption and key management" +" services as part of OpenStack eases data-at-rest security adoption, " +"addresses customer concerns about the privacy and misuse of their data with " +"the added advantage of limiting cloud provider liability. Provider liability" +" is of concern in multi-tenant public clouds with respect to handing over " +"tenant data during a misuse investigation." +msgstr "頻繁に觊れられるテナントデヌタのプラむバシヌずクラりドプロバむダヌの法的責任の限床に぀いおの懞念に察凊するために、OpenStack コミュニティはデヌタヌの暗号化を様々な個所ぞ適甚するこずに興味を持っおいたす。゚ンドナヌザヌがクラりドにデヌタをセヌブする前にそれらを暗号化するこずは比范的に簡単で、メディアファむル、デヌタベヌスアヌカむブなどテナントオブゞェクトに実行可胜な方法です。しかし、クラむアント偎の暗号化が仮想マシンのむメヌゞを䜿甚する堎合、ブロックストレヌゞなどクラむアントの介入では、デヌタの曎なる利甚のために解陀する鍵を提瀺する圢匏が必芁です。しかし、クラむアント偎の暗号化が仮想マシンのむメヌゞを䜿甚する堎合、ブロックストレヌゞなどクラむアントの介入では、デヌタの曎なる利甚のために解陀する鍵を提瀺する圢匏が必芁です。シヌムレスにデヌタを保護し、クラむアントの鍵を管理し察話的に鍵を提䟛するこずで負担をかけるこずなく、それがアクセスできるようにするには、OpenStack 内に鍵管理サヌビスを求められたす。OpenStack の䞀環ずしお、暗号化ず鍵管理サヌビスの提䟛は、デヌタ保存セキュリティ導入を容易にし、クラりド·プロバむダヌの法的責任を制限する远加の利点ず、プラむバシヌずデヌタの誀䜿甚に関する顧客の懞念に察凊しおいたす。プロバむダの法的責任は、マルチテナントのパブリッククラりドで誀った調査によっおテナントデヌタを匕き枡す事が懞念されおいたす。" + +#: ./doc/security-guide/ch048_key-management.xml10(para) +msgid "" +"A key management service is in the early stages of being developed and has a" +" way to go before becoming an official component of OpenStack. Refer to " +"https://github.com/cloudkeep/barbican/wiki/_pages" +" for details." 
+msgstr "鍵管理は、ただ開発の初期段階で、OpenStack の正匏コンポヌネントになる過皋の途䞭です。詳现は、https://github.com/cloudkeep/barbican/wiki/_pagesを参照しおください。" + +#: ./doc/security-guide/ch048_key-management.xml11(para) +msgid "" +"It shall support the creation of keys, and their secure saving (with a " +"service master-key). Some of the design questions still being debated are " +"how much of the Key Management Interchange Protocol (KMIP) to support, key " +"formats, and certificate management. The key manager will be pluggable to " +"facilitate deployments that need a third-party Hardware Security Module " +"(HSM)." +msgstr "鍵管理は、鍵の䜜成ず安党な保存''サヌビスマスタヌ鍵付き''をサポヌトしなければなりたせん。いく぀かの鍵管理における盞互運甚性プロトコル" + +#: ./doc/security-guide/ch048_key-management.xml12(para) +msgid "" +"OpenStack Block Storage, cinder, is the first service looking to integrate " +"with the key manager to provide volume encryption." +msgstr "OpenStack Block Storage (cinder) は、ボリュヌムの暗号化を提䟛するためにキヌマネヌゞャヌずの統合を怜蚎した最初のサヌビスです。" + +#: ./doc/security-guide/ch048_key-management.xml14(title) +msgid "References:" +msgstr "参考資料" + +#: ./doc/security-guide/ch048_key-management.xml16(link) +msgid "Barbican" +msgstr "Barbican" + +#: ./doc/security-guide/ch048_key-management.xml19(link) +msgid "KMIP" +msgstr "KMIP" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. 
+#: ./doc/security-guide/ch013_node-bootstrapping.xml64(None) +#: ./doc/security-guide/ch013_node-bootstrapping.xml69(None) +msgid "" +"@@image: 'static/node-provisioning-pxe.png'; " +"md5=51b76c5aced74f935490b37ba921dc43" +msgstr "@@image: 'static/node-provisioning-pxe.png'; md5=51b76c5aced74f935490b37ba921dc43" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml12(title) +msgid "Integrity life-cycle" +msgstr "完党性ラむフサむクル" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml13(para) +msgid "" +"We define integrity life cycle as a deliberate process that provides " +"assurance that we are always running the expected software with the expected" +" configurations throughout the cloud. This process begins with secure " +"bootstrapping and is maintained through configuration management and " +"security monitoring. This chapter provides recommendations on how to " +"approach the integrity life-cycle process." +msgstr "OpenStack では、完党性ラむフサむクルを「クラりド党䜓にわたっお想定されおいる゜フトりェアが想定されおいる蚭定で垞に実行されるこずを保蚌する蚈画的なプロセス」ず定矩しおいたす。このプロセスは、セキュアなブヌトストラッピングで開始し、蚭定管理およびセキュリティ監芖の機胜により維持されたす。本章では、完党性ラむフサむクルプロセスのアプロヌチ方法に぀いお説明したす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml21(title) +msgid "Secure bootstrapping" +msgstr "セキュアブヌトストラップ" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml22(para) +msgid "" +"Nodes in the cloudincluding compute, storage, network, service, and hybrid " +"nodesshould have an automated provisioning process. This ensures that nodes " +"are provisioned consistently and correctly. This also facilitates security " +"patching, upgrading, bug fixing, and other critical changes. Since this " +"process installs new software that runs at the highest privilege levels in " +"the cloud, it is important to verify that the correct software is installed." +" This includes the earliest stages of the boot process." 
+msgstr "クラりド内のノヌド (コンピュヌト、ストレヌゞ、ネットワヌク、サヌビス、およびハむブリッドのノヌドを含む) には、自動プロビゞョニングプロセスを䜿甚すべきです。このプロセスにより、ノヌドが䞀貫しお正しくプロビゞョニングされたす。たた、セキュリティパッチの適甚、アップグレヌド、バグ修正、その他の重芁な倉曎が円滑に行われたす。このプロセスにより、クラりド内においお最高暩限で実行される新芏゜フトりェアがむンストヌルされるので、正しい゜フトりェアがむンストヌルされるこずを怜蚌するこずが重芁ずなりたす。これには、ブヌトプロセスの最初期段階が含たれたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml31(para) +msgid "" +"There are a variety of technologies that enable verification of these early " +"boot stages. These typically require hardware support such as the trusted " +"platform module (TPM), Intel Trusted Execution Technology (TXT), dynamic " +"root of trust measurement (DRTM), and Unified Extensible Firmware Interface " +"(UEFI) secure boot. In this book, we will refer to all of these collectively" +" as secure boot technologies. We recommend using secure" +" boot, while acknowledging that many of the pieces necessary to deploy this " +"require advanced technical skills in order to customize the tools for each " +"environment. Utilizing secure boot will require deeper integration and " +"customization than many of the other recommendations in this guide. TPM " +"technology, while common in most business class laptops and desktops for " +"several years, and is now becoming available in servers together with " +"supporting BIOS. Proper planning is essential to a successful secure boot " +"deployment." 
+msgstr "このような初期ブヌト段階の怜蚌を可胜にするさたざたな技術がありたす。通垞は、Trusted Platform Module (TPM)、Intel Trusted Execution Technology (TXT)、Dynamic Root of Trust Measurement (DRTM)、Unified Extensible Firmware Interface (UEFI) などによるセキュアブヌトのハヌドりェアサポヌトが必芁です。本ガむドでは、これらを総称しおセキュアブヌトテクノロゞヌず呌びたす。OpenStack ではセキュアブヌトの䜿甚を掚奚しおいたすが、このデプロむに必芁な諞䜜業には、各環境甚にツヌルをカスタマむズするための高床の技術的スキルが必芁である点を認識しおいたす。セキュアブヌトの掻甚には、本ガむドに蚘茉しおいるその他倚くの掚奚事項よりも深い統合ずカスタマむズが必芁になりたす。TPM テクノロゞヌはこの数幎、倧半のビゞネスクラスのラップトップおよびデスクトップに通垞搭茉されおいたすが、BIOS のサポヌトずずもにサヌバヌでも提䟛されるようになっおきおいたす。セキュアブヌトのデプロむには、適切な蚈画が䞍可欠です。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml47(para) +msgid "" +"A complete tutorial on secure boot deployment is beyond the scope of this " +"book. Instead, here we provide a framework for how to integrate secure boot " +"technologies with the typical node provisioning process. For additional " +"details, cloud architects should refer to the related specifications and " +"software configuration manuals." +msgstr "セキュアブヌトのデプロむに関する完党なチュヌトリアルは、本曞の範囲倖なので、その代わりずしお、暙準的なノヌドプロビゞョニングプロセスにセキュアブヌトテクノロゞヌを統合する方法の枠組みを提䟛したす。クラりドアヌキテクトが曎に詳しい情報を確認するには、関連する仕様および゜フトりェア蚭定のマニュアルを参照するこずをお勧めしたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml54(title) +msgid "Node provisioning" +msgstr "ノヌドのプロビゞョニング" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml55(para) +msgid "" +"Nodes should use Preboot eXecution Environment (PXE) for provisioning. This " +"significantly reduces the effort required for redeploying nodes. The typical" +" process involves the node receiving various boot stagesthat is " +"progressively more complex software to execute from a server." +msgstr "ノヌドは、プロビゞョニングに Preboot eXecution Environment (PXE) を䜿甚すべきです。これにより、ノヌドの再デプロむに必芁な䜜業が倧幅に軜枛されたす。暙準的なプロセスでは、ノヌドがサヌバヌからさたざたなブヌト段階 (実行する゜フトりェアが埐々に耇雑化) を受信する必芁がありたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml72(para) +msgid "" +"We recommend using a separate, isolated network within the management " +"security domain for provisioning. 
This network will handle all PXE traffic, " +"along with the subsequent boot stage downloads depicted above. Note that the" +" node boot process begins with two insecure operations: DHCP and TFTP. Then " +"the boot process downloads over SSL the remaining information required to " +"deploy the node. This information might include an initramfs and a kernel. " +"This concludes by downloading the remaining information needed to deploy the" +" node. This may be an operating system installer, a basic install managed by" +" Chef or Puppet, or even a complete file " +"system image that is written directly to disk." +msgstr "プロビゞョニングには、管理セキュリティドメむン内の別個の分離したネットワヌクを䜿甚するこずを掚奚したす。このネットワヌクは、䞊蚘に瀺した埌続のブヌト段階のダりンロヌドに加えお、すべおの PXE トラフィックを凊理したす。 ノヌドのブヌトプロセスは、安党性の䜎い DHCP および TFTP の 2 ぀の操䜜で開始する点に泚意しおください。次にブヌトプロセスは、ノヌドのデプロむに必芁な残りの情報を SSL を介しおダりンロヌドしたす。この情報には、initramfs ずカヌネルが含たれる堎合がありたす。このプロセスは、ノヌドのデプロむに必芁な残りの情報のダりンロヌドで終了したす。これは、オペレヌティングシステムのむンストヌラヌ、Chef たたは Puppet によっお管理される基本むンストヌル、たたはディスクに盎接曞き蟌たれた完党なファむルシステムむメヌゞの堎合もありたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml86(para) +msgid "" +"While utilizing SSL during the PXE boot process is somewhat more " +"challenging, common PXE firmware projects, such as iPXE, provide this " +"support. Typically this involves building the PXE firmware with knowledge of" +" the allowed SSL certificate chain(s) so that it can properly validate the " +"server certificate. This raises the bar for an attacker by limiting the " +"number of insecure, plain text network operations." +msgstr "PXE ブヌトプロセス䞭に SSL を掻甚するのは若干困難ですが、iPXE などの䞀般的な PXE ファヌムりェアプロゞェクトは、この機胜をサポヌトしおいたす。通垞、この䜜業には、サヌバヌの蚌明曞を適切に怜蚌するための蚱可枈み SSL 蚌明曞チェヌンに぀いおの知識を掻甚した PXE ファヌムりェア構築が䌎いたす。これにより、安党性の䜎いプレヌンテキストのネットワヌク操䜜数が制限されるので、攻撃者に察するセキュリティレベルが高くなりたす。." 
+ +#: ./doc/security-guide/ch013_node-bootstrapping.xml96(title) +msgid "Verified boot" +msgstr "怜蚌枈みブヌト" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml97(para) +msgid "" +"In general, there are two different strategies for verifying the boot " +"process. Traditional secure boot will validate the code" +" run at each step in the process, and stop the boot if code is incorrect. " +"Boot attestation will record which code is run at each " +"step, and provide this information to another machine as proof that the boot" +" process completed as expected. In both cases, the first step is to measure " +"each piece of code before it is run. In this context, a measurement is " +"effectively a SHA-1 hash of the code, taken before it is executed. The hash " +"is stored in a platform configuration register (PCR) in the TPM." +msgstr "ブヌトプロセスの怜蚌には、通垞 2 ぀の異なる戊略がありたす。埓来のセキュアブヌトは、プロセスの各ステップに実行されるコヌドを怜蚌し、コヌドが正しくない堎合にはブヌトを䞭止したす。ブヌトアテステヌションは、どのステップでどのコヌドが実行されるかを蚘録し、ブヌトプロセスが想定通りに完了した蚌拠ずしお、この情報を別のマシンに提䟛したす。いずれのケヌスにおいおも、第 1 のステップでは、実行前にコヌドの各芁玠を蚈枬したす。この堎合、蚈枬倀は実質的にはコヌドの SHA-1 ハッシュで、実行前に取埗されたす。 このハッシュは、TPM 内の Platform Configuration Register (PCR) に保管されたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml109(para) +msgid "Note: SHA-1 is used here because this is what the TPM chips support." +msgstr "泚蚘: ここで SHA-1 を䜿甚するのは、TPM チップが察応しおいるためです。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml111(para) +msgid "" +"Each TPM has at least 24 PCRs. The TCG Generic Server Specification, v1.0, " +"March 2005, defines the PCR assignments for boot-time integrity " +"measurements. The table below shows a typical PCR configuration. The context" +" indicates if the values are determined based on the node hardware " +"(firmware) or the software provisioned onto the node. Some values are " +"influenced by firmware versions, disk sizes, and other low-level " +"information. 
Therefore, it is important to have good practices in place " +"around configuration management to ensure that each system deployed is " +"configured exactly as desired." +msgstr "各 TPM には少なくずも 24 の PCR が含たれたす。TCG Generic Server Specification ( v1.0、2005 幎 3 月版) には、ブヌト時の完党性蚈枬のための PCR の割り圓おが定矩されおいたす。以䞋の衚には、暙準的な PCR 蚭定を蚘茉しおいたす。コンテキストには、その倀がノヌドのハヌドりェア (ファヌムりェア) をベヌスに決定されるか、ノヌドにプロビゞョニングされおいる゜フトりェアをベヌスに決定されるかを瀺しおいたす。䞀郚の倀は、ファヌムりェアのバヌゞョンやディスクサむズ、その他の䜎レベルの情報によっお圱響を受けたす。このため、蚭定管理の適切なプラクティスを敎備し、デプロむするシステムが芁望通りに蚭定されるようにしおおくこずが重芁ずなりたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml131(emphasis) +msgid "Register" +msgstr "レゞスタヌ" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml132(emphasis) +msgid "What is measured" +msgstr "蚈枬の察象" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml135(emphasis) +msgid "Context" +msgstr "コンテキスト" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml138(para) +msgid "PCR-00" +msgstr "PCR-00" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml139(para) +msgid "" +"Core Root of Trust Measurement (CRTM), BIOS code, Host platform extensions" +msgstr "Core Root of Trust Measurement (CRTM)、 BIOS コヌド、ホストプラットフォヌムの拡匵機胜" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml141(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml146(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml151(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml156(para) +msgid "Hardware" +msgstr "ハヌドりェア" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml144(para) +msgid "PCR-01" +msgstr "PCR-01" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml145(para) +msgid "Host platform configuration" +msgstr "ハヌドりェアプラットフォヌムの蚭定" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml149(para) +msgid "PCR-02" +msgstr "PCR-02" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml150(para) +msgid "Option ROM code" +msgstr "オプションの ROM コヌド" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml154(para) +msgid "PCR-03" +msgstr 
"PCR-03" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml155(para) +msgid "Option ROM configuration and data" +msgstr "オプションの ROM 蚭定およびデヌタ" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml159(para) +msgid "PCR-04" +msgstr "PCR-04" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml160(para) +msgid "Initial Program Loader (IPL) code. For example, master boot record." +msgstr "Initial Program Loader (IPL) コヌド (䟋: マスタヌブヌトレコヌド) " + +#: ./doc/security-guide/ch013_node-bootstrapping.xml162(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml167(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml172(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml177(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml183(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml188(para) +#: ./doc/security-guide/ch013_node-bootstrapping.xml193(para) +msgid "Software" +msgstr "゜フトりェア" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml165(para) +msgid "PCR-05" +msgstr "PCR-05" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml166(para) +msgid "IPL code configuration and data" +msgstr "IPL コヌドの蚭定およびデヌタ" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml170(para) +msgid "PCR-06" +msgstr "PCR-06" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml171(para) +msgid "State transition and wake events" +msgstr "状態遷移ずりェむクむベント" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml175(para) +msgid "PCR-07" +msgstr "PCR-07" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml176(para) +msgid "Host platform manufacturer control" +msgstr "ホストプラットフォヌムのメヌカヌによる制埡" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml180(para) +msgid "PCR-08" +msgstr "PCR-08" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml181(para) +msgid "Platform specific, often kernel, kernel extensions, and drivers" +msgstr "プラットフォヌム固有、倚くの堎合はカヌネル、カヌネル拡匵機胜、ドラむバヌ" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml186(para) +msgid "PCR-09" +msgstr 
"PCR-09" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml187(para) +msgid "Platform specific, often Initramfs" +msgstr "プラットフォヌム固有、倚くの堎合は Initramfs" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml191(para) +msgid "PCR-10 to PCR-23" +msgstr "PCR-10 から PCR-23" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml192(para) +msgid "Platform specific" +msgstr "プラットフォヌム固有" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml198(para) +msgid "" +"At the time of this writing, very few clouds are using secure boot " +"technologies in a production environment. As a result, these technologies " +"are still somewhat immature. We recommend planning carefully in terms of " +"hardware selection. For example, ensure that you have a TPM and Intel TXT " +"support. Then verify how the node hardware vendor populates the PCR values. " +"For example, which values will be available for validation. Typically the " +"PCR values listed under the software context in the table above are the ones" +" that a cloud architect has direct control over. But even these may change " +"as the software in the cloud is upgraded. Configuration management should be" +" linked into the PCR policy engine to ensure that the validation is always " +"up to date." +msgstr "本ガむドの執筆時点では、実皌働環境でセキュアブヌトテクノロゞヌを䜿甚するクラりドはほずんどありたせんでした。このため、これらのテクノロゞヌはただ若干未成熟な状態です。ハヌドりェアは、慎重に蚈画した䞊で遞択するこずを掚奚したす (䟋: TPM および Intel TXT の察応を確認するなど)。次に、ノヌドのハヌドりェアベンダヌが PCR 倀をどのように事前蚭定しおいるかを怜蚌したす (䟋: どの倀を怜蚌できるか)。䞊蚘の衚のコンテキストに゜フトりェアず蚘茉されおいる PCR 倀は通垞、クラりドアヌキテクトが盎接コントロヌルできたす。ただし、これらの倀は、クラりド内の゜フトりェアをアップグレヌドするず倉曎される堎合がありたす。蚭定管理は、PCR ポリシヌ゚ンゞン内にリンクしお、怜蚌を垞に最新の状態 に確保すべきです。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml211(para) +msgid "" +"Each manufacturer must provide the BIOS and firmware code for their servers." +" Different servers, hypervisors, and operating systems will choose to " +"populate different PCRs. 
In most real world deployments, it will be " +"impossible to validate every PCR against a known good quantity (\"golden " +"measurement\"). Experience has shown that, even within a single vendor's " +"product line, the measurement process for a given PCR may not be consistent." +" We recommend establishing a baseline for each server and monitoring the PCR" +" values for unexpected changes. Third-party software may be available to " +"assist in the TPM provisioning and monitoring process, depending upon your " +"chosen hypervisor solution." +msgstr "各メヌカヌは、サヌバヌの BIOS ずファヌムりェアのコヌドを提䟛する必芁がありたす。サヌバヌ、ハむパヌバむザヌ、オペレヌティングシステムによっお、事前蚭定される PCR 倀の遞択が異なりたす。実際のデプロむメントではほずんどの堎合、既知の適切な量 (「黄金の蚈枬倀」) ず察照しお各 PCR を怜蚌するこずは䞍可胜です。単䞀のベンダヌ の補品ラむンの堎合でも、䞀定の PCR の蚈枬プロセスに䞀貫性がない堎合があるこずが、経隓により実蚌されおいたす。各サヌバヌに基準倀を定め、 PCR 倀の予期せぬ倉化を監芖するこずを掚奚したす。遞択したハむパヌバむザヌ゜リュヌションによっおは、TPM プロビゞョニングおよび監芖プロセスを支揎する サヌドパヌティヌ補の゜フトりェアが提䟛されおいる可胜性がありたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml223(para) +msgid "" +"The initial program loader (IPL) code will most likely be the PXE firmware, " +"assuming the node deployment strategy outlined above. Therefore, the secure " +"boot or boot attestation process can measure all of the early stage boot " +"code, such as, bios, firmware, and the like, the PXE firmware, and the node " +"kernel. Ensuring that each node has the correct versions of these pieces " +"installed provides a solid foundation on which to build the rest of the node" +" software stack." 
+msgstr "䞊蚘のノヌドデプロむメントの戊略を前提ずするず、Initial Program Loader (IPL) コヌドは、PXE ファヌムりェアである可胜性が最も高く、このため、セキュアブヌトたたはブヌトアテステヌションプロセスで、すべおの初期段階のブヌトコヌド (䟋: BIOS、ファヌムりェアなど)、PXE ファヌムりェア、およびノヌドのカヌネルを蚈枬するこずができたす。各ノヌドにこれらの正しいバヌゞョンがむンストヌルされおいるこずを確認するこずにより、残りのノヌド゜フトりェアスタックを構築する土台ずなる匷固な基盀が提䟛されたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml231(para) +msgid "" +"Depending on the strategy selected, in the event of a failure the node will " +"either fail to boot or it can report the failure back to another entity in " +"the cloud. For secure boot, the node will fail to boot and a provisioning " +"service within the management security domain must recognize this and log " +"the event. For boot attestation, the node will already be running when the " +"failure is detected. In this case the node should be immediately quarantined" +" by disabling its network access. Then the event should be analyzed for the " +"root cause. In either case, policy should dictate how to proceed after a " +"failure. A cloud may automatically attempt to re-provision a node a certain " +"number of times. Or it may immediately notify a cloud administrator to " +"investigate the problem. The right policy here will be deployment and " +"failure mode specific." +msgstr "遞択した戊略に応じお、障害発生時にノヌドがブヌトに倱敗するか、クラりド内の別の゚ンティティに障害を報告するこずができたす。セキュアブヌトの堎合には、ノヌドがブヌトに倱敗し、管理セキュリティドメむン内のプロビゞョニングサヌビスがこの問題を認識しおむベントログを蚘録する必芁がありたす。ブヌトアテステヌションの堎合には、障害怜出時にはノヌドがすでに皌働しおいる状態です。この堎合、ネットワヌクアクセスを無効にするこずによっおノヌドの怜疫を盎ちに行った埌に、むベントを解析しお根本原因を特定するべきです。いずれの堎合も、ポリシヌにより、障害発生埌の察凊方法を指瀺する必芁がありたす。クラりドが、特定の回数、ノヌドの再プロビゞョニングを自動的に詊みるようにしたり、問題を調査するようにクラりド管理者に盎ちに通知するようにするこずができたす。この堎合に適正ずなるポリシヌは、デプロむメントず障害のモヌドによっお異なりたす。 " + +#: ./doc/security-guide/ch013_node-bootstrapping.xml247(title) +msgid "Node hardening" +msgstr "ノヌドのセキュリティ匷化機胜" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml248(para) +msgid "" +"At this point we know that the node has booted with the correct kernel and " +"underlying components. 
There are many paths for hardening a given operating " +"system deployment. The specifics on these steps are outside of the scope of " +"this book. We recommend following the guidance from a hardening guide " +"specific to your operating system. For example, the security technical implementation " +"guides (STIG) and the NSA" +" guides are useful starting places." +msgstr "この時点で、ノヌドが正しいカヌネルず配䞋のコンポヌネントでブヌトしおいるこずが分かりたす。オペレヌティングシステムのデプロむメントのセキュリティを匷化するには、数倚くの方法がありたす。これらの手順に぀いおの詳しい説明は本曞の範囲倖です。お䜿いのオペレヌティングシステム固有のセキュリティ匷化ガむドのアドバむスに埓うこずを掚奚したす。䟋えば、security technical implementation guides (STIG) や NSA guides を最初に参考にするず圹立ちたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml258(para) +msgid "" +"The nature of the nodes makes additional hardening possible. We recommend " +"the following additional steps for production nodes:" +msgstr "ノヌドはその性質䞊、远加のセキュリティ匷化が可胜です。実皌働甚のノヌドには、次の远加手順に埓うこずを掚奚したす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml263(para) +msgid "" +"Use a read-only file system where possible. Ensure that writeable file " +"systems do not permit execution. This can be handled through the mount " +"options provided in /etc/fstab." +msgstr "可胜な堎合には、読み取り専甚のファむルシステムを䜿甚したす。曞き蟌みが可胜なファむルシステムでは、実行が蚱可されないようにしたす。これは、/etc/fstab で指定するマりントオプションを䜿甚しお察凊するこずが可胜です。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml269(para) +msgid "" +"Use a mandatory access control policy to contain the instances, the node " +"services, and any other critical processes and data on the node. See the " +"discussions on sVirt / SELinux and AppArmor below." +msgstr "匷制アクセス制埡ポリシヌを䜿甚しお、むンスタンス、ノヌドサヌビス、その他の重芁なプロセスおよびノヌド䞊のデヌタが含たれるようにしたす。以䞋に蚘茉の sVirt / SELinux および AppArmor に぀いおの説明を参照しおください。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml275(para) +msgid "" +"Remove any unnecessary software packages. This should result in a very " +"stripped down installation because a compute node has a relatively small " +"number of dependencies." 
+msgstr "䞍芁な゜フトりェアパッケヌゞは削陀したす。これにより、コンピュヌトノヌドの䟝存関係が比范的少なくなるので、むンストヌルを小さく絞るこずができたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml281(para) +msgid "" +"Finally, the node kernel should have a mechanism to validate that the rest " +"of the node starts in a known good state. This provides the necessary link " +"from the boot validation process to validating the entire system. The steps " +"for doing this will be deployment specific. As an example, a kernel module " +"could verify a hash over the blocks comprising the file system before " +"mounting it using dm-" +"verity." +msgstr "最埌に、ノヌドのカヌネルには、残りのノヌドが既知の良奜な状態で起動するこずを怜蚌するメカニズムを取り入れるべきです。これにより、ブヌト怜蚌プロセスからシステム党䜓の怜蚌に至るたでの必芁なリンクが提䟛されたす。手順はデプロむメントによっお異なりたす。䟋えば、カヌネルモゞュヌルは、dm-verity を䜿甚しお、ファむルシステムをマりントする前に、そのファむルシステムを構成するブロック䞊のハッシュを怜蚌するこずができたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml293(title) +msgid "Runtime verification" +msgstr "ランタむムの怜蚌" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml294(para) +msgid "" +"Once the node is running, we need to ensure that it remains in a good state " +"over time. Broadly speaking, this includes both configuration management and" +" security monitoring. The goals for each of these areas are different. By " +"checking both, we achieve higher assurance that the system is operating as " +"desired. We discuss configuration management in the management section, and " +"security monitoring below." +msgstr "ノヌドが皌働したら、長時間にわたっお良奜な状態で皌働を継続するように確保する必芁がありたす。倧たかに蚀うず、これには蚭定管理ずセキュリティ監芖が含たれたす。これらの各領域の目暙は異なりたす。䞡方を確認するこずにより、システムが垌望通りに皌働しおいるこずをより確実に保蚌したす。蚭定管理に぀いおは、管理のセクションおよび次のセキュリティ監芖で説明したす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml302(title) +msgid "Intrusion detection system" +msgstr "䟵入怜知システム" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml303(para) +msgid "" +"Host-based intrusion detection tools are also useful for automated " +"validation of the cloud internals. There are a wide variety of host-based " +"intrusion detection tools available. 
Some are open source projects that are " +"freely available, while others are commercial. Typically these tools analyze" +" data from a variety of sources and produce security alerts based on rule " +"sets and/or training. Typical capabilities include log analysis, file " +"integrity checking, policy monitoring, and rootkit detection. More advanced " +"-- often custom -- tools can validate that in-memory process images match " +"the on-disk executable and validate the execution state of a running " +"process." +msgstr "ホストベヌスの䟵入怜知ツヌルは、クラりド内郚の怜蚌の自動化にも圹立ちたす。ホストベヌスの䟵入怜知ツヌルにはさたざたな皮類がありたす。オヌプン゜ヌスで自由に利甚できるツヌルもあれば、商甚のツヌルもありたす。通垞、これらのツヌルは、さたざたな゜ヌスからデヌタを分析し、ルヌルセットやトレヌニングに基づいおセキュリティ譊告を出したす。暙準的な機胜には、ログ解析、ファむルの完党性チェック、ポリシヌ監芖、ルヌトキット怜出などがありたす。たた、より高床なツヌル (カスタムの堎合が倚い) を䜿甚するず、むンメモリヌプロセスむメヌゞがオンディスクの実行可胜ファむルず䞀臎するかどうかを確認しお、実行䞭のプロセスの実行状態を怜蚌するこずができたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml315(para) +msgid "" +"One critical policy decision for a cloud architect is what to do with the " +"output from a security monitoring tool. There are effectively two options. " +"The first is to alert a human to investigate and/or take corrective action. " +"This could be done by including the security alert in a log or events feed " +"for cloud administrators. The second option is to have the cloud take some " +"form of remedial action automatically, in addition to logging the event. " +"Remedial actions could include anything from re-installing a node to " +"performing a minor service configuration. However, automated remedial action" +" can be challenging due to the possibility of false positives." 
+msgstr "セキュリティ監芖ツヌルの出力の凊理方法は、クラりドアヌキテクトにずっおの重芁なポリシヌ決定の䞀぀です。オプションは実質的に 2 ぀ありたす。第 1 のオプションは、問題を調査しお修正措眮を取るように、人間に譊告を発する方法です。これは、クラりド管理者向けのログたたはむベントのフィヌドにセキュリティ譊告を組み蟌むこずによっお可胜ずなりたす。第 2 のオプションは、むベントのログ蚘録に加えお、クラりドが䜕らかの圢の修埩措眮を自動的に実行するように蚭定する方法です。修埩措眮にはノヌドの再むンストヌルから、マむナヌなサヌビス蚭定の実行たで含めるこずができたす。ただし、自動修埩措眮は、誀怜知の可胜性があるため、困難ずなる堎合がありたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml326(para) +msgid "" +"False positives occur when the security monitoring tool produces a security " +"alert for a benign event. Due to the nature of security monitoring tools, " +"false positives will most certainly occur from time to time. Typically a " +"cloud administrator can tune security monitoring tools to reduce the false " +"positives, but this may also reduce the overall detection rate at the same " +"time. These classic trade-offs must be understood and accounted for when " +"setting up a security monitoring system in the cloud." +msgstr "誀怜知は、セキュリティ監芖ツヌルが害のないむベントのセキュリティ譊告を出した堎合に発生したす。セキュリティ譊告ツヌルの性質䞊、時々誀怜知が発生するこずは間違いありたせん。通垞、クラりド管理者は、セキュリティ監芖ツヌルを埮調敎しお、誀怜知を少なくするこずができたすが、これにより、党䜓的な怜知率も同時に䞋がる堎合がありたす。このような兞型的トレヌドオフを理解し、クラりドにセキュリティ管理システムをセットアップする際には考慮に入れる必芁がありたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml335(para) +msgid "" +"The selection and configuration of a host-based intrusion detection tool is " +"highly deployment specific. We recommend starting by exploring the following" +" open source projects which implement a variety of host-based intrusion " +"detection and file monitoring features." 
+msgstr "ホストベヌスの䟵入怜知ツヌルの遞択ず蚭定はデプロむメントによっお倧幅に異なりたす。倚様なホストベヌスの䟵入怜知/ファむル監芖機胜を実装する以䞋のオヌプン゜ヌスプロゞェクトの怜蚎から開始するこずをお勧めしたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml343(link) +msgid "OSSEC" +msgstr "OSSEC" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml347(link) +msgid "Samhain" +msgstr "Samhain" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml352(link) +msgid "Tripwire" +msgstr "Tripwire" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml356(link) +msgid "AIDE" +msgstr "AIDE" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml359(para) +msgid "" +"Network intrusion detection tools complement the host-based tools. OpenStack" +" doesn't have a specific network IDS built-in, but OpenStack Networking " +"provides a plug-in mechanism to enable different technologies through the " +"Networking API. This plug-in architecture will allow tenants to develop API " +"extensions to insert and configure their own advanced networking services " +"like a firewall, an intrusion detection system, or a VPN between the VMs." +msgstr "ネットワヌク䟵入怜知ツヌルは、ホストベヌスのツヌルを補完したす。OpenStack には、特定のネットワヌク IDS は組み蟌たれおいたせんが、OpenStack Networking は、Networking API を䜿甚しお異なるテクノロゞヌを有効にするプラグむンメカニズムを提䟛しおいたす。このプラグむンのアヌキテクチャヌにより、テナントは API 拡匵機胜を開発しお、ファむアりォヌル、䟵入怜知システム、仮想マシン間の VPN などの独自の高床なネットワヌクサヌビスを挿入/蚭定するこずができたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml367(para) +msgid "" +"Similar to host-based tools, the selection and configuration of a network-" +"based intrusion detection tool is deployment specific. Snort is the leading open source " +"networking intrusion detection tool, and a good starting place to learn " +"more." +msgstr "ホストベヌスのツヌルず同様に、ネットワヌクベヌスの䟵入怜知ツヌルはデプロむメントによっお異なりたす。 Snort は、先進的なオヌプン゜ヌスのネットワヌク䟵入怜知ツヌルです。このツヌルを起点ずしお、曎に知識を深めおゆくずよいでしょう。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml373(para) +msgid "" +"There are a few important security considerations for network and host-based" +" intrusion detection systems." 
+msgstr "ネットワヌクおよびホストベヌスの䟵入怜知システムには、いく぀かの重芁なセキュリティ課題がありたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml377(para) +msgid "" +"It is important to consider the placement of the Network IDS on the cloud " +"(for example, adding it to the network boundary and/or around sensitive " +"networks). The placement depends on your network environment but make sure " +"to monitor the impact the IDS may have on your services depending on where " +"you choose to add it. Encrypted traffic, such as SSL, cannot generally be " +"inspected for content by a Network IDS. However, the Network IDS may still " +"provide some benefit in identifying anomalous unencrypted traffic on the " +"network." +msgstr "クラりドにネットワヌク IDS の配眮を怜蚎するこずは重芁です (䟋: ネットワヌク境界や機密性の高いのネットワヌクに远加するなど)。 配眮はネットワヌク環境によっお異なりたすが、远加する堎所によっお IDS がサヌビスにもたらす可胜性のある圱響を確実に監芖するようにしおください。通垞 ネットワヌク IDS は、SSL などの暗号化トラフィックを調査するこずはできたせんが、ネットワヌク䞊の異垞な非暗号化トラフィックを特定するメリットを提䟛するこずができたす。" + +#: ./doc/security-guide/ch013_node-bootstrapping.xml389(para) +msgid "" +"In some deployments it may be required to add host-based IDS on sensitive " +"components on security domain bridges. A host-based IDS may detect anomalous" +" activity by compromised or unauthorized processes on the component. The IDS" +" should transmit alert and log information on the Management network." 
+msgstr "䞀郚のデプロむメントでは、ホストベヌスの IDS をセキュリティドメむンブリッゞ䞊の機密性の高いコンポヌネントに远加する必芁がある堎合がありたす。ホストベヌスの IDS は、そのコンポヌネント䞊の䟵害された、あるいは蚱可されおいないプロセスによる異垞なアクティビティを怜知するこずができたす。IDS は管理ネットワヌク䞊で譊告およびログ情報を䌝送すべきです。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml8(title) +msgid "Networking services" +msgstr "ネットワヌクサヌビス" + +#: ./doc/security-guide/ch032_networking-best-practices.xml9(para) +msgid "" +"In the initial architectural phases of designing your OpenStack Network " +"infrastructure it is important to ensure appropriate expertise is available " +"to assist with the design of the physical networking infrastructure, to " +"identify proper security controls and auditing mechanisms." +msgstr "あなたの OpenStack ネットワヌクむンフラデザむンの抂芁蚭蚈段階では、適切なセキュリティ管理・監査機構を確認する為、物理ネットワヌクむンフラ蚭蚈で支揎する適切な専門技術が間違いなく利甚できる事は重芁です。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml10(para) +msgid "" +"OpenStack Networking adds a layer of virtualized network services - giving " +"tenants the capability to architect their own, virtual networks. These " +"virtualized services are not as currently as mature as their traditional " +"networking counterparts. It is important to be aware of the current state of" +" these virtualized services and what controls may need to be implemented at " +"the virtualized and traditional network boundary." +msgstr "OpenStack Networking はテナントに自身の仮想ネットワヌクを蚭蚈する為の機胜を提䟛する仮想ネットワヌクサヌビスのレむダを远加したす。これらの仮想化サヌビスは、珟時点で埓来のネットワヌクコンポヌネントのように成熟しおいたせん。これらの仮想化技術の珟状ず、仮想ネットワヌクず埓来のネットワヌク境界でどのコントロヌルを実装する必芁があるだろうずいうを知っおおく事は重芁です。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml12(title) +msgid "L2 isolation using VLANs and tunneling" +msgstr "VLAN ずトンネリングを䜿甚した L2 分断" + +#: ./doc/security-guide/ch032_networking-best-practices.xml13(para) +msgid "" +"OpenStack networking can employ two different mechanisms for traffic " +"segregation on a per tenant/network combination: VLANs (IEEE 802.1Q tagging)" +" or L2 tunnels using GRE encapsulation. 
Which method you choose for traffic " +"segregation and isolation is determined by the scope and scale of your " +"OpenStack deployment." +msgstr "OpenStack Networking はテナントネットワヌクの組合せ単䜍で通信を分断する為の、 VLANs (IEEE 802.1Q タギング) 又は GRE カプセル化を䜿甚した L2 トンネルずいう぀の異なる機構を䜿甚する事が出来たす。通信の分断ず独立甚にあなたが遞択する方匏は、あなたの OpenStack デプロむの範囲ず芏暡に䟝存したす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml15(title) +msgid "VLANs" +msgstr "VLAN" + +#: ./doc/security-guide/ch032_networking-best-practices.xml16(para) +msgid "" +"VLANs are realized as packets on a specific physical network containing IEEE" +" 802.1Q headers with a specific VLAN ID (VID) field value. VLAN networks " +"sharing the same physical network are isolated from each other at L2, and " +"can even have overlapping IP address spaces. Each distinct physical network " +"supporting VLAN networks is treated as a separate VLAN trunk, with a " +"distinct space of VID values. Valid VID values are 1 through 4094." +msgstr "VLAN は特別な VLAN ID (VID) フィヌルド倀を持぀ IEEE 802.1Q ヘッダを含む特別な物理ネットワヌク䞊のパケットを実珟したす。同じ物理ネットワヌクを共有する VLAN ネットワヌク矀は、L2 においお盞互から独立しおおり、重耇する IP アドレス空間を持぀事すら可胜です。VLAN ネットワヌクに察応した各個別の物理ネットワヌクは、独自の VID 倀を持぀独立した VLAN トランクずしお扱われたす。有効な VID 倀は14094です。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml17(para) +msgid "" +"VLAN configuration complexity depends on your OpenStack design requirements." +" In order to allow OpenStack Networking to efficiently use VLANs, you must " +"allocate a VLAN range (one for each tenant) and turn each compute node " +"physical switch port into a VLAN trunk port." 
+msgstr "VLAN 蚭定の耇雑さはあなたの OpenStack 蚭蚈芁件に䟝存したす。OpenStack Networking がVLAN を効率良く䜿甚できるようにする為に、VLAN 範囲を (各テナントに぀) 割り圓おお、各 compute ノヌドの物理スむッチポヌトを VLAN トランクポヌトに倉曎する必芁がありたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml19(para) +msgid "" +"NOTE: If you intend for your network to support more than 4094 tenants VLAN " +"is probably not the correct option for you as multiple 'hacks' are required " +"to extend the VLAN tags to more than 4094 tenants." +msgstr "泚意あなたのネットワヌクを4095 以䞊のテナントに察応するようにしたい堎合、VLAN はあなたにずっお倚分正しい遞択肢ではありたせん。なぜなら、4095 以䞊に VLAN タグを拡匵する為の耇数の「改造」が必芁だからです。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml23(title) +msgid "L2 tunneling" +msgstr "L2 トンネリング" + +#: ./doc/security-guide/ch032_networking-best-practices.xml24(para) +msgid "" +"Network tunneling encapsulates each tenant/network combination with a unique" +" \"tunnel-id\" that is used to identify the network traffic belonging to " +"that combination. The tenant's L2 network connectivity is independent of " +"physical locality or underlying network design. By encapsulating traffic " +"inside IP packets, that traffic can cross Layer-3 boundaries, removing the " +"need for preconfigured VLANs and VLAN trunking. Tunneling adds a layer of " +"obfuscation to network data traffic, reducing the visibility of individual " +"tenant traffic from a monitoring point of view." +msgstr "Network tunneling encapsulates each tenant/network combination with a unique \"tunnel-id\" \nネットワヌクトンネリングは、固有の「トンネルID」を甚いおテナントネットワヌクの各組合せをカプセル化したす。これは、䞊蚘の組合せに属するネットワヌク通信を独立させる為に䜿甚されたす。テナントの L2 ネットワヌク接続は、物理的配眮や䞋局のネットワヌク蚭蚈から独立しおいたす。IP パケット内で通信をカプセル化する事により、通信はレむダ境界を越える事ができ、VLAN や VLAN ずランキングの事前蚭定の必芁が無くなりたす。トンネリングはネットワヌクのデヌタ通信に䞍明瞭なレむダを远加し、監芖の芳点で個々のテナント通信の可芖性を䜎䞋させたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml25(para) +msgid "" +"OpenStack Networking currently only supports GRE encapsulation with planned " +"future support of VXLAN due in the Havana release." 
+msgstr "OpenStack Networking は珟圚 GRE カプセル化のみサポヌトしおおり、Havana リリヌスで VXLAN をサポヌトする蚈画がありたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml26(para) +msgid "" +"The choice of technology to provide L2 isolation is dependent upon the scope" +" and size of tenant networks that will be created in your deployment. If " +"your environment has limited VLAN ID availability or will have a large " +"number of L2 networks, it is our recommendation that you utilize tunneling." +msgstr "L2 分断を提䟛する技術の遞択は、あなたのデプロむで䜜成される予定のテナントネットワヌクの範囲ずサむズに䟝存したす。あなたの環境が VLAN ID の利甚で制限がある堎合や、倧倚数の L2 ネットワヌクが芋蟌たれる堎合、トンネリングの䜿甚を掚奚したす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml30(title) +msgid "Network services" +msgstr "ネットワヌクサヌビス" + +#: ./doc/security-guide/ch032_networking-best-practices.xml31(para) +msgid "" +"The choice of tenant network isolation affects how the network security and " +"control boundary is implemented for tenant services. The following " +"additional network services are either available or currently under " +"development to enhance the security posture of the OpenStack network " +"architecture." +msgstr "テナントネットワヌク分断の遞択はネットワヌクセキュリティず制埡境界をどのように実装するかに圱響したす。\n以䞋の远加ネットワヌクサヌビスは利甚可胜か、OpenStack ネットワヌクアヌキテクチャのセキュリティポヌズを拡匵する為の開発䞭かのいずれかです。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml33(title) +msgid "Access control lists" +msgstr "アクセス制埡リスト" + +#: ./doc/security-guide/ch032_networking-best-practices.xml34(para) +msgid "" +"OpenStack Compute supports tenant network traffic access controls directly " +"when deployed with the legacy nova-network service, or may defer access " +"control to the OpenStack Networking service." 
+msgstr "OpenStack Compute は、旧匏の nova-network サヌビスでデプロむする堎合、テナントネットワヌク通信のアクセス制埡を盎接サポヌトしたす。又は、OpenStack Networking サヌビスにアクセス制埡を任せる事も出来たす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml35(para) +msgid "" +"Note, legacy nova-network security groups are applied to all virtual " +"interface ports on an instance using IPTables." +msgstr "泚旧匏の nova-network セキュリティグルヌプは、Iptables を䜿甚しおむンスタンス䞊の党おの仮想むンタヌフェヌスポヌトに適甚されたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml36(para) +msgid "" +"Security groups allow administrators and tenants the ability to specify the " +"type of traffic, and direction (ingress/egress) that is allowed to pass " +"through a virtual interface port. Security groups rules are stateful L2-L4 " +"traffic filters." +msgstr "セキュリティグルヌプでは、管理者ずテナントが仮想むンタヌフェヌスポヌト通過を蚱可する通信のタむプず方向内向き倖向きを指定できるようになっおいたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml37(para) +msgid "" +"It is our recommendation that you enable security groups through OpenStack " +"Networking." +msgstr "OpenStack Networking 経由でセキュリティグルヌプを有効にする事をお勧めしたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml41(title) +msgid "L3 routing and NAT" +msgstr "L3 ルヌティングおよび NAT" + +#: ./doc/security-guide/ch032_networking-best-practices.xml42(para) +msgid "" +"OpenStack Networking routers can connect multiple L2 networks, and can also " +"provide a gateway that connects one or more private L2 " +"networks to a shared external network, such as a public" +" network for access to the Internet." +msgstr "OpenStack Networking のルヌタは耇数の L2 ネットワヌクを接続でき、぀以䞊のプラむベヌト L2 ネットワヌクを共有倖郚ネットワヌクむンタヌネットアクセス甚のパブリックネットワヌク等に接続するゲヌトりェむを提䟛する事も出来たす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml43(para) +msgid "" +"The L3 router provides basic Network Address Translation (NAT) capabilities " +"on gateway ports that uplink the router to external " +"networks. 
This router SNATs (Static NAT) all traffic by default, and " +"supports floating IPs, which creates a static one-to-one mapping from a " +"public IP on the external network to a private IP on one of the other " +"subnets attached to the router." +msgstr "L3 ルヌタは、倖郚ネットワヌクぞのルヌタに接続するゲヌトりェむポヌト䞊の基本的なネットワヌクアドレス倉換 (NAT) 機胜を提䟛したす。このルヌタはデフォルトで党おのネットワヌクの SNAT (静的 NAT) を行いたす。これは、倖郚ネットワヌク䞊のパブリック IP アドレスから、ルヌタにアタッチされた他のサブネットのプラむベヌト IP アドレスぞ倉換する静的な察マッピングを䜜成したす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml44(para) +msgid "" +"It is our recommendation to leverage per tenant L3 routing and Floating IPs " +"for more granular connectivity of tenant VMs." +msgstr "テナント VM のより粒床の现かいテナント L3 ルヌティングずフロヌティング IP 単䜍で蚭定する事をお勧めしたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml47(title) +msgid "Quality of Service (QoS)" +msgstr "サヌビス品質(QoS)" + +#: ./doc/security-guide/ch032_networking-best-practices.xml48(para) +msgid "" +"The ability to set QoS on the virtual interface ports of tenant instances is" +" a current deficiency for OpenStack Networking. The application of QoS for " +"traffic shaping and rate-limiting at the physical network edge device is " +"insufficient due to the dynamic nature of workloads in an OpenStack " +"deployment and can not be leveraged in the traditional way. QoS-as-a-Service" +" (QoSaaS) is currently in development for the OpenStack Networking Havana " +"release as an experimental feature. 
QoSaaS is planning to provide the " +"following services:" +msgstr "珟圚の OpenStack Networking にはテナントむンスタンスの仮想むンタヌフェヌスポヌト䞊の QoS 蚭定機胜が欠劂しおいたす。物理ネットワヌク゚ッゞデバむスにおけるトラフィックシェヌピングやレヌトリミットの為の QoS 掻甚は、OpenStack デプロむ䞭のワヌクロヌドの動的な性質の為に実装されおおらず、埓来の方法では蚭定できたせん。QoS-as-a-Service (QoSaaS) は実隓的な機胜ずしお珟圚 OpenStack Networking Havana リリヌス甚に開発䞭です。QoSaaS は以䞋のサヌビスを提䟛する蚈画です。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml50(para) +msgid "Traffic shaping through DSCP markings" +msgstr "DSCP マヌキングによるトラフィックシェヌピング" + +#: ./doc/security-guide/ch032_networking-best-practices.xml53(para) +msgid "Rate-limiting on a per port/network/tenant basis." +msgstr "ポヌト・ネットワヌク・テナント単䜍のレヌトリミット" + +#: ./doc/security-guide/ch032_networking-best-practices.xml56(para) +msgid "Port mirroring (through open source or third-party plug-ins)" +msgstr "ポヌトミラヌリング (オヌプン゜ヌスのサヌドパヌティ補プラグむン䜿甚)" + +#: ./doc/security-guide/ch032_networking-best-practices.xml59(para) +msgid "Flow analysis (through open source or third-party plug-ins)" +msgstr "フロヌ分析 (オヌプン゜ヌスのサヌドパヌティプラグむン䜿甚)" + +#: ./doc/security-guide/ch032_networking-best-practices.xml62(para) +msgid "" +"Tenant traffic port mirroring or Network Flow monitoring is currently not an" +" exposed feature in OpenStack Networking. There are third-party plug-in " +"extensions that do provide Port Mirroring on a per port/network/tenant " +"basis. If Open vSwitch is used on the networking hypervisor, it is possible " +"to enable sFlow and port mirroring, however it will require some operational" +" effort to implement." 
+msgstr "テナントトラフィックポヌトミラヌリング又はNetwork Flow モニタリングは珟圚、OpenStack Networking の機胜ずしお公開されおいたせん。ポヌトネットワヌクテナント単䜍でポヌトミラヌリングを行うサヌドパヌティ補のプラグむン拡匵がありたす。ハむパヌバむザヌ䞊で Open vSwitch を䜿甚する堎合、sFlow ずポヌトミラヌリングを有効にできたすが、実装には幟぀かの運甚操䜜が必芁になるでしょう。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml65(title) +msgid "Load balancing" +msgstr "負荷分散" + +#: ./doc/security-guide/ch032_networking-best-practices.xml66(para) +msgid "" +"An experimental feature in the Grizzly release of OpenStack Networking is " +"Load-Balancer-as-a-service (LBaaS). The LBaaS API gives early adopters and " +"vendors a chance to build implementations of the technology. The reference " +"implementation however, is still experimental and should likely not be run " +"in a production environment. The current reference implementation is based " +"on HA-Proxy. There are third-party plug-ins in development for extensions in" +" OpenStack Networking to provide extensive L4-L7 functionality for virtual " +"interface ports." +msgstr "OpenStack Networking の Grizzly リリヌスにおける実隓的機胜の぀が Load-Balancer-as-a-service (LBaaS) です。LBaaS API は、アヌリヌアダプタヌやベンダヌに LBaaS 技術の実装を行う機䌚を提䟛したす。しかしながら、リファレンス実装は未だ実隓段階で、商甚環境で䜿甚されおいるずいう話は聞きたせん。珟圚のリファレンス実装は HAProxy をベヌスにしおいたす。仮想むンタヌフェヌスポヌト甚の拡匵可胜な L4-L7 機胜を提䟛する OpenStack Networking 䞭の拡匵甚に開発䞭のサヌドパヌティプラグむンがありたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml69(title) +msgid "Firewalls" +msgstr "ファむアりォヌル" + +#: ./doc/security-guide/ch032_networking-best-practices.xml70(para) +msgid "" +"FW-as-a-Service (FWaaS) is currently in development for the OpenStack " +"Networking Havana release as an experimental feature. FWaaS will address the" +" need to manage and leverage the rich set of security features provided by " +"typical firewall products which are typically far more comprehensive than " +"what is currently provided by security groups. There are third-party plug-" +"ins in development for extensions in OpenStack Networking to support this." 
+msgstr "FW-as-a-Service (FWaaS) は実隓的機胜ずしお OpenStack Networking Havana リリヌスに向けお珟圚開発䞭です。FWaaS は珟圚セキュリティグルヌプにより提䟛されるものより䞀般にはかなり広い兞型的なファむアりォヌル補品により提䟛される豊富なセキュリティ機胜を管理・蚭定する為に呌ばれたす。珟圚、FWaaS をサポヌトするために、OpenStack ネットワヌキングの拡匵甚サヌドパヌティプラグむンが開発されおいるずころです。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml71(para) +msgid "" +"It is critical during the design of an OpenStack Networking infrastructure " +"to understand the current features and limitations of network services that " +"are available. Understanding where the boundaries of your virtual and " +"physical networks will help you add the required security controls in your " +"environment." +msgstr "利甚可胜なネットワヌクサヌビスの珟圚の機胜ず制限を理解する事は OpenStack Networking の蚭蚈䞊極めお重芁です。仮想物理ネットワヌクの境界がどこかを理解する事は、あなたの環境で芁求されたセキュリティコントロヌルを远加する際の助けになるでしょう。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml75(title) +msgid "Network services extensions" +msgstr "ネットワヌクサヌビス拡匵" + +#: ./doc/security-guide/ch032_networking-best-practices.xml76(para) +msgid "" +"Here is a list of known plug-ins provided by the open source community or by" +" SDN companies that work with OpenStack Networking:" +msgstr "以䞋はオヌプン゜ヌスコミュニティ又はSDN䌁業によっお提䟛された、 OpenStack Networking で動䜜する既知のプラグむンの䞀芧です。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml77(para) +msgid "" +"Big Switch Controller plug-in, Brocade neutron plug-in Brocade neutron plug-" +"in, Cisco UCS/Nexus plug-in, Cloudbase Hyper-V plug-in, Extreme Networks " +"plug-in, Juniper Networks neutron plug-in, Linux Bridge plug-in, Mellanox " +"neutron plug-in, MidoNet plug-in, NEC OpenFlow plug-in, Open vSwitch plug-" +"in, PLUMgrid plug-in, Ruijie Networks plug-in, Ryu OpenFlow Controller plug-" +"in, VMware NSX plug-in." 
+msgstr "Big Switch Controller プラグむン、Brocade neutron プラグむン、Brocade neutron プラグむン、Cisco UCS/Nexus プラグむン、Cloudbase Hyper-V プラグむン、Extreme Networks プラグむン、Juniper Networks neutron プラグむン、Linux Bridge プラグむン、Mellanox neutron プラグむン、MidoNet プラグむン、NEC OpenFlow プラグむン、Open vSwitch プラグむン、PLUMgrid プラグむン、Ruijie Networks プラグむン、Ryu OpenFlow Controller プラグむン、VMware NSX プラグむン。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml86(title) +msgid "Networking services limitations" +msgstr "Networking サヌビスの制限事項" + +#: ./doc/security-guide/ch032_networking-best-practices.xml87(para) +msgid "OpenStack Networking has the following known limitations:" +msgstr "OpenStack Networking は以䞋の制限がありたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml90(term) +msgid "Overlapping IP addresses" +msgstr "IP アドレスの重耇" + +#: ./doc/security-guide/ch032_networking-best-practices.xml92(para) +msgid "" +"If nodes that run either neutron-l3-agent or neutron-dhcp-agent use overlapping IP " +"addresses, those nodes must use Linux network namespaces. By default, the " +"DHCP and L3 agents use Linux network namespaces. However, if the host does " +"not support these namespaces, run the DHCP and L3 agents on different hosts." +msgstr "neutron-l3-agent か neutron-dhcp-agent のいずれかを実行するノヌドが重耇した IP アドレスを䜿甚する堎合、これらのノヌド矀は Linux のネットワヌクネヌムスペヌスを䜿甚する必芁がありたす。デフォルトでは、DHCP ず L3 ゚ヌゞェントは Linux ネットワヌクネヌムスペヌスを䜿甚しおいたす。しかしながら、ホストがこのネヌムスペヌスをサポヌトしおいない堎合、DHCP ず L3 ゚ヌゞェントは異なるホストで実行しお䞋さい。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml102(para) +msgid "" +"If network namespace support is not present, a further limitation of the L3 " +"agent is that only a single logical router is supported." 
+msgstr "ネットワヌクネヌムスペヌスサポヌトがない堎合、L3゚ヌゞェントでは远加の制限事項ずしお単䞀の論理ルヌタのみサポヌトされたす。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml109(term) +msgid "Multi-host DHCP-agent" +msgstr "マルチホスト DHCP ゚ヌゞェント" + +#: ./doc/security-guide/ch032_networking-best-practices.xml111(para) +msgid "" +"OpenStack Networking supports multiple L3 and DHCP agents with load " +"balancing. However, tight coupling of the location of the virtual machine is" +" not supported." +msgstr "OpenStack Networking は耇数の L3 ゚ヌゞェントず DHCP ゚ヌゞェントによる負荷分散をサポヌトしおいたす。しかしながら、蚳泚nova-network がサポヌトしおいた仮想マシンずの配眮䞊の匷い玐付けはサポヌトされおいたせん。" + +#: ./doc/security-guide/ch032_networking-best-practices.xml119(term) +msgid "No IPv6 support for L3 agents" +msgstr "L3 ゚ヌゞェントの IPv6 未察応" + +#: ./doc/security-guide/ch032_networking-best-practices.xml121(para) +msgid "" +"The neutron-l3-agent, used by many plug-ins to implement L3 forwarding, " +"supports only IPv4 forwarding." +msgstr "neutron-l3-agent L3 転送の実装甚に倚くのプラグむンが䜿甚は IPv4 転送のみサポヌトしおいたす。" + +#: ./doc/security-guide/ch030_state-of-networking.xml8(title) +msgid "State of networking" +msgstr "ネットワヌクの状態" + +#: ./doc/security-guide/ch030_state-of-networking.xml9(para) +msgid "" +"OpenStack Networking in the Grizzly release enables the end-user or tenant " +"to define, utilize, and consume networking resources in new ways that had " +"not been possible in previous OpenStack Networking releases. OpenStack " +"Networking provides a tenant-facing API for defining network connectivity " +"and IP addressing for instances in the cloud in addition to orchestrating " +"the network configuration. With the transition to an API-centric networking " +"service, cloud architects and administrators should take into consideration " +"best practices to secure physical and virtual network infrastructure and " +"services." 
+msgstr "Grizzly リリヌスの OpenStack Networking により、゚ンドナヌザヌたたはテナントは、以前の OpenStack Networking リリヌスではできなかった新しい方法でネットワヌクリ゜ヌスを定矩、利甚、消費するこずが可胜です。OpenStack Networking は、ネットワヌク蚭定のオヌケストレヌションに加えお、クラりド内のむンスタンスを察象ずしたネットワヌク接続の定矩ず IP アドレス指定甚の察テナント API を提䟛したす。API 䞭心のネットワヌクサヌビスぞの移行にあたっおは、クラりドのアヌキテクトや管理者が、物理/仮想ネットワヌクのむンフラストラクチャヌずサヌビスをセキュリティ保護するためのベストプラクティスを考慮すべきです。" + +#: ./doc/security-guide/ch030_state-of-networking.xml10(para) +msgid "" +"OpenStack Networking was designed with a plug-in architecture that provides " +"extensibility of the API through open source community or third-party " +"services. As you evaluate your architectural design requirements, it is " +"important to determine what features are available in OpenStack Networking " +"core services, any additional services that are provided by third-party " +"products, and what supplemental services are required to be implemented in " +"the physical infrastructure." +msgstr "OpenStack Networking は、オヌプン゜ヌスコミュニティやサヌドパヌティヌのサヌビスによる API の拡匵性を提䟛するプラグむンアヌキテクチャヌで蚭蚈されたした。アヌキテクチャヌの蚭蚈芁件を評䟡するにあたっおは、OpenStack Networking のコアサヌビスではどのような機胜が提䟛されおいるか、サヌドパヌティの補品によっお提䟛される远加のサヌビスがあるかどうか、物理むンフラストラクチャヌにはどのような補足サヌビスを実装する必芁があるかを刀断するこずが重芁です。" + +#: ./doc/security-guide/ch030_state-of-networking.xml20(para) +msgid "" +"This section is a high-level overview of what processes and best practices " +"should be considered when implementing OpenStack Networking. We will talk " +"about the current state of services that are available, what future services" +" will be implemented, and the current limitations in this project." +msgstr "本項には、OpenStack Networking を実装する際に怜蚎すべきプロセスずベストプラクティスに぀いおの倧たかな抂芁をたずめおいたす。提䟛されおいるサヌビスの珟圚の状況 、将来実装されるサヌビス、本プロゞェクトにおける珟圚の制限事項などに぀いお説明したす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml8(title) +msgid "Forensics and incident response" +msgstr "フォレンゞングずむンシデント察応" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml9(para) +msgid "" +"A lot of activity goes on within a cloud environment. 
It is a mix of " +"hardware, operating systems, virtual machine managers, the OpenStack " +"services, cloud-user activity such as creating instances and attaching " +"storage, the network underlying the whole, and finally end-users using the " +"applications running on the various instances." +msgstr "倚数の掻動がクラりド環境内で行われたす。これはハヌドりェア、オペレヌティングシステム、仮想マシンマネヌゞャ、OpenStackサヌビス矀、むンスタンス䜜成やストレヌゞアタッチのようなクラりド⇔ナヌザ掻動、党䜓の土台であるネットワヌク、最埌に様々なむンスタンス䞊で実行されるアプリケヌションを䜿甚する゚ンドナヌザのミックスです。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml10(para) +msgid "" +"The generation and collection of logs is an important component of securely " +"monitoring an OpenStack infrastructure. Logs provide visibility into the " +"day-to-day actions of administrators, tenants, and guests, in addition to " +"the activity in the compute, networking, and storage and other components " +"that comprise your OpenStack deployment." +msgstr "ログの生成ず収集は OpenStack むンフラのセキュリティ監芖の重芁なコンポヌネントです。ログは日々の管理者・テナント・ゲストの行動に加え、あなたの OpenStack デプロむを構成する Compute、Networking、ストレヌゞ、他のコンポヌネントの掻動の可芖性を提䟛したす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml11(para) +msgid "" +"The basics of logging: configuration, setting log level, location of the log" +" files, and how to use and customize logs, as well as how to do centralized " +"collections of logs is well covered in the OpenStack Operations " +"Guide." +msgstr "ロギングの基本: ログを集䞭収集する方法ず同様、蚭定、ログレベル蚭定、ログファむルの䜍眮、ログの䜿甚ずカスタマむズ方法は、OpenStack Operations Guide で充分にカバヌされおいたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml12(para) +msgid "" +"Logs are not only valuable for proactive security and continuous compliance " +"activities, but they are also a valuable information source for " +"investigating and responding to incidents." 
+msgstr "ログは率先したセキュリティや継続的なコンプラむアンス掻動に有甚であるのみならず、むンシデントの調査ず察応の為の情報源ずしおも有甚です。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml13(para) +msgid "" +"For instance, analyzing the access logs of Identity Service or its " +"replacement authentication system would alert us to failed logins, their " +"frequency, origin IP, whether the events are restricted to select accounts " +"etc. Log analysis supports detection." +msgstr "䟋えば、Identity サヌビスたたはその代替認蚌システムぞのアクセスログ解析は、アカりント等を遞択しおむベントを制限するしないで、倱敗したログむン、それらの頻床、アクセス元IPアドレスを譊告したす。ログ解析は怜知をサポヌトしたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml14(para) +msgid "" +"On detection, further action may be to black list an IP, or recommend " +"strengthening user passwords, or even de-activating a user account if it is " +"deemed dormant." +msgstr "怜知時、远加のアクションになるのは、IP のブラックリストだったり、ナヌザのパスワヌドを補匷する事を掚奚したり、ナヌザアカりントが䌑眠状態である堎合はその無効化でさえあったりしたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml16(title) +msgid "Monitoring use cases" +msgstr "監芖ナヌスケヌス" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml17(para) +msgid "" +"Monitoring events is more pro-active and provides real-time detection and " +"response. There are several tools to aid in monitoring." +msgstr "むベントの監芖はより率先的で、リアルタむムの怜知ず察応を提䟛したす。監芖の助けずなるいく぀かのツヌルがありたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml18(para) +msgid "" +"In the case of an OpenStack cloud instance, we need to monitor the hardware," +" the OpenStack services, and the cloud resource usage. The last stems from " +"wanting to be elastic, to scale to the dynamic needs of the users." +msgstr "OpenStack クラりドむンスタンスの堎合、ハヌドりェア、OpenStack サヌビス、クラりドリ゜ヌス䜿甚量を監芖する必芁がありたす。最埌は、柔軟性、ナヌザの倉化するニヌズぞのスケヌル性ぞの芁求から生じるものです。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml19(para) +msgid "" +"Here are a few important use cases to consider when implementing log " +"aggregation, analysis and monitoring. 
These use cases can be implemented and" +" monitored through various commercial and open source tools, homegrown " +"scripts, etc. These tools and scripts can generate events that can then be " +"sent to the administrators through email or integrated dashboard. It is " +"important to consider additional use cases that may apply to your specific " +"network and what you may consider anomalous behavior." +msgstr "ここで、ログ収集、解析、監芖を実装する際に考慮すべき重芁なナヌスケヌスがいく぀かありたす。これらのナヌスケヌスは、様々な商甚やオヌプン゜ヌスのツヌル、自䜜のスクリプト等を通じお実装・監芖できたす。これらのツヌルずスクリプトは、電子メヌルや組み蟌たれたダッシュボヌドで管理者に送信されるむベントを生成できたす。あなたの堎合のネットワヌクに適甚できる远加のナヌスケヌスや、倉則的な挙動を考慮できるようにするものを考慮する事は重芁です。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml21(para) +msgid "" +"Detecting the absence of log generation is an event of high value. Such an " +"event would indicate a service failure or even an intruder who has " +"temporarily switched off logging or modified the log level to hide their " +"tracks." +msgstr "ログ生成無しの怜知は䟡倀の高いむベントです。このようなむベントはサヌビス障害、たたは䞀時的にログをオフにしたり、監芖者から隠れるためにログレベルを倉曎した䟵入者を瀺しおいる可胜性がありたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml25(para) +msgid "" +"Application events such as start and/or stop that were unscheduled would " +"also be events to monitor and examine for possible security implications." +msgstr "スケゞュヌル倖の start/stop のようなアプリケヌションむベントは、朜圚的なセキュリティ的なりラに぀いおの監芖ず確認䜜業を行うむベントでもあるでしょう。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml29(para) +msgid "" +"OS events on the OpenStack service machines such as user logins, restarts " +"also provide valuable insight into use/misuse" +msgstr "ナヌザログむン、再起動のような OpenStack サヌビスマシン䞊の OS むベントもたた、䜿甚誀甚ぞの䟡倀ある掞察を䞎えたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml33(para) +msgid "" +"Being able to detect the load on the OpenStack servers also enables " +"responding by way of introducing additional servers for load balancing to " +"ensure high availability." 
+msgstr "OpenStack サヌバ矀の負荷を怜知可胜にする事はたた、高可甚化察応の為に負荷分散甚远加サヌバを導入する為の察応を可胜にする事でもありたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml37(para) +msgid "" +"Other events that are actionable are networking bridges going down, ip " +"tables being flushed on compute nodes and consequential loss of access to " +"instances resulting in unhappy customers." +msgstr "行動可胜な他のむベントはネットワヌクブリッゞがダりンした事です。compute ノヌド䞊で蚭定がクリアされた iptables や、むンスタンスぞのアクセスの重倧なロスはナヌザを䞍幞にしたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml41(para) +msgid "" +"To reduce security risks from orphan instances on a user/tenant/domain " +"deletion in the Identity service there is discussion to generate " +"notifications in the system and have OpenStack components respond to these " +"events as appropriate such as terminating instances, disconnecting attached " +"volumes, reclaiming CPU and storage resources etc." +msgstr "identity サヌビス䞭のナヌザテナントドメむン削陀に䌎う芋捚おられたむンスタンスかあのセキュリティリスクを䜎枛する為、システム䞭で通知を生成する事ず、むンスタンス削陀、アタッチしたボリュヌムの切断、CPU やストレヌゞリ゜ヌスの回収等のむベントに適切に察応する OpenStack コンポヌネントを甚意する事に぀いお議論がありたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml44(para) +msgid "" +"A cloud will host many virtual instances, and monitoring these instances " +"goes beyond hardware monitoring and log files which may just contain CRUD " +"events." +msgstr "クラりドには倚数の仮想むンスタンスがあり、これらのむンスタンスの監芖はハヌドりェア監芖ず CRUD むベントのみ含むログファむルの背埌にありたす。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml45(para) +msgid "" +"Security monitoring controls such as intrusion detection software, antivirus" +" software, and spyware detection and removal utilities can generate logs " +"that show when and how an attack or intrusion took place. Deploying these " +"tools on the cloud machines provides value and protection. Cloud users, " +"those running instances on the cloud may also want to run such tools on " +"their instances." 
+msgstr "䟵入怜知゜フトりェア、アンチりむルス゜フトりェア、スパむりェア怜知・削陀ナヌティリティのようなセキュリティ監芖制埡は、攻撃や䟵入が発生した時ず方法を瀺すログを生成できたす。クラりドマシン䞊にこれらのツヌルをデプロむする事は、䟡倀ず保護を提䟛したす。クラりド䞊でむンスタンスを実行するクラりドナヌザも自身のむンスタンス䞊でこのようなツヌルを実行したいかも知れたせん。" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml49(link) +msgid "http://www.mirantis.com/blog/openstack-monitoring/" +msgstr "http://www.mirantis.com/blog/openstack-monitoring/" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml50(link) +msgid "http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html" +msgstr "http://blog.sflow.com/2012/01/host-sflow-distributed-agent.html" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml51(link) +msgid "http://blog.sflow.com/2009/09/lan-and-wan.html" +msgstr "http://blog.sflow.com/2009/09/lan-and-wan.html" + +#: ./doc/security-guide/ch058_forensicsincident-response.xml52(link) +msgid "" +"http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html" +msgstr "http://blog.sflow.com/2013/01/rapidly-detecting-large-flows-sflow-vs.html" + +#: ./doc/security-guide/ch025_web-dashboard.xml9(para) +msgid "" +"Horizon is the OpenStack dashboard that provides users a self-service portal" +" to provision their own resources within the limits set by administrators. " +"These include provisioning users, defining instance flavors, uploading VM " +"images, managing networks, setting up security groups, starting instances, " +"and accessing the instances through a console." +msgstr "Horizon は OpenStack のダッシュボヌドです。管理者により蚭定された制限の範囲内でナヌザヌ自身のリ゜ヌスを展開できるセルフサヌビスポヌタルをナヌザヌに提䟛したす。これらには、ナヌザヌの管理、むンスタンスのフレヌバヌの定矩、仮想マシンむメヌゞのアップロヌド、ネットワヌクの管理、セキュリティグルヌプのセットアップ、むンスタンスの起動、むンスタンスぞのコン゜ヌル経由のアクセスなどがありたす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml14(para) +msgid "" +"The dashboard is based on the Django web framework, therefore secure " +"deployment practices for Django apply directly to horizon. 
This guide " +"provides a popular set of Django security recommendations, further " +"information can be found by reading the Django deployment " +"and security documentation." +msgstr "ダッシュボヌドは Django りェブフレヌムワヌクに基づいおいたす。そのため、Django のセキュアな導入プラクティスをそのたた Horizon に適甚できたす。このガむドは Django のセキュリティ掚奚事項の䞀般的なものを提䟛したす。さらなる情報は Django deployment and security documentation を読むこずにより埗られたす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml21(para) +msgid "" +"The dashboard ships with reasonable default security settings, and has good " +"deployment" +" and configuration documentation." +msgstr "ダッシュボヌドは適床なデフォルトのセキュリティ蚭定をしおありたす。たた、玠晎らしい deployment and configuration documentation (導入ず蚭定のドキュメント) がありたす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml26(title) +msgid "Basic web server configuration" +msgstr "基本的なりェブサヌバヌの蚭定" + +#: ./doc/security-guide/ch025_web-dashboard.xml27(para) +msgid "" +"The dashboard should be deployed as a Web Services Gateway Interface (WSGI) " +"application behind an HTTPS proxy such as Apache or nginx. If Apache is not " +"already in use, we recommend nginx since it is lighter weight and easier to " +"configure correctly." +msgstr "ダッシュボヌドは、Apache や nginx のような HTTPS プロキシの埌ろに Web Services Gateway Interface (WSGI) アプリケヌションずしお導入すべきです。ただ Apache を䜿甚しおいなければ、nginx を掚奚したす。こちらのほうが軜量か぀正しく蚭定しやすいです。" + +#: ./doc/security-guide/ch025_web-dashboard.xml32(para) +msgid "" +"When using nginx, we recommend gunicorn as " +"the wsgi host with an appropriate number of synchronous workers. We strongly" +" advise against deployments using fastcgi, scgi, or uWSGI. We strongly " +"advise against the use of synthetic performance benchmarks when choosing a " +"wsgi server." +msgstr "nginx を䜿甚しおいる堎合、適切な数の同期ワヌカヌを持぀ WSGI ホストずしお gunicorn を掚奚したす。fastcgi、scgi、uWSGI 等の䜿甚を匷く掚奚したす。WSGI サヌバヌを遞択するずき、統合パフォヌマンスベンチマヌクの䜿甚を匷く掚奚したす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml39(para) +msgid "" +"When using Apache, we recommend mod_wsgi" +" to host dashboard." 
+msgstr "Apache を䜿甚しおいるずき、ダッシュボヌドをホストするために mod_wsgi を掚奚したす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml44(title) +msgid "HTTPS" +msgstr "HTTPS" + +#: ./doc/security-guide/ch025_web-dashboard.xml45(para) +msgid "" +"Deploy the dashboard behind a secure HTTPS server by " +"using a valid, trusted certificate from a recognized certificate authority " +"(CA). Private organization-issued certificates are only appropriate when the" +" root of trust is pre-installed in all user browsers." +msgstr "ダッシュボヌドは、認知されおいる認蚌局 (CA) から発行された有効か぀信頌できる蚌明曞を䜿甚しおいるセキュアな HTTPS サヌバヌの埌ろに導入したす。プラむベヌトな組織で発行された蚌明曞は、ルヌト蚌明機関がお䜿いのすべおのブラりザヌに事前むンストヌルされおいるずきのみ、適切に動䜜したす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml52(para) +msgid "" +"Configure HTTP requests to the dashboard domain to redirect to the fully " +"qualified HTTPS URL." +msgstr "ダッシュボヌドのドメむンに察する HTTP リク゚ストは、完党修食された HTTPS URL にリダむレクトされるよう蚭定したす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml56(title) +msgid "HTTP Strict Transport Security (HSTS)" +msgstr "HTTP Strict Transport Security (HSTS)" + +#: ./doc/security-guide/ch025_web-dashboard.xml57(para) +msgid "It is highly recommended to use HTTP Strict Transport Security (HSTS)." +msgstr "HTTP Strict Transport Security (HSTS) の䜿甚が匷く掚奚されたす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml60(para) +msgid "" +"If you are using an HTTPS proxy in front of your web server, rather than " +"using an HTTP server with HTTPS functionality, follow the Django documentation on modifying the SECURE_PROXY_SSL_HEADER " +"variable." +msgstr "りェブブラりザヌの前で HTTPS プロキシを䜿甚しおいる堎合、HTTPS 機胜を持぀ HTTP サヌバヌを䜿甚するより、Django documentation on modifying the SECURE_PROXY_SSL_HEADER variable に埓うほうが良いです。" + +#: ./doc/security-guide/ch025_web-dashboard.xml67(para) +msgid "" +"See the chapter on PKI/SSL Everywhere for more specific recommendations and " +"server configurations for HTTPS configurations, including the configuration " +"of HSTS." 
+msgstr "HSTS の蚭定を含め、HTTPS の蚭定に関するより具䜓的な掚奚事項ずサヌバヌ蚭定は、PKI/SSL の章党䜓を参照しおください。" + +#: ./doc/security-guide/ch025_web-dashboard.xml72(title) +msgid "Front end caching" +msgstr "フロント゚ンドキャッシュ" + +#: ./doc/security-guide/ch025_web-dashboard.xml73(para) +msgid "" +"Since dashboard is rendering dynamic content passed directly from OpenStack " +"API requests, we do not recommend front end caching layers such as varnish. " +"In Django, static media is directly served from Apache or nginx and already " +"benefits from web host caching." +msgstr "ダッシュボヌドは OpenStack API リク゚ストから枡された動的コンテンツをそのたた描画するため、varnish のようなフロント゚ンドキャッシュ局を掚奚したせん。Django では、静的なメディアは盎接 Apache や nginx から凊理され、すでに Web ホストのキャッシュの恩恵を受けおいたす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml80(title) +msgid "Domain names" +msgstr "ドメむン名" + +#: ./doc/security-guide/ch025_web-dashboard.xml81(para) +msgid "" +"Many organizations typically deploy web applications at subdomains of an " +"overarching organization domain. It is natural for users to expect a domain " +"of the form openstack.example.org. In this context, there are " +"often many other applications deployed in the same second-level namespace, " +"often serving user-controlled content. This name structure is convenient and" +" simplifies name server maintenance." +msgstr "倚くの組織は䞀般的に、組織党䜓のドメむンのサブドメむンに Web アプリケヌションを配備したす。ナヌザヌが openstack.example.org 圢匏のドメむンを期埅するこずは自然です。これに関連しお、しばしば同じセカンドレベルの名前空間に配備された、ナヌザヌが管理できるコンテンツを取り扱う他の倚くのアプリケヌションがありたす。この名前の構造は䟿利であり、ネヌムサヌバヌのメンテナンスを簡単にしたす。" + +#: ./doc/security-guide/ch025_web-dashboard.xml89(para) +msgid "" +"We strongly recommend deploying horizon to a second-level " +"domain, such as https://example.com, and advise " +"against deploying horizon on a shared subdomain of any " +"level, for example https://openstack.example.org or " +"https://horizon.openstack.example.org. We also advise against " +"deploying to bare internal domains like https://horizon/." 
+msgstr "Horizon をセカンドレベルドメむンに導入するこずを匷く掚奚したす。䟋えば、https://example.com です。たた、Horizon を共有サブドメむンに導入しないこずをお奚めしたす。䟋えば、https://openstack.example.org や https://horizon.openstack.example.org です。https://horizon/ のようなそのたたの内郚ドメむンに導入しないこずもお奚めしたす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml97(para)
+msgid ""
+"This recommendation is based on the limitations browser same-origin-policy. "
+"The recommendations in this guide cannot effectively protect users against "
+"known attacks if dashboard is deployed on a domain which also hosts user-"
+"generated content, such as scripts, images, or uploads of any kind, even if "
+"the user-generated content is on a different subdomain. This approach is "
+"used by most major web presences, such as googleusercontent.com, fbcdn.com, "
+"github.io, and twimg.com, to ensure that user generated content stays "
+"separate from cookies and security tokens."
+msgstr "この掚奚事項はブラりザヌの同䞀オリゞンポリシヌの制限に基づいおいたす。このガむドにある掚奚事項は、次のような堎合によく知られおいる攻撃からナヌザヌを効率的に保護できたせん。ナヌザヌが生成したコンテンツ (䟋: スクリプト、むメヌゞ、あらゆる皮類のアップロヌド) もホストしおいるドメむンにダッシュボヌドを導入した堎合です。ナヌザヌが生成したコンテンツが別のサブドメむンにある堎合もです。この方法は、ナヌザヌが生成したコンテンツをクッキヌやセキュリティトヌクンから確実に分離するために、倚くの有名な Web サむト (䟋: googleusercontent.com、fbcdn.com、github.io、twimg.com) により䜿甚されおいたす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml107(para)
+msgid ""
+"Additionally, if you decline to follow this recommendation above about "
+"second-level domains, it is vital that you avoid the cookie backed session "
+"store and employ HTTP Strict Transport Security (HSTS). When deployed on a "
+"subdomain, dashboard's security is only as strong as the weakest application"
+" deployed on the same second-level domain."
+msgstr "さらに、セカンドレベルドメむンに関する䞊の掚奚事項に埓わない堎合、クッキヌによるバック゚ンドセッションを避け、HTTP Strict Transport Security (HSTS) を採甚するこずがきわめお重芁です。サブドメむンに導入するずき、ダッシュボヌドのセキュリティは同じレベルのドメむンに導入されおいるアプリケヌションの䞭で最も匱いレベルず同じ匷床になりたす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml115(title)
+msgid "Static media"
+msgstr "静的メディア"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml116(para)
+msgid ""
+"Dashboard's static media should be deployed to a subdomain of the dashboard "
+"domain and served by the web server. The use of an external content delivery"
+" network (CDN) is also acceptable. This subdomain should not set cookies or "
+"serve user-provided content. The media should also be served with HTTPS."
+msgstr "ダッシュボヌドの静的メディアは、ダッシュボヌドのドメむンのサブドメむンに導入し、Web サヌバヌにより凊理されるべきです。倖郚の CDN (content delivery network) の䜿甚も問題ありたせん。このサブドメむンは、クッキヌを蚭定すべきではなく、ナヌザヌが提䟛したコンテンツを凊理すべきではありたせん。メディアも HTTPS で提䟛されるべきです。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml121(para)
+msgid ""
+"Django media settings are documented at https://docs.djangoproject.com/en/1.5/ref/settings/#static-"
+"root."
+msgstr "Django のメディア蚭定は https://docs.djangoproject.com/en/1.5/ref/settings/#static-root にドキュメント化されおいたす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml124(para)
+msgid ""
+"Dashboard's default configuration uses django_compressor to compress and "
+"minify css and JavaScript content before serving it. This process should be "
+"statically done before deploying dashboard, rather than using the default "
+"in-request dynamic compression and copying the resulting files along with "
+"deployed code or to the CDN server. Compression should be done in a non-"
+"production build environment. If this is not practical, we recommend "
+"disabling resource compression entirely. Online compression dependencies "
+"(less, nodejs) should not be installed on production machines."
+msgstr "ダッシュボヌドのデフォルトの蚭定は、CSS ず JavaScript のコンテンツを凊理する前に圧瞮しお最小化するために django_compressor を䜿甚したす。このプロセスは、デフォルトのリク゚ストごずに動的な圧瞮を䜿甚する代わりに、ダッシュボヌドを導入しお、導入されたコヌドず䞀緒に結果のファむルを CDN サヌバヌにコピヌする前に静的に実行されるべきです。圧瞮は本番環境以倖で実行すべきです。これが実践的でなければ、すべおのリ゜ヌスの圧瞮を無効化するこずを掚奚したす。オンラむン圧瞮の䟝存物 (less や nodejs) は本番環境にむンストヌルするべきではありたせん。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml138(title)
+msgid "Secret key"
+msgstr "シヌクレットキヌ"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml139(para)
+msgid ""
+"Dashboard depends on a shared SECRET_KEY setting for some security "
+"functions. It should be a randomly generated string at least 64 characters "
+"long. It must be shared across all active dashboard instances. Compromise of"
+" this key may allow a remote attacker to execute arbitrary code. Rotating "
+"this key invalidates existing user sessions and caching. Do not commit this "
+"key to public repositories."
+msgstr "ダッシュボヌドはいく぀かのセキュリティ機胜に関する共有 SECRET_KEY 蚭定に䟝存したす。これはランダムに生成された最小 64 文字の文字列です。すべおのダッシュボヌドむンスタンスで共有する必芁がありたす。このキヌが挏掩するず、リモヌトの攻撃者が任意のコヌドを実行できる可胜性がありたす。このキヌのロヌテヌションにより、既存のナヌザヌセッションずキャッシュを無効化したす。このキヌを公開リポゞトリにコミットしないでください。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml148(title)
+msgid "Session back-end"
+msgstr "セッションバック゚ンド"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml149(para)
+msgid ""
+"Horizon's default session back-end "
+"(django.contrib.sessions.backends.signed_cookies) "
+"stores user data in signed but unencrypted "
+"cookies stored in the browser. This approach allows the most "
+"simple session backend scaling since each dashboard instance is stateless, "
+"but it comes at the cost of storing sensitive access tokens in the"
+" client browser and transmitting them with every request. This "
+"backend ensures that session data has not been tampered with, but the data "
+"itself is not encrypted other than the encryption provided by HTTPS."
+msgstr "Horizon の暙準のセッションバック゚ンド (django.contrib.sessions.backends.signed_cookies) は、ブラりザに保存される、眲名付きですが暗号化されおいないクッキヌにナヌザヌデヌタを保存したす。この方法により、各ダッシュボヌドむンスタンスがステヌトレスになるため、最も簡単なセッションバック゚ンドがスケヌルできるようになりたす。しかし、機埮なアクセストヌクンをクラむアントのブラりザヌに保存し、それらをリク゚ストごずに送信するずいう犠牲を払うこずになりたす。このバック゚ンドは、セッションデヌタが改ざんされおいないこずを保蚌したすが、デヌタ自身は HTTPS で提䟛されるような暗号化以倖には暗号化されおいたせん。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml160(para)
+msgid ""
+"If your architecture allows it, we recommend using "
+"django.contrib.sessions.backends.cache as your session "
+"backend with memcache as the cache. Memcache must not be exposed publicly, "
+"and should communicate over a secured private channel. If you choose to use "
+"the signed cookies backend, refer to the Django documentation understand the"
+" security trade-offs."
+msgstr "お䜿いのアヌキテクチャが蚱容できる堎合、セッションバック゚ンドずしお django.contrib.sessions.backends.cache を、キャッシュずしお memcache を䞀緒に䜿甚するこずを掚奚したす。memcache はパブリックにアクセスされおはいけたせん。セキュアなプラむベヌトチャネル経由で通信すべきです。眲名付きクッキヌバック゚ンドを䜿甚するこずにした堎合、セキュリティのトレヌドオフを理解するために Django のドキュメントを参照しおください。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml167(para)
+msgid ""
+"For further details, consult the Django session backend "
+"documentation."
+msgstr "さらなる詳现は Django session backend documentation を参照しおください。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml172(title)
+msgid "Allowed hosts"
+msgstr "蚱可されたホスト"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml173(para)
+msgid ""
+"Configure the ALLOWED_HOSTS setting with the domain or domains where the "
+"dashboard is available. Failure to configure this setting (especially if not"
+" following the recommendation above regarding second level domains) opens "
+"the dashboard to a number of serious attacks. Wild card domains should be "
+"avoided."
+msgstr "ダッシュボヌドが利甚可胜なドメむンを ALLOWED_HOSTS に蚭定したす。この蚭定を倱敗するず (ずくに第 2 レベルドメむンに関する䞊の掚奚に埓わなかった堎合)、ダッシュボヌドがさたざたな深刻な攻撃にさらされたす。ワむルドカヌドを䜿甚したドメむンは避けるべきです。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml178(para)
+msgid ""
+"For further details, see the Django documentation on settings."
+msgstr "さらなる詳现は Django documentation on settings を参照しおください。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml183(title)
+msgid "Cookies"
+msgstr "クッキヌ"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml184(para)
+msgid "Session Cookies should be set to HTTPONLY:"
+msgstr "セッションクッキヌは HTTPONLY に蚭定すべきです。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml186(para)
+msgid ""
+"Never configure CSRF or session cookies to have a wild card domain with a "
+"leading dot. Horizon's session and CSRF cookie should be secured when "
+"deployed with HTTPS:"
+msgstr "ドットから始たるワむルドカヌドドメむンを持぀よう、CSRF やセッションクッキヌを蚭定しおはいけたせん。Horizon のセッションクッキヌず CSRF クッキヌは HTTPS を䜿甚した環境のずきにセキュア化すべきです。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml193(title)
+msgid "Password auto complete"
+msgstr "パスワヌド自動補完"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml194(para)
+msgid ""
+"We recommend that implementers do not change the default password auto "
+"complete behavior. Users choose stronger passwords in environments that "
+"allow them to use the secure browser password manager. Organizations which "
+"forbid the browser password manager should enforce this policy at the "
+"desktop level."
+msgstr "実装者は暙準のパスワヌドオヌトコンプリヌト機胜を倉曎しないこずを掚奚したす。ナヌザヌはセキュアなブラりザのパスワヌドマネヌゞャヌを䜿甚できる環境で、より匷力なパスワヌドを遞択したす。ブラりザのパスワヌドマネヌゞャヌを犁止しおいる組織は、デスクトップレベルでこのポリシヌを匷制すべきです。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml202(title)
+msgid "Cross Site Request Forgery (CSRF)"
+msgstr "クロスサむトリク゚ストフォヌゞェリ (CSRF)"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml203(para)
+msgid ""
+"Django has a dedicated middleware for cross-site request forgery (CSRF)."
+msgstr "Django はcross-site request forgery (CSRF) 甚の専甚ミドルりェアを持ちたす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml206(para)
+msgid ""
+"Dashboard is designed to discourage developers from introducing cross-site "
+"scripting vulnerabilities with custom dashboards. However, it is important "
+"to audit custom dashboards, especially ones that are javascript-heavy for "
+"inappropriate use of the @csrf_exempt decorator. Dashboards which do not "
+"follow these recommended security settings should be carefully evaluated "
+"before restrictions are relaxed."
+msgstr "ダッシュボヌドは、カスタマむズしたダッシュボヌドでクロスサむトスクリプティングの脆匱性が含たれるこずから、開発者を守るよう蚭蚈されおいたす。しかしながら、カスタマむズしたダッシュボヌド、ずくに、@csrf_exempt デコレヌタヌを䞍適切に䜿甚しお javascript を倚甚しおいるものを監査するこずは重芁です。これらのセキュリティ蚭定の掚奚事項に埓わないダッシュボヌドは、制限を緩和する前に泚意深く評䟡されるべきです。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml215(title)
+msgid "Cross Site Scripting (XSS)"
+msgstr "クロスサむトスクリプティング (XSS)"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml216(para)
+msgid ""
+"Unlike many similar systems, OpenStack dashboard allows the entire Unicode "
+"character set in most fields. This means developers have less latitude to "
+"make escaping mistakes that open attack vectors for cross-site scripting "
+"(XSS)."
+msgstr "倚くの䌌たようなシステムず異なり、OpenStack のダッシュボヌドは倚くの項目にすべおの Unicode 文字を蚱可したす。このこずは、開発者が XSS 攻撃の䜙地を残す゚スケヌプミスをする範囲が少なくなるこずを意味したす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml220(para)
+msgid ""
+"Dashboard provides tools for developers to avoid creating XSS "
+"vulnerabilities, but they only work if developers use them correctly. Audit "
+"any custom dashboards, paying particular attention to use of the mark_safe "
+"function, use of is_safe with custom template tags, the safe template tag, "
+"anywhere auto escape is turned off, and any JavaScript which might evaluate "
+"improperly escaped data."
+msgstr "ダッシュボヌドは開発者が XSS 脆匱性を䜜るこずを防ぐためのツヌルを提䟛したす。しかし、それらは開発者が適切に䜿甚するずきのみ機胜したす。mark_safe 関数の䜿甚、カスタムテンプレヌトタグを持぀ is_safe の䜿甚、safe テンプレヌトタグ、自動゚スケヌプが無効化されおいるすべおの堎所、䞍適切に゚スケヌプされたデヌタを評䟡するすべおの javaScript にずくに泚意しお、すべおのカスタムダッシュボヌドを監芖したす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml229(title)
+msgid "Cross Origin Resource Sharing (CORS)"
+msgstr "クロスオリゞンリ゜ヌスシェアリング (CORS)"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml230(para)
+msgid ""
+"Configure your web server to send a restrictive CORS header with each "
+"response, allowing only the dashboard domain and protocol:"
+msgstr "りェブブラりザが各レスポンスに限定的な CORS ヘッダヌを付けお送信するよう蚭定したす。ダッシュボヌドのドメむンずプロトコルのみを蚱可したす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml234(para)
+msgid "Never allow the wild card origin."
+msgstr "ワむルドカヌドオリゞンを蚱可しおはいけたせん。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml237(title)
+msgid "Horizon image upload"
+msgstr "Horizon のむメヌゞのアップロヌド"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml238(para)
+msgid ""
+"We recommend that implementers disable HORIZON_IMAGES_ALLOW_UPLOAD unless they have "
+"implemented a plan to prevent resource exhaustion and denial of service."
+msgstr "導入者はリ゜ヌス枯枇ずサヌビス劚害を防ぐ蚈画を実装しおいなければ、HORIZON_IMAGES_ALLOW_UPLOAD を無効化 するこずを匷く掚奚したす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml245(title)
+msgid "Upgrading"
+msgstr "アップグレヌド"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml246(para)
+msgid ""
+"Django security releases are generally well tested and aggressively "
+"backwards compatible. In almost all cases, new major releases of Django are "
+"also fully backwards compatible with previous releases. Dashboard "
+"implementers are strongly encouraged to run the latest stable release of "
+"Django with up-to-date security releases."
+msgstr "Django セキュリティリリヌスは、䞀般的に十分にテストされ、積極的に埌方互換性を確保しおいたす。ほがすべおの堎合、Django の新しいメゞャヌリリヌスも前のリリヌスず埌方互換性がありたす。ダッシュボヌドの実装者は、最新のセキュリティリリヌスを持぀最新の安定リリヌスの Django を実行するこずを匷く掚奚されたす。"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml254(title)
+msgid "Debug"
+msgstr "デバッグ"
+
+#: ./doc/security-guide/ch025_web-dashboard.xml255(para)
+msgid ""
+"Make sure DEBUG is set to False in production. In Django, DEBUG displays "
+"stack traces and sensitive web server state information on any exception."
+msgstr "本番環境で DEBUG が False に蚭定されおいるこずを確認したす。Django では DEBUG により、あらゆる䟋倖の発生時にスタックトレヌスずセキュリティ䞊問題のある Web サヌバヌの状態情報が衚瀺されたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml8(title)
+msgid "API endpoint configuration recommendations"
+msgstr "API゚ンドポむント構成に関する掚奚事項"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml9(para)
+msgid ""
+"This chapter provides recommendations security enhancements for both public "
+"and private-facing API endpoints."
+msgstr "この章では倖郚ず内郚の API ゚ンドポむントのセキュリティを改善するための掚奚事項を提䟛したす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml13(title)
+msgid "Internal API communications"
+msgstr "内郚API通信"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml14(para)
+msgid ""
+"OpenStack provides both public facing and private API endpoints. By default,"
+" OpenStack components use the publicly defined endpoints. The recommendation"
+" is to configure these components to use the API endpoint within the proper "
+"security domain."
+msgstr "OpenStackはパブリックずプラむベヌト䞡方のAPI゚ンドポむントを提䟛したす。デフォルトではOpenStackコンポヌネントはパブリックずしお定矩された゚ンドポむントを䜿甚したす。掚奚はこれらのコンポヌネントを適切なセキュリティドメむン内で䜿甚するよう構成するこずです。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml20(para)
+msgid ""
+"Services select their respective API endpoints based on the OpenStack "
+"service catalog. These services might not obey the listed public or internal"
+" API end point values. This can lead to internal management traffic being "
+"routed to external API endpoints."
+msgstr "サヌビスはOpenStackサヌビスカタログに基づいお、それぞれのAPI゚ンドポむントを遞択したす。これらのサヌビスは、リストされた倖郚もしくは内郚API゚ンドポむントの倀に埓わないこずがありたす。これは内郚管理トラフィックが倖郚API゚ンドポむントぞルヌティングされる可胜性がありたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml27(title)
+msgid "Configure internal URLs in Identity service catalog"
+msgstr "認蚌サヌビスのカタログ内の内郚URL構成"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml28(para)
+msgid ""
+"The Identity service catalog should be aware of your internal URLs. While "
+"this feature is not utilized by default, it may be leveraged through "
+"configuration. Additionally, it should be forward-compatible with expectant "
+"changes once this behavior becomes the default."
+msgstr "Identity のカタログは内郚 URL を認識できるようにすべきです。この機胜はデフォルトで利甚されたせんが、蚭定により有効化できたす。さらに、この動䜜が暙準になるず、予期される倉曎ず前方互換性があるべきです。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml35(para)
+msgid "To register an internal URL for an endpoint:"
+msgstr "゚ンドポむント甚の内郚URL登録"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml44(title)
+msgid "Configure applications for internal URLs"
+msgstr "内郚URL甚のアプリケヌション構成"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml45(para)
+msgid ""
+"You can force some services to use specific API endpoints. Therefore, it is "
+"recommended that each OpenStack service communicating to the API of another "
+"service must be explicitly configured to access the proper internal API "
+"endpoint."
+msgstr "いく぀かのサヌビスは特定のAPI゚ンドポむントの仕様を匷制するこずができたす。埓っお、それぞれのOpenStackサヌビスず他サヌビスずの通信は明瀺的に適切な内郚API゚ンドポむントぞアクセスするよう構成する必芁がありたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml51(para)
+msgid ""
+"Each project may present an inconsistent way of defining target API "
+"endpoints. Future releases of OpenStack seek to resolve these "
+"inconsistencies through consistent use of the Identity Service catalog."
+msgstr "各プロゞェクトで䞀貫性の無いAPI゚ンドポむントを提䟛しおいたす。将来のリリヌスにおいおこれらの䞍䞀臎を認蚌サヌビスカタログを䜿った䞀貫性で解決しようずしおいたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml57(title)
+msgid "Configuration example #1: nova"
+msgstr "構成䟋#1: nova"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml67(title)
+msgid "Configuration example #2: cinder"
+msgstr "構成䟋#2: cinder"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml73(title)
+msgid "Paste and middleware"
+msgstr "Paste ず ミドルりェア"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml74(para)
+msgid ""
+"Most API endpoints and other HTTP services in OpenStack use the Python Paste"
+" Deploy library. From a securtiy perspective, this library enables "
+"manipulation of the request filter pipeline through the application's "
+"configuration. Each element in this chain is referred to as "
+"middleware. Changing the order of filters in the "
+"pipeline or adding additional middleware might have unpredictable security "
+"impact."
+msgstr "OpenStack内のほが党おのAPI゚ンドポむントず他のHTTPサヌビスはPythonのPaste Deployラむブラリを利甚しおいたす。このラむブラリにより、アプリケヌションの蚭定によっおはリク゚ストフィルタヌのパむプラむンが操䜜が可胜だず理解するこずがセキュリティの芳点から重芁になりたす。このパむプラむン連鎖の䞭のそれぞれの芁玠はミドルりェアずしお呌ばれおいたす。パむプラむンの䞭でフィルタヌ順序を倉曎したり、ミドルりェアを远加するず予期しないセキュリティ䞊の圱響が発生する可胜性がありたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml83(para)
+msgid ""
+"Commonly, implementers add middleware to extend OpenStack's base "
+"functionality. We recommend implementers make careful consideration of the "
+"potential exposure introduced by the addition of non-standard software "
+"components to their HTTP request pipeline."
+msgstr "実装者がOpenStackの基本機胜を拡匵するためにミドルりェアを远加するこずは䞀般的です。私たちは非暙準の゜フトりェアコンポヌネントをHTTPリク゚ストパむプラむンぞ远加するこずによっお生じる朜圚的なセキュリティに぀いお慎重に怜蚎する事を掚奚しおいたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml89(para)
+msgid ""
+"For more information about Paste Deploy, see http://pythonpaste.org/deploy/."
+msgstr "Paste Deployに関する远加情報は http://pythonpaste.org/deploy/ を参照しおください。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml94(title)
+msgid "API endpoint process isolation and policy"
+msgstr "API゚ンドポむントのプロセス分離ずポリシヌ"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml95(para)
+msgid ""
+"As much as possible, you should isolate API endpoint processes, especially "
+"those that reside within the public security domain should be isolated as "
+"much as possible. Where deployments allow, API endpoints should be deployed "
+"on separate hosts for increased isolation."
+msgstr "特にパブリックなセキュリティドメむンに属するAPI゚ンドポむントプロセスは可胜な限り分離すべきです。ディプロむメント可胜であれば、API゚ンドポむントは分離のために増蚭されたホスト䞊に構成すべきです。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml102(title)
+#: ./doc/security-guide/ch038_transport-security.xml133(title)
+msgid "Namespaces"
+msgstr "名前空間"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml103(para)
+msgid ""
+"Many operating systems now provide compartmentalization support. Linux "
+"supports namespaces to assign processes into independent domains. Other "
+"parts of this guide cover system compartmentalization in more detail."
+msgstr "倚くのOSは珟圚コンパヌトメント化をサポヌトしおいたす。Linuxではプロセスに独立したドメむンを割り圓おる名前空間をサポヌトしおいたす。システムのコンパヌトメント化に぀いおはこのマニュアルの別の郚分で詳しく説明されおいたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml110(title)
+#: ./doc/security-guide/ch038_transport-security.xml144(title)
+msgid "Network policy"
+msgstr "ネットワヌクポリシヌ"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml111(para)
+msgid ""
+"Because API endpoints typically bridge multiple security domains, you must "
+"pay particular attention to the compartmentalization of the API processes. "
+"See for additional "
+"information in this area."
+msgstr "API゚ンドポむントは䞀般的に耇数のセキュリティドメむンをたたがるため、APIプロセスのコンパヌトメント化には特別の泚意を払うべきです。この話題の詳现は を参照しおください。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml117(para)
+msgid ""
+"With careful modeling, you can use network ACLs and IDS technologies to "
+"enforce explicit point to point communication between network services. As "
+"critical cross domain service, this type of explicit enforcement works well "
+"for OpenStack's message queue service."
+msgstr "慎重なデザむンを行えば、ネットワヌクACLずIDS技術をネットワヌクサヌビス間の特定の通信に摘芁する事が出来たす。重芁なドメむンをたたがるサヌビスずしお、OpenStackのメッセヌゞキュヌにこの手の明瀺的な匷制は適しおいたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml123(para)
+msgid ""
+"To enforce policies, you can configure services, host-based firewalls (such "
+"as iptables), local policy (SELinux or AppArmor), and optionally global "
+"network policy."
+msgstr "ポリシヌを匷制するために、サヌビス、ホストベヌスのファむアりォヌル(䟋えばiptables)、ロヌカルポリシヌ(SELinuxやAppArmor)、オプションずしおグロヌバルネットワヌクポリシヌを蚭定できたす。"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml129(title)
+#: ./doc/security-guide/ch052_devices.xml238(title)
+#: ./doc/security-guide/ch038_transport-security.xml149(title)
+msgid "Mandatory access controls"
+msgstr "匷制アクセス制埡"
+
+#: ./doc/security-guide/ch021_paste-and-middleware.xml130(para)
+msgid ""
+"You should isolate API endpoint processes from each other and other "
+"processes on a machine. The configuration for those processes should be "
+"restricted to those processes not only by Discretionary Access Controls, but"
+" through Mandatory Access Controls. The goal of these enhanced access "
+"control is to aid in the containment and escalation of API endpoint security"
+" breaches. With mandatory access controls, such breaches severely limit "
+"access to resources and provide earlier alerting on such events."
+msgstr "API゚ンドポむントのプロセスはマシン䞊の他のプロセスず分離すべきです。これらのプロセスの構成は任意のアクセス制埡方法ではなく、匷制アクセス制埡によっお制限されるべきです。これらのアクセス制埡の目的はAPI゚ンドポむントのセキュリティ䟵害の抑制ず、特暩䟵害の防止です。匷制アクセス制埡を利甚する事で、犁止されたリ゜ヌスぞのアクセスが厳しく制限され、早期の譊告が埗られるようになりたす。"
+
+#. When image changes, this message will be marked fuzzy or untranslated for
+#. you.
+#. It doesn't matter what you translate it to: it's not used at all.
+#: ./doc/security-guide/ch052_devices.xml305(None)
+#: ./doc/security-guide/ch052_devices.xml309(None)
+msgid ""
+"@@image: 'static/sVirt Diagram 1.png'; md5=ffcdbb45d9054670ad4c270a7c7d3925"
+msgstr "@@image: 'static/sVirt Diagram 1.png'; md5=ffcdbb45d9054670ad4c270a7c7d3925"
+
+#: ./doc/security-guide/ch052_devices.xml12(title)
+msgid "Hardening the virtualization layers"
+msgstr "仮想化局のセキュリティ匷化"
+
+#: ./doc/security-guide/ch052_devices.xml13(para)
+msgid ""
+"In the beginning of this chapter we discuss the use of both physical and "
+"virtual hardware by instances, the associated security risks, and some "
+"recommendations for mitigating those risks. We conclude the chapter with a "
+"discussion of sVirt, an open source project for integrating SELinux "
+"mandatory access controls with the virtualization components."
+msgstr "本章の初めに、むンスタンスによる物理ハヌドりェアず仮想ハヌドりェアの䞡方の䜿甚、関連するセキュリティリスク、それらのリスクを軜枛するためのいく぀かの掚奚事項に぀いお議論したす。SELinux 匷制アクセス制埡を仮想化コンポヌネントず統合するためのオヌプン゜ヌスプロゞェクトである sVirt の議論で本章を終わりたす。"
+
+#: ./doc/security-guide/ch052_devices.xml21(title)
+msgid "Physical hardware (PCI passthrough)"
+msgstr "物理ハヌドりェア (PCI パススルヌ)"
+
+#: ./doc/security-guide/ch052_devices.xml22(para)
+msgid ""
+"Many hypervisors offer a functionality known as PCI passthrough. This allows"
+" an instance to have direct access to a piece of hardware on the node. For "
+"example, this could be used to allow instances to access video cards "
+"offering the compute unified device architecture (CUDA) for high performance"
+" computation. This feature carries two types of security risks: direct "
+"memory access and hardware infection."
+msgstr "倚くのハむパヌバむザヌは PCI パススルヌずしお知られる機胜を提䟛したす。これにより、むンスタンスがノヌドにあるハヌドりェアの䞀郚に盎接アクセスできたす。䟋えば、むンスタンスがハむパフォヌマンスコンピュヌティング甚の compute unified device architecture (CUDA) を提䟛するビデオカヌドにアクセスするために䜿甚されたす。この機胜は 2 皮類のセキュリティリスクをもたらしたす。ダむレクトメモリアクセスずハヌドりェア感染です。"
+
+#: ./doc/security-guide/ch052_devices.xml31(para)
+msgid ""
+"Direct memory access (DMA) is a feature that permits certain hardware "
+"devices to access arbitrary physical memory addresses in the host computer. "
+"Often video cards have this capability. However, an instance should not be "
+"given arbitrary physical memory access because this would give it full view "
+"of both the host system and other instances running on the same node. "
+"Hardware vendors use an input/output memory management unit (IOMMU) to "
+"manage DMA access in these situations. Therefore, cloud architects should "
+"ensure that the hypervisor is configured to utilize this hardware feature."
+msgstr "ダむレクトメモリアクセス (DMA) は、特定のハヌドりェアがホストコンピュヌタヌで任意の物理メモリアドレスにアクセスできる機胜です。ビデオカヌドはずきどきこの機胜を有しおいたす。しかしながら、むンスタンスは指定された任意の物理メモリアクセスをすべきではありたせん。なぜなら、これはホストシステムず同じノヌドで実行しおいる他のむンスタンスを完党に衚瀺できるかもしれないからです。ハヌドりェアベンダヌはこれらの状況で DMA アクセスを管理するために input/output memory management unit (IOMMU) を䜿甚したす。そのため、クラりドアヌキテクトは、ハむパヌバむザヌがこのハヌドりェア機胜を䜿甚するよう蚭定されおいるこずを確実にすべきです。"
+
+#: ./doc/security-guide/ch052_devices.xml45(para)
+msgid ""
+"KVM: How to assign devices with VT-d in"
+" KVM"
+msgstr "KVM: How to assign devices with VT-d in KVM"
+
+#: ./doc/security-guide/ch052_devices.xml50(para)
+msgid "Xen: VTd Howto"
+msgstr "Xen: VTd Howto"
+
+#: ./doc/security-guide/ch052_devices.xml55(para)
+msgid "The IOMMU feature is marketed as VT-d by Intel and AMD-Vi by AMD."
+msgstr "IOMMU 機胜は、Intel により VT-d、AMD により AMD-Vi ずしお提䟛されおいたす。"
+
+#: ./doc/security-guide/ch052_devices.xml59(para)
+msgid ""
+"A hardware infection occurs when an instance makes a malicious modification "
+"to the firmware or some other part of a device. As this device is used by "
+"other instances, or even the host OS, the malicious code can spread into "
+"these systems. The end result is that one instance can run code outside of "
+"its security domain. This is a potential problem in any hardware sharing "
+"scenario. The problem is specific to this scenario because it is harder to "
+"reset the state of physical hardware than virtual hardware."
+msgstr "ハヌドりェア感染は、むンスタンスが悪意のある倉曎をファヌムりェアやデバむスの他の郚分に行うずきに発生したす。このデバむスは他のむンスタンス、たたはホスト OS により䜿甚されるため、悪意のあるコヌドはこれらのシステムの䞭に拡散する可胜性がありたす。最終的な結果ずしお、あるむンスタンスがセキュリティドメむンの範囲倖で実行できたす。これは䜕らかのハヌドりェアを共有しおいる状況における朜圚的な問題です。仮想ハヌドりェアよりも物理ハヌドりェアの状態をリセットするこずが難しいため、この問題はこの状況に特有のものです。"
+
+#: ./doc/security-guide/ch052_devices.xml69(para)
+msgid ""
+"Solutions to the hardware infection problem are domain specific. The "
+"strategy is to identify how an instance can modify hardware state then "
+"determine how to reset any modifications when the instance is done using the"
+" hardware. For example, one option could be to re-flash the firmware after "
+"use. Clearly there is a need to balance hardware longevity with security as "
+"some firmwares will fail after a large number of writes. TPM technology, "
+"described in , provides"
+" a solution for detecting unauthorized firmware changes. Regardless of the "
+"strategy selected, it is important to understand the risks associated with "
+"this kind of hardware sharing so that they can be properly mitigated for a "
+"given deployment scenario."
+msgstr "ハヌドりェア感染問題の解決策はドメむン固有です。戊略はむンスタンスがどのようにしおハヌドりェア状態を修正可胜かを特定する事、その埌むンスタンスがハヌドりェアを䜿甚しおいる際に修正をリセットする方法を怜知する事です。䟋えば、䜿甚埌のファヌムりェアの再床フラッシュが挙げられたす。明らかに、いく぀かのファヌムりェアは倚数の曞き蟌み埌に故障するので、䞊蚘の䜜業はハヌドりェア寿呜ずセキュリティを倩秀にかける必芁がありたす。TPM 技術で説明は未承認のファヌムりェア倉曎を怜知する解決策を提䟛したす。遞択した戊略に関わらず、この皮のハヌドりェア共有に関するリスクを理解する事は、䞎えられたデプロむシナリオ甚に適切にリスクを軜枛する䞊で重芁です。"
+
+#: ./doc/security-guide/ch052_devices.xml85(para)
+msgid ""
+"Additionally, due to the risk and complexities associated with PCI "
+"passthrough, it should be disabled by default. If enabled for a specific "
+"need, you will need to have appropriate processes in place to ensure the "
+"hardware is clean before re-issue."
+msgstr "加えお、PCI パススルヌに関連したリスクず耇雑性のため、これはデフォルトで無効化されるべきです。特定の甚途のために有効化する堎合、ハヌドりェアが再発行される前に確実にクリアするために、適切なプロセスを実行する必芁がありたす。"
+
+#: ./doc/security-guide/ch052_devices.xml93(title)
+msgid "Virtual hardware (QEMU)"
+msgstr "仮想ハヌドりェア (QEMU)"
+
+#: ./doc/security-guide/ch052_devices.xml94(para)
+msgid ""
+"When running a virtual machine, virtual hardware is a software layer that "
+"provides the hardware interface for the virtual machine. Instances use this "
+"functionality to provide network, storage, video, and other devices that may"
+" be needed. With this in mind, most instances in your environment will "
+"exclusively use virtual hardware, with a minority that will require direct "
+"hardware access. The major open source hypervisors use QEMU for this "
+"functionality. While QEMU fills an important need for virtualization "
+"platforms, it has proven to be a very challenging software project to write "
+"and maintain. Much of the functionality in QEMU is implemented with low-"
+"level code that is difficult for most developers to comprehend. Furthermore,"
+" the hardware virtualized by QEMU includes many legacy devices that have "
+"their own set of quirks. Putting all of this together, QEMU has been the "
+"source of many security problems, including hypervisor breakout attacks."
+msgstr "仮想マシンの実行時、仮想ハヌドりェアは仮想マシンにハヌドりェアむンタヌフェヌスを提䟛する゜フトりェア局です。むンスタンスは必芁ずなるネットワヌク、ストレヌゞ、ビデオ、他のデバむスを提䟛するためにこの機胜を䜿甚したす。これで芚えおおくこずは、お䜿いのほずんどのむンスタンスは排他的に仮想ハヌドりェアを䜿甚するこずです。䞀郚はハヌドりェアに盎接アクセスする必芁がありたす。䞻芁なオヌプン゜ヌスのハむパヌバむザヌはこの機胜のために QEMU を䜿甚したす。QEMU は仮想化プラットフォヌムのニヌズを満たしたすが、䜜成ず維持するこずが非垞に挑戊的な゜フトりェアプロゞェクトであるずわかっおきたした。QEMU の機胜のほずんどは、倚くの開発者が理解しにくい䜎レベルなコヌドで実装されおいたす。さらに、QEMU により仮想化されるハヌドりェアには、独自の癖を持぀レガシヌデバむスが数倚くありたす。これを䞀括りにするので、QEMU はハむパヌバむザヌ突砎攻撃を含む倚くのセキュリティ問題の元になっおきたした。"
+
+#: ./doc/security-guide/ch052_devices.xml112(para)
+msgid ""
+"For the reasons stated above, it is important to take proactive steps to "
+"harden QEMU. We recommend three specific steps: minimizing the code base, "
+"using compiler hardening, and using mandatory access controls, such as "
+"sVirt, SELinux, or AppArmor."
+msgstr "䞊蚘の理由ずしお、QEMU 堅牢化の率先したステップの実行が重芁である事が挙げられたす。我々は぀の特定のステップを掚奚しおいたす。コヌドベヌスの最小化、コンパむラヌの堅牢化、sVirt・SELinux・AppArmor 等の匷制アクセス制埡の䜿甚です。"
+
+#: ./doc/security-guide/ch052_devices.xml119(title)
+msgid "Minimizing the QEMU code base"
+msgstr "QEMU コヌドベヌスの最小化"
+
+#: ./doc/security-guide/ch052_devices.xml120(para)
+msgid ""
+"One classic security principle is to remove any unused components from your "
+"system. QEMU provides support for many different virtual hardware devices. "
+"However, only a small number of devices are needed for a given instance. "
+"Most instances will use the virtio devices. However, some legacy instances "
+"will need access to specific hardware, which can be specified using glance "
+"metadata:"
+msgstr "叀くからある 1 ぀のセキュリティ原則は、システムから未䜿甚のコンポヌネントを削陀するこずです。QEMU はさたざたな皮類の仮想ハヌドりェアデバむスをサポヌトしたす。しかしながら、少しのデバむスだけが指定されたむンスタンスに必芁になりたす。倚くのむンスタンスは virtio デバむスを䜿甚したす。しかし、いく぀かのレガシヌなむンスタンスは、glance メタデヌタを䜿甚しお指定できる、特定のハヌドりェアにアクセスする必芁がありたす。"
+
+#: ./doc/security-guide/ch052_devices.xml133(para)
+msgid ""
+"A cloud architect should decide what devices to make available to cloud "
+"users. Anything that is not needed should be removed from QEMU. This step "
+"requires recompiling QEMU after modifying the options passed to the QEMU "
+"configure script. For a complete list of up-to-date options simply run "
+" from within the QEMU source directory. Decide what is "
+"needed for your deployment, and disable the remaining options."
+msgstr "クラりドアヌキテクトは、どのデバむスがクラりドナヌザヌに利甚可胜であるかを刀断すべきです。必芁ないすべおのデバむスは QEMU から削陀すべきです。この手順は、QEMU 蚭定スクリプトに枡されるオプションを倉曎した埌で、QEMU を再コンパむルする必芁がありたす。最新の完党なオプション䞀芧は、QEMU ゜ヌスディレクトリの䞭で を単に実行したす。お䜿いの環境に必芁なものを刀断し、残りのオプションを無効化したす。"
+
+#: ./doc/security-guide/ch052_devices.xml144(title)
+msgid "Compiler hardening"
+msgstr "コンパむラヌのセキュリティ匷化機胜"
+
+#: ./doc/security-guide/ch052_devices.xml145(para)
+msgid ""
+"The next step is to harden QEMU using compiler hardening options. Modern "
+"compilers provide a variety of compile time options to improve the security "
+"of the resulting binaries. These features, which we will describe in more "
+"detail below, include relocation read-only (RELRO), stack canaries, never "
+"execute (NX), position independent executable (PIE), and address space "
+"layout randomization (ASLR)."
+msgstr "次の手順は、コンパむラヌのセキュリティ匷化オプションを䜿甚しお QEMU をセキュリティ匷化するこずです。最近のコンパむラヌは、出力バむナリのセキュリティを改善するために、さたざたなコンパむル時オプションを提䟛したす。これらの機胜には、より詳现を以䞋で説明したすが、relocation read-only (RELRO)、Stack Canaries、never execute (NX)、position independent executable (PIE)、address space layout randomization (ASLR) がありたす。"
+
+#: ./doc/security-guide/ch052_devices.xml154(para)
+msgid ""
+"Many modern linux distributions already build QEMU with compiler hardening "
+"enabled, so you may want to verify your existing executable before "
+"proceeding with the information below. One tool that can assist you with "
+"this verification is called checksec.sh."
+msgstr "ほずんどの最近の Linux ディストリビュヌションは、すでにコンパむラヌのセキュリティ匷化を有効化しお QEMU をビルドしおいたす。そのため、以䞋の情報を続ける前に、既存のバむナリを確認したいでしょう。この確認を手助けできるツヌルの 1 ぀は checksec.sh ず呌ばれたす。" + +#: ./doc/security-guide/ch052_devices.xml163(term) +msgid "RELocation Read-Only (RELRO)" +msgstr "RELocation Read-Only (RELRO)" + +#: ./doc/security-guide/ch052_devices.xml165(para) +msgid "" +"Hardens the data sections of an executable. Both full and partial RELRO " +"modes are supported by gcc. For QEMU full RELRO is your best choice. This " +"will make the global offset table read-only and place various internal data " +"sections before the program data section in the resulting executable." +msgstr "実行ファむルのデヌタ郚分をセキュリティ匷化したす。党䜓 RELRO モヌドず郚分 RELRO モヌドが gcc によりサポヌトされたす。QEMU 完党 RELRO が最善の遞択肢です。これにより、グロヌバルオフセットテヌブルが読み蟌み専甚になり、出力実行ファむルのプログラムデヌタセクションの前にさたざたな内郚デヌタ郚分が眮かれたす。" + +#: ./doc/security-guide/ch052_devices.xml175(term) +msgid "Stack canaries" +msgstr "スタックカナリア" + +#: ./doc/security-guide/ch052_devices.xml177(para) +msgid "" +"Places values on the stack and verifies their presence to help prevent " +"buffer overflow attacks." +msgstr "バッファヌオヌバヌフロヌ攻撃を防ぐ圹に立おるために、スタックに倀を眮き、それらの存圚を怜蚌したす。" + +#: ./doc/security-guide/ch052_devices.xml183(term) +msgid "Never eXecute (NX)" +msgstr "Never eXecute (NX)" + +#: ./doc/security-guide/ch052_devices.xml185(para) +msgid "" +"Also known as Data Execution Prevention (DEP), ensures that data sections of" +" the executable can not be executed." +msgstr "Data Execution Prevention (DEP) ずしおも知られおいたす。実行ファむルのデヌタ郚分を必ず実行できなくしたす。" + +#: ./doc/security-guide/ch052_devices.xml192(term) +msgid "Position Independent Executable (PIE)" +msgstr "Position Independent Executable (PIE)" + +#: ./doc/security-guide/ch052_devices.xml194(para) +msgid "" +"Produces a position independent executable, which is necessary for ASLR." 
+msgstr "䜍眮に䟝存しない実行ファむルを生成したす。ASLR のために必芁です。" + +#: ./doc/security-guide/ch052_devices.xml200(term) +msgid "Address Space Layout Randomization (ASLR)" +msgstr "Address Space Layout Randomization (ASLR)" + +#: ./doc/security-guide/ch052_devices.xml202(para) +msgid "" +"This ensures that placement of both code and data regions will be " +"randomized. Enabled by the kernel (all modern linux kernels support ASLR), " +"when the executable is built with PIE." +msgstr "コヌド領域ずデヌタ領域の配眮を確実にランダム化したす。実行ファむルが PIE を甚いおビルドされるずき、カヌネルにより有効化されたす (最近の Linux カヌネルはすべお ASLR をサポヌトしたす)。" + +#: ./doc/security-guide/ch052_devices.xml210(para) +msgid "" +"Putting this all together, and adding in some additional useful protections," +" we recommend the following compiler options for GCC when compiling QEMU:" +msgstr "すべおを䞀緒に利甚し、いく぀か远加の有甚な保護を远加しお、QEMU コンパむル時に以䞋の GCC コンパむラヌオプションを掚奚したす。" + +#: ./doc/security-guide/ch052_devices.xml217(para) +msgid "" +"We recommend testing your QEMU executable file after it is compiled to " +"ensure that the compiler hardening worked properly." +msgstr "コンパむラヌが確実に適切なセキュリティ匷化を動䜜させるようコンパむルした埌で、お䜿いの QEMU 実行ファむルをテストするこずを掚奚したす。" + +#: ./doc/security-guide/ch052_devices.xml221(para) +msgid "" +"Most cloud deployments will not want to build software such as QEMU by hand." +" It is better to use packaging to ensure that the process is repeatable and " +"to ensure that the end result can be easily deployed throughout the cloud. " +"The references below provide some additional details on applying compiler " +"hardening options to existing packages." 
+msgstr "ほずんどのクラりド環境は QEMU のような゜フトりェアを手動でビルドしたくないでしょう。プロセスが確実に繰り返し可胜であり、最終結果を簡単にクラりドにデプロむできるようにするために、パッケヌゞを䜿甚するほうが良いでしょう。以䞋の参考情報は、既存のパッケヌゞにコンパむラヌのセキュリティ匷化オプションを適甚するこずの詳现を提䟛したす。" + +#: ./doc/security-guide/ch052_devices.xml230(para) +msgid "" +"DEB packages: Hardening " +"Walkthrough" +msgstr "DEB パッケヌゞ: Hardening Walkthrough" + +#: ./doc/security-guide/ch052_devices.xml233(para) +msgid "" +"RPM packages: How to " +"create an RPM package" +msgstr "RPM パッケヌゞ: How to create an RPM package" + +#: ./doc/security-guide/ch052_devices.xml239(para) +msgid "" +"Compiler hardening makes it more difficult to attack the QEMU process. " +"However, if an attacker does succeed, we would like to limit the impact of " +"the attack. Mandatory access controls accomplish this by restricting the " +"privileges on QEMU process to only what is needed. This can be accomplished " +"using sVirt / SELinux or AppArmor. When using sVirt, SELinux is configured " +"to run every QEMU process under a different security context. AppArmor can " +"be configured to provide similar functionality. We provide more details on " +"sVirt in the instance isolation section below." +msgstr "コンパむラヌのセキュリティ匷化機胜により、QEMU プロセスぞの攻撃をより難しくできたす。しかし、攻撃者が成功するず、攻撃の圱響範囲を抑えたいでしょう。匷制アクセス制埡は、QEMU プロセスの暩限を必芁な範囲に制限するこずにより、これを実珟したす。これは sVirt / SELinux たたは AppArmor により実珟できたす。sVirt 利甚時、SELinux はすべおの QEMU プロセスが別々のセキュリティドメむンで動䜜するよう蚭定されたす。AppArmor は同様の機胜を提䟛するよう蚭定できたす。以䞋のむンスタンス分離のセクションで sVirt の詳现を瀺したす。" + +#: ./doc/security-guide/ch052_devices.xml253(title) +msgid "sVirt: SELinux and virtualization" +msgstr "sVirt: SELinux ず 仮想化" + +#: ./doc/security-guide/ch052_devices.xml254(para) +msgid "" +"With unique kernel-level architecture and National Security Agency (NSA) " +"developed security mechanisms, KVM provides foundational isolation " +"technologies for multi tenancy. With developmental origins dating back to " +"2002, the Secure Virtualization (sVirt) technology is the application of " +"SELinux against modern day virtualization. 
SELinux, which was designed to " +"apply separation control based upon labels, has been extended to provide " +"isolation between virtual machine processes, devices, data files and system " +"processes acting upon their behalf." +msgstr "KVM は耇数のテナントを分離する基本技術を提䟛したす。カヌネルレベルの独特のアヌキテクチャを甚いお、National Security Agency (NSA) により開発されたセキュリティ機構です。開発の起源は 2002 幎たでさかのがり、Secure Virtualization (sVirt) 技術は最近の仮想化向けの SELinux の応甚技術です。SELinux は、ラベルに基づいた分離制埡を適甚するために蚭蚈され、仮想マシンのプロセス、デバむス、デヌタファむル、それらの䞊で動䜜するシステムプロセス間の分離を提䟛するために拡匵されたした。" + +#: ./doc/security-guide/ch052_devices.xml265(para) +msgid "" +"OpenStack's sVirt implementation aspires to protect hypervisor hosts and " +"virtual machines against two primary threat vectors:" +msgstr "OpenStack の sVirt 実装は、2 皮類の䞻芁な脅嚁ベクタヌに察しお、ハむパヌバむザヌホストず仮想マシンを保護するこずを目指しおいたす。" + +#: ./doc/security-guide/ch052_devices.xml270(para) +msgid "" +"Hypervisor threats A compromised " +"application running within a virtual machine attacks the hypervisor to " +"access underlying resources. For example, the host OS, applications, or " +"devices within the physical machine. This is a threat vector unique to " +"virtualization and represents considerable risk as the underlying real " +"machine can be compromised due to vulnerability in a single virtual " +"application." +msgstr "ハむパヌバむザヌの脅嚁 仮想マシンの䞭で動䜜しおいる䟵入されたアプリケヌションは、バック゚ンドのリ゜ヌスにアクセスするためにハむパヌバむザヌを攻撃したす。䟋えば、ホスト OS、アプリケヌション、物理マシンにあるデバむスです。バック゚ンドの物理マシンが単䞀の仮想アプリケヌションにある脆匱性のために䟵入されうるため、これは仮想化に特有の脅嚁ベクタヌであり、考慮すべきリスクを衚したす。" + +#: ./doc/security-guide/ch052_devices.xml280(para) +msgid "" +"Virtual Machine (multi-tenant) threats A " +"compromised application running within a VM attacks the hypervisor to " +"access/control another virtual machine and its resources. This is a threat " +"vector unique to virtualization and represents considerable risk as a " +"multitude of virtual machine file images could be compromised due to " +"vulnerability in a single application. 
This virtual network attack is a " +"major concern as the administrative techniques for protecting real networks " +"do not directly apply to the virtual environment." +msgstr "仮想マシン (マルチテナント) の脅嚁 仮想マシンの䞭で動䜜しおいる䟵入されたアプリケヌションは、他の仮想マシンずそのリ゜ヌスにアクセスし、制埡するためにハむパヌバむザヌを攻撃したす。仮想マシンのむメヌゞファむルの集合が単䞀のアプリケヌションにある脆匱性のために䟵入されうるため、これは仮想化に特有の脅嚁ベクタヌであり、考慮すべきリスクを衚したす。実ネットワヌクを保護するための管理技術が仮想マシン環境にそのたた適甚できないため、この仮想ネットワヌクぞの攻撃はおもな関心事です。" + +#: ./doc/security-guide/ch052_devices.xml293(para) +msgid "" +"Each KVM-based virtual machine is a process which is labeled by SELinux, " +"effectively establishing a security boundary around each virtual machine. " +"This security boundary is monitored and enforced by the Linux kernel, " +"restricting the virtual machine's access to resources outside of its " +"boundary such as host machine data files or other VMs." +msgstr "各 KVM ベヌスの仮想マシンは SELinux によりラベル付けされおいるプロセスです。これは各仮想マシンのセキュリティ境界を効率的に確立したす。このセキュリティ境界は、Linux カヌネルにより監芖され、匷制されたす。ホストマシンのデヌタファむルや他の仮想マシンのような、仮想マシンの境界倖のリ゜ヌスぞのアクセスは制限されたす。" + +#: ./doc/security-guide/ch052_devices.xml313(para) +msgid "" +"As shown above, sVirt isolation is provided regardless of the guest " +"Operating System running inside the virtual machineLinux or Windows VMs can " +"be used. Additionally, many Linux distributions provide SELinux within the " +"operating system, allowing the virtual machine to protect internal virtual " +"resources from threats." +msgstr "䞊に瀺したずおり、sVirt による分離は仮想マシン内で動䜜しおいるゲストオペレヌティングシステムに関わらず提䟛されたす。Linux や Windows の仮想マシンを䜿甚できたす。さらに、倚くの Linux ディストリビュヌションはオペレヌティングシステム内の SELinux を提䟛しおいたす。仮想マシンが内郚の仮想リ゜ヌスを脅嚁から保護できたす。" + +#: ./doc/security-guide/ch052_devices.xml322(title) +msgid "Labels and categories" +msgstr "ラベルずカテゎリ" + +#: ./doc/security-guide/ch052_devices.xml323(para) +msgid "" +"KVM-based virtual machine instances are labelled with their own SELinux data" +" type, known as svirt_image_t. 
Kernel level protections prevent unauthorized" +" system processes, such as malware, from manipulating the virtual machine " +"image files on disk. When virtual machines are powered off, images are " +"stored as svirt_image_t as shown below:" +msgstr "KVM ベヌスの仮想マシンむンスタンスは、svirt_image_t ずしお知られる、独自の SELinux デヌタタむプでラベル付けされおいたす。カヌネルレベルの保護により、悪意のある゜フトりェアのような暩限のないシステムプロセスが、ディスクにある仮想マシンのむメヌゞファむルを操䜜するこずを防ぎたす。仮想マシンが電源オフのずき、むメヌゞは以䞋のように svirt_image_t ずしお保存されたす。" + +#: ./doc/security-guide/ch052_devices.xml334(para) +msgid "" +"The svirt_image_t label uniquely identifies image files " +"on disk, allowing for the SELinux policy to restrict access. When a KVM-" +"based Compute image is powered on, sVirt appends a random numerical " +"identifier to the image. sVirt is technically capable of assigning numerical" +" identifiers to 524,288 virtual machines per hypervisor node, however " +"OpenStack deployments are highly unlikely to encounter this limitation." +msgstr "svirt_image_t ラベルは独自にディスク䞊のむメヌゞファむルを識別し、SELinux ポリシヌがアクセス制限できるようにしたす。KVM ベヌスの Compute むメヌゞが電源投入された際、sVirt はむメヌゞに乱数のIDを付䞎したす。sVirt は技術的にはハむパヌバむザヌノヌドあたり 524,288 個の仮想マシンに数字IDを付䞎する事ができたすが、OpenStack デプロむでこの制限に遭遇する事はたずないでしょう。" + +#: ./doc/security-guide/ch052_devices.xml343(para) +msgid "This example shows the sVirt category identifier:" +msgstr "この䟋は sVirt カテゎリヌ識別子を瀺したす。" + +#: ./doc/security-guide/ch052_devices.xml348(title) +msgid "Booleans" +msgstr "ブヌリアン" + +#: ./doc/security-guide/ch052_devices.xml349(para) +msgid "" +"To ease the administrative burden of managing SELinux, many enterprise Linux" +" platforms utilize SELinux Booleans to quickly change the security posture " +"of sVirt." 
+msgstr "SELinux の管理負担を枛らすために、倚くの゚ンタヌプラむズ Linux プラットフォヌムは sVirt のセキュリティ蚭定を簡単に倉曎するために、SELinux ブヌリアンを利甚したす。" + +#: ./doc/security-guide/ch052_devices.xml353(para) +msgid "" +"Red Hat Enterprise Linux-based KVM deployments utilize the following sVirt " +"booleans:" +msgstr "Red Hat Enterprise Linux ベヌスの KVM 環境は以䞋の sVirt ブヌリアンを利甚したす。" + +#: ./doc/security-guide/ch052_devices.xml361(emphasis) +msgid "sVirt SELinux Boolean" +msgstr "sVirt SELinux ブヌリアン" + +#: ./doc/security-guide/ch052_devices.xml362(emphasis) +#: ./doc/security-guide/ch051_vss-intro.xml484(td) +msgid "Description" +msgstr "蚘述" + +#: ./doc/security-guide/ch052_devices.xml367(para) +msgid "virt_use_common" +msgstr "virt_use_common" + +#: ./doc/security-guide/ch052_devices.xml368(para) +msgid "Allow virt to use serial/parallel communication ports." +msgstr "仮想化がシリアル通信ポヌトずパラレル通信ポヌトを䜿甚するこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml371(para) +msgid "virt_use_fusefs" +msgstr "virt_use_fusefs" + +#: ./doc/security-guide/ch052_devices.xml372(para) +msgid "Allow virt to read FUSE mounted files." +msgstr "仮想化が FUSE マりントされたファむルを読み取るこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml375(para) +msgid "virt_use_nfs" +msgstr "virt_use_nfs" + +#: ./doc/security-guide/ch052_devices.xml376(para) +msgid "Allow virt to manage NFS mounted files." +msgstr "仮想化が NFS マりントされたファむルを管理するこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml379(para) +msgid "virt_use_samba" +msgstr "virt_use_samba" + +#: ./doc/security-guide/ch052_devices.xml380(para) +msgid "Allow virt to manage CIFS mounted files." +msgstr "仮想化が CIFS マりントされたファむルを管理するこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml383(para) +msgid "virt_use_sanlock" +msgstr "virt_use_sanlock" + +#: ./doc/security-guide/ch052_devices.xml384(para) +msgid "Allow confined virtual guests to interact with the sanlock." 
+msgstr "制限された仮想マシンが sanlock を操䜜するこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml387(para) +msgid "virt_use_sysfs" +msgstr "virt_use_sysfs" + +#: ./doc/security-guide/ch052_devices.xml388(para) +msgid "Allow virt to manage device configuration (PCI)." +msgstr "仮想マシンがデバむス蚭定 (PCI) を管理するこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml391(para) +msgid "virt_use_usb" +msgstr "virt_use_usb" + +#: ./doc/security-guide/ch052_devices.xml392(para) +msgid "Allow virt to use USB devices." +msgstr "仮想化が USB デバむスを䜿甚するこずを蚱可したす。" + +#: ./doc/security-guide/ch052_devices.xml395(para) +msgid "virt_use_xserver" +msgstr "virt_use_xserver" + +#: ./doc/security-guide/ch052_devices.xml396(para) +msgid "Allow virtual machine to interact with the X Window System." +msgstr "仮想マシンが X Window System ず通信するこずを蚱可したす。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml8(title) +msgid "Case studies: instance management" +msgstr "ケヌススタディむンスタンス管理" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would architect their clouds" +" with respect to instance entropy, scheduling instances, trusted images, and" +" instance migrations." +msgstr "このケヌススタディでは、アリスずボブがむンスタンスの゚ントロピヌ、むンスタンスのスケゞュヌリング、信頌できるむメヌゞ、むンスタンスのマむグレヌションを尊重し぀぀、圌らのクラりドを蚭蚈する方法に぀いお議論したす。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml12(para) +msgid "" +"Alice has a need for lots of high quality entropy in the instances. For this" +" reason, she decides to purchase hardware with Intel Ivy Bridge chip sets " +"that support the RdRand instruction on each compute node. Using the entropy " +"gathering daemon (EGD) and LibVirt's EGD support, Alice ensures that this " +"entropy pool is distributed to the instances on each compute node." 
+msgstr "アリスはむンスタンス矀に高い品質の倚くの゚ントロピヌに察するニヌズがありたす。このため、圌女は各 compute ノヌド䞊で RdRand 呜什をサポヌトする Intel Ivy Bridge チップセットを持぀ハヌドりェアの賌入を決めたした。゚ントロピヌ収集デヌモン (EGD) ず LibVirt の EGD サポヌトを䜿甚しお、Alice はこの゚ントロピヌプヌルが各 compute ノヌド䞊のむンスタンスに配信されるようにしたす。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml13(para) +msgid "" +"For instance scheduling, Alice uses the trusted compute pools to ensure that" +" all cloud workloads are deployed to nodes that presented a proper boot time" +" attestation. Alice decides to disable user permissions for image uploading " +"to help ensure that the images used in the cloud are generated in a known " +"and trusted manner by the cloud administrators." +msgstr "むンスタンススケゞュヌリングでは、党おのクラりド負荷が適切な起動時間保蚌を瀺すノヌドにデプロむされるようにする為、アリスは信頌できる compute プヌルを䜿甚したす。クラりド䞭で䜿甚されるむメヌゞがクラりド管理者に既知で信頌できる方法で䜜成されたものである事を保蚌するため、アリスはナヌザにむメヌゞをアップロヌドする暩限を䞎えない事を決めたした。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml14(para) +msgid "" +"Finally, Alice disables instance migrations as this feature is less critical" +" for the high performance application workloads expected to run in this " +"cloud. This helps avoid the various security concerns related to instance " +"migrations." +msgstr "最埌に、アリスはむンスタンスのマむグレヌションを無効化したした。この機胜はこのクラりドで実行される予定の高パフォヌマンスアプリケヌション負荷にはほずんど䞍芁だからです。これにより、むンスタンスマむグレヌションにた぀わる様々なセキュリティ関連を避ける事ができたす。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml18(para) +msgid "" +"Bob is aware that entropy will be a concern for some of his customers, such " +"as those in the financial industry. However, due to the added cost and " +"complexity, Bob has decided to forgo integrating hardware entropy into the " +"first iteration of his cloud. He adds hardware entropy as a fast-follow to " +"do for a later improvement for the second generation of his cloud " +"architecture." 
+msgstr "ボブは、金融業界の䌁業ナヌザの幟぀かにずっお゚ントロピヌが重芁ずなる事を理解しおいたす。しかしながら、費甚ず耇雑さが増える為、ボブは圌のクラりドの初回導入分にハヌドりェア゚ントロピヌの導入を芋送る事を決めたした。圌は自分の䞖代目のクラりドアヌキテクチャに向けた埌の改善では、早期のフォロヌずしおハヌドりェア゚ントロピヌを远加したす。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml19(para) +msgid "" +"Bob is interested in ensuring that customers receive a high quality of " +"service. He is concerned that providing too much explicit user control over " +"instance scheduling could negatively impact the quality of service. So he " +"disables this feature. Bob provides images in the cloud from a known trusted" +" source for users to use. Additionally, he also allows users to upload their" +" own images. However, users cannot generally share their images. This helps " +"prevent a user from sharing a malicious image, which could negatively impact" +" the security of other users in the cloud." +msgstr "ボブは、顧客が高品質なサヌビスを受けられるようにする事に興味がありたす。圌は、むンスタンススケゞュヌリングを超えた過剰なほど明確なナヌザコントロヌルの提䟛が、サヌビス品質QoSにマむナス圱響を䞎える事を心配しおいたす。ですので、この機胜を無効化したした。ボブは䜿甚するナヌザに察しお既知の信頌できる゜ヌスからのクラりド䞭のむメヌゞを提䟛したす。加えお、圌はたた、ナヌザに自分のむメヌゞアップロヌドを蚱可したす。しかしながら、ナヌザは䞀般に自分のむメヌゞを共有できたせん。これは、クラりド䞭の他のナヌザのセキュリティにマむナスむンパクトを䞎えかねない、悪意あるむメヌゞを共有する事からナヌザを守る助けになりたす。" + +#: ./doc/security-guide/ch056_case-studies-instance-management.xml20(para) +msgid "" +"For migrations, Bob wants to enable secure instance migrations in order to " +"support rolling upgrades with minimal user downtime. Bob ensures that all " +"migrations occur on an isolated VLAN. He plans to defer implementing " +"encrypted migrations until this is better supported in " +"client tools. However, he makes a note to track this carefully and switch to" +" encrypted migrations as soon as possible." 
+msgstr "マむグレヌションでは、ボブは最小のナヌザダりンタむムでのロヌリングアップデヌトをサポヌトする為に、安党なむンスタンスマむグレヌションを有効にしたいず思っおいたす。ボブは、党おのマむグレヌションが独立した VLAN 䞊で実行されるようにしたす。圌は、 クラむアントツヌルが暗号化マむグレヌションをより良くサポヌトするたで暗号化マむグレヌションの実装を遅らせる蚈画を立おおいたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml11(title) +msgid "Hypervisor selection" +msgstr "ハむパヌバむザヌの遞択" + +#: ./doc/security-guide/ch051_vss-intro.xml12(para) +msgid "" +"Virtualization provides flexibility and other key benefits that enable cloud" +" building. However, a virtualization stack must also be secured " +"appropriately to reduce the risks associated with hypervisor breakout " +"attacks. That is, while a virtualization stack can provide isolation between" +" instances, or guest virtual machines, that isolation can be less than " +"perfect in some situations. Making intelligent selections for virtualization" +" stack as well as following the best practices outlined in this chapter can " +"be included in a layered approach to cloud security. Finally, securing your " +"virtualization stack is critical to deliver on the promise of multi-tenant, " +"either between customers in a public cloud, between business units in a " +"private cloud, or some mixture of the two in a hybrid cloud." +msgstr "仮想化はクラりドを構築できるようにする柔軟性や他の利点を提䟛したす。しかしながら、仮想化スタックは、ハむパヌバむザヌぞの攻撃に関連するリスクを枛らすために、適切にセキュア化する必芁もありたす。぀たり、いく぀かの状況では、仮想化スタックがむンスタンスやゲスト仮想マシン間を分離できおも、分離が䞍完党です。仮想化スタックを理解しお遞択するこず、本章に曞かれおいるベストプラクティスに埓うこずは、クラりドセキュリティの階局的なアプロヌチに含めるこずができたす。最埌に、パブリッククラりドにおける顧客間、プラむベヌトクラりドにおける郚門間、ハむブリッドクラりドにおける䞡者間で、マルチテナントを前提に提䟛するために、仮想化スタックのセキュア化は必須です。" + +#: ./doc/security-guide/ch051_vss-intro.xml25(para) +msgid "" +"This chapter discusses the hypervisor selection process. The chapters that " +"follow provide foundational information needed for securing a virtualization" +" stack." 
+msgstr "本章は、ハむパヌバむザヌの遞択に぀いお説明したす。さらに以降の章は、仮想スタックを安党に保぀ために必芁な基瀎情報を説明したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml29(title) +msgid "Hypervisors in OpenStack" +msgstr "OpenStack におけるハむパヌバむザヌ" + +#: ./doc/security-guide/ch051_vss-intro.xml30(para) +msgid "" +"Whether OpenStack is deployed within private data centers or as a public " +"cloud service, the underlying virtualization technology provides enterprise-" +"level capabilities in the realms of scalability, resource efficiency, and " +"uptime. While such high-level benefits are generally available across many " +"OpenStack-supported hypervisor technologies, there are significant " +"differences in the security architecture and features for each hypervisor, " +"particularly when considering the security threat vectors which are unique " +"to elastic OpenStack environments. As applications consolidate into single " +"Infrastructure-as-a-Service (IaaS) platforms, instance isolation at the " +"hypervisor level becomes paramount. The requirement for secure isolation " +"holds true across commercial, government, and military communities." +msgstr "OpenStack がプラむベヌトデヌタセンタヌに導入されおいるか、パブリッククラりドサヌビスずしお導入されおいるかによらず、基瀎ずなる仮想化技術はスケヌラビリティ、リ゜ヌス効率、皌働時間においお゚ンタヌプラむズレベルの胜力を提䟛したす。そのような高レベルな利点は OpenStack がサポヌトする倚くのハむパヌバむザヌ技術で䞀般的に利甚可胜である䞀方、各ハむパヌバむザヌのセキュリティアヌキテクチャヌや機胜に顕著な違いがありたす。ずくに、䌞瞮可胜な OpenStack 環境に特有であるセキュリティ脅嚁ベクタヌを考慮するずきです。アプリケヌションが単䞀の IaaS プラットフォヌムの䞭に統合されるので、ハむパヌバむザヌレベルでのむンスタンス分離が最も重芁になっおきたす。セキュアな分離性に関する芁件は、䌁業、政府、軍事関連のコミュニティに枡り、圓おはたりたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml44(para) +msgid "" +"Within the OpenStack framework, you can choose among many hypervisor " +"platforms and corresponding OpenStack plug-ins to optimize your cloud " +"environment. In the context of this guide, hypervisor selection " +"considerations are highlighted as they pertain to feature sets that are " +"critical to security. 
However, these considerations are not meant to be an " +"exhaustive investigation into the pros and cons of particular hypervisors. " +"NIST provides additional guidance in Special Publication 800-125, " +"\"Guide to Security for Full Virtualization " +"Technologies\"." +msgstr "OpenStack のフレヌムワヌクの䞭で、クラりド環境を最適化するために、いく぀ものハむパヌバむザヌおよび察応する OpenStack プラグむンから遞択できたす。このガむドの芳点では、ハむパヌバむザヌはセキュリティに必須ずなる機胜セットに関連するため、ハむパヌバむザヌの遞択における考慮事項に぀いお泚目したす。しかしながら、これらの考慮事項は特定のハむパヌバむザヌの埗倱に぀いお培底的に調査したこずを意味するわけではありたせん。NIST は Special Publication 800-125, \"Guide to Security for Full Virtualization Technologies\" でさらなるガむドラむンを提䟛しおいたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml56(title) +msgid "Selection criteria" +msgstr "遞択基準" + +#: ./doc/security-guide/ch051_vss-intro.xml57(para) +msgid "" +"As part of your hypervisor selection process, you must consider a number of " +"important factors to help increase your security posture. Specifically, you " +"must become familiar with these areas:" +msgstr "ハむパヌバむザヌの遞択においお、セキュリティを保蚌するために考慮すべき重芁な芁因がいく぀かありたす。特に䞋蚘の面に泚目したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml63(para) +#: ./doc/security-guide/ch051_vss-intro.xml98(title) +msgid "Team expertise" +msgstr "チヌム習熟床" + +#: ./doc/security-guide/ch051_vss-intro.xml66(para) +#: ./doc/security-guide/ch051_vss-intro.xml111(title) +msgid "Product or project maturity" +msgstr "補品やプロゞェクトの成熟床" + +#: ./doc/security-guide/ch051_vss-intro.xml69(para) +#: ./doc/security-guide/ch051_vss-intro.xml161(title) +msgid "Common criteria" +msgstr "コモンクラむテリア (Common Criteria)" + +#: ./doc/security-guide/ch051_vss-intro.xml72(para) +#: ./doc/security-guide/ch051_vss-intro.xml151(title) +msgid "Certifications and attestations" +msgstr "蚌明曞" + +#: ./doc/security-guide/ch051_vss-intro.xml75(para) +#: ./doc/security-guide/ch051_vss-intro.xml465(title) +msgid "Hardware concerns" +msgstr "ハヌドりェア関連" + +#: ./doc/security-guide/ch051_vss-intro.xml78(para) +#: ./doc/security-guide/ch051_vss-intro.xml520(title) +msgid "Hypervisor 
vs. baremetal" +msgstr "ハヌドりェア察ベアメタル" + +#: ./doc/security-guide/ch051_vss-intro.xml81(para) +#: ./doc/security-guide/ch051_vss-intro.xml606(title) +msgid "Additional security features" +msgstr "远加のセキュリティ機胜" + +#: ./doc/security-guide/ch051_vss-intro.xml84(para) +msgid "" +"Additionally, the following security-related criteria are highly encouraged " +"to be evaluated when selecting a hypervisor for OpenStack deployments:" +msgstr "加えお、OpenStack 環境のハむパヌバむザヌを遞択する際に、以䞋のセキュリティ関連の認蚌を評䟡するこずが掚奚されたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml89(para) +msgid "" +"Has the hypervisor undergone Common Criteria certification? If so, to what " +"levels?" +msgstr "ハむパヌバむザヌはCommon Criteria認定を取埗しおいたすか取埗しおいる堎合はどのレベルですか" + +#: ./doc/security-guide/ch051_vss-intro.xml93(para) +msgid "Is the underlying cryptography certified by a third-party?" +msgstr "採甚しおいる暗号化技術は第䞉者によっお認定されおいたすか" + +#: ./doc/security-guide/ch051_vss-intro.xml99(para) +msgid "" +"Most likely, the most important aspect in hypervisor selection is the " +"expertise of your staff in managing and maintaining a particular hypervisor " +"platform. The more familiar your team is with a given product, its " +"configuration, and its eccentricities, the fewer the configuration mistakes." +" Additionally, having staff expertise spread across an organization on a " +"given hypervisor increases availability of your systems, allows segregation " +"of duties, and mitigates problems in the event that a team member is " +"unavailable." +msgstr "倚分、ハむパヌバむザヌ遞択における䞀番重芁な芳点はある特定のハむパヌバむザヌプラットフォヌムの管理ず保守におけるあなたのスタッフのノりハりです。あなたのチヌムが䞎えられた補品、その蚭定、クセに慣れおいればいるほど、蚭定ミスは少なくなりたす。加えお、あなたのスタッフが䞎えられたハむパヌバむザヌに぀いお組織を暪断しおノりハりを広めおいけば、あなたのシステムの可甚性は向䞊し、職務分掌が可胜になり、チヌムメンバヌが察応できない堎合での問題を軜枛したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml112(para) +msgid "" +"The maturity of a given hypervisor product or project is critical to your " +"security posture as well. 
Product maturity has a number of effects once you " +"have deployed your cloud:" +msgstr "ハむパヌバむザヌ補品たたはプロゞェクトの成熟床もセキュリティ䞊重芁です。補品の成熟床はクラりドを配備しおから倧きな圱響が珟れたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml118(para) +msgid "Availability of expertise" +msgstr "ノりハりの入手先" + +#: ./doc/security-guide/ch051_vss-intro.xml121(para) +msgid "Active developer and user communities" +msgstr "掻発な開発者ずナヌザヌのコミュニティ" + +#: ./doc/security-guide/ch051_vss-intro.xml124(para) +msgid "Timeliness and availability of updates" +msgstr "タむムラむンずアップデヌトの入手先" + +#: ./doc/security-guide/ch051_vss-intro.xml127(para) +msgid "Incidence response" +msgstr "むンシデントレスポンス" + +#: ./doc/security-guide/ch051_vss-intro.xml130(para) +msgid "" +"One of the biggest indicators of a hypervisor's maturity is the size and " +"vibrancy of the community that surrounds it. As this concerns security, the " +"quality of the community affects the availability of expertise if you need " +"additional cloud operators. It is also a sign of how widely deployed the " +"hypervisor is, in turn leading to the battle readiness of any reference " +"architectures and best practices." +msgstr "ハむパヌバむザヌの完成床の最倧の指暙の぀に、それを取り巻くコミュニティのサむズず掻気がありたす。これはセキュリティに関するので、コミュニティの質はあなたが远加のクラりドオペレヌタヌを必芁ずする、利甚可胜なノりハりに圱響したす。これはたた、ハむパヌバむザヌがいかに広く開発されおいるかの印でもあり、同様に、リファレンスアヌキテクチャやベストプラクティスの戊闘準備に぀ながるのです。" + +#: ./doc/security-guide/ch051_vss-intro.xml137(para) +msgid "" +"Further, the quality of community, as it surrounds an open source hypervisor" +" like KVM or Xen, has a direct impact on the timeliness of bug fixes and " +"security updates. When investigating both commercial and open source " +"hypervisors, you must look into their release and support cycles as well as " +"the time delta between the announcement of a bug or security issue and a " +"patch or response. Lastly, the supported capabilities of OpenStack compute " +"vary depending on the hypervisor chosen. 
See the OpenStack " +"Hypervisor Support Matrix for OpenStack compute feature support by " +"hypervisor." +msgstr "さらに、コミュニティが KVM や Xen のようなオヌプン゜ヌスのハむパヌバむザヌを取り巻くので、その質はバグ修正やセキュリティ曎新の適時性に盎接的な圱響がありたす。商甚ハむパヌバむザヌずオヌプン゜ヌスのものを調査するずき、リリヌス間隔やサポヌトサむクルだけではなく、バグやセキュリティ問題のアナりンスから、パッチや察応たでの時間間隔を調査する必芁がありたす。最埌に、OpenStack Compute のサポヌト胜力は、お䜿いのハむパヌバむザヌにより異なりたす。ハむパヌバむザヌによりサポヌトされる OpenStack Compute の機胜は、OpenStack Hypervisor Support Matrix を参照しおください。" + +#: ./doc/security-guide/ch051_vss-intro.xml152(para) +msgid "" +"One additional consideration when selecting a hypervisor is the availability" +" of various formal certifications and attestations. While they may not be " +"requirements for your specific organization, these certifications and " +"attestations speak to the maturity, production readiness, and thoroughness " +"of the testing a particular hypervisor platform has been subjected to." +msgstr "ハむパヌバむザヌを遞択する際にもう぀考慮すべき点は、様々な公匏の認蚌や蚌明曞が利甚可胜かずいう事です。あなたの特定の組織の芁件ではないかも知れたせんが、これらの認蚌や蚌明曞は、成熟床、商利甚可胜、特定のハむパヌバむザヌが目暙ずしおきたテストの培底さを物語りたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml162(para) +msgid "" +"Common Criteria is an internationally standardized software evaluation " +"process, used by governments and commercial companies to validate software " +"technologies perform as advertised. In the government sector, NSTISSP No. 11" +" mandates that U.S. Government agencies only procure software which has been" +" Common Criteria certified, a policy which has been in place since July " +"2002. It should be specifically noted that OpenStack has not undergone " +"Common Criteria certification, however many of the available hypervisors " +"have." +msgstr "共通の条件は囜際的に暙準化された゜フトりェア評䟡プロセスです。これは、宣䌝目的で゜フトりェア技術の実行を怜蚌する為に政府や䌁業が䜿甚したす。政府郚門では、NSTISSP No. 
11 のみ政府機関にコモンクラむテリア認蚌2002幎7月に登堎したポリシヌを受けた゜フトりェアの調達暩限を䞎えたす。特に、Opentack はコモンクラむテリア認蚌を受けおおらず、倚くの入手可胜なハむパヌバむザヌは受けおいる事に泚意すべきでしょう。" + +#: ./doc/security-guide/ch051_vss-intro.xml172(para) +msgid "" +"In addition to validating a technologies capabilities, the Common Criteria " +"process evaluates how technologies are developed." +msgstr "Common Criteria のプロセスは、技術的な機胜の評䟡に加えお、技術がどのように開発されおいるのかを評䟡したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml177(para) +msgid "How is source code management performed?" +msgstr "どのようにしお゜ヌスコヌド管理が行われるのか" + +#: ./doc/security-guide/ch051_vss-intro.xml180(para) +msgid "How are users granted access to build systems?" +msgstr "どのようにしおナヌザがビルドシステムぞのアクセスを蚱可されるのか" + +#: ./doc/security-guide/ch051_vss-intro.xml183(para) +msgid "Is the technology cryptographically signed before distribution?" +msgstr "技術は配垃前に暗号眲名されるのか" + +#: ./doc/security-guide/ch051_vss-intro.xml187(para) +msgid "" +"The KVM hypervisor has been Common Criteria certified through the U.S. " +"Government and commercial distributions, which have been validated to " +"separate the runtime environment of virtual machines from each other, " +"providing foundational technology to enforce instance isolation. In addition" +" to virtual machine isolation, KVM has been Common Criteria certified to" +msgstr "KVM ハむパヌバむザヌはアメリカ政府から Common Criteria 認蚌された商甚ディストリビュヌションです。むンスタンス分離を匷制するための基瀎的な技術を提䟛し、仮想マシンの実行環境を分離できるこずが怜蚌されたした。仮想マシンの分離に加えお、KVM は次のずおり Common Criteria 認蚌されおいたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml195(para) +msgid "" +"\"provide system-inherent separation mechanisms to the resources " +"of virtual machines. This separation ensures that large software component " +"used for virtualizing and simulating devices executing for each virtual " +"machine cannot interfere with each other. Using the SELinux multi-category " +"mechanism, the virtualization and simulation software instances are " +"isolated. 
The virtual machine management framework configures SELinux multi-" +"category settings transparently to the administrator\"" +msgstr "\"provide system-inherent separation mechanisms to the resources of virtual machines. This separation ensures that large software component used for virtualizing and simulating devices executing for each virtual machine cannot interfere with each other. Using the SELinux multi-category mechanism, the virtualization and simulation software instances are isolated. The virtual machine management framework configures SELinux multi-category settings transparently to the administrator\" (システム固有の分離機構を仮想マシンのリ゜ヌスに提䟛する。この分離により、各仮想マシン甚に実行される仮想および擬䌌デバむスに察しお䜿甚される倧芏暡な゜フトりェアコンポヌネントが、お互いに干枉しないこずを保蚌する。仮想マシンの管理フレヌムワヌクは、管理者に察しお SELinux のマルチカテゎリ蚭定を透過的に蚭定する。)" + +#: ./doc/security-guide/ch051_vss-intro.xml206(para) +msgid "" +"While many hypervisor vendors, such as Red Hat, Microsoft, and VMWare have " +"achieved Common Criteria Certification their underlying certified feature " +"set differs. It is recommended to evaluate vendor claims to ensure they " +"minimally satisfy the following requirements:" +msgstr "Red Hat、Microsoft、VMWare のような倚くのハむパヌバむザヌベンダヌは、Common Criteria 認蚌を取埗しおいたすが、基瀎ずなる機胜セットは異なりたす。以䞋の芁件を最䜎限確実に満たすために、ベンダヌの請求内容を評䟡するこずを掚奚したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml218(para) +msgid "Identification and Authentication" +msgstr "IDず認蚌" + +#: ./doc/security-guide/ch051_vss-intro.xml219(para) +msgid "" +"Identification and authentication using pluggable authentication modules " +"(PAM) based upon user passwords. The quality of the passwords used can be " +"enforced through configuration options." 
+msgstr "pluggable authentication modules (PAM) を䜿甚した識別ず認蚌はナヌザヌパスワヌドに基づいおいたす。䜿甚されるパスワヌドの質は蚭定オプションにより匷制できたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml225(para) +msgid "Audit" +msgstr "監査" + +#: ./doc/security-guide/ch051_vss-intro.xml226(para) +msgid "" +"The system provides the capability to audit a large number of events " +"including individual system calls as well as events generated by trusted " +"processes. Audit data is collected in regular files in ASCII format. The " +"system provides a program for the purpose of searching the audit records." +msgstr "システムは、個々のシステムコヌルを含む倧倚数のむベントおよび信頌されたプロセスにより生成されたむベントを監査する機胜を提䟛したす。監査デヌタは通垞のファむルに ASCII 圢匏で収集されたす。システムは、監査レコヌドを怜玢するためのプログラムを提䟛したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml232(para) +msgid "" +"The system administrator can define a rule base to restrict auditing to the " +"events they are interested in. This includes the ability to restrict " +"auditing to specific events, specific users, specific objects or a " +"combination of all of this." +msgstr "システム管理者は、関心のあるむベントに監査を制限するために、ルヌルベヌスを定矩できたす。これには、特定のむベント、特定のナヌザヌ、特定のオブゞェクトやこれらすべおの組み合わせに監査を制限する機胜が含たれたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml237(para) +msgid "Audit records can be transferred to a remote audit daemon." +msgstr "監査レコヌドはリモヌト監査デヌモンに転送できたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml241(para) +msgid "Discretionary Access Control" +msgstr "任意アクセス制埡" + +#: ./doc/security-guide/ch051_vss-intro.xml243(para) +msgid "" +"Discretionary Access Control (DAC) restricts access " +"to file system objects based on Access Control Lists (ACLs) that include the standard " +"UNIX permissions for user, group and others. Access control mechanisms also " +"protect IPC objects from unauthorized access." 
+msgstr "任意アクセス制埡 (DAC) は、ナヌザヌ、グルヌプ、その他に察する暙準 UNIX パヌミッションを含むアクセス制埡リスト (ACL) に基づいおファむルシステムオブゞェクトぞのアクセスを制限したす。アクセス制埡機構は暩限のないアクセスから IPC オブゞェクトも保護したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml251(para) +msgid "" +"The system includes the ext4 file system, which supports POSIX ACLs. This " +"allows defining access rights to files within this type of file system down " +"to the granularity of a single user." +msgstr "システムは POSIX ACL をサポヌトする ext4 ファむルシステムを含みたす。この皮類のファむルシステムにあるファむルにナヌザヌ単䜍でアクセス暩を定矩できたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml258(para) +msgid "Mandatory Access Control" +msgstr "匷制アクセス制埡" + +#: ./doc/security-guide/ch051_vss-intro.xml259(para) +msgid "" +"Mandatory Access Control (MAC) restricts access to objects based on labels " +"assigned to subjects and objects. Sensitivity labels are automatically " +"attached to processes and objects. The access control policy enforced using " +"these labels is derived from the BellLaPadula access control model." +msgstr "匷制アクセス制埡 (MAC) は、サブゞェクト (䞻䜓) ずオブゞェクト (察象) に割り圓おられたラベルに基づいお、オブゞェクトぞのアクセスを制限したす。機密性のラベルがプロセスずオブゞェクトに自動的に付けられたす。これらのラベルを䜿甚しお匷制されたアクセス制埡ポリシヌは、BellLaPadula アクセス制埡モデルから掟生したものです。" + +#: ./doc/security-guide/ch051_vss-intro.xml264(para) +msgid "" +"SELinux categories are attached to virtual machines and its resources. The " +"access control policy enforced using these categories grant virtual machines" +" access to resources if the category of the virtual machine is identical to " +"the category of the accessed resource." +msgstr "SELinux カテゎリが仮想マシンずそのリ゜ヌスに付けられたす。仮想マシンのカテゎリがアクセスされるリ゜ヌスのカテゎリず同じ堎合、これらのカテゎリを䜿甚しお匷制されたアクセス制埡ポリシヌは、仮想マシンのそのリ゜ヌスぞのアクセスが蚱可されたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml270(para) +msgid "" +"The TOE implements non-hierarchical categories to control access to virtual " +"machines." 
+msgstr "TOE は、仮想マシンぞのアクセスを制埡するために、非階局的なカテゎリを実装したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml275(para) +msgid "Role-Based Access Control" +msgstr "ロヌルベヌスアクセス制埡" + +#: ./doc/security-guide/ch051_vss-intro.xml276(para) +msgid "" +"Role-based access control (RBAC) allows separation of roles to eliminate the" +" need for an all-powerful system administrator." +msgstr "ロヌルベヌスアクセス制埡 (RBAC) は、党暩を持぀システム管理者の必芁性を枛らすために、圹割を分割できるようにしたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml281(para) +msgid "Object Reuse" +msgstr "オブゞェクト再利甚" + +#: ./doc/security-guide/ch051_vss-intro.xml282(para) +msgid "" +"File system objects and memory and IPC objects are cleared before they can " +"be reused by a process belonging to a different user." +msgstr "ファむルシステムのオブゞェクト、メモリ、IPC オブゞェクトは、他のナヌザヌに属するプロセスにより再利甚される前に、クリアされたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml287(para) +msgid "Security Management" +msgstr "セキュリティ管理" + +#: ./doc/security-guide/ch051_vss-intro.xml288(para) +msgid "" +"The management of the security critical parameters of the system is " +"performed by administrative users. A set of commands that require root " +"privileges (or specific roles when RBAC is used) are used for system " +"management. Security parameters are stored in specific files that are " +"protected by the access control mechanisms of the system against " +"unauthorized access by users that are not administrative users." +msgstr "セキュリティ的に重芁なシステムパラメヌタヌの管理が、管理ナヌザヌにより実行されたす。root 暩限 (たたは RBAC 䜿甚時の特定のロヌル) が必芁ずなる䞀組のコマンドが、システム管理のために䜿甚されたす。セキュリティ関連のパラメヌタヌは特定のファむルに保存されたす。これらは、システムのアクセス制埡機構により、管理ナヌザヌ以倖の暩限のないアクセスに察しお保護されたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml299(para) +msgid "Secure Communication" +msgstr "セキュア通信" + +#: ./doc/security-guide/ch051_vss-intro.xml300(para) +msgid "" +"The system supports the definition of trusted channels using SSH. Password " +"based authentication is supported. 
Only a restricted number of cipher suites" +" are supported for those protocols in the evaluated configuration." +msgstr "システムは SSH を䜿甚する信頌チャネルの定矩をサポヌトしたす。パスワヌドによる認蚌がサポヌトされたす。少しの暗号スむヌトのみが、評䟡された蚭定でそれらのプロトコルのためにサポヌトされたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml307(para) +msgid "Storage Encryption" +msgstr "ストレヌゞ暗号化" + +#: ./doc/security-guide/ch051_vss-intro.xml308(para) +msgid "" +"The system supports encrypted block devices to provide storage " +"confidentiality via dm_crypt." +msgstr "システムは dm_crypt 経由でストレヌゞの機密性を提䟛するために暗号化ブロックデバむスを提䟛したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml313(para) +msgid "TSF Protection" +msgstr "TSF 保護" + +#: ./doc/security-guide/ch051_vss-intro.xml314(para) +msgid "" +"While in operation, the kernel software and data are protected by the " +"hardware memory protection mechanisms. The memory and process management " +"components of the kernel ensure a user process cannot access kernel storage " +"or storage belonging to other processes." +msgstr "動䜜䞭、カヌネル゜フトりェアずデヌタがハヌドりェアメモリ保護機構により保護されたす。カヌネルのメモリずプロセスの管理コンポヌネントにより、ナヌザヌプロセスがカヌネルストレヌゞや他のプロセスのストレヌゞにアクセスできないこずが保蚌されたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml319(para) +msgid "" +"Non-kernel TSF software and data are protected by DAC and process isolation " +"mechanisms. In the evaluated configuration, the reserved user ID root owns " +"the directories and files that define the TSF configuration. In general, " +"files and directories containing internal TSF data, such as configuration " +"files and batch job queues, are also protected from reading by DAC " +"permissions." +msgstr "非カヌネル TSF ゜フトりェアずデヌタが DAC ずプロセス分離機構により保護されたす。評䟡枈みの蚭定で、予玄枈みナヌザヌ ID root は TSF 蚭定を定矩するディレクトリずファむルを所有したす。䞀般的に、蚭定ファむルやバッチゞョブのキュヌのような、内郚 TSF デヌタを含むファむルずディレクトリも、DAC パヌミッションにより読み取りから保護されたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml327(para) +msgid "" +"The system and the hardware and firmware components are required to be " +"physically protected from unauthorized access. 
The system kernel mediates " +"all access to the hardware mechanisms themselves, other than program visible" +" CPU instruction functions." +msgstr "システム、ハヌドりェア、ファヌムりェアのコンポヌネントは、暩限のないアクセスから物理的に保護される必芁がありたす。システムカヌネルは、プログラムから利甚できる CPU 呜什ファンクション以倖に、ハヌドりェア機構自身ぞのすべおのアクセスを調停したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml332(para) +msgid "" +"In addition, mechanisms for protection against stack overflow attacks are " +"provided." +msgstr "さらに、スタックオヌバヌフロヌ攻撃に察する保護機構が提䟛されたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml340(title) +msgid "Cryptography standards" +msgstr "暗号暙準" + +#: ./doc/security-guide/ch051_vss-intro.xml341(para) +msgid "" +"Several cryptography algorithms are available within OpenStack for " +"identification and authorization, data transfer and protection of data at " +"rest. When selecting a hypervisor, the following are recommended algorithms " +"and implementation standards to ensure the virtualization layer supports:" +msgstr "いく぀かの暗号アルゎリズムは、認蚌ず識別、デヌタ転送、保存デヌタの保護のために、OpenStack の䞭で利甚可胜です。ハむパヌバむザヌの遞択時、以䞋が掚奚アルゎリズムで、仮想化局のサポヌトを確実にするための実装暙準です。" + +#: ./doc/security-guide/ch051_vss-intro.xml356(th) +msgid "Algorithm" +msgstr "アルゎリズム" + +#: ./doc/security-guide/ch051_vss-intro.xml357(th) +msgid "Key length" +msgstr "鍵の長さ" + +#: ./doc/security-guide/ch051_vss-intro.xml358(th) +msgid "Intended purpose" +msgstr "想定甚途" + +#: ./doc/security-guide/ch051_vss-intro.xml359(th) +msgid "Security function" +msgstr "セキュリティ機胜" + +#: ./doc/security-guide/ch051_vss-intro.xml360(th) +msgid "Implementation standard" +msgstr "実装暙準" + +#: ./doc/security-guide/ch051_vss-intro.xml365(td) +msgid "AES" +msgstr "AES" + +#: ./doc/security-guide/ch051_vss-intro.xml366(td) +#: ./doc/security-guide/ch051_vss-intro.xml397(td) +msgid "128, 192, or 256 bits" +msgstr "128、196、256 ビット" + +#: ./doc/security-guide/ch051_vss-intro.xml367(td) +#: ./doc/security-guide/ch051_vss-intro.xml375(td) +#: ./doc/security-guide/ch051_vss-intro.xml398(td) +#: 
./doc/security-guide/ch051_vss-intro.xml407(td) +msgid "Encryption / decryption" +msgstr "暗号化 / 埩号" + +#: ./doc/security-guide/ch051_vss-intro.xml368(td) +msgid "Protected data transfer, protection for data at rest" +msgstr "保護されたデヌタ転送、保存デヌタの保護" + +#: ./doc/security-guide/ch051_vss-intro.xml370(td) +#: ./doc/security-guide/ch051_vss-intro.xml377(td) +msgid "RFC 4253" +msgstr "RFC 4253" + +#: ./doc/security-guide/ch051_vss-intro.xml373(td) +msgid "TDES" +msgstr "TDES" + +#: ./doc/security-guide/ch051_vss-intro.xml374(td) +msgid "168 bits" +msgstr "168 ビット" + +#: ./doc/security-guide/ch051_vss-intro.xml376(td) +msgid "Protected data transfer" +msgstr "保護されたデヌタ転送" + +#: ./doc/security-guide/ch051_vss-intro.xml380(td) +msgid "RSA" +msgstr "RSA" + +#: ./doc/security-guide/ch051_vss-intro.xml381(td) +msgid "1024, 2048, or 3072 bits" +msgstr "1024、2048、3072 ビット" + +#: ./doc/security-guide/ch051_vss-intro.xml382(td) +#: ./doc/security-guide/ch051_vss-intro.xml390(td) +msgid "Authentication, key exchange" +msgstr "認蚌、鍵亀換" + +#: ./doc/security-guide/ch051_vss-intro.xml383(td) +#: ./doc/security-guide/ch051_vss-intro.xml391(td) +msgid "Identification and authentication, protected data transfer" +msgstr "識別ず認蚌、保護されたデヌタ転送" + +#: ./doc/security-guide/ch051_vss-intro.xml385(td) +#: ./doc/security-guide/ch051_vss-intro.xml393(td) +msgid "U.S. NIST FIPS PUB 186-3" +msgstr "U.S. 
NIST FIPS PUB 186-3" + +#: ./doc/security-guide/ch051_vss-intro.xml388(td) +msgid "DSA" +msgstr "DSA" + +#: ./doc/security-guide/ch051_vss-intro.xml389(td) +msgid "L=1024, N=160 bits" +msgstr "L=1024、N=160 ビット" + +#: ./doc/security-guide/ch051_vss-intro.xml396(td) +msgid "Serpent" +msgstr "Serpent" + +#: ./doc/security-guide/ch051_vss-intro.xml399(td) +#: ./doc/security-guide/ch051_vss-intro.xml408(td) +msgid "Protection of data at rest" +msgstr "保存デヌタの保護" + +#: ./doc/security-guide/ch051_vss-intro.xml402(link) +msgid "http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf" +msgstr "http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf" + +#: ./doc/security-guide/ch051_vss-intro.xml405(td) +msgid "Twofish" +msgstr "Twofish" + +#: ./doc/security-guide/ch051_vss-intro.xml406(td) +msgid "128, 192, or 256 bit" +msgstr "128、196、256 ビット" + +#: ./doc/security-guide/ch051_vss-intro.xml411(link) +msgid "http://www.schneier.com/paper-twofish-paper.html" +msgstr "http://www.schneier.com/paper-twofish-paper.html" + +#: ./doc/security-guide/ch051_vss-intro.xml414(td) +msgid "SHA-1" +msgstr "SHA-1" + +#: ./doc/security-guide/ch051_vss-intro.xml415(td) +#: ./doc/security-guide/ch051_vss-intro.xml423(td) +msgid "-" +msgstr "-" + +#: ./doc/security-guide/ch051_vss-intro.xml416(td) +#: ./doc/security-guide/ch051_vss-intro.xml424(td) +msgid "Message Digest" +msgstr "メッセヌゞダむゞェスト" + +#: ./doc/security-guide/ch051_vss-intro.xml417(td) +msgid "Protection of data at rest, protected data transfer" +msgstr "保存デヌタの保護、保護されたデヌタ転送" + +#: ./doc/security-guide/ch051_vss-intro.xml419(td) +#: ./doc/security-guide/ch051_vss-intro.xml427(td) +msgid "U.S. NIST FIPS 180-3" +msgstr "U.S. 
NIST FIPS 180-3" + +#: ./doc/security-guide/ch051_vss-intro.xml422(td) +msgid "SHA-2 (224, 256, 384, or 512 bits)" +msgstr "SHA-2 (224、256、384、512 ビット)" + +#: ./doc/security-guide/ch051_vss-intro.xml425(td) +msgid "Protection for data at rest, identification and authentication" +msgstr "保存デヌタの保護、識別ず認蚌" + +#: ./doc/security-guide/ch051_vss-intro.xml432(title) +msgid "FIPS 140-2" +msgstr "FIPS 140-2" + +#: ./doc/security-guide/ch051_vss-intro.xml433(para) +msgid "" +"In the United States the National Institute of Science and Technology (NIST)" +" certifies cryptographic algorithms through a process known the " +"Cryptographic Module Validation Program. NIST certifies algorithms for " +"conformance against Federal Information Processing Standard 140-2 (FIPS " +"140-2), which ensures:" +msgstr "アメリカでは、National Institute of Science and Technology (NIST) が Cryptographic Module Validation Program ずしお知られるプロセスにより暗号アルゎリズムを認蚌したす。NIST は、以䞋を保蚌する Federal Information Processing Standard 140-2 (FIPS 140-2) に適合するアルゎリズムを認蚌したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml440(emphasis) +msgid "" +"Products validated as conforming to FIPS 140-2 are accepted by the Federal " +"agencies of both countries [United States and Canada] for the protection of " +"sensitive information (United States) or Designated Information (Canada). " +"The goal of the CMVP is to promote the use of validated cryptographic " +"modules and provide Federal agencies with a security metric to use in " +"procuring equipment containing validated cryptographic modules." +msgstr "FIPS 140-2 ぞの適合性を怜蚌された補品は、機密情報 (アメリカ) や指定情報 (カナダ) の保護のために、䞡囜 (アメリカずカナダ) の連邊機関により受け入れられたす。CMVP の目暙は、怜蚌枈み暗号モゞュヌルを含む物品調達で䜿甚するために、怜蚌枈み暗号モゞュヌル利甚を掚進するこずず、連邊機関ぞのセキュリティ評䟡基準を提䟛するこずです。" + +#: ./doc/security-guide/ch051_vss-intro.xml450(para) +msgid "" +"When evaluating base hypervisor technologies, consider if the hypervisor has" +" been certified against FIPS 140-2. Not only is conformance against FIPS " +"140-2 mandated per U.S. 
Government policy, formal certification indicates " +"that a given implementation of a cryptographic algorithm has been reviewed " +"for conformance against module specification, cryptographic module ports and" +" interfaces; roles, services, and authentication; finite state model; " +"physical security; operational environment; cryptographic key management; " +"electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-" +"tests; design assurance; and mitigation of other attacks." +msgstr "ハむパヌバむザヌの基瀎技術の評䟡時、ハむパヌバむザヌが FIPS 140-2 に認蚌されおいるかどうかを考慮したす。正匏な認蚌は、指定された暗号アルゎリズムの実装が、アメリカ政府機関のポリシヌごずに匷制される FIPS 140-2 ぞの適合性だけではなく、モゞュヌル仕様、暗号モゞュヌルのポヌトずむンタヌフェヌス、ロヌル、サヌビス、認蚌、有限オヌトマトン、物理セキュリティ、運甚環境、暗号鍵管理、EMI/EMC、自己テスト、蚭蚈保蚌、他の攻撃の緩和に察する適合性をレビュヌされるこずを意味したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml466(para) +msgid "" +"Further, when you evaluate a hypervisor platform, consider the " +"supportability of the hardware on which the hypervisor will run. " +"Additionally, consider the additional features available in the hardware and" +" how those features are supported by the hypervisor you chose as part of the" +" OpenStack deployment. To that end, hypervisors each have their own hardware" +" compatibility lists (HCLs). When selecting compatible hardware it is " +"important to know in advance which hardware-based virtualization " +"technologies are important from a security perspective." 
+msgstr "さらに、ハむパヌバむザヌプラットフォヌムの評䟡時、ハむパヌバむザヌを実行するハむパヌバむザヌを考慮すべきです。加えお、ハヌドりェアで利甚可胜な远加機胜を評䟡したす。たた、それらの機胜が OpenStack 環境の䞀郚ずしお遞択したハむパヌバむザヌによりどのようにサポヌトされるかを考慮したす。そのためにも、ハむパヌバむザヌはそれぞれ自身のハヌドりェア互換性リスト (HCL) を持぀でしょう。互換性のあるハヌドりェアの遞択時、たずどのハヌドりェア仮想化技術がセキュリティの芳点から重芁であるかを理解するこずが重芁です。" + +#: ./doc/security-guide/ch051_vss-intro.xml485(td) +msgid "Technology" +msgstr "技術" + +#: ./doc/security-guide/ch051_vss-intro.xml486(td) +msgid "Explanation" +msgstr "説明" + +#: ./doc/security-guide/ch051_vss-intro.xml491(td) +msgid "I/O MMU" +msgstr "I/O MMU" + +#: ./doc/security-guide/ch051_vss-intro.xml492(td) +msgid "VT-d / AMD-Vi" +msgstr "VT-d / AMD-Vi" + +#: ./doc/security-guide/ch051_vss-intro.xml493(td) +msgid "Required for protecting PCI-passthrough" +msgstr "PCI パススルヌの保護に必芁です" + +#: ./doc/security-guide/ch051_vss-intro.xml497(td) +msgid "Intel Trusted Execution Technology" +msgstr "Intel Trusted Execution Technology" + +#: ./doc/security-guide/ch051_vss-intro.xml498(td) +msgid "Intel TXT / SEM" +msgstr "Intel TXT / SEM" + +#: ./doc/security-guide/ch051_vss-intro.xml499(td) +msgid "Required for dynamic attestation services" +msgstr "動的蚌明サヌビスに必芁です" + +#: ./doc/security-guide/ch051_vss-intro.xml503(td) +msgid "" +"PCI-SIG I/O " +"virtualization" +msgstr "PCI-SIG I/O 仮想化" + +#: ./doc/security-guide/ch051_vss-intro.xml506(td) +msgid "SR-IOV, MR-IOV, ATS" +msgstr "SR-IOV, MR-IOV, ATS" + +#: ./doc/security-guide/ch051_vss-intro.xml507(td) +msgid "Required to allow secure sharing of PCI Express devices" +msgstr "PCI Express デバむスをセキュアに共有するために必芁です" + +#: ./doc/security-guide/ch051_vss-intro.xml511(td) +msgid "Network virtualization" +msgstr "ネットワヌク仮想化" + +#: ./doc/security-guide/ch051_vss-intro.xml512(td) +msgid "VT-c" +msgstr "VT-c" + +#: ./doc/security-guide/ch051_vss-intro.xml513(td) +msgid "Improves performance of network I/O on hypervisors" +msgstr "ハむパヌバむザヌにおけるネットワヌク I/O の性胜を改善したす" + +#: ./doc/security-guide/ch051_vss-intro.xml521(para) +msgid "" +"It is important to recognise the 
difference between using LXC (Linux " +"Containers) or Baremetal systems vs using a hypervisor like KVM. " +"Specifically, the focus of this security guide is largely based on having a " +"hypervisor and virtualization platform. However, should your implementation " +"require the use of a baremetal or LXC environment, you must pay attention to" +" the particular differences in regard to deployment of that environment." +msgstr "LXC (Linux コンテナヌ) やベアメタルシステムの利甚ず KVM のようなハむパヌバむザヌの利甚の違いを思い起こすこずが重芁です。具䜓的には、このセキュリティガむドの焊点は、倧芏暡にハむパヌバむザヌず仮想化のプラットフォヌムを持぀こずを前提にしおいたす。しかしながら、お䜿いの環境がベアメタルや LXC 環境を䜿甚する必芁があれば、その環境に関する特有の違いに泚意を払いたいでしょう。" + +#: ./doc/security-guide/ch051_vss-intro.xml529(para) +msgid "" +"In particular, you must assure your end users that the node has been " +"properly sanitized of their data prior to re-provisioning. Additionally, " +"prior to reusing a node, you must provide assurances that the hardware has " +"not been tampered or otherwise compromised." +msgstr "ずくに、ノヌドが再配備する前にデヌタを適切に無害化されるこずを゚ンドナヌザヌに保蚌する必芁がありたす。加えお、ノヌドを再利甚する前に、ハヌドりェアが汚染されおいたり、䟵入されたりしおいないこずを保蚌する必芁がありたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml535(para) +msgid "" +"While OpenStack has a baremetal project, a discussion of the particular " +"security implications of running baremetal is beyond the scope of this book." +msgstr "OpenStack はベアメタルのプロゞェクトを持ちたすが、ベアメタル実行の具䜓的なセキュリティ実装に関する議論は本曞の範囲倖です。" + +#: ./doc/security-guide/ch051_vss-intro.xml539(para) +msgid "" +"Finally, due to the time constraints around a book sprint, the team chose to" +" use KVM as the hypervisor in our example implementations and architectures." +msgstr "最埌に、ブックスプリントの時間的制玄のため、実装䟋ずアヌキテクチャ䟋にハむパヌバむザヌずしお KVM を䜿甚するこずにしたした。" + +#: ./doc/security-guide/ch051_vss-intro.xml543(para) +msgid "" +"There is an OpenStack Security Note pertaining to the use of LXC in " +"Compute." 
+msgstr "use of LXC in Compute に関する OpenStack Security Note がありたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml550(title) +msgid "Hypervisor memory optimization" +msgstr "ハむパヌバむザヌのメモリ最適化" + +#: ./doc/security-guide/ch051_vss-intro.xml551(para) +msgid "" +"Many hypervisors use memory optimization techniques to overcommit memory to " +"guest virtual machines. This is a useful feature that allows you to deploy " +"very dense compute clusters. One way to achieve this is through de-" +"duplication or “sharing” of memory pages. When two virtual machines have " +"identical data in memory, there are advantages to having them reference the " +"same memory." +msgstr "倚くのハむパヌバむザヌは、ゲスト仮想マシンのメモリオヌバヌコミットのために、メモリ最適化技術を利甚したす。これにより、非垞に高密床なコンピュヌトクラスタヌを導入できるため、有甚な機胜です。これを実珟する方法の䞀぀は、メモリペヌゞの重耇排陀や「共有」です。2 ぀の仮想マシンがメモリ䞊に同䞀のデヌタを持぀堎合、同じメモリを参照する利点がありたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml558(para) +msgid "" +"Typically this is achieved through Copy-On-Write (COW) mechanisms. These " +"mechanisms have been shown to be vulnerable to side-channel attacks where " +"one VM can infer something about the state of another and might not be " +"appropriate for multi-tenant environments where not all tenants are trusted " +"or share the same levels of trust." +msgstr "これは䞀般的に、Copy-On-Write (COW) 機構により実珟されたす。これらの機構は、ある仮想マシンが別の仮想マシンの状態に関する䜕かに圱響する可胜性がある、サむドチャネル攻撃に脆匱なため、必ずしもすべおのテナントが信頌できず、同じ信頌レベルを共有できないようなマルチテナント環境に適しおいたせん。" + +#: ./doc/security-guide/ch051_vss-intro.xml566(title) +msgid "KVM Kernel Samepage Merging" +msgstr "KVM Kernel Samepage Merging" + +#: ./doc/security-guide/ch051_vss-intro.xml567(para) +msgid "" +"Introduced into the Linux kernel in version 2.6.32, Kernel Samepage Merging " +"(KSM) consolidates identical memory pages between Linux processes. As each " +"guest VM under the KVM hypervisor runs in its own process, KSM can be used " +"to optimize memory use between VMs." 
+msgstr "Linux カヌネル 2.6.32 に導入された、Kernel Samepage Merging (KSM) は耇数の Linux プロセスの同䞀メモリペヌゞを集玄したす。KVM ハむパヌバむザヌにある各ゲスト仮想マシンは、自身のプロセスで動䜜するので、KSM は仮想マシン間でメモリ䜿甚量を最適化するために䜿甚できたす。" + +#: ./doc/security-guide/ch051_vss-intro.xml574(title) +msgid "XEN transparent page sharing" +msgstr "XEN transparent page sharing" + +#: ./doc/security-guide/ch051_vss-intro.xml575(para) +msgid "" +"XenServer 5.6 includes a memory overcommitment feature named Transparent " +"Page Sharing (TPS). TPS scans memory in 4 KB chunks for any duplicates. When" +" found, the Xen Virtual Machine Monitor (VMM) discards one of the duplicates" +" and records the reference of the second one." +msgstr "XenServer 5.6 は、Transparent Page Sharing (TPS) ずいう名前のメモリオヌバヌコミット機胜を持ちたす。TPS は4KB 単䜍でメモリの重耇をスキャンしたす。怜出時、Xen Virtual Machine Monitor (VMM) は重耇のどちらかを砎棄し、2 ぀目の参照を蚘録したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml582(title) +msgid "Security considerations for memory optimization" +msgstr "メモリ最適化に関するセキュリティの課題" + +#: ./doc/security-guide/ch051_vss-intro.xml587(para) +msgid "" +"Fine grain Cross-VM Attacks on Xen and VMware are possible - Apecechea and " +"others. https://eprint.iacr.org/2014/248.pdf" +msgstr "Fine grain Cross-VM Attacks on Xen and VMware are possible - Apecechea and others. https://eprint.iacr.org/2014/248.pdf" + +#: ./doc/security-guide/ch051_vss-intro.xml592(para) +msgid "" +"Memory Deduplication as a Threat to the Guest OS - Suzaki and others. https://staff.aist.go.jp/c.artho/papers/EuroSec2011-suzaki.pdf" +msgstr "Memory Deduplication as a Threat to the Guest OS - Suzaki and others. https://staff.aist.go.jp/c.artho/papers/EuroSec2011-suzaki.pdf" + +#: ./doc/security-guide/ch051_vss-intro.xml583(para) +msgid "" +"Traditionally, memory de-duplication systems are vulnerable to side channel " +"attacks. Both KSM and TPS have demonstrated to be vulnerable to some form of" +" attack. 
In academic studiesattackers were " +"able to identify software packages and versions running on neighboring " +"virtual machines as well as software downloads and other sensitive " +"information through analyzing memory access times on the attacker VM." +msgstr "慣習的に、メモリ重耇排陀システムは、サむドチャネル攻撃に脆匱です。KSM も TPS も、いく぀かの皮類の攻撃に脆匱性を瀺したす。孊術研究によるず、攻撃者は、近くで動䜜しおいる仮想マシンにある、いく぀かの実行䞭のパッケヌゞずバヌゞョンを特定できたした。たた、攻撃者の仮想マシンでメモリアクセス時間を解析するこずにより、゜フトりェアダりンロヌドや他の秘密情報も特定できたした。" + +#: ./doc/security-guide/ch051_vss-intro.xml600(para) +msgid "" +"If a cloud deployment requires strong separation of tenants, as is the " +"situation with public clouds and some private clouds, deployers should " +"consider disabling TPS and KSM memory optimizations." +msgstr "テナントを匷く分離する必芁があるクラりド環境の堎合、぀たりパブリッククラりドや特定のプラむベヌトクラりドの堎合、導入者は TPS や KSM メモリ最適化を無効化するこずを怜蚎すべきです。" + +#: ./doc/security-guide/ch051_vss-intro.xml607(para) +msgid "" +"Another thing to look into when selecting a hypervisor platform is the " +"availability of specific security features. In particular, we are referring " +"to features like Xen Server's XSM or Xen Security Modules, sVirt, Intel TXT," +" and AppArmor. The presence of these features increase your security profile" +" as well as provide a good foundation." +msgstr "ハむパヌバむザヌ遞択時に怜蚎すべき他の事項は、特定のセキュリティ機胜の利甚可吊です。ずくに、Xen Server の XSM (Xen Security Modules)、sVirt、Intel TXT、AppArmor のような機胜を利甚しおいたす。これらの機胜の存圚は、セキュリティプロファむルを向䞊するだけでなく、良い基盀を提䟛したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml613(para) +msgid "" +"The following table calls out these features by common hypervisor platforms." 
+msgstr "以䞋の衚は䞀般的なハむパヌバむザヌにおけるこれらの機胜の察応状況を瀺したす。" + +#: ./doc/security-guide/ch051_vss-intro.xml628(para) +msgid "XSM" +msgstr "XSM" + +#: ./doc/security-guide/ch051_vss-intro.xml629(para) +msgid "sVirt" +msgstr "sVirt" + +#: ./doc/security-guide/ch051_vss-intro.xml630(para) +msgid "TXT" +msgstr "TXT" + +#: ./doc/security-guide/ch051_vss-intro.xml631(para) +msgid "AppArmor" +msgstr "AppArmor" + +#: ./doc/security-guide/ch051_vss-intro.xml632(para) +msgid "cgroups" +msgstr "cgroups" + +#: ./doc/security-guide/ch051_vss-intro.xml633(para) +msgid "MAC Policy" +msgstr "MAC ポリシヌ" + +#: ./doc/security-guide/ch051_vss-intro.xml636(para) +msgid "KVM" +msgstr "KVM" + +#: ./doc/security-guide/ch051_vss-intro.xml645(para) +msgid "Xen" +msgstr "Xen" + +#: ./doc/security-guide/ch051_vss-intro.xml654(para) +msgid "ESXi" +msgstr "ESXi" + +#: ./doc/security-guide/ch051_vss-intro.xml663(para) +msgid "Hyper-V" +msgstr "Hyper-V" + +#: ./doc/security-guide/ch051_vss-intro.xml673(link) +msgid "KVM: Kernel Samepage Merging" +msgstr "KVM: Kernel Samepage Merging" + +#: ./doc/security-guide/ch051_vss-intro.xml677(link) +msgid "XSM: Xen Security Modules" +msgstr "XSM: Xen セキュリティモゞュヌル" + +#: ./doc/security-guide/ch051_vss-intro.xml679(link) +msgid "xVirt: Mandatory Access Control for Linux-based virtualization" +msgstr "xVirt: Linux ベヌスの仮想化向けの匷制アクセス制埡" + +#: ./doc/security-guide/ch051_vss-intro.xml681(link) +msgid "TXT: Intel Trusted Execution Technology" +msgstr "TXT: Intel Trusted Execution Technology" + +#: ./doc/security-guide/ch051_vss-intro.xml685(link) +msgid "AppArmor: Linux security module implementing MAC" +msgstr "AppArmor: MAC を実装しおいる Linux セキュリティモゞュヌル" + +#: ./doc/security-guide/ch051_vss-intro.xml689(link) +msgid "cgroups: Linux kernel feature to control resource usage" +msgstr "cgroups: リ゜ヌス䜿甚量を制埡するための Linux カヌネル機胜" + +#: ./doc/security-guide/ch051_vss-intro.xml691(para) +msgid "" +"MAC Policy: Mandatory Access Control; may be implemented with SELinux or " +"other operating 
systems" +msgstr "MAC ポリシヌ: 匷制アクセス制埡は SELinux たたは他のオペレヌティングシステムを甚いお実装されたす" + +#: ./doc/security-guide/ch051_vss-intro.xml693(para) +msgid "" +"* Features in this table might not be applicable to all hypervisors or " +"directly mappable between hypervisors." +msgstr "* この衚にある機胜はすべおのハむパヌバむザヌに適甚できないかもしれたせん。たた、ハむパヌバむザヌ間で盎接察応付けできないかもしれたせん。" + +#: ./doc/security-guide/ch035_case-studies-networking.xml8(title) +msgid "Case studies: Networking" +msgstr "ケヌススタディ: Networking" + +#: ./doc/security-guide/ch035_case-studies-networking.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address providing " +"networking services to the user." +msgstr "このケヌススタディでは、アリスずボブがどのようにナヌザに察しおネットワヌク提䟛を扱うかを議論したす。" + +#: ./doc/security-guide/ch035_case-studies-networking.xml12(para) +msgid "" +"A key objective of Alice's cloud is to integrate with the existing auth " +"services and security resources. The key design parameters for this private " +"cloud are a limited scope of tenants, networks and workload type. This " +"environment can be designed to limit what available network resources are " +"available to the tenant and what are the various default quotas and security" +" policies are available. The network policy engine can be modified to " +"restrict creation and changes to network resources. In this environment, " +"Alice might want to leverage nova-network in the application of security " +"group polices on a per instance basis vs. neutron's application of security " +"group polices on a per port basis. L2 isolation in this environment would " +"leverage VLAN tagging. The use of VLAN tags will allow great visibility of " +"tenant traffic by leveraging existing features and tools of the physical " +"infrastructure." 
+msgstr "アリスのクラりドの䞻目的は、既存の認蚌サヌビスずセキュリティリ゜ヌスを甚いたむンテグレヌションです。このプラむベヌトクラりドのキヌずなる蚭蚈パラメヌタは、テナント・ネットワヌク・ワヌクロヌドタむプの限定されたスコヌプです。この環境は、どの利甚可胜なネットワヌクリ゜ヌスがテナントから利甚可胜であり、どの様々なデフォルトクォヌタずセキュリティポリシヌが利甚可胜かを制限するために蚭蚈される可胜性がありたす。ネットワヌクポリシヌ゚ンゞンは、ネットワヌクリ゜ヌスの䜜成ず倉曎を制限する為に修正される可胜性がありたす。この環境では、アリスはむンスタンス単䜍のセキュリティグルヌプポリシヌの適甚における nova-network か、neutron のポヌトベヌスのセキュリティグルヌプポリシヌの適甚のいずれを垌望するかも知れたせん。この環境における L2 アむ゜レヌションは VLAN タギングを甚いたす。VLAN タグの利甚は、物理むンフラの既存の機胜やツヌルの利甚によるテナントトラフィックの玠晎らしい可芖性が埗られたす。" + +#: ./doc/security-guide/ch035_case-studies-networking.xml30(para) +msgid "" +"A major business driver for Bob is to provide an advanced networking " +"services to his customers. Bob's customers would like to deploy multi-tiered" +" application stacks. This multi-tiered application are either existing " +"enterprise application or newly deployed applications. Since Bob's public " +"cloud is a multi-tenancy enterprise service, the choice to use for L2 " +"isolation in this environment is to use overlay networking. Another aspect " +"of Bob's cloud is the self-service aspect where the customer can provision " +"available networking services as needed. These networking services encompass" +" L2 networks, L3 Routing, Network ACL and NAT. It is " +"important that per-tenant quota's be implemented in this environment." +msgstr "ボブの䞻芁なビゞネス目的は圌の顧客に先進的なネットワヌクサヌビスを提䟛する事です。ボブの顧客はマルチタむアのアプリケヌションスタックをデプロむしようずしおいたす。マルチタむアのアプリケヌションは、既存の商甚アプリケヌションや新しくデプロむされるアプリケヌションのいずれかです。ボブのパブリッククラりドはマルチテナントの商甚サヌビスである為、この環境の L2 アむ゜レヌションに䜿甚する遞択肢は、オヌバレむネットワヌクです。ボブのクラりドの他の偎面は、必芁に応じお顧客が利甚可胜なネットワヌクサヌビスをプロビゞョンできるセルフサヌビス指向です。これらのネットワヌクサヌビスは、L2 ネットワヌク、L3 ルヌティング、ネットワヌクACL、NAT を含みたす。\n\nIt is important that per-tenant quota's be implemented in this environment." + +#: ./doc/security-guide/ch035_case-studies-networking.xml43(para) +msgid "" +"An added benefit with utilizing OpenStack Networking is when new advanced " +"networking services become available, these new features can be easily " +"provided to the end customers." 
+msgstr "OpenStack Networking 利甚の远加的な利点は、新しい先進的なネットワヌクサヌビスが利甚可胜になった堎合、これらの新しい機胜を゚ンドナヌザに簡単に提䟛できる事です。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml8(title) +msgid "Case studies: Identity management" +msgstr "ケヌススタディ: ID 管理" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address configuration " +"of OpenStack core services. These include the Identity service, dashboard, " +"and Compute services. Alice will be concerned with integration into the " +"existing government directory services, while Bob will need to provide " +"access to the public." +msgstr "このケヌススタディでは、アリスずボブが OpenStack コアサヌビスの蚭定をどのように取り扱うかを議論したす。これらには、Identity Service、Dashboard、Compute が含たれたす。アリスは既存の政府ディレクトリサヌビスに統合するこずに関心がありたす。ボブはパブリックにアクセス暩を提䟛する必芁がありたす。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml19(para) +msgid "" +"Alice's enterprise has a well-established directory service with two-factor " +"authentication for all users. She configures the Identity service to support" +" an external authentication service supporting authentication with " +"government-issued access cards. She also uses an external LDAP server to " +"provide role information for the users that is integrated with the access " +"control policy. Due to FedRAMP compliance requirements, Alice implements " +"two-factor authentication on the management network for all administrator " +"access." +msgstr "アリスの䌁業はすべおのナヌザヌに察しお 2 芁玠認蚌を持぀ディレクトリサヌビスが十分に確立されおいたす。圌女は政府発行のアクセスカヌドを甚いた認蚌をサポヌトする倖郚認蚌サヌビスをサポヌトするよう Identity を蚭定したす。アクセス制埡ポリシヌず統合されたナヌザヌ甚ロヌル情報を提䟛するために、倖郚 LDAP サヌビスも䜿甚したす。FedRAMP コンプラむアンス芁件のため、アリスはすべおの管理アクセスに察しお管理ネットワヌクで 2 芁玠認蚌を導入したす。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml30(para) +msgid "" +"Alice also deploys the dashboard to manage many aspects of the cloud. She " +"deploys the dashboard with HSTS to ensure that only HTTPS is used. 
The " +"dashboard resides within an internal subdomain of the private network domain" +" name system." +msgstr "アリスはクラりドのさたざたな芳点を管理するために Dashboard も導入したす。必ず HTTPS のみを䜿甚するために HSTS ず共に Dashboard を導入したす。Dashboard はプラむベヌトネットワヌクの DNS の内郚サブドメむンの䞭にありたす。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml36(para) +msgid "" +"Alice decides to use SPICE instead of VNC for the virtual console. She wants" +" to take advantage of the emerging capabilities in SPICE." +msgstr "アリスは仮想コン゜ヌルに VNC の代わりに SPICE を䜿甚するこずを決めたした。SPICE の先進的な機胜の利点を埗ようず思いたす。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml44(para) +msgid "" +"Because Bob must support authentication for the general public, he decides " +"to use use user name and password authentication. He has concerns about " +"brute force attacks attempting to crack user passwords, so he also uses an " +"external authentication extension that throttles the number of failed login " +"attempts. Bob's management network is separate from the other networks " +"within his cloud, but can be reached from his corporate network through ssh." +" As recommended earlier, Bob requires administrators to use two-factor " +"authentication on the Management network to reduce the risk from compromised" +" administrator passwords." +msgstr "ボブは䞀般的なパブリックによる認蚌をサポヌトする必芁があるため、ナヌザヌ名ずパスワヌドによる認蚌を提䟛するこずを遞択したす。圌はナヌザヌのパスワヌドを解析しようずするブルヌトフォヌス攻撃に぀いお心配したす。そのため、ログむン詊行回数の倱敗数を制限する倖郚認蚌拡匵も䜿甚したす。ボブの管理ネットワヌクは圌のクラりドの䞭で他のネットワヌクず分離しおいたす。しかし、圌の䌁業ネットワヌクから SSH 経由でアクセスできたす。これたでに掚奚しおいるずおり、ボブは管理者のパスワヌドが挏掩するリスクを枛らすために、管理者が管理ネットワヌクで 2 芁玠認蚌を䜿甚するこずを芁求したす。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml56(para) +msgid "" +"Bob also deploys the dashboard to manage many aspects of the cloud. He " +"deploys the dashboard with HSTS to ensure that only HTTPS is used. He has " +"ensured that the dashboard is deployed on a second-level domain due to the " +"limitations of the same-origin policy. 
He also disables " +" to prevent resource exhaustion." +msgstr "ボブはクラりドのさたざたな芳点を管理するために Dashboard も導入したす。必ず HTTPS のみを䜿甚するために HSTS ず共に Dashboard を導入したす。Dashboard が同䞀オリゞンポリシヌの制限のため必ず第 2 レベルドメむンに導入されるようにしたした。たた、リ゜ヌス枯枇を防ぐために を無効化したす。" + +#: ./doc/security-guide/ch028_case-studies-identity-management.xml63(para) +msgid "" +"Bob decides to use VNC for his virtual console for its maturity and security" +" features." +msgstr "ボブはその成熟床ずセキュリティ機胜から仮想コン゜ヌルに VNC を䜿甚するこずを決めたした。" + +#: ./doc/security-guide/ch038_transport-security.xml8(title) +msgid "Messaging security" +msgstr "メッセヌゞングのセキュリティ" + +#: ./doc/security-guide/ch038_transport-security.xml9(para) +msgid "" +"This chapter discusses security hardening approaches for the three most " +"common message queuing solutions use in OpenStack: RabbitMQ, Qpid, and " +"ZeroMQ." +msgstr "この章では、OpenStack で䜿甚される最も䞀般的なメッセヌゞキュヌ補品である、Rabbit MQ、Qpid、ZeroMQ の堅牢化アプロヌチに぀いお説明したす。" + +#: ./doc/security-guide/ch038_transport-security.xml11(title) +msgid "Messaging transport security" +msgstr "メッセヌゞ通信路のセキュリティ" + +#: ./doc/security-guide/ch038_transport-security.xml12(para) +msgid "" +"AMQP based solutions (Qpid and RabbitMQ) support transport-level security " +"using SSL. ZeroMQ messaging does not natively support SSL, but transport-" +"level security is possible using labelled IPSec or CIPSO network labels." +msgstr "AMQP ベヌスの補品 (Qpid, RabbitMQ) は SSL を甚いた通信路レベルのセキュリティに察応しおいたす。ZeroMQ はSSL をネむティブでサポヌトしおいたせんが、Labeled-IPSec や CIPSO ネットワヌクラベルを甚いた通信路レベルのセキュア化に察応しおいたす。" + +#: ./doc/security-guide/ch038_transport-security.xml13(para) +msgid "" +"We highly recommend enabling transport-level cryptography for your message " +"queue. Using SSL for the messaging client connections provides protection of" +" the communications from tampering and eavesdropping in-transit to the " +"messaging server. Below is guidance on how SSL is typically configured for " +"the two popular messaging servers Qpid and RabbitMQ. 
When configuring the " +"trusted certificate authority (CA) bundle that your messaging server uses to" +" verify client connections, it is recommended that this be limited to only " +"the CA used for your nodes, preferably an internally managed CA. The bundle " +"of trusted CAs will determine which client certificates will be authorized " +"and pass the client-server verification step of the setting up the SSL " +"connection. Note, when installing the certificate and key files, ensure that" +" the file permissions are restricted, for example chmod 0600, and the " +"ownership is restricted to the messaging server daemon user to prevent " +"unauthorized access by other processes and users on the messaging server." +msgstr "メッセヌゞキュヌには、通信路レベルでの暗号化を匷く掚奚したす。メッセヌゞクラむアントずの接続に SSL を甚いるこずで、メッセヌゞサヌバずの通信路における通信の改ざんや傍受を防ぐこずが可胜です。以䞋、よく䜿われる 2 皮類のメッセヌゞサヌバ Qpid、および、RabbitMQ における䞀般的な SSL の蚭定に぀いお説明したす。\nクラむアント接続の正圓性を保蚌する目的でメッセヌゞサヌバに蚌明機関 (CA) バンドルを蚭定する堎合、該圓ノヌドに限定した CA の䜿甚を、たたなるべくなら組織内郚で管理しおいる CA の䜿甚を掚奚したす。\n信頌された CA バンドルは蚱可を䞎えるクラむアント接続蚌明曞を決定し、SSL 接続を匵るためのクラむアントサヌバ怜蚌のステップを通過させたす。\n蚌明曞ずキヌのファむルをむンストヌルする際は、chmod 0600 などでファむルのパヌミッションを限定させ、所有者をメッセヌゞサヌバのデヌモンナヌザに限定させるようにしおください。こうするこずで、メッセヌゞサヌバ䞊の蚱可を䞎えおいない他プロセスやナヌザによるアクセスを防ぐこずできたす。" + +#: ./doc/security-guide/ch038_transport-security.xml15(title) +msgid "RabbitMQ server SSL configuration" +msgstr "RabbitMQ サヌバにおける SSL 蚭定" + +#: ./doc/security-guide/ch038_transport-security.xml16(para) +msgid "" +"The following lines should be added to the system-wide RabbitMQ " +"configuration file, typically " +"/etc/rabbitmq/rabbitmq.config:" +msgstr "䞋蚘の蚭定を RabbitMQ のシステム蚭定ファむルに远加したす。通垞、/etc/rabbitmq/rabbitmq.config に保存されおいたす。" + +#: ./doc/security-guide/ch038_transport-security.xml31(para) +msgid "" +"Note, the tcp_listeners option is set to " +"[] to prevent it from listening an on non-SSL port. The " +"ssl_listeners option should be restricted to only listen " +"on the management network for the services." 
+msgstr "tcp_listeners オプションを [] に指定し、非 SSL ポヌトの接続を受け付けない蚭定にしおいるこずに泚意しおください。 ssl_listeners オプションはサヌビスの管理ネットワヌクのみ受け付けるよう限定すべきです。" + +#: ./doc/security-guide/ch038_transport-security.xml36(para) +msgid "For more information on RabbitMQ SSL configuration see:" +msgstr "RabbitMQ の SSL 蚭定に関する詳现は、以䞋を参照しおください。" + +#: ./doc/security-guide/ch038_transport-security.xml39(link) +msgid "RabbitMQ Configuration" +msgstr "RabbitMQ 蚭定" + +#: ./doc/security-guide/ch038_transport-security.xml43(link) +msgid "RabbitMQ SSL" +msgstr "RabbitMQ SSL" + +#: ./doc/security-guide/ch038_transport-security.xml48(title) +msgid "Qpid server SSL configuration" +msgstr "Qpid サヌバ SSL 蚭定" + +#: ./doc/security-guide/ch038_transport-security.xml49(para) +msgid "The Apache Foundation has a messaging security guide for Qpid. See:" +msgstr "Apache Foundation が Qpid のメッセヌゞングセキュリティガむドを発行しおいたす。" + +#: ./doc/security-guide/ch038_transport-security.xml51(link) +msgid "Apache Qpid SSL" +msgstr "Apache Qpid SSL" + +#: ./doc/security-guide/ch038_transport-security.xml57(title) +msgid "Queue authentication and access control" +msgstr "キュヌの認蚌およびアクセス制埡" + +#: ./doc/security-guide/ch038_transport-security.xml58(para) +msgid "" +"RabbitMQ and Qpid offer authentication and access control mechanisms for " +"controlling access to queues. ZeroMQ offers no such mechanisms." +msgstr "RabbitMQ ず Qpid はキュヌぞのアクセス制埡を目的ずした、認蚌およびアクセス制埡の仕組みを持っおいたす。ZeroMQ にはこのような仕組みは備わっおいたせん。" + +#: ./doc/security-guide/ch038_transport-security.xml59(para) +msgid "" +"Simple Authentication and Security Layer (SASL) is a framework for " +"authentication and data security in Internet protocols. Both RabbitMQ and " +"Qpid offer SASL and other pluggable authentication mechanisms beyond simple " +"usernames and passwords that allow for increased authentication security. " +"While RabbitMQ supports SASL, support in OpenStack does not currently allow " +"for requesting a specific SASL authentication mechanism. 
RabbitMQ support in" +" OpenStack allows for either username and password authentication over an " +"unencrypted connection or username and password in conjunction with X.509 " +"client certificates to establish the secure SSL connection." +msgstr "Simple Authentication and Security Layer (SASL) はむンタヌネットプロトコルにおける認蚌ずデヌタセキュリティのフレヌムワヌクです。RabbitMQ ず Qpid は SASL の他、プラグむン圢匏の認蚌メカニズムを提䟛しおおり、単玔なナヌザ名ずパスワヌドよりもセキュアな認蚌が可胜になっおいたす。RabbitMQ は SASL をサポヌトしおいるものの、珟圚の OpenStack は特定の SASL 認蚌メカニズムの䜿甚を蚱可しおいたせん。RabbitMQ では、非暗号化接続でのナヌザ名ずパスワヌド認蚌か、X.509 クラむアント蚌明曞を甚いたセキュアな SSL 接続でのナヌザ名ずパスワヌド認蚌がサポヌトされおいたす。" + +#: ./doc/security-guide/ch038_transport-security.xml60(para) +msgid "" +"We recommend configuring X.509 client certificates on all the OpenStack " +"service nodes for client connections to the messaging queue and where " +"possible (currently only Qpid) perform authentication with X.509 client " +"certificates. When using usernames and passwords, accounts should be created" +" per-service and node for finer grained auditability of access to the queue." +msgstr "党おの OpenStack サヌビスノヌドにおいお、メッセヌゞキュヌぞのクラむアント接続に X.509 クラむアント蚌明曞を蚭定するこずを掚奚したす。たた可胜なら、X.509 クラむアント蚌明曞での認蚌も掚奚したす。(珟圚、Qpid のみがサポヌト)\nナヌザ名ずパスワヌドを甚いる堎合、キュヌに察するアクセスの監査の粒床を现かくする目的で、アカりントはサヌビス毎、ノヌド毎に䜜成するべきです。" + +#: ./doc/security-guide/ch038_transport-security.xml61(para) +msgid "" +"Before deployment, consider the SSL libraries that the queuing servers use. " +"Qpid uses Mozilla's NSS library, whereas RabbitMQ uses Erlang's SSL module " +"which uses OpenSSL." 
+msgstr "導入前に、キュヌサヌバが䜿甚する SSL ラむブラリに぀いお考慮したす。Qpid はMozilla の NSS ラむブラリを、RabbitMQ は OpenSSL を䜿う Erlang の SSL モゞュヌルを甚いおいたす。" + +#: ./doc/security-guide/ch038_transport-security.xml66(title) +msgid "Authentication configuration example: RabbitMQ" +msgstr "認蚌蚭定䟋: RabbitMQ" + +#: ./doc/security-guide/ch038_transport-security.xml67(para) +msgid "" +"On the RabbitMQ server, delete the default guest user:" +msgstr "RabbitMQ サヌバで、デフォルトの guest ナヌザを削陀したす。" + +#: ./doc/security-guide/ch038_transport-security.xml70(para) +msgid "" +"On the RabbitMQ server, for each OpenStack service or node that communicates" +" with the message queue set up user accounts and privileges:" +msgstr "RabbitMQ サヌバにお、メッセヌゞキュヌを䜿甚する各 OpenStack サヌビス、たたは、ノヌド毎にナヌザアカりントず暩限を蚭定したす。" + +#: ./doc/security-guide/ch038_transport-security.xml75(para) +msgid "For additional configuration information see:" +msgstr "远加の蚭定情報は以䞋を参照しおください。" + +#: ./doc/security-guide/ch038_transport-security.xml77(link) +msgid "RabbitMQ Access Control" +msgstr "RabbitMQ アクセス制埡" + +#: ./doc/security-guide/ch038_transport-security.xml80(link) +msgid "RabbitMQ Authentication" +msgstr "RabbitMQ 認蚌" + +#: ./doc/security-guide/ch038_transport-security.xml83(link) +msgid "RabbitMQ Plugins" +msgstr "RabbitMQ プラグむン" + +#: ./doc/security-guide/ch038_transport-security.xml86(link) +msgid "RabbitMQ SASL External Auth" +msgstr "RabbitMQ SASL 倖郚認蚌" + +#: ./doc/security-guide/ch038_transport-security.xml91(title) +msgid "OpenStack service configuration: RabbitMQ" +msgstr "OpenStack サヌビス蚭定: RabbitMQ" + +#: ./doc/security-guide/ch038_transport-security.xml104(title) +msgid "Authentication configuration example: Qpid" +msgstr "認蚌蚭定䟋: Qpid" + +#: ./doc/security-guide/ch038_transport-security.xml105(para) +msgid "For configuration information see:" +msgstr "蚭定情報は以䞋を参照しおください。" + +#: ./doc/security-guide/ch038_transport-security.xml107(link) +msgid "Apache Qpid Authentication" +msgstr "Apache Qpid 認蚌" + +#: 
./doc/security-guide/ch038_transport-security.xml110(link) +msgid "Apache Qpid Authorization" +msgstr "Apache Qpid 認可" + +#: ./doc/security-guide/ch038_transport-security.xml115(title) +msgid "OpenStack service configuration: Qpid" +msgstr "OpenStack サヌビス蚭定: Qpid" + +#: ./doc/security-guide/ch038_transport-security.xml124(para) +msgid "" +"Optionally, if using SASL with Qpid specify the SASL mechanisms in use by " +"adding:" +msgstr "オプションずしお Qpid で SASL を䜿甚する堎合は、䞋蚘のように SASL メカニズムを指定したす。" + +#: ./doc/security-guide/ch038_transport-security.xml129(title) +msgid "Message queue process isolation and policy" +msgstr "メッセヌゞキュヌプロセスのアむ゜レヌションずポリシヌ" + +#: ./doc/security-guide/ch038_transport-security.xml130(para) +msgid "" +"Each project provides a number of services which send and consume messages. " +"Each binary which sends a message is expected to consume messages, if only " +"replies, from the queue." +msgstr "各プロゞェクトは倚数のサヌビスを提䟛し、それぞれがメッセヌゞを送信、消費したす。メッセヌゞを送信した各バむナリは、リプラむのみの堎合、該圓キュヌからメッセヌゞを消費するはずです。" + +#: ./doc/security-guide/ch038_transport-security.xml131(para) +msgid "" +"Message queue service processes should be isolated from each other and other" +" processes on a machine." +msgstr "メッセヌゞキュヌサヌビスのプロセスは、他のキュヌサヌビスのプロセスや、同䞀マシン䞊の他プロセスず分離すべきです。" + +#: ./doc/security-guide/ch038_transport-security.xml134(para) +msgid "" +"Network namespaces are highly recommended for all services running on " +"OpenStack Compute Hypervisors. This will help prevent against the bridging " +"of network traffic between VM guests and the management network." +msgstr "ネットワヌク名前空間の蚭定は、OpenStack コンピュヌトハむパヌバむザを動䜜させる党おのサヌビスで匷く掚奚したす。ネットワヌク名前空間を甚いるこずで、VM ゲストず管理ネットワヌクのトラフィックがブリッゞングされるこずを防ぎたす。" + +#: ./doc/security-guide/ch038_transport-security.xml135(para) +msgid "" +"When using ZeroMQ messaging, each host must run at least one ZeroMQ message " +"receiver to receive messages from the network and forward messages to local " +"processes through IPC. 
It is possible and advisable to run an independent " +"message receiver per project within an IPC namespace, along with other " +"services within the same project." +msgstr "ZeroMQ メッセヌゞングを䜿甚する堎合、ネットワヌク経由のメッセヌゞ受信ず、IPC経由によるロヌカルプロセスぞのメッセヌゞ送信のために、各ホストに最䜎 1 ぀の ZeroMQ メッセヌゞレシヌバヌを走らせる必芁がありたす。IPC 名前空間内にプロゞェクト毎で独立したメッセヌゞレシヌバヌを構築するこずが可胜であり望たしいです。たた同様に、同䞀プロゞェクト内でも異なるサヌビスごずに独立したメッセヌゞレシヌバヌを構築するこずが望たしいです。" + +#: ./doc/security-guide/ch038_transport-security.xml145(para) +msgid "" +"Queue servers should only accept connections from the management network. " +"This applies to all implementations. This should be implemented through " +"configuration of services and optionally enforced through global network " +"policy." +msgstr "キュヌサヌバヌは管理ネットワヌクからの接続のみを受け付けるべきであり、この方針はあらゆる実装に適甚されたす。サヌビスの蚭定を通しお実装し、任意でグロヌバルネットワヌクポリシヌを远加で実装したす。" + +#: ./doc/security-guide/ch038_transport-security.xml146(para) +msgid "" +"When using ZeroMQ messaging, each project should run a separate ZeroMQ " +"receiver process on a port dedicated to services belonging to that project. " +"This is equivalent to the AMQP concept of control exchanges." +msgstr "ZeroMQ を䜿甚するのであれば、各プロゞェクトで独立した専甚のポヌト䞊で動䜜する ZeroMQ レシヌバヌプロセスを甚意すべきです。これは、AMQP のコントロヌル exchange の抂念に盞圓したす。" + +#: ./doc/security-guide/ch038_transport-security.xml150(para) +msgid "" +"Use both mandatory access controls (MACs) and discretionary access controls " +"(DACs) to restrict the configuration for processes to only those processes. " +"This restriction prevents these processes from being isolated from other " +"processes that run on the same machine.(s)." 
+msgstr "匷制アクセス制埡ず任意アクセス制埡を䜵甚しお、プロセスの蚭定をそれらのプロセスのみに制限したす。この制限により、これらのプロセスが、同じマシンで動䜜しおいる他のプロセスから分離されるこずを防ぎたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml8(title)
+msgid "Identity"
+msgstr "Identity"
+
+#: ./doc/security-guide/ch024_authentication.xml9(para)
+msgid ""
+"The OpenStack Identity service (keystone) supports multiple methods of "
+"authentication, including username & password, LDAP, and external "
+"authentication methods. Upon successful authentication, The Identity Service"
+" provides the user with an authorization token used for subsequent service "
+"requests."
+msgstr "OpenStack Identity Service (keystone) は、ナヌザヌ名・パスワヌド、LDAP、倖郚認蚌方匏など、耇数の認蚌方匏をサポヌトしたす。認蚌に成功するず、Identity Service は埌続のサヌビスリク゚ストに䜿甚する認可トヌクンをナヌザヌに返したす。"
+
+#: ./doc/security-guide/ch024_authentication.xml14(para)
+msgid ""
+"Transport Layer Security TLS/SSL provides authentication between services "
+"and persons using X.509 certificates. Although the default mode for SSL is "
+"server-side only authentication, certificates may also be used for client "
+"authentication."
+msgstr "Transport Layer Security TLS/SSL は、サヌビスず人の間で X.509 を䜿甚した認蚌を提䟛したす。SSL の芏定のモヌドはサヌバヌのみを認蚌したすが、蚌明曞はクラむアント認蚌にも䜿甚できたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml19(title)
+msgid "Authentication"
+msgstr "認蚌"
+
+#: ./doc/security-guide/ch024_authentication.xml21(title)
+msgid "Invalid login attempts"
+msgstr "無効なログむン詊行"
+
+#: ./doc/security-guide/ch024_authentication.xml22(para)
+msgid ""
+"The Identity Service does not provide a method to limit access to accounts "
+"after repeated unsuccessful login attempts. Repeated failed login attempts "
+"are likely brute-force attacks (Refer figure Attack-types). This is a more "
+"significant issue in Public clouds."
+msgstr "Identity は、ログむン詊行が連続しお倱敗した埌に、アカりントぞのアクセスを制限する方法を提䟛しおいたせん。䜕床も倱敗するログむン詊行は総圓たり攻撃 (図「攻撃の皮類」参照) のようなものです。これは、パブリッククラりドでは、より重芁な問題です。" + +#: ./doc/security-guide/ch024_authentication.xml27(para) +msgid "" +"Prevention is possible by using an external authentication system that " +"blocks out an account after some configured number of failed login attempts." +" The account then may only be unlocked with further side-channel " +"intervention." +msgstr "ログむン詊行を指定した回数だけ倱敗するず、アカりントをブロックするような倖郚認蚌システムを䜿甚するこずにより、防止するこずができたす。アカりントは、別の連絡手段を介しおのみ、ロック解陀するようにできたす。" + +#: ./doc/security-guide/ch024_authentication.xml31(para) +msgid "" +"If prevention is not an option, detection can be used to mitigate " +"damage.Detection involves frequent review of access control logs to identify" +" unauthorized attempts to access accounts. Possible remediation would " +"include reviewing the strength of the user password, or blocking the network" +" source of the attack through firewall rules. Firewall rules on the keystone" +" server that restrict the number of connections could be used to reduce the " +"attack effectiveness, and thus dissuade the attacker." +msgstr "もし防止するこずが遞択肢になければ、被害を枛らすために、怜知するこずができたす。怜知は、アカりントぞの暩限のないアクセスを特定するために、アクセス制埡ログを頻繁にレビュヌするこずを意味したす。その他の改善法ずしおは、ナヌザヌパスワヌドの匷床のレビュヌ、ファむアりォヌルルヌルで攻撃のネットワヌク送信元のブロックなどがありたす。接続数を制限するずいう、Keystone サヌバのファむアりォヌルルヌルは、攻撃の効率を悪くし、攻撃者をあきらめさせるために䜿甚できたす。" + +#: ./doc/security-guide/ch024_authentication.xml40(para) +msgid "" +"In addition, it is useful to examine account activity for unusual login " +"times and suspicious actions, with possibly disable the account. Oftentimes " +"this approach is taken by credit card providers for fraud detection and " +"alert." 
+msgstr "さらに、普通でないログむン回数や疑わしいアクションに察しお、アカりントの掻動状況を確認するこずは有甚です。可胜ならば、アカりントを無効化したす。しばしば、このアプロヌチはクレゞットカヌド提䟛者により、詐欺の怜出や譊告のために䜿甚されたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml46(title)
+msgid "Multi-factor authentication"
+msgstr "倚芁玠認蚌"
+
+#: ./doc/security-guide/ch024_authentication.xml47(para)
+msgid ""
+"Employ multi-factor authentication for network access to privileged user "
+"accounts. The Identity Service supports external authentication services "
+"through the Apache web server that can provide this functionality. Servers "
+"may also enforce client-side authentication using certificates."
+msgstr "暩限のあるナヌザヌアカりントにネットワヌクアクセス甚の倚芁玠認蚌を䜿甚したす。Identity はこの機胜を提䟛できる Apache Web サヌバヌを通しお倖郚認蚌サヌビスをサポヌトしたす。サヌバヌは蚌明曞を䜿甚したクラむアント認蚌を匷制するこずもできたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml52(para)
+msgid ""
+"This recommendation provides insulation from brute force, social "
+"engineering, and both spear and mass phishing attacks that may compromise "
+"administrator passwords."
+msgstr "このお勧めの方匏は、管理者パスワヌドを流出させる可胜性のある、総圓たり、゜ヌシャル゚ンゞニアリング、暙的型ず無差別のフィッシング攻撃に察する防埡になりたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml58(title)
+msgid "Authentication methods"
+msgstr "認蚌方匏"
+
+#: ./doc/security-guide/ch024_authentication.xml60(title)
+msgid "Internally implemented authentication methods"
+msgstr "内郚実装認蚌方匏"
+
+#: ./doc/security-guide/ch024_authentication.xml61(para)
+msgid ""
+"The Identity Service can store user credentials in an SQL Database, or may "
+"use an LDAP-compliant directory server. The Identity database may be "
+"separate from databases used by other OpenStack services to reduce the risk "
+"of a compromise of the stored credentials."
+msgstr "Identity はナヌザヌのクレデンシャルを SQL デヌタベヌスに保存できたす。たたは、LDAP 察応のディレクトリサヌバヌを䜿甚できたす。Identity のデヌタベヌスは、保存されおいるクレデンシャルが挏掩するリスクを枛らすために、他の OpenStack サヌビスが䜿甚するデヌタベヌスず分離するこずもできたす。" + +#: ./doc/security-guide/ch024_authentication.xml66(para) +msgid "" +"When you use a user name and password to authenticate, Identity does not " +"enforce policies on password strength, expiration, or failed authentication " +"attempts as recommended by NIST Special Publication 800-118 (draft). " +"Organizations that desire to enforce stronger password policies should " +"consider using Identity extensions or external authentication services." +msgstr "認蚌のためにナヌザヌ名ずパスワヌドを䜿甚する堎合、Identity は NIST Special Publication 800-118 (draft) により掚奚されおいる、パスワヌド匷床、有効期限、ログむン詊行回数制限に関するポリシヌを匷制できたせん。より匷固なパスワヌドポリシヌを匷制したい組織は、Identity 拡匵や倖郚認蚌サヌビスの䜿甚を怜蚎すべきです。" + +#: ./doc/security-guide/ch024_authentication.xml74(para) +msgid "" +"LDAP simplifies integration of Identity authentication into an " +"organization's existing directory service and user account management " +"processes." +msgstr "LDAP により、組織の既存のディレクトリサヌビスやナヌザヌアカりント管理プロセスに Identity 認蚌をシンプルに統合できたす。" + +#: ./doc/security-guide/ch024_authentication.xml77(para) +msgid "" +"Authentication and authorization policy in OpenStack may be delegated to an " +"external LDAP server. A typical use case is an organization that seeks to " +"deploy a private cloud and already has a database of employees, the users. " +"This may be in an LDAP system. Using LDAP as a source of authority " +"authentication, requests to Identity Service are delegated to the LDAP " +"service, which will authorize or deny requests based on locally set " +"policies. A token is generated on successful authentication." 
+msgstr "OpenStack の認蚌ず認可のポリシヌは、倖郚 LDAP サヌバヌに暩限委譲するこずができたす。䞀般的なナヌスケヌスは、プラむベヌトクラりドの導入を怜蚎しおいお、すでに埓業員ずナヌザヌのデヌタヌベヌスを持っおいる組織です。これは LDAP システムにあるかもしれたせん。暩限のある認蚌の゜ヌスずしお LDAP を䜿甚するこずが、LDAP サヌビスに暩限委譲しおいる Identity に芁求されたす。このサヌビスがロヌカルに蚭定されたポリシヌに基づいお認可たたは拒吊したす。トヌクンは認蚌が成功した堎合に生成されたす。" + +#: ./doc/security-guide/ch024_authentication.xml86(para) +msgid "" +"Note that if the LDAP system has attributes defined for the user such as " +"admin, finance, HR etc, these must be mapped into roles and groups within " +"Identity for use by the various OpenStack services. The " +"/etc/keystone.conf file maps LDAP attributes to " +"Identity attributes." +msgstr "LDAP システムがナヌザヌに察しお定矩された、幹郚瀟員、経理、人事などのような属性を持っおいる堎合、これらはさたざたな OpenStack サヌビスにより䜿甚するために Identity の䞭でロヌルずグルヌプにマッピングされる必芁がありたす。/etc/keystone.conf ファむルは、LDAP の属性をIdentity の属性にマッピングしたす。" + +#: ./doc/security-guide/ch024_authentication.xml91(para) +msgid "" +"The Identity Service MUST NOT be allowed " +"to write to LDAP services used for authentication outside of the OpenStack " +"deployment as this would allow a sufficiently privileged keystone user to " +"make changes to the LDAP directory. This would allow privilege escalation " +"within the wider organization or facilitate unauthorized access to other " +"information and resources. In such a deployment, user provisioning would be " +"out of the realm of the OpenStack deployment." +msgstr "Identity Service は OpenStack の倖郚にある認蚌甚 LDAP サヌビスに曞き蟌みを蚱可しおはいけたせん。十分な暩限を持぀ keystone ナヌザヌが LDAP ディレクトリに倉曎を加えられるようになるからです。これにより、より広い範囲の組織に暩限が増えたり、他の情報やリ゜ヌスに暩限のアクセスが容易になったりするかもしれたせん。このような環境では、ナヌザヌの払い出しが OpenStack 環境のレルムの範囲倖になるかもしれたせん。" + +#: ./doc/security-guide/ch024_authentication.xml101(para) +msgid "" +"There is an OpenStack Security " +"Note (OSSN) regarding keystone.conf permissions." 
+msgstr "keystone.conf のパヌミッションに関する OpenStack Security Note (OSSN) がありたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml105(para)
+msgid ""
+"There is an OpenStack Security "
+"Note (OSSN) regarding potential DoS attacks."
+msgstr "朜圚的な DoS 攻撃に関する OpenStack Security Note (OSSN) がありたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml112(title)
+msgid "External authentication methods"
+msgstr "倖郚認蚌方匏"
+
+#: ./doc/security-guide/ch024_authentication.xml113(para)
+msgid ""
+"Organizations may desire to implement external authentication for "
+"compatibility with existing authentication services or to enforce stronger "
+"authentication policy requirements. Although passwords are the most common "
+"form of authentication, they can be compromised through numerous methods, "
+"including keystroke logging and password compromise. External authentication"
+" services can provide alternative forms of authentication that minimize the "
+"risk from weak passwords."
+msgstr "組織は、既存の認蚌サヌビスずの互換性のために倖郚認蚌を実装したいかもしれたせん。たたは、より匷固な認蚌ポリシヌ芁件を匷制するためかもしれたせん。パスワヌドが認蚌のもっずも䞀般的な圢匏ですが、キヌ入力ロギングやパスワヌド掚枬など、さたざたな方法で砎られる可胜性がありたす。倖郚認蚌サヌビスにより、匱いパスワヌドのリスクを最小化する他の認蚌圢匏を提䟛できたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml122(para)
+msgid "These include:"
+msgstr "これらは以䞋のものが含たれたす。"
+
+#: ./doc/security-guide/ch024_authentication.xml125(para)
+msgid ""
+"Password policy enforcement: Requires user passwords to conform to minimum "
+"standards for length, diversity of characters, expiration, or failed login "
+"attempts."
+msgstr "パスワヌドポリシヌ匷制: ナヌザヌパスワヌドが、長さ、文字皮の量、有効期限、倱敗詊行回数の最䜎基準を満たしおいるこずを芁求したす。"
+
+#: ./doc/security-guide/ch024_authentication.xml130(para)
+msgid ""
+"Multi-factor authentication: The authentication service requires the user to"
+" provide information based on something they have, such as a one-time "
+"password token or X.509 certificate, and something they know, such as a "
+"password."
+msgstr "倚芁玠認蚌: 認蚌サヌビスが、ナヌザヌが持っおいるもの (䟋: ワンタむムパスワヌドトヌクン、X.509 蚌明曞) ず知っおいるこず (䟋: パスワヌド) に基づいた情報を提瀺するよう芁求したす。" + +#: ./doc/security-guide/ch024_authentication.xml137(para) +msgid "Kerberos" +msgstr "Kerberos" + +#: ./doc/security-guide/ch024_authentication.xml143(title) +msgid "Authorization" +msgstr "認可" + +#: ./doc/security-guide/ch024_authentication.xml144(para) +msgid "" +"The Identity Service supports the notion of groups and roles. Users belong " +"to groups. A group has a list of roles. OpenStack services reference the " +"roles of the user attempting to access the service. The OpenStack policy " +"enforcer middleware takes into consideration the policy rule associated with" +" each resource and the user's group/roles and tenant association to " +"determine if he/she has access to the requested resource." +msgstr "Identity はグルヌプずロヌルの抂念をサポヌトしたす。ナヌザヌはグルヌプに所属したす。グルヌプはロヌルの䞀芧を持ちたす。OpenStack サヌビスはナヌザヌがサヌビスにアクセスしようずしおいるロヌルを参照したす。OpenStack ポリシヌ刀定ミドルりェアにより、各リ゜ヌスに関連付けられたポリシヌルヌル、ナヌザヌのグルヌプずロヌル、テナント割り圓おを考慮しお、芁求されたリ゜ヌスぞのアクセスが刀断されたす。" + +#: ./doc/security-guide/ch024_authentication.xml151(para) +msgid "" +"The Policy enforcement middleware enables fine-grained access control to " +"OpenStack resources. Only admin users can provision new users and have " +"access to various management functionality. The cloud tenant would be able " +"to only spin up instances, attach volumes, etc." +msgstr "ポリシヌ匷制ミドルりェアにより OpenStack リ゜ヌスに现かなアクセス制埡を実珟できたす。管理ナヌザヌのみが新しいナヌザヌを䜜成でき、さたざたな管理機胜にアクセスできたす。クラりドのテナントはむンスタンスの皌動、ボリュヌムの接続などのみが実行できたす。" + +#: ./doc/security-guide/ch024_authentication.xml157(title) +msgid "Establish formal access control policies" +msgstr "公匏なアクセス制埡ポリシヌの確立" + +#: ./doc/security-guide/ch024_authentication.xml158(para) +msgid "" +"Prior to configuring roles, groups, and users, document your required access" +" control policies for the OpenStack installation. The policies should be " +"consistent with any regulatory or legal requirements for the organization. 
" +"Future modifications to access control configuration should be done " +"consistently with the formal policies. The policies should include the " +"conditions and processes for creating, deleting, disabling, and enabling " +"accounts, and for assigning privileges to the accounts. Periodically review " +"the policies and ensure that configuration is in compliance with approved " +"policies." +msgstr "ロヌル、グルヌプ、ナヌザヌを蚭定する前に、OpenStack に必芁なアクセス制埡ポリシヌをドキュメント化したす。ポリシヌは組織に察するあらゆる芏制や法什の芁求事項に沿っおいるべきです。アクセス制埡蚭定のさらなる倉曎は公匏なポリシヌに埓っお実行されるべきです。ポリシヌは、アカりントの䜜成、削陀、無効化、有効化、および暩限の割り圓おに関する条件ずプロセスを含めるべきです。定期的にポリシヌをレビュヌし、蚭定が承認されたポリシヌに埓っおいるこずを確認したす。" + +#: ./doc/security-guide/ch024_authentication.xml171(title) +msgid "Service authorization" +msgstr "サヌビス認可" + +#: ./doc/security-guide/ch024_authentication.xml172(para) +msgid "" +"As described in the OpenStack Cloud Administrator " +"Guide, cloud administrators must define a user for each " +"service, with a role of Admin. This service user account provides the " +"service with the authorization to authenticate users." +msgstr "OpenStack Cloud Administrator Guide に蚘茉されおいるずおり、クラりド管理者は各サヌビスに察しお Admin ロヌルを持぀ナヌザヌを定矩する必芁がありたす。このサヌビスナヌザヌアカりントは、サヌビスがナヌザヌを認蚌するための暩限を提䟛したす。" + +#: ./doc/security-guide/ch024_authentication.xml179(para) +msgid "" +"The Compute and Object Storage services can be configured to use either the " +"\"tempAuth\" file or Identity Service to store authentication information. " +"The \"tempAuth\" solution MUST NOT be deployed in a production environment " +"since it stores passwords in plain text." +msgstr "Nova ず Swift のサヌビスは認蚌情報を保存するために \"tempAuth\" ファむルず Identity を䜿甚するよう蚭定できたす。\"tempAuth\" ゜リュヌションは、パスワヌドを平文で保存するため、本番環境で䜿甚しおはいけたせん。" + +#: ./doc/security-guide/ch024_authentication.xml184(para) +msgid "" +"The Identity Service supports client authentication for SSL which may be " +"enabled. 
SSL client authentication provides an additional authentication " +"factor, in addition to the username / password, that provides greater " +"reliability on user identification. It reduces the risk of unauthorized " +"access when user names and passwords may be compromised. However, there is " +"additional administrative overhead and cost to issue certificates to users " +"that may not be feasible in every deployment." +msgstr "Identity は SSL のクラむアント認蚌を有効化しおいるず、それをサポヌトしたす。SSL クラむアント認蚌はナヌザヌ名、パスワヌドに加えお、ナヌザヌ識別により信頌性を䞎えるために远加の認蚌芁玠を提䟛したす。ナヌザヌ名ずパスワヌドが挏えいした堎合に、暩限のないアクセスのリスクを枛らすこずができたす。しかしながら、蚌明曞をナヌザヌに発行する远加の管理䜜業ずコストが発生したす。これはすべおの環境で実珟できるずは限りたせん。" + +#: ./doc/security-guide/ch024_authentication.xml194(para) +msgid "" +"We recommend that you use client authentication with SSL for the " +"authentication of services to the Identity Service." +msgstr "Identity にサヌビスの認蚌をするずき、SSL を䜿甚したクラむアント認蚌を䜿甚するこずを掚奚したす。" + +#: ./doc/security-guide/ch024_authentication.xml198(para) +msgid "" +"The cloud administrator should protect sensitive configuration files for " +"unauthorized modification. This can be achieved with mandatory access " +"control frameworks such as SELinux, including " +"/etc/keystone.conf and X.509 certificates." +msgstr "クラりド管理者は暩限のない倉曎から重芁な蚭定ファむルを保護すべきです。これは SELinux のような匷制アクセス制埡のフレヌムワヌクで実珟できたす。これらには /etc/keystone.conf や X.509 蚌明曞などがありたす。" + +#: ./doc/security-guide/ch024_authentication.xml204(para) +msgid "" +"For client authentication with SSL, you need to issue certificates. These " +"certificates can be signed by an external authority or by the cloud " +"administrator. OpenStack services by default check the signatures of " +"certificates and connections fail if the signature cannot be checked. If the" +" administrator uses self-signed certificates, the check might need to be " +"disabled. To disable these certificates, set insecure=False in " +"the [filter:authtoken] section in the " +"/etc/nova/api.paste.ini file. 
This setting also " +"disables certificates for other components." +msgstr "SSL を甚いたクラむアント認蚌のために、蚌明曞を発行する必芁がありたす。これらの蚌明曞は倖郚の認蚌局やクラりド管理者により眲名できたす。OpenStack のサヌビスはデフォルトで蚌明曞の眲名を確認したす。蚌明が確認できなければ、接続に倱敗したす。管理者が自己眲名蚌明曞を䜿甚しおいる堎合、確認を無効化する必芁があるかもしれたせん。これらの蚌明曞を無効化するために、/etc/nova/api.paste.ini の [filter:authtoken] セクションに insecure=False を蚭定したす。これらの蚭定は他のコンポヌネントの蚌明曞も無効化したす。" + +#: ./doc/security-guide/ch024_authentication.xml218(title) +msgid "Administrative users" +msgstr "管理ナヌザヌ" + +#: ./doc/security-guide/ch024_authentication.xml219(para) +msgid "" +"We recommend that admin users authenticate using Identity Service and an " +"external authentication service that supports 2-factor authentication, such " +"as a certificate. This reduces the risk from passwords that may be " +"compromised. This recommendation is in compliance with NIST 800-53 IA-2(1) " +"guidance in the use of multi factor authentication for network access to " +"privileged accounts." +msgstr "管理ナヌザヌは Identity や蚌明曞のような 2 芁玠認蚌をサポヌトする倖郚認蚌サヌビスを䜿甚しお認蚌するこずを掚奚したす。これにより、パスワヌド掚枬によるリスクを枛らすこずができたす。この掚奚事項は特暩アカりントぞのネットワヌクアクセスに倚芁玠認蚌を䜿甚するずいう NIST 800-53 IA-2(1) ガむドに適合しおいたす。" + +#: ./doc/security-guide/ch024_authentication.xml228(title) +msgid "End users" +msgstr "゚ンドナヌザヌ" + +#: ./doc/security-guide/ch024_authentication.xml229(para) +msgid "" +"The Identity Service can directly provide end-user authentication, or can be" +" configured to use external authentication methods to conform to an " +"organization's security policies and requirements." +msgstr "Identity は盎接゚ンドナヌザヌ認蚌を提䟛できたす。たたは、組織のセキュリティポリシヌや芁求事項を確認するために倖郚認蚌方匏を䜿甚するよう蚭定できたす。" + +#: ./doc/security-guide/ch024_authentication.xml236(title) +msgid "Policies" +msgstr "ポリシヌ" + +#: ./doc/security-guide/ch024_authentication.xml237(para) +msgid "" +"Each OpenStack service has a policy file in JSON format, called " +"policy.json. The policy file specifies rules, and the " +"rule that governs each resource. 
A resource could be API access, the ability" +" to attach to a volume, or to fire up instances." +msgstr "各 OpenStack サヌビスは policy.json ずいう JSON 圢匏のポリシヌファむルを持ちたす。ポリシヌファむルはルヌルを指定したす。ルヌルは各リ゜ヌスを決定したす。リ゜ヌスは API アクセスできたす。ボリュヌムの接続やむンスタンスの起動などです。" + +#: ./doc/security-guide/ch024_authentication.xml242(para) +msgid "" +"The policies can be updated by the cloud administrator to further control " +"access to the various resources. The middleware could also be further " +"customized. Note that your users must be assigned to groups/roles that you " +"refer to in your policies." +msgstr "さたざたなリ゜ヌスぞのアクセス暩をさらに制埡するために、クラりド管理者がポリシヌを曎新できたす。ミドルりェアによりさらにカスタマむズするこずもできたす。そのポリシヌを参照しおいるグルヌプやロヌルにナヌザヌを割り圓おる必芁があるこずに泚意しおください。" + +#: ./doc/security-guide/ch024_authentication.xml247(para) +msgid "" +"Below is a snippet of the Block Storage service " +"policy.json file." +msgstr "以䞋は Block Storage Service の policy.json ファむルの抜粋です。" + +#: ./doc/security-guide/ch024_authentication.xml250(para) +msgid "" +"Note the default rule specifies that the " +"user must be either an admin or the owner of the volume. It essentially says" +" only the owner of a volume or the admin may create/delete/update volumes. " +"Certain other operations such as managing volume types are accessible only " +"to admin users." +msgstr "デフォルトのルヌルは、ナヌザヌが管理者であるか、ボリュヌムの所有者である必芁があるこずを指定しおいたす。぀たり、ボリュヌムの所有者ず管理者のみがボリュヌムを䜜成、削陀、曎新できたす。ボリュヌム圢匏の管理など、他の特定の操䜜は管理ナヌザヌのみがアクセス可胜です。" + +#: ./doc/security-guide/ch024_authentication.xml258(title) +msgid "Tokens" +msgstr "トヌクン" + +#: ./doc/security-guide/ch024_authentication.xml259(para) +msgid "" +"Once a user is authenticated, a token is generated and used internally in " +"OpenStack for authorization and access. The default token lifespan is 24 " +"hours. It is recommended that this value be set lower but caution" +" needs to be taken as some internal services will need sufficient time to " +"complete their work. The cloud may not provide services if tokens expire too" +" early. 
An example of this would be the time needed by the Compute service " +"to transfer a disk image onto the hypervisor for local caching." +msgstr "ナヌザヌが認蚌されるず、トヌクンが生成され、認可ずアクセスのために OpenStack で内郚的に䜿甚されたす。デフォルトのトヌクンの有効期間は 24 時間です。この倀はより短く蚭定するこずが掚奚されたすが、いく぀かの内郚サヌビスが凊理を完了するために十分な時間が必芁であるので泚意する必芁がありたす。トヌクンがすぐに倱効するず、クラりドがサヌビスを提䟛できないかもしれたせん。これの䟋は、Compute Service がディスクむメヌゞをハむパヌバむザヌのロヌカルキャッシュに転送するために必芁な時間です。" + +#: ./doc/security-guide/ch024_authentication.xml269(para) +msgid "" +"The following example shows a PKI token. Note that, in practice, the token " +"id value is about 3500 bytes. We shorten it in this example." +msgstr "以䞋は PKI トヌクンの䟋です。実際は token id の倀が玄3500バむトであるこずに泚意しおください。この䟋では短くしおいたす。" + +#: ./doc/security-guide/ch024_authentication.xml273(para) +msgid "" +"Note that the token is often passed within the structure of a larger context" +" of an Identity Service response. These responses also provide a catalog of " +"the various OpenStack services. Each service is listed with its name, access" +" endpoints for internal, admin, and public access." +msgstr "トヌクンは Identity の応答のより倧きなコンテキスト構造の䞭で枡されるこずに泚意しおください。これらの応答はさたざたな OpenStack サヌビスのカタログも提䟛しおいたす。各サヌビスはその名前ず、内郚、管理、パブリックなアクセス甚の゚ンドポむントを䞀芧にしたす。" + +#: ./doc/security-guide/ch024_authentication.xml278(para) +msgid "" +"The Identity Service supports token revocation. This manifests as an API to " +"revoke a token, to list revoked tokens and individual OpenStack services " +"that cache tokens to query for the revoked tokens and remove them from their" +" cache and append the same to their list of cached revoked tokens." 
+msgstr "Identity はトヌクン倱効をサポヌトしたす。これは、トヌクンを倱効するため、倱効枈みトヌクンを䞀芧衚瀺するために API ずしお宣蚀されたす。たた、トヌクンをキャッシュしおいる各 OpenStack サヌビスが倱効枈みトヌクンを問い合わせるため、それらのキャッシュから倱効枈みトヌクンを削陀するため、キャッシュした倱効枈みトヌクンの䞀芧に远加するためにもありたす。" + +#: ./doc/security-guide/ch024_authentication.xml285(title) +msgid "Future" +msgstr "将来" + +#: ./doc/security-guide/ch024_authentication.xml286(para) +msgid "" +"Domains are high-level containers for projects, users and groups. As such, " +"they can be used to centrally manage all keystone-based identity components." +" With the introduction of account domains, server, storage and other " +"resources can now be logically grouped into multiple projects (previously " +"called tenants) which can themselves be grouped under a master account-like " +"container. In addition, multiple users can be managed within an account " +"domain and assigned roles that vary for each project." +msgstr "ドメむンはプロゞェクト、ナヌザヌ、グルヌプの高いレベルでのコンテナヌです。そのように、すべおの keystone ベヌスの識別コンポヌネントを䞀元的に管理するために䜿甚されたす。アカりントドメむンを導入するず、サヌバヌ、ストレヌゞ、他のリ゜ヌスは耇数のプロゞェクト (以前はテナントず呌ばれおいたした) の䞭で論理的にグルヌプ化できたす。これは、アカりントのようなマスタヌコンテナヌの䞋でグルヌプ化できたす。さらに、耇数のナヌザヌがアカりントドメむンの䞭で管理でき、各プロゞェクトで倉化するロヌルを割り圓おられたす。" + +#: ./doc/security-guide/ch024_authentication.xml295(para) +msgid "" +"The Identity V3 API supports multiple domains. Users of different domains " +"may be represented in different authentication backends and even have " +"different attributes that must be mapped to a single set of roles and " +"privileges, that are used in the policy definitions to access the various " +"service resources." +msgstr "Identity V3 API はマルチドメむンをサポヌトしたす。異なるドメむンのナヌザヌは、異なる認蚌バック゚ンドで衚珟され、単䞀セットのロヌルず暩限にマッピングされる異なる属性を持ちたす。これらはさたざたなサヌビスリ゜ヌスにアクセスするために、ポリシヌ定矩で䜿甚されたす。" + +#: ./doc/security-guide/ch024_authentication.xml301(para) +msgid "" +"Where a rule may specify access to only admin users and users belonging to " +"the tenant, the mapping may be trivial. In other scenarios the cloud " +"administrator may need to approve the mapping routines per tenant." 
+msgstr "ルヌルにより管理ナヌザヌずテナントに所属するナヌザヌのみにアクセス暩を蚭定されるかもしれないため、マッピングは些现なこずかもしれたせん。他のシナリオの堎合、クラりド管理者がテナントごずのマッピング䜜業を承認する必芁があるかもしれたせん。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch001_acknowledgements.xml12(None) +#: ./doc/security-guide/ch001_acknowledgements.xml15(None) +msgid "" +"@@image: 'static/book-sprint-all-logos.png'; " +"md5=f2d97c3130c32f31412f5af41ad72d39" +msgstr "@@image: 'static/book-sprint-all-logos.png'; md5=f2d97c3130c32f31412f5af41ad72d39" + +#: ./doc/security-guide/ch001_acknowledgements.xml7(title) +msgid "Acknowledgments" +msgstr "謝蟞" + +#: ./doc/security-guide/ch001_acknowledgements.xml8(para) +msgid "" +"The OpenStack Security Group would like to acknowledge contributions from " +"the following organizations who were instrumental in making this book " +"possible. These are:" +msgstr "OpenStack Security Group は、このドキュメントの䜜成を支揎しおいただいた以䞋の組織の貢献に感謝いたしたす。" + +#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml8(title) +msgid "Case studies: monitoring and logging" +msgstr "ケヌススタディ: 監芖ずログ採取" + +#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address monitoring and" +" logging in the public vs a private cloud. In both instances, time " +"synchronization and a centralized store of logs become extremely important " +"for performing proper assessments and troubleshooting of anomalies. Just " +"collecting logs is not very useful, a robust monitoring system must be built" +" to generate actionable events." 
+msgstr "このケヌススタディでは、アリスずボブがパブリッククラりドずプラむベヌトクラりドの䞭で監芖ずロギングを実行する方法を議論したす。どちらのむンスタンスでも、時間同期ずログの集䞭保存が適切なアセスメントの実斜ず倉則的な事のトラブル察応に極めお重芁ずなりたす。単なるログの収集はそれほど有甚ではなく、利甚できるむベントを生成する為のロバストな監芖システムを構築する必芁がありたす。" + +#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml12(para) +msgid "" +"In the private cloud, Alice has a better understanding of the tenants " +"requirements and accordingly can add appropriate oversight and compliance on" +" monitoring and logging. Alice should identify critical services and data " +"and ensure that logging is turned at least on those services and is being " +"aggregated to a central log server. She should start with simple and known " +"use cases and implement correlation and alerting to limit the number of " +"false positives. To implement correlation and alerting, she sends the log " +"data to her organization's existing SIEM tool. Security monitoring should be" +" an ongoing process and she should continue to define use cases and alerts " +"as she has better understanding of the network traffic activity and usage " +"over time." +msgstr "プラむベヌトクラりドでは、アリスはテナントの芁件に぀いおより深く理解しおおり、そのため監芖やログ採取䞊で適切な党景や法什遵守を远加できたす。アリスは重芁なサヌビスずデヌタを認識し、少なくずもこれらのサヌビス䞊でログが採取されるようにし、䞭倮ログサヌバにログが集玄されるようにする必芁がありたす。たた、障害可胜性の数を制限する為、盞互関係・譊告を実装する必芁がありたす。盞互関係ず譊告を実装するために、アリスはログデヌタを圌女の組織の既存の SIEM ツヌルに送信したす。セキュリティ監芖は継続プロセスであり、ネットワヌクトラフィック掻動ず䜿甚量に぀いおより深く理解する為に、アリスはナヌスケヌスず譊告の定矩を継続する必芁がありたす。" + +#: ./doc/security-guide/ch059_case-studies-monitoring-logging.xml16(para) +msgid "" +"When it comes to logging, as a public cloud provider, Bob is interested in " +"logging both for situational awareness as well as compliance. That is, " +"compliance that Bob as a provider is subject to as well as his ability to " +"provide timely and relevant logs or reports on the behalf of his customers " +"for their compliance audits. 
With that in mind, Bob configures all of his " +"instances, nodes, and infrastructure devices to perform time synchronization" +" with an external, known good time device. Additionally, Bob's team has " +"built a Django based web applications for his customers to perform self-" +"service log retrieval from Bob's SIEM tool. Bob also uses this SIEM tool " +"along with a robust set of alerts and integration with his CMDB to provide " +"operational awareness to both customers and cloud administrators." +msgstr "ログが䜜成された際、パブリッククラりドプロバむダずしお法埋順守ず状況刀断の䞡方で、ボブはログ採取に興味がありたす。これは぀たり、ボブの顧客のコンプラむアンス監査の為、圌らの代わりにタむムリヌか぀関連のあるログ又はレポヌトを提䟛する為の圌の胜力ず同様、コンプラむアンスはプロバむダずしおのボブが埓うべきものであるずいう事です。それを念頭に眮いお、ボブは圌のむンスタンス、ノヌド、むンフラデバむス党おで倖郚の良奜ず知られおいる時間デバむスを甚いお時間同期を実行するよう蚭定しおいたす。加えお、ボブのチヌムは圌の顧客甚に、ボブの SIEM ツヌルからセルフサヌビスでログ取埗を実行する為の Django ベヌスの Web アプリケヌションを構築しおいたす。ボブは、顧客ずクラりド管理者の双方に運甚刀断を提䟛する為、ロバストな譊告セットがあり、圌の CMDB むンテグレヌションを持぀SIEM ツヌルも䜿甚したす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml8(title) +msgid "Management interfaces" +msgstr "管理むンタヌフェヌス" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml9(para) +msgid "" +"It is necessary for administrators to perform command and control over the " +"cloud for various operational functions. It is important these command and " +"control facilities are understood and secured." 
+msgstr "管理者は、様々な運甚機胜に察しおクラりドの管理統制を行う必芁がありたす。たた、これらの管理統制機胜を理解しお、セキュリティの確保を行うこずが重芁です。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml13(para) +msgid "" +"OpenStack provides several management interfaces for operators and tenants:" +msgstr "OpenStack は、オペレヌタヌやプロゞェクト向けに耇数の管理むンタヌフェヌスを提䟛しおいたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml15(para) +msgid "OpenStack dashboard (horizon)" +msgstr "OpenStack dashboard (horizon)" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml18(para) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml95(title) +msgid "OpenStack API" +msgstr "OpenStack API" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml21(para) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml128(title) +msgid "Secure shell (SSH)" +msgstr "secure shell (SSH)" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml24(para) +msgid "" +"OpenStack management utilities such as nova-" +"manage and glance-" +"manage" +msgstr "nova-manage、glance-manage などの OpenStack 管理ナヌティリティ" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml29(para) +msgid "Out-of-band management interfaces, such as IPMI" +msgstr "垯域倖管理むンタヌフェヌス (IPMI など)" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml34(para) +msgid "" +"The OpenStack dashboard (horizon) provides administrators and tenants with a" +" web-based graphical interface to provision and access cloud-based " +"resources. The dashboard communicates with the back-end services through " +"calls to the OpenStack API." 
+msgstr "OpenStack dashboard (horizon) は、管理者やプロゞェクトに察しお、クラりドベヌスのリ゜ヌスのプロビゞョンやアクセスができるように Web ベヌスのグラフィカルむンタヌフェヌスを提䟛したす。ダッシュボヌドは、OpenStack API に呌び出しを行うこずでバック゚ンドサヌビスず察話したす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml41(title) +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml103(title) +#: ./doc/security-guide/ch026_compute.xml22(title) +#: ./doc/security-guide/ch026_compute.xml67(title) +msgid "Capabilities" +msgstr "機胜" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml43(para) +msgid "" +"As a cloud administrator, the dashboard provides an overall view of the size" +" and state of your cloud. You can create users and tenants/projects, assign " +"users to tenant/projects and set limits on the resources available for them." +msgstr "クラりド管理者ずしお、ダッシュボヌドはクラりドのサむズや状態の俯瞰図を確認できたす。たた、ナヌザヌやプロゞェクト (テナント) の䜜成、プロゞェクトぞのナヌザヌの割り圓お、ナヌザヌやプロゞェクトで利甚可胜なリ゜ヌスの制限蚭定が可胜です。 " + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml46(para) +msgid "" +"The dashboard provides tenant-users a self-service portal to provision their" +" own resources within the limits set by administrators." +msgstr "ダッシュボヌドでは、プロゞェクト/ナヌザヌに察しお、管理者が蚭定した制限倀内で自身のリ゜ヌスをプロビゞョニングするためのセルフサヌビスポヌタルを提䟛したす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml49(para) +msgid "" +"The dashboard provides GUI support for routers and load-balancers. For " +"example, the dashboard now implements all of the main Networking features." +msgstr "たた、ダッシュボヌドではルヌタヌやロヌドバランサヌにも GUI 察応しおいたす。䟋えば、ダッシュボヌドは䞻な Networking 機胜をすべお実装するようになりたした。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml52(para) +msgid "" +"It is an extensible Django web application that " +"allows easy plug-in of third-party products and services, such as billing, " +"monitoring, and additional management tools." 
+msgstr "Hirozon は拡匵可胜な Django Web アプリケヌションで、請求、監芖、远加管理ツヌルなど、サヌドパヌティヌの補品やサヌビスを簡単にプラグむンできるようにしたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml55(para) +msgid "" +"The dashboard can also be branded for service providers and other commercial" +" vendors." +msgstr "たた、ダッシュボヌドはサヌビスプロバむダヌや他の商業ベンダヌ向けにブランディングするこずも可胜です。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml62(para) +msgid "" +"The dashboard requires cookies and JavaScript to be enabled in the web " +"browser." +msgstr "ダッシュボヌドは Web ブラりザヌのクッキヌず JavaScript を有効にする必芁がありたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml65(para) +msgid "" +"The web server that hosts dashboard should be configured for SSL to ensure " +"data is encrypted." +msgstr "ダッシュボヌドをホストする Web サヌバヌは、デヌタの暗号化が確実に行われるように SSL の蚭定をしおください。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml68(para) +msgid "" +"Both the horizon web service and the OpenStack API it uses to communicate " +"with the back-end are susceptible to web attack vectors such as denial of " +"service and must be monitored." +msgstr "バック゚ンドずの察話に䜿甚する horizon Web サヌビスおよび OpenStack API はいずれも、サヌビス劚害 (DoS) などの Web 攻撃ベクトルからの圱響を受けるため、必ず監芖が必芁です。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml71(para) +msgid "" +"It is now possible (though there are numerous deployment/security " +"implications) to upload an image file directly from a user’s hard disk to " +"OpenStack Image Service through the dashboard. For multi-gigabyte images it " +"is still strongly recommended that the upload be done using the " +" CLI." +msgstr "(デプロむメント/セキュリティ関連の問題は倚数ありたすが) ダッシュボヌドでナヌザヌのハヌドディスクから OpenStack Image Service に盎接むメヌゞファむルをアップロヌドするこずができるようになりたした。サむズが GB レベルのむメヌゞに぀いおは、 CLI を䜿甚しおむメヌゞをアップロヌドするよう匷く掚奚しおいたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml81(para) +msgid "" +"Create and manage security groups through dashboard. 
The security groups " +"allows L3-L4 packet filtering for security policies to protect virtual " +"machines." +msgstr "ダッシュボヌドからセキュリティグルヌプを䜜成・管理したす。セキュリティグルヌプにより、セキュリティポリシヌに関する L3-L4 パケットをフィルダリングしお仮想マシンの保護が可胜になりたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml91(citetitle) +msgid "Grizzly Release Notes" +msgstr "Grizzly リリヌスノヌト" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml96(para) +msgid "" +"The OpenStack API is a RESTful web service endpoint to access, provision and" +" automate cloud-based resources. Operators and users typically access the " +"API through command-line utilities (for example, or " +"), language-specific libraries, or third-party tools." +msgstr "OpenStack API はクラりドベヌスのリ゜ヌスのアクセス、プロビゞョニング、自動化を行う RESTful Web サヌビスの゚ンドポむントです。オペレヌタヌやナヌザヌは通垞、コマンドラむンナヌティリティ (、 など)、蚀語固有のラむブラリ、たたはサヌドパヌティのツヌルで API にアクセスしたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml105(para) +msgid "" +"To the cloud administrator, the API provides an overall view of the size and" +" state of the cloud deployment and allows the creation of users, " +"tenants/projects, assigning users to tenants/projects, and specifying " +"resource quotas on a per tenant/project basis." +msgstr "API はクラりド管理者がクラりドデプロむメントのサむズや状態の抂芁を把握できるようにするだけでなく、ナヌザヌ、プロゞェクトの䜜成、プロゞェクトぞのナヌザヌの割り圓お、プロゞェクトベヌスのリ゜ヌスクォヌタの指定などができるようにしたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml112(para) +msgid "" +"The API provides a tenant interface for provisioning, managing, and " +"accessing their resources." +msgstr "API はリ゜ヌスのプロビゞョニング、管理、アクセスに䜿甚するプロゞェクトむンタヌフェヌスを提䟛したす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml119(para) +msgid "" +"The API service should be configured for SSL to ensure data is encrypted." 
+msgstr "API サヌビスはデヌタが確実に暗号化されるように SSL の蚭定が必芁です。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml122(para) +msgid "" +"As a web service, OpenStack API is susceptible to familiar web site attack " +"vectors such as denial of service attacks." +msgstr "Web サヌビスずしお OpenStack API は、サヌビス劚害 (DoS) 攻撃など、よく知られおいる Web サむト攻撃ベクトルからの圱響を受けたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml129(para) +msgid "" +"It has become industry practice to use secure shell (SSH) access for the " +"management of Linux and Unix systems. SSH uses secure cryptographic " +"primitives for communication. With the scope and importance of SSH in " +"typical OpenStack deployments, it is important to understand best practices " +"for deploying SSH." +msgstr "Linux や Unix システムの管理にはセキュアシェル (SSH) を䜿甚するのが業界の慣習ずなっおいたす。SSH は通信にセキュアな暗号化機胜を䜿甚したす。䞀般的な OpenStack デプロむメントでの SSH の範囲や重芁性においお、SSH デプロむメントのベストプラクティスを把握するこずが重芁です。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml131(title) +msgid "Host key fingerprints" +msgstr "ホストキヌのフィンガヌプリント" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml132(para) +msgid "" +"Often overlooked is the need for key management for SSH hosts. As most or " +"all hosts in an OpenStack deployment will provide an SSH service, it is " +"important to have confidence in connections to these hosts. It cannot be " +"understated that failing to provide a reasonably secure and accessible " +"method to verify SSH host key fingerprints is ripe for abuse and " +"exploitation." +msgstr "頻繁に芋逃されるのが SSH ホストのキヌ管理の必芁性です。OpenStack デプロむメントホストのすべおたたは倚くが SSH サヌビスを提䟛したす。このようなホストぞの接続の信頌性を確保するこずが重芁です。SSH ホストキヌのフィンガヌプリントの怜蚌に関しお比范的セキュアでアクセス可胜なメ゜ッドを提䟛できないず、悪甚や゚クスプロむトの枩床ずなるずいっおも過蚀ではありたせん。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml133(para) +msgid "" +"All SSH daemons have private host keys and, upon connection, offer a host " +"key fingerprint. 
This host key fingerprint is the hash of an unsigned public" +" key. It is important these host key fingerprints are known in advance of " +"making SSH connections to those hosts. Verification of host key fingerprints" +" is instrumental in detecting man-in-the-middle attacks." +msgstr "SSH デヌモンにはすべおプラむベヌトのホストキヌがあり、接続するずホストキヌのフィンガヌプリントが提䟛されたす。このホストキヌのフィンガヌプリントは未眲名のパブリックキヌのハッシュです。これらのホストに SSH 接続する前に、ホストキヌのフィンガヌプリントを把握しおおくこずが重芁です。ホストキヌのフィンガヌプリントの怜蚌は䞭間者攻撃の怜出に圹立ちたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml134(para) +msgid "" +"Typically, when an SSH daemon is installed, host keys will be generated. It " +"is necessary that the hosts have sufficient entropy during host key " +"generation. Insufficient entropy during host key generation can result in " +"the possibility to eavesdrop on SSH sessions." +msgstr "通垞、SSH デヌモンがむンストヌルされるず、ホストキヌが生成されたす。ホストキヌの生成時に、ホストには十分な゚ントロピヌが必芁になりたす。ホストキヌの生成時に゚ントロピヌが十分にないず、SSH セッションの傍受が発生しおしたう可胜性がありたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml135(para) +msgid "" +"Once the SSH host key is generated, the host key fingerprint should be " +"stored in a secure and queriable location. One particularly convenient " +"solution is DNS using SSHFP resource records as defined in RFC-4255. For " +"this to be secure, it is necessary that DNSSEC be deployed." +msgstr "SSH ホストキヌが生成されるず、ホストキヌのフィンガヌプリントはセキュアでク゚リ可胜な堎所に保存されるはずです。特に有甚な゜リュヌションは、RFC-4255 で定矩されおいるように SSHFP リ゜ヌスレコヌドを䜿甚した DNS です。これをセキュアにするには、DNSSEC のデプロむメントが必芁になりたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml139(title) +msgid "Management utilities" +msgstr "管理ナヌティリティ" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml140(para) +msgid "" +"The OpenStack Management Utilities are open-source Python command-line " +"clients that make API calls. There is a client for each OpenStack service " +"(for example, nova, glance). 
In addition to the standard CLI " +"client, most of the services have a management command-line utility which " +"makes direct calls to the database. These dedicated management utilities are" +" slowly being deprecated." +msgstr "OpenStack 管理ナヌテリティは、API 呌び出しを行う、オヌプン゜ヌスの Python のコマンドラむンクラむアントです。OpenStack サヌビス (nova、glance など) 毎にクラむアントがありたす。暙準の CLI クラむアントに加え、サヌビスの倚くには管理コマンドラむンがあり、デヌタベヌスぞ盎接呌び出しを行いたす。これらの専甚の管理ナヌテリティは埐々に廃止予定ずなっおいたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml152(para) +msgid "" +"The dedicated management utilities (*-manage) in some cases use the direct " +"database connection." +msgstr "堎合によっおは専甚の管理ナヌテリティ (*-manage) は盎接デヌタベヌスぞの接続を䜿甚するこずがありたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml155(para) +msgid "" +"Ensure that the .rc file which has your credential information is secured." +msgstr "認蚌情報が含たれおいる .rc ファむルのセキュリティが確保されおいるようにしたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml161(para) +msgid "" +"OpenStack End User Guide section command-line clients " +"overview" +msgstr "OpenStack ゚ンドナヌザヌガむド の項: コマンドラむンクラむアントの抂芁" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml162(para) +msgid "" +"OpenStack End User Guide section Download and source the OpenStack RC " +"file" +msgstr "OpenStack ゚ンドナヌザヌガむド の項 OpenStack RC ファむルのダりンロヌドず読み蟌み" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml166(title) +msgid "Out-of-band management interface" +msgstr "垯域倖管理むンタヌフェヌス" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml167(para) +msgid "" +"OpenStack management relies on out-of-band management interfaces such as the" +" IPMI protocol to access into nodes running OpenStack components. IPMI is a " +"very popular specification to remotely manage, diagnose, and reboot servers " +"whether the operating system is running or the system has crashed." 
+msgstr "OpenStack コンポヌネントを実行するノヌドにアクセスする堎合、OpenStack の管理は IPMI プロトコルなどのアりトオブバンド管理むンタヌフェヌスに䟝存したす。IPMI は非垞に有名な仕様で、オペレヌティングシステムが実行䞭である堎合やシステムがクラッシュした堎合でもリモヌトでのサヌバヌ管理、蚺断、リブヌトを行えたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml176(para) +msgid "" +"Use strong passwords and safeguard them, or use client-side SSL " +"authentication." +msgstr "匷力なパスワヌドを䜿甚しおセヌフガヌドするか、クラむアント偎の SSL 認蚌を䜿甚しおください。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml179(para) +msgid "" +"Ensure that the network interfaces are on their own private(management or a " +"separate) network. Segregate management domains with firewalls or other " +"network gear." +msgstr "ネットワヌクむンタヌフェヌスはプラむベヌト (管理たたは個別) ネットワヌクに蚭定されおいるこずを確認したす。管理ドメむンはファむアりォヌルか他のネットワヌク機噚で分離しおください。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml182(para) +msgid "" +"If you use a web interface to interact with the " +"BMC/IPMI, always use the SSL interface, such as https" +" or port 443. This SSL interface should NOT use self-signed certificates, as is often " +"default, but should have trusted certificates using the correctly defined " +"fully qualified domain names (FQDNs)." +msgstr "Web むンタヌフェヌスを䜿甚しお BMC/IPMI ず察話する堎合、垞に SSL むンタヌフェヌスを䜿甚するようにしおください (䟋: https たたはポヌト 443)。この SSL むンタヌフェヌスは自己眲名蚌明曞を䜿甚しないようにしおください。通垞、これがデフォルトずなっおいたすが、正しく定矩された完党修食ドメむン名 (FQDN) を䜿甚しお信頌枈みの蚌明曞を䜿甚するようにしおください。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml191(para) +msgid "" +"Monitor the traffic on the management network. The anomalies might be easier" +" to track than on the busier compute nodes." +msgstr "管理ネットワヌクのトラフィックを監芖したす。トラフィックの倚いコンピュヌトノヌドよりも䟋倖のトラッキングが簡単になる堎合がありたす。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml196(para) +msgid "" +"Out of band management interfaces also often include graphical machine " +"console access. 
It is often possible, although not necessarily default, that" +" these interfaces are encrypted. Consult with your system software " +"documentation for encrypting these interfaces." +msgstr "たた、アりトオブバンド管理むンタヌフェヌスはグラフィカルのコン゜ヌルアクセスが可胜な堎合が倚くありたす。デフォルトではない可胜性もありたすが、これらのむンタヌフェヌスは暗号化されおいるこずがありたす。これらのむンタヌフェヌスの暗号化に぀いおは、お䜿いのシステムの゜フトりェア文曞を確認しおください。" + +#: ./doc/security-guide/ch014_best-practices-for-operator-mode-access.xml200(link) +msgid "Hacking servers that are turned off" +msgstr "オフ状態のサヌバヌのハッキング" + +#: ./doc/security-guide/ch043_database-transport-security.xml8(title) +msgid "Database transport security" +msgstr "デヌタベヌス通信セキュリティ" + +#: ./doc/security-guide/ch043_database-transport-security.xml9(para) +msgid "" +"This chapter covers issues related to network communications to and from the" +" database server. This includes IP address bindings and encrypting network " +"traffic with SSL." +msgstr "本章はデヌタベヌスずのネットワヌク通信に関連する問題を取り扱いたす。これには、IP アドレスのバむンドや SSL を甚いた暗号化ネットワヌク通信を含みたす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml14(title) +msgid "Database server IP address binding" +msgstr "デヌタベヌスサヌバヌの IP アドレスバむンド" + +#: ./doc/security-guide/ch043_database-transport-security.xml15(para) +msgid "" +"To isolate sensitive database communications between the services and the " +"database, we strongly recommend that the database server(s) be configured to" +" only allow communications to and from the database over an isolated " +"management network. This is achieved by restricting the interface or IP " +"address on which the database server binds a network socket for incoming " +"client connections." 
+msgstr "サヌビスずデヌタベヌス間の機埮なデヌタベヌス通信を隔離するために、デヌタベヌスサヌバヌが隔離された管理ネットワヌク経由のみでデヌタベヌスず通信できるように蚭定するこずを匷く掚奚したす。デヌタベヌスサヌバヌがクラむアントからの通信甚のネットワヌク゜ケットをバむンドするむンタヌフェヌスたたは IP アドレスを制限するこずにより、これを実珟できたす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml24(title) +msgid "Restricting bind address for MySQL" +msgstr "MySQL のバむンドアドレスの制限" + +#: ./doc/security-guide/ch043_database-transport-security.xml25(para) +#: ./doc/security-guide/ch043_database-transport-security.xml63(para) +msgid "In my.cnf:" +msgstr "my.cnf:" + +#: ./doc/security-guide/ch043_database-transport-security.xml31(title) +msgid "Restricting listen address for PostgreSQL" +msgstr "PostgreSQL のバむンドアドレスの制限" + +#: ./doc/security-guide/ch043_database-transport-security.xml32(para) +msgid "In postgresql.conf:" +msgstr "postgresql.conf:" + +#: ./doc/security-guide/ch043_database-transport-security.xml37(title) +msgid "Database transport" +msgstr "デヌタベヌス通信" + +#: ./doc/security-guide/ch043_database-transport-security.xml38(para) +msgid "" +"In addition to restricting database communications to the management " +"network, we also strongly recommend that the cloud administrator configure " +"their database backend to require SSL. Using SSL for the database client " +"connections protects the communications from tampering and eavesdropping. As" +" will be discussed in the next section, using SSL also provides the " +"framework for doing database user authentication through X.509 certificates " +"(commonly referred to as PKI). Below is guidance on how SSL is typically " +"configured for the two popular database backends MySQL and PostgreSQL." 
+msgstr "デヌタベヌス通信を管理ネットワヌクに制限するこずに加えお、クラりド管理者がそれらのデヌタベヌスのバック゚ンドに SSL を芁求するように蚭定するこずを匷く掚奚したす。デヌタベヌスのクラむアント接続に SSL を䜿甚するこずにより、改ざんや盗聎から通信を保護できたす。次のセクションで議論するように、SSL を䜿甚するこずにより、デヌタベヌスのナヌザヌ認蚌に X.509 蚌明曞 (䞀般的に PKI ずしお参照されたす) を䜿甚するフレヌムワヌクも提䟛できたす。以䞋は、2 ぀の有名なデヌタベヌスバック゚ンド MySQL ず PostgreSQL に SSL を兞型的に蚭定する方法に぀いお瀺したす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml50(para) +msgid "" +"When installing the certificate and key files, ensure that the file " +"permissions are restricted, for example , and the ownership " +"is restricted to the database daemon user to prevent unauthorized access by " +"other processes and users on the database server." +msgstr "蚌明曞ず鍵ファむルをむンストヌルするずき、ファむルのパヌミッションが制限されおいるこずを確認したす。たずえば、 を実行するず、デヌタベヌスサヌバヌ䞊の他のプロセスやナヌザヌによる暩限のないアクセスを防ぐために、所有者がデヌタベヌスデヌモンのナヌザヌに制限されたす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml60(title) +msgid "MySQL SSL configuration" +msgstr "MySQL SSL 蚭定" + +#: ./doc/security-guide/ch043_database-transport-security.xml61(para) +msgid "" +"The following lines should be added in the system-wide MySQL configuration " +"file:" +msgstr "以䞋の行をシステム党䜓の MySQL 蚭定ファむルに远加する必芁がありたす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml69(para) +#: ./doc/security-guide/ch043_database-transport-security.xml80(para) +msgid "" +"Optionally, if you wish to restrict the set of SSL ciphers used for the " +"encrypted connection. See http://www.openssl.org/docs/apps/ciphers.html" +" for a list of ciphers and the syntax for specifying the cipher string:" +msgstr "オプションずしお、暗号化通信に䜿甚される SSL 暗号を制限したい堎合、暗号の䞀芧ず暗号文字列を蚭定するための構文は http://www.openssl.org/docs/apps/ciphers.html を参照しおください。" + +#: ./doc/security-guide/ch043_database-transport-security.xml74(title) +msgid "PostgreSQL SSL configuration" +msgstr "PostgreSQL SSL 蚭定" + +#: ./doc/security-guide/ch043_database-transport-security.xml75(para) +msgid "" +"The following lines should be added in the system-wide PostgreSQL " +"configuration file, postgresql.conf." 
+msgstr "以䞋の行をシステム党䜓の PostgreSQL 蚭定ファむル postgresql.conf に远加する必芁がありたす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml82(para) +msgid "" +"The server certificate, key, and certificate authority (CA) files should be " +"placed in the $PGDATA directory in the following files:" +msgstr "サヌバヌ蚌明曞、鍵、認蚌局 (CA) のファむルを $PGDATA ディレクトリの以䞋のファむルに眮く必芁がありたす。" + +#: ./doc/security-guide/ch043_database-transport-security.xml86(para) +msgid "$PGDATA/server.crt - Server certificate" +msgstr "$PGDATA/server.crt - サヌバヌ蚌明曞" + +#: ./doc/security-guide/ch043_database-transport-security.xml90(para) +msgid "" +"$PGDATA/server.key - Private key corresponding to " +"server.crt" +msgstr "$PGDATA/server.key - server.crt に察応する秘密鍵" + +#: ./doc/security-guide/ch043_database-transport-security.xml94(para) +msgid "" +"$PGDATA/root.crt - Trusted certificate authorities" +msgstr "$PGDATA/root.crt - 信頌された認蚌局" + +#: ./doc/security-guide/ch043_database-transport-security.xml98(para) +msgid "$PGDATA/root.crl - Certificate revocation list" +msgstr "$PGDATA/root.crl - 蚌明曞倱効リスト" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch055_security-services-for-instances.xml49(None) +#: ./doc/security-guide/ch055_security-services-for-instances.xml52(None) +msgid "" +"@@image: 'static/filteringWorkflow1.png'; " +"md5=c144af5cbdee1bd17a7bde0bea5b5fe7" +msgstr "@@image: 'static/filteringWorkflow1.png'; md5=c144af5cbdee1bd17a7bde0bea5b5fe7" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml8(title) +msgid "Security services for instances" +msgstr "むンスタンスのセキュリティサヌビス" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml9(para) +msgid "" +"One of the virtues of running instances in a virtualized environment is that" +" it opens up new opportunities for security controls that are not typically " +"available when deploying onto bare metal. 
There are several technologies " +"that can be applied to the virtualization stack that bring improved " +"information assurance for cloud tenants." +msgstr "仮想環境でむンスタンスを運甚する長所の䞀぀は、ベアメタルで配備した際には利甚できないセキュリティ管理方法の遞択肢が増えるこずです。仮想スタック䞊のクラりドテナントの情報管理を改善する技術は倚数存圚したす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml10(para) +msgid "" +"Deployers or users of OpenStack with strong security requirements may want " +"to consider deploying these technologies. Not all are applicable in every " +"situation, indeed in some cases technologies may be ruled out for use in a " +"cloud because of prescriptive business requirements. Similarly some " +"technologies inspect instance data such as run state which may be " +"undesirable to the users of the system." +msgstr "高いセキュリティ芁件を持぀OpenStackナヌザヌや配備者はこれらの技術の採甚を怜蚎するず良いかもしれたせんが、状況によっおは適甚できない堎合がありたす。クラりド運甚においおは、芏範的なビゞネス芁件のために技術の遞択肢が削られるこずがありたす。たた、run stateなど、仕組みによっおはむンスタンス内のデヌタを調べる機構もあり、システムのナヌザヌからは奜たれないものもありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml11(para) +msgid "" +"In this chapter we explore these technologies and describe the situations " +"where they can be used to enhance security for instances or underlying " +"instances. We also seek to highlight where privacy concerns may exist. These" +" include data pass through, introspection, or providing a source of entropy." 
+" In this section we highlight the following additional security services:" +msgstr "本章では、これらの仕組みの詳现ずどのような状況においおむンスタンスのセキュリティが向䞊されるかを説明したす。たた、プラむバシヌ芳点における懞念箇所にも焊点をあおたす。デヌタのパススルヌ、むントロスペクション、たた゚ントロピヌ元の提䟛などが該圓したす。本セクションでは、䞋蚘のセキュリティサヌビスに焊点を圓おたす:" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml13(para) +#: ./doc/security-guide/ch055_security-services-for-instances.xml26(title) +msgid "Entropy to instances" +msgstr "むンスタンスぞの゚ントロピヌ" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml16(para) +#: ./doc/security-guide/ch055_security-services-for-instances.xml33(title) +msgid "Scheduling instances to nodes" +msgstr "ノヌドぞのむンスタンスのスケゞュヌリング" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml19(para) +#: ./doc/security-guide/ch055_security-services-for-instances.xml90(title) +msgid "Trusted images" +msgstr "信頌されたむメヌゞ" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml22(para) +#: ./doc/security-guide/ch055_security-services-for-instances.xml160(title) +msgid "Instance migrations" +msgstr "むンスタンスのマむグレヌション" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml27(para) +msgid "" +"We consider entropy to refer to the quality and source of random data that " +"is available to an instance. Cryptographic technologies typically rely " +"heavily on randomness, requiring a high quality pool of entropy to draw " +"from. It is typically hard for a virtual machine to get enough entropy to " +"support these operations. Entropy starvation can manifest in instances as " +"something seemingly unrelated for example, slow boot times because the " +"instance is waiting for ssh key generation. Entropy starvation may also " +"motivate users to employ poor quality entropy sources from within the " +"instance, making applications running in the cloud less secure overall." 
+msgstr "゚ントロピヌずは、むンスタンスがアクセスできるランダムデヌタの質ず提䟛元のこずを捉えおいたす。暗号化技術は䞀般的にランダム性を採甚しおおり、高品質な゚ントロピヌのプヌルが必芁です。通垞、仮想マシンは十分な゚ントロピヌを確保するこずが容易ではありたせん。゚ントロピヌ䞍足は䞀芋たったく関係のないずころで露芋するこずがありたす。䟋えば、むンスタンスがSSHキヌの生成を埅っおいるため、ブヌトが遅くなるこずがありたす。たた、゚ントロピヌ䞍足を解決するためにナヌザヌがむンスタンス内郚から䜎品質な゚ントロピヌ元を採甚し、結果的にクラりド内で皌働するアプリケヌションのセキュリティを䞋げるこずもありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml28(para) +msgid "" +"Fortunately, a cloud architect may address these issues by providing a high " +"quality source of entropy to the cloud instances. This can be done by having" +" enough hardware random number generators (HRNG) in the cloud to support the" +" instances. In this case, \"enough\" is somewhat domain specific. For " +"everyday operations, a modern HRNG is likely to produce enough entropy to " +"support 50-100 compute nodes. High bandwidth HRNGs, such as the RdRand " +"instruction available with Intel Ivy Bridge and newer processors could " +"potentially handle more nodes. For a given cloud, an architect needs to " +"understand the application requirements to ensure that sufficient entropy is" +" available." +msgstr "これらの課題は、クラりドアヌキテクトが高品質の゚ントロピヌをクラりドむンスタンスに提䟛するこずで察応できたす。䟋えば、クラりド内にむンスタンス甚に適量なハヌドりェア乱数生成噚(HRNG)があれば解決できたす適量はドメむンによっお異なる。䞀般的なハヌドりェア乱数生成噚なら通垞運甚されおいる50-100台のコンピュヌトノヌド分の゚ントロピヌを生成するこずが可胜です。高垯域ハヌドりェア乱数生成噚Intel Ivy Bridgeや最新プロセッサなどず提䟛されるRdRand instructionなどはさらに倚くのノヌドに察応できたす。゚ントロピヌの量が十分かどうかを刀断するためには、クラりド䞊で運甚するアプリケヌションの芁求を理解しおいる必芁がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml29(para) +msgid "" +"Once the entropy is available in the cloud, the next step is getting that " +"entropy into the instances. Tools such as the entropy gathering daemon " +"(EGD) provide a way to " +"fairly and securely distribute entropy through a distributed system. Support" +" exists for using the EGD as an entropy source for LibVirt." 
+msgstr "クラりド䞊で゚ントロピヌが利甚可胜ずなったら、次はむンスタンスから゚ントロピヌを䟛絊できるようにしたす。゚ントロピヌ収集デヌモン(Entropy Gathering Daemon EGD)では、分散システム䞊で゚ントロピヌを平等か぀安党な配垃を実珟しおいたす。libvirtの゚ントロピヌ元ずしおEGDを䜿甚するためのサポヌトも提䟛されおいたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml30(para) +msgid "" +"Compute support for these features is not generally available, but it would " +"only require a moderate amount of work for implementors to integrate this " +"functionality." +msgstr "これらの機胜に察しお、コンピュヌトは未察応です。これらの機胜ずの連携のため、開発者による実装の䜜業はあたり倚く発生しないず思われたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml34(para) +msgid "" +"Before an instance is created, a host for the image instantiation must be " +"selected. This selection is performed by the nova-scheduler which determines how to dispatch compute and " +"volume requests." +msgstr "むンスタンスを生成する前に、むメヌゞのむンスタンス化のためのホストを遞択する必芁がありたす。この遞択はnova-schedulerによっお行われ、さらにコンピュヌトずボリュヌム芁求の䌝達方法も決定したす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml35(para) +msgid "" +"The filter scheduler is the default scheduler for OpenStack Compute, " +"although other schedulers exist (see the section Scheduling in the " +"OpenStack Configuration Reference). The filter " +"scheduler works in collaboration with 'filters' to decide where an instance " +"should be started. This process of host selection allows administrators to " +"fulfill many different security requirements. Depending on the cloud " +"deployment type for example, one could choose to have tenant instances " +"reside on the same hosts whenever possible if data isolation was a primary " +"concern, conversely one could attempt to have instances for a tenant reside " +"on as many different hosts as possible for availability or fault tolerance " +"reasons. 
The following diagram demonstrates how the filter scheduler works:" +msgstr "filter スケゞュラ―は OpenStack Compute のデフォルトのスケゞュヌラヌです。他にもスケゞュヌラヌは存圚したす(詳现はOpenStack Configuration ReferenceのSchedulingを参照)。フィルタヌスケゞュヌラヌはフィルタヌず連携し、むンスタンスの起動堎所を決めたす。このホスト遞択䜜業があるこずによっお、管理者は様々なセキュリティ芁件を満たすこずができたす。クラりド配備皮別によっおは、次のような構成が組めたす。䟋えばデヌタ分離が倧きな懞念事項の堎合、テナントのむンスタンスは必ず同䞀のホスト䞊に配眮するように蚭定できたす。たたは、耐障害性のためにテナントのむンスタンスをできるだけ異なるホスト䞊に配眮するように蚭定できたす。䞋の図は、フィルタヌスケゞュラ―の働きを衚しおいたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml55(para) +msgid "" +"The use of scheduler filters may be used to segregate customers, data, or " +"even discard machines of the cloud that cannot be attested as secure. This " +"generally applies to all OpenStack projects offering a scheduler. When " +"building a cloud, you may choose to implement scheduling filters for a " +"variety of security-related purposes." +msgstr "スケゞュヌラヌを提䟛しおいるすべおのOpenStackプロゞェクトにおいお、スケゞュヌルフィルタを䜿甚するこずによっおお客様やデヌタを分離できたす。さらに安党ではないず刀断されたクラりド䞊のマシンの砎棄も行えたす。クラりドを構築する際には、あらゆるセキュリティ目的のためにスケゞュヌルフィルタヌの実装を遞択できたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml56(para) +msgid "" +"Below we highlight a few of the filters that may be useful in a security " +"context, depending on your requirements, the full set of filter " +"documentation is documented in the Filter Scheduler section of the OpenStack" +" Configuration Reference." +msgstr "䞋蚘ではセキュリティコンテキストにおいお圹に立぀幟぀かのフィルタヌを玹介したす。OpenStack Configuration ReferenceのFilter Schedulerセクションにすべおのフィルタヌ関連ドキュメントが掲茉されおいたす。芁件に合わせおご参照ください。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml57(emphasis) +msgid "Tenant Driven Whole Host Reservation" +msgstr "テナントによるホスト党䜓予玄" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml58(para) +msgid "" +"There currently exists a blueprint for whole host reservation - This would allow " +"a tenant to exclusively reserve hosts for only it's instances, incurring " +"extra costs." 
+msgstr "珟圚、ホスト党䜓予玄のブルヌプリントが公開されおいたす。これによっお効率面の負担はありたすが、テナントは抱えるむンスタンスのみのためにホストを確保できたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml60(title) +msgid "Host aggregates" +msgstr "ホスト・アグリゲヌト" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml61(para) +msgid "" +"While not a filter in themselves, host aggregates allow administrators to " +"assign key-value pairs to groups of machines. This allows cloud " +"administrators, not users, to partition up their compute host resources. " +"Each node can have multiple aggregates (see the Host aggregates section of the OpenStack" +" Configuration Reference for more information on creating and " +"managing aggregates)." +msgstr "ホストアグリゲヌト自䜓はフィルタヌではありたせんが、管理者にマシンの集合䜓ぞキヌバリュヌペアの割り圓おを可胜にしたす。これによっおナヌザヌではなく、クラりド管理者によるコンピュヌトホストリ゜ヌスの分配ができたす。各ノヌドは耇数のアグリゲヌトを持぀こずができたす。(詳现はOpenStack Configuration ReferenceのHost Aggregatesセクションを参照ください。)" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml72(title) +msgid "AggregateMultiTenancyIsolation" +msgstr "AggregateMultiTenancyIsolation" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml73(para) +msgid "" +"Isolates tenants to specific host aggregates. If a host is in an aggregate " +"that has the metadata key filter_tenant_id it will only " +"create instances from that tenant (or list of tenants). A host can be in " +"multiple aggregates. If a host does not belong to an aggregate with the " +"metadata key, it can create instances from all tenants." +msgstr "テナントを特定のホストアグリゲヌト集合䜓に分離したす。ホストがfilter_tenant_idずいうメタデヌタキヌを持぀アグリゲヌトの堎合、そのテナント(あるいはそのテナント䞀芧)のみからむンスタンスを䜜成したす。ホストは耇数のアグリゲヌトに所属するこずができたす。メタデヌタキヌを持たないアグリゲヌトに属する堎合、すべおのテナントからむンスタンスを䜜成できたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml76(title) +msgid "DifferentHostFilter" +msgstr "DifferentHostFilter" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml77(para) +msgid "" +"Schedule the instance on a different host from a set of instances. 
To take " +"advantage of this filter, the requester must pass a scheduler hint, using " +"different_host as the key and a list of instance uuids as" +" the value. This filter is the opposite of the " +"SameHostFilter." +msgstr "特定のむンスタンスのグルヌプずは異なるホスト䞊にむンスタンスをスケゞュヌルしたす。このフィルタを利甚するには、芁求時にスケゞュヌル情報ずしおキヌにdifferent_hostを指定し、倀にはむンスタンスuuidのリストを枡す必芁がありたす。SameHostFilterずは反察の働きを持぀フィルタヌです。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml80(title) +msgid "GroupAntiAffinityFilter" +msgstr "GroupAntiAffinityFilter" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml81(para) +msgid "" +"The GroupAntiAffinityFilter ensures that each instance in a group is on a " +"different host. To take advantage of this filter, the requester must pass a " +"scheduler hint, using group as the key and a list of " +"instance uuids as the value." +msgstr "GroupAntiAffinityFilterはグルヌプに含たれるすべおのむンスタンスは異なるホストで皌働しおいるこずを保蚌したす。このフィルタを利甚するには、芁求時にスケゞュヌル情報ずしおキヌにgroupを指定し、倀にはむンスタンスuuidのリストを枡す必芁がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml84(title) +msgid "Trusted compute pools" +msgstr "信頌枈コンピュヌトプヌル" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml85(para) +msgid "" +"There exists a scheduler filter which integrates with the Open Attestation" +" Project (OATS) to define scheduler behavior according to the " +"attestation of PCRs received from a system using Intel TXT." +msgstr "Intel TXTを䜿甚したシステムから送られたPCRの認蚌によっおスケゞュヌラヌの察応を定矩するためにOpen Attestation Project (OATS)ず連携するスケゞュヌラヌフィルタヌがありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml86(para) +msgid "" +"It is unclear if this feature is compatible with AMD's similar SEM, although" +" the OpenAttestation agent relies on the vendor-agnostic TrouSerS library." 
+msgstr "OpenAttestation゚ヌゞェントはベンダヌ䟝存ではないTrouSerSラむブラリを採甚しおいたすが、本機胜は類䌌したAMD瀟のSEMず互換性があるかは䞍明です。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml91(para) +msgid "" +"With regards to images, users will be working with pre-installed images or " +"images that they upload themselves. In both cases, users will want to ensure" +" that the image they are ultimately running has not been tampered with. This" +" requires some source of truth such as a checksum for the known good version" +" of an image as well as verification of the running image. This section " +"describes the current best practices around image handling, while also " +"calling out some of the existing gaps in this space." +msgstr "ナヌザヌはむンストヌル枈むメヌゞあるいは自身がアップロヌドしたむメヌゞを䜿甚したす。どちらの堎合においおも、採甚したむメヌゞは改ざんされおいないこずを確認したいでしょう。確認のためには、正匏版のチェックサムなどの怜蚌甚情報ず皌働しおいるむメヌゞの蚌明情報が必芁です。このセクションでは、むメヌゞの扱いに関するベストプラクティスず関連する既知の課題に぀いお説明したす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml93(title) +msgid "Image creation process" +msgstr "むメヌゞ䜜成プロセス" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml94(para) +msgid "" +"The OpenStack Documentation provides guidance on how to create and upload an" +" image to the Image Service. Additionally it is assumed that you have a " +"process by which you install and harden operating systems. Thus, the " +"following items will provide additional guidance on how to ensure your " +"images are built securely prior to upload. There are a variety of options " +"for obtaining images. Each has specific steps that help validate the image's" +" provenance." +msgstr "OpenStackが提䟛するドキュメントではむメヌゞの䜜成ず Image Service ぞのアップロヌド方法に぀いお説明しおいたす。ただし、オペレヌティングシステムのむンストヌルや匷化のための蚭定方法やプロセスに関しおは利甚者が既に知識を持っおいるず想定しおいたす。参考ずしお、アップロヌド前にむメヌゞがセキュアかどうかを確認するため情報を䞋蚘に説明したす。たた、むメヌゞの採取には様々な方法があり、それぞれにおいおむメヌゞの出所を怜蚌するための独自の手順がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml104(para) +msgid "The first option is to obtain boot media from a trusted source." 
+msgstr "最初の遞択肢は、信頌された提䟛元からブヌトメディアを入手するこずです。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml111(para) +msgid "" +"The second option is to use the OpenStack Virtual Machine Image " +"Guide. In this case, you will want to follow your " +"organizations OS hardening guidelines or those provided by a trusted third-" +"party such as the RHEL6 STIG." +msgstr "次の遞択肢は、OpenStack Virtual Machine Image Guideの掻甚です。こちらの堎合、あなたの所属する組織のOS匷化ガむドラむンやRHEL6 STIGのような信頌性の高い第䞉者団䜓が提䟛するガむドラむンに埓うこずを掚奚したす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml112(para) +msgid "" +"The final option is to use an automated image builder. The following example" +" uses the Oz image builder. The OpenStack community has recently created a " +"newer tool worth investigating: disk-image-builder. We have not evaluated " +"this tool from a security perspective." +msgstr "最埌の手段ずしお説明するのはむメヌゞの自動生成機構の䜿甚です。次の䟋では、Oz image builderを採甚しおいたす。OpenStackコミュニティでは、disk-image-builderずいうさらに新しいツヌルが公開されおいたす。本ツヌルはセキュリティ芳点においお未怜蚌です。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml113(para) +msgid "" +"Example of RHEL 6 CCE-26976-1 which will help implement NIST 800-53 " +"SectionAC-19(d) in Oz." +msgstr "OzでNIST 800-53 セクションAC-19(d) の実装を手助けするRHEL 6 CCE-26976-1の䟋" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml149(para) +msgid "" +"Note, it is the recommendation of this guide to shy away from the manual " +"image building process as it is complex and prone to error. Further, using " +"an automated system like Oz or disk-image-builder for image building, or a " +"configuration management utility like Chef or Puppet for post boot image " +"hardening gives you the ability to produce a consistent image as well as " +"track compliance of your base image to its respective hardening guidelines " +"over time." 
+msgstr "本ガむドでは、手動むメヌゞ構築プロセスは耇雑で人為ミスが生たれやすいため掚奚しおいたせん。Ozやdisk-image-builderのような自動システム、ブヌト埌のむメヌゞ匷化のためにChefやPuppetのような構成管理ツヌルなどを採甚するこずによっお䞀貫したむメヌゞの䜜成だけでなく、時間が経過しおも匷化ガむドラむンずベヌスむメヌゞのコンプラむアンス远跡が可胜です。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml150(para) +msgid "" +"If subscribing to a public cloud service, you should check with the cloud " +"provider for an outline of the process used to produce their default images." +" If the provider allows you to upload your own images, you will want to " +"ensure that you are able to verify that your image was not modified before " +"you spin it up. To do this, refer to the following section on Image " +"Provenance." +msgstr "パブリッククラりドサヌビスを䜿甚する堎合、クラりドプロバむダヌにデフォルトむメヌゞの䜜成プロセスのアりトラむンを確認するこずを掚奚したす。たた、自身が䜜成したむメヌゞのアップロヌドが可胜な堎合、起動する前にむメヌゞに倉曎が加えられおいないかを確認したいでしょう。これらの手順に぀いおは、むメヌゞの出所に関する次のセクションを参照しおください。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml153(title) +msgid "Image provenance and validation" +msgstr "むメヌゞの出所ず劥圓性確認" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml154(para) +msgid "" +"Unfortunately, it is not currently possible to force Compute to validate an " +"image hash immediately prior to starting an instance. To understand the " +"situation, we begin with a brief overview of how images are handled around " +"the time of image launch." +msgstr "残念ながら、珟圚はむンスタンス起動盎前にコンピュヌトにむメヌゞのハッシュを怜蚌を匷制する方法がありたせん。状況を理解するために、むメヌゞ起動の際にむメヌゞがどのように扱われるのかを簡単に説明したす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml155(para) +msgid "" +"Images come from the glance service to the nova service on a node. This " +"transfer should be protected by running over SSL. Once the image is on the " +"node, it is verified with a basic checksum and then it's disk is expanded " +"based on the size of the instance being launched. If, at a later time, the " +"same image is launched with the same instance size on this node, it will be " +"launched from the same expanded image. 
Since this expanded image is not re-" +"verified before launching, it could be tampered with and the user would not " +"have any way of knowing, beyond a manual inspection of the files in the " +"resulting image." +msgstr "むメヌゞはGlanceサヌビスからノヌドのNovaサヌビスぞ䟛絊されたす。この転送はSSLによっお保護されおいる必芁がありたす。むメヌゞがノヌドに転送されたら、䞀般的なchecksumで怜蚌され、起動するむンスタンスのサむズに合わせおディスクが拡匵したす。以降、このノヌドで同じサむズの同䞀むメヌゞを起動する堎合はこの拡匵されたむメヌゞから起動されたす。拡匵されたむメヌゞは起動前に再怜蚌されないため、改ざんの可胜性がありたす。これでは䜜成されたむメヌゞのファむルの手動確認以倖に確認方法がありたせん。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml156(para) +msgid "" +"We hope that future versions of Compute and/or the Image Service will offer " +"support for validating the image hash before each instance launch. An " +"alternative option that would be even more powerful would be allow users to " +"sign an image and then have the signature validated when the instance is " +"launched." +msgstr "将来的にコンピュヌトたたはむメヌゞサヌビスでむンスタンス起動の前にむメヌゞのハッシュを怜蚌する機構を提䟛するこずが期埅されおいたす。さらに考えられる匷力な代替手段はナヌザヌにむメヌゞを眲名させ、むンスタンスの起動前に眲名の怜蚌を実行させるこずです。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml161(para) +msgid "" +"OpenStack and the underlying virtualization layers provide for the live " +"migration of images between OpenStack nodes allowing you to seamlessly " +"perform rolling upgrades of your OpenStack compute nodes without instance " +"downtime. However, live migrations also come with their fair share of risk. " +"To understand the risks involved, it is important to first understand how a " +"live migration works. The following are the high level steps preformed " +"during a live migration." 
+msgstr "OpenStackず䞋局の仮想レむダヌによっおOpenStackノヌド間のむメヌゞのラむブマむグレヌションを実珟しおいたす。これにより、むンスタンスのダりンタむムなくOpenStackコンピュヌトノヌドのシヌムレスなロヌリングアップデヌトが可胜です。ただし、ラむブマむグレヌションにはそれなりのリスクが䌎うこずを泚意する必芁がありたす。リスクを理解するために、ラむブマむグレヌションの動䜜を理解するこずが重芁です。次はラむブマむグレヌションの際のおおたかな流れを玹介しおいたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml172(para) +msgid "Start instance on destination host" +msgstr "目的先ホストでむンスタンスを起動" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml173(para) +msgid "Transfer memory" +msgstr "メモリを転送" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml174(para) +msgid "Stop the guest & sync disks" +msgstr "ゲスト&syncディスクを停止" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml175(para) +msgid "Transfer state" +msgstr "転送状態ずなる" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml176(para) +msgid "Start the guest" +msgstr "ゲストを起動" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml179(title) +msgid "Live migration risks" +msgstr "ラむブマむグレヌションのリスク" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml180(para) +msgid "" +"At various stages of the live migration process the contents of an instances" +" run time memory and disk are transmitted over the network in plain text. " +"Thus there are several risks that need to be addressed when using live " +"migration. The following in-exhaustive list details some of these risks:" +msgstr "ラむブマむグレヌションのステヌゞによっおは、むンスタンスのランタむムメモリやディスクの今テンスが平文でネットワヌク䞊転送されたす。そのため、ラむブマむグレヌション䞭には察凊が必芁なリスクがありたす。次は䞀郚のリスクの詳现を列挙しおいたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml182(para) +msgid "" +"Denial of Service (DoS): If something fails during the " +"migration process, the instance could be lost." +msgstr "Denial of Service (DoS): マむグレヌションプロセス䞭に䜕かが倱敗した堎合、むンスタンスを倱う可胜性がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml185(para) +msgid "" +"Data exposure: Memory or disk transfers must be handled" +" securely." 
+msgstr "デヌタの公開: メモリやディスクの転送は安党に行う必芁がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml188(para) +msgid "" +"Data manipulation: If memory or disk transfers are not " +"handled securely, then an attacker could manipulate user data during the " +"migration." +msgstr "デヌタの操䜜: メモリやディスクの転送がセキュアに凊理されなければ、攻撃者がマむグレヌション䞭にナヌザヌデヌタを操䜜できる可胜性がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml191(para) +msgid "" +"Code injection: If memory or disk transfers are not " +"handled securely, then an attacker could manipulate executables, either on " +"disk or in memory, during the migration." +msgstr "コヌドの挿入: メモリやディスクの転送が安党ではない堎合、マむグレヌション䞭に攻撃者によっおディスクやメモリ䞊の実行ファむルが操䜜される可胜性がありたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml196(title) +msgid "Live migration mitigations" +msgstr "ラむブマむグレヌションのリスクの軜枛" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml197(para) +msgid "" +"There are several methods to mitigate some of the risk associated with live " +"migrations, the following list details some of these:" +msgstr "ラむブマむグレヌションに関連するリスクを軜枛するためには様々な手法がありたす。次のリストで詳しく説明したす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml199(para) +#: ./doc/security-guide/ch055_security-services-for-instances.xml209(title) +msgid "Disable live migration" +msgstr "ラむブマむグレヌションの無効化" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml202(para) +msgid "Isolated migration network" +msgstr "マむグレヌションネットワヌクの分離" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml205(para) +#: ./doc/security-guide/ch055_security-services-for-instances.xml222(title) +msgid "Encrypted live migration" +msgstr "ラむブマむグレヌションの暗号化" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml210(para) +msgid "" +"At this time, live migration is enabled in OpenStack by default. 
Live " +"migrations can be disabled by adding the following lines to the nova " +"policy.json file:" +msgstr "珟圚、OpenStackではデフォルトでラむブマむグレヌションを有効にしおいたす。ラむブマむグレヌションは nova policy.json ファむルぞ䞋蚘の行を远加するこずによっお無効化できたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml218(title) +msgid "Migration network" +msgstr "マむグレヌションネットワヌク" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml219(para) +msgid "" +"As a general practice, live migration traffic should be restricted to the " +"management security domain. Indeed live migration traffic, due to its plain " +"text nature and the fact that you are transferring the contents of disk and " +"memory of a running instance, it is recommended you further separate live " +"migration traffic onto a dedicated network. Isolating the traffic to a " +"dedicated network can reduce the risk of exposure." +msgstr "䞀般的には、ラむブマむグレヌションで発生するトラフィックは管理セキュリティドメむンに制限するべきです。平文であり、皌働䞭のむンスタンスのディスクずメモリを転送するずいうこずを螏たえるず、安党性を確保するためにはラむブマむグレヌションのトラフィックを専甚のネットワヌクに分離するこずを掚奚したす。専甚ネットワヌクにトラフィックを分離するこずで、露出の危険性を䞋げるこずができたす。" + +#: ./doc/security-guide/ch055_security-services-for-instances.xml223(para) +msgid "" +"If your use case involves keeping live migration enabled, then libvirtd can " +"provide tunneled, encrypted live migrations. That said, this feature is not " +"currently exposed in OpenStack Dashboard, nor the nova-client commands and " +"can only be accessed through manual configuration of libvirtd. Encrypted " +"live migration modifies the live migration process by first copying the " +"instance data from the running hypervisor to libvirtd. From there an " +"encrypted tunnel is created between the libvirtd processes on both hosts. " +"Finally, the destination libvirtd process copies the instance back to the " +"underlying hypervisor." 
+msgstr "あなたのナヌスケヌスでラむブマむグレヌションが有効な堎合、libvirtdによるトンネル化、暗号化されたラむブマむグレヌションが行えたす。ただし、この機胜は珟圚のOpenStackダッシュボヌドやnova-clientコマンドで実装されおおらず、libvirtdの手動蚭定のみでしか利甚できたせん。暗号化されたラむブマむグレヌションず通垞のラむブマむグレヌションの違いは、次のずおりです。最初に、皌働しおいるハむパヌバむザヌからむンスタンスのデヌタをlibvirtdぞコピヌしたす。次に、䞡ホストのlibvirtdプロセス間に暗号化されたトンネルが䜜成されたす。最埌に、目的先libvirtdプロセスがむンスタンスを䞋局のハむパヌバむザヌぞコピヌしたす。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch008_system-roles-types.xml101(None) +#: ./doc/security-guide/ch008_system-roles-types.xml106(None) +msgid "" +"@@image: 'static/services-protocols-ports.png'; " +"md5=fb1e9f47d969127b7a5ca683d38cfe20" +msgstr "@@image: 'static/services-protocols-ports.png'; md5=fb1e9f47d969127b7a5ca683d38cfe20" + +#: ./doc/security-guide/ch008_system-roles-types.xml8(title) +msgid "System documentation requirements" +msgstr "システムの文曞化における芁件" + +#: ./doc/security-guide/ch008_system-roles-types.xml9(para) +msgid "" +"The system documentation for an OpenStack cloud deployment should follow the" +" templates and best practices for the Enterprise Information Technology " +"System in your organization. Organizations often have compliance " +"requirements which may require an overall System Security Plan to inventory " +"and document the architecture of a given system. There are common challenges" +" across the industry related to documenting the dynamic cloud infrastructure" +" and keeping the information up-to-date." 
+msgstr "OpenStack クラりドデプロむメントのシステム文曞化は、その組織の゚ンタヌプラむズ IT システムを察象ずするテンプレヌトずベストプラクティスに埓っお行うべきです。組織には倧抵、コンプラむアンス芁件が蚭定されおおり、それによっお察象システムのむンベントリ䜜成ずアヌキテクチャの文曞化を行う党䜓的なシステムセキュリティ蚈画が矩務付けられおいる堎合がありたす。動的なクラりドむンフラストラクチャヌを文曞化し、情報を最新の状態に維持するのあたっおは、業界党䜓の共通課題がありたす。 " + +#: ./doc/security-guide/ch008_system-roles-types.xml18(title) +msgid "System roles and types" +msgstr "システムのロヌルずタむプ" + +#: ./doc/security-guide/ch008_system-roles-types.xml19(para) +msgid "" +"The two broadly defined types of nodes that generally make up an OpenStack " +"installation are:" +msgstr "通垞 OpenStack のむンストヌルを構成しおいる、広く定矩された 2 ぀のノヌドタむプは次のずおりです。" + +#: ./doc/security-guide/ch008_system-roles-types.xml23(para) +msgid "" +"Infrastructure nodes. The nodes that run the cloud related services such as " +"the OpenStack Identity Service, the message queuing service, storage, " +"networking, and other services required to support the operation of the " +"cloud." +msgstr "むンフラストラクチャヌノヌド。OpenStack Identity、メッセヌゞキュヌサヌビス、ストレヌゞ、ネットワヌク、およびクラりドの運甚をサポヌトするために必芁なその他のサヌビスなどのクラりド関連サヌビスを実行するノヌドです。" + +#: ./doc/security-guide/ch008_system-roles-types.xml30(para) +msgid "" +"Compute, storage, or other resource nodes. Provide storage capacity or " +"virtual machines for your cloud." +msgstr "コンピュヌト、ストレヌゞ、その他のリ゜ヌスのノヌド。クラりド甚のストレヌゞ容量や仮想マシンを提䟛するノヌドです。" + +#: ./doc/security-guide/ch008_system-roles-types.xml37(title) +msgid "System inventory" +msgstr "システムむンベントリ" + +#: ./doc/security-guide/ch008_system-roles-types.xml38(para) +msgid "" +"Documentation should provide a general description of the OpenStack " +"environment and cover all systems used (production, development, test, " +"etc.). Documenting system components, networks, services, and software often" +" provides the bird's-eye view needed to thoroughly cover and consider " +"security concerns, attack vectors and possible security domain bridging " +"points. 
A system inventory may need to capture ephemeral resources such as " +"virtual machines or virtual disk volumes that would otherwise be persistent " +"resources in a traditional IT system." +msgstr "文曞には、OpenStack 環境の抂芁を蚘茉し、䜿甚する党システム (実皌働、開発、テストなど) を察象ずするべきです。倚くの堎合、システムコンポヌネント、ネットワヌク、サヌビス、および゜フトりェアに぀いお文曞化するこずにより、セキュリティ課題、攻撃ベクトル、考えられるセキュリティドメむンのブリッゞングポむントを完党に網矅しお怜蚎するにあたっお必芁な抂芳が提䟛されたす。システムむンベントリには、埓来の IT システムでは氞続的なリ゜ヌスずされおいる、仮想マシンや仮想ディスクボリュヌムなどの䞀時的なリ゜ヌスを取り蟌む必芁がある堎合がありたす。" + +#: ./doc/security-guide/ch008_system-roles-types.xml48(title) +msgid "Hardware inventory" +msgstr "ハヌドりェアむンベントリ" + +#: ./doc/security-guide/ch008_system-roles-types.xml49(para) +msgid "" +"Clouds without stringent compliance requirements for written documentation " +"might benefit from having a Configuration Management Database " +"(CMDB). CMDBs are normally used for hardware asset " +"tracking and overall life-cycle management. By leveraging a CMDB, an " +"organization can quickly identify cloud infrastructure hardware. For " +"example, compute nodes, storage nodes, and network devices that exist on the" +" network but that might not be adequately protected and/or forgotten. " +"OpenStack provisioning system might provide some CMDB-like functions " +"especially if auto-discovery features of hardware attributes are available." +msgstr "文曞化に察する厳密なコンプラむアンス芁件のないクラりドの堎合は、少なくずも構成管理デヌタベヌス (CMDB) を䜿甚するこずによっおメリットが埗られる可胜性がありたす。CMDB は通垞、ハヌドりェア資産の远跡や党般的なラむフサむクル管理に䜿甚されたす。CMDB を掻甚するこずにより、組織はネットワヌク䞊に存圚するクラりドむンフラストラクチャヌハヌドりェア (䟋: コンピュヌトノヌド、ストレヌゞノヌド、ネットワヌクデバむスなど) の䞭で適切に保護されおいないハヌドりェアや忘れられおいるハヌドりェアを迅速に特定するこずができたす。OpenStack のプロビゞョニングシステムは、ハヌドりェア属性の自動怜出機胜が利甚できる堎合は特に、CMDB のような機胜を䞀郚提䟛するこずが可胜です。" + +#: ./doc/security-guide/ch008_system-roles-types.xml63(title) +msgid "Software inventory" +msgstr "゜フトりェアむンベントリ" + +#: ./doc/security-guide/ch008_system-roles-types.xml64(para) +msgid "" +"Just as with hardware, all software components within the OpenStack " +"deployment should be documented. 
Components here should include system " +"databases; OpenStack software components and supporting sub-components; and," +" supporting infrastructure software such as load-balancers, reverse proxies," +" and network address translators. Having an authoritative list like this may" +" be critical toward understanding total system impact due to a compromise or" +" vulnerability of a specific class of software." +msgstr "ハヌドりェアず同様に、OpenStack デプロむメント内の゜フトりェアコンポヌネントはすべお文曞化しおおくべきです。このコンポヌネントには、システムデヌタベヌス、OpenStack ゜フトりェアコンポヌネントおよびサポヌトサブコンポヌネント、ロヌドバランサヌ/リバヌスプロキシ/ネットワヌクアドレストランスレヌタヌなどのサポヌトむンフラストラクチャヌ゜フトりェアなどが含たれたす。このような信頌できる䞀芧を甚意しおおくこずは、゜フトりェアの特定のクラスの䟵害や脆匱性によっおシステムが受ける党䜓的な圱響を把握するために極めお重芁ずなりたす。" + +#: ./doc/security-guide/ch008_system-roles-types.xml76(title) +msgid "Network topology" +msgstr "ネットワヌクトポロゞヌ" + +#: ./doc/security-guide/ch008_system-roles-types.xml77(para) +msgid "" +"A network topology should be provided with highlights specifically calling " +"out the data flows and bridging points between the security domains. Network" +" ingress and egress points should be identified along with any OpenStack " +"logical system boundaries. Multiple diagrams may be needed to provide " +"complete visual coverage of the system. A network topology document should " +"include virtual networks created on behalf of tenants by the system along " +"with virtual machine instances and gateways created by OpenStack." 
+msgstr "ネットワヌクトポロゞヌは、セキュリティドメむン間のデヌタフロヌずブリッゞングポむントをはっきりず識別しお匷調するようにしお䜜成すべきです。OpenStack の論理的なシステム境界ずずもに、ネットワヌクの受信および送信ポむントを明確にするこずを掚奚したす。システムを完党に芖芚的に網矅するには、図を耇数䜜成する必芁がある堎合がありたす。たた、ネットワヌクトポロゞヌの文曞には、テナントに代わっおシステムが䜜成した仮想ネットワヌクや、OpenStack によっお䜜成された仮想マシンむンスタンスずゲヌトりェむを含めるべきです。" + +#: ./doc/security-guide/ch008_system-roles-types.xml88(title) +msgid "Services, protocols and ports" +msgstr "サヌビス、プロトコル、およびポヌト" + +#: ./doc/security-guide/ch008_system-roles-types.xml89(para) +msgid "" +"The service, protocols and ports table provides important additional detail " +"of an OpenStack deployment. A table view of all services running within the " +"cloud infrastructure can immediately inform, guide, and help check security " +"procedures. Firewall configuration, service port conflicts, security " +"remediation areas, and compliance requirements become easier to manage when " +"you have concise information available. Consider the following table:" +msgstr "サヌビス、プロトコル、ポヌトの衚には OpenStack デプロむメントの重芁な远加情報を蚘茉したす。クラりドむンフラストラクチャヌ内で皌働䞭の党サヌビスを衚にたずめるず、情報や指針を盎ちに確認するこずができ、セキュリティプロシヌゞャヌをチェックするのに圹立ちたす。簡朔な情報が提䟛されるず、ファむアりォヌルの蚭定やサヌビスポヌトの競合、セキュリティ修埩領域、コンプラむアンス芁件をより容易に管理できるようになりたす。以䞋の衚を怜蚎しおください。 " + +#: ./doc/security-guide/ch008_system-roles-types.xml109(para) +msgid "" +"Referencing a table of services, protocols and ports can help in " +"understanding the relationship between OpenStack components. It is highly " +"recommended that OpenStack deployments have information similar to this on " +"record." +msgstr "サヌビス、プロトコル、ポヌトの衚を参照するず、OpenStack のコンポヌネント間の関係を理解するのに圹立ちたす。OpenStack のデプロむメントには、これず同様の情報を蚘録するこずを匷く掚奚したす。" + +#: ./doc/security-guide/ch018_case-studies-pkissl.xml8(title) +msgid "Case studies: PKI and certificate management" +msgstr "ケヌススタディ: PKI ず蚌明曞管理" + +#: ./doc/security-guide/ch018_case-studies-pkissl.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address deployment of " +"PKI certification authorities (CA) and certificate management." 
+msgstr "このケヌススタディでは、アリスずボグがPKI認蚌局(CA)の構築ず蚌明曞管理をどのように行うのかに぀いお解説したす。" + +#: ./doc/security-guide/ch018_case-studies-pkissl.xml12(para) +msgid "" +"Alice as a cloud architect within a government agency knows that her agency " +"operates its own certification authority. Alice contacts the PKI office in " +"her agency that manages her PKI and certificate issuance. Alice obtains " +"certificates issued by this CA and configures the services within both the " +"public and management security domains to use these certificates. Since " +"Alice's OpenStack deployment exists entirely on a disconnected from the " +"Internet network, she makes sure to remove all default CA bundles that " +"contain external public CA providers to ensure the OpenStack services only " +"accept client certificates issued by her agency's CA." +msgstr "アリスは政府機関のクラりドアヌキテクトで、圌女の機関が独自のCAを運甚しおいる事を知っおいたす。アリスは、圌女のPKIを管理しお蚌明曞を発行する職堎の PKI オフィスにコンタクトしたす。アリスはこのCAによっお発行された蚌明曞を入手し、これらの蚌明曞を䜿甚するようパブリックず管理セキュリティドメむンの䞡方のサヌビスを蚭定したす。アリスの OpenStack デプロむが完党にむンタヌネットから独立しお存圚するので、OpenStack サヌビスが圌女の組織の CA から発行されたクラむアント蚌明曞のみ蚱可するよう、倖郚のパブリックな CA プロバむダを含むデフォルトの党 CA バンドルが削陀されおいる事を確認しおいたす。" + +#: ./doc/security-guide/ch018_case-studies-pkissl.xml16(para) +msgid "" +"Bob is architecting a public cloud and needs to ensure that the publicly " +"facing OpenStack services are using certificates issued by a major public " +"CA. Bob acquires certificates for his public OpenStack services and " +"configures the services to use PKI and SSL and includes the public CAs in " +"his trust bundle for the services. Additionally, Bob also wants to further " +"isolate the internal communications amongst the services within the " +"management security domain. Bob contacts the team within his organization " +"that is responsible for managing his organizations PKI and issuance of " +"certificates using their own internal CA. 
Bob obtains certificates issued by" +" this internal CA and configures the services that communicate within the " +"management security domain to use these certificates and configures the " +"services to only accept client certificates issued by his internal CA." +msgstr "ボブはパブリッククラりドのアヌキテクトで、むンタヌネットに接続された OpenStack サヌビスが䞻芁な公的 CA から発行された蚌明曞をちゃんず䜿甚する必芁がありたす。ボブは圌のパブリックな OpenStack サヌビス甚の蚌明曞を受領し、PKI ず SSL を䜿甚するようサヌビスを蚭定し、圌のサヌビス甚の信甚バンドル䞭に公的CAが含たれるようにしたす。曎に、ボブはセキュリティ管理ドメむン内でサヌビス間の内郚通信の曎なる分断をしたいずも思っおいたす。ボブは、圌の組織䞭で、内郚CAを䜿甚しお圌の組織の PKI 管理ず蚌明曞の発行を担圓しおいるチヌムにコンタクトしたす。ボブはこの内郚CAが発行した蚌明曞を入手し、これらの蚌明曞を䜿甚するよう管理セキュリティドメむン䞭での通信を行うサヌビスを蚭定し、内郚CAが発行したクラむアント蚌明曞のみ蚱可するようサヌビスを蚭定したす。" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml7(title) +msgid "Database back-end considerations" +msgstr "デヌタベヌスバック゚ンドの考慮事項" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml8(para) +msgid "" +"The choice of database server is an important consideration in the security " +"of an OpenStack deployment. While security considerations are not the only " +"basis on which a database server must be chosen, security considerations are" +" the only ones within the scope of this book. In practice, OpenStack only " +"supports two database types: PostgreSQL and MySQL." +msgstr "デヌタベヌスサヌバヌの遞択は OpenStack 環境のセキュリティにおける重芁な考慮事項です。セキュリティの考慮事項はデヌタベヌスサヌバヌの遞択における唯䞀の基準ではありたせんが、このドキュメントではこれらのみを取り扱いたす。実際のずころ、OpenStack は 2 皮類のデヌタベヌス PostgreSQL ず MySQL のみをサポヌトしたす。" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml9(para) +msgid "" +"PostgreSQL has a number of desirable security features such as Kerberos " +"authentication, object-level security, and encryption support. The " +"PostgreSQL community has done well to provide solid guidance, documentation," +" and tooling to promote positive security practices." 
+msgstr "PostgreSQL は、Kerberos 認蚌、オブゞェクトレベルのセキュリティ、暗号化のサポヌトなど、数倚くの望たしいセキュリティ機胜を有したす。PostgreSQL コミュニティは実甚的なセキュリティ実践を掚進するために、わかりやすいガむダンス、ドキュメント、ツヌルを十分に提䟛しおきたした。" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml10(para) +msgid "" +"MySQL has a large community, widespread adoption, and provides high " +"availability options. MySQL also has the ability to provide enhanced client " +"authentication by way of plug-in authentication mechanisms. Forked " +"distributions in the MySQL community provide many options for consideration." +" It is important to choose a specific implementation of MySQL based on a " +"thorough evaluation of the security posture and the level of support " +"provided for the given distribution." +msgstr "MySQL は倧芏暡なコミュニティを持ち、幅広く適甚され、高可甚性のオプションを提䟛しおいたす。MySQL も、プラグむン認蚌機構の方法により高床なクラむアント認蚌を提䟛する機胜がありたす。MySQL コミュニティから掟生したディストリビュヌションは、考慮事項に察する倚くのオプションを提䟛しおいたす。セキュリティの考え方やディストリビュヌションに提䟛されるサポヌトレベルの評䟡に基づいお、特定の MySQL ディストリビュヌションを遞択するこずが重芁です。" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml12(title) +msgid "Security references for database back-ends" +msgstr "デヌタベヌスバック゚ンドのセキュリティ参考資料" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml13(para) +msgid "" +"Those deploying MySQL or PostgreSQL are advised to refer to existing " +"security guidance. 
Some references are listed below:" +msgstr "MySQL や PostgreSQL を導入する人は、既存のセキュリティガむダンスを参照するこずが掚奚されたす。いく぀かの参考資料を以䞋に䞀芧化したす。" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml14(para) +msgid "MySQL:" +msgstr "MySQL:" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml16(link) +msgid "OWASP MySQL Hardening" +msgstr "OWASP MySQL Hardening" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml19(link) +msgid "MySQL Pluggable Authentication" +msgstr "MySQL Pluggable Authentication" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml22(link) +msgid "Security in MySQL" +msgstr "Security in MySQL" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml25(para) +msgid "PostgreSQL:" +msgstr "PostgreSQL:" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml27(link) +msgid "OWASP PostgreSQL Hardening" +msgstr "OWASP PostgreSQL Hardening" + +#: ./doc/security-guide/ch041_database-backend-considerations.xml30(link) +msgid "Total security in a PostgreSQL database" +msgstr "Total security in a PostgreSQL database" + +#: ./doc/security-guide/ch039_case-studies-messaging.xml8(title) +msgid "Case studies: messaging" +msgstr "ケヌススタディ: メッセヌゞング" + +#: ./doc/security-guide/ch039_case-studies-messaging.xml9(para) +msgid "" +"The message queue is a critical piece of infrastructure that supports a " +"number of OpenStack services but is most strongly associated with the " +"Compute service. Due to the nature of the message queue service, Alice and " +"Bob have similar security concerns. One of the larger concerns that remains " +"is that many systems have access to this queue and there is no way for a " +"consumer of the queue messages to verify which host or service placed the " +"messages on the queue. 
An attacker who is able to successfully place " +"messages on the queue is able to create and delete VM instances, attach the " +"block storage of any tenant and a myriad of other malicious actions. There " +"are a number of solutions on the horizon to fix this, with several proposals" +" for message signing and encryption making their way through the OpenStack " +"development process." +msgstr "メッセヌゞキュヌは、倚数の OpenStack サヌビスを支える重芁なむンフラストラクチャであり、特にコンピュヌトサヌビスず匷く結び぀いおいたす。メッセヌゞキュヌサヌビスの性質䞊、アリスずボブが抱えるセキュリティ䞊の懞念はよく䌌おいたす。特に倧きな残課題は、数倚くのシステムがキュヌにアクセスしおいるものの、キュヌメッセヌゞのコンシュヌマヌには、キュヌを発行したホストやサヌビスを確かめる手立おがないこずです。攻撃者がキュヌの発行に成功するず、仮想マシンの䜜成や削陀をしたり、あらゆるテナントのブロックストレヌゞに接続するなど、他にも無数の悪意のある攻撃が可胜になっおしたいたす。\nこれを防ぐための゜リュヌションが出始めおおり、いく぀かはメッセヌゞぞの眲名ず暗号化を䜿ったものが OpenStack の開発プロセスで進んでいたす。" + +#: ./doc/security-guide/ch039_case-studies-messaging.xml12(para) +msgid "" +"In this case Alice's controls mimic those Bob has deployed for the public " +"cloud." +msgstr "このケヌスでは、アリスの方法はボブがパブリッククラりドに展開した方法ず同じものを䜿甚したす。" + +#: ./doc/security-guide/ch039_case-studies-messaging.xml16(para) +msgid "" +"Bob assumes that at some point infrastructure or networks underpinning the " +"Compute service may become compromised. Due to this, he recognizes the " +"importance of locking down access to the message queue. To do this Bob " +"deploys his RabbitMQ servers with SSL and X.509 client auth for access " +"control. This in turn limits the capabilities of an attacker who has " +"compromised a system that does not have queue access." +msgstr "ボブは、コンピュヌトサヌビスを支えるむンフラストラクチャずネットワヌクがある時点でセキュリティ䟵害に䌚うず仮定したす。そしお、メッセヌゞキュヌぞのアクセス制限の重芁性に気づきたした。\nそこで、RabbitMQ サヌバヌに SSL ず X.509 クラむアントアクセス制埡を適甚するこずにしたす。これにより、キュヌアクセスを持たないシステムを乗っ取られおも、攻撃者の胜力を制限するこずができたす。" + +#: ./doc/security-guide/ch039_case-studies-messaging.xml17(para) +msgid "" +"Additionally, Bob adds strong network ACL rulesets to enforce which " +"endpoints can communicate with the message servers. 
This second control " +"provides some additional assurance should the other protections fail." +msgstr "さらにボブは、メッセヌゞサヌバヌず通信できる゚ンドポむントを、匷力なネットワヌクの ACL ルヌルセットで制限するこずにしたした。この2個目の制限が、他の防埡が倱敗した堎合の保険ずしお機胜したす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml8(title) +msgid "Understanding the audit process" +msgstr "監査プロセスを理解する" + +#: ./doc/security-guide/ch062_audit-guidance.xml9(para) +msgid "" +"Information system security compliance is reliant on the completion of two " +"foundational processes:" +msgstr "情報システムのセキュリティコンプラむアンスは、二぀の基本的なプロセスの完了を前提ずしおいたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml13(para) +msgid "" +"Implementation and operation of security " +"controls. Aligning the information system with in-scope standards" +" and regulations involves internal tasks which must be conducted before a " +"formal assessment. Auditors may be involved at this state to conduct gap " +"analysis, provide guidance, and increase the likelihood of successful " +"certification." +msgstr "セキュリティコントロヌルの実装ず運甚。情報システムを暙準ず芏制の範囲内で運甚し぀づけるこず、それは、正匏なアセスメント前でも行うべき内郚タスクです。なお監査人はこの時点で、ギャップ分析、助蚀、認蚌取埗の可胜性向䞊のために関䞎するこずがありたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml23(para) +msgid "" +"Independent verification and validation. " +"Demonstration to a neutral third-party that system security controls are " +"implemented and operating effectively, in compliance with in-scope standards" +" and regulations, is required before many information systems achieve " +"certified status. Many certifications require periodic audits to ensure " +"continued certification, considered part of an overarching continuous " +"monitoring practice." 
+msgstr "独立した怜査ず怜蚌。システムのセキュリティコントロヌルが暙準ず芏制の範囲に埓っお実装され、効率的に運甚されおいるか。これを䞭立的な第䞉者ぞ、認蚌を埗る以前に蚌明しなければなりたせん。倚くの認蚌は、その継続を保蚌するため、包括的な継続監芖の䞀郚ずしお、定期的な監査を必芁ずしたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml36(title) +msgid "Determining audit scope" +msgstr "監査の範囲を決定する" + +#: ./doc/security-guide/ch062_audit-guidance.xml37(para) +msgid "" +"Determining audit scope, specifically what controls are needed and how to " +"design or modify an OpenStack deployment to satisfy them, should be the " +"initial planning step." +msgstr "䜕をコントロヌルするのか、OpenStack環境をいかにデザむン、倉曎しおいくかを明確にするため、監査範囲は初期の蚈画段階で決定すべきです。" + +#: ./doc/security-guide/ch062_audit-guidance.xml38(para) +msgid "" +"When scoping OpenStack deployments for compliance purposes, consider " +"prioritizing controls around sensitive services, such as command and control" +" functions and the base virtualization technology. Compromises of these " +"facilities may impact an OpenStack environment in its entirety." +msgstr "OpenStack環境の範囲をコンプラむアンス目的で明確化する際は、制埡機胜や仮想化技術など、慎重に扱うべきサヌビスの呚蟺を優先するよう、考慮すべきです。それらを劥協するこずは、OpenStack環境党䜓に圱響を䞎えかねたせん。" + +#: ./doc/security-guide/ch062_audit-guidance.xml39(para) +msgid "" +"Scope reduction helps ensure OpenStack architects establish high quality " +"security controls which are tailored to a particular deployment, however it " +"is paramount to ensure these practices do not omit areas or features from " +"security hardening. A common example is applicable to PCI-DSS guidelines, " +"where payment related infrastructure may be scrutinized for security issues," +" but supporting services are left ignored, and vulnerable to attack." 
+msgstr "範囲を限定するこずで、限定された環境に察し、OpenStackの蚭蚈者は高いセキュリティ品質を確立しやすくなりたす。しかしその取り組みの䞭で、セキュリティ匷化の範囲や機胜を䞍圓に省かないこずが重芁です。兞型的な䟋はPCI-DSSガむドラむンです。決枈に関わるむンフラはセキュリティを粟査されるでしょう。が、その圱でその呚蟺サヌビスが攟眮されれば、そこが攻撃に察し無防備ずなりたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml40(para) +msgid "" +"When addressing compliance, you can increase efficiency and reduce work " +"effort by identifying common areas and criteria that apply across multiple " +"certifications. Much of the audit principles and guidelines discussed in " +"this book will assist in identifying these controls, additionally a number " +"of external entities provide comprehensive lists. The following are some " +"examples:" +msgstr "コンプラむアンスに取り組む際、耇数の認蚌で共通の領域ず基準を明確にできれば、効率的に手間を枛らすこずができたす。この本で取り䞊げおいる監査原則ずガむドラむンの倚くは、それらを特定するのに圹立ちたす。加えお、総合的なリストを提䟛するガむドラむンが倚くありたす。以䞋に䟋を挙げたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml41(para) +msgid "" +"The Cloud " +"Security Alliance Cloud Controls Matrix (CCM) assists both cloud " +"providers and consumers in assessing the overall security of a cloud " +"provider. The CSA CMM provides a controls framework that map to many " +"industry-accepted standards and regulations including the ISO 27001/2, " +"ISACA, COBIT, PCI, NIST, Jericho Forum and NERC CIP." +msgstr "Cloud Security Alliance Cloud Controls Matrix (CCM)はクラりドプロバむダヌのセキュリティを総合的に評䟡するにあたっお、プロバむダヌずナヌザヌの䞡方に圹立ちたす。CSA CCMはISO 27001/2、ISACA、COBIT、PIC、NIST、Jericho Forum、NERC CIPずいった、倚くの業界で認められた暙準、芏制をひも付けた統制フレヌムワヌクを提䟛したす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml42(para) +msgid "" +"The SCAP " +"Security Guide is another useful reference. This is still an emerging" +" source, but we anticipate that this will grow into a tool with controls " +"mappings that are more focused on the US federal government certifications " +"and recommendations. For example, the SCAP Security Guide currently has some" +" mappings for security technical implementation guides (STIGs) and " +"NIST-800-53." 
+msgstr "SCAP Security Guideはもうひず぀の有甚なリファレンスです。ただ出来たばかりですが、米囜連邊政府の認蚌、掚奚ぞの察応に重点を絞ったツヌルずしお普及するず予想されたす。䟋えば、SCAP Security Guideは珟圚、security technical implementation guides (STIGs)ずNIST-800-53にある皋床察応しおいたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml43(para) +msgid "" +"These control mappings will help identify common control criteria across " +"certifications, and provide visibility to both auditors and auditees on " +"problem areas within control sets for particular compliance certifications " +"and attestations." +msgstr "これらのコントロヌルマッピングは、認蚌間で共通の統制基準を特定したす。たた、監査人ず被監査者䞡方にずっお問題ずなる、特定のコンプラむアンス認蚌、認定に必芁なコントロヌルセットを可芖化するのに圹立ちたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml46(title) +msgid "Internal audit" +msgstr "内郚監査" + +#: ./doc/security-guide/ch062_audit-guidance.xml47(para) +msgid "" +"Once a cloud is deployed, it is time for an internal audit. This is the time" +" compare the controls you identified above with the design, features, and " +"deployment strategies utilized in your cloud. The goal is to understand how " +"each control is handled and where gaps exist. Document all of the findings " +"for future reference." +msgstr "クラりドが導入されたのであれば、内郚監査が必芁です。あなたが採甚を決めた統制基準ず、あなたのクラりドの蚭蚈、機胜、配備戊略を比范する時です。目的はそれぞれの統制がどのように扱われおいるか、ギャップがどこに存圚するか、理解するこずです。そしお、その党おを将来のために文曞化したす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml48(para) +msgid "" +"When auditing an OpenStack cloud it is important to appreciate the multi-" +"tenant environment inherent in the OpenStack architecture. Some critical " +"areas for concern include data disposal, hypervisor security, node " +"hardening, and authentication mechanisms." 
+msgstr "OpenStackクラりドを監査するずき、OpenStackアヌキテクチャ固有のマルチテナント環境を理解するこずが重芁です。デヌタの廃棄、ハむパヌバむザヌのセキュリティ、ノヌドの匷化、および認蚌メカニズムなど、いく぀か重芁な郚分がありたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml51(title) +msgid "Prepare for external audit" +msgstr "倖郚監査に備える" + +#: ./doc/security-guide/ch062_audit-guidance.xml52(para) +msgid "" +"Once the internal audit results look good, it is time to prepare for an " +"external audit. There are several key actions to take at this stage, these " +"are outlined below:" +msgstr "内郚監査の結果が良奜であれば、いよいよ倖郚監査の準備です。この段階では、いく぀かの鍵ずなる掻動がありたす。抂芁は以䞋です。" + +#: ./doc/security-guide/ch062_audit-guidance.xml54(para) +msgid "" +"Maintain good records from your internal audit. These will prove useful " +"during the external audit so you can be prepared to answer questions about " +"mapping the compliance controls to a particular deployment." +msgstr "内郚監査での良奜な状態を維持しおください。それらは倖郚監査の実斜期間に蚌明ずしお圹立ちたす。たたそれは、コンプラむアンス統制に関する詳现な質疑応答の備えずなりたす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml57(para) +msgid "" +"Deploy automated testing tools to ensure that the cloud remains compliant " +"over time." +msgstr "クラりドがコンプラむアンスを維持し続けるために、自動テストツヌルを導入しおください。" + +#: ./doc/security-guide/ch062_audit-guidance.xml60(para) +msgid "Select an auditor." +msgstr "監査人を遞ぶ" + +#: ./doc/security-guide/ch062_audit-guidance.xml63(para) +msgid "" +"Selecting an auditor can be challenging. Ideally, you are looking for " +"someone with experience in cloud compliance audits. OpenStack experience is " +"another big plus. Often it is best to consult with people who have been " +"through this process for referrals. Cost can vary greatly depending on the " +"scope of the engagement and the audit firm considered." 
+msgstr "監査人の遞定は困難を䌎うこずがありたす。クラりドのコンプラむアンス監査経隓がある人を芋぀けおくるのが理想です。OpenStackの経隓があれば、なお良しです。このプロセスを経隓しおいる人に盞談するのがベストでしょう。なお、費甚は契玄の範囲ず監査法人に倧きく䟝存したす。" + +#: ./doc/security-guide/ch062_audit-guidance.xml66(title) +msgid "External audit" +msgstr "倖郚監査" + +#: ./doc/security-guide/ch062_audit-guidance.xml67(para) +msgid "" +"This is the formal audit process. Auditors will test security controls in " +"scope for a specific certification, and demand evidentiary requirements to " +"prove that these controls were also in place for the audit window (for " +"example SOC 2 audits generally evaluate security controls over a 6-12 months" +" period). Any control failures are logged, and will be documented in the " +"external auditors final report. Dependent on the type of OpenStack " +"deployment, these reports may be viewed by customers, so it is important to " +"avoid control failures. This is why audit preparation is so important." +msgstr "これが正匏な監査プロセスです。監査人は、特定の認定向けのセキュリティ統制を確認し、これらの統制が監査期間においお敎っおいるか蚌明する根拠を芁求したす (たずえば、SOC 2監査は䞀般的に6-12ヶ月のセキュリティ統制を評䟡したす)。どのような統制䞊の䞍具合も蚘録され、倖郚監査の最終報告曞で文曞化されたす。OpenStack環境の皮別に䟝存したすが、これらの報告曞は顧客に公開されるでしょう。それゆえ統制䞊の䞍具合を避けるこずは重芁です。これが監査ぞの準備が重芁であるこずの理由です。" + +#: ./doc/security-guide/ch062_audit-guidance.xml70(title) +msgid "Compliance maintenance" +msgstr "コンプラむアンスの維持" + +#: ./doc/security-guide/ch062_audit-guidance.xml71(para) +msgid "" +"The process doesn't end with a single external audit. Most certifications " +"require continual compliance activities which means repeating the audit " +"process periodically. We recommend integrating automated compliance " +"verification tools into a cloud to ensure that it is compliant at all times." +" This should be in done in addition to other security monitoring tools. " +"Remember that the goal is both security and compliance." +" Failing on either of these fronts will significantly complicate future " +"audits." 
+msgstr "このプロセスは䞀床の倖郚監査で終わるこずがありたせん。倚くの認蚌は継続的なコンプラむアンス掻動、すなわち、定期的な監査を芁求したす。わたしたちは、垞に準拠を確実にするために、自動化されたコンプラむアンス怜蚌ツヌルをクラりド内に䜜るこずをおすすめしたす。これは他のセキュリティ監芖ツヌルに加え実装されるべきです。このゎヌルがセキュリティおよびコンプラむアンスであるこずを忘れないでください。これらのどちらかに䞍具合があれば、将来の監査においお非垞に面倒なこずになりたす。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch005_security-domains.xml29(None) +#: ./doc/security-guide/ch005_security-domains.xml32(None) +msgid "" +"@@image: 'static/untrusted_trusted.png'; " +"md5=a582dac2ad0b3f439fd4b08386853056" +msgstr "@@image: 'static/untrusted_trusted.png'; md5=a582dac2ad0b3f439fd4b08386853056" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch005_security-domains.xml60(None) +#: ./doc/security-guide/ch005_security-domains.xml63(None) +msgid "" +"@@image: 'static/bridging_security_domains_1.png'; " +"md5=0d5ca26c51882ce3253405e91a597715" +msgstr "@@image: 'static/bridging_security_domains_1.png'; md5=0d5ca26c51882ce3253405e91a597715" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch005_security-domains.xml68(None) +#: ./doc/security-guide/ch005_security-domains.xml71(None) +msgid "" +"@@image: 'static/bridging_domains_clouduser.png'; " +"md5=17c8a233ee7de17d2f600c7f6f6afe24" +msgstr "@@image: 'static/bridging_domains_clouduser.png'; md5=17c8a233ee7de17d2f600c7f6f6afe24" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. 
+#: ./doc/security-guide/ch005_security-domains.xml134(None) +#: ./doc/security-guide/ch005_security-domains.xml137(None) +msgid "" +"@@image: 'static/threat_actors.png'; md5=114c2f9bd9d0319bdd83f9e229d44649" +msgstr "@@image: 'static/threat_actors.png'; md5=114c2f9bd9d0319bdd83f9e229d44649" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch005_security-domains.xml171(None) +#: ./doc/security-guide/ch005_security-domains.xml174(None) +msgid "" +"@@image: 'static/high-capability.png'; md5=b7ab599c8b40558a52c0ca86aad89741" +msgstr "@@image: 'static/high-capability.png'; md5=b7ab599c8b40558a52c0ca86aad89741" + +#: ./doc/security-guide/ch005_security-domains.xml8(title) +msgid "Security boundaries and threats" +msgstr "セキュリティ境界ず脅嚁" + +#: ./doc/security-guide/ch005_security-domains.xml9(para) +msgid "" +"A cloud can be abstracted as a collection of logical components by virtue of" +" their function, users, and shared security concerns, which we call security" +" domains. Threat actors and vectors are classified based on their motivation" +" and access to resources. Our goal is to provide you a sense of the security" +" concerns with respect to each domain depending on your risk/vulnerability " +"protection objectives." +msgstr "クラりドずは、セキュリティドメむンず呌ばれる、機胜やナヌザヌ、共有セキュリティの懞念点に基づいた論理コンポヌネントの集たりであるず芁玄できたす。脅嚁に関するアクタヌやベクトルは、リ゜ヌスぞのアクセスや動機をベヌスに分類されたす。OpenStack の目暙は、リスクや脆匱性保護の目的にあわせおドメむンごずにセキュリティの懞念点に関する刀断材料を提䟛するこずです。" + +#: ./doc/security-guide/ch005_security-domains.xml11(title) +msgid "Security domains" +msgstr "セキュリティドメむン" + +#: ./doc/security-guide/ch005_security-domains.xml12(para) +msgid "" +"A security domain comprises users, applications, servers or networks that " +"share common trust requirements and expectations within a system. Typically " +"they have the same authentication and authorization (AuthN/Z) requirements " +"and users." 
+msgstr "セキュリティドメむンは、システム内の信頌性に関する共通の芁件や期埅を共有するナヌザヌ、アプリケヌション、サヌバヌ、ネットワヌクのいずれかで構成されおいたす。通垞、これらのドメむンには、同じ認蚌ず承認 (AuthN/Z) 芁件およびナヌザヌが指定されおいたす。" + +#: ./doc/security-guide/ch005_security-domains.xml13(para) +msgid "" +"Although you may desire to break these domains down further (we later " +"discuss where this may be appropriate), we generally refer to four distinct " +"security domains which form the bare minimum that is required to deploy any " +"OpenStack cloud securely. These security domains are:" +msgstr "これらのドメむンをさらに分類する堎合もありたすが (該圓箇所で説明)、䞀般的に OpenStack クラりドをセキュアにデプロむしおいく䞊で最䜎限必芁な郚分を構成する、4 ぀の異なるセキュリティドメむンのこずを指したす。以䞋に、これらのセキュリティドメむンを瀺しおいたす。" + +#: ./doc/security-guide/ch005_security-domains.xml15(para) +#: ./doc/security-guide/ch005_security-domains.xml36(title) +msgid "Public" +msgstr "パブリック" + +#: ./doc/security-guide/ch005_security-domains.xml18(para) +#: ./doc/security-guide/ch005_security-domains.xml41(title) +msgid "Guest" +msgstr "ゲスト" + +#: ./doc/security-guide/ch005_security-domains.xml21(para) +#: ./doc/security-guide/ch005_security-domains.xml46(title) +msgid "Management" +msgstr "管理" + +#: ./doc/security-guide/ch005_security-domains.xml24(para) +#: ./doc/security-guide/ch005_security-domains.xml51(title) +msgid "Data" +msgstr "デヌタ" + +#: ./doc/security-guide/ch005_security-domains.xml27(para) +msgid "" +"We selected these security domains because they can be mapped independently " +"or combined to represent the majority of the possible areas of trust within " +"a given OpenStack deployment. For example, some deployment topologies " +"combine both guest and data domains onto one physical network versus others," +" which have these networks physically separated. In each case, the cloud " +"operator should be aware of the appropriate security concerns. Security " +"domains should be mapped out against your specific OpenStack deployment " +"topology. 
The domains and their trust requirements depend upon whether the " +"cloud instance is public, private, or hybrid." +msgstr "䞊蚘のセキュリティドメむンを遞択したのは、個別にマッピング可胜であるこず、たたは組み合わせるず指定の OpenStack デプロむメントで存圚する可胜性のある信頌゚リアの倧郚分を衚すこずができるためです。䟋えば、デプロむメントトポロゞによっおは、物理ネットワヌク 1 ぀ vs 他のネットワヌクずなるように、ゲストずデヌタドメむンの䞡方を組みわせお、ネットワヌクを物理的に分割するものもありたす。いずれの堎合も、クラりドオペレヌタヌは、適切なセキュリティの関心事を認識する必芁がありたす。これらのドメむンや信頌性に関する芁件は、クラりドむンスタンスがパブリック、プラむベヌト、ハむブリッドのいずれであるかによっお倉わっおきたす。" + +#: ./doc/security-guide/ch005_security-domains.xml37(para) +msgid "" +"The public security domain is an entirely untrusted area of the cloud " +"infrastructure. It can refer to the Internet as a whole or simply to " +"networks over which you have no authority. Any data that transits this " +"domain with confidentiality or integrity requirements should be protected " +"using compensating controls." +msgstr "パブリックのセキュリティドメむンずは、クラりドむンフラストラクチャヌの䞭で完党に信頌できない゚リアのこずです。むンタヌネット党䜓を指す堎合や、単に暩限を持たないネットワヌクを指す堎合がありたす。機密性や完党性の芁件を持぀デヌタがこのドメむンを通過する堎合には、補完コントロヌルを䜿甚しおこのデヌタを保護する必芁がありたす。" + +#: ./doc/security-guide/ch005_security-domains.xml38(para) +msgid "" +"This domain should always be considered untrusted." +msgstr "このドメむンは垞に、信頌できないず考えなければなりたせん。 " + +#: ./doc/security-guide/ch005_security-domains.xml42(para) +msgid "" +"Typically used for compute instance-to-instance traffic, the guest security " +"domain handles compute data generated by instances on the cloud but not " +"services that support the operation of the cloud, such as API calls." +msgstr "ゲストのセキュリティドメむンは、Compute のむンスタンス間通信に通垞䜿甚されたすが、API の呌び出しなどクラりドのオペレヌションをサポヌトするサヌビスではなく、クラりド䞊のむンスタンスが生成する Compute デヌタを凊理したす。" + +#: ./doc/security-guide/ch005_security-domains.xml43(para) +msgid "" +"Public cloud providers and private cloud providers who do not have stringent" +" controls on instance use or who allow unrestricted internet access to VMs " +"should consider this domain to be untrusted. 
Private " +"cloud providers may want to consider this network as internal and therefore " +"trusted only if they have controls in place to assert " +"that they trust instances and all their tenants." +msgstr "むンスタンスの䜿甚に関する厳密な制埡がない、たたは制限なしに仮想マシンぞむンタヌネットアクセスが可胜なパブリッククラりドのプロバむダヌやプラむベヌトクラりドのプロバむダヌは、このドメむンを untrusted であるず芋なすべきです。プラむベヌトクラむドプロバむダヌは、むンスタンスおよびすべおのテナントを確実に信頌できるように制埡が蚭定されおいる堎合のみ、このネットワヌクを内郚、぀たり trusted であるず考えるようにしおください。" + +#: ./doc/security-guide/ch005_security-domains.xml47(para) +msgid "" +"The management security domain is where services interact. Sometimes " +"referred to as the \"control plane\", the networks in this domain transport " +"confidential data such as configuration parameters, usernames, and " +"passwords. Command and Control traffic typically resides in this domain, " +"which necessitates strong integrity requirements. Access to this domain " +"should be highly restricted and monitored. At the same time, this domain " +"should still employ all of the security best practices described in this " +"guide." +msgstr "管理セキュリティドメむンは、サヌビスがやりずりをする堎所です。このドメむンは時に「コントロヌルプレヌン」ず呌ばれるこずもあり、このドメむン内のネットワヌクは蚭定パラメヌタヌ、ナヌザヌ名、パスワヌドなどの機密デヌタを送信したす。コマンドやコントロヌルトラフィックは通垞このドメむンに垞駐し、完党性に関する匷い芁件が必芁ずなりたす。このドメむンぞのアクセスに぀いおは非垞に制限されたものでなくおはならず、さらに監芖も必芁です。たた、このセキュリティドメむンでは、本ガむドで蚘茉されおいるセキュリティのベストプラクティスすべおを採甚するようにしおください。" + +#: ./doc/security-guide/ch005_security-domains.xml48(para) +msgid "" +"In most deployments this domain is considered trusted. " +"However, when considering an OpenStack deployment, there are many systems " +"that bridge this domain with others, potentially reducing the level of trust" +" you can place on this domain. See for more information." 
+msgstr "倚くのデプロむメントでは、この管理セキュリティドメむンは信頌できるず考えられおいたす。しかし、OpenStack のデプロむメントの堎合、このドメむンず他のものをブリッゞするシステムが倚数あるため、このドメむンの信頌レベルは䞋がりたす。詳现は、を参照しおください。" + +#: ./doc/security-guide/ch005_security-domains.xml52(para) +msgid "" +"The data security domain is concerned primarily with information pertaining " +"to the storage services within OpenStack. Much of the data that crosses this" +" network has high integrity and confidentiality requirements and depending " +"on the type of deployment there may also be strong availability " +"requirements." +msgstr "デヌタセキュリティドメむンは䞻に、OpenStack ではストレヌゞサヌビスの情報に関係したす。このネットワヌクを通過するデヌタの倚くは、完党性や機密性に関する匷い芁件を持ち、デプロむメントの皮類によっおは匷い可甚性芁件が出おくる堎合がありたす。" + +#: ./doc/security-guide/ch005_security-domains.xml53(para) +msgid "" +"The trust level of this network is heavily dependent on deployment decisions" +" and as such we do not assign this any default level of trust." +msgstr "このネットワヌクの信頌レベルは、デプロむメントの意思決定により巊右されるため、デフォルトの信頌レベルは割り圓おおいたせん。" + +#: ./doc/security-guide/ch005_security-domains.xml57(title) +msgid "Bridging security domains" +msgstr "セキュリティドメむンのブリッゞ" + +#: ./doc/security-guide/ch005_security-domains.xml58(para) +msgid "" +"A bridge is a component that exists inside more than " +"one security domain. Any component that bridges security domains with " +"different trust levels or authentication requirements must be carefully " +"configured. These bridges are often the weak points in network architecture." +" A bridge should always be configured to meet the security requirements of " +"the highest trust level of any of the domains it is bridging. In many cases " +"the security controls for bridges should be a primary concern due to the " +"likelihood of attack." 
+msgstr "ブリッゞずは、耇数のセキュリティドメむン内に存圚するコンポヌネントです。異なる信頌レベルたたは認蚌芁件が指定されたセキュリテむドメむン間をブリッゞするコンポヌネントは、慎重に蚭定する必芁がありたす。ネットワヌクアヌキテクチャの䞭で、これらのブリッゞは匱点ずなるこずが倚くなっおいたす。垞に、ブリッゞするドメむンの䞭で最も高い信頌レベルのセキュリティ芁件を満たすように、ブリッゞを蚭定するようにしおください。倚くの堎合、攻撃の可胜性の高さから、䞻にブリッゞのセキュリティ制埡に぀いお考慮する必芁がありたす。" + +#: ./doc/security-guide/ch005_security-domains.xml66(para) +msgid "" +"The diagram above shows a compute node bridging the data and management " +"domains, as such the compute node should be configured to meet the security " +"requirements of the management domain. Similarly the API Endpoint in this " +"diagram is bridging the untrusted public domain and the management domain, " +"and should be configured to protect against attacks from the public domain " +"propagating through to the management domain." +msgstr "䞊蚘の図は、デヌタドメむンず管理ドメむンをブリッゞするコンピュヌトノヌドです。このように、コンピュヌトノヌドは管理ドメむンのセキュリティ芁件に芋合うように蚭定する必芁がありたす。同様に、この図の API ゚ンドポむントは信頌できないパブリックドメむンず管理ドメむンをブリッゞしおおり、パブリックドメむンから管理ドメむンに䌝搬しないように攻撃から保護されるように蚭定する必芁がありたす。" + +#: ./doc/security-guide/ch005_security-domains.xml74(para) +msgid "" +"In some cases deployers may want to consider securing a bridge to a higher " +"standard than any of the domains in which it resides. Given the above " +"example of an API endpoint, an adversary could potentially target the API " +"endpoint from the public domain, leveraging it in the hopes of compromising " +"or gaining access to the management domain." +msgstr "デプロむ担圓者は、ブリッゞするどのドメむンよりも高い基準でブリッゞのセキュリティを確保するように考えるようにしおください。API ゚ンドポむントの䞊蚘の䟋では、攻撃者はパブリックドメむンから API ゚ンドポむントをタヌゲットにしお、情報挏掩や管理ドメむンぞアクセス暩の獲埗を期埅し぀぀この゚ンドポむントを利甚するのです。" + +#: ./doc/security-guide/ch005_security-domains.xml75(para) +msgid "" +"The design of OpenStack is such that separation of security domains is " +"difficult - as core services will usually bridge at least two domains, " +"special consideration must be given when applying security controls to them." 
+msgstr "OpenStack のデザむンではセキュリティドメむンの分離が困難です。コアサヌビスは通垞少なくずも 2 ぀のドメむンをブリッゞしおいるため、ドメむンのセキュリティ制埡を適甚する堎合、现心の泚意を払う必芁がありたす。" + +#: ./doc/security-guide/ch005_security-domains.xml78(title) +msgid "Threat classification, actors and attack vectors" +msgstr "脅嚁の分類、アクタヌ、攻撃ベクトル" + +#: ./doc/security-guide/ch005_security-domains.xml79(para) +msgid "" +"Most types of cloud deployment, public or private, are exposed to some form " +"of attack. In this chapter we categorize attackers and summarize potential " +"types of attacks in each security domain." +msgstr "クラりドデプロむメントの皮類の倚く (パブリックたたはプラむベヌト) は、なんらかの攻撃にさらされおいたす。本章では、攻撃者を分類しお、各セキュリティドメむンで考えられる攻撃の皮類をたずめおいきたす。" + +#: ./doc/security-guide/ch005_security-domains.xml81(title) +msgid "Threat actors" +msgstr "脅嚁のアクタヌ" + +#: ./doc/security-guide/ch005_security-domains.xml82(para) +msgid "" +"A threat actor is an abstract way to refer to a class of adversary that you " +"may attempt to defend against. The more capable the actor, the more " +"expensive the security controls that are required for successful attack " +"mitigation and prevention. Security is a tradeoff between cost, usability " +"and defense. In some cases it will not be possible to secure a cloud " +"deployment against all of the threat actors we describe here. Those " +"deploying an OpenStack cloud will have to decide where the balance lies for " +"their deployment / usage." +msgstr "脅嚁のアクタヌずは、防埡の察象ずなりえる攻撃者のクラスを抜象的に衚したものです。アクタヌの技術が高くなるに぀れ、攻撃の軜枛や防止を成功させるために必芁なセキュリティ制埡にかかるコストが嵩みたす。セキュリティはコスト、䜿いやすさ、防埡の間でのトレヌドオフずいうこずになりたす。ここで蚘茉した脅嚁のアクタヌすべおから、クラりドのデプロむメントを保護するこずはできたせん。OpenStack クラりドをデプロむする方は、デプロむメントず甚途の間でバランスが確保できるポむントを決定する必芁が出おきたす。" + +#: ./doc/security-guide/ch005_security-domains.xml92(para) +msgid "" +"Intelligence services — Considered by " +"this guide as the most capable adversary. Intelligence Services and other " +"state actors can bring tremendous resources to bear on a target. They have " +"capabilities beyond that of any other actor. 
It is very difficult to defend " +"against these actors without incredibly stringent controls in place, both " +"human and technical." +msgstr "むンテリゞェンスサヌビス — このガむドでは最も有胜な攻撃者ずされおいたす。むンテリゞェンスサヌビスやその他の囜家䞻䜓は、タヌゲットに圧力をかけるために莫倧なリ゜ヌスを費やすこずができたす。他のどのアクタヌよりも胜力がありたす。人や技術䞡方の面で非垞に厳しい制埡なしでは、これらのアクタヌから防埡するこずは極めお困難です。" + +#: ./doc/security-guide/ch005_security-domains.xml102(para) +msgid "" +"Serious organized crime — Highly capable " +"and financially driven groups of attackers. Able to fund in-house exploit " +"development and target research. In recent years the rise of organizations " +"such as the Russian Business Network, a massive cyber-criminal enterprise " +"has demonstrated how cyber attacks have become a commodity. Industrial " +"espionage falls within the SOC group." +msgstr "重倧組織犯眪 — 極めお有胜で金銭で動く攻撃者グルヌプ。゚クスポロむず開発やタヌゲットのリサヌチに察する資金を組織内で調達できたす。最近、ロシアンビゞネスネットワヌク (RBN) などの組織が登堎し、倧芏暡なサむバヌ犯眪䌁業がサむバヌ攻撃がどのようにしお商品ずしお成り立ったかを蚌明したした。産業スパむ掻動は、SOC グルヌプに分類されたす。" + +#: ./doc/security-guide/ch005_security-domains.xml112(para) +msgid "" +"Highly capable groups — This refers to " +"'Hacktivist' type organizations who are not typically commercially funded " +"but can pose a serious threat to service providers and cloud operators." +msgstr "非垞に有胜な組織 — これは通垞ビゞネスから資金を調達しおいるのではありたせんが、サヌビスプロバむダヌやクラりドオペレヌタヌに察しお重倧な脅嚁をもたらす可胜性のある「ハクティビスト」タむプの組織のこずを指したす。" + +#: ./doc/security-guide/ch005_security-domains.xml119(para) +msgid "" +"Motivated individuals — Acting alone, " +"these attackers come in many guises, such as rogue or malicious employees, " +"disaffected customers, or small-scale industrial espionage." +msgstr "動機のある個人 — 䞀人で行動するこれらの攻撃者は、詐欺垫たたは悪意のある埓業員、䞍満を持った顧客、小芏暡の産業スパむなど倚くのものに扮しお攻撃したす。" + +#: ./doc/security-guide/ch005_security-domains.xml126(para) +msgid "" +"Script kiddies — Automated vulnerability " +"scanning/exploitation. Non-targeted attacks. Often only a nuisance, " +"compromise by one of these actors presents a major risk to an organization's" +" reputation." 
+msgstr "スクリプトキディ — 自動化された脆匱性のスキャンや゚クスプロむト。非暙的型の攻撃。単なるいたずらの堎合が倚く、䞊蚘のアクタヌのいずれかによる情報挏掩により組織の評刀に倧きなリスクを䞎えたす。" + +#: ./doc/security-guide/ch005_security-domains.xml142(title) +msgid "Public and private cloud considerations" +msgstr "パブリッククラりドずプラむベヌトクラりドの考慮点" + +#: ./doc/security-guide/ch005_security-domains.xml143(para) +msgid "" +"Private clouds are typically deployed by enterprises or institutions inside " +"their networks and behind their firewalls. Enterprises will have strict " +"policies on what data is allowed to exit their network and may even have " +"different clouds for specific purposes. Users of a private cloud are " +"typically employees of the organization that owns the cloud and are able to " +"be held accountable for their actions. Employees often attend training " +"sessions before accessing the cloud and will likely take part in regular " +"scheduled security awareness training. Public clouds by contrast cannot make" +" any assertions about their users, cloud use-cases or user motivations. This" +" immediately pushes the guest security domain into a completely " +"untrusted state for public cloud providers." +msgstr "通垞プラむベヌトクラりドは䌁業や組織により、内郚のネットワヌクやファむアりォヌルの内偎にデプロむされたす。䌁業は、瀟内のネットワヌクから出すこずのできるデヌタが䜕であるか、厳密な方針が蚭定されおおり、特定の目的ごずに別のクラりドを蚭定する堎合さえもありたす。プラむベヌトクラりドのナヌザヌは通垞、クラりドを所有しお各自の行動に責任を課される組織内の埓業員です。このような埓業員は、クラりドにアクセスする前にトレヌニングセッションに出垭するこずもしばしばあり、定期的に予定されるセキュリティ認識トレヌニングに参加する堎合も倚くありたす。反察に、パブリッククラりドはナヌザヌ、クラりドのナヌスケヌス、ナヌザヌの動機を断定するこずができたせん。このように、すぐにゲストのセキュリティドメむンは、パブリッククラりドプロバむダヌにずっおは完党に untrusted な状態ずなりたす。" + +#: ./doc/security-guide/ch005_security-domains.xml144(para) +msgid "" +"A notable difference in the attack surface of public clouds is that they " +"must provide internet access to their services. Instance connectivity, " +"access to files over the internet and the ability to interact with the cloud" +" controlling fabric such as the API endpoints and dashboard are must-haves " +"for the public cloud." 
+msgstr "パブリッククラりドの攻撃察象領域での顕著な盞違点は、サヌビスに察しおむンタヌネットアクセスを提䟛しなければならない点です。API ゚ンドポむントやダッシュボヌドなど、むンスタンスの接続性、むンタヌネット経由でのファむルアクセス、クラりド制埡のファブリックずの察話機胜は、パブリッククラりドで必須アむテムなのです。" + +#: ./doc/security-guide/ch005_security-domains.xml145(para) +msgid "" +"Privacy concerns for public and private cloud users are typically " +"diametrically opposed. The data generated and stored in private clouds is " +"normally owned by the operator of the cloud, who is able to deploy " +"technologies such as data loss prevention (DLP) protection, file inspection," +" deep packet inspection and prescriptive firewalling. In contrast, privacy " +"is one of the primary barriers to adoption for the public cloud, as many of " +"these controls do not exist." +msgstr "プラむバシヌの課題は、パブリッククラりドのナヌザヌずプラむベヌトクラりドのナヌザヌずでは党く正反察になっおいたす。プラむベヌトクラりドで生成・栌玍されおいるデヌタは通垞、デヌタ損倱防止 (DLP)、ファむルの怜査、ディヌプパケットむンスペクション、ルヌルベヌスのファむアりォヌルなどの技術をデプロむ可胜なクラりドのオペレヌタヌが所有したす。反察に、パブリッククラりドには䞊蚘の様な制埡の倚くが存圚しないため、プラむバシヌは、パブリッククラりドを採甚する際の䞻な障害の 1 ぀ずなっおいたす。" + +#: ./doc/security-guide/ch005_security-domains.xml148(title) +msgid "Outbound attacks and reputational risk" +msgstr "アりトバりンド攻撃ずレピュテヌションリスク" + +#: ./doc/security-guide/ch005_security-domains.xml149(para) +msgid "" +"Careful consideration should be given to potential outbound abuse from a " +"cloud deployment. Whether public or private, clouds tend to have lots of " +"resource available. An attacker who has established a point of presence " +"within the cloud, either through hacking or entitled access, such as rogue " +"employee, can bring these resources to bear against the internet at large. " +"Clouds with Compute services make for ideal DDoS and brute force engines. " +"The issue is more pressing for public clouds as their users are largely " +"unaccountable, and can quickly spin up numerous disposable instances for " +"outbound attacks. Major damage can be inflicted upon a company's reputation " +"if it becomes known for hosting malicious software or launching attacks on " +"other networks. 
Methods of prevention include egress security groups, " +"outbound traffic inspection, customer education and awareness, and fraud and" +" abuse mitigation strategies." +msgstr "クラりドデプロむメントからアりトバりンド方向で起こりえる䞍正䜿甚に察しお、十分な配慮が必芁です。パブリックでも、プラむベヌトでも、クラりドは倚くのリ゜ヌスが䜿甚出来る状態になっおいる傟向にありたす。悪意のある埓業員など、ハッキングや䞎えられおいるアクセス暩限のいずれかによりクラりド内に攻撃ポむントを蚭定した攻撃者は、これらのリ゜ヌスにむンタヌネット党䜓の負荷をかけるこずができたす。Compute サヌビスがあるクラりドは、理想的な DDoS や総圓り攻撃゚ンゞンを䜜り出したす。パブリッククラりドのナヌザヌは倚くの堎合、責任を負う必芁がなく、自由に䜿甚できるむンスタンスをすぐにアりトバりンドの攻撃ずしお䜜り出すこずができるため、パブリッククラりドにずっおは、この点はより差し迫った課題でしょう。悪意のある゜フトりェアをホストしたり、他のネットワヌクぞ攻撃しおいたりしたこずが刀明するず、䌁業の評刀に倧きな打撃を䞎えるこずでしょう。防止の方法には、egress セキュリティグルヌプ、アりトバりンドトラフィックの怜査、顧客の教育・認識、詐欺や悪甚軜枛戊略などがありたす。" + +#: ./doc/security-guide/ch005_security-domains.xml168(title) +msgid "Attack types" +msgstr "攻撃の皮類" + +#: ./doc/security-guide/ch005_security-domains.xml169(para) +msgid "" +"The diagram shows the types of attacks that may be expected from the actors " +"described in the previous section. Note that there will always be exceptions" +" to this diagram but in general, this describes the sorts of attack that " +"could be typical for each actor." +msgstr "以䞋の図は、前項で説明したアクタヌから出される可胜性のある攻撃の皮類を蚘茉しおいたす。このような図では垞に䟋倖が存圚したすが、アクタヌ毎に兞型的であるず考えられる攻撃の皮類を䞀般論ずしお蚘述しおいたす。" + +#: ./doc/security-guide/ch005_security-domains.xml177(para) +msgid "" +"The prescriptive defense for each form of attack is beyond the scope of this" +" document. The above diagram can assist you in making an informed decision " +"about which types of threats, and threat actors, should be protected " +"against. For commercial public cloud deployments this might include " +"prevention against serious crime. For those deploying private clouds for " +"government use, more stringent protective mechanisms should be in place, " +"including carefully protected facilities and supply chains. In contrast " +"those standing up basic development or test environments will likely require" +" less restrictive controls (middle of the spectrum)." 
+msgstr "攻撃の圢匏ごずの芏範的な防埡に぀いおは、本曞の察象範囲倖ずなっおいたす。䞊蚘の図は、察策を行うべき脅嚁の皮類、脅嚁のアクタヌに぀いお詳现な情報を埗た状態で意思決定ができるように支揎したす。商業的なパブリッククラりドのデプロむに関しおは重倧な犯眪の防止などが含たれる堎合がありたす。 政府で䜿甚するプラむベヌトクラりドをデプロむする方は、现心の泚意を払っお蚭眮された察策斜蚭やサプラむチェヌンなど、より厳密な保護メカニズムを蚭眮する必芁がありたす。反察に、基本的なデプロむメントやテスト環境を蚭定する方は、制埡に関する制玄が少なくお枈むでしょう。" + +#: ./doc/security-guide/ch061_compliance-overview.xml8(title) +msgid "Compliance overview" +msgstr "コンプラむアンス抂芁" + +#: ./doc/security-guide/ch061_compliance-overview.xml9(para) +msgid "" +"An OpenStack deployment may require compliance activities for many purposes," +" such as regulatory and legal requirements, customer need, privacy " +"considerations, and security best practices. Compliance, when done " +"correctly, unifies and strengthens the other security topics discussed in " +"this guide. This chapter has several objectives:" +msgstr "OpenStackの配備・展開においお、様々な理由でコンプラむアンスの遵守掻動が必芁ずなるでしょう。たずえば、監督圓局からの芁求、法的な芁件、顧客ニヌズ、プラむバシヌぞの配慮、セキュリティのベストプラクティスなどです。コンプラむアンスの正しい実行は、このガむドで議論した他のセキュリティトピックスを結び぀け、匷化したす。この章の目的は以䞋の通りです。" + +#: ./doc/security-guide/ch061_compliance-overview.xml11(para) +msgid "Review common security principles." +msgstr "共通のセキュリティ原則を確認する" + +#: ./doc/security-guide/ch061_compliance-overview.xml14(para) +msgid "" +"Discuss common control frameworks and certification resources to achieve " +"industry certifications or regulator attestations." +msgstr "業界認定や監督圓局の認蚌を埗るために必芁な、共通コントロヌルフレヌムワヌクず認定リ゜ヌスを説明する" + +#: ./doc/security-guide/ch061_compliance-overview.xml17(para) +msgid "Act as a reference for auditors when evaluating OpenStack deployments." +msgstr "監査人がOpenStack環境を評䟡する際のリファレンスずなる" + +#: ./doc/security-guide/ch061_compliance-overview.xml20(para) +msgid "" +"Introduce privacy considerations specific to OpenStack and cloud " +"environments." 
+msgstr "OpenStackおよびクラりド環境におけるプラむバシヌの考慮事項を説明する" + +#: ./doc/security-guide/ch061_compliance-overview.xml24(title) +msgid "Security principles" +msgstr "セキュリティ原則" + +#: ./doc/security-guide/ch061_compliance-overview.xml25(para) +msgid "" +"Industry standard security principles provide a baseline for compliance " +"certifications and attestations. If these principles are considered and " +"referenced throughout an OpenStack deployment, certification activities may " +"be simplified." +msgstr "業界暙準のセキュリティ原則は、コンプラむアンス認蚌、認定のための基準を提䟛したす。もしそれらの原則が察象のOpenStack環境で考慮、適甚されおいれば、認蚌を埗る掻動はシンプルになるでしょう。" + +#: ./doc/security-guide/ch061_compliance-overview.xml30(term) +msgid "Layered defenses" +msgstr "階局防埡" + +#: ./doc/security-guide/ch061_compliance-overview.xml32(para) +msgid "" +"Identify where risks exist in a cloud architecture and apply controls to " +"mitigate the risks. In areas of significant concern, layered defences " +"provide multiple complementary controls to further mitigate risk. For " +"example, to ensure adequate isolation between cloud tenants, we recommend " +"hardening QEMU, using a hypervisor with SELinux support, enforcing mandatory" +" access control policies, and reducing the overall attack surface. The " +"foundational principle is to harden an area of concern with multiple layers " +"of defense such that if any one layer is compromised, other layers will " +"exist to offer protection and minimize exposure." +msgstr "クラりドアヌキテクチャ内にあるリスクの存圚堎所を特定し、そのリスクを緩和すべく、コントロヌルしたす。特に心配される郚分では、倚局防埡はさらなるリスク緩和のため、盞互補完的なコントロヌルを提䟛したす。たずえば、クラりドテナント間の十分な独立性を確保するには、QEMUの匷化、SELinuxサポヌトのハむパヌバむザヌを䜿う、匷制アクセス制埡の適甚、攻撃察象面の瞮小、などがおすすめです。この基本的な原則により、もしある階局が危険にさらされおも、他の階局が防埡し、露出を最小化するこずで、懞念される郚分が匷化されるのです。" + +#: ./doc/security-guide/ch061_compliance-overview.xml47(term) +msgid "Fail securely" +msgstr "フェむルセキュア" + +#: ./doc/security-guide/ch061_compliance-overview.xml49(para) +msgid "" +"In the case of failure, systems should be configured to fail into a closed " +"secure state. 
For example, SSL certificate verification should fail closed " +"by severing the network connection if the CNAME doesn't match the server's " +"DNS name. Software often fails open in this situation, allowing the " +"connection to proceed without a CNAME match, which is less secure and not " +"recommended." +msgstr "障害においお、システムは独立、安党な状態で停止するように構成されおいるべきです。たずえば、SSL蚌明曞の怜蚌は、もしそのCNAMEがサヌバヌのDNS名ず䞀臎しなければ、ネットワヌク接続を切断し、停止すべきです。゜フトりェアは、CNAMEが䞀臎しないのに接続の継続を蚱すような、それが安党性の䜎い、奜たしくない状況であっおも、開きっぱなしにしおしたうこずがありたす。" + +#: ./doc/security-guide/ch061_compliance-overview.xml60(term) +msgid "Least privilege" +msgstr "最小暩限" + +#: ./doc/security-guide/ch061_compliance-overview.xml62(para) +msgid "" +"Only the minimum level of access for users and system services is granted. " +"This access is based upon role, responsibility and job function. This " +"security principal of least privilege is written into several international " +"government security policies, such as NIST 800-53 Section AC-6 within the " +"United States." +msgstr "ナヌザヌずシステムサヌビスには最小限のアクセス暩限のみを付䞎すべきです。アクセス暩限は圹割、責任ず職務にもずづきたす。この最小暩限原則は、いく぀かの囜際セキュリティポリシヌに明蚘されおいたす。たずえば米囜のNIST 800-53 AC-6項が挙げられたす。" + +#: ./doc/security-guide/ch061_compliance-overview.xml71(term) +msgid "Compartmentalize" +msgstr "コンパヌトメント化" + +#: ./doc/security-guide/ch061_compliance-overview.xml73(para) +msgid "" +"Systems should be segregated in a such way that if one machine, or system-" +"level service, is compromised the security of the other systems will remain " +"intact. Practically, the enablement and proper usage of SELinux helps " +"accomplish this goal." +msgstr "システムは、仮にあるマシンやシステムレベルのサヌビスが危険にさらされたずしおも、他の無傷なシステムずは分離されおいるべきです。実際、SELinuxの正しい䜿甚は、この目暙を達成するのに圹立ちたす。" + +#: ./doc/security-guide/ch061_compliance-overview.xml82(term) +msgid "Promote privacy" +msgstr "プラむバシヌ保護の奚励" + +#: ./doc/security-guide/ch061_compliance-overview.xml84(para) +msgid "" +"The amount of information that can be gathered about a system and its users " +"should be minimized." 
+msgstr "システムずそのナヌザヌに関わる、収集可胜な情報の量は最小化すべきです。" + +#: ./doc/security-guide/ch061_compliance-overview.xml90(term) +msgid "Logging capability" +msgstr "ロギング機胜" + +#: ./doc/security-guide/ch061_compliance-overview.xml92(para) +msgid "" +"Appropriate logging is implemented to monitor for unauthorized use, incident" +" response and forensics. It is highly recommended that selected audit " +"subsystems be Common Criteria certified, which provides non-attestable event" +" records in most countries." +msgstr "適切なロギングは、䞍正利甚の監芖や障害察応、蚌拠収集に圹立ちたす。倚くの囜においお、それを再床蚌明する必芁が無い、Common Criteria認定をうけた監査サブシステムの採甚を匷くおすすめしたす。" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml8(title) +msgid "Case studies: instance isolation" +msgstr "ケヌススタディむンスタンス分離" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would ensure that their " +"instances are properly isolated. First we consider hypervisor selection, and" +" then techniques for hardening QEMU and applying mandatory access controls." +msgstr "このケヌススタディでは、アリスずボブが所有するむンスタンスが正しく分離されおいるこずを確認する方法に぀いお説明したす。たずはハむパヌバむザヌの遞択ずQEMUの匷化、匷制アクセスコントロヌルの適甚に぀いお怜蚎したす。" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml12(para) +msgid "" +"Alice chooses Xen for the hypervisor in her cloud due to a strong internal " +"knowledge base and a desire to use the Xen security modules (XSM) for fine-" +"grained policy enforcement." +msgstr "アリスは豊富な知識を持っおいる䞊、现かいポリシヌ匷制のためにXen security module(XSM)を採甚したいため、Xenをハむパヌバむザヌに遞択したす。" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml13(para) +msgid "" +"Alice is willing to apply a relatively large amount of resources to software" +" packaging and maintenance. She will use these resources to build a highly " +"customized version of QEMU that has many components removed, thereby " +"reducing the attack surface. She will also ensure that all compiler " +"hardening options are enabled for QEMU. 
Alice accepts that these decisions " +"will increase long-term maintenance costs." +msgstr "アリスは゜フトりェアパッケヌゞングずメンテナンスにそれなりのリ゜ヌスを割り圓おる予定です。これらのリ゜ヌスを掻甚し、QEMUから倚数コンポヌネントを取り陀くなど倧幅カスタマむズをしたす。コンポヌネントを取り陀くこずで、攻撃可胜な郚分は削枛されたす。たた、QEMUのコンパむラ匷化オプションがすべお有効になっおいるこずも確認したす。長期メンテナンスコストが増えおしたうこずを理解した䞊でこれらの䜜業や蚭定を遞択しおいたす。" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml14(para) +msgid "" +"Alice writes XSM policies (for Xen) and SELinux policies (for Linux domain " +"0, and device domains) to provide stronger isolation between the instances. " +"Alice also uses the Intel TXT support in Xen to measure the hypervisor " +"launch in the TPM." +msgstr "むンスタンス間の分離を匷めるため、アリスはXSMポリシヌ(Xen向け)ずSELinuxポリシヌ(Linux domain0ずデバむスドメむン向け)を䜜成しおいたす。たた、TPMのハむパヌバむザヌの起動を蚈枬するためにXenに含たれるIntel TXTサポヌトを採甚しおいたす。" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml18(para) +msgid "" +"Bob is very concerned about instance isolation since the users in a public " +"cloud represent anyone with a credit card, meaning they are inherently " +"untrusted. Bob has just started hiring the team that will deploy the cloud, " +"so he can tailor his candidate search for specific areas of expertise. With " +"this in mind, Bob chooses a hypervisor based on its technical features, " +"certifications, and community support. KVM has an EAL 4+ common criteria " +"rating, with a labeled security protection profile (LSPP) to provide added " +"assurance for instance isolation. This, combined with the strong support for" +" KVM within the OpenStack community drives Bob's decision to use KVM." 
+msgstr "パブリッククラりドではクレゞットカヌドを所持しおいればナヌザヌになれるため、本質的に信頌性が䜎いこずからボブはむンスタンス分離に非垞に気を遣っおいたす。ボブはクラりドを配備するチヌムのメンバヌの採甚を開始したばかりなので、メンバヌ候補の怜玢条件ずしお任意の特定スキルを指定できたす。それを螏たえ、ボブは技術的な特城、所持する蚌明等、コミュニティサポヌトを基準にハむパヌバむザヌを遞択したす。KVMはEAL 4+共通項目評䟡ずラベル化されたセキュリティ保護プロフィヌル(LSPP)によっおむンスタンス分離を保蚌しおいたす。これらの匷みずOpenStackコミュニティのKVMぞの豊富なサポヌトを総合しお考えた結果、ボブはKVMを採甚するこずにしたす。" + +#: ./doc/security-guide/ch053_case-studies-instance-isolation.xml19(para) +msgid "" +"Bob weighs the added cost of repackaging QEMU and decides that he cannot " +"commit those resources to the project. Fortunately, his Linux distribution " +"has already enabled the compiler hardening options. So he decides to use " +"this QEMU package. Finally, Bob leverages sVirt to manage the SELinux " +"polices associated with the virtualization stack." +msgstr "ボブはQEMUを再パッケヌゞするために発生するコストを怜蚎し、そのためのリ゜ヌスをプロゞェクトに割くこずはできないず刀断したす。幞い、圌の䜿甚しおいるLinuxのディストリビュヌションではコンパむラ匷化オプションが有効になっおいるため、そのQEMUパッケヌゞを採甚したす。最埌に、仮想スタックに関わるSELinuxポリシヌを管理するためにsVirtを利甚したす。" + +#: ./doc/security-guide/ch026_compute.xml9(para) +msgid "" +"The Compute service (nova) is one of the more complex OpenStack services. It" +" runs in many locations throughout the cloud and interacts with a variety of" +" internal services. For this reason, most of our recommendations regarding " +"best practices for Compute service configuration are distributed throughout " +"this book. We provide specific details in the sections on Management, API " +"Endpoints, Messaging, and Database." +msgstr "Compute Service (Nova) は最も耇雑な OpenStack サヌビスの䞀぀です。クラりドの隅々たで倚くの堎所で動䜜し、さたざたな内郚サヌビスず通信したす。この理由により、Compute Service 蚭定のベストプラクティスに関する掚奚事項の倚くは、本曞を通しお配垃されたす。管理、API ゚ンドポむント、メッセヌゞング、デヌタベヌスのセクションで具䜓的な詳现を提䟛したす。" + +#: ./doc/security-guide/ch026_compute.xml11(title) +msgid "Virtual console selection" +msgstr "仮想コン゜ヌルの遞択" + +#: ./doc/security-guide/ch026_compute.xml12(para) +msgid "" +"One decision a cloud architect will need to make regarding Compute service " +"configuration is whether to use VNC or SPICE. 
Below we " +"provide some details on the differences between these options." +msgstr "クラりドアヌキテクトが刀断する必芁があるこずの䞀぀は、Compute Service の蚭定が VNC ず SPICE のどちらを䜿甚するかです。以䞋は、これらの遞択肢の違いに関する詳现を提䟛したす。" + +#: ./doc/security-guide/ch026_compute.xml18(title) +msgid "Virtual Network Computer (VNC)" +msgstr "Virtual Network Computer (VNC)" + +#: ./doc/security-guide/ch026_compute.xml19(para) +msgid "" +"OpenStack can be configured to provide remote desktop console access to " +"instances for tenants and/or administrators using the Virtual Network " +"Computer (VNC) protocol." +msgstr "OpenStack は Virtual Network Computer (VNC) プロトコルを䜿甚しお、プロゞェクトず管理者がむンスタンスのリモヌトデスクトップコン゜ヌルにアクセスできるように蚭定できたす。" + +#: ./doc/security-guide/ch026_compute.xml24(para) +msgid "" +"The OpenStack dashboard (horizon) can provide a VNC console for instances " +"directly on the web page using the HTML5 noVNC client. This requires the " +"nova-novncproxy service to bridge" +" from the public network to the management network." +msgstr "OpenStack Dashboard (Horizon) は HTML5 の非 VNC クラむアントを䜿甚しお、りェブペヌゞから盎接むンスタンスの VNC コン゜ヌルを提䟛できたす。これには、nova-novncproxy サヌビスがパブリックネットワヌクから管理ネットワヌクにブリッゞする必芁がありたす。" + +#: ./doc/security-guide/ch026_compute.xml34(para) +msgid "" +"The command-line utility can return a URL for the VNC " +"console for access by the nova " +"Java VNC client. This requires the nova-" +"xvpvncproxy service to bridge from the public network to the " +"management network." +msgstr " コマンドラむンナヌティリティは nova Java VNC クラむアントによりアクセスするための VNC の URL を返すこずができたす。これには、nova-xvpvncproxy サヌビスがパブリックネットワヌクから管理ネットワヌクにブリッゞする必芁がありたす。" + +#: ./doc/security-guide/ch026_compute.xml47(para) +msgid "" +"The nova-novncproxy and " +"nova-xvpvncproxy services by " +"default open public-facing ports that are token authenticated." +msgstr "デフォルトのオヌプンなパブリックポヌトによる nova-novncproxy サヌビスず nova-xvpvncproxy サヌビスがトヌクン認蚌されたす。" + +#. 
TODO - check if havana had this feature +#: ./doc/security-guide/ch026_compute.xml55(para) +msgid "" +"By default, the remote desktop traffic is not encrypted. Havana is expected " +"to have VNC connections secured by Kerberos." +msgstr "デフォルトで、リモヌトデスクトップの通信は暗号化されたせん。Havana は Kerberos によりセキュア化された VNC 接続を実装するこずが期埅されおいたす。" + +#: ./doc/security-guide/ch026_compute.xml61(link) +msgid "Secure Connections to VNC ports" +msgstr "VNC ポヌトぞのセキュアな接続" + +#: ./doc/security-guide/ch026_compute.xml64(title) +msgid "Simple Protocol for Independent Computing Environments (SPICE)" +msgstr "Simple Protocol for Independent Computing Environments (SPICE)" + +#: ./doc/security-guide/ch026_compute.xml65(para) +msgid "" +"As an alternative to VNC, OpenStack provides remote desktop access to guest " +"virtual machines using the Simple Protocol for Independent Computing " +"Environments (SPICE) protocol." +msgstr "VNC の代替ずしお、OpenStack は Simple Protocol for Independent Computing Environments (SPICE) プロトコルを䜿甚した、仮想マシンぞのリモヌトデスクトップアクセスを提䟛したす。" + +#: ./doc/security-guide/ch026_compute.xml69(para) +msgid "" +"SPICE is supported by the OpenStack dashboard (horizon) directly on the " +"instance web page. This requires the nova-" +"spicehtml5proxy service." +msgstr "SPICE は OpenStack Dashboard (Horizon) により盎接むンスタンスのりェブペヌゞでサポヌトされたす。これには nova-spicehtml5proxy サヌビスが必芁です。" + +#: ./doc/security-guide/ch026_compute.xml78(para) +msgid "" +"The nova command-line utility can return a URL for SPICE console for access " +"by a SPICE-html client." +msgstr "nova コマンドラむンナヌティリティは SPICE-html クラむアントによりアクセスするための SPICE コン゜ヌルの URL を返すこずができたす。" + +#: ./doc/security-guide/ch026_compute.xml83(title) +msgid "Limitations" +msgstr "制限事項" + +#: ./doc/security-guide/ch026_compute.xml85(para) +msgid "" +"Although SPICE has many advantages over VNC, the spice-html5 browser " +"integration currently doesn't really allow admins to take advantage of any " +"of the benefits. 
To take advantage of SPICE features like multi-monitor, USB" +" pass through, etc. admins are recommended to use a standalone SPICE client " +"within the Management Network." +msgstr "SPICE は VNC よりも倚くの点で優れおいたすが、珟圚 spice-html5 ブラりザヌ統合は管理者がすべおの利点を利甚するこずができたせん。マルチモニタヌ、USB パススルヌなどの SPICE 機胜の利点を利甚するためには、管理ネットワヌクの䞭でスタンドアロン SPICE クラむアントを䜿甚するこずが掚奚されたす。" + +#: ./doc/security-guide/ch026_compute.xml92(para) +msgid "" +"The nova-spicehtml5proxy service " +"by default opens public-facing ports that are token authenticated." +msgstr "nova-spicehtml5proxy サヌビスはデフォルトで、トヌクン認蚌されるパブリックポヌトをオヌプンしたす。" + +#: ./doc/security-guide/ch026_compute.xml98(para) +msgid "" +"The functionality and integration are still evolving. We will access the " +"features in the next release and make recommendations." +msgstr "機胜ず統合は進化䞭です。次のリリヌスの機胜を確認し、掚奚事項を䜜成したす。" + +#: ./doc/security-guide/ch026_compute.xml101(para) +msgid "" +"As is the case for VNC, at this time we recommend using SPICE from the " +"management network in addition to limiting use to few individuals." +msgstr "VNC の堎合のように、今のずころ数人の利甚者に制限しお管理ネットワヌクから SPICE を䜿甚するこずを掚奚したす。" + +#: ./doc/security-guide/ch026_compute.xml107(link) +msgid "SPICE Console" +msgstr "SPICE コン゜ヌル" + +#: ./doc/security-guide/ch026_compute.xml108(link) +msgid "Red Hat bug 913607" +msgstr "Red Hat bug 913607" + +#: ./doc/security-guide/ch026_compute.xml109(link) +msgid "SPICE support in RDO Grizzly" +msgstr "RDO Grizzly における SPICE のサポヌト" + +#: ./doc/security-guide/ch046_data-residency.xml8(title) +msgid "Data privacy concerns" +msgstr "デヌタプラむバシ関連" + +#: ./doc/security-guide/ch046_data-residency.xml9(para) +msgid "" +"OpenStack is designed to support multitenancy and those tenants will most " +"probably have different data requirements. As a cloud builder and operator " +"you need to ensure your OpenStack environment can address various data " +"privacy concerns and regulations. 
In this chapter we will address the " +"following topics around Data Privacy as it pertains to OpenStack " +"implementations:" +msgstr "OpenStack はマルチテナンシヌをサポヌトするよう蚭蚈されおおり、これらのテナントには、たず間違いなく異なるデヌタ芁件があるでしょう。クラりド構築者ずオペレヌタずしお、あなたは自身の OpenStack 環境が様々なデヌタプラむバシヌ関連ず芏制を扱える事を確認する必芁がありたす。OpenStack 実装に関連するので、本章ではデヌタプラむバシヌにた぀わる以䞋のトピックを扱いたす。" + +#: ./doc/security-guide/ch046_data-residency.xml19(para) +#: ./doc/security-guide/ch046_data-residency.xml26(title) +msgid "Data residency" +msgstr "デヌタの所圚" + +#: ./doc/security-guide/ch046_data-residency.xml22(para) +#: ./doc/security-guide/ch046_data-residency.xml77(title) +msgid "Data disposal" +msgstr "デヌタの凊分" + +#: ./doc/security-guide/ch046_data-residency.xml27(para) +msgid "" +"The privacy and isolation of data has consistently been cited as the primary" +" barrier to cloud adoption over the past few years. Concerns over who owns " +"data in the cloud and whether the cloud operator can be ultimately trusted " +"as a custodian of this data have been significant issues in the past." +msgstr "デヌタのプラむバシヌず分割は、ここ数幎クラりド採甚の最初の障壁ずしおずっず蚀及されおきたした。クラりド䞭でデヌタを所有するのは誰か、このデヌタの管理人ずしおクラりドオペレヌタは結局信甚できるのか吊かずいう事は、これたで重芁な問題でした。" + +#: ./doc/security-guide/ch046_data-residency.xml28(para) +msgid "" +"Numerous OpenStack services maintain data and metadata belonging to tenants " +"or reference tenant information." 
+msgstr "倚数の OpenStack サヌビス矀は、テナントやテナント情報の所圚に属するデヌタずメタデヌタを管理したす。" + +#: ./doc/security-guide/ch046_data-residency.xml29(para) +msgid "" +"Tenant data stored in an OpenStack cloud may include the following items:" +msgstr "OpenStack クラりドに保存されたテナントデヌタは以䞋の項目を含たれたす" + +#: ./doc/security-guide/ch046_data-residency.xml34(para) +msgid "Compute instance ephemeral filesystem storage" +msgstr "Compute のむンスタンスの䞀時的ファむルシステムストレヌゞ" + +#: ./doc/security-guide/ch046_data-residency.xml37(para) +msgid "Compute instance memory" +msgstr "Compute むンスタンスのメモリ" + +#: ./doc/security-guide/ch046_data-residency.xml40(para) +#: ./doc/security-guide/ch046_data-residency.xml105(para) +msgid "Block Storage volume data" +msgstr "ブロックストレヌゞボリュヌムデヌタ" + +#: ./doc/security-guide/ch046_data-residency.xml43(para) +msgid "Public keys for Compute Access" +msgstr "Comptue アクセス甚パブリックキヌ" + +#: ./doc/security-guide/ch046_data-residency.xml46(para) +msgid "Virtual Machine Images in the Image Service" +msgstr "Image Service 䞭の仮想マシンむメヌゞ" + +#: ./doc/security-guide/ch046_data-residency.xml49(para) +msgid "Machine snapshots" +msgstr "マシンのスナップショット" + +#: ./doc/security-guide/ch046_data-residency.xml52(para) +msgid "Data passed to OpenStack Compute's configuration-drive extension" +msgstr "OpenStack Compute の蚭定甚ドラむブ拡匵に枡されたデヌタ" + +#: ./doc/security-guide/ch046_data-residency.xml55(para) +msgid "" +"Metadata stored by an OpenStack cloud includes the following non-exhaustive " +"items:" +msgstr "以䞋の䞍完党な䞀芧を含む、OpenStack クラりドが保存したメタデヌタ:" + +#: ./doc/security-guide/ch046_data-residency.xml57(para) +msgid "Organization name" +msgstr "組織名" + +#: ./doc/security-guide/ch046_data-residency.xml60(para) +msgid "User's \"Real Name\"" +msgstr "ナヌザの「実名」" + +#: ./doc/security-guide/ch046_data-residency.xml63(para) +msgid "" +"Number or size of running instances, buckets, objects, volumes, and other " +"quota-related items" +msgstr "実行䞭のむンスタンスのサむズ、バケット、オブゞェクト、ボリュヌム、その他クォヌタ関連の項目" + +#: 
./doc/security-guide/ch046_data-residency.xml66(para) +msgid "Number of hours running instances or storing data" +msgstr "実行䞭のむンスタンス又は保存されたデヌタの経過時間" + +#: ./doc/security-guide/ch046_data-residency.xml69(para) +msgid "IP addresses of users" +msgstr "ナヌザの IP アドレス" + +#: ./doc/security-guide/ch046_data-residency.xml72(para) +msgid "Internally generated private keys for compute image bundling" +msgstr "Compute むメヌゞ䜜成甚に内郚で生成されたプラむベヌトキヌ" + +#: ./doc/security-guide/ch046_data-residency.xml78(para) +msgid "" +"OpenStack operators should strive to provide a certain level of tenant data " +"disposal assurance. Best practices suggest that the operator sanitize cloud " +"system media (digital and non-digital) prior to disposal, release out of " +"organization control or release for reuse. Sanitization methods should " +"implement an appropriate level of strength and integrity given the specific " +"security domain and sensitivity of the information." +msgstr "OpenStack オペレヌタは、ある䞀定レベルのテナントデヌタ砎棄保蚌が提䟛できるよう努力しなければんりたせん。ベストプラクティスは、クラりドシステムメディア (デゞタル・非デゞタル) を砎棄、組織コントロヌル倖ぞのリリヌス、再利甚の為の開攟より前にオペレヌタがメディアをクリアする事を掚奚しおいたす。メディアのクリア方法は、特定のセキュリティドメむンず情報のデリケヌトさが䞎えられた、適切なレベルの匷床ず完党性を実装すべきです。" + +#: ./doc/security-guide/ch046_data-residency.xml80(para) +msgid "" +"\"Sanitization is the process used to remove information from system media " +"such that there is reasonable assurance that the information cannot be " +"retrieved or reconstructed. 
Sanitization techniques, including clearing, " +"purging, and destroying media information, prevent the disclosure of " +"organizational information to unauthorized individuals when such media is " +"reused or released for disposal.\" [NIST Special Publication 800-53 Revision" +" 3]" +msgstr "「デヌタのサニタむズは、情報が取埗あるいは再構築できない事の合理的な保蚌が埗られるよう、システム媒䜓から情報を削陀する為に䜿甚されるプロセスです。サニタむズ技術媒䜓の情報のクリア、砎棄、砎壊を含むは、こうした媒䜓が再利甚・譲枡・砎棄された際に、組織の情報が閲芧暩限のない個人に開瀺される事を防ぎたす。」 [NIST Special Publication 800-53 Revision 3]" + +#: ./doc/security-guide/ch046_data-residency.xml82(para) +msgid "" +"General data disposal and sanitization guidelines as adopted from NIST " +"recommended security controls. Cloud operators should:" +msgstr "NIST が採甚した汎甚のデヌタ砎棄ずサニタむズのガむドラむンは、セキュリティ制埡を掚奚しおいたす。クラりドオペレヌタは以䞋のこずをすべきです。" + +#: ./doc/security-guide/ch046_data-residency.xml84(para) +msgid "Track, document and verify media sanitization and disposal actions." +msgstr "媒䜓サニタむズず砎棄行為の远跡・文曞化・怜蚌を行うこず。" + +#: ./doc/security-guide/ch046_data-residency.xml87(para) +msgid "Test sanitation equipment and procedures to verify proper performance." +msgstr "適切なパフォヌマンスを怜蚌する為、サニタむズ蚭備ず過皋の評䟡を行うこず。" + +#: ./doc/security-guide/ch046_data-residency.xml91(para) +msgid "" +"Sanitize portable, removable storage devices prior to connecting such " +"devices to the cloud infrastructure." +msgstr "持ち運び可胜なリムヌバルストレヌゞデバむスをクラりドむンフラに接続する前にサニタむズするこず。" + +#: ./doc/security-guide/ch046_data-residency.xml94(para) +msgid "Destroy cloud system media that cannot be sanitized." 
+msgstr "サニタむズできないクラりドシステム媒䜓を砎壊するこず。" + +#: ./doc/security-guide/ch046_data-residency.xml97(para) +msgid "In an OpenStack deployment you will need to address the following:" +msgstr "OpenStack デプロむでは、以䞋の事も実斜する必芁があるでしょう。" + +#: ./doc/security-guide/ch046_data-residency.xml99(para) +msgid "Secure data erasure" +msgstr "安党なデヌタの消去" + +#: ./doc/security-guide/ch046_data-residency.xml102(para) +#: ./doc/security-guide/ch046_data-residency.xml119(title) +msgid "Instance memory scrubbing" +msgstr "むンスタンスメモリの消去" + +#: ./doc/security-guide/ch046_data-residency.xml108(para) +#: ./doc/security-guide/ch046_data-residency.xml132(title) +msgid "Compute instance ephemeral storage" +msgstr "Compute むンスタンスの䞀時ストレヌゞ" + +#: ./doc/security-guide/ch046_data-residency.xml111(para) +#: ./doc/security-guide/ch046_data-residency.xml139(title) +msgid "Bare metal server sanitization" +msgstr "物理サヌバのサニタむズ" + +#: ./doc/security-guide/ch046_data-residency.xml115(title) +msgid "Data not securely erased" +msgstr "安党に消去されなかったデヌタ" + +#: ./doc/security-guide/ch046_data-residency.xml116(para) +msgid "" +"Within OpenStack some data may be deleted, but not securely erased in the " +"context of the NIST standards outlined above. This is generally applicable " +"to most or all of the above-defined metadata and information stored in the " +"database. This may be remediated with database and/or system configuration " +"for auto vacuuming and periodic free-space wiping." +msgstr "OpenStack 䞭でいく぀かのデヌタは削陀されるかも知れたせんが、䞊蚘で觊れた NIST 暙準の文脈における安党な消去ではありたせん。これは䞀般に、デヌタベヌスに保存された䞊蚘で定矩したメタデヌタず情報の倧半又は党おに圓おはたりたす。これは、デヌタベヌスずシステム蚭定のどちらか又は䞡方で、自動バキュヌムず定期的な空き領域のクリアを実斜する事で解決する事ができるかも知れたせん。" + +#: ./doc/security-guide/ch046_data-residency.xml120(para) +msgid "" +"Specific to various hypervisors is the treatment of instance memory. 
This " +"behavior is not defined in OpenStack Compute, although it is generally " +"expected of hypervisors that they will make a best effort to scrub memory " +"either upon deletion of an instance, upon creation of an instance, or both." +msgstr "様々なハむパヌバむザの特色はむンスタンスメモリの扱いにありたす。\n\nThis behavior is not defined in OpenStack Compute, although it is generally expected of hypervisors that they will make a best effort to scrub memory either upon deletion of an instance, upon creation of an instance, or both.\n\nこの挙動は OpenStack Compute で定矩されおおらず、ハむパヌバむザがむンスタンス䜜成時たたは削陀時、あるいはその䞡方においお、ベスト゚フォヌトでメモリのクリンアップを行うだろうず䞀般に考えられおいたす。" + +#: ./doc/security-guide/ch046_data-residency.xml121(para) +msgid "" +"Xen explicitly assigns dedicated memory regions to instances and scrubs data" +" upon the destruction of instances (or domains in Xen parlance). KVM depends" +" more greatly on Linux page management; A complex set of rules related to " +"KVM paging is defined in the KVM documentation." +msgstr "Xen は、専甚のメモリ範囲をむンスタンスに明確に割り圓お、むンスタンス (又は Xen の甚語でドメむン) 砎棄時にそのデヌタをクリンアップしたす。KVM はより倧いに Linux のペヌゞ管理に䟝存しおいたす。 KVM のペヌゞングに関する耇雑なルヌルセットは、KVM の文曞で定矩されおいたす。" + +#: ./doc/security-guide/ch046_data-residency.xml122(para) +msgid "" +"It is important to note that use of the Xen memory balloon feature is likely" +" to result in information disclosure. We strongly recommended to avoid use " +"of this feature." +msgstr "Xen のメモリバルヌン機胜の䜿甚は情報挏えいの結果になりかねないずいう事ぞの泚意は重芁です。" + +#: ./doc/security-guide/ch046_data-residency.xml123(para) +msgid "" +"For these and other hypervisors, we recommend referring to hypervisor-" +"specific documentation." +msgstr "これらや他のハむパヌバむザでは、ハむパヌバむザ毎のドキュメントを参照するず良いでしょう。" + +#: ./doc/security-guide/ch046_data-residency.xml126(title) +msgid "Cinder volume data" +msgstr "Cinder のボリュヌムデヌタ" + +#: ./doc/security-guide/ch046_data-residency.xml127(para) +msgid "" +"Plugins to OpenStack Block Storage will store data in a variety of ways. 
" +"Many plug-ins are specific to a vendor or technology, whereas others are " +"more DIY solutions around filesystems such as LVM or ZFS. Methods to " +"securely destroy data will vary from one plugin to another, from one " +"vendor's solution to another, and from one filesystem to another." +msgstr "OpenStack Block Storage のプラグむンは様々な方法でデヌタの保存を行いたす。倚くのプラグむンはベンダヌ又はストレヌゞ技術に特化しおいたすが、その他は LVM や ZFS ずいったファむルシステム蟺りのより手䜜りの゜リュヌションです。安党にデヌタを砎壊する方法はプラグむン毎、ベンダヌの゜リュヌション毎、ファむルシステム毎に異なるでしょう。" + +#: ./doc/security-guide/ch046_data-residency.xml128(para) +msgid "" +"Some backends such as ZFS will support copy-on-write to prevent data " +"exposure. In these cases, reads from unwritten blocks will always return " +"zero. Other backends such as LVM may not natively support this, thus the " +"Block Storage plug-in takes the responsibility to override previously " +"written blocks before handing them to users. It is important to review what " +"assurances your chosen volume backend provides and to see what mediations " +"may be available for those assurances not provided." +msgstr "ZFS のようないく぀かのバック゚ンドは、デヌタの挏掩を防ぐために copy-on-write に察応しおいたす。この堎合、ただ曞き蟌たれおいないブロックからの読み蟌みは垞にれロを返したす。LVM のような他のバック゚ンドでは copy-on-write を暙準でサポヌトしおおらず、よっお Block Storage プラグむンが以前に曞き蟌たれたブロックをナヌザがアクセスする前に䞊曞きする圹割を担いたす。あなたが遞択したボリュヌムバック゚ンドが提䟛する機胜をレビュヌし、これらの機胜が提䟛しない事に぀いおの回避策が利甚できるかを調べる事は重芁です。" + +#: ./doc/security-guide/ch046_data-residency.xml129(para) +msgid "" +"Finally, while not a feature of OpenStack, vendors and implementors may " +"choose to add or support encryption of volumes. In this case, destruction of" +" data is as simple as throwing away the key." +msgstr "最埌に、これは OpenStack の機胜ではありたせんが、ベンダヌず開発者がボリュヌムの暗号化機胜をサポヌトするか、あるいは远加可胜であるかも知れたせん。この堎合、デヌタの砎壊は単にキヌを砎棄するだけです。" + +#: ./doc/security-guide/ch046_data-residency.xml133(para) +msgid "" +"The creation and destruction of ephemeral storage will be somewhat dependent" +" on the chosen hypervisor and the OpenStack Compute plug-in." 
+msgstr "䞀時ストレヌゞの䜜成・削陀は遞択したハむパヌバむザや OpenStack Compute プラグむンに䟝存するでしょう。" + +#: ./doc/security-guide/ch046_data-residency.xml134(para) +msgid "" +"The libvirt plug-in for compute may maintain ephemeral storage directly on a" +" filesystem, or in LVM. Filesystem storage generally will not overwrite data" +" when it is removed, although there is a guarantee that dirty extents are " +"not provisioned to users." +msgstr "compute 甚の libvirt プラグむンは、ファむルシステム又は LVM 䞊の䞀時ストレヌゞを盎接管理出来たす。ファむルシステムストレヌゞは䞀般にデヌタを削陀する際に䞊曞きはしたせんが、ナヌザに察しお汚れた゚クステンドが甚意されないずいう保蚌がありたす。" + +#: ./doc/security-guide/ch046_data-residency.xml135(para) +msgid "" +"When using LVM backed ephemeral storage, which is block-based, it is " +"necessary that the OpenStack Compute software securely erases blocks to " +"prevent information disclosure. There have in the past been information " +"disclosure vulnerabilities related to improperly erased ephemeral block " +"storage devices." +msgstr "ブロックデバむスベヌスである LVM をバック゚ンドにした䞀時ストレヌゞを䜿甚する堎合、OpenStack Compute は情報挏えいを防ぐために、安党にブロックを削陀する必芁がありたす。これらには、過去においお、䞍適切な䞀時ブロックストレヌゞデバむスの削陀に関連する情報挏掩の脆匱性がありたした。" + +#: ./doc/security-guide/ch046_data-residency.xml136(para) +msgid "" +"Filesystem storage is a more secure solution for ephemeral block storage " +"devices than LVM as dirty extents cannot be provisioned to users. However, " +"it is important to be mindful that user data is not destroyed, so it is " +"suggested to encrypt the backing filesystem." +msgstr "デヌタが含たれた゚クステンドがナヌザに甚意されないので、䞀時ブロックストレヌゞデバむス甚ずしおファむルシステムストレヌゞは LVM より安党な゜リュヌションです。しかしながら、ナヌザデヌタが砎壊されない事を芚えおおく事は重芁であり、このためバック゚ンドのファむルシステムの暗号化が提案されおいたす。" + +#: ./doc/security-guide/ch046_data-residency.xml140(para) +msgid "" +"A bare metal server driver for Compute was under development and has since " +"moved into a separate project called ironic. At the time " +"of this writing, ironic does not appear to address sanitization of tenant " +"data resident the physical hardware." 
+msgstr "Compute の物理サヌバドラむバは開発䞭だったのですが、ironicず呌ばれる独立したプロゞェクトに移管される事になりたした。この文曞の執筆時点では、ironic には物理ハヌドりェア䞊にあるテナントデヌタのサニタむズ機胜はただありたせん。" + +#: ./doc/security-guide/ch046_data-residency.xml147(para) +msgid "" +"Additionally, it is possible for tenants of a bare metal system to modify " +"system firmware. TPM technology, described in , provides a solution for detecting unauthorized " +"firmware changes." +msgstr "加えお、物理マシンのテナントでは、システムファヌムりェアの修正が可胜です。で説明されおいる TPM 技術は、蚱可されおいないファヌムりェアの倉曎を怜知する解決策を提䟛したす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml8(title) +msgid "Introduction to SSL/TLS" +msgstr "SSL/TLSの導入" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml9(para) +msgid "" +"OpenStack services receive requests on behalf of users on public networks as" +" well as from other internal services over management networks. Inter-" +"service communications can also occur over public networks depending on " +"deployment and architecture choices." +msgstr "OpenStack のサヌビスは、管理ネットワヌク経由の他の内郚サヌビスからのリク゚ストず同様、パブリックネットワヌク䞊のナヌザによるリク゚ストを受信したす。サヌビス間通信は、デプロむメントずアヌキテクチャ遞択によっおはパブリックネットワヌク経由で行われる事もありたす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml10(para) +msgid "" +"While it is commonly accepted that data over public networks should be " +"secured using cryptographic measures, such as Secure Sockets Layer or " +"Transport Layer Security (SSL/TLS) protocols, it is insufficient to rely on " +"security domain separation to protect internal traffic. Using a security-in-" +"depth approach, we recommend securing all domains with SSL/TLS, including " +"the management domain services. 
It is important that should a tenant escape " +"their VM isolation and gain access to the hypervisor or host resources, " +"compromise an API endpoint, or any other service, they must not be able to " +"easily inject or capture messages, commands, or otherwise affect or control " +"management capabilities of the cloud. SSL/TLS provides the mechanisms to " +"ensure authentication, non-repudiation, confidentiality, and integrity of " +"user communications to the OpenStack services and between the OpenStack " +"services themselves." +msgstr "パブリックネット䞊のデヌタは Secure Sockets Layer や Transport Layer Security (SSL/TLS)プロトコルのような暗号化方匏を䜿甚しおセキュリティを確保すべきであるずいう事は䞀般に認識されおいる䞀方で、内郚トラフィックの保護の為セキュリティドメむン分割に䟝存する事は䞍十分です。security-in-depth アプロヌチを甚いお、管理ドメむンサヌビスを含め、SSL/TLSを甚いお党ドメむンをセキュリティ確保する事を掚奚したす。テナントがVM分割を回避しお、ハむパヌバむザヌやホストリ゜ヌスぞのアクセスを埗お、API゚ンドポむントやあらゆる他のサヌビスを劥協させる事は重倧です。テナントが容易にむンゞェクトしたり、メッセヌゞ・コマンド・その他クラりド䞊の管理機胜に圱響を䞎える又は制埡する事が出来るようにすべきではありたせん。SSL/TLS は、OpenStack サヌビスぞのナヌザ通信や OpenStack サヌビス自䜓の盞互間通信の認蚌、回避䞍胜、秘密性、完党性を確保する仕組みを提䟛したす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml11(para) +msgid "" +"Public Key Infrastructure (PKI) is a set of hardware, software, policies, " +"and procedures required to operate a secure system that provides " +"authentication, non-repudiation, confidentiality, and integrity. The core " +"components of PKI are:" +msgstr "Public Key Infrastructure (PKI)は認蚌、停蚌䞍可、秘匿性、完党性を提䟛するセキュアなシステムを運甚するために必芁ずなるハヌドりェア、゜フトりェア、ポリシヌのセットです。PKIのコアコンポヌネントは以䞋の通り。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml18(term) +msgid "End entity" +msgstr "゚ンド゚ンティティ" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml20(para) +msgid "User, process, or system that is the subject of a certificate." 
+msgstr "蚌明察象のナヌザ、プロセス、システム。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml25(term) +msgid "Certification Authority (CA)" +msgstr "認蚌局 (CA)" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml27(para) +msgid "" +"Defines certificate policies, management, and issuance of certificates." +msgstr "蚌明ポリシヌの定矩、管理、蚌明曞の発行。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml32(term) +msgid "Registration Authority (RA)" +msgstr "登録局 (RA)" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml34(para) +msgid "" +"An optional system to which a CA delegates certain management functions." +msgstr "CAが䞀定の管理機胜を委任する远加システム。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml39(term) +msgid "Repository" +msgstr "リポゞトリ" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml41(para) +msgid "" +"Where the end entity certificates and certificate revocation lists are " +"stored and looked up - sometimes referred to as the certificate bundle." +msgstr "゚ンド゚ンティティが蚌明され、蚌明曞の廃止リストが保存・参照される堎所 - 時々蚌明バンドル(Certificate bundle)ず呌ばれたす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml49(term) +msgid "Relying party" +msgstr "信頌機関" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml51(para) +msgid "The endpoint that is trusting that the CA is valid." +msgstr "CAが有効であるず蚌明する゚ンドポむント" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml56(para) +msgid "" +"PKI builds the framework on which to provide encryption algorithms, cipher " +"modes, and protocols for securing data and authentication. We strongly " +"recommend securing all services with Public Key Infrastructure (PKI), " +"including the use of SSL/TLS for API endpoints. 
It is impossible for the " +"encryption or signing of transports or messages alone to solve all these " +"problems. Hosts themselves must be secure and implement policy, namespaces, " +"and other controls to protect their private credentials and keys. However, " +"the challenges of key management and protection do not reduce the necessity " +"of these controls, or lessen their importance." +msgstr "PKIはデヌタず認蚌をセキュアにする暗号アルゎリズム、暗号モヌド(cipher mode)、プロトコルの\nフレヌムワヌクをバンドルしおいたす。API゚ンドポむントの為のSSL/TLS 䜿甚を含み、Public Key Infrastructure (PKI)を甚いお、党サヌビスをセキュアにする事をお勧めしたす。暗号化や通信路・メッセヌゞの眲名の為に、これら党おの問題を解決する事は重芁です。プラむベヌト蚌明ず鍵の保護の為、ホスト自身がセキュアで、ポリシヌ、ネヌムスペヌス、その他の制埡を実装しなければなりたせん。しかし、キヌ管理や保護のチャレンゞはこれらの制埡の必芁性を削枛したり、その重芁性を倱ったりはしたせん。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml58(title) +msgid "Certification authorities" +msgstr "認蚌局(CA)" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml59(para) +msgid "" +"Many organizations have an established Public Key Infrastructure with their " +"own certification authority (CA), certificate policies, and management for " +"which they should use to issue certificates for internal OpenStack users or " +"services. Organizations in which the public security domain is Internet " +"facing will additionally need certificates signed by a widely recognized " +"public CA. For cryptographic communications over the management network, it " +"is recommended one not use a public CA. Instead, we expect and recommend " +"most deployments deploy their own internal CA." 
+msgstr "倚くの組織には、内郚のOpenStackナヌザやサヌビス甚に蚌明曞を発行する為に䜿甚されるべき堎所甚の自身の認蚌局(CA)、蚌明ポリシヌ、管理を備えたPublic Key Infrastructure (PKI)が蚭眮されおいたす\n。加えお、パブリックセキュリティドメむンがむンタヌネットに面しおいる所の組織は、幅広く認識された公共のCAにより眲名された蚌明曞が必芁になるでしょう。管理ネットワヌク䞊の暗号化通信甚には、パブリックCAを䜿甚しない事をお勧めしたす。代わりに、倚くのデプロむでは自身の内郚CAを蚭眮しおいるず思われたすし、掚奚したす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml60(para) +msgid "" +"It is recommended that the OpenStack cloud architect consider using separate" +" PKI deployments for internal systems and customer facing services. This " +"allows the cloud deployer to maintain control of their PKI infrastructure " +"and among other things makes requesting, signing and deploying certificates " +"for internal systems easier. Advanced configurations may use separate PKI " +"deployments for different security domains. This allows deployers to " +"maintain cryptographic separation of environments, ensuring that " +"certificates issued to one are not recognised by another." +msgstr "OpenStackクラりドアヌキテクトには、内郚のシステムず顧客が接するサヌビス甚に、分断されたPKIデプロむの䜿甚を怜蚎する事をお勧めしたす。これは、クラりドをデプロむする人が他の物が内郚のシステム甚に蚌明曞を芁求・眲名・デプロむする事を容易にするPKIむンフラを制埡できるようにしたす。異なる蚭定は異なるセキュリティドメむン甚にPKIデプロむを分割䜿甚しおも構いたせん。これは、デプロむする人が環境の暗号の分断を管理できるようにし、䞀方で発行された蚌明曞が他方で認蚌されない事を保蚌したす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml61(para) +msgid "" +"Certificates used to support SSL/TLS on internet facing cloud endpoints (or " +"customer interfaces where the customer is not expected to have installed " +"anything other than standard operating system provided certificate bundles) " +"should be provisioned using Certificate Authorities that are installed in " +"the operating system certificate bundle. Typical well known vendors include " +"Verisign and Thawte but many others exist." 
+msgstr "むンタヌネットに面したクラりドの゚ンドポむント(あるいは蚌明曞をバンドルした暙準的なOS以倖の䜕かがむンストヌルされおいるず顧客が想定しおいない顧客むンタヌフェヌス)䞊のSSL/TLSに察応に䜿甚される蚌明曞はOSの蚌明曞バンドル䞭にむンストヌルされるCAを甚いおプロビゞョニングされるべきです。通垞、有名ベンダヌにはベリサむンやThawteを含みたすが、他の倚くのベンダヌもありたす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml62(para) +msgid "" +"There are many management, policy, and technical challenges around creating " +"and signing certificates as such is an area where cloud architects or " +"operators may wish to seek the advice of industry leaders and vendors in " +"addition to the guidance recommended here." +msgstr "蚌明曞の䜜成・眲名に぀いおは倚数の管理・ポリシヌ・技術的ハヌドルがあるため、蚌明曞は、\nここで掚奚されたガむドに加え、クラりドアヌキテクトや運甚者が工業リヌダヌやベンダのアドバむスを望みうる所です。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml65(title) +msgid "SSL/TLS libraries" +msgstr "SSL/TLSラむブラリ" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml66(para) +msgid "" +"Various components, services, and applications within the OpenStack " +"ecosystem or dependencies of OpenStack are implemented and can be configured" +" to use SSL/TLS libraries. The SSL/TLS and HTTP services within OpenStack " +"are typically implemented using OpenSSL which has been proven to be fairly " +"secure and has a module that has been validated for FIPS 140-2. However, " +"keep in mind that each application or service can still introduce weaknesses" +" in how they use the OpenSSL libraries." 
+msgstr "OpenStack゚コシステムやOpenStackが䟝存する様々なコンポヌネント、サヌビス、アプリケヌションはSSL/TLSラむブラリを䜿甚するよう実装され、蚭定ができるようになっおいたす。OpenStack䞭のSSL/TLSずHTTPサヌビスは通垞、非垞にセキュアである事が蚌明され、FIPS 140-2甚に怜蚌されおきたOpenSSLを䜿甚しお実装されおいたす。しかし、各アプリケヌション又はサヌビスは、OpenSSLラむブラリをどのように䜿甚するかずいう点で、未だ脆匱性を招きうるずいう事を忘れないで䞋さい。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml69(title) +msgid "Cryptographic algorithms, cipher modes, and protocols" +msgstr "暗号化アルゎリズム、暗号モヌド、プロトコル" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml70(para) +msgid "" +"We recommend only using TLS v1.1 or v1.2. SSLv3 and TLSv1.0 may be used for " +"compatibility but we recommend using caution and only enabling these " +"protocols if you have a strong requirement to do so. Other SSL/TLS versions," +" explicitly older versions, should not be used. These older versions include" +" SSLv1 and SSLv2. As this book does not intend to be a thorough reference on" +" cryptography we do not wish to be prescriptive about what specific " +"algorithms or cipher modes you should enable or disable in your OpenStack " +"services. 
However, there are some authoritative references we would like to " +"recommend for further information:" +msgstr "我々は TLS v1.1 又は v1.2 の䜿甚のみ掚奚したす。SSL v3 ず TLS v1.0 は互換性目的で䜿甚出来たすが、我々は、泚意深く、これらのプロトコルの有効化が匷い芁望ずしおある堎合にのみ有効にする事をお勧めしたす。他のSSL/TLSバヌゞョン(はっきり蚀えば叀いバヌゞョン)は䜿甚すべきではありたせん。これらの叀いバヌゞョンには SSL v1 ず v2 が含たれたす。本曞では暗号方匏の初めから終わりたでの参考曞を目指しおいない為、我々はあなたのOpenStackサヌビス䞭でどの特定アルゎリズムや暗号モヌドを有効・無効にすべきかに぀いお指図する事を望みたせん。しかしながら、今埌の情報ずしおお勧めしたい暩嚁ある参考文献がありたす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml72(link) +msgid "National Security Agency, Suite B Cryptography" +msgstr "囜家安党保障局、Suite B 暗号化" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml75(link) +msgid "OWASP Guide to Cryptography" +msgstr "OWASP Guide to Cryptography" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml78(link) +msgid "OWASP Transport Layer Protection Cheat Sheet" +msgstr "OWASP Transport Layer Protection Cheat Sheet" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml81(link) +msgid "" +"SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate " +"trust model enhancements" +msgstr "SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml84(link) +msgid "" +"The Most Dangerous Code in the World: Validating SSL Certificates in Non-" +"Browser Software" +msgstr "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml87(link) +msgid "OpenSSL and FIPS 140-2" +msgstr "OpenSSL and FIPS 140-2" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml92(title) +msgid "Summary" +msgstr "抂芁" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml93(para) +msgid "" +"Given the complexity of the 
OpenStack components and the number of " +"deployment possibilities, you must take care to ensure that each component " +"gets the appropriate configuration of SSL certificates, keys, and CAs. " +"Subsequent sections discuss the following services:" +msgstr "OpenStack コンポヌネントの耇雑さずデプロむの発展性を考慮するず、確実に各コンポヌネントがSSL蚌明曞・鍵・CAを適切に蚭定されおいる事に泚意を払う必芁がありたす。以䞋のサヌビスは、本曞の埌の章で議論したす。" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml102(para) +msgid "Compute API endpoints" +msgstr "Compute API゚ンドポむント" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml105(para) +msgid "Identity API endpoints" +msgstr "Identity API゚ンドポむント" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml108(para) +msgid "Networking API endpoints" +msgstr "Networking API゚ンドポむント" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml111(para) +msgid "Storage API endpoints" +msgstr "ストレヌゞAPI゚ンドポむント" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml114(para) +msgid "Messaging server" +msgstr "メッセヌゞングサヌバヌ" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml117(para) +msgid "Database server" +msgstr "デヌタベヌスサヌバヌ" + +#: ./doc/security-guide/ch017_threat-models-confidence-and-confidentiality.xml123(para) +msgid "" +"This guide uses the term SSL as a shorthand to refer to these " +"recommendations for SSL/TLS protocols." +msgstr "このガむドは、SSL/TLSプロトコルに関する掚奚を瀺す略称ずしお、SSL ずいう蚀葉を䜿甚したす。" + +#: ./doc/security-guide/ch009_case-studies.xml8(title) +msgid "Case studies: system documentation" +msgstr "ケヌススタディ: システムのドキュメント" + +#: ./doc/security-guide/ch009_case-studies.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address their system " +"documentation requirements. The documentation suggested above includes " +"hardware and software records, network diagrams, and system configuration " +"details." 
+msgstr "今回のケヌススタディでは、アリスずボブがシステムの文曞芁件にどのように察凊しおいくか芋おいきたす。䞊蚘で述べた文曞には、ハヌドりェアおよび゜フトりェアの蚘録、ネットワヌク図、システム蚭定の詳现などが含たれたす。" + +#: ./doc/security-guide/ch009_case-studies.xml12(para) +msgid "" +"Alice needs detailed documentation to satisfy FedRamp requirements. She sets" +" up a configuration management database (CMDB) to store information " +"regarding all of the hardware, firmware, and software versions used " +"throughout the cloud. She also creates a network diagram detailing the cloud" +" architecture, paying careful attention to the security domains and the " +"services that span multiple security domains." +msgstr "アリスは、FedRam 芁件を満たす詳现文曞が必芁です。構成管理デヌタベヌス (CMDB) を蚭定しお、クラりド党䜓で䜿甚されるハヌドりェア、ファヌムりェア、゜フトりェアバヌゞョンの情報を栌玍しおいきたす。たた、セキュリティドメむンや、耇数のセキュリティドメむンにたたがるサヌビスに现心の泚意を払い、クラりドアヌキテクチャヌの詳现を瀺したネットワヌク図も䜜成したす。" + +#: ./doc/security-guide/ch009_case-studies.xml13(para) +msgid "" +"Alice also needs to record each network service running in the cloud, what " +"interfaces and ports it binds to, the security domains for each service, and" +" why the service is needed. Alice decides to build automated tools to log " +"into each system in the cloud over secure shell (SSH) using the Python Fabric library. The tools collect " +"and store the information in the CMDB, which simplifies the audit process." +msgstr "アリスは、クラりドで実行䞭の各ネットワヌクサヌビス、バむンド先のむンタヌフェヌスやポヌト、各サヌビスに察するセキュリティドメむン、そのサヌビスが必芁な理由を蚘録する必芁がありたす。 Python Fabric ラむブラリを䜿甚しお、セキュアシェル (SSH) でクラりド内の各システムにログむンする自動化ツヌルを構築するこずにしたした。このツヌルは、CMDB の情報を収集・栌玍しお監査プロセスを簡玠化したす。" + +#: ./doc/security-guide/ch009_case-studies.xml17(para) +msgid "In this case, Bob will approach these steps the same as Alice." +msgstr "今回のケヌススタディでは、ボブはアリスず同様の手段を取りたす。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. 
+#: ./doc/security-guide/ch031_neutron-architecture.xml87(None) +#: ./doc/security-guide/ch031_neutron-architecture.xml92(None) +msgid "" +"@@image: 'static/sdn-connections.png'; md5=1de9169834b34c83f574f2a1225b27f0" +msgstr "@@image: 'static/sdn-connections.png'; md5=1de9169834b34c83f574f2a1225b27f0" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch031_neutron-architecture.xml109(None) +#: ./doc/security-guide/ch031_neutron-architecture.xml114(None) +msgid "" +"@@image: 'static/1aa-network-domains-diagram.png'; " +"md5=135806775939d9e5e750264d8a5fe8de" +msgstr "@@image: 'static/1aa-network-domains-diagram.png'; md5=135806775939d9e5e750264d8a5fe8de" + +#: ./doc/security-guide/ch031_neutron-architecture.xml8(title) +msgid "Networking architecture" +msgstr "Networking アヌキテクチャ" + +#: ./doc/security-guide/ch031_neutron-architecture.xml9(para) +msgid "" +"OpenStack Networking is a standalone service that often deploys several " +"processes across a number of nodes. These processes interact with each other" +" and other OpenStack services. The main process of the OpenStack Networking " +"service is neutron-server, a " +"Python daemon that exposes the OpenStack Networking API and passes tenant " +"requests to a suite of plug-ins for additional processing." 
+msgstr "OpenStack Networking は倚数ノヌド間においお幟぀かのプロセスのデプロむにしばしば含たれる独立サヌビスです。OpenStack Networking サヌビスのメむンプロセスは neutron-server で、これは OpenStack Networking API を提䟛し、远加凊理甚の適切なプラグむンにテナントのリク゚ストを枡したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml17(para) +msgid "The OpenStack Networking components are:" +msgstr "OpenStack Networking のコンポヌネントは以䞋のずおりです。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml21(term) +msgid "" +"neutron server (neutron-server " +"and neutron-*-plugin)" +msgstr "neutron サヌバヌ (neutron-server、neutron-*-plugin)" + +#: ./doc/security-guide/ch031_neutron-architecture.xml25(para) +msgid "" +"This service runs on the network node to service the Networking API and its " +"extensions. It also enforces the network model and IP addressing of each " +"port. The neutron-server and plugin agents require access to a database for " +"persistent storage and access to a message queue for inter-communication." +msgstr "このサヌビスはネットワヌクノヌド䞊で実行され、Networking API ずその拡匵を提䟛したす。これはたた、各ポヌトのネットワヌクモデルず IP アドレスを管理したす。neutron-server ずプラグむン゚ヌゞェントは、氞続ストレヌゞ甚のデヌタベヌスぞのアクセスず、内郚通信甚のメッセヌゞキュヌぞのアクセスを芁求したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml35(term) +msgid "plugin agent (neutron-*-agent)" +msgstr "プラグむン゚ヌゞェント (neutron-*-agent)" + +#: ./doc/security-guide/ch031_neutron-architecture.xml38(para) +msgid "" +"Runs on each compute node to manage local virtual switch (vswitch) " +"configuration. The plug-in that you use determine which agents run. This " +"service requires message queue access. Optional depending on " +"plugin." +msgstr "ロヌカルの仮想スむッチvswitch蚭定を管理する為に各 compute ノヌド䞊で実行されたす。䜿甚するプラグむンにより、どの゚ヌゞェントを実行するか決たりたす。このサヌビスはメッセヌゞキュヌぞのアクセスを必芁ずしたす。オプションのプラグむンに䟝存したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml46(term) +msgid "DHCP agent (neutron-dhcp-agent)" +msgstr "DHCP ゚ヌゞェント (neutron-dhcp-agent)" + +#: ./doc/security-guide/ch031_neutron-architecture.xml49(para) +msgid "" +"Provides DHCP services to tenant networks. 
This agent is the same across all" +" plug-ins and is responsible for maintaining DHCP configuration. The " +"neutron-dhcp-agent requires " +"message queue access." +msgstr "テナントネットワヌクに DHCP サヌビスを提䟛したす。この゚ヌゞェントは党おのプラグむンず同様で、DHCP 蚭定の管理を担圓したす。neutron-dhcp-agent はメッセヌゞキュヌアクセスが必芁です。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml58(term) +msgid "L3 agent (neutron-l3-agent)" +msgstr "L3 ゚ヌゞェント (neutron-l3-agent)" + +#: ./doc/security-guide/ch031_neutron-architecture.xml61(para) +msgid "" +"Provides L3/NAT forwarding for external network access of VMs on tenant " +"networks. Requires message queue access. Optional depending on " +"plug-in." +msgstr "テナントネットワヌク䞊の VM においお倖郚ネットワヌク甚 L3/NAT 転送を提䟛したす。メッセヌゞキュヌが必芁です。プラグむン次第では別の物が必芁になりたす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml69(term) +msgid "network provider services (SDN server/services)" +msgstr "ネットワヌクプロバむダヌサヌビス (SDN サヌバヌ/サヌビス)" + +#: ./doc/security-guide/ch031_neutron-architecture.xml71(para) +msgid "" +"Provide additional networking services to tenant networks. These SDN " +"services might interact with the neutron-" +"server, neutron-" +"plugin, and/or plugin-agents through REST APIs or other " +"communication channels." 
+msgstr "テナントネットワヌクを提䟛する远加のネットワヌクサヌビスを提䟛したす。これらの SDN サヌビスは REST API 又は他の通信チャネルを介しお、neutron-server、neutron-plugin、プラグむン゚ヌゞェントず亀信するかも知れたせん。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml81(para) +msgid "" +"The following figure shows an architectural and networking flow diagram of " +"the OpenStack Networking components:" +msgstr "以䞋の図は OpenStack Networking コンポヌネント矀の構造・ネットワヌクフロヌダむアグラムを瀺しおいたす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml97(title) +msgid "OpenStack Networking service placement on physical servers" +msgstr "OpenStack Networking の配眮ず物理サヌビス" + +#: ./doc/security-guide/ch031_neutron-architecture.xml98(para) +msgid "" +"This guide focuses on a standard architecture that includes a " +"cloud controller host, a network " +"host, and a set of compute hypervisors for running VMs." +msgstr "このガむドは、クラりドコントロヌラホスト台、ネットワヌクホスト台、VMを実行するcomputeハむパヌバむザヌの集合を含む暙準的なアヌキテクチャにフォヌカスしたす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml105(title) +msgid "Network connectivity of physical servers" +msgstr "物理サヌバのネットワヌク接続性" + +#: ./doc/security-guide/ch031_neutron-architecture.xml118(para) +msgid "" +"A standard OpenStack Networking setup has up to four distinct physical data " +"center networks:" +msgstr "暙準的な OpenStack Networking セットアップは最倧぀の物理デヌタセンタヌネットワヌクがありたす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml122(term) +msgid "Management network" +msgstr "管理ネットワヌク" + +#: ./doc/security-guide/ch031_neutron-architecture.xml124(para) +msgid "" +"Used for internal communication between OpenStack Components. The IP " +"addresses on this network should be reachable only within the data center " +"and is considered the Management Security Domain." 
+msgstr "OpenStack コンポヌネント間の内郚通信に䜿甚されたす。このネットワヌクの IP アドレスはデヌタセンタヌ内でのみ到達可胜であるべきです。管理セキュリティドメむンで怜蚎したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml132(term) +msgid "Guest network" +msgstr "ゲストネットワヌク" + +#: ./doc/security-guide/ch031_neutron-architecture.xml134(para) +msgid "" +"Used for VM data communication within the cloud deployment. The IP " +"addressing requirements of this network depend on the OpenStack Networking " +"plug-in in use and the network configuration choices of the virtual networks" +" made by the tenant. This network is considered the Guest Security Domain." +msgstr "クラりドデプロむ䞭の VM デヌタ通信に䜿甚されたす。このネットワヌクの IP アドレス芁件は、䜿甚䞭の OpenStack Networking プラグむンずテナントにより䜜成される仮想ネットワヌクのネットワヌク蚭定の遞定に䟝存したす。このネットワヌクはゲストセキュリティドメむンで怜蚎したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml144(term) +msgid "External network" +msgstr "倖郚ネットワヌク" + +#: ./doc/security-guide/ch031_neutron-architecture.xml146(para) +msgid "" +"Used to provide VMs with Internet access in some deployment scenarios. The " +"IP addresses on this network should be reachable by anyone on the Internet " +"and is considered to be in the Public Security Domain." +msgstr "幟぀かのデプロむシナリオ䞭のむンタヌネットアクセスを持぀VMを提䟛する為に䜿甚されたす。このネットワヌク䞊の IP アドレスはむンタヌネット䞊の誰もが通信可胜です。パブリックセキュリティドメむンで怜蚎したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml154(term) +msgid "API network" +msgstr "API ネットワヌク" + +#: ./doc/security-guide/ch031_neutron-architecture.xml156(para) +msgid "" +"Exposes all OpenStack APIs, including the OpenStack Networking API, to " +"tenants. The IP addresses on this network should be reachable by anyone on " +"the Internet. This may be the same network as the external network, as it is" +" possible to create a subnet for the external network that uses IP " +"allocation ranges to use only less than the full range of IP addresses in an" +" IP block. This network is considered the Public Security Domain." 
+msgstr "テナントに OpenStack Networking API を含む党 OpenStack API を晒したす。このネットワヌク䞊の IP アドレスはむンタヌネット䞊の誰もがアクセス可胜であるべきです。これは倖郚ネットワヌクず同じネットワヌクであっおも構いたせん。倖郚ネットワヌク甚に、IP ブロック䞭の党 IP アドレス範囲より少ない郚分を䜿う為の IP 割圓範囲を䜿甚するサブネットを䜜成する事が出来るからです。このネットワヌクはパブロックセキュリティドメむンで怜蚎したす。" + +#: ./doc/security-guide/ch031_neutron-architecture.xml169(para) +msgid "" +"For additional information see the Networking chapter in" +" the OpenStack Cloud Administrator Guide." +msgstr "曎なる情報は、OpenStack Cloud Administrator Guide 䞭の Networking の章を参照しお䞋さい。" + +#: ./doc/security-guide/ch011_management-introduction.xml8(title) +msgid "Management introduction" +msgstr "管理の抂芁" + +#: ./doc/security-guide/ch011_management-introduction.xml9(para) +msgid "" +"A cloud deployment is a living system. Machines age and fail, software " +"becomes outdated, vulnerabilities are discovered. When errors or omissions " +"are made in configuration, or when software fixes must be applied, these " +"changes must be made in a secure, but convenient, fashion. These changes are" +" typically solved through configuration management." +msgstr "クラりドデプロむメントは生きおいるシステムです。機械は老朜化しお障害が発生し、゜フトりェアは叀くなり、脆匱性が発芋されたす。蚭定に゚ラヌや抜けがあった堎合、゜フトりェアの修正を適甚する必芁が出た堎合、セキュアか぀利䟿的に、これらの倉曎を加える必芁がありたす。通垞、これらの倉曎は構成管理などで解決されたす。" + +#: ./doc/security-guide/ch011_management-introduction.xml10(para) +msgid "" +"Likewise, it is important to protect the cloud deployment from being " +"configured or manipulated by malicious entities. With many systems in a " +"cloud employing compute and networking virtualization, there are distinct " +"challenges applicable to OpenStack which must be addressed through integrity" +" lifecycle management." +msgstr "同様に、悪意のある組織により蚭定たたは操䜜されないように、クラりドデプロむメントを保護するこずが重芁です。コンピュヌトやネットワヌクの仮想化を採甚するクラりド内の倚くのシステムでは、OpenStack に適甚される問題が明らかに存圚し、敎合性のラむフサむクル管理で察応しおいく必芁がありたす。" + +#: ./doc/security-guide/ch011_management-introduction.xml11(para) +msgid "" +"Finally, administrators must perform command and control over the cloud for " +"various operational functions. 
It is important these command and control " +"facilities are understood and secured." +msgstr "最埌に、管理者は様々なオペレヌション機胜に察しおクラりド䞊で指揮統制を行う必芁がありたす。これらの指揮統制機胜を理解、確保するこずが重芁です。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch042_database-overview.xml18(None) +#: ./doc/security-guide/ch042_database-overview.xml21(None) +msgid "" +"@@image: 'static/databaseusername.png'; md5=a6a5dadedbc1517069ca388c7ac5940a" +msgstr "@@image: 'static/databaseusername.png'; md5=a6a5dadedbc1517069ca388c7ac5940a" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch042_database-overview.xml42(None) +#: ./doc/security-guide/ch042_database-overview.xml45(None) +msgid "" +"@@image: 'static/databaseusernamessl.png'; " +"md5=9c43242c47eb159b6f61ac41f3d8bced" +msgstr "@@image: 'static/databaseusernamessl.png'; md5=9c43242c47eb159b6f61ac41f3d8bced" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch042_database-overview.xml104(None) +#: ./doc/security-guide/ch042_database-overview.xml107(None) +msgid "" +"@@image: 'static/novaconductor.png'; md5=dbc1ba139bd1af333f0415bb48704843" +msgstr "@@image: 'static/novaconductor.png'; md5=dbc1ba139bd1af333f0415bb48704843" + +#: ./doc/security-guide/ch042_database-overview.xml8(title) +msgid "Database access control" +msgstr "デヌタベヌスアクセス制埡" + +#: ./doc/security-guide/ch042_database-overview.xml9(para) +msgid "" +"Each of the core OpenStack services (Compute, Identity, Networking, Block " +"Storage) store state and configuration information in databases. In this " +"chapter, we discuss how databases are used currently in OpenStack. 
We also " +"explore security concerns, and the security ramifications of database " +"backend choices." +msgstr "それぞれの OpenStack コアサヌビス (Compute, Identity, Networking, Block Storage) は、状態や蚭定に関する情報をデヌタベヌスに保存したす。本章では、デヌタベヌスが珟圚 OpenStack でどのように䜿甚されおいるのかを議論したす。セキュリティの考慮事項、デヌタベヌスバック゚ンドの遞択によるセキュリティぞの圱響に぀いおも説明したす。" + +#: ./doc/security-guide/ch042_database-overview.xml11(title) +msgid "OpenStack database access model" +msgstr "OpenStack デヌタベヌスアクセスモデル" + +#: ./doc/security-guide/ch042_database-overview.xml12(para) +msgid "" +"All of the services within an OpenStack project access a single database. " +"There are presently no reference policies for creating table or row based " +"access restrictions to the database." +msgstr "OpenStack プロゞェクトの䞭にあるすべおのサヌビスは単䞀のデヌタベヌスにアクセスしたす。デヌタベヌスぞのテヌブルの䜜成や行単䜍のアクセス制限に関する明確なポリシヌは今のずころありたせん。" + +#: ./doc/security-guide/ch042_database-overview.xml13(para) +msgid "" +"There are no general provisions for granular control of database operations " +"in OpenStack. Access and privileges are granted simply based on whether a " +"node has access to the database or not. In this scenario, nodes with access " +"to the database may have full privileges to DROP, INSERT, or UPDATE " +"functions." +msgstr "OpenStack には、デヌタベヌス操䜜の詳现な制埡に関する䞀般的な決たりがありたせん。アクセス暩ず暩限は単にノヌドがデヌタベヌスにアクセスするかしないかに基づいお䞎えられたす。このシナリオでは、デヌタベヌスにアクセスするノヌドは、DROP、INSERT、UPDATE 関数の完党な暩限を持っおいるでしょう。" + +#: ./doc/security-guide/ch042_database-overview.xml15(title) +msgid "Granular access control" +msgstr "粟现なアクセス制埡" + +#: ./doc/security-guide/ch042_database-overview.xml16(para) +msgid "" +"By default, each of the OpenStack services and their processes access the " +"database using a shared set of credentials. This makes auditing database " +"operations and revoking access privileges from a service and its processes " +"to the database particularly difficult." 
+msgstr "OpenStack の各サヌビスずそれらのプロセスはデフォルトで、共有クレデンシャルを䜿甚しおデヌタベヌスにアクセスしたす。これにより、デヌタベヌス操䜜の監査および、サヌビスずそのプロセスからデヌタベヌスぞのアクセス暩の剥奪が特に難しくなりたす。" + +#: ./doc/security-guide/ch042_database-overview.xml26(title) +#: ./doc/security-guide/ch042_database-overview.xml99(title) +msgid "Nova-conductor" +msgstr "Nova-conductor" + +#: ./doc/security-guide/ch042_database-overview.xml27(para) +msgid "" +"The compute nodes are the least trusted of the services in OpenStack because" +" they host tenant instances. The nova-" +"conductor service has been introduced to serve as a database " +"proxy, acting as an intermediary between the compute nodes and the database." +" We discuss its ramifications later in this chapter." +msgstr "コンピュヌトノヌドは、プロゞェクトのむンスタンスをホストするため、OpenStack で最も信頌できないサヌビスです。nova-conductor サヌビスは、コンピュヌトノヌドずデヌタベヌスの䞭継圹ずしお動䜜する、デヌタベヌスプロキシずしお凊理するために導入されたした。その結果に぀いお本章で埌ほど議論したす。" + +#: ./doc/security-guide/ch042_database-overview.xml28(para) +msgid "We strongly recommend:" +msgstr "以䞋の事項を匷く掚奚したす。" + +#: ./doc/security-guide/ch042_database-overview.xml30(para) +msgid "All database communications be isolated to a management network" +msgstr "すべおのデヌタベヌス通信の管理ネットワヌクぞの分離" + +#: ./doc/security-guide/ch042_database-overview.xml33(para) +msgid "Securing communications using SSL" +msgstr "SSL を䜿甚したセキュア通信" + +#: ./doc/security-guide/ch042_database-overview.xml36(para) +msgid "" +"Creating unique database user accounts per OpenStack service endpoint " +"(illustrated below)" +msgstr "OpenStack サヌビスの゚ンドポむントごずに䞀意なデヌタベヌスナヌザヌアカりントの䜜成 (䞋図)" + +#: ./doc/security-guide/ch042_database-overview.xml52(title) +msgid "Database authentication and access control" +msgstr "デヌタベヌスの認蚌ずアクセス制埡" + +#: ./doc/security-guide/ch042_database-overview.xml53(para) +msgid "" +"Given the risks around access to the database, we strongly recommend that " +"unique database user accounts be created per node needing access to the " +"database. 
Doing this facilitates better analysis and auditing for ensuring " +"compliance or in the event of a compromise of a node allows you to isolate " +"the compromised host by removing access for that node to the database upon " +"detection. When creating these per service endpoint database user accounts, " +"care should be taken to ensure that they are configured to require SSL. " +"Alternatively, for increased security it is recommended that the database " +"accounts be configured using X.509 certificate authentication in addition to" +" usernames and passwords." +msgstr "デヌタベヌスにアクセスする蟺りにリスクがあるため、デヌタベヌスにアクセスする必芁があるノヌドごずに䞀意なデヌタベヌスナヌザヌアカりントを䜜成するこずを匷く掚奚したす。この機胜を実行するこずにより、コンプラむアンスを保蚌するため、たたはノヌドのセキュリティ被害にあった際に分析および監査をより良くできたす。たた、怜知した際に被害にあったノヌドからデヌタベヌスぞのアクセス暩を削陀するこずにより、被害にあったホストを分離できたす。サヌビスの゚ンドポむントのデヌタベヌスナヌザヌアカりントごずにこれらを䜜成するずき、これらに SSL を芁求するよう確実に蚭定するこずに泚意しおください。代わりに、セキュリティを向䞊させるために、デヌタベヌスアカりントがナヌザヌ名ずパスワヌドに加えお X.509 蚌明曞認蚌を䜿甚するよう蚭定するこずを掚奚したす。" + +#: ./doc/security-guide/ch042_database-overview.xml55(title) +msgid "Privileges" +msgstr "暩限" + +#: ./doc/security-guide/ch042_database-overview.xml56(para) +msgid "" +"A separate database administrator (DBA) account should be created and " +"protected that has full privileges to create/drop databases, create user " +"accounts, and update user privileges. This simple means of separation of " +"responsibility helps prevent accidental misconfiguration, lowers risk and " +"lowers scope of compromise." +msgstr "デヌタベヌスの䜜成ず削陀、ナヌザヌアカりントの䜜成、ナヌザヌの暩限の曎新に関する完党な暩限を持぀、別々のデヌタベヌス管理者 (DBA) アカりントが䜜成され、保護されるべきです。これは、䞍泚意な蚭定ミスを防ぎ、リスクを枛らし、被害の範囲を小さくする、責任の分離を実珟する簡単な方法です。" + +#: ./doc/security-guide/ch042_database-overview.xml57(para) +msgid "" +"The database user accounts created for the OpenStack services and for each " +"node should have privileges limited to just the database relevant to the " +"service where the node is a member." 
+msgstr "デヌタベヌスナヌザヌアカりントは OpenStack サヌビスのために䜜成され、ノヌドがメンバヌであるサヌビスに関連するデヌタベヌスだけに制限された暩限を持぀各ノヌドのために䜜成されたす。" + +#: ./doc/security-guide/ch042_database-overview.xml61(title) +msgid "Require user accounts to require SSL transport" +msgstr "SSL 通信利甚のための必須ナヌザヌアカりント" + +#: ./doc/security-guide/ch042_database-overview.xml63(title) +#: ./doc/security-guide/ch042_database-overview.xml81(title) +msgid "Configuration example #1: (MySQL)" +msgstr "蚭定䟋 #1: (MySQL)" + +#: ./doc/security-guide/ch042_database-overview.xml67(title) +#: ./doc/security-guide/ch042_database-overview.xml87(title) +msgid "Configuration example #2: (PostgreSQL)" +msgstr "蚭定䟋 #2: (PostgreSQL)" + +#: ./doc/security-guide/ch042_database-overview.xml68(para) +msgid "In file pg_hba.conf:" +msgstr "pg_hba.conf ファむル:" + +#: ./doc/security-guide/ch042_database-overview.xml70(para) +msgid "" +"Note this command only adds the ability to communicate over SSL and is non-" +"exclusive. Other access methods that may allow unencrypted transport should " +"be disabled so that SSL is the sole access method." +msgstr "このコマンドは SSL 経由で通信する機胜を远加するのみであり、排他的ではないこずに泚意しおください。SSL を唯䞀のアクセス方法にするために、暗号化されおいない通信を蚱可するかもしれない他のアクセス方法は無効化されるべきです。" + +#: ./doc/security-guide/ch042_database-overview.xml71(para) +msgid "" +"The md5 parameter defines the authentication method as a " +"hashed password. We provide a secure authentication example in the section " +"below." +msgstr "md5 パラメヌタヌは認蚌方匏をハッシュ化パスワヌドずしお定矩したす。以䞋のセクションでセキュアな認蚌䟋を提䟛したす。" + +#: ./doc/security-guide/ch042_database-overview.xml78(title) +msgid "Authentication with X.509 certificates" +msgstr "X.509 蚌明曞を甚いた認蚌" + +#: ./doc/security-guide/ch042_database-overview.xml79(para) +msgid "" +"Security may be enhanced by requiring X.509 client certificates for " +"authentication. Authenticating to the database in this manner provides " +"greater identity assurance of the client making the connection to the " +"database and ensures that the communications are encrypted." 
+msgstr "認蚌に X.509 クラむアント蚌明曞を芁求するこずにより、セキュリティを向䞊させられるかもしれたせん。この方法でデヌタベヌスに認蚌するこずにより、デヌタベヌスに接続しおいるクラむアントの ID 確認をより匷力にでき、通信が確実に暗号化されたす。" + +#: ./doc/security-guide/ch042_database-overview.xml92(title) +msgid "OpenStack service database configuration" +msgstr "OpenStack サヌビスのデヌタベヌス蚭定" + +#: ./doc/security-guide/ch042_database-overview.xml93(para) +msgid "" +"If your database server is configured to require X.509 certificates for " +"authentication you will need to specify the appropriate SQLAlchemy query " +"parameters for the database backend. These parameters specify the " +"certificate, private key, and certificate authority information for use with" +" the initial connection string." +msgstr "お䜿いのデヌタベヌスサヌバヌが認蚌に X.509 蚌明曞を芁求するよう蚭定しおいる堎合、デヌタベヌスバック゚ンドのために適切な SQLAlchemy ク゚リヌパラメヌタヌを指定する必芁がありたす。これらのパラメヌタヌは初期接続文字列に甚いる蚌明曞、秘密鍵、認蚌局の情報を指定したす。" + +#: ./doc/security-guide/ch042_database-overview.xml94(para) +msgid "" +"Example of an :sql_connection string for X.509 " +"certificate authentication to MySQL:" +msgstr "MySQL ぞの X.509 蚌明曞認蚌の :sql_connection 文字列の䟋:" + +#: ./doc/security-guide/ch042_database-overview.xml100(para) +msgid "" +"OpenStack Compute offers a sub-service called nova-conductor which proxies database connections, with the " +"primary purpose of having the nova compute nodes interfacing with " +"nova-conductor to meet data " +"persistence needs as opposed to directly communicating with the database." +msgstr "OpenStack Compute は nova-conductor ずいうサブサヌビスを提䟛したす。これは、nova-conductor ず盎接接する nova コンピュヌトノヌドがデヌタ氞続性の芁求を満たすこずを䞻目的ずしお、それらがデヌタベヌスず盎接通信する代わりにデヌタベヌス接続を䞭継したす。" + +#: ./doc/security-guide/ch042_database-overview.xml101(para) +msgid "" +"Nova-conductor receives requests over RPC and performs actions on behalf of " +"the calling service without granting granular access to the database, its " +"tables, or data within. Nova-conductor essentially abstracts direct database" +" access away from compute nodes." 
+msgstr "Nova-conductor は RPC 経由でリク゚ストを受信したす。そしお、デヌタベヌス、テヌブル、デヌタぞの粟现なアクセス暩なしでサヌビスを呌び出す動䜜を実行したす。Nova-conductor は本質的にコンピュヌトノヌドがデヌタベヌスに盎接アクセスするこずを抜象化したす。" + +#: ./doc/security-guide/ch042_database-overview.xml102(para) +msgid "" +"This abstraction offers the advantage of restricting services to executing " +"methods with parameters, similar to stored procedures, preventing a large " +"number of systems from directly accessing or modifying database data. This " +"is accomplished without having these procedures stored or executed within " +"the context or scope of the database itself, a frequent criticism of typical" +" stored procedures." +msgstr "この抜象化は、サヌビスがパラメヌタヌ、ストアドプロシヌゞャヌのようなものを甚いたメ゜ッドの実行を制限し、数倚くのシステムがデヌタベヌスのデヌタに盎接アクセスしたり倉曎したりするこずを防ぐずいう利点を提䟛したす。これは、䞀般的なストアドプロシヌゞャヌずいう頻繁に批刀される、デヌタベヌス自䜓の文脈や範囲の䞭で、これらの手順を保存しお実行するこずなく実珟されたす。" + +#: ./doc/security-guide/ch042_database-overview.xml110(para) +msgid "" +"Unfortunately, this solution complicates the task of more fine-grained " +"access control and the ability to audit data access. Because the nova-conductor service receives requests " +"over RPC, it highlights the importance of improving the security of " +"messaging. Any node with access to the message queue may execute these " +"methods provided by the nova-" +"conductor and effectively modifying the database." +msgstr "残念なこずに、この゜リュヌションはより詳现なアクセス制埡ずデヌタアクセスの監査機胜を耇雑にしたす。nova-conductor サヌビスは RPC 経由でリク゚ストを受信するため、メッセヌゞングのセキュリティを改善する重芁性を匷調させたす。メッセヌゞキュヌにアクセスするすべおのノヌドは、nova-conductor により提䟛されるこれらの方匏を実行し、デヌタベヌスを効率的に倉曎するかもしれたせん。" + +#: ./doc/security-guide/ch042_database-overview.xml111(para) +msgid "" +"Finally, it should be noted that as of the Grizzly release, gaps exist where" +" nova-conductor is not used " +"throughout OpenStack Compute. Depending on one's configuration, the use of " +"nova-conductor may not allow " +"deployers to avoid the necessity of providing database GRANTs to individual " +"compute host systems." 
+msgstr "最埌に、Grizzly リリヌス時点では、nova-conductor が OpenStack Compute 党䜓で䜿甚されないずいうギャップが存圚するこずに泚意しおください。その蚭定に䟝存しお、nova-conductor を䜿甚しおも、導入者が個々のコンピュヌトホストにデヌタベヌスの暩限を䞎える必芁性を避けられないかもしれたせん。" + +#: ./doc/security-guide/ch042_database-overview.xml112(para) +msgid "" +"Note, as nova-conductor only " +"applies to OpenStack Compute, direct database access from compute hosts may " +"still be necessary for the operation of other OpenStack components such as " +"Telemetry (ceilometer), Networking, and Block Storage." +msgstr "nova-conductor は OpenStack Compute のみに適甚されるので、Telemetry (ceilometer)、Networking、Block Storage のような他の OpenStack コンポヌネントの動䜜のために、コンピュヌトホストから盎接デヌタベヌスにアクセスする必芁があるかもしれないこずに泚意しおください。" + +#: ./doc/security-guide/ch042_database-overview.xml118(para) +msgid "" +"Implementors should weigh the benefits and risks of both configurations " +"before enabling or disabling the nova-" +"conductor service. We are not yet prepared to recommend the use" +" of nova-conductor in the Grizzly" +" release. However, we do believe that this recommendation will change as " +"additional features are added into OpenStack." +msgstr "導入者は nova-conductor を有効化たたは無効化する前に䞡方の蚭定の利点ずリスクを比范怜蚎すべきです。Grizzly リリヌスでは nova-conductor の利甚を掚奚する準備ができおいたせん。しかしながら、远加の機胜が OpenStack にもたらされるので、この掚奚に぀いお倉曎されるず確信しおいたす。" + +#: ./doc/security-guide/ch042_database-overview.xml119(para) +msgid "" +"To disable the nova-conductor, " +"place the following into your nova.conf file (on your " +"compute hosts):" +msgstr "nova-conductor を無効化するために、以䞋の事項を (コンピュヌトホストの) nova.conf ファむルに蚘入したす。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml8(title) +msgid "Case studies: tenant data" +msgstr "ケヌススタディ: テナントデヌタ" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml9(para) +msgid "" +"Returning to Alice and Bob, we will use this section to dive into their " +"particular tenant data privacy requirements. 
Specifically, we will look into" +" how Alice and Bob both handle tenant data, data destruction, and data " +"encryption." +msgstr "アリスずボブの話に戻るず、このセクションでは、圌らの特定のテナントのデヌタのプラむバシヌ芁件に぀いおより詳现に説明したす。具䜓的には、アリスずボブの䞡者がテナントのデヌタ、デヌタの砎壊、デヌタの暗号化をどのように察凊するかを芋おみたす。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml18(para) +msgid "" +"As stated during the introduction to Alice's case study, data protection is " +"of an extremely high priority. She needs to ensure that a compromise of one " +"tenant's data does not cause loss of other tenant data. She also has strong " +"regulator requirements that require documentation of data destruction " +"activities. Alice does this using the following:" +msgstr "アリスのケヌススタディで説明したように、デヌタ保護は非垞に重芁です。アリスは、あるテナントのデヌタの情報挏掩が、他のテナントデヌタの損害を匕き起こさないように、保蚌するこずが必芁です。アリスはたた、デヌタ砎壊の文曞化を必芁ずする匷い芏制䞊の芁件を持っおいたす。アリスは、以䞋の方法でこれを提䟛したす" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml28(para) +msgid "" +"Establishing procedures to sanitize tenant data when a program or project " +"ends." +msgstr "プログラムやプロゞェクトが終了する際に、奜たしくないテナントデヌタを削陀するための手順を確立するこず。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml32(para) +msgid "" +"Track the destruction of both the tenant data and metadata through ticketing" +" in a CMDB." +msgstr "CMDBのチケット発行を䜿甚しお、顧客デヌタずメタデヌタの䞡方の砎壊を远跡する。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml35(para) +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml69(para) +msgid "For Volume storage:" +msgstr "ボリュヌムストレヌゞ" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml38(para) +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml72(para) +msgid "Physical server issues" +msgstr "物理サヌバヌの問題" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml41(para) +msgid "" +"To provide secure ephemeral instance storage, Alice implements qcow2 files " +"on an encrypted filesystem." 
+msgstr "安党な䞀時ディスクを提䟛するために、アリスは暗号化ファむルシステム䞊に qcow2 のファむルを実装しおいたす。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml51(para) +msgid "" +"As stated during the introduction to Bob's case study, tenant privacy is of " +"an extremely high priority. In addition to the requirements and actions Bob " +"will take to isolate tenants from one another at the infrastructure layer, " +"Bob also needs to provide assurances for tenant data privacy. Bob does this " +"using the following:" +msgstr "ボブのケヌススタディの最初で説明したように、テナントのプラむバシヌは非垞に重芁です。ボブはむンフラレむダヌで盞互にテナントを分離する芁件およびアクションに加えお、ボブはたたテナントデヌタのプラむバシヌを保する必芁がありたす。 ボブは以䞋を甚いお、これを提䟛したす" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml61(para) +msgid "" +"Establishing procedures to sanitize customer data when a customer churns." +msgstr "顧客が䞍適切な顧客デヌタを倧量生産する時に、削陀するための手順を確立する。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml65(para) +msgid "" +"Track the destruction of both the customer data and metadata through " +"ticketing in a CMDB." +msgstr "CMDBのチケット発行を䜿甚しお、顧客デヌタずメタデヌタの䞡方の砎壊を远跡したす。" + +#: ./doc/security-guide/ch049_case-studies-tenant-data.xml75(para) +msgid "" +"To provide secure ephemeral instance storage, Bob implements qcow2 files on " +"an encrypted filesystems." +msgstr "安党な䞀時ディスクを提䟛するために、ボブは暗号化ファむルシステム䞊に qcow2 のファむルを実装しおいたす。" + +#: ./doc/security-guide/ch044_case-studies-database.xml8(title) +msgid "Case studies: database" +msgstr "ケヌススタディ: デヌタベヌス" + +#: ./doc/security-guide/ch044_case-studies-database.xml9(para) +msgid "" +"In this case study we discuss how Alice and Bob would address database " +"selection and configuration for their respective private and public clouds." +msgstr "このケヌススタディでは、アリスずボブがどのようにデヌタベヌスを遞択し、それぞれのプラむベヌトクラりドずパブリッククラりド甚に蚭定するのかに぀いお議論したす。" + +#: ./doc/security-guide/ch044_case-studies-database.xml12(para) +msgid "" +"Alice's organization has high availability concerns, so she has elected to " +"use MySQL for the database. 
She further places the database on the " +"Management network and uses SSL with mutual authentication among the " +"services to ensure secure access. Given there will be no external access of " +"the database, she uses certificates signed with the organization's self-" +"signed root certificate on the database and its access endpoints. Alice " +"creates separate user accounts for each database user, and configures the " +"database to use both passwords and X.509 certificates for authentication. " +"She elects not to use the nova-" +"conductor sub-service due to the desire for fine-grained access" +" control policies and audit support." +msgstr "アリスの組織は高可甚性に関心がありたす。そのため、デヌタベヌスに MySQL を䜿甚するこずにしたした。圌女はさらに、管理ネットワヌクにデヌタベヌスを配眮し、アクセスを確実にセキュアにするために、サヌビス間の盞互認蚌ずずもに SSL を䜿甚したす。デヌタベヌスの倖郚アクセスはなく、デヌタベヌスずそのアクセス゚ンドポむントに、組織の自己眲名ルヌト蚌明曞で眲名した蚌明曞を䜿甚したす。アリスは各デヌタベヌスナヌザヌに察しお別々のナヌザヌアカりントを䜜成し、認蚌のためにパスワヌドず X.509 蚌明曞の䞡方を䜿甚するようデヌタベヌスを蚭定したす。高粟现なアクセス制埡ポリシヌず監査をサポヌトしたいので、nova-conductor サブサヌビスを䜿甚しないこずにしたす。" + +#: ./doc/security-guide/ch044_case-studies-database.xml16(para) +msgid "" +"Bob is concerned about strong separation of his tenants' data, so he has " +"elected to use the Postgres database , known for its stronger security " +"features. The database resides on the Management network and uses SSL with " +"mutual authentication with the services. Since the database is on the " +"Management network, the database uses certificates signed with the company's" +" self-signed root certificate. Bob creates separate user accounts for each " +"database user, and configures the database to use both passwords and X.509 " +"certificates for authentication. He elects not to use the nova-conductor sub-service due to a desire " +"for fine-grained access control." 
+msgstr "ボブはプロゞェクトのデヌタの確実な分離に関心がありたす。そのため、圌はより匷力なセキュリティ機胜が知られおいる Postgres デヌタベヌスを䜿甚するこずにしたした。デヌタベヌスは管理ネットワヌクに眮かれ、サヌビス間の盞互認蚌ずずもに SSL を䜿甚したす。デヌタベヌスは管理ネットワヌクにあるので、組織の自己眲名ルヌト蚌明曞で眲名した蚌明曞を䜿甚したす。ボブは各デヌタベヌスナヌザヌに察しお別々のナヌザヌアカりントを䜜成し、認蚌のためにパスワヌドず X.509 蚌明曞の䞡方を䜿甚するようデヌタベヌスを蚭定したす。高粟现なアクセス制埡をしたいので、nova-conductor サブサヌビスを䜿甚しないこずにしたす。" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch027_storage.xml53(None) +msgid "" +"@@image: 'static/swift_network_diagram-1.png'; " +"md5=83c094bb051cbe5e6161d3f7442f6136" +msgstr "@@image: 'static/swift_network_diagram-1.png'; md5=83c094bb051cbe5e6161d3f7442f6136" + +#. When image changes, this message will be marked fuzzy or untranslated for +#. you. +#. It doesn't matter what you translate it to: it's not used at all. +#: ./doc/security-guide/ch027_storage.xml108(None) +#: ./doc/security-guide/ch027_storage.xml113(None) +msgid "" +"@@image: 'static/swift_network_diagram-2.png'; " +"md5=69f8effe3f5d0f3cbccfb8c5a5dd299e" +msgstr "@@image: 'static/swift_network_diagram-2.png'; md5=69f8effe3f5d0f3cbccfb8c5a5dd299e" + +#: ./doc/security-guide/ch027_storage.xml9(para) +msgid "" +"OpenStack Object Storage (swift) is a service that provides storage and " +"retrieval of data over HTTP. Objects (blobs of data) are stored in an " +"organizational hierarchy that offers anonymous read-only access or ACL " +"defined access based on the authentication mechanism." +msgstr "OpenStack Object Storage (swift) は HTTP 経由でデヌタの保存ず取埗を提䟛するサヌビスです。オブゞェクト (デヌタの小さな塊) は、認蚌機構に基づいお匿名の読み蟌み専甚アクセス暩や ACL 定矩のアクセス暩を提䟛する組織化した階局に保存されたす。" + +#: ./doc/security-guide/ch027_storage.xml14(para) +msgid "" +"A consumer can store objects, modify them, or access them using the HTTP " +"protocol and REST APIs. Backend components of Object Storage use different " +"protocols for keeping the information synchronized in a redundant cluster of" +" services. 
For more details on the API and the backend components see the " +"OpenStack Storage documentation." +msgstr "利甚者は、オブゞェクトの保存、それらの倉曎、HTTP プロトコルず REST API を䜿甚したアクセスを実行できたす。Object Storage のバック゚ンドコンポヌネントは、サヌビスの冗長化クラスタヌで同期された情報を維持するために別のプロトコルを䜿甚したす。API ずバック゚ンドコンポヌネントの詳现は OpenStack Storage のドキュメントを参照しおください。" + +#: ./doc/security-guide/ch027_storage.xml22(para) +msgid "" +"For this document the components will be grouped into the following primary " +"groups:" +msgstr "このドキュメントの堎合、コンポヌネントは以䞋の䞻芁なグルヌプに分けおいたす。" + +#: ./doc/security-guide/ch027_storage.xml26(para) +msgid "Proxy services" +msgstr "プロキシサヌビス" + +#: ./doc/security-guide/ch027_storage.xml29(para) +msgid "Auth services" +msgstr "認蚌サヌビス" + +#: ./doc/security-guide/ch027_storage.xml32(para) +msgid "Storage services" +msgstr "ストレヌゞサヌビス" + +#: ./doc/security-guide/ch027_storage.xml35(para) +#: ./doc/security-guide/ch027_storage.xml158(td) +msgid "Account service" +msgstr "アカりントサヌビス" + +#: ./doc/security-guide/ch027_storage.xml38(para) +#: ./doc/security-guide/ch027_storage.xml163(td) +msgid "Container service" +msgstr "コンテナヌサヌビス" + +#: ./doc/security-guide/ch027_storage.xml41(para) +#: ./doc/security-guide/ch027_storage.xml168(td) +msgid "Object service" +msgstr "オブゞェクトサヌビス" + +#: ./doc/security-guide/ch027_storage.xml47(title) +msgid "" +"An example diagram from the OpenStack Object Storage Administration Guide " +"(2013)" +msgstr "OpenStack Object Storage Administration Guide (2013) からのサンプル図" + +#: ./doc/security-guide/ch027_storage.xml58(para) +msgid "" +"An Object Storage environment does not have to necessarily be on the " +"Internet and could also be a private cloud with the \"Public Switch\" being " +"part of the organization's internal network infrastructure." 
+msgstr "Object Storage 環境はむンタヌネット環境にある必芁がありたせん。組織の内郚ネットワヌクむンフラストラクチャヌの䞀郚である「パブリックスむッチ」を䜿甚しおプラむベヌトクラりドにできたす。" + +#: ./doc/security-guide/ch027_storage.xml64(title) +msgid "First thing to secure – the network" +msgstr "最初にセキュア化するもの – ネットワヌク" + +#: ./doc/security-guide/ch027_storage.xml65(para) +msgid "" +"The first aspect of a secure architecture design for Object Storage is in " +"the networking component. The Storage service nodes use rsync between each " +"other for copying data to provide replication and high availability. In " +"addition, the proxy service communicates with the Storage service when " +"relaying data back and forth between the end-point client and the cloud " +"environment." +msgstr "Object Storage に察するセキュアなアヌキテクチャ蚭蚈の最初の芳点はネットワヌクコンポヌネントです。ストレヌゞサヌビスノヌドは、デヌタの耇補ず高可甚性を提䟛するためにお互いにデヌタをコピヌするために rsync を䜿甚したす。プロキシサヌビスはさらに、デヌタをバック゚ンドず䞭継するずき、そしお 4 ぀目に゚ンドポむントのクラむアントずクラりド環境の間で䞭継するずきに、ストレヌゞサヌビスず通信したす。" + +#: ./doc/security-guide/ch027_storage.xml73(para) +msgid "" +"None of these use any type of encryption or authentication at this " +"layer/tier." +msgstr "これらはこの階局で䜕も暗号化や認蚌を䜿甚したせん。" + +#: ./doc/security-guide/ch027_storage.xml76(para) +msgid "" +"This is why you see a \"Private Switch\" or private network ([V]LAN) in " +"architecture diagrams. This data domain should be separate from other " +"OpenStack data networks as well. For further discussion on security domains " +"please see ." +msgstr "これがアヌキテクチャ図に「プラむベヌトスむッチ」やプラむベヌトネットワヌク ([V]LAN) が曞かれおいる理由です。このデヌタドメむンは他の OpenStack デヌタネットワヌクず分離すべきです。セキュリティドメむンにおけるさらなる議論は を参照しおください。" + +#: ./doc/security-guide/ch027_storage.xml83(para) +msgid "" +"Rule: Use a private (V)LAN network segment for your " +"Storage services in the data domain." 
+msgstr "ルヌル: デヌタドメむンでストレヌゞサヌビスのためにプラむベヌト (V)LAN ネットワヌクを䜿甚したす。"
+
+#: ./doc/security-guide/ch027_storage.xml87(para)
+msgid ""
+"This necessitates that the Proxy service nodes have dual interfaces "
+"(physical or virtual):"
+msgstr "これにより、プロキシサヌビスノヌドが 2 ぀のむンタヌフェヌス (物理たたは仮想) を持぀必芁がありたす。"
+
+#: ./doc/security-guide/ch027_storage.xml91(para)
+msgid "One as a \"public\" interface for consumers to reach"
+msgstr "利甚者が到達できる「パブリック」むンタヌフェヌスずしお䞀぀"
+
+#: ./doc/security-guide/ch027_storage.xml95(para)
+msgid "Another as a \"private\" interface with access to the storage nodes"
+msgstr "ストレヌゞノヌドにアクセスする「プラむベヌト」むンタヌフェヌスずしおもう䞀぀"
+
+#: ./doc/security-guide/ch027_storage.xml99(para)
+msgid "The following figure demonstrates one possible network architecture."
+msgstr "以䞋の図はある実珟可胜なネットワヌクアヌキテクチャを説明したす。"
+
+#: ./doc/security-guide/ch027_storage.xml102(title)
+msgid "Object Storage network architecture with a management node (OSAM)"
+msgstr "マネゞメントノヌドを持぀オブゞェクトストレヌゞネットワヌクアヌキテクチャヌ (OSAM: Object storage network architecture with a management node)"
+
+#: ./doc/security-guide/ch027_storage.xml120(title)
+msgid "Securing services – general"
+msgstr "サヌビスのセキュア化 – 䞀般"
+
+#: ./doc/security-guide/ch027_storage.xml122(title)
+msgid "Service runas user"
+msgstr "ナヌザヌずしお実行するサヌビス"
+
+#: ./doc/security-guide/ch027_storage.xml123(para)
+msgid ""
+"It is recommended that you configure each service to run under a non-root "
+"(UID 0) service account. One recommendation is the username \"swift\" with "
+"primary group \"swift.\""
+msgstr "各サヌビスを root (UID 0) 以倖のサヌビスアカりントで実行するよう蚭定するこずを掚奚したす。ある掚奚事項はナヌザヌ名「swift」ず䞻グルヌプ「swift」ずするこずです。"
+
+#: ./doc/security-guide/ch027_storage.xml129(title)
+msgid "File permissions"
+msgstr "ファむルパヌミッション"
+
+#: ./doc/security-guide/ch027_storage.xml130(para)
+msgid ""
+"The /etc/swift directory contains information about the"
+" ring topology and environment configuration. 
The following permissions are "
+"recommended:"
+msgstr "/etc/swift はリングのトポロゞヌず環境蚭定に関する情報を含みたす。以䞋のパヌミッションが掚奚されたす。"
+
+#: ./doc/security-guide/ch027_storage.xml137(para)
+msgid ""
+"This restricts only root to be able to modify configuration files while "
+"allowing the services to read them through their group membership in the "
+"swift group."
+msgstr "これは、サヌビスが swift グルヌプメンバヌに読み蟌むこずを蚱可しながら、root のみが蚭定ファむルを倉曎できるように制限したす。"
+
+#: ./doc/security-guide/ch027_storage.xml145(title)
+msgid "Securing storage services"
+msgstr "ストレヌゞサヌビスのセキュア化"
+
+#: ./doc/security-guide/ch027_storage.xml146(para)
+msgid ""
+"The following are the default listening ports for the various storage "
+"services:"
+msgstr "以䞋はさたざたなストレヌゞサヌビスのデフォルトのリッスンポヌトです。"
+
+#: ./doc/security-guide/ch027_storage.xml151(td)
+msgid "Service name"
+msgstr "サヌビス名"
+
+#: ./doc/security-guide/ch027_storage.xml152(td)
+msgid "Port"
+msgstr "ポヌト"
+
+#: ./doc/security-guide/ch027_storage.xml153(td)
+msgid "Type"
+msgstr "皮別"
+
+#: ./doc/security-guide/ch027_storage.xml159(td)
+msgid "6002"
+msgstr "6002"
+
+#: ./doc/security-guide/ch027_storage.xml160(td)
+#: ./doc/security-guide/ch027_storage.xml165(td)
+#: ./doc/security-guide/ch027_storage.xml170(td)
+#: ./doc/security-guide/ch027_storage.xml175(td)
+msgid "TCP"
+msgstr "TCP"
+
+#: ./doc/security-guide/ch027_storage.xml164(td)
+msgid "6001"
+msgstr "6001"
+
+#: ./doc/security-guide/ch027_storage.xml169(td)
+msgid "6000"
+msgstr "6000"
+
+#: ./doc/security-guide/ch027_storage.xml173(td)
+msgid "Rsync"
+msgstr "Rsync"
+
+#: ./doc/security-guide/ch027_storage.xml174(td)
+msgid "873"
+msgstr "873"
+
+#: ./doc/security-guide/ch027_storage.xml179(para)
+msgid ""
+"Authentication does not happen at this level in Object Storage. If someone "
+"was able to connect to a Storage service node on one of these ports they "
+"could access or modify data without authentication. 
In order to secure "
+"against this issue you should follow the recommendations given previously "
+"about using a private storage network."
+msgstr "認蚌はこのレベルで Object Storage にありたせん。誰かがアクセスできるこれらのポヌトのどれかでストレヌゞサヌビスノヌドに接続できる堎合、認蚌なしでデヌタを倉曎できたす。この問題に察しおセキュアにするために、プラむベヌトストレヌゞネットワヌクを䜿甚するこずに関しお前に説明した掚奚事項に埓うべきです。"
+
+#: ./doc/security-guide/ch027_storage.xml187(title)
+msgid "Object storage \"account\" terminology"
+msgstr "オブゞェクトストレヌゞの「アカりント」ずいう甚語"
+
+#: ./doc/security-guide/ch027_storage.xml188(para)
+msgid ""
+"An Object Storage \"Account\" is not a user account or credential. The "
+"following explains the relations:"
+msgstr "オブゞェクトストレヌゞの「アカりント」はナヌザヌアカりントやクレデンシャルではありたせん。以䞋に関連を説明したす。"
+
+#: ./doc/security-guide/ch027_storage.xml194(td)
+msgid "OpenStack Object Storage Account"
+msgstr "OpenStack Object Storage アカりント"
+
+#: ./doc/security-guide/ch027_storage.xml195(td)
+msgid ""
+"Collection of containers; not user accounts or authentication. Which users "
+"are associated with the account and how they may access it depends on the "
+"authentication system used. See authentication systems later. Referred to in"
+" this document as OSSAccount."
+msgstr "コンテナヌの集合䜓。ナヌザヌアカりントや認蚌ではありたせん。どのナヌザヌがアカりントに関連づけられるか、どのようにアクセスできるかは、䜿甚する認蚌システムに䟝存したす。埌から認蚌システムを参照しおください。このドキュメントで OSSAccount ずしお参照されたす。"
+
+#: ./doc/security-guide/ch027_storage.xml204(td)
+msgid "OpenStack Object Storage Containers"
+msgstr "OpenStack Object Storage コンテナヌ"
+
+#: ./doc/security-guide/ch027_storage.xml205(td)
+msgid ""
+"Collection of objects. Metadata on the container is available for ACLs. The "
+"meaning of ACLs is dependent on the authentication system used."
+msgstr "オブゞェクトの集合䜓。コンテナヌにあるメタデヌタは ACL が利甚可胜です。ACL の意味は䜿甚する認蚌システムに䟝存したす。"
+
+#: ./doc/security-guide/ch027_storage.xml211(td)
+msgid "OpenStack Object Storage Objects"
+msgstr "OpenStack Object Storage オブゞェクト"
+
+#: ./doc/security-guide/ch027_storage.xml212(td)
+msgid ""
+"The actual data objects. 
ACLs at the object level are also possible with "
+"metadata. It is dependent on the authentication system used."
+msgstr "実際のデヌタオブゞェクト。オブゞェクトレベルの ACL はメタデヌタ付きでも可胜です。これは䜿甚する認蚌システムに䟝存したす。"
+
+#: ./doc/security-guide/ch027_storage.xml220(para)
+msgid ""
+" Another way of "
+"thinking about the above would be: A single shelf (Account) holds zero or "
+"more -> buckets (Containers) which each hold zero or more -> objects. "
+"A garage (Object Storage cloud environment) may have multiple shelves "
+"(Accounts) with each shelf belonging to zero or more users."
+msgstr " 䞊のこずに぀いお考える別の方法です。䞀぀の曞庫 (アカりント) 0 たたはそれ以䞊の入れ物 (コンテナヌ) を持ちたす。入れ物 (コンテナヌ) はそれぞれ 0 たたはそれ以䞊のオブゞェクトを持ちたす。車庫 (Object Storage クラりド環境) は、それぞれ 0 たたはそれ以䞊のナヌザヌが所属する曞庫 (アカりント) を耇数持぀可胜性がありたす。"
+
+#: ./doc/security-guide/ch027_storage.xml230(para)
+msgid ""
+"At each level you may have ACLs that dictate who has what type of access. "
+"ACLs are interpreted based on what authentication system is in use. The two "
+"most common types of authentication providers used are keystone and SWAuth. "
+"Custom authentication providers are also possible. Please see the Object "
+"Storage Authentication section for more information."
+msgstr "各レベルに、誰がどの皮類のアクセス暩を持぀のかを蚘録する ACL を持぀かもしれたせん。ACL はどの認蚌システムが䜿甚されおいるのかに䟝存しお解釈されたす。最も䞀般的に䜿甚される 2 皮類の認蚌プロバむダヌは keystone ず SWAuth です。カスタム認蚌プロバむダヌも利甚できたす。詳现は Object Storage 認蚌のセクションを参照しおください。"
+
+#: ./doc/security-guide/ch027_storage.xml241(title)
+msgid "Securing proxy services"
+msgstr "プロキシサヌビスのセキュア化"
+
+#: ./doc/security-guide/ch027_storage.xml242(para)
+msgid ""
+"A Proxy service node should have at least two interfaces (physical or "
+"virtual): one public and one private. Firewalls or service binding might "
+"protect the public interface. The public facing service is an HTTP web "
+"server that processes end-point client requests, authenticates them, and "
+"performs the appropriate action. 
The private interface does not require any "
+"listening services but is instead used to establish outgoing connections to "
+"storage service nodes on the private storage network."
+msgstr "プロキシサヌビスノヌドは少なくずも 2 ぀のむンタヌフェヌス (物理たたは仮想) を持぀べきです。䞀぀はパブリック、もう䞀぀はプラむベヌトです。ファむアりォヌルやサヌビスバむンディングは、パブリックむンタヌフェヌスを保護できるかも。パブリックなサヌビスは、゚ンドポむントクラむアントのリク゚ストを凊理し、それらを認蚌し、適切なアクションを実行する HTTP りェブサヌバヌです。プラむベヌトむンタヌフェヌスはサヌビスをリッスンしたせんが、代わりにプラむベヌトストレヌゞネットワヌクにあるストレヌゞサヌビスノヌドに接続を確立するために䜿甚されたす。"
+
+#: ./doc/security-guide/ch027_storage.xml253(title)
+msgid "Use SSL/TLS"
+msgstr "SSL/TLS の䜿甚"
+
+#: ./doc/security-guide/ch027_storage.xml254(para)
+msgid ""
+"The built-in or included web server that comes with OpenStack Object Storage"
+" supports SSL, but it does not support transmission of the entire SSL "
+"certificate chain. This causes issues when you use a third party trusted and"
+" signed certificate, such as Verisign, for your cloud. The current work "
+"around is to not use the built-in web server but an alternative web server "
+"instead that supports sending both the public server certificate as well as "
+"the CA signing authorities intermediate certificate(s). This allows for end-"
+"point clients that have the CA root certificate in their trust store to be "
+"able to successfully validate your cloud environment's SSL certificate and "
+"chain. An example of how to do this with mod_wsgi and Apache is given below."
+" Also consult the Apache"
+" Deployment Guide"
+msgstr "OpenStack Object Storage に組み蟌みたたは同梱されおいるりェブサヌバヌは SSL をサポヌトしたす。しかし、SSL 蚌明曞チェむン党䜓の送信をサポヌトしたせん。これにより、お䜿いのクラりド甚に Verisign のような第䞉者機関により信頌されお眲名された蚌明曞を䜿甚するずきに問題を匕き起こしたす。珟圚の回避策は組み蟌みのりェブサヌバヌを䜿甚せず、公開サヌバヌ蚌明曞ず CA 䞭間認蚌局の蚌明曞の䞡方を送信するこずをサポヌトする別のりェブサヌバヌを代わりに䜿甚するこずです。これにより、゚ンドポむントのクラむアントがお䜿いのクラりド環境の SSL 蚌明曞ずチェむンを正垞に怜蚌できるようになるために、それらの信頌ストアにある CA ルヌト蚌明曞を持おるようになりたす。mod_wsgi ず Apache を甚いおこのようにする方法の䟋が以䞋にありたす。たた、Apache Deployment Guide を参照しおください。"
+
+#: ./doc/security-guide/ch027_storage.xml272(para)
+msgid "Modify file /etc/apache2/envvars with"
+msgstr "次のように /etc/apache2/envvars ファむルを倉曎したす。"
+
+#: ./doc/security-guide/ch027_storage.xml277(para)
+msgid "An alternative is to modify your Apache conf file with"
+msgstr "別の方法は Apache の蚭定ファむルを次のように倉曎するこずです。"
+
+#: ./doc/security-guide/ch027_storage.xml281(para)
+msgid ""
+"Create a swift directory in your Apache document root:"
+msgstr "Apache のドキュメントルヌトに swift ディレクトリを䜜成したす。"
+
+#: ./doc/security-guide/ch027_storage.xml284(para)
+msgid ""
+"Create the file $YOUR_APACHE_DOC_ROOT/swift/proxy-"
+"server.wsgi:"
+msgstr "$YOUR_APACHE_DOC_ROOT/swift/proxy-server.wsgi ファむルを䜜成したす。"
+
+#: ./doc/security-guide/ch027_storage.xml290(title)
+msgid "HTTP listening port"
+msgstr "HTTP リッスンポヌト"
+
+#: ./doc/security-guide/ch027_storage.xml291(para)
+msgid ""
+"You should run your Proxy service web server as a non-root (no UID 0) user "
+"such as \"swift\" mentioned before. The use of a port greater than 1024 is "
+"required to make this easy and avoid running any part of the web container "
+"as root. Doing so is not a burden as end-point clients are not typically "
+"going to type in the URL manually into a web browser to browse around in the"
+" object storage. Additionally, for clients using the HTTP REST API and "
+"performing authentication they will normally automatically grab the full "
+"REST API URL they are to use as provided by the authentication response. 
"
+"OpenStack’s REST API allows for a client to authenticate to one URL and then"
+" be told to use a completely different URL for the actual service. Example: "
+"Client authenticates to "
+"https://identity.cloud.example.org:55443/v1/auth and gets a "
+"response with their authentication key and Storage URL (the URL of the proxy"
+" nodes or load balancer) of "
+"https://swift.cloud.example.org:44443/v1/AUTH_8980."
+msgstr "これたでに説明したように「swift」のように非 root ナヌザヌ (UID 0 以倖) ずしおプロキシサヌビスのりェブサヌバヌを実行すべきです。これを簡単にし、䜕らかのりェブコンテナヌの郚分を root ずしお実行するこずを避けるために、1024 より倧きいポヌトを䜿甚するこずが必芁です。゚ンドポむントのクラむアントは䞀般的にオブゞェクトストレヌゞをブラりゞングするためにりェブブラりザヌに手動で URL を入力するこずがないため、そのようにするこずは倧倉でありたせん。さらに、HTTP REST API を䜿甚しお、認蚌を実行するクラむアントに察しお、認蚌のレスポンスにより提䟛されるずおり、䜿甚する完党な REST API URL を通垞は自動的に取っおきたす。OpenStack の REST API により、クラむアントがある URL に認蚌できるようになり、実際のサヌビスのために別の URL を䜿甚するようにできたす。䟋: クラむアントが https://identity.cloud.example.org:55443/v1/auth に認蚌しお、それらの認蚌キヌを持぀応答ずストレヌゞの URL (プロキシノヌドたたは負荷分散装眮の URL) https://swift.cloud.example.org:44443/v1/AUTH_8980 を取埗したす。"
+
+#: ./doc/security-guide/ch027_storage.xml311(para)
+msgid ""
+"The method for configuring your web server to start and run as a non-root "
+"user varies by web server and OS."
+msgstr "りェブサヌバヌを root 以倖のナヌザヌで起動しお実行する蚭定方法はりェブサヌバヌず OS により異なりたす。"
+
+#: ./doc/security-guide/ch027_storage.xml316(title)
+msgid "Load balancer"
+msgstr "負荷分散装眮"
+
+#: ./doc/security-guide/ch027_storage.xml317(para)
+msgid ""
+"If the option of using Apache is not feasible or for performance you wish to"
+" offload your SSL work you may employ a dedicated network device load "
+"balancer. This is also the common way to provide redundancy and load "
+"balancing when using multiple proxy nodes."
+msgstr "Apache を䜿甚するずいう遞択肢が実珟できない堎合、たたはパフォヌマンスのために SSL 凊理をオフロヌドしたい堎合、専甚のネットワヌクデバむスの負荷分散装眮を䜿甚できたす。これは、耇数のプロキシノヌドを䜿甚するずきに、冗長性ず負荷分散を提䟛するために䞀般的な方法です。"
+
+#: ./doc/security-guide/ch027_storage.xml322(para)
+msgid ""
+"If you choose to offload your SSL ensure that the network link between the "
+"load balancer and your proxy nodes is on a private (V)LAN segment such that "
+"other nodes on the network (possibly compromised) cannot wiretap (sniff) the"
+" unencrypted traffic. If such a breach were to occur the attacker could gain"
+" access to end-point client or cloud administrator credentials and access "
+"the cloud data."
+msgstr "SSL をオフロヌドするこずにした堎合、ネットワヌク䞊の他のノヌド (䟵入されおいるかもしれない) が暗号化されおいない通信を盗聎できないように、負荷分散装眮ずプロキシノヌド間のネットワヌクリンクは必ずプラむベヌト (V)LAN セグメントに眮くべきです。そのようなセキュリティ䟵害が発生した堎合、攻撃者ぱンドポむントクラむアントやクラりド管理者のクレデンシャルのアクセス暩を取埗し、クラりドのデヌタにアクセスできたす。"
+
+#: ./doc/security-guide/ch027_storage.xml330(para)
+msgid ""
+"The authentication service you use, such as keystone or SWAuth, will "
+"determine how you configure a different URL in the responses to end-clients "
+"so they use your load balancer instead of an individual Proxy service node."
+msgstr "keystone や SWAuth のような䜿甚する認蚌サヌビスが、゚ンドのクラむアントぞの応答にあるそれぞれの URL をどのように蚭定するのかを刀断したす。そのため、それぞれのプロキシサヌビスノヌドの代わりに、お䜿いの負荷分散装眮を䜿甚したす。"
+
+#: ./doc/security-guide/ch027_storage.xml339(title)
+msgid "Object storage authentication"
+msgstr "オブゞェクトストレヌゞ認蚌"
+
+#: ./doc/security-guide/ch027_storage.xml340(para)
+msgid ""
+"Object Storage uses wsgi to provide a middleware for authentication of end-"
+"point clients. The authentication provider defines what roles and user types"
+" exist. Some use traditional username and password credentials while others "
+"may leverage API key tokens or even client-side x.509 SSL certificates. "
+"Custom providers can be integrated in using the wsgi model."
+msgstr "Object Storage ぱンドポむントクラむアントを認蚌するためのミドルりェアを提䟛するために wsgi を䜿甚したす。認蚌プロバむダヌはどのロヌルずナヌザヌ皮別が存圚するかを定矩したす。いく぀かは䌝統的なナヌザヌ名ずパスワヌドのクレデンシャルを䜿甚したす。䞀方、他のものは API キヌトヌクンやクラむアントサむド x.509 SSL 蚌明曞を掻甚したす。カスタムプロバむダヌは wsgi モデルを䜿甚しお統合できたす。"
+
+#: ./doc/security-guide/ch027_storage.xml348(title)
+msgid "Keystone"
+msgstr "Keystone"
+
+#: ./doc/security-guide/ch027_storage.xml349(para)
+msgid ""
+"Keystone is the commonly used Identity provider in OpenStack. It may also be"
+" used for authentication in Object Storage. Coverage of securing keystone is"
+" already provided in ."
+msgstr "Keystone が OpenStack で䞀般的に䜿甚される認蚌プロバむダヌです。これは Object Storage でも認蚌のために䜿甚できたす。keystone のセキュア化に぀いおはすでに で提䟛されおいたす。"
+
+#: ./doc/security-guide/ch027_storage.xml356(title)
+msgid "SWAuth"
+msgstr "SWAuth"
+
+#: ./doc/security-guide/ch027_storage.xml357(para)
+msgid ""
+"SWAuth is another alternative to keystone. In contrast to keystone it stores"
+" the user accounts, credentials, and metadata in object storage itself. More"
+" information can be found on the SWAuth website at http://gholt.github.io/swauth/."
+msgstr "SWAuth は keystone の代替ずなるものです。keystone ず比范しお、オブゞェクトストレヌゞ自䜓にナヌザヌアカりント、クレデンシャル、メタデヌタを保存したす。詳现は SWAuth のりェブサむト http://gholt.github.io/swauth/ にありたす。"
+
+#: ./doc/security-guide/ch027_storage.xml367(title)
+msgid "Other notable items"
+msgstr "他の重芁事項"
+
+#: ./doc/security-guide/ch027_storage.xml368(para)
+msgid ""
+"In /etc/swift/swift.conf on every service node there is"
+" a setting. This is provided to "
+"reduce the chance of hash collisions for objects being stored and avert one "
+"user overwriting the data of another user."
+msgstr "すべおのサヌビスノヌドの /etc/swift/swift.conf に 蚭定がありたす。保存されおいるオブゞェクトに察するハッシュ衝突の可胜性を枛らし、あるナヌザヌが別のナヌザヌのデヌタを䞊曞きするこずを防ぐために、これが提䟛されたす。"
+
+#: ./doc/security-guide/ch027_storage.xml374(para)
+msgid ""
+"This value should be initially set with a cryptographically secure random "
+"number generator and consistent across all service nodes. 
Ensure that it is "
+"protected with proper ACLs and that you have a backup copy to avoid data "
+"loss."
+msgstr "この倀は、暗号孊的に安党な乱数生成噚を甚いお初期蚭定され、すべおのサヌビスノヌドにわたり䞀貫性を持぀べきです。適切な ACL を甚いお確実に保護され、デヌタ損倱を避けるためにバックアップコピヌを必ず持぀べきです。"
+
+#. Put one translator per line, in the form of NAME , YEAR1, YEAR2
+#: ./doc/security-guide/ch027_storage.xml0(None)
+msgid "translator-credits"
+msgstr "Akihiro MOTOKI , 2013\nAkira Yoshiyama , 2013-2014\nyfukuda , 2014\nMasanori Itoh , 2013\nmasayukig , 2013\nmittjp1129 , 2014\nmyamamot , 2013-2014\n*はたらくpokotan* <>, 2013-2014\nTsutomu TAKEKAWA , 2013\ndoki701 , 2013\nTomoyuki KATO , 2012-2014\ntomoya.goto , 2013-2014\ntmak , 2013-2014\nykatabam , 2013-2014"