On 07/10/19 13:06 +0200, Jaan Vaks wrote:
Hi all,

I'm evaluating cephfs to serve our business as a file share that spans across our 3 datacenters. One concern that I have when using cephfs and OpenStack Manila is that all guest vms need access to the public storage net. This to me feels like a security concern. I've seen one suggestion is to put NFS gateways in between to prevent this; I would prefer not having to use NFS. Is there another way to solve this, or is this of no concern to others, both the network and NFS? We are a small cloud provider and having different customers exposed to each other on the same storage net seems risky to me.

Regards
Jaan
_______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
If you put clients on a shared network they need to protect themselves from one another (can use e.g. neutron security rules to disallow ingress connections on that network) irrespective of whether the network is CephFS or NFS.
The main *security* reason for CephFS-backed deployments to use NFS gateways is that CephFS relies much more on client-side cooperation (e.g. for quota enforcement) than NFS. In public clouds and even lots of enterprise-scale private clouds, administrators don't want to expose critical Ceph resources directly to untrusted clients or rely on uncontrolled client-side software.
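An added example, not part of the original thread: a Python check for the Neutron security rules the reply mentions, listing the ingress rules on a guest's storage-network port that other hosts on that network could still use. The rule dictionaries follow the field names of Neutron's security-group-rule resource; the CIDR, rule ids and group name are constructed sample values, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample data: rules in the field layout of Neutron's
# security-group-rule resource. CIDRs, ids and group names are made up.
STORAGE_CIDR = "10.20.0.0/24"  # assumed shared storage network
SAMPLE_RULES = [
    {"id": "r1", "direction": "egress", "ethertype": "IPv4",
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r2", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": "192.0.2.0/24", "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": "10.20.0.0/16", "remote_group_id": None},
    {"id": "r4", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r5", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": None, "remote_group_id": "sg-tenant-a"},
    {"id": "r6", "direction": "ingress", "ethertype": "IPv6",
     "remote_ip_prefix": None, "remote_group_id": None},
]


def audit_ingress(rules, storage_cidr):
    """Return (rule_id, reason) for ingress rules other storage-net hosts can use."""
    storage = ipaddress.ip_network(storage_cidr)
    family = "IPv%d" % storage.version
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["ethertype"] != family:
            continue  # egress, or an address family the storage net does not use
        if rule.get("remote_group_id"):
            # Source is group membership; CIDR math cannot decide this one.
            findings.append((rule["id"], "review: source is a security group"))
            continue
        prefix = rule.get("remote_ip_prefix")
        if prefix is None:
            findings.append((rule["id"], "open: any source address"))
            continue
        source = ipaddress.ip_network(prefix, strict=False)
        if source.version == storage.version and source.overlaps(storage):
            findings.append((rule["id"], "open: %s overlaps storage net" % prefix))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_ingress(SAMPLE_RULES, STORAGE_CIDR):
        print(rule_id, reason)
```

An empty result means no ingress rule in the group admits traffic from the storage network, which is the state the reply's suggestion aims for.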