On 8/29/22 12:30, Nico Schottelius wrote:
> Hey Burkhard, thanks a lot for the insight. Especially knowing that mons/mgr don't use the cluster network is good information.
>
> I discovered today as well that both public network and cluster network are actually lists of networks: https://docs.ceph.com/en/latest/rados/configuration/network-config-ref/ Even in Nautilus this seems already to be the case: https://docs.ceph.com/en/nautilus/rados/configuration/network-config-ref/
>
> So what we will probably try in the next days is to *add* the Kubernetes network ranges, which are already routed. Interestingly, checking on a rook/pacific installation, there is no public or cluster network configuration at all anymore, which makes me question what these settings actually did in the first place.
Good question. We don't have it defined in our clusters. mon_host is important, but besides that, it does not seem to be necessary (anymore). The client connects to the monitor, and can get a monmap, osdmap, mdsmap, etc. ... and in this way obtains all addresses it needs to know about.
> Does setting public or cluster just limit the binds or the selection of target addresses, and without the setting connections from anywhere are allowed?
I would doubt so, but I haven't tried. AFAIK it is something you have to tell Ceph to check explicitly, see: https://docs.ceph.com/en/nautilus/cephfs/client-auth/#network-restriction
I have tried this once for a CephFS share, and that worked. I guess this can be configured for all clients (and daemons) and act as an extra layer of security (for when firewall rules are not loaded or are too restrictive).
Gr. Stefan

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
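As an added illustration of the two points discussed in this thread (not configuration from Nico's or Stefan's clusters), here is a ceph.conf fragment in which `public_network` and `cluster_network` are given as comma-separated lists, as the linked network-config reference allows, with a routed Kubernetes pod range appended to the public list. All addresses, ranges and the client name are constructed placeholders.

```ini
# Added example, not from the original thread; all ranges are made-up placeholders.
[global]
# mon_host is what clients actually need: from the monitors they fetch the
# monmap/osdmap/mdsmap and learn every other daemon address.
mon_host = 10.10.0.11, 10.10.0.12, 10.10.0.13

# Both settings accept a comma-separated list of CIDRs. Daemons bind to the
# first matching local address; the list does NOT act as an allow-list for
# incoming connections.
public_network = 10.10.0.0/24, 10.42.0.0/16   # 10.42.0.0/16 = routed Kubernetes pod range (assumed)
cluster_network = 10.20.0.0/24                # OSD replication/recovery traffic only
```

To actually restrict where a client may connect from, the restriction has to be expressed in the client's capabilities, as the client-auth page Stefan links describes; for a CephFS client the documented form is `ceph fs authorize cephfs client.k8s / rw network 10.42.0.0/16` (client name and range again placeholders). The network clause is enforced by the monitors, OSDs and MDS independently of host firewall rules, which is the "extra layer" Stefan refers to: it still applies if the firewall is not loaded, and a client connecting from outside the listed range is refused even though it holds a valid key.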