> Hi all,
> Due to so many reasons (political, heating problems, lack of space
> and so on) we have to
> plan for our ceph cluster to be hosted externally.
> The planned version to set up is reef.
> Reading up on documentation we found that it was possible to run in
> secure mode.
>
> Our ceph.conf file will state both v1 and v2 addresses for mons:
> mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0]
> [v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0]
> [v2:4.3.2.3:3300/0,v1:4.3.2.3:6789/0]
>
> Then changing the following configuration options to only secure:
> ms_cluster_mode = secure
> ms_service_mode = secure
> ms_client_mode = secure
> ms_mon_cluster_mode = secure
> ms_mon_service_mode = secure
> ms_mon_client_mode = secure
>
> Then I remounted cephfs on the clients on our test cluster,
> but still the fs would mount on ports 6789.
> I thought that the above secure config change would "force"
> the mount on port 3300 and v2.
> Mounting with option ms_mode=secure did the trick.
> Is that the way cephfs is working, that you explicitly have to
> specify secure mode? I thought that cephfs clients would
> use the secure mode with these settings, but maybe I am wrong?
>
> Of course we also plan to limit the firewalls on servers so only
> the specific subnet will be able to connect and mount cephfs.
>
> From my understanding from the documentation this would be the
> way to set this up with ceph exposed to the internet.
>
> Is there something that we are missing or something that would
> make the setup more secure?
>

What about a tunnel, and have a local IP range route through it? I am not sure what happens if someone is brute forcing your monitors.

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
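
An added example, not part of the original messages or of Ceph itself: a client-side check that flags kernel CephFS mounts that were not mounted with `ms_mode=secure`, the option the question reports as necessary. It assumes the kernel client lists `ms_mode` among the mount options in `/proc/mounts` and that a mount showing no `ms_mode` is using the legacy v1 protocol; the function names, mount points and the `fsuser` client name are constructed for the example.

```shell
#!/bin/sh
# audit_ceph_mounts: read mount-table lines (/proc/mounts format) on stdin and
# print "OK <mountpoint>" or "WEAK <mountpoint> ms_mode=<mode>" for each
# kernel CephFS mount. Other filesystem types are ignored.
audit_ceph_mounts() {
    awk '
    $3 == "ceph" {
        mode = "legacy"   # assumption: no ms_mode shown means msgr v1
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^ms_mode=/) mode = substr(opts[i], 9)
        if (mode == "secure")
            print "OK " $2
        else
            print "WEAK " $2 " ms_mode=" mode
    }'
}

# Constructed sample lines; the monitor addresses are the ones in the
# quoted ceph.conf, everything else is made up for the example.
sample_mounts() {
    cat <<'EOF'
4.3.2.1:6789,4.3.2.2:6789,4.3.2.3:6789:/ /mnt/a ceph rw,relatime,name=fsuser,secret=<hidden>,acl 0 0
4.3.2.1:3300,4.3.2.2:3300,4.3.2.3:3300:/ /mnt/b ceph rw,relatime,name=fsuser,secret=<hidden>,ms_mode=secure,acl 0 0
4.3.2.1:3300,4.3.2.2:3300,4.3.2.3:3300:/ /mnt/c ceph rw,relatime,name=fsuser,secret=<hidden>,ms_mode=prefer-crc,acl 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# check_ceph_mounts: print the report and return non-zero if any CephFS
# mount is not ms_mode=secure, so it can gate a cron job or config check.
check_ceph_mounts() {
    report=$(audit_ceph_mounts)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    ! printf '%s\n' "$report" | grep -q '^WEAK '
}

# Demonstration on the constructed sample.
# On a real client: check_ceph_mounts < /proc/mounts
sample_mounts | audit_ceph_mounts
```

The `prefer-crc` mount is flagged as well, because only `secure` guarantees that the session is encrypted rather than merely integrity-checked.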