Yeah, you really want to do this over a vpn. Performance is going to be average at best. It would probably be faster to re-export it as NFS/SMB and push that across the internet. On Mon, May 20, 2024 at 11:37 PM Marc <Marc@xxxxxxxxxxxxxxxxx> wrote: > > > Hi all, > > Due to so many reasons (political, heating problems, lack of space > > aso.) we have to > > plan for our ceph cluster to be hosted externaly. > > The planned version to setup is reef. > > Reading up on documentation we found that it was possible to run in > > secure mode. > > > > Our ceph.conf file will state both v1 and v2 addresses for mons: > > mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0] > > [v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0] > > [v2:4.3.2.3:3300/0,v1:4.3.2.3:6789/0] > > > > Then changing the following configuration options to only secure: > > ms_cluster_mode = secure > > ms_service_mode = secure > > ms_client_mode = secure > > ms_mon_cluster_mode = secure > > ms_mon_service_mode = secure > > ms_mon_client_mode = secure > > > > Then I remounted cephfs on the clients on our test cluster, > > but still the fs would mount on ports 6789. > > I thought that the above secure config change would "force" > > the mount on port 3300 and v2. > > Mounting with option ms_mode=secure, did the trick. > > Is that the way cephfs is working that you explicit have to > > specify secure mode? I thought that cephfs clients would > > use the secure mode with these settings, but maybe I am wrong? > > > > Of cause we also plan to limit the firewalls on servers so only > > the specific subnet will be able to connect and mount cephfs. > > > > From my understanding from the documenation this would be the > > way to set this up with ceph exposed to internet. > > > > Is there something that we are missing or something that would > > make the setup more secure? > > > > What about a tunnel, and have a local ip range route through it? I am not sure what happens if someone is brute forcing your monitors. > > > > _______________________________________________ > ceph-users mailing list -- ceph-users@xxxxxxx > To unsubscribe send an email to ceph-users-leave@xxxxxxx _______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
 |