Re: Cephfs over internet

Yeah, you really want to do this over a VPN.

Performance is going to be average at best. It would probably be
faster to re-export it as NFS/SMB and push that across the internet.

On Mon, May 20, 2024 at 11:37 PM Marc <Marc@xxxxxxxxxxxxxxxxx> wrote:
>
> > Hi all,
> > Due to so many reasons (political, heating problems, lack of space
> > aso.) we have to
> > plan for our ceph cluster to be hosted externally.
> > The planned version to set up is Reef.
> > Reading up on documentation we found that it was possible to run in
> > secure mode.
> >
> > Our ceph.conf file will state both v1 and v2 addresses for mons:
> > mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0]
> > [v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0]
> > [v2:4.3.2.3:3300/0,v1:4.3.2.3:6789/0]
> >
> > Then changing the following configuration options to only secure:
> > ms_cluster_mode = secure
> > ms_service_mode = secure
> > ms_client_mode = secure
> > ms_mon_cluster_mode = secure
> > ms_mon_service_mode = secure
> > ms_mon_client_mode = secure
> >
> > Then I remounted cephfs on the clients on our test cluster,
> > but still the fs would mount on ports 6789.
> > I thought that the above secure config change would "force"
> > the mount on port 3300 and v2.
> > Mounting with option ms_mode=secure, did the trick.
> > Is that the way cephfs is working that you explicitly have to
> > specify secure mode? I thought that cephfs clients would
> > use the secure mode with these settings, but maybe I am wrong?
> >
> > Of course we also plan to limit the firewalls on servers so only
> > the specific subnet will be able to connect and mount cephfs.
> >
> > From my understanding from the documentation this would be the
> > way to set this up with ceph exposed to internet.
> >
> > Is there something that we are missing or something that would
> > make the setup more secure?
> >
>
> What about a tunnel, and have a local ip range route through it? I am not sure what happens if someone is brute forcing your monitors.
>
>
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
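
The original poster found that the ms_* settings in ceph.conf did not move the kernel mount off port 6789 and that the mount option ms_mode=secure did. The following check for that condition is an added example, not code from the thread or from the Ceph project. The mount lines are constructed samples in /proc/mounts layout, and the script assumes IPv4 monitor addresses and that ms_mode is listed among the mount options when it was set.

```python
import re

# Constructed /proc/mounts-style lines (not captured from a real host).
SAMPLE_MOUNTS = """\
4.3.2.1:6789,4.3.2.2:6789,4.3.2.3:6789:/ /mnt/legacy ceph rw,relatime,name=app,secret=<hidden>,acl 0 0
4.3.2.1:3300,4.3.2.2:3300,4.3.2.3:3300:/ /mnt/secure ceph rw,relatime,name=app,secret=<hidden>,ms_mode=secure,acl 0 0
4.3.2.1:3300,4.3.2.2:3300:/ /mnt/crc ceph rw,relatime,name=app,secret=<hidden>,ms_mode=prefer-crc,acl 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

V1_PORT = 6789  # msgr v1 monitor port from the thread's mon host line


def audit_ceph_mounts(mounts_text):
    """Return {mountpoint: [findings]} for every CephFS kernel mount."""
    report = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "ceph":
            continue  # not a CephFS kernel mount
        device, mountpoint, _, optstr = fields[:4]
        # "key=value" and bare flags ("rw") both become dict entries.
        opts = dict(o.partition("=")[::2] for o in optstr.split(","))
        # Monitor addresses are in the device string or in a mon_addr= option.
        addr_src = device + "," + opts.get("mon_addr", "")
        ports = {int(p) for p in re.findall(r"\d+\.\d+\.\d+\.\d+:(\d+)", addr_src)}
        findings = []
        mode = opts.get("ms_mode")
        if mode is None:
            findings.append("no ms_mode option: not pinned to msgr2 secure")
        elif mode != "secure":
            findings.append(f"ms_mode={mode}: encryption not enforced")
        if V1_PORT in ports:
            findings.append(f"monitor port {V1_PORT} (msgr v1) in use")
        report[mountpoint] = findings
    return report


if __name__ == "__main__":
    for mnt, findings in audit_ceph_mounts(SAMPLE_MOUNTS).items():
        print(mnt, "OK" if not findings else "; ".join(findings))
```

On a client, pass the contents of /proc/mounts instead of SAMPLE_MOUNTS.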



