Thanks for your answers!
I read somewhere that a VPN would really have an impact on performance,
so it was not recommended, and I found the v2 protocol.
But a VPN feels like the solution, and you have to accept the lower speed.
Thanks again!
On Tue, May 21 2024 at 17:07:48 +1000, Malcolm Haak
<insanemal@xxxxxxxxx> wrote:
Yeah, you really want to do this over a VPN.
Performance is going to be average at best. It would probably be
faster to re-export it as NFS/SMB and push that across the internet.
On Mon, May 20, 2024 at 11:37 PM Marc <Marc@xxxxxxxxxxxxxxxxx> wrote:
> Hi all,
> Due to so many reasons (political, heating problems, lack of space
> and so on) we have to
> plan for our ceph cluster to be hosted externally.
> The planned version to setup is reef.
> Reading up on documentation we found that it was possible to run in
> secure mode.
>
> Our ceph.conf file will state both v1 and v2 addresses for mons:
> mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0]
> [v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0]
> [v2:4.3.2.3:3300/0,v1:4.3.2.3:6789/0]
>
> Then changing the following configuration options to only secure:
> ms_cluster_mode = secure
> ms_service_mode = secure
> ms_client_mode = secure
> ms_mon_cluster_mode = secure
> ms_mon_service_mode = secure
> ms_mon_client_mode = secure
>
> Then I remounted cephfs on the clients on our test cluster,
> but still the fs would mount on port 6789.
> I thought that the above secure config change would "force"
> the mount on port 3300 and v2.
> Mounting with the option ms_mode=secure did the trick.
> Is that the way cephfs is working, that you explicitly have to
> specify secure mode? I thought that cephfs clients would
> use the secure mode with these settings, but maybe I am wrong?
>
> Of course we also plan to limit the firewalls on the servers so only
> the specific subnet will be able to connect and mount cephfs.
>
> From my understanding of the documentation this would be the
> way to set this up with ceph exposed to the internet.
>
> Is there something that we are missing or something that would
> make the setup more secure?
>
What about a tunnel, and have a local IP range route through it? I
am not sure what happens if someone is brute forcing your monitors.
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
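The setup the thread discusses, put together as an added example that is not from any of the posters nor from the Ceph project: the six ms_*_mode options quoted above in "ceph config set" form, a kernel cephfs mount that pins the msgr2 port and ms_mode=secure (the option the poster found necessary, because the kernel client takes its transport mode from the mount options rather than from the cluster's ms_*_mode settings), an audit of "ss -tn" output for any connection that still lands on the legacy v1 port 6789, and an nftables fragment that admits only one subnet to 3300. The mon addresses come from the poster's "mon host" line; the cephx user "fsclient", the secret path, the mount point, the client subnet 192.0.2.0/24 and the "ss" sample are all constructed for illustration.

```shell
#!/bin/sh
# Added example for the msgr2 secure-mode discussion above; not the
# poster's or the Ceph project's code. Mon IPs are from the thread's
# "mon host" line; everything else (cephx user, secret file, mount
# point, client subnet, sample ss output) is constructed.
set -u

MONS="4.3.2.1 4.3.2.2 4.3.2.3"
CLIENT_NET="192.0.2.0/24"   # assumed subnet that the firewall admits

# Cluster side: the six ms_*_mode options from the quoted ceph.conf,
# emitted as "ceph config set" commands (central config-db form).
secure_mode_commands() {
  for opt in ms_cluster_mode ms_service_mode ms_client_mode \
             ms_mon_cluster_mode ms_mon_service_mode ms_mon_client_mode; do
    printf 'ceph config set global %s secure\n' "$opt"
  done
}

# Client side: build the legacy device string from the v2 (3300) mon
# endpoints and pass ms_mode=secure explicitly. Without that option the
# kernel client negotiated on 6789, as the poster observed.
# $1 = cephx user, $2 = secret file, $3 = mount point
secure_mount_command() {
  user=$1; secretfile=$2; mountpoint=$3
  dev=""
  for m in $MONS; do
    dev="${dev:+$dev,}$m:3300"
  done
  printf 'mount -t ceph %s:/ %s -o name=%s,secretfile=%s,ms_mode=secure\n' \
    "$dev" "$mountpoint" "$user" "$secretfile"
}

# Verification: read "ss -tn" output on stdin and print every established
# TCP connection to a mon on the v1 port 6789 (IPv4 peers only).
# Exit 0 when no such connection exists, 1 when at least one remains.
v1_connections() {
  awk -v mons="$MONS" '
    BEGIN { n = split(mons, a, " "); for (i = 1; i <= n; i++) isMon[a[i]] = 1 }
    $1 == "ESTAB" {
      split($5, peer, ":")
      if (isMon[peer[1]] && peer[2] == "6789") { print $5; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Host firewall on the mons (nftables): only CLIENT_NET may reach the
# msgr2 port; the v1 port is never opened, so remote brute-force attempts
# against 6789 are dropped before they reach a daemon.
firewall_rules() {
  cat <<EOF
table inet ceph {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr $CLIENT_NET tcp dport 3300 accept
    tcp dport 6789 drop
  }
}
EOF
}

# Constructed "ss -tn" sample: one v1 mon connection left over, one v2
# connection, one unrelated HTTPS connection.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.0.2.10:51322 4.3.2.1:6789
ESTAB 0 0 192.0.2.10:51330 4.3.2.2:3300
ESTAB 0 0 192.0.2.10:40212 198.51.100.7:443'

# Demo when run directly: show the commands, then audit the sample.
secure_mode_commands
secure_mount_command fsclient /etc/ceph/fsclient.secret /mnt/cephfs
printf '%s\n' "$SAMPLE_SS" | v1_connections \
  || echo "WARNING: v1 (6789) mon connections remain, see above"
```

On a real client, run "ss -tn | v1_connections" after remounting; the function exiting non-zero means at least one mon session is still on the v1 port, which is exactly the symptom the poster had before adding ms_mode=secure.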