Re: Cephfs over internet

We did a proof of concept moving some compute into "the cloud" and exported our CephFS shares using WireGuard as the tunnel. The performance impact on our storage was completely latency and bandwidth dependent, with no noticeable impact from the tunnel itself.

-paul

--

Paul Mezzanini
Platform Engineer III
Research Computing
Rochester Institute of Technology



________________________________________
From: Marcus <marcus@xxxxxxxxxx>
Sent: Tuesday, May 21, 2024 7:39 AM
To: ceph-users
Subject:  Re: Cephfs over internet

Thanks for your answers!
I read somewhere that a VPN would really have an impact on performance,
so it was not recommended, and I found the v2 protocol.
But a VPN feels like the solution and you have to accept the lower speed.

Thanks again!

On Tue, May 21 2024 at 17:07:48 +1000, Malcolm Haak
<insanemal@xxxxxxxxx> wrote:
> Yeah, you really want to do this over a VPN.
>
> Performance is going to be average at best. It would probably be
> faster to re-export it as NFS/SMB and push that across the internet.
>
> On Mon, May 20, 2024 at 11:37 PM Marc <Marc@xxxxxxxxxxxxxxxxx> wrote:
>>
>>  > Hi all,
>>  > Due to so many reasons (political, heating problems, lack of space
>>  > and so on) we have to
>>  > plan for our ceph cluster to be hosted externally.
>>  > The planned version to set up is reef.
>>  > Reading up on the documentation we found that it was possible to run
>>  > in secure mode.
>>  >
>>  > Our ceph.conf file will state both v1 and v2 addresses for mons:
>>  > mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0]
>>  > [v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0]
>>  > [v2:4.3.2.3:3300/0,v1:4.3.2.3:6789/0]
>>  >
>>  > Then changing the following configuration options to only secure:
>>  > ms_cluster_mode = secure
>>  > ms_service_mode = secure
>>  > ms_client_mode = secure
>>  > ms_mon_cluster_mode = secure
>>  > ms_mon_service_mode = secure
>>  > ms_mon_client_mode = secure
>>  >
>>  > Then I remounted cephfs on the clients on our test cluster,
>>  > but still the fs would mount on port 6789.
>>  > I thought that the above secure config change would "force"
>>  > the mount on port 3300 and v2.
>>  > Mounting with option ms_mode=secure did the trick.
>>  > Is that the way cephfs is working, that you explicitly have to
>>  > specify secure mode? I thought that cephfs clients would
>>  > use the secure mode with these settings, but maybe I am wrong?
>>  >
>>  > Of course we also plan to limit the firewalls on servers so only
>>  > the specific subnet will be able to connect and mount cephfs.
>>  >
>>  > From my understanding of the documentation this would be the
>>  > way to set this up with ceph exposed to internet.
>>  >
>>  > Is there something that we are missing or something that would
>>  > make the setup more secure?
>>  >
>>
>>  What about a tunnel, and have a local IP range route through it? I
>>  am not sure what happens if someone is brute forcing your monitors.
>>
>>
>>
>>  _______________________________________________
>>  ceph-users mailing list -- ceph-users@xxxxxxx
>> <mailto:ceph-users@xxxxxxx>
>>  To unsubscribe send an email to ceph-users-leave@xxxxxxx
>> <mailto:ceph-users-leave@xxxxxxx>

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
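
Added example (not part of any message in this thread): a small Python audit for the three things the original question walks through, namely v1 addresses in mon host, the six ms_*_mode options, and the ms_mode=secure mount option. The sample ceph.conf text and /proc/mounts-style lines are constructed, and the function names are hypothetical.

```python
import re

MODE_KEYS = ("ms_cluster_mode", "ms_service_mode", "ms_client_mode",
             "ms_mon_cluster_mode", "ms_mon_service_mode", "ms_mon_client_mode")

# Constructed sample: the thread's settings, with one option left at crc.
SAMPLE_CONF = """\
[global]
mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0] [v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0]
ms_cluster_mode = secure
ms_service_mode = secure
ms_client_mode = secure
ms_mon_cluster_mode = secure
ms_mon_service_mode = secure
ms_mon_client_mode = crc
"""

# Constructed /proc/mounts-style lines: one mount without ms_mode, one with it.
SAMPLE_MOUNTS = """\
4.3.2.1:6789,4.3.2.2:6789:/ /mnt/a ceph rw,relatime,name=app,acl 0 0
4.3.2.1:3300,4.3.2.2:3300:/ /mnt/b ceph rw,relatime,name=app,ms_mode=secure,acl 0 0
"""

def parse_conf(text):
    """Return {key: value}; 'mon host' and 'mon_host' are treated alike."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            conf[key.strip().replace(" ", "_")] = value.strip()
    return conf

def audit_conf(text):
    """List v1 monitor endpoints and ms_*_mode options not set to 'secure'."""
    conf = parse_conf(text)
    findings = [f"mon host lists v1 endpoint {addr}"
                for addr in re.findall(r"v1:(\S+?)/\d", conf.get("mon_host", ""))]
    for key in MODE_KEYS:
        value = conf.get(key, "<unset>")
        if value != "secure":
            findings.append(f"{key} = {value}, expected secure")
    return findings

def audit_mounts(text):
    """Return mount points of ceph mounts that lack ms_mode=secure."""
    rows = [line.split() for line in text.splitlines()]
    return [r[1] for r in rows if len(r) >= 4 and r[2] == "ceph"
            and "ms_mode=secure" not in r[3].split(",")]
```

Calling audit_conf() on the text of a ceph.conf and audit_mounts() on the contents of /proc/mounts returns the findings as lists; an empty list means nothing was flagged.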