Hello,
You will want to do this over WireGuard tech from experience, IOPS will
be brutal, like 200 IOPS.
Wireguard has a few benefits but notably:
- Higher rate of transfer per CPU load.
- State of the the art protocols. As opposed to some of the more
legacy systems.
- Extremely fast re-connections, re-keys on IKE can be brutal.
Further fine tuning is possible too but i'm, not at that level of
knowledge. For flat files of several gigs you're going to get a decent
experience, but if you try to run VMs off this... you're in for a bad time.
Regards,
Adam
On 5/21/24 01:07, Malcolm Haak wrote:
Yeah, you really want to do this over a vpn.
Performance is going to be average at best. It would probably be
faster to re-export it as NFS/SMB and push that across the internet.
On Mon, May 20, 2024 at 11:37 PM Marc<Marc@xxxxxxxxxxxxxxxxx> wrote:
Hi all,
Due to so many reasons (political, heating problems, lack of space
aso.) we have to
plan for our ceph cluster to be hosted externaly.
The planned version to setup is reef.
Reading up on documentation we found that it was possible to run in
secure mode.
Our ceph.conf file will state both v1 and v2 addresses for mons:
mon host = [v2:4.3.2.1:3300/0,v1:4.3.2.1:6789/0]
[v2:4.3.2.2:3300/0,v1:4.3.2.2:6789/0]
[v2:4.3.2.3:3300/0,v1:4.3.2.3:6789/0]
Then changing the following configuration options to only secure:
ms_cluster_mode = secure
ms_service_mode = secure
ms_client_mode = secure
ms_mon_cluster_mode = secure
ms_mon_service_mode = secure
ms_mon_client_mode = secure
Then I remounted cephfs on the clients on our test cluster,
but still the fs would mount on ports 6789.
I thought that the above secure config change would "force"
the mount on port 3300 and v2.
Mounting with option ms_mode=secure, did the trick.
Is that the way cephfs is working that you explicit have to
specify secure mode? I thought that cephfs clients would
use the secure mode with these settings, but maybe I am wrong?
Of cause we also plan to limit the firewalls on servers so only
the specific subnet will be able to connect and mount cephfs.
From my understanding from the documenation this would be the
way to set this up with ceph exposed to internet.
Is there something that we are missing or something that would
make the setup more secure?
What about a tunnel, and have a local ip range route through it? I am not sure what happens if someone is brute forcing your monitors.
_______________________________________________
ceph-users mailing list --ceph-users@xxxxxxx
To unsubscribe send an email toceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list --ceph-users@xxxxxxx
To unsubscribe send an email toceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
