On 07/10/19 13:06 +0200, Jaan Vaks wrote:
Hi all,
I'm evaluating cephfs to serve our business as a file share that spans
across our 3 datacenters. One concern that I have is that when using cephfs
and OpenStack Manila, all guest VMs need access to the public
storage net. This to me feels like a security concern. One suggestion I've
seen is to put NFS gateways in between to prevent this, but I would
prefer not having to use NFS. Is there another way to solve this, or is this
of no concern to others, both the network and NFS? We are a small cloud
provider and having different customers exposed to each other on the same
storage net seems risky to me.
Regards
Jaan
If you put clients on a shared network they need to protect themselves
from one another (can use e.g. neutron security rules to disallow
ingress connections on that network) irrespective of whether the
network is CephFS or NFS.
The main *security* reason for CephFS backed deployments to use NFS
gateways is that CephFS relies much more on client side cooperation
(e.g. for quota enforcement) than NFS. In public clouds and even lots
of enterprise scale private clouds, administrators don't want to
expose critical Ceph resources directly to untrusted clients or rely
on uncontrolled client side software.
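
The reply's suggestion to disallow ingress on the shared network, as an added example that is not part of the original thread: a Python check over security group rules, using the Neutron API's rule field names, that reports every ingress rule a peer on the storage network could use. The storage CIDR, the group ID and the sample rules are constructed for illustration.

```python
import ipaddress

# Constructed values for this example (not from the thread).
STORAGE_CIDR = "10.50.0.0/24"  # assumed shared CephFS public/storage network

def rule(direction, proto, lo, hi, prefix=None, group=None):
    """Build a rule dict using the Neutron security-group-rule field names."""
    return {"direction": direction, "ethertype": "IPv4", "protocol": proto,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

# Constructed sample rule set for a guest port on the storage network.
SAMPLE_RULES = [
    rule("egress", "tcp", 3300, 3300, STORAGE_CIDR),      # Ceph MON, msgr2 default
    rule("egress", "tcp", 6789, 6789, STORAGE_CIDR),      # Ceph MON, msgr1 default
    rule("egress", "tcp", 6800, 7300, STORAGE_CIDR),      # Ceph OSD/MDS default range
    rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),          # any source, storage net included
    rule("ingress", "icmp", None, None, "192.0.2.0/24"),  # source range outside storage net
    rule("ingress", "tcp", 445, 445, group="sg-storage-clients"),  # made-up group ID
]

def ingress_exposed_to(rules, cidr):
    """Return the ingress rules that admit traffic from hosts inside `cidr`."""
    net = ipaddress.ip_network(cidr)
    exposed = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        prefix = r.get("remote_ip_prefix")
        if r.get("remote_group_id"):
            # Group-based rule: members of that group may be other tenants'
            # guests on the same network, so report it for review.
            exposed.append(r)
        elif prefix is None:
            exposed.append(r)  # no remote restriction means any source
        else:
            remote = ipaddress.ip_network(prefix, strict=False)
            if remote.version == net.version and remote.overlaps(net):
                exposed.append(r)
    return exposed

if __name__ == "__main__":
    for r in ingress_exposed_to(SAMPLE_RULES, STORAGE_CIDR):
        src = r["remote_group_id"] or r["remote_ip_prefix"] or "any"
        print(f"ingress {r['protocol']} port {r['port_range_min']} from {src}")
```

An empty result means the port accepts no connections initiated by neighbours on the storage network while the egress rules still let the guest reach the Ceph daemons.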