On Mar 5, 2010, at 4:02 AM, Brett Cave wrote:

> On Fri, Mar 5, 2010 at 12:42 PM, Rudi Ahlers <[email protected]> wrote:
> 
> > What kind of security do you apply, both to the NFS cluster, and the data 
> > that get accessed on it?
> 
> heya rudi, never realised u were on this list too ;)
> 
> the exports are controlled by source IP address in /etc/exports. The data on 
> there is not sensitive data at all in our environment, and GFS is all server 
> environment, with no user access...  but I just tested using ACLs and it 
> works 100% (added the acl option to gfs mount, and configured using setfacl). 
> We are using LDAP network authentication, so works nicely with group 
> permissions ;)
> 
> (although we do have 1 LUKS volume image on the gfs filesystem that is 
> mounted by one of the phy machines using a keyfile stored locally).
> 

A good solution for security is to define the clustered NFS service on a 
"private" non-routed network and give the VMs a new interface in that network. 
Then the NFS won't even be visible outside the cluster. Also keeps that traffic 
off your physical networks.
--
Linux-cluster mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-cluster
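
The thread combines two controls: source-IP restrictions in /etc/exports and a private, non-routed network for the NFS service. The following added example (not code from either poster) audits an exports file for client entries that reach beyond a given cluster network; the sample file, its paths, and the 10.10.0.0/24 network are constructed assumptions, and quoted paths containing spaces are not handled.

```python
import ipaddress

# Constructed sample /etc/exports content; paths and addresses are made up.
SAMPLE_EXPORTS = """\
# shared GFS data
/mnt/gfs/data  10.10.0.0/24(rw,sync) 10.10.0.50(ro)
/mnt/gfs/pub   *(ro,sync)
/mnt/gfs/logs  192.168.5.0/255.255.255.0(rw) 203.0.113.7(rw)
/mnt/gfs/tmp   (rw)
/mnt/gfs/apps  @webservers(ro) *.example.internal(ro)
"""

def classify(client, allowed_net):
    """Return None if the client spec lies inside allowed_net, else a reason."""
    if client in ("", "*"):
        return "any host"
    if client.startswith("@"):
        return "netgroup: check membership separately"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname or wildcard: depends on name resolution"
    if net.version != allowed_net.version or not net.subnet_of(allowed_net):
        return "outside " + str(allowed_net)
    return None

def audit(exports_text, allowed):
    """List (path, client, reason) for entries not confined to `allowed`."""
    allowed_net = ipaddress.ip_network(allowed)
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in exports_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        # Entries starting with "-" are default options, not clients.
        entries = [e for e in entries if not e.startswith("-")]
        for entry in entries or [""]:  # no client listed means any host
            client = entry.split("(", 1)[0]
            reason = classify(client, allowed_net)
            if reason:
                findings.append((path, client or "<any>", reason))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit(SAMPLE_EXPORTS, "10.10.0.0/24"):
        print(f"{path}: {client}: {reason}")
```

Hostname and netgroup entries are reported rather than resolved, since what they match depends on DNS and directory state at mount time.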