On Wed, Mar 12, 2014 at 11:05:34AM +0100, Jiri Belka wrote:
> On Tue, 11 Mar 2014 10:23:19 -0700
> Prakash Surya <surya1(a)llnl.gov> wrote:
> > Hi,
> >
> > All the documentation I've seen states that the oVirt NFS storage should
> > use the "all_squash,anonuid=36,anongid=36" options. Obviously this isn't
> > secure, so I'm curious how others have locked down their NFS storage? Is
> > the best option to just limit access to these NFS exports to the IP
> > addresses of the hypervisor nodes (and maybe the engine)? Is there a
> > better way to go about this?
>
> Run VLANs and have some active monitoring for physical ports up|down
> states etc... If you cannot control your environment then ask yourself
> if you trust your infrastructure provider at all.
>
> You can run kerberized NFS etc... but what about Kerberos security? The
> beginning is trust towards your infrastructure.
>
> j.

It's not that I don't trust my infrastructure, because I do; I'd just
like to restrict access as much as possible. All of our users are
"trusted", and if a malicious user did get onto our LAN we have bigger
issues to worry about; but still, limiting the storage to *only* oVirt
would be better than not.

Can I use Kerberos with oVirt? That's what we currently use for other
exports, but I assumed that would not work because of the "all_squash"
and "anon" options needed.

--
Cheers, Prakash
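The question above is whether an oVirt export that carries "all_squash,anonuid=36,anongid=36" should at least be limited to the hypervisor and engine addresses. The following is an added example, not code from the thread or from the oVirt project: a small exports(5) parser that flags entries exported to every client ("*", a bare "(opts)" with no host, or a wildcard hostname) and, for the paths you name as oVirt storage domains, entries that lack the documented squash options. The paths, hostnames and addresses in the embedded sample exports file are constructed for the example; the one real behaviour it relies on is that exportfs treats a client spec with no host as applying to all hosts.

```python
"""Audit /etc/exports-style entries used for oVirt storage domains.

Added example (not from the oVirt project). It checks the two points
raised in the thread: that an oVirt storage export carries the options the
documentation asks for (all_squash,anonuid=36,anongid=36) and that the
client list is a specific host, subnet or netgroup instead of "*".
"""
import re
from dataclasses import dataclass

# Options oVirt documentation requires on its NFS storage exports.
OVIRT_REQUIRED = {"all_squash", "anonuid=36", "anongid=36"}

# Constructed sample exports file (hypothetical paths and addresses).
# Line 1: the usual "just works" export, open to every NFS client.
# Line 2: the same options, limited to two hypervisors.
# Line 3: the same options, limited to the hypervisor subnet.
# Line 4: an unrelated export using a hostname wildcard.
SAMPLE_EXPORTS = """\
/srv/ovirt/data   *(rw,sync,all_squash,anonuid=36,anongid=36)
/srv/ovirt/iso    10.0.5.11(rw,sync,all_squash,anonuid=36,anongid=36) 10.0.5.12(rw,sync,all_squash,anonuid=36,anongid=36)
/srv/ovirt/export 10.0.5.0/24(rw,sync,all_squash,anonuid=36,anongid=36)
/srv/scratch      *.lab.example(rw,sync)   # not an oVirt domain
"""

SAMPLE_OVIRT_PATHS = {"/srv/ovirt/data", "/srv/ovirt/iso", "/srv/ovirt/export"}


@dataclass
class Export:
    path: str
    clients: list  # list of (client_spec, set_of_options)


def parse_exports(text):
    """Parse exports(5) lines of the form '/path client1(opts) client2(opts)'.

    A spec written as '(opts)' with no host is what exportfs warns about and
    exports to every host, so it is normalised to '*'.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if m is None:
                raise ValueError("unparseable client spec: %r" % spec)
            host = m.group(1) or "*"
            opts = set(o for o in (m.group(2) or "").split(",") if o)
            clients.append((host, opts))
        exports.append(Export(path, clients))
    return exports


def is_wide_open(host):
    """True for '*' and for hostname wildcards; IPs, CIDRs and @netgroups are specific."""
    return host == "*" or "*" in host or "?" in host


def audit(text, ovirt_paths):
    """Return (path, client, problem) tuples for the exports in `text`.

    Every export is checked for a world-open client spec; only the paths in
    `ovirt_paths` are additionally checked for the oVirt squash options.
    """
    findings = []
    for exp in parse_exports(text):
        for host, opts in exp.clients:
            if exp.path in ovirt_paths:
                missing = OVIRT_REQUIRED - opts
                if missing:
                    findings.append((exp.path, host,
                                     "missing " + ",".join(sorted(missing))))
            if is_wide_open(host):
                findings.append((exp.path, host,
                                 "exported to every client; restrict to the "
                                 "hypervisor and engine addresses"))
    return findings


if __name__ == "__main__":
    for path, host, problem in audit(SAMPLE_EXPORTS, SAMPLE_OVIRT_PATHS):
        print("%-18s %-16s %s" % (path, host, problem))
```

Run against the sample, it reports the world-open data domain and the wildcard scratch export and is silent about the two host-restricted domains; point it at a real /etc/exports (or the output of `exportfs -v`) to review an existing server. Restricting by address only protects against clients that cannot spoof or sit on the storage segment, which is why the reply above pairs it with a dedicated VLAN.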