Right, and agreed. We've migrated to using kerberos authentication and NFS4 for most of our NFS mounts, but since oVirt requires the all_squash and *ID of 36, that won't work. Honestly, our LAN is fairly well protected and our users are more or less "trusted", so I don't think it's _that_ big of a deal; but restricting access as much as possible is better than nothing. Do you have any suggestions? I'll admit, NFS security definitely isn't one of my strong suits. Restricting the to specific IPs, was just the best and easiest thing I thought of, keeping the insecure export options in mind. -- Cheers, Prakash On Wed, Mar 12, 2014 at 08:16:34AM +0000, Sven Kieske wrote:
Hi,
just a quick reminder:
unless you got strong network authentication and absolute control over the LAN it's a bad advice to trust some random IP address.
In today's networking world I would advice to not trust any LAN resource without strong authentication mechanisms.
Am 11.03.2014 18:23, schrieb Prakash Surya:
Is the best option to just limit access to these NFS exports to the IP addresses of the hypervisor nodes (and maybe the engine)?
-- Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users