[Users] Best practice for securing oVirt's NFS mounts

Jiri Belka jbelka at redhat.com
Wed Mar 12 10:05:34 UTC 2014


On Tue, 11 Mar 2014 10:23:19 -0700
Prakash Surya <surya1 at llnl.gov> wrote:

> Hi,
> 
> All the documentation I've seen states that the oVirt NFS storage should
> use the "all_squash,anonuid=36,anongid=36" options. Obviously this isn't
> secure, so I'm curious how others have locked down their NFS storage? Is
> the best option to just limit access to these NFS exports to the IP
> addresses of the hypervisor nodes (and maybe the engine)? Is there a
> better way to go about this?

Run VLANs and have some active monitoring for physical ports up|down
states etc... If you cannot control your environment then ask yourself
if you trust your infrastructure provider at all.

You can run kerberized NFS etc... but what about Kerberos security? The
beginning is trust towards your infrastructure.

j.
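
As an added example that is not part of the original thread: one way to check the idea raised in the question, that exports using "all_squash,anonuid=36,anongid=36" are limited to the hypervisor addresses, is to audit the exports file against an allow list. The sample exports content, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample /etc/exports content; paths and addresses are placeholders.
SAMPLE_EXPORTS = """\
/exports/data   *(rw,all_squash,anonuid=36,anongid=36)
/exports/iso    192.0.2.11(rw,all_squash,anonuid=36,anongid=36) 192.0.2.12(rw,all_squash,anonuid=36,anongid=36)
/exports/export 192.0.2.0/24(rw,all_squash,anonuid=36,anongid=36) (ro)  # options-only entry matches every client
"""
ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")  # client, then optional (options)

def parse_exports(text):
    """Yield (path, client, options) for every client entry in exports(5) text."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for token in tokens or [""]:  # a path with no client list is exported to everyone
            m = ENTRY.fullmatch(token)
            client, raw = (m.group(1), m.group(2)) if m else (token, None)
            opts = set(raw.split(",")) if raw else set()
            yield path, client or "*", opts

def audit(text, allowed_hosts):
    """Return (path, client, reason, uses_all_squash) for entries wider than allowed_hosts."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for path, client, opts in parse_exports(text):
        try:
            net = ipaddress.ip_network(client, strict=False)
        except ValueError:
            net = None  # wildcard, hostname, netgroup or malformed token
        if any(c in client for c in "*?["):
            reason = "wildcard client"
        elif net is None:
            reason = "hostname or netgroup, resolve and check by hand"
        elif net.num_addresses > 1:
            reason = "network wider than the allow list"
        elif net.network_address not in allowed:
            reason = "host not on the allow list"
        else:
            continue
        findings.append((path, client, reason, "all_squash" in opts))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, ["192.0.2.11", "192.0.2.12"]):
        print(finding)
```

An address allow list only narrows who can mount; it does not authenticate the client, which is the trust question the reply above turns on.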


