[Users] Best practice for securing oVirt's NFS mounts

Prakash Surya surya1 at llnl.gov
Wed Mar 12 17:32:10 UTC 2014


Right, and agreed. We've migrated to using kerberos authentication and
NFS4 for most of our NFS mounts, but since oVirt requires the all_squash
and *ID of 36, that won't work.

Honestly, our LAN is fairly well protected and our users are more or
less "trusted", so I don't think it's _that_ big of a deal; but
restricting access as much as possible is better than nothing.

Do you have any suggestions? I'll admit, NFS security definitely isn't
one of my strong suits. Restricting them to specific IPs was just the
best and easiest thing I thought of, keeping the insecure export options
in mind.

-- 
Cheers, Prakash

On Wed, Mar 12, 2014 at 08:16:34AM +0000, Sven Kieske wrote:
> Hi,
> 
> just a quick reminder:
> 
> unless you got strong network authentication and absolute
> control over the LAN it's bad advice to trust some random
> IP address.
> 
> In today's networking world I would advise to not
> trust any LAN resource without strong authentication mechanisms.
> 
> On 11.03.2014 18:23, Prakash Surya wrote:
> > Is
> > the best option to just limit access to these NFS exports to the IP
> > addresses of the hypervisor nodes (and maybe the engine)?
> 
> -- 
> Kind regards
> 
> Sven Kieske
> 
> System Administrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Managing Director: Robert Meyer
> Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen District Court
> General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen District Court
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
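
An added example, not part of either message: a small audit of `/etc/exports` content that flags entries wider than the per-host allowlist discussed above, or lacking the squash settings oVirt needs. It assumes "*ID of 36" means the `anonuid=36`/`anongid=36` export options; the paths and addresses are constructed. It checks export scope only, so the client address itself is still unauthenticated, which is the concern raised in the quoted reply.

```python
import ipaddress

# Constructed sample /etc/exports content (paths and addresses are made up).
SAMPLE_EXPORTS = """\
# oVirt storage domains
/exports/data   192.0.2.11(rw,all_squash,anonuid=36,anongid=36) 192.0.2.12(rw,all_squash,anonuid=36,anongid=36)
/exports/iso    *(rw,all_squash,anonuid=36,anongid=36)
/exports/export 192.0.2.0/24(rw,all_squash,anonuid=36,anongid=36)
/exports/old    192.0.2.11(rw,no_root_squash)
"""

# Assumption: these three options are what "all_squash and *ID of 36" refers to.
REQUIRED_OPTS = {"all_squash", "anonuid=36", "anongid=36"}


def audit_exports(text, allowed_hosts):
    """Return (path, client, problem) tuples for export entries that are
    wider than the single-host allowlist or lack the required squash options."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            # "host(opts)"; a bare "(opts)" token has an empty client,
            # which exports(5) treats as "any host".
            client, _, rest = spec.partition("(")
            opts = set(rest.rstrip(")").split(",")) if rest else set()
            try:
                addr = ipaddress.ip_address(client)
            except ValueError:
                # Wildcards, subnets, netgroups and hostnames all land here.
                findings.append((path, client, "client is not a single IP address"))
            else:
                if addr not in allowed:
                    findings.append((path, client, "IP is not in the allowlist"))
            missing = REQUIRED_OPTS - opts
            if missing:
                findings.append((path, client, "missing " + ",".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS, ["192.0.2.11", "192.0.2.12"]):
        print(*finding, sep="\t")
```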
