[Users] Best practice for securing oVirt's NFS mounts
Prakash Surya
surya1 at llnl.gov
Wed Mar 12 17:37:21 UTC 2014
On Wed, Mar 12, 2014 at 11:05:34AM +0100, Jiri Belka wrote:
> On Tue, 11 Mar 2014 10:23:19 -0700
> Prakash Surya <surya1 at llnl.gov> wrote:
>
> > Hi,
> >
> > All the documentation I've seen states that the oVirt NFS storage should
> > use the "all_squash,anonuid=36,anongid=36" options. Obviously this isn't
> > secure, so I'm curious how others have locked down their NFS storage? Is
> > the best option to just limit access to these NFS exports to the IP
> > addresses of the hypervisor nodes (and maybe the engine)? Is there a
> > better way to go about this?
>
> Run vlans and have some active monitoring for physical ports up|down
> states etc... If you cannot control your environment then ask yourself
> if you trust your infrastructure provider at all.
>
> You can run kerberized NFS etc... but what about kerberos security? The
> beginning is trust towards your infrastructure.
It's not that I don't trust my infrastructure, because I do, I'd just
like to restrict access as much as possible. All of our users are
"trusted", and if a malicious user did get onto our LAN we have bigger
issues to worry about; but still, limiting the storage to *only* oVirt
would be better than not.

Can I use kerberos with oVirt? That's what we currently use for other
exports, but I assumed that would not work because of the "all_squash"
and "anon" options needed.
--
Cheers, Prakash
>
> j.
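
An added example, not part of the original thread: a small Python check for the IP-restriction approach asked about above. It reads /etc/exports text and reports every all_squash export reachable by anything other than the listed hypervisor addresses. The sample exports, paths, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample /etc/exports; paths and addresses are illustrative only.
SAMPLE_EXPORTS = """\
# oVirt storage domains, using the squash options quoted in the thread
/exports/data   *(rw,all_squash,anonuid=36,anongid=36)
/exports/iso    192.0.2.0/24(rw,all_squash,anonuid=36,anongid=36)
/exports/export 192.0.2.11(rw,all_squash,anonuid=36,anongid=36) 192.0.2.12(rw,all_squash,anonuid=36,anongid=36)
/exports/home   198.51.100.7(rw,root_squash)
"""

# One exports entry: optional client spec followed by optional "(options)".
ENTRY = re.compile(r"([^()]*)(?:\(([^()]*)\))?")


def classify(client, allowed):
    """Return why this client spec is too broad, or None if it is acceptable."""
    if client in ("", "*"):
        return "exported to every host"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname, wildcard or netgroup: resolve and review by hand"
    if net.num_addresses > 1:
        return "whole network, not individual hypervisors"
    if net.network_address not in allowed:
        return "address is not a listed hypervisor"
    return None


def audit_exports(text, hypervisors):
    """Return (path, client, reason) for each over-broad all_squash export."""
    allowed = {ipaddress.ip_address(h) for h in hypervisors}
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            match = ENTRY.fullmatch(entry)
            if not match:
                continue
            client, opts = match.group(1), (match.group(2) or "").split(",")
            if "all_squash" not in opts:
                continue  # only exports mapping every user to the anonymous uid/gid
            reason = classify(client, allowed)
            if reason:
                findings.append((path, client or "*", reason))
    return findings
```

A bare "(options)" entry with no client in front of it, which is what a stray space between host and options produces, is treated as an export to every host.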