[Users] Best practice for securing oVirt's NFS mounts

Prakash Surya surya1 at llnl.gov
Wed Mar 12 17:37:21 UTC 2014


On Wed, Mar 12, 2014 at 11:05:34AM +0100, Jiri Belka wrote:
> On Tue, 11 Mar 2014 10:23:19 -0700
> Prakash Surya <surya1 at llnl.gov> wrote:
> 
> > Hi,
> > 
> > All the documentation I've seen states that the oVirt NFS storage should
> > use the "all_squash,anonuid=36,anongid=36" options. Obviously this isn't
> > secure, so I'm curious how others have locked down their NFS storage? Is
> > the best option to just limit access to these NFS exports to the IP
> > addresses of the hypervisor nodes (and maybe the engine)? Is there a
> > better way to go about this?
> 
> Run VLANs and have some active monitoring for physical ports up|down
> states etc... If you cannot control your environment then ask yourself
> if you trust your infrastructure provider at all.
> 
> You can run kerberized NFS etc... but what about Kerberos security? The
> beginning is trust towards your infrastructure.

It's not that I don't trust my infrastructure, because I do, I'd just
like to restrict access as much as possible. All of our users are
"trusted", and if a malicious user did get onto our LAN we have bigger
issues to worry about; but still, limiting the storage to *only* oVirt
would be better than not.

Can I use Kerberos with oVirt? That's what we currently use for other
exports, but I assumed that would not work because of the "all_squash"
and "anon" options needed.

-- 
Cheers, Prakash

> 
> j.
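
Added example, not part of the original thread: one way to check an NFS server for the restriction raised in the question above, namely that exports carrying "all_squash" are limited to the hypervisor node addresses. The export paths, the addresses and the HYPERVISORS set are constructed placeholders, and only the plain "path client(options)" form of /etc/exports is parsed.

```python
import ipaddress

# Constructed sample of /etc/exports; paths and addresses are placeholders.
SAMPLE_EXPORTS = """\
/exports/ovirt-data   *(rw,all_squash,anonuid=36,anongid=36)
/exports/ovirt-iso    192.0.2.11(rw,all_squash,anonuid=36,anongid=36) 192.0.2.12(rw,all_squash,anonuid=36,anongid=36)
/exports/ovirt-export 192.0.2.0/24(rw,all_squash,anonuid=36,anongid=36)
/exports/ovirt-old    192.0.2.99(rw,all_squash,anonuid=36,anongid=36)  # retired node
"""
HYPERVISORS = {"192.0.2.11", "192.0.2.12"}  # assumed hypervisor node addresses

def parse_exports(text):
    """Yield (path, client, options) for every client entry of every export."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries or [""]:
            client, _, opts = entry.partition("(")
            yield path, client, set(filter(None, opts.rstrip(")").split(",")))

def classify(client, allowed):
    """Return why a client spec is broader than the node list, or None if fine."""
    if client in ("", "*"):
        return "any host"
    if client in allowed:
        return None
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname, wildcard or netgroup: not pinned to a node address"
    if net.num_addresses > 1:
        return f"whole network ({net.num_addresses} addresses)"
    return "host not in node list"

def audit(text, allowed):
    """List (path, client, reason) for all_squash exports reachable beyond the nodes."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "all_squash" not in opts:
            continue  # only the squashed exports discussed in the thread
        reason = classify(client, allowed)
        if reason:
            findings.append((path, client or "(none)", reason))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit(SAMPLE_EXPORTS, HYPERVISORS):
        print(f"{path}: {client} -> {reason}")
```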


