[openstack-dev] [Manila] Ceph native driver for manila
Danny Al-Gaaf
danny.al-gaaf at bisect.de
Tue Mar 3 23:40:47 UTC 2015
On 03.03.2015 at 19:31, Deepak Shetty wrote:
[...]
>> For us security is very critical, as the performance is too. The
>> first solution via ganesha is not what we prefer (to use CephFS
>> via p9 and NFS would not perform that well I guess). The second
>> solution, to use CephFS directly to the VM would be a bad
>> solution from the security point of view since we can't expose
>> the Ceph public network directly to the VMs to prevent all the
>> security issues we discussed already.
>>
>
> Is there any place the security issues are captured for the case
> where VMs access CephFS directly?
No, there isn't any place, and this is the issue for us.
> I was curious to understand. IIUC Neutron provides private and
> public networks and for VMs to access external CephFS network, the
> tenant private network needs to be bridged/routed to the external
> provider network and there are ways neutron achieves it.
>
> Are you saying that this approach of neutron is insecure?
I don't say neutron itself is insecure.
The problem is: we don't want any VM to get access to the ceph public
network at all since this would mean access to all MON, OSDs and MDS
daemons.
If a tenant VM has access to the ceph public net, which is needed to
use/mount native cephfs in this VM, one critical issue would be: the
client can attack any ceph component via this network. Maybe I missed
something, but routing doesn't change this fact.
Danny