[openstack-dev] [Manila] Ceph native driver for manila
Deepak Shetty
dpkshetty at gmail.com
Wed Mar 4 04:19:26 UTC 2015
On Wed, Mar 4, 2015 at 5:10 AM, Danny Al-Gaaf <danny.al-gaaf at bisect.de>
wrote:
> Am 03.03.2015 um 19:31 schrieb Deepak Shetty:
> [...]
> >> For us security is very critical, as the performance is too. The
> >> first solution via ganesha is not what we prefer (to use CephFS
> >> via p9 and NFS would not perform that well I guess). The second
> >> solution, to use CephFS directly to the VM would be a bad
> >> solution from the security point of view since we can't expose
> >> the Ceph public network directly to the VMs to prevent all the
> >> security issues we discussed already.
> >>
> >
> > Is there any place the security issues are captured for the case
> > where VMs access CephFS directly ?
>
> No there isn't any place and this is the issue for us.
>
> > I was curious to understand. IIUC Neutron provides private and
> > public networks and for VMs to access external CephFS network, the
> > tenant private network needs to be bridged/routed to the external
> > provider network and there are ways neturon achives it.
> >
> > Are you saying that this approach of neutron is insecure ?
>
> I don't say neutron itself is insecure.
>
> The problem is: we don't want any VM to get access to the ceph public
> network at all since this would mean access to all MON, OSDs and MDS
> daemons.
>
> If a tenant VM has access to the ceph public net, which is needed to
> use/mount native cephfs in this VM, one critical issue would be: the
> client can attack any ceph component via this network. Maybe I misses
> something, but routing doesn't change this fact.
>
Agree, but there are ways you can restrict the tenant VMs to specific
network ports
only using neutron security groups and limit what tenant VM can do. On the
CephFS side one can use selinux labels to provide addnl level of security
for
Ceph daemons, where in only certain process can access/modify them, I am
just thinking aloud here, i m not sure how well cephfs works with selinux
combined.
Thinking more, it seems like then you need a solution that goes via the
serviceVM
approach but provide native CephFS mounts instead of NFS ?
thanx,
deepak
>
> Danny
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150304/5b0a1f82/attachment.html>
More information about the OpenStack-dev
mailing list