On Wed, Mar 4, 2015 at 5:10 AM, Danny Al-Gaaf wrote:
> On 03.03.2015 at 19:31, Deepak Shetty wrote:
> [...]
> >> For us security is very critical, as the performance is too. The
> >> first solution via ganesha is not what we prefer (to use CephFS
> >> via p9 and NFS would not perform that well I guess). The second
> >> solution, to use CephFS directly to the VM would be a bad
> >> solution from the security point of view since we can't expose
> >> the Ceph public network directly to the VMs to prevent all the
> >> security issues we discussed already.
> >>
> >
> > Is there any place the security issues are captured for the case
> > where VMs access CephFS directly?
>
> No there isn't any place and this is the issue for us.
>
> > I was curious to understand. IIUC Neutron provides private and
> > public networks and for VMs to access external CephFS network, the
> > tenant private network needs to be bridged/routed to the external
> > provider network and there are ways neutron achieves it.
> >
> > Are you saying that this approach of neutron is insecure?
>
> I don't say neutron itself is insecure.
>
> The problem is: we don't want any VM to get access to the ceph public
> network at all since this would mean access to all MON, OSDs and MDS
> daemons.
>
> If a tenant VM has access to the ceph public net, which is needed to
> use/mount native cephfs in this VM, one critical issue would be: the
> client can attack any ceph component via this network. Maybe I miss
> something, but routing doesn't change this fact.
>

Agree, but there are ways you can restrict the tenant VMs to specific network ports only using neutron security groups and limit what the tenant VM can do. On the CephFS side one can use SELinux labels to provide an additional level of security for Ceph daemons, wherein only certain processes can access/modify them. I am just thinking aloud here; I'm not sure how well CephFS works with SELinux combined.

Thinking more, it seems like then you need a solution that goes via the serviceVM approach but provides native CephFS mounts instead of NFS?

thanx,
deepak

> Danny
>
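The port-restricting security group Deepak proposes above, as an added example that is not code from this thread: a small Python model of a default-deny egress policy admitting only the Ceph service ports, evaluated against constructed tenant-VM flows. The Ceph public network CIDR, the flow list and the 2015-era `neutron` CLI syntax are assumptions; the port numbers are Ceph's documented defaults.

```python
"""Model a Neutron egress security group that admits only Ceph ports.

Added example, not code from the mailing-list thread. The CIDR and the
sample flows are constructed; MON 6789 and the 6800-7300 range that OSD
and MDS daemons bind to are Ceph's default listening ports.
"""
import ipaddress

CEPH_PUBLIC_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed CIDR
CEPH_PORT_RANGES = [(6789, 6789), (6800, 7300)]           # MON, OSD/MDS


def egress_allowed(dst_ip, dst_port, proto="tcp"):
    """True if a default-deny egress policy carrying only the Ceph rules
    above would pass a flow from a tenant VM to dst_ip:dst_port."""
    if proto != "tcp":
        return False
    if ipaddress.ip_address(dst_ip) not in CEPH_PUBLIC_NET:
        return False
    return any(lo <= dst_port <= hi for lo, hi in CEPH_PORT_RANGES)


def neutron_rule_cmds(sg="cephfs-clients"):
    """The equivalent rules as neutron CLI invocations (assumed syntax of
    the 2015-era client; sg is a hypothetical security-group name)."""
    return [
        f"neutron security-group-rule-create --direction egress "
        f"--protocol tcp --port-range-min {lo} --port-range-max {hi} "
        f"--remote-ip-prefix {CEPH_PUBLIC_NET} {sg}"
        for lo, hi in CEPH_PORT_RANGES
    ]


# Constructed sample flows originating from a tenant VM.
FLOWS = [
    ("10.10.0.5", 6789, "tcp"),   # MON
    ("10.10.0.7", 6801, "tcp"),   # OSD
    ("10.10.0.9", 6805, "tcp"),   # MDS
    ("10.10.0.7", 22, "tcp"),     # SSH to an OSD host
    ("10.20.0.3", 6789, "tcp"),   # MON port on a different network
]


def evaluate(flows=FLOWS):
    """Map each (ip, port) to whether the policy lets it through."""
    return {(ip, port): egress_allowed(ip, port, proto)
            for ip, port, proto in flows}
```

The result shows what the filter buys and what it does not: host-level services like SSH and unrelated networks are cut off, but every MON, OSD and MDS daemon stays reachable, which is exactly the exposure Danny describes.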