On Mon, Aug 21, 2017 at 3:03 PM, Bryan Banister <[email protected]> wrote:
> Thanks for the response John.
>
> Maybe I'm not understanding this correctly, but I thought clients could be
> restricted to specific file systems by limiting access to the underlying ceph
> pools used in each file system?
>
> client.cephfs.test1
>     key: AQDuQpdZp90MHhAAkYE6P5XYzsoswgEkZy6RLw==
>     caps: [mds] allow
>     caps: [mon] allow r
>     caps: [osd] allow rw pool cephfs01_data
>
> client.cephfs.test2
>     key: AQDuQpdZp90MHhAAkYE6P5XYzsoswgEkZy6RLw==
>     caps: [mds] allow
>     caps: [mon] allow r
>     caps: [osd] allow rw pool cephfs02_data
>
> Would these two client keys which only have access to specific data pools
> restrict their access?
>
> Or I guess with mds allow on both, then they could mount the file system but
> only reading/writing the data in the file systems would be restricted?

Correct, although critically even if a client doesn't have pool caps,
it can still send *deletes* to the MDS and thereby attack the data.

In the long run the caps should be improved so that we are always
giving a client access to a specific filesystem, so that these sorts
of fine lines just go away.

John

>
> Thanks!
> -Bryan
>
> -----Original Message-----
> From: John Spray [mailto:[email protected]]
> Sent: Monday, August 21, 2017 8:48 AM
> To: Bryan Banister <[email protected]>
> Cc: [email protected]
> Subject: Re: [ceph-users] Any experience with multiple cephfs instances in
> one ceph cluster? How experimental is this?
>
> Note: External Email
> -------------------------------------------------
>
> On Mon, Aug 21, 2017 at 2:35 PM, Bryan Banister
> <[email protected]> wrote:
>> Hi all,
>>
>> I’m very new to ceph and cephfs, so I’m just starting to play around with
>> the Luminous release. There are some very concerning warnings about
>> deploying multiple cephfs instances in the same cluster:
>>
>> “There are no known bugs, but any failures which do result from having
>> multiple active filesystems in your cluster will require manual intervention
>> and, so far, will not have been experienced by anybody else – knowledgeable
>> help will be extremely limited. You also probably do not have the security
>> or isolation guarantees you want or think you have upon doing so.”
>
> The sort of literal translation of this is:
> - the automated tests for systems with multiple filesystems are not
>   very comprehensive
> - a client that can access one filesystem can access all of them
>
> If you're adventurous enough to be running upstream Ceph packages, and
> you have at least some level of test/staging environment to try it in,
> then I'd not be too scared about trying it out.
>
>> And Redhat says:
>>
>> “Creating multiple Ceph File Systems in one cluster is not fully supported
>> yet and can cause the MDS or client nodes to terminate unexpectedly.”
>
> I don't know who wrote that text, but I do not believe that there are
> any known issues involving MDS or client nodes terminating
> unexpectedly.
>
> John
>
>>
>> Is anybody deploying multiple cephfs instances and have there been any
>> issues like the warnings indicate?
>>
>> Thanks!
>>
>> -Bryan
>>
>> ________________________________
>>
>> Note: This email is for the confidential use of the named addressee(s) only
>> and may contain proprietary, confidential or privileged information. If you
>> are not the intended recipient, you are hereby notified that any review,
>> dissemination or copying of this email is strictly prohibited, and to please
>> notify the sender immediately and destroy this email and any attachments.
>> Email transmission cannot be guaranteed to be secure or error-free. The
>> Company, therefore, does not make any guarantees as to the completeness or
>> accuracy of this email or any attachments. This email is for informational
>> purposes only and does not constitute a recommendation, offer, request or
>> solicitation of any kind to buy, sell, subscribe, redeem or perform any type
>> of transaction of a financial product.
>>
>> _______________________________________________
>> ceph-users mailing list
>> [email protected]
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
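
The mismatch discussed in this thread, OSD caps limited to one data pool next to a bare "mds allow", can be checked for mechanically. The Python below is an added example, not code from either poster or from the Ceph project; it parses a listing in the layout quoted above and flags such clients. The sample input is constructed: keys are placeholders, client.cephfs.test3 is hypothetical, and a path= clause is the only MDS restriction the check looks for.

```python
import re

# Constructed sample in the layout of the listing quoted in the thread.
# Keys are placeholders; client.cephfs.test3 is hypothetical.
SAMPLE = """\
client.cephfs.test1
    key: PLACEHOLDER-KEY-1
    caps: [mds] allow
    caps: [mon] allow r
    caps: [osd] allow rw pool cephfs01_data
client.cephfs.test2
    key: PLACEHOLDER-KEY-2
    caps: [mds] allow
    caps: [mon] allow r
    caps: [osd] allow rw pool cephfs02_data
client.cephfs.test3
    key: PLACEHOLDER-KEY-3
    caps: [mds] allow rw path=/test3
    caps: [mon] allow r
    caps: [osd] allow rw pool=cephfs01_data
"""

CAP_RE = re.compile(r"caps:\s*\[(\w+)\]\s*(.+)")
POOL_RE = re.compile(r"\bpool[ =](\S+)")   # accepts "pool NAME" and "pool=NAME"

def parse_auth(text):
    """Return {entity: {daemon: capability string}} from an auth listing."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        cap = CAP_RE.match(line)
        if cap and current is not None:
            entities[current][cap.group(1)] = cap.group(2).strip()
        elif line and ":" not in line:      # a bare line is an entity name
            current = line
            entities[current] = {}
    return entities

def audit(entities):
    """List (entity, pools) where OSD caps name pools but the MDS cap has no path."""
    findings = []
    for name, caps in sorted(entities.items()):
        pools = POOL_RE.findall(caps.get("osd", ""))
        mds = caps.get("mds", "")
        if pools and mds.startswith("allow") and "path=" not in mds:
            findings.append((name, pools))
    return findings

if __name__ == "__main__":
    for name, pools in audit(parse_auth(SAMPLE)):
        print(f"{name}: OSD caps limited to {pools}, MDS cap is unrestricted")
```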
