iSCSI targets are actually exposed on the *rack* controller, which may or may not be the same system as the region controller. So you could have your rack controllers screened off on the internal network - as long as they can still communicate with the region controller.

On Tue, 29 Nov 2016 at 14:46 Mark Shuttleworth <[email protected]> wrote:

> On 29/11/16 04:37, Jonas Wagner wrote:
> > I'd like to ask a question about how MAAS uses iSCSI. Apparently, the
> > MAAS region controller exposes iSCSI targets for supported Ubuntu
> > images. These are flagged as vulnerable by the Nessus scanner running
> > at our university.
> >
> > I've described this in more detail here:
> >
> > https://askubuntu.com/questions/847854/maas-disable-iscsi-or-require-authentication
> >
> > I would be curious as to how MAAS uses these iSCSI targets. Is it
> > possible to make them available to the internal network only (where
> > the MAAS-managed cluster is) rather than the region controller's
> > external interface? Would MAAS break if we close the corresponding
> > ports in our firewall?
>
> I believe these are currently read-only boot volumes for ephemeral (i.e.
> ramdisk) Ubuntu used for enlistment and commissioning, as well as the OS
> installer during deployment. They should only need to be accessed by
> machines being enlisted, commissioned and deployed, so yes, it should be
> fine (and sensible) to screen them off.
>
> Mark
>
>
> --
> Maas-devel mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/maas-devel
