Right, and agreed. We've migrated to using kerberos authentication and NFS4 for most of our NFS mounts, but since oVirt requires the all_squash and *ID of 36, that won't work.
Honestly, our LAN is fairly well protected and our users are more or less "trusted", so I don't think it's _that_ big of a deal; but restricting access as much as possible is better than nothing. Do you have any suggestions? I'll admit, NFS security definitely isn't one of my strong suits. Restricting the to specific IPs, was just the best and easiest thing I thought of, keeping the insecure export options in mind. -- Cheers, Prakash On Wed, Mar 12, 2014 at 08:16:34AM +0000, Sven Kieske wrote: > Hi, > > just a quick reminder: > > unless you got strong network authentication and absolute > control over the LAN it's a bad advice to trust some random > IP address. > > In today's networking world I would advice to not > trust any LAN resource without strong authentication mechanisms. > > Am 11.03.2014 18:23, schrieb Prakash Surya: > > Is > > the best option to just limit access to these NFS exports to the IP > > addresses of the hypervisor nodes (and maybe the engine)? > > -- > Mit freundlichen Grüßen / Regards > > Sven Kieske > > Systemadministrator > Mittwald CM Service GmbH & Co. KG > Königsberger Straße 6 > 32339 Espelkamp > T: +49-5772-293-100 > F: +49-5772-293-333 > https://www.mittwald.de > Geschäftsführer: Robert Meyer > St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen > Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users