On Wed, Mar 12, 2014 at 11:05:34AM +0100, Jiri Belka wrote:
> On Tue, 11 Mar 2014 10:23:19 -0700
> Prakash Surya <sur...@llnl.gov> wrote:
>
> > Hi,
> >
> > All the documentation I've seen states that the oVirt NFS storage should
> > use the "all_squash,anonuid=36,anongid=36" options. Obviously this isn't
> > secure, so I'm curious how others have locked down their NFS storage? Is
> > the best option to just limit access to these NFS exports to the IP
> > addresses of the hypervisor nodes (and maybe the engine)? Is there a
> > better way to go about this?
>
> Run vlans and have some active monitoring for physical ports up|down
> states etc... If you cannot control your environment then ask yourself
> if you trust your infrastructure provider at all.
>
> You can run kerberized NFS etc... but what about kerberos security? The
> beginning is trust towards your infrastructure.

It's not that I don't trust my infrastructure, because I do, I'd just
like to restrict access as much as possible. All of our users are
"trusted", and if a malicious user did get onto our LAN we have bigger
issues to worry about; but still, limiting the storage to *only* oVirt
would be better than not.

Can I use kerberos with oVirt? That's what we currently use for other
exports, but I assumed that would not work because of the "all_squash"
and "anon" options needed.

--
Cheers, Prakash

>
> j.
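
Added example, not part of the original thread: a small audit of /etc/exports-style text that reports every export using the "all_squash,anonuid=36,anongid=36" options discussed above unless it is limited to an allow-listed hypervisor IP address. The export paths, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample /etc/exports content (paths and addresses are made up).
SAMPLE_EXPORTS = """\
# open to any client
/exports/ovirt-open   *(rw,all_squash,anonuid=36,anongid=36)
# same squash options, but only two hypervisors may mount it
/exports/ovirt-data   192.0.2.11(rw,all_squash,anonuid=36,anongid=36) 192.0.2.12(rw,all_squash,anonuid=36,anongid=36)
# whole subnet allowed
/exports/ovirt-iso    192.0.2.0/24(rw,all_squash,anonuid=36,anongid=36)
"""

SQUASH_TO_36 = {"all_squash", "anonuid=36", "anongid=36"}


def is_literal_ip(client):
    """True only when the client spec is one literal IP address
    (wildcards, subnets, netgroups and hostnames all return False)."""
    try:
        ipaddress.ip_address(client)
        return True
    except ValueError:
        return False


def audit_exports(text, allowed_hosts):
    """Return (path, client, reason) for each squash-to-36 export entry
    that is reachable by anything other than an allow-listed IP address."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            client, _, opts = spec.partition("(")
            options = set(opts.rstrip(")").split(","))
            if not SQUASH_TO_36 <= options:
                continue  # not an oVirt-style squashed export entry
            if not is_literal_ip(client):
                findings.append((path, client or "*", "client is not a literal IP address"))
            elif client not in allowed_hosts:
                findings.append((path, client, "host not in allow-list"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS, {"192.0.2.11", "192.0.2.12"}):
        print(finding)
```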