Re: [xcat-user] [External] How to restrict xCAT's NFS shares?

[Song BJ Yang]

the 2 shared nfs entries will be added on xCAT installation or upgrading or `xcatconfig -i/-f`

 

these 2 nfs shared directories are only used in 2 scenarios:

1) NFS based statelite

2) hierarchy cluster when site.sharedtftp and site.sharedinstall

any missing scenario?

 

We got some complains on this to be a security issue, we are considering not to export these 2 directories by default, provide some command or step to export them only needed in any of scenarios above, any comment or suggestion?

 

thanks

------------------------------------------------------------------------------
YANG Song (杨嵩)
IBM China System Technology Laboratory
Tel: 86-10-82452903
Email: yang...@cn.ibm.com
Address: Building 28, ZhongGuanCun Software Park,
No.8, Dong Bei Wang West Road, Haidian District Beijing 100193, PRC

北京市海淀区东北旺西路8号中关村软件园28号楼
邮编: 100193

 

 

----- Original message -----
From: Kevin Keane <kke...@sandiego.edu>
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Cc:
Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?
Date: Thu, Nov 29, 2018 7:17 AM
 

Yes, you appear to be correct. I just, for testing, uninstalled all of xCAT. Then I manually removed the entries, and re-installed the xCAT RPMs. Lo and behold - it did in fact re-create the entries (but did not remove them when uninstalling xCAT).

 

Thanks for the help!

_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password.
These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

 

 

On Wed, Nov 28, 2018 at 2:51 PM Christian Caruthers <ccaruth...@lenovo.com> wrote:

I believe that is created when xCAT is installed. Not sure which RPM does it, though. Possible the main xCAT or xCAT-server package. I don’t see the file in any of the packages, so I’m guessing it’s created by a script.

 

Regards,

Christian Caruthers

Lenovo Professional Services

Mobile: 757-289-9872

 

From: Kevin Keane <kke...@sandiego.edu>
Sent: Wednesday, November 28, 2018 17:26
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] How to restrict xCAT's NFS shares?

 

My question is actually, how does the /etc/exports get generated, and how do I get xCAT to generate the exports file without the world-writable permissions?

 

Thanks,

_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password.
These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

 

 

 

On Wed, Nov 28, 2018 at 1:50 PM Christian Caruthers <ccaruth...@lenovo.com> wrote:

So long as the shares are available to your provisioning network, it should not break anything.

 

Regards,

Christian Caruthers

Lenovo Professional Services

Mobile: 757-289-9872

 

From: Kevin Keane <kke...@sandiego.edu>
Sent: Wednesday, November 28, 2018 16:37
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: [External] [xcat-user] How to restrict xCAT's NFS shares?

 

I noticed that xCAT shares /tftpboot and /install as world-writeable. Is there a way to restrict these NFS shares to only the networks within the cluster, without making them globally available?

 

Specifically, xCAT creates this /etc/exports file:

 

/tftpboot *(rw,no_root_squash,sync,no_subtree_check)
/install *(rw,no_root_squash,sync,no_subtree_check)

 

I would like it to instead create this:

 

/tftpboot 192.168.10.0/24(rw,no_root_squash,sync,no_subtree_check)

/tftpboot 192.168.11.0/24(rw,no_root_squash,sync,no_subtree_check)
/install 192.168.10.0/24(rw,no_root_squash,sync,no_subtree_check)

/install 192.168.11.0/24(rw,no_root_squash,sync,no_subtree_check)

 

(where 192.168.10.0 and 192.168.11.0 are two networks defined in the network table)

 

Is that doable?

 

Thanks!

_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password.
These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

 

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user

 

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user