Reputation: 169
Are there any concerns in regards to security when running a CEPH Cluster on the Internet?
I could not directly find anything which makes it not usable for this use case. I don't need low I/O response times, I am fine with it.
Thanks Guys.
Upvotes: 4
Views: 2757
Reputation: 169
I did end up with TincVPN, which is easy to set up and uses Public/Private keys, that connects all my Nodes.
But as I was told, that's not a good use case, but it works, so meh.
Upvotes: 1
Reputation: 91
While auth to the cluster daemons is handled by cephx, the traffic is NOT encrypted.
So yes, there is a security concern.
Upvotes: 2
Reputation: 4835
CEPH recommends that your cluster does not face the Internet.
"We recommend running a Ceph Storage Cluster with two networks: a public (front-side) network and a cluster (back-side) network."
They recommend having your cluster on the backend because of improved performance (which doesn't matter for your use case), but also security: having it on the backend helps combat DoS attacks.
"While most people are generally civil, a very tiny segment of the population likes to engage in what’s known as a Denial of Service (DoS) attack. When traffic between Ceph OSD Daemons gets disrupted, placement groups may no longer reflect an active + clean state, which may prevent users from reading and writing data. A great way to defeat this type of attack is to maintain a completely separate cluster network that doesn’t connect directly to the internet."
(Source)
Upvotes: 1
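The two-network layout and cephx points from the answers above can be checked mechanically. The following is an added example, not part of the original thread and not Ceph project code: it audits the `[global]` section of a `ceph.conf` for a separate cluster network and for cephx being switched off. The sample configs are constructed, 203.0.113.0/24 stands in for an Internet-routable range, and treating RFC 1918 addressing as "not directly connected to the Internet" is an assumption of this sketch.

```python
import configparser
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: OSD traffic shares one routable network, cluster auth off.
EXPOSED_CONF = """
[global]
public network = 203.0.113.0/24
cluster network = 203.0.113.0/24
auth cluster required = none
"""

# Constructed sample: separate front-side and back-side networks, cephx on.
SEPARATED_CONF = """
[global]
public_network = 10.10.0.0/24
cluster_network = 10.20.0.0/24
auth_cluster_required = cephx
"""

def audit_ceph_conf(text):
    """Return findings for the [global] section of a ceph.conf (IPv4 only)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    items = parser["global"].items() if parser.has_section("global") else []
    # Ceph accepts spaces or underscores in option names; normalise them.
    opts = {k.replace(" ", "_"): v.strip() for k, v in items}
    findings, nets = [], {}
    for name in ("public_network", "cluster_network"):
        if not opts.get(name):
            findings.append(f"{name} not set")
            continue
        nets[name] = [ipaddress.ip_network(n.strip(), strict=False)
                      for n in opts[name].split(",")]
    for net in nets.get("cluster_network", []):
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"cluster_network {net} is outside RFC 1918 private space")
    if len(nets) == 2 and any(a.overlaps(b) for a in nets["public_network"]
                              for b in nets["cluster_network"]):
        findings.append("cluster_network overlaps public_network")
    for name in ("auth_cluster_required", "auth_service_required", "auth_client_required"):
        # Unset means the Ceph default (cephx); flag only an explicit downgrade.
        if opts.get(name, "cephx") != "cephx":
            findings.append(f"{name} = {opts[name]} (cephx disabled)")
    return findings

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("separated", SEPARATED_CONF)):
        print(label, audit_ceph_conf(conf))
```

A clean result only says the config declares separate private networks with cephx enabled; whether the back-side network is actually unreachable from the Internet still has to be verified at the routing and firewall level.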