4

Are there any concerns in regards to security when running a CEPH Cluster on the Internet?

I could not directly find anything which makes it not usable for this use case. I don't need low I/O response times; I am fine with it.

Thanks Guys.

Noam Hacker
Neoon

3 Answers

2

While auth to the cluster daemons is handled by cephx, the traffic is NOT encrypted.

So yes, there is a security concern.

1

CEPH recommends that your cluster does not face the Internet.

We recommend running a Ceph Storage Cluster with two networks: a public (front-side) network and a cluster (back-side) network.

They recommend having your cluster on the backend because of improved performance (which doesn't matter for your use case), but also security: having it on the backend helps combat DoS attacks.

While most people are generally civil, a very tiny segment of the population likes to engage in what’s known as a Denial of Service (DoS) attack. When traffic between Ceph OSD Daemons gets disrupted, placement groups may no longer reflect an active + clean state, which may prevent users from reading and writing data. A great way to defeat this type of attack is to maintain a completely separate cluster network that doesn’t connect directly to the internet.

(Source)

Noam Hacker
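The two-network recommendation quoted in the answer above can be checked against a `ceph.conf` before a cluster goes live. This is an added example, not code from the thread or from the Ceph project; `audit_ceph_networks`, its `internet_facing` parameter and the sample addresses are constructed for illustration, while `public_network` and `cluster_network` are the Ceph options.

```python
import configparser
import ipaddress

def _networks(section, key):
    """Return the comma-separated CIDRs stored under `key`, or [] if unset."""
    # Ceph accepts both "public network" and "public_network"; normalise them.
    opts = {k.replace(" ", "_").replace("-", "_"): v for k, v in section.items()}
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in opts.get(key, "").split(",") if n.strip()]

def audit_ceph_networks(conf_text, internet_facing):
    """Check the [global] section against the two-network advice.

    internet_facing: CIDRs the operator knows are reachable from the Internet
    (an input assumed by this example, not a Ceph setting).
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    public = _networks(glob, "public_network")
    cluster = _networks(glob, "cluster_network")
    exposed = [ipaddress.ip_network(n, strict=False) for n in internet_facing]
    findings = []
    if not cluster:
        findings.append("no cluster_network: OSD traffic shares the public network")
    for c in cluster:
        if any(c.overlaps(p) for p in public):
            findings.append(f"cluster_network {c} overlaps public_network")
        if any(c.overlaps(e) for e in exposed):
            findings.append(f"cluster_network {c} is Internet-facing")
    return findings

# Constructed sample configurations (documentation and private address ranges).
FLAT = "[global]\npublic_network = 203.0.113.0/24\n"
SPLIT = "[global]\npublic network = 203.0.113.0/24\ncluster network = 10.10.0.0/24\n"
LEAKY = ("[global]\npublic_network = 203.0.113.0/24\n"
         "cluster_network = 203.0.113.128/25\n")

if __name__ == "__main__":
    for name, conf in (("flat", FLAT), ("split", SPLIT), ("leaky", LEAKY)):
        print(name, audit_ceph_networks(conf, ["203.0.113.0/24"]))
```
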
1

I did end up with TincVPN, which is easy to set up and uses public/private keys, and which connects all my nodes.

But as I got told, that's not a good use case, but it works, so meh.

Neoon