Ocfs2 users - Feb 2011 - howto achieve inter-node file permissions / workarounds

Greetings,
I would like to know if there is possibility to  deny / obscure access into
some directory within ocfs2 for specific nodes - or allow just specific
nodes.
I am using ocfs2 shared storage among Xen VM (because it's performance is
better than NFS with our hardware), but then root of each VM has absolute
access to the whole ocfs2 filesystem - which I would like to limit this at
least a little bit,
I know that the root of node has access to a raw block device so it cannot
be done down to all levels, but if the mounted filesystem would respect some
limits for a local root
that would be very fine for me.

Is this doable and if it is easy which utility/ command would allow that ?

If not, should a simple kernel module/patch limiting access to specific
UID/GIDs for all users including root do the trick ? (I am thinking that if
such module does not exist, I can get it made and then map node-specific
directories into these uid/gids , so they will be accessible only from a
single node , if that's viable ...)

Thanks for any hints or tips in advance

Regards
Petr Vacek
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://oss.oracle.com/pipermail/ocfs2-users/attachments/20110204/147e2d15/attachment.html

If you are sharing the block device that contains the OCFS2 filesystem 
with all VM's, and the end user you want to restrict can get root 
privileges in the VM (with or without your permission), then all bets 
are off.  They will have access to the entire device.

Thanks,
Herbert.


On 2/4/11 12:44 PM, Petr Vacek wrote:
> Greetings,
> I would like to know if there is possibility to  deny / obscure access
> into some directory within ocfs2 for specific nodes - or allow just
> specific nodes.
> I am using ocfs2 shared storage among Xen VM (because it's performance
> is better than NFS with our hardware), but then root of each VM has
> absolute access to the whole ocfs2 filesystem - which I would like to
> limit this at least a little bit,
> I know that the root of node has access to a raw block device so it
> cannot be done down to all levels, but if the mounted filesystem would
> respect some limits for a local root
> that would be very fine for me.
>
> Is this doable and if it is easy which utility/ command would allow that ?
>
> If not, should a simple kernel module/patch limiting access to specific
> UID/GIDs for all users including root do the trick ? (I am thinking that
> if such module does not exist, I can get it made and then map
> node-specific directories into these uid/gids , so they will be
> accessible only from a single node , if that's viable ...)
>
> Thanks for any hints or tips in advance
>
> Regards
> Petr Vacek
>
>
>
> _______________________________________________
> Ocfs2-users mailing list
> Ocfs2-users at oss.oracle.com
> http://oss.oracle.com/mailman/listinfo/ocfs2-users

Security in Linux is user based. Nodes (hostname) has no role to
play. If I understand you correctly, you want a user+hostname
based security. Probably hostname providing a default set of
permissions. I am not aware of any fs providing this. Do you have
an example that would better illustrate your point.

Remember that node based security does not make much sense
considering the basic idea behind clustering is to allow services
to be available across the cluster. As in, if a node dies, the service
is restarted on an available node. Shared disk clustered file systems
have been designed to operate in such an environment.

On 02/04/2011 12:44 PM, Petr Vacek wrote:
> Greetings,
> I would like to know if there is possibility to  deny / obscure access 
> into some directory within ocfs2 for specific nodes - or allow just 
> specific nodes.
> I am using ocfs2 shared storage among Xen VM (because it's performance 
> is better than NFS with our hardware), but then root of each VM has 
> absolute access to the whole ocfs2 filesystem - which I would like to 
> limit this at least a little bit,
> I know that the root of node has access to a raw block device so it 
> cannot be done down to all levels, but if the mounted filesystem would 
> respect some limits for a local root
> that would be very fine for me.
>
> Is this doable and if it is easy which utility/ command would allow 
> that ?
>
> If not, should a simple kernel module/patch limiting access to 
> specific UID/GIDs for all users including root do the trick ? (I am 
> thinking that if such module does not exist, I can get it made and 
> then map node-specific directories into these uid/gids , so they will 
> be accessible only from a single node , if that's viable ...)
>
> Thanks for any hints or tips in advance
>
> Regards
> Petr Vacek
>
>
> _______________________________________________
> Ocfs2-users mailing list
> Ocfs2-users at oss.oracle.com
> http://oss.oracle.com/mailman/listinfo/ocfs2-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://oss.oracle.com/pipermail/ocfs2-users/attachments/20110207/6be851bc/attachment.html