Brent A Nelson
2006-Aug-14 12:45 UTC
[Lustre-discuss] Questions regarding security, 1.5.9x
I am testing a handful of Lustre fileservers running 1.5.90, and I'd like to have multiple Lustre filesystems spread across them (every node would be an OSS for all the filesystems). However, I'd like to setup a bit of security, with all of the filesystems only accessible from within our department. However, one of the filesystems should be restricted to just a small set of clients and the rest of the department should be prevented from accessing it. What would be the best way to go about this?

Also, in investigating some of my options, it appears that the libwrap functionality has been removed (I can't find any trace of it in 1.5.91). Is that correct?

I assume client host control (as well as user-based access control) will be very easy when the GSSAPI code is released?

I'd like to bring Lustre storage into production in the near future, but I'd like to do it with 1.6 rather than 1.4. Does anyone have any guesstimates as to when 1.6 might be released, or maybe a 1.5beta release with guaranteed compatibility with 1.6 (at least so I wouldn't have to worry about the worst-case scenario of having to reformat my filesystems and start over when upgrading)?

Thanks,

Brent Nelson
Director of Computing
Dept. of Physics
University of Florida
Peter J. Braam
2006-Aug-14 17:39 UTC
[Lustre-discuss] Questions regarding security, 1.5.9x
Hi Brent,

> -----Original Message-----
> From: lustre-discuss-bounces@clusterfs.com
> [mailto:lustre-discuss-bounces@clusterfs.com] On Behalf Of
> Brent A Nelson
> Sent: Monday, August 14, 2006 12:46 PM
> To: lustre-discuss@clusterfs.com
> Subject: [Lustre-discuss] Questions regarding security, 1.5.9x
>
> I am testing a handful of Lustre fileservers running 1.5.90,
> and I'd like to have multiple Lustre filesystems spread
> across them (every node would be an OSS for all the
> filesystems). However, I'd like to setup a bit of security,
> with all of the filesystems only accessible from within our
> department. However, one of the filesystems should be
> restricted to just a small set of clients and the rest of
> the department should be prevented from accessing it. What
> would be the best way to go about this?
>
> Also, in investigating some of my options, it appears that
> the libwrap functionality has been removed (I can't find any
> trace of it in 1.5.91).
> Is that correct?

Libwrap was removed because the acceptor now runs in kernel space. But iptables can do the same thing for you and block out certain clients.

> I assume client host control (as well as user-based access
> control) will be very easy when the GSSAPI code is released?

GSSAPI is really a user authentication protocol, and although anyone not authenticated can be kept out, there isn't a great way to block hosts through GSS at the moment. There will be early GSS betas within 2 months I _think_.

> I'd like to bring Lustre storage into production in the near
> future, but I'd like to do it with 1.6 rather than 1.4.
> Does anyone have any guesstimates as to when 1.6 might be
> released, or maybe a 1.5beta release with guaranteed
> compatibility with 1.6 (at least so I wouldn't have to worry
> about the worst-case scenario of having to reformat my
> filesystems and start over when upgrading)?

Someone else needs to answer this.

- Peter -

> Thanks,
>
> Brent Nelson
> Director of Computing
> Dept. of Physics
> University of Florida
>
> _______________________________________________
> Lustre-discuss mailing list
> Lustre-discuss@clusterfs.com
> https://mail.clusterfs.com/mailman/listinfo/lustre-discuss
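Added example, not part of the message above or of the Lustre project's code: a shell helper for the iptables approach mentioned in the reply, which builds an iptables-restore fragment that admits only listed client networks to the Lustre acceptor port and drops every other source. The port (988, Lustre's default acceptor port), the chain name LUSTRE-IN and the sample networks are assumptions; the filter works per server node, so it cannot tell apart filesystems that share the same servers.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment restricting the Lustre
# acceptor port to an allowlist of IPv4 client networks.
# Assumed: port 988 (Lustre default), chain name LUSTRE-IN (hypothetical).
ACCEPTOR_PORT=988

# valid_cidr A.B.C.D[/LEN]: succeed only for a well-formed IPv4 address/prefix.
valid_cidr() {
    addr=${1%/*}
    len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_rules NET...: print the fragment, or print nothing and fail if any
# entry is malformed, so a typo never yields a half-built ruleset.
emit_rules() {
    [ $# -gt 0 ] || { echo "no client networks given" >&2; return 1; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    echo "*filter"
    echo ":LUSTRE-IN - [0:0]"
    echo "-A INPUT -p tcp --dport $ACCEPTOR_PORT -j LUSTRE-IN"
    for net in "$@"; do
        echo "-A LUSTRE-IN -s $net -j ACCEPT"
    done
    echo "-A LUSTRE-IN -j DROP"
    echo "COMMIT"
}

# Constructed usage (as root on each server):
#   emit_rules 10.1.0.0/16 10.2.3.4 | iptables-restore --noflush
```
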
On Tuesday 15 August 2006 01:37, Peter J. Braam wrote:
> > I'd like to bring Lustre storage into production in the near
> > future, but I'd like to do it with 1.6 rather than 1.4.
> > Does anyone have any guesstimates as to when 1.6 might be
> > released, or maybe a 1.5beta release with guaranteed
> > compatibility with 1.6 (at least so I wouldn't have to worry
> > about the worst-case scenario of having to reformat my
> > filesystems and start over when upgrading)?
>
> Someone else needs to answer this.

Yes, please! Any new 1.6beta on the horizon? An update on the status would be very useful (and appreciated)...

Regards,
Erich
Nathaniel Rutman
2006-Aug-15 12:09 UTC
[Lustre-discuss] Questions regarding security, 1.5.9x
Brent A Nelson wrote:
> I'd like to bring Lustre storage into production in the near future,
> but I'd like to do it with 1.6 rather than 1.4. Does anyone have any
> guesstimates as to when 1.6 might be released, or maybe a 1.5beta
> release with guaranteed compatibility with 1.6 (at least so I wouldn't
> have to worry about the worst-case scenario of having to reformat my
> filesystems and start over when upgrading)?

We're concentrating on releasing 1.4.7 right now. We'll migrate the fixes there into 1.5 and release another beta, probably by the end of the month. While I won't guarantee compatibility, I do not foresee any on-disk or wire changes that would prevent you from using a disk formatted from that beta (1.5b5). There has been a change since 1.5b4, so 1.5b5 will not work with older betas.