Lustre discuss - Aug 2006 - Questions regarding security, 1.5.9x

I am testing a handful of Lustre fileservers running 1.5.90, and I''d
like
to have multiple Lustre filesystems spread across them (every node would 
be an OSS for all the filesystems).  However, I''d like to setup a bit
of
security, with all of the filesystems only accessible from within our 
department.  However, one of the filesystems should be restricted to just 
a small set of clients and the rest of the department should be prevented 
from accessing it.  What would be the best way to go about this?

Also, in investigating some of my options, it appears that the libwrap 
functionality has been removed (I can''t find any trace of it in
1.5.91).
Is that correct?

I assume client host control (as well as user-based access control) will 
be very easy when the GSSAPI code is released?

I''d like to bring Lustre storage into production in the near future,
but
I''d like to do it with 1.6 rather than 1.4.  Does anyone have any 
guesstimates as to when 1.6 might be released, or maybe a 1.5beta release 
with guaranteed compatibility with 1.6 (at least so I wouldn''t have to 
worry about the worst-case scenario of having to reformat my filesystems 
and start over when upgrading)?

Thanks,

Brent Nelson
Director of Computing
Dept. of Physics
University of Florida

Hi Brent,
 

 > -----Original Message-----
 > From: lustre-discuss-bounces@clusterfs.com 
 > [mailto:lustre-discuss-bounces@clusterfs.com] On Behalf Of 
 > Brent A Nelson
 > Sent: Monday, August 14, 2006 12:46 PM
 > To: lustre-discuss@clusterfs.com
 > Subject: [Lustre-discuss] Questions regarding security, 1.5.9x
 > 
 > I am testing a handful of Lustre fileservers running 1.5.90, 
 > and I''d like to have multiple Lustre filesystems spread 
 > across them (every node would be an OSS for all the 
 > filesystems).  However, I''d like to setup a bit of security, 
 > with all of the filesystems only accessible from within our 
 > department.  However, one of the filesystems should be 
 > restricted to just a small set of clients and the rest of 
 > the department should be prevented from accessing it.  What 
 > would be the best way to go about this?
 > 
 > Also, in investigating some of my options, it appears that 
 > the libwrap functionality has been removed (I can''t find any 
 > trace of it in 1.5.91). 
 > Is that correct?

Libwrap was removed because the acceptor now runs in kernel space.

But iptables can do the same thing for you and block out certain
clients.


 > 
 > I assume client host control (as well as user-based access 
 > control) will be very easy when the GSSAPI code is released?

GSSAPI is really a user authentication protocol, and although anyone not
authenticated can be kept out, there isn''t a great way to block hosts
through GSS at the moment.  There will be early GSS betas within 2
months I _think_.

 > I''d like to bring Lustre storage into production in the near 
 > future, but I''d like to do it with 1.6 rather than 1.4.  
 > Does anyone have any guesstimates as to when 1.6 might be 
 > released, or maybe a 1.5beta release with guaranteed 
 > compatibility with 1.6 (at least so I wouldn''t have to worry 
 > about the worst-case scenario of having to reformat my 
 > filesystems and start over when upgrading)?

Someone else needs to answer this.


- Peter -

 > Thanks,
 > 
 > Brent Nelson
 > Director of Computing
 > Dept. of Physics
 > University of Florida
 > 
 > _______________________________________________
 > Lustre-discuss mailing list
 > Lustre-discuss@clusterfs.com
 > https://mail.clusterfs.com/mailman/listinfo/lustre-discuss
 > 
 >

On Tuesday 15 August 2006 01:37, Peter J. Braam wrote:
> ?> I''d like to bring Lustre storage into production in the near
> ?> future, but I''d like to do it with 1.6 rather than 1.4. ?
> ?> Does anyone have any guesstimates as to when 1.6 might be 
> ?> released, or maybe a 1.5beta release with guaranteed 
> ?> compatibility with 1.6 (at least so I wouldn''t have to worry
> ?> about the worst-case scenario of having to reformat my 
> ?> filesystems and start over when upgrading)?
> 
> Someone else needs to answer this.
Yes, please! Any new 1.6beta on the horizon? An update on the status would be
very useful (and appreciated)...

Regards,
Erich

Brent A Nelson wrote:
> I''d like to bring Lustre storage into production in the near
future,
> but I''d like to do it with 1.6 rather than 1.4.  Does anyone have
any
> guesstimates as to when 1.6 might be released, or maybe a 1.5beta 
> release with guaranteed compatibility with 1.6 (at least so I
wouldn''t
> have to worry about the worst-case scenario of having to reformat my 
> filesystems and start over when upgrading)?
We''re concentrating on releasing 1.4.7 right now.  We''ll
migrate the
fixes there into 1.5 and release another beta, probably by the end of 
the month.  While I won''t guarantee compatability, I do not forsee any 
on-disk or wire changes that would prevent you from using a disk 
formatted from that beta (1.5b5) .  There has been a change since 1.5b4, 
so 1.5b5 will not work with older betas.