Movatterモバイル変換

[0]ホーム
URL:

Your submission was sent successfully!Close

Thank you for contacting us. A member of our team will be in touch shortly.Close

You have successfully unsubscribed!Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Your preferences have been successfully updated.Close notification

Please try again orfile a bug report.Close

Canonical Ubuntu
Canonical Ceph

Attack surface

The attack surface encompasses all points where an unauthorized user could attempt to enter or extract data from the system. For Charmed Ceph, these include:

Open ports and network interfaces

Ceph daemons by default listen on the TCP ports below.

PortComponentPurposeSecurity Considerations
3300, 6789Ceph MONMonitor daemon client communicationShould ideally be restricted to internal networks and specific client subnets via firewall.
6800-7300Ceph OSD / MGR / MDSIntra-cluster communicationMust be strictly firewalled from external access. Essential for cluster operation.
80RGW (HTTP)RADOS Gateway (Object storage HTTP access)Object storage access. Disable if not needed.
443RGW (HTTPS)RADOS Gateway secure traffic (HTTPS)Object storage access. Disable if not needed. Requires TLS certificate management.
9283MGR (Dashboard)Ceph Dashboard HTTPS accessAccess should be restricted. Authentication is required.
9128MGR (Prometheus)Prometheus metrics endpointRestrict access to monitoring servers.
22SSHHost OS accessStandard SSH hardening practices (key auth, restricted access).
17070Juju AgentJuju agent communication with ControllerCommunication is TLS encrypted. Access to hosts implies potential access to agents.
Other (various)Other ServicesPotentially other services running on hostsAudit open ports on cluster nodes.

Network protocols and endpoints

  • Ceph Protocol (Messenger v1/v2): Used for all internal Ceph communication (MON, OSD, MGR, MDS). Messenger v2 (default in newer Ceph versions) provides encryption capabilities for data in transit.
  • Cephx Authentication: Primary mechanism for authenticating Ceph internal and client communication. It provides mutual authentication between clients/daemons and the MONs.
  • HTTP/HTTPS (RGW): Used for S3/Swift access via the RADOS Gateway. HTTPS with strong TLS configuration is best practice for protecting data and credentials in transit, especially if RGW is externally accessible.
  • Juju Agent Protocol: Communication between Juju agents and the controller is encrypted with TLS.

Data interfaces

  • Block Devices and Filesystems: OSDs interact directly with underlying storage (disks or logical volumes). The OSD processes require elevated privileges to access these devices. The ceph-osd charm provides an option to limit capabilities via AppArmor – this should be used as a best practice.
  • CephFS Mounts: Clients mounting CephFS interact via the Ceph kernel module or FUSE, requiring Cephx authentication.

Management infrastructure (Juju)

Juju itself presents a management attack surface:

  • Juju Controller: Gaining access to the Juju controller provides complete control over the entire deployment. Secure controller access using strong credentials and network restrictions.
  • Juju Agents: Agents run on each machine managed by Juju. Compromise of a host machine could potentially lead to compromise of the agent and interaction with the controller.
  • Charms and Configuration: Configuration applied via Juju (including charm configurations and relations) can impact security. Review charm options of ceph and related charms.

Refer to theofficial Juju security documentation for more details on securing Juju itself.

This page was last modified 4 months ago.Help improve this document in the forum.

[8]ページ先頭
©2009-2026 Movatter.jp