Public iSCSI targets on MAAS region controller
Mark Shuttleworth
mark at ubuntu.com
Tue Nov 29 14:46:05 UTC 2016
On 29/11/16 04:37, Jonas Wagner wrote:
> I'd like to ask a question about how MAAS uses iSCSI. Apparently, the
> MAAS region controller exposes iSCSI targets for supported Ubuntu
> images. These are flagged as vulnerable by the Nessus scanner running
> at our university.
>
> I've described this in more detail here:
> https://askubuntu.com/questions/847854/maas-disable-iscsi-or-require-authentication
>
> I would be curious as to how MAAS uses these iSCSI targets. Is it
> possible to make them available to the internal network only (where
> the MAAS-managed cluster is) rather than the region controller's
> external interface? Would MAAS break if we close the corresponding
> ports in our firewall?
I believe these are currently read-only boot volumes for ephemeral (i.e.
ramdisk) Ubuntu used for enlistment and commissioning, as well as the OS
installer during deployment. They should only need to be accessed by
machine being enlisted, commissioned and deployed, so yes, it should be
fine (and sensible) to screen them off.
Mark
More information about the Maas-devel
mailing list