Public iSCSI targets on MAAS region controller

Brendan Donegan brendan.donegan at canonical.com
Tue Nov 29 14:53:16 UTC 2016


iSCSI targets are actually exposed on the *rack* controller, which may or
may not be the same system as the region controller. So you could have your
rack controllers screened off on the internal network - as long as they can
still communicate with the region controller.

On Tue, 29 Nov 2016 at 14:46 Mark Shuttleworth <mark at ubuntu.com> wrote:

> On 29/11/16 04:37, Jonas Wagner wrote:
> > I'd like to ask a question about how MAAS uses iSCSI. Apparently, the
> > MAAS region controller exposes iSCSI targets for supported Ubuntu
> > images. These are flagged as vulnerable by the Nessus scanner running
> > at our university.
> >
> > I've described this in more detail here:
> >
> > https://askubuntu.com/questions/847854/maas-disable-iscsi-or-require-authentication
> >
> > I would be curious as to how MAAS uses these iSCSI targets. Is it
> > possible to make them available to the internal network only (where
> > the MAAS-managed cluster is) rather than the region controller's
> > external interface? Would MAAS break if we close the corresponding
> > ports in our firewall?
>
> I believe these are currently read-only boot volumes for ephemeral (i.e.
> ramdisk) Ubuntu used for enlistment and commissioning, as well as the OS
> installer during deployment. They should only need to be accessed by
> machines being enlisted, commissioned and deployed, so yes, it should be
> fine (and sensible) to screen them off.
>
> Mark

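Added example, not part of the original thread and not MAAS code: a Python check that reads `ss -H -ltn` output taken on a rack controller and lists the iSCSI listeners bound to a wildcard or to an address outside the internal network, which are the ones a firewall rule has to screen off. Port 3260 (the IANA-registered iSCSI port), the 10.20.0.0/24 internal subnet and the sample listener lines are assumptions constructed for illustration.

```python
import ipaddress

ISCSI_PORT = "3260"  # IANA-registered iSCSI target port (assumed default)

# Constructed sample of `ss -H -ltn` output from a hypothetical rack controller.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3260 0.0.0.0:*
LISTEN 0 128 [::]:3260 [::]:*
LISTEN 0 128 10.20.0.2:3260 0.0.0.0:*
LISTEN 0 128 203.0.113.10:3260 0.0.0.0:*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}


def split_local(field):
    """Split ss 'Local Address:Port' into (host, port); handles [v6] and %scope."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%")[0], port


def exposed_iscsi_listeners(ss_output, internal_cidrs):
    """Return iSCSI listen sockets not confined to the internal networks."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port != ISCSI_PORT:
            continue
        if host in WILDCARDS:
            # Bound on every interface: reachable externally unless firewalled.
            exposed.append(cols[3])
            continue
        addr = ipaddress.ip_address(host)
        if not any(addr.version == n.version and addr in n for n in nets):
            exposed.append(cols[3])
    return exposed


if __name__ == "__main__":
    for sock in exposed_iscsi_listeners(SAMPLE_SS, ["10.20.0.0/24"]):
        print("needs screening:", sock)
```

A wildcard listener is flagged because the bind alone does not limit who can connect; whether it is actually reachable from outside depends on the firewall in front of it.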
