Public iSCSI targets on MAAS region controller
Jonas Wagner
jonas.wagner at epfl.ch
Tue Nov 29 15:34:07 UTC 2016
Thanks for the replies! I now understand what these targets are used for.
In our setup, the rack controller is indeed the same as the region
controller. I've fixed the problem using a firewall rule. For reference:
ufw allow from 10.0.0.1/16 to any port 3260 proto tcp
ufw deny 3260/tcp
Best,
Jonas
On Tue, Nov 29, 2016 at 3:58 PM Brendan Donegan <
brendan.donegan at canonical.com> wrote:
> iSCSI targets are actually exposed on the *rack* controller, which may or
> may not be the same system as the region controller. So you could have your
> rack controllers screened off on the internal network - as long as they can
> still communicate with the region controller.
>
> On Tue, 29 Nov 2016 at 14:46 Mark Shuttleworth <mark at ubuntu.com> wrote:
>
> On 29/11/16 04:37, Jonas Wagner wrote:
> > I'd like to ask a question about how MAAS uses iSCSI. Apparently, the
> > MAAS region controller exposes iSCSI targets for supported Ubuntu
> > images. These are flagged as vulnerable by the Nessus scanner running
> > at our university.
> >
> > I've described this in more detail here:
> >
> > https://askubuntu.com/questions/847854/maas-disable-iscsi-or-require-authentication
> >
> > I would be curious as to how MAAS uses these iSCSI targets. Is it
> > possible to make them available to the internal network only (where
> > the MAAS-managed cluster is) rather than the region controller's
> > external interface? Would MAAS break if we close the corresponding
> > ports in our firewall?
>
> I believe these are currently read-only boot volumes for ephemeral (i.e.
> ramdisk) Ubuntu used for enlistment and commissioning, as well as the OS
> installer during deployment. They should only need to be accessed by
> machines being enlisted, commissioned and deployed, so yes, it should be
> fine (and sensible) to screen them off.
>
> Mark
>
>
> --
> Maas-devel mailing list
> Maas-devel at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/maas-devel
>
>
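An added example, not part of the original message and not MAAS or ufw code: in ufw rule syntax, `port` after `from` matches the source port and `port` after `to` matches the destination port, and rules are checked in order with the first match winning. The Python model below is a simplified assumption of that matching (`parse_rule`, `decide` and the client addresses are hypothetical), applied to an allow/deny pair for iSCSI port 3260 like the one in this thread.

```python
import ipaddress

def parse_rule(cmd):
    """Parse a small subset of ufw rule syntax (simplified model, an assumption)."""
    tok = cmd.split()[1:]  # drop the leading "ufw"
    rule = {"action": tok[0], "src": None, "sport": None, "dport": None, "proto": None}
    if len(tok) == 2:  # simple form such as "deny 3260/tcp": destination port
        port, proto = tok[1].split("/")
        rule.update(dport=int(port), proto=proto)
        return rule
    side = None
    for key, val in zip(tok[1::2], tok[2::2]):
        if key == "from":
            side = "src"
            if val != "any":
                rule["src"] = ipaddress.ip_network(val, strict=False)
        elif key == "to":
            side = "dst"  # destination address is ignored in this model
        elif key == "port":
            rule["sport" if side == "src" else "dport"] = int(val)
        elif key == "proto":
            rule["proto"] = val
    return rule

def decide(cmds, src_ip, sport, dport, proto="tcp", default="deny"):
    """Return the action of the first matching rule; rules are checked in order."""
    for r in map(parse_rule, cmds):
        if r["proto"] not in (None, proto):
            continue
        if r["src"] is not None and ipaddress.ip_address(src_ip) not in r["src"]:
            continue
        if r["sport"] not in (None, sport) or r["dport"] not in (None, dport):
            continue
        return r["action"]
    return default

# Constructed rule sets; the subnet and port are the ones used in this thread.
SOURCE_PORT_FORM = ["ufw allow from 10.0.0.1/16 port 3260 proto tcp", "ufw deny 3260/tcp"]
DEST_PORT_FORM = ["ufw allow from 10.0.0.1/16 to any port 3260 proto tcp", "ufw deny 3260/tcp"]

if __name__ == "__main__":
    # Constructed clients: an internal node and an outside scanner, both
    # connecting from ephemeral source port 51514 to the iSCSI port 3260.
    for name, rules in (("source-port", SOURCE_PORT_FORM), ("dest-port", DEST_PORT_FORM)):
        print(name, "internal:", decide(rules, "10.0.3.7", 51514, 3260),
              "external:", decide(rules, "192.0.2.10", 51514, 3260))
```

Reversing the order of the two rules makes the deny match first, so the internal nodes lose access as well.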