Public iSCSI targets on MAAS region controller

Jonas Wagner jonas.wagner at epfl.ch
Thu Mar 23 09:45:07 UTC 2017


Hello,

I discovered a mistake in a firewall rule that I sent to this mailing
list 4 months ago. Although it has been a while, I'd like to correct it to
prevent breaking other people's MAAS setups:

> In our setup, the rack controller is indeed the same as the region
> controller. I've fixed the problem using a firewall rule. For reference:
>
>     ufw allow from 10.0.0.1/16 port 3260 proto tcp
>     ufw deny 3260/tcp
>

These rules mix up source and destination ports, allowing traffic from port
3260 instead of to port 3260. Here's the corrected version:

    ufw allow proto tcp from 10.0.0.1/16 to any port 3260
    ufw deny 3260/tcp

Best,
Jonas

On Tue, Nov 29, 2016 at 3:58 PM Brendan Donegan <brendan.donegan at canonical.com> wrote:
>
> iSCSI targets are actually exposed on the *rack* controller, which may or
> may not be the same system as the region controller. So you could have your
> rack controllers screened off on the internal network - as long as they can
> still communicate with the region controller.
>
> On Tue, 29 Nov 2016 at 14:46 Mark Shuttleworth <mark at ubuntu.com> wrote:
>
> > On 29/11/16 04:37, Jonas Wagner wrote:
> > > I'd like to ask a question about how MAAS uses iSCSI. Apparently, the
> > > MAAS region controller exposes iSCSI targets for supported Ubuntu
> > > images. These are flagged as vulnerable by the Nessus scanner running
> > > at our university.
> > >
> > > I've described this in more detail here:
> > >
> > > https://askubuntu.com/questions/847854/maas-disable-iscsi-or-require-authentication
> > >
> > > I would be curious as to how MAAS uses these iSCSI targets. Is it
> > > possible to make them available to the internal network only (where
> > > the MAAS-managed cluster is) rather than the region controller's
> > > external interface? Would MAAS break if we close the corresponding
> > > ports in our firewall?
> >
> > I believe these are currently read-only boot volumes for ephemeral (i.e.
> > ramdisk) Ubuntu used for enlistment and commissioning, as well as the OS
> > installer during deployment. They should only need to be accessed by
> > machine being enlisted, commissioned and deployed, so yes, it should be
> > fine (and sensible) to screen them off.
> >
> > Mark
>
>
> --
> Maas-devel mailing list
> Maas-devel at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/maas-devel
>
>
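Added illustration, not part of Jonas's message and not code from ufw or MAAS: a small Python model of ufw's ordered, first-match evaluation for the two rule syntaxes used in the thread. It parses the original (source-port) rules and the corrected (destination-port) rules and checks a typical iSCSI login, which uses an ephemeral source port and destination port 3260, from one internal 10.0.0.0/16 client and one external client. The parser, the matching logic, the sample client addresses and the assumed default-deny incoming policy are simplifications for illustration; nothing here calls ufw itself.

```python
"""Model of ufw first-match rule evaluation for the two syntaxes in the thread.

Added example, not part of the mailing-list message. The parser covers only the
two rule forms quoted above, and the default-deny incoming policy is an
assumption about the host's ufw configuration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ISCSI_PORT = 3260
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    proto: str                         # "tcp", "udp" or "any"
    src_net: ipaddress.IPv4Network     # source network the rule applies to
    src_port: Optional[int]            # None means any source port
    dst_port: Optional[int]            # None means any destination port


# "ufw deny 3260/tcp": a destination port on the local host, any source.
SHORT = re.compile(r"^ufw (allow|deny) (\d+)/(tcp|udp)$")
# "ufw allow [proto P] from NET [port SP] [to any [port DP]] [proto P]"
LONG = re.compile(
    r"^ufw (allow|deny) (?:proto (tcp|udp) )?from (\S+)"
    r"(?: port (\d+))?(?: to any(?: port (\d+))?)?(?: proto (tcp|udp))?$"
)


def parse_rule(text: str) -> Rule:
    """Parse one ufw command line into a Rule (only the thread's two forms)."""
    m = SHORT.match(text.strip())
    if m:
        return Rule(m.group(1), m.group(3), ANY_NET, None, int(m.group(2)))
    m = LONG.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto1, src, sport, dport, proto2 = m.groups()
    # strict=False turns "10.0.0.1/16" into the network 10.0.0.0/16
    net = ipaddress.ip_network(src, strict=False)
    return Rule(action, proto1 or proto2 or "any", net,
                int(sport) if sport else None, int(dport) if dport else None)


def matches(rule: Rule, src_ip: str, src_port: int, dst_port: int,
            proto: str = "tcp") -> bool:
    """True if a packet with these attributes is covered by the rule."""
    if rule.proto not in ("any", proto):
        return False
    if ipaddress.ip_address(src_ip) not in rule.src_net:
        return False
    if rule.src_port is not None and rule.src_port != src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    return True


def evaluate(rules, src_ip: str, src_port: int, dst_port: int,
             proto: str = "tcp") -> str:
    """First matching rule wins; no match falls through to the assumed default deny."""
    for rule in rules:
        if matches(rule, src_ip, src_port, dst_port, proto):
            return rule.action
    return "deny"


# The two rule sets exactly as written in the thread.
WRONG_RULES = [parse_rule(r) for r in (
    "ufw allow from 10.0.0.1/16 port 3260 proto tcp",
    "ufw deny 3260/tcp",
)]
FIXED_RULES = [parse_rule(r) for r in (
    "ufw allow proto tcp from 10.0.0.1/16 to any port 3260",
    "ufw deny 3260/tcp",
)]


def iscsi_login_verdicts(rules) -> dict:
    """Verdicts for an iSCSI login (ephemeral source port, destination 3260).

    Constructed sample clients: an internal cluster node and an external host.
    """
    return {
        "internal": evaluate(rules, "10.0.5.5", 49152, ISCSI_PORT),
        "external": evaluate(rules, "203.0.113.7", 49152, ISCSI_PORT),
    }


if __name__ == "__main__":
    print("original rules:", iscsi_login_verdicts(WRONG_RULES))
    print("corrected rules:", iscsi_login_verdicts(FIXED_RULES))
```

With the original rules the allow entry only fires for packets whose *source* port is 3260, so an internal node's login (source port 49152, destination 3260) skips it and hits the deny, which is what would break a MAAS setup; with the corrected rules the internal node is allowed and the external host is still denied.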