[Ocfs2-users] howto achieve inter-node file permissions / workarounds

Sunil Mushran sunil.mushran at oracle.com
Mon Feb 7 20:21:38 PST 2011


Security in Linux is user based. Nodes (hostnames) have no role to
play. If I understand you correctly, you want user+hostname
based security. Probably hostname providing a default set of
permissions. I am not aware of any fs providing this. Do you have
an example that would better illustrate your point?

Remember that node based security does not make much sense
considering the basic idea behind clustering is to allow services
to be available across the cluster. As in, if a node dies, the service
is restarted on an available node. Shared disk clustered file systems
have been designed to operate in such an environment.

On 02/04/2011 12:44 PM, Petr Vacek wrote:
> Greetings,
> I would like to know if there is a possibility to deny / obscure access
> into some directory within ocfs2 for specific nodes - or allow just
> specific nodes.
> I am using ocfs2 shared storage among Xen VMs (because its performance
> is better than NFS with our hardware), but then root of each VM has
> absolute access to the whole ocfs2 filesystem - which I would like to
> limit at least a little bit.
> I know that the root of a node has access to a raw block device so it
> cannot be done down to all levels, but if the mounted filesystem would
> respect some limits for a local root
> that would be very fine for me.
>
> Is this doable, and if it is easy, which utility/command would allow
> that?
>
> If not, should a simple kernel module/patch limiting access to
> specific UID/GIDs for all users including root do the trick? (I am
> thinking that if such a module does not exist, I can get it made and
> then map node-specific directories into these uid/gids, so they will
> be accessible only from a single node, if that's viable ...)
>
> Thanks for any hints or tips in advance
>
> Regards
> Petr Vacek
