Re: 'Immutable bit' on pools to prevent deletion

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Wido den Hollander <wido@42on.com>
To: Sage Weil <sweil@redhat.com>, John Spray <john.spray@redhat.com>
Cc: Gregory Farnum <greg@gregs42.com>,
	Yehuda Sadeh <yehuda@redhat.com>,
	ceph-devel <ceph-devel@vger.kernel.org>
Subject: Re: 'Immutable bit' on pools to prevent deletion
Date: Fri, 16 Jan 2015 08:55:46 +0100	[thread overview]
Message-ID: <54B8C402.9020301@42on.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1501151105050.15918@cobra.newdream.net>

On 01/15/2015 08:07 PM, Sage Weil wrote:
> On Thu, 15 Jan 2015, John Spray wrote:
>> On Thu, Jan 15, 2015 at 6:07 PM, Sage Weil <sweil@redhat.com> wrote:
>>>> What would that buy us? Preventing injectargs on it would require mon
>>>> restarts, which is unfortunate ? and makes it sounds more like a
>>>> security feature than a safety blanket.
>>>
>>> I meant 'ceph tell mon.* injectargs ...' as distinct from 'ceph daemon ...
>>> config set', which requires access to the host.  But yeah, if we went to
>>> the effort to limit injectargs (maybe a blanket option that disables
>>> injectargs on mons?), it could double as a security feature.
>>>
>>> But whether it may also useful for security doesn't change whether it is a
>>> good safety blanket.  I like it because it's simple, easy to implement,
>>> and easy to disable for testing... :)
>>
>> The trouble with this is admin socket part is that any tool that
>> manages Ceph must use the admin socket interface as well as the normal
>> over-the-network command interface, and by extension must be able to
>> execute locally on a mon.  We would no longer have a comprehensive
>> remote management interface for the mon: management tools would have
>> to run some code locally too.
> 
> True.. if we make that option enabled by default.  If we it's off by 
> default them it's an opt-in layer of protection.  Most clusters don't have 
> ephemeral pools so I think lots of people would want this.
>  

If this is the easiest route I'm +1 for that way.

I'd turn it off right away on the clusters I manage. Pools don't change
that often and I simply want another safeguard against deleting them.

>> I think it's sufficient to require two API calls (set the flag or
>> config option, then do the delete) within the remote API, rather than
>> requiring that anyone driving the interface knows how to speak two
>> network protocols (usual mon remote command + SSH-to-asok).
> 
> Yeah...
> 
> sage
> 


-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on

next prev parent reply	other threads:[~2015-01-16  7:55 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-15 14:46 'Immutable bit' on pools to prevent deletion Wido den Hollander
2015-01-15 15:39 ` Dan Van Der Ster
2015-01-15 15:52   ` Wido den Hollander
2015-01-15 15:45 ` Mike Dawson
2015-01-15 15:58 ` Yehuda Sadeh
2015-01-15 17:24   ` Sage Weil
2015-01-15 17:44     ` Sage Weil
2015-01-15 17:55       ` Gregory Farnum
2015-01-15 18:07         ` Sage Weil
2015-01-15 18:45           ` Gregory Farnum
2015-01-15 19:02           ` John Spray
2015-01-15 19:07             ` Sage Weil
2015-01-15 22:02               ` John Spray
2015-01-16  7:55               ` Wido den Hollander [this message]
2015-01-16  9:50     ` Sebastien Han
2015-01-16 10:55       ` Wido den Hollander
2015-01-16 14:46         ` Sage Weil
2015-01-19 19:32           ` Mykola Golub
2015-01-19 20:28             ` Sage Weil
     [not found]         ` <597309080.14312.1421421468640.open-xchange@websrv>
2015-01-16 20:45           ` Wido den Hollander
2015-01-17  2:31 ` Alex Elsayed
2015-01-17 13:11   ` Wido den Hollander
2015-01-17 16:24   ` Sage Weil
2015-01-17 19:09     ` Alex Elsayed
2015-01-17 23:28       ` David Zafman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54B8C402.9020301@42on.com \
    --to=wido@42on.com \
    --cc=ceph-devel@vger.kernel.org \
    --cc=greg@gregs42.com \
    --cc=john.spray@redhat.com \
    --cc=sweil@redhat.com \
    --cc=yehuda@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.