Cluster suggestion [cluster_config]
Posted: 21 Apr 2010, 15:50
I've search the forum and didn't see this posted. Also I'm new here.
If my suggestion is far-fetched I apologize in advance. Feedback are appreciated.
Problem
The new cluster options are great. I just miss one feature:
Be able to update the cluster ip list on all servers without compromising security.
Explanation
I like the ability to change the csf.conf from one server and push them out to all other servers. This is especially necessary when adding new servers to the cluster.
We add/remove servers in our server park quite frequently so editing the cluster ip list on all servers manually is not an option.
BUT allowing CLUSTER_CONFIG on all servers is a very big security risk.
If one server is compromised then all firewalls on all servers could be taken down.
Suggestion
I suggest that a special authentication (public-private key) can be used to change the csf.conf, OR at least change the cluster ip lists.
Maybe even a extra list of IP-numbers who are allowed to do this.
If my suggestion is far-fetched I apologize in advance. Feedback are appreciated.
Problem
The new cluster options are great. I just miss one feature:
Be able to update the cluster ip list on all servers without compromising security.
Explanation
I like the ability to change the csf.conf from one server and push them out to all other servers. This is especially necessary when adding new servers to the cluster.
We add/remove servers in our server park quite frequently so editing the cluster ip list on all servers manually is not an option.
BUT allowing CLUSTER_CONFIG on all servers is a very big security risk.
If one server is compromised then all firewalls on all servers could be taken down.
Suggestion
I suggest that a special authentication (public-private key) can be used to change the csf.conf, OR at least change the cluster ip lists.
Maybe even a extra list of IP-numbers who are allowed to do this.
