Attack surface
The attack surface encompasses all points where an unauthorized user could attempt to enter the system or extract data from it. For Charmed Ceph, these include:
Open Ports and Network Interfaces
Ceph daemons, and the host and Juju services that support them, listen by default on the TCP ports listed below.
| Port | Component | Purpose | Security Considerations |
|---|---|---|---|
| 3300, 6789 | Ceph MON | Monitor daemon client communication | Should ideally be restricted to internal networks and specific client subnets via firewall. |
| 6800-7300 | Ceph OSD / MGR / MDS | Intra-cluster communication | Must be strictly firewalled from external access. Essential for cluster operation. |
| 80 | RGW (HTTP) | RADOS Gateway (Object storage HTTP access) | Object storage access. Disable if not needed. |
| 443 | RGW (HTTPS) | RADOS Gateway secure traffic (HTTPS) | Object storage access. Disable if not needed. Requires TLS certificate management. |
| 9283 | MGR (Dashboard) | Ceph Dashboard HTTPS access | Access should be restricted. Authentication is required. |
| 9128 | MGR (Prometheus) | Prometheus metrics endpoint | Restrict access to monitoring servers. |
| 22 | SSH | Host OS access | Standard SSH hardening practices (key auth, restricted access). |
| 17070 | Juju Agent | Juju agent communication with Controller | Communication is TLS encrypted. Access to hosts implies potential access to agents. |
| Other (various) | Other Services | Potentially other services running on hosts | Audit open ports on cluster nodes. |
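The last row of the table asks for open ports on cluster nodes to be audited. The script below is an added example, not part of the Charmed Ceph documentation or charms: it encodes the table's expected ports as an allowlist and compares them against listener output in the shape of `ss -lntH` (local address:port in the fourth column). The `SAMPLE_SS` block is constructed sample output, so the script runs offline; on a real node you would pass `"$(ss -lntH)"` instead. Port ranges such as 6800-7300 are expanded, and any listener outside the allowlist is reported together with its bind address so the reviewer can see whether it is exposed beyond localhost.

```shell
#!/bin/sh
# Added example: audit a node's listening TCP ports against the expected
# Charmed Ceph / Juju / SSH ports. Not code from the Charmed Ceph project.

# Allowlist taken from the port table: "port_or_range label", one per line.
EXPECTED_PORTS='3300 ceph-mon
6789 ceph-mon
6800-7300 ceph-osd/mgr/mds
80 rgw-http
443 rgw-https
9283 mgr-dashboard
9128 mgr-prometheus
22 ssh
17070 juju-agent'

# Constructed sample in the shape of `ss -lntH` output; column 4 is Local Address:Port.
# Two listeners (631 and 8080) are deliberately absent from the allowlist.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 512 10.0.0.5:3300 0.0.0.0:*
LISTEN 0 512 10.0.0.5:6789 0.0.0.0:*
LISTEN 0 512 10.0.0.5:6801 0.0.0.0:*
LISTEN 0 4096 *:9283 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 [::]:17070 [::]:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'

# port_label PORT: print the allowlist label for PORT (handling ranges), or nothing.
port_label() {
    p="$1"
    echo "$EXPECTED_PORTS" | while read -r range label; do
        case "$range" in
            *-*) lo="${range%-*}"; hi="${range#*-}" ;;
            *)   lo="$range";       hi="$range" ;;
        esac
        if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
            echo "$label"
            break
        fi
    done
}

# unexpected_ports SS_OUTPUT: print "port bind-address" for every listener
# whose port is not in the allowlist. The bind address is included because a
# stray service on 127.0.0.1 is a different risk from one on 0.0.0.0 or [::].
unexpected_ports() {
    echo "$1" | awk '{print $4}' | while read -r local; do
        port="${local##*:}"   # text after the last colon (works for [::]:port too)
        addr="${local%:*}"    # everything before the last colon
        [ -n "$(port_label "$port")" ] || echo "$port $addr"
    done
}

# Stand-alone run against the constructed sample; on a node use: unexpected_ports "$(ss -lntH)"
unexpected_ports "$SAMPLE_SS"
```

Run on the constructed sample, the script reports `631 127.0.0.1` and `8080 0.0.0.0`; the second is the kind of finding the table's "Audit open ports" row is aimed at, since it is a non-Ceph service bound on all interfaces.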
Network Protocols and Endpoints
- Ceph Protocol (Messenger v1/v2): Used for all internal Ceph communication (MON, OSD, MGR, MDS). Messenger v2 (default in newer Ceph versions) provides encryption capabilities for data in transit.
- Cephx Authentication: Primary mechanism for authenticating Ceph internal and client communication. It provides mutual authentication between clients/daemons and the MONs.
- HTTP/HTTPS (RGW): Used for S3/Swift access via the RADOS Gateway. HTTPS with strong TLS configuration is best practice for protecting data and credentials in transit, especially if RGW is externally accessible.
- Juju Agent Protocol: Communication between Juju agents and the controller is encrypted with TLS.
Data Interfaces
- Block Devices and Filesystems: OSDs interact directly with underlying storage (disks or logical volumes). The OSD processes require elevated privileges to access these devices. The ceph-osd charm provides an option to limit capabilities via AppArmor – this should be used as a best practice.
- CephFS Mounts: Clients mounting CephFS interact via the Ceph kernel module or FUSE, requiring Cephx authentication.
Management Infrastructure (Juju)
Juju itself presents a management attack surface:
- Juju Controller: Gaining access to the Juju controller provides complete control over the entire deployment. Secure controller access using strong credentials and network restrictions.
- Juju Agents: Agents run on each machine managed by Juju. Compromise of a host machine could potentially lead to compromise of the agent and interaction with the controller.
- Charms and Configuration: Configuration applied via Juju (including charm configurations and relations) can impact security. Review the configuration options of the Ceph charms and the charms related to them.
Refer to the Official Juju Security Documentation for more details on securing Juju itself.