by toomuchtodo 2189 days ago
SSH for job running and management, NFS for filesystem access. Have remote systems mount the local file system. If NFS isn’t available, have the remote job pull files over rsync from your local system, then rsync back the resulting output.

Ugh! Thanks but no thanks

I don't want to mount and expose NFS, or allow a full SSH login. This will be a custom agent/daemon on both ends.

I wouldn't recommend NFS over the open internet, but there are a few options based around SFTP (rsync, scp, sshfs), and being based on SFTP means they can run without granting that user full SSH login access while still taking advantage of the security benefits that SSH brings.

For job execution you could write your own agent, but doing so likely wouldn't be any more secure than SSH. Just make sure you have disabled password logins (use keys instead) and have fail2ban or equivalent running to auto-blacklist attacks. You could probably use Chef or SaltStack if you really wanted to avoid a remote shell, but if you're not already running config management then you have to ask yourself if you're over-engineering a solution.

An alternative solution would be to run an OpenVPN tunnel, and then you can SSH to your heart's content. But even here, unless you have multiple machines you want to connect to, I can't help thinking you're just making life harder for yourself without getting any realistic gains.

This is all based on the very high level spec provided so I accept there might be some currently undisclosed detail that renders the above suggestions moot.
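One way to set up the SFTP-only account the comment above describes (keys only, no shell, no forwarding), as an added example that is not part of the thread: the user name `jobrunner`, the chroot path and the checker function are assumptions.

```shell
#!/bin/sh
# Added example: an sshd_config fragment giving a hypothetical "jobrunner"
# account SFTP-only access, plus a checker that confirms the fragment
# carries every hardening directive before it is deployed.

# Constructed drop-in for /etc/ssh/sshd_config.d/ (or append to sshd_config).
# internal-sftp serves sftp and sshfs clients; rsync still needs a shell.
sftp_only_fragment() {
  cat <<'EOF'
# Global: keys only, no passwords (assumes the key is already deployed)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# SFTP-only account: no shell, no TTY, no forwarding, jailed to one directory.
# ChrootDirectory must be root-owned and not group/world writable, or sshd
# refuses the login.
Match User jobrunner
    ForceCommand internal-sftp
    ChrootDirectory /srv/jobs/%u
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Read a fragment on stdin; return 0 if every required directive is present,
# otherwise list the missing ones on stderr and return 1.
check_sftp_only() {
  _cfg=$(cat)
  _missing=""
  for _want in "PasswordAuthentication no" "ForceCommand internal-sftp" \
               "ChrootDirectory " "PermitTTY no" "AllowTcpForwarding no" \
               "X11Forwarding no"; do
    printf '%s\n' "$_cfg" | grep -q -- "$_want" || _missing="$_missing [$_want]"
  done
  [ -z "$_missing" ] && return 0
  printf 'missing:%s\n' "$_missing" >&2
  return 1
}

# A deliberately incomplete fragment (constructed) that the checker rejects.
weak_fragment() { printf 'Match User jobrunner\n    ForceCommand internal-sftp\n'; }

sftp_only_fragment | check_sftp_only && echo "fragment contains all hardening directives"
```

After installing the fragment, run `sshd -t` to have sshd validate the full configuration before reloading.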

NFS works great over the open Internet, as long as you do it through a secure tunnel. I've been doing this for years as a way of increasing the size of the available storage in a VPS.
You run NFS within which secure tunneler?
I've used both vtun and WireGuard for remote NFS. On a good day, I get 100MB/s to the NFS filesystem on my San Jose AWS instance (from Vegas) via WireGuard. Note: that was before COVID-19. CenturyLink/Qwest has since (stealthily) throttled my bandwidth down from 1Gbps to ~750Mbps.
It's really no different to running any other service over a VPN or SSH tunnel. It does work well with NFSv3, but I've never tried it with NFSv4.
Just use WireGuard, tbh.