Changeset 35047 in project


Timestamp:
01/21/18 18:54:43 (4 weeks ago)
Author:
sjamaan
Message:

ugarit-backend-s3: Note disadvantage when using salts

File:
1 edited

  • wiki/eggref/4/ugarit-backend-s3

    r35043 r35047  
    134134As per the Ugarit documentation, use the {{(hash)}} option to provide
    135135a salt, so that blocks with the same content can't be easily detected
    136 across different vaults.  This provides additional guarantees.
    137 
    138 ==== Use privilege separation for the backend
    139 
    140 Using {{sudo}} (or {{doas}}, etc) to run the backend is strongly
    141 recommended.  This will avoid having to make network connections as
    142 root.  Use an account that has as few privileges as possible; it will
    143 only need access to the S3 configuration file, the OpenSSL default
    144 certificate store, and to make network connections.
     136across different vaults.  The only disadvantage of this is that this
     137will use more disk space if you use the same S3 bucket for multiple
     138hosts - something which is explicity '''not''' recommended.
    145139
    146140==== Use separate S3 accounts for each machine
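Review bot: "explicity" on added line 138 should be "explicitly", and "The only disadvantage of this is that this will use" on lines 136-137 repeats "this" awkwardly; something like "The only disadvantage is that it uses more disk space if you share one S3 bucket between multiple hosts" reads better. It would also help to state the reason, which the preceding sentence implies: once a salt is used, blocks with the same content no longer match across vaults, so they cannot be shared between hosts writing to the same bucket. Dropping the old "This provides additional guarantees." is fine, since it never said which guarantees.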
     
    163157S3 versions.  Neither does {{s3cmd}}, so you'll need to determine if
    164158it's worthwhile.
     159
     160==== Use privilege separation for the backend
     161
     162Using {{sudo}} (or {{doas}}, etc) to run the backend is strongly
     163recommended.  This will avoid having to make network connections as
     164root.  Use an account that has as few privileges as possible; it will
     165only need access to the S3 configuration file, the OpenSSL default
     166certificate store, and to make network connections.
    165167
    166168==== Do not use sensitive info for your tag names
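Review bot: The section added at new lines 160-166 is the "Use privilege separation for the backend" text removed from old lines 138-144, moved without changes, but the commit message only mentions the salt note. Either mention the move in the message or commit it separately, so the history shows that the privilege-separation advice was relocated rather than rewritten. While the paragraph is being touched, "(or {{doas}}, etc)" on line 162 should read "etc.".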