Bug 1181466

Summary: [RFE][HC] – Require GlusterFS 3.7.3 for rpc-auth-allow-insecure to be used by libgfapi
Product: [oVirt] ovirt-host-deploy Reporter: Federico Simoncelli <fsimonce>
Component: Plugins.GlusterAssignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED UPSTREAM QA Contact: Pavel Stehlik <pstehlik>
Severity: medium Docs Contact:
Priority: medium    
Version: ---CC: alonbl, amureini, bazulay, bugs, dougsland, ecohen, gklein, iheim, kaushal, lsurette, prasanna.kalever, ricardo.arguello, sabose, sbonazzo, sbose, vbellur, yeylon, ylavi
Target Milestone: ovirt-4.0.0-alphaKeywords: FutureFeature
Target Release: ---Flags: ylavi: ovirt-4.0.0?
ylavi: planning_ack?
ylavi: devel_ack?
ylavi: testing_ack?
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-15 13:13:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1232658    
Bug Blocks: 1022961, 1177776    

Description Federico Simoncelli 2015-01-13 09:09:52 UTC 
Description of problem:
Adding the support for libgfapi requires the option rpc-auth-allow-insecure set to "on" in glusterd.vol (and service restart).

We also should consider what to do with the hosts where gluster was already deployed.
Comment 1 Alon Bar-Lev 2015-01-13 09:43:45 UTC 
or patch libgfapi to enable secure mode? exposing hosts only because a component that is under our control misbehaves is the last [non available] alternative.
Comment 2 Federico Simoncelli 2015-02-04 14:11:01 UTC 
(In reply to Alon Bar-Lev from comment #1)
> or patch libgfapi to enable secure mode? exposing hosts only because a
> component that is under our control misbehaves is the last [non available]
> alternative.

rpc-auth-allow-insecure:

"""
Allow client connections from unprivileged ports. By default only privileged ports are allowed.
"""

If you want regular users (using unprivileged ports on the client) to be able to connect to your gluster server you need to enable rpc-auth-allow-insecure.

The use case for this is qemu processes (running as qemu user) being able to directly connect to the gluster server to access the images.

It would be great if we could do it only per-volume but as I understood from Vijay that's not enough (you also need rpc-auth-allow-insecure).

Vijay is that correct?
Comment 3 Sandro Bonazzola 2015-05-21 07:14:15 UTC 
According to Pranith and Vijay this one won't be needed starting with Gluster 3.7.1. So the requirement here is to raise the requirements for getting gluster >= 3.7.1 once it will be out in a couple of weeks.
Comment 4 Sandro Bonazzola 2015-05-22 12:00:35 UTC 
Waiting for Gluster 3.7.1 to be out.
Comment 5 Sandro Bonazzola 2015-06-03 07:05:57 UTC 
The patch has been delayed to 3.7.2
Comment 6 Sandro Bonazzola 2015-06-30 07:07:50 UTC 
The patch has been delayed to 3.7.3 http://review.gluster.org/11039
Comment 7 Yaniv Lavi 2015-07-16 03:53:30 UTC 
should this be modified?
Comment 8 Sandro Bonazzola 2015-07-16 07:01:47 UTC 
AFAIK 3.7.3 has not been released yet.
Comment 9 Prasanna Kumar Kalever 2015-07-22 09:58:28 UTC 
There  were few problems discovered by http://review.gluster.org/11039 which can be addressed by http://review.gluster.org/#/c/11512/ (Waiting to get merged)
Comment 10 Red Hat Bugzilla Rules Engine 2015-09-20 21:01:48 UTC 
This request has been proposed for two releases. This is invalid flag usage. The ovirt-future release flag has been cleared. If you wish to change the release flag, you must clear one release flag and then set the other release flag to ?.
Comment 11 Sandro Bonazzola 2015-12-15 13:13:40 UTC 
Closing Upstream, should be solved in Gluster by now.