Bug 1340608

| Summary: | [RFE] : Support SSL enabled volume via SMB v3 | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | Ambarish <asoman> |
| Component: | core | Assignee: | rjoseph |
| Status: | CLOSED ERRATA | QA Contact: | Vivek Das <vdas> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rhgs-3.1 | CC: | amukherj, asoman, bmohanra, jthottan, rcyriac, rhinduja, rhs-bugs, rjoseph, rtalur, sabose, sbhaloth |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | RHGS 3.2.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | glusterfs-3.8.4-1 | Doc Type: | Enhancement |
| Doc Text: | Red Hat Gluster Storage now provides support for Samba to enable Transport Layer Security (SSL) on a management connection between the smbd and glusterd services. Libgfapi now checks for the /var/lib/glusterd/secure-access file before making an RPC connection and enables SSL on the management connection if the file is present. | Story Points: | --- |
| Clone Of: | | | |
| : | 1362602 1371475 | Environment: | |
| Last Closed: | 2017-03-23 05:33:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1277939, 1311843, 1351503, 1351530, 1362602, 1371650 | | |

Description
Ambarish
2016-05-28 17:15:08 UTC
******************* BEFORE ENABLING SSL *******************

```
[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
[root@gqac007 ~]#
[root@gqac007 ~]# mount |grep testvol
//gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol on /gluster-mount type cifs (rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=root,domain=GQAS013,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.79.140,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=1048576,wsize=1048576,actimeo=1)
[root@gqac007 ~]#
```

From brick logs :

```
[2016-05-28 11:21:33.086008] I [login.c:81:gf_auth] 0-auth/login: allowed user names: 5d99fc86-a351-45f8-930f-563a1d1d2ba7
[2016-05-28 11:21:33.086056] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqas013.sbu.lab.eng.bos.redhat.com-8371-2016/05/28-11:21:32:993828-testvol-client-0-0-0 (version: 3.7.9)
```

****************** AFTER ENABLING SSL ******************

```
[root@gqac007 ~]# mount -t cifs -o vers=3.0,rsize=1048576,wsize=1048576,username=root,password=redhat -vv //gqas013.sbu.lab.eng.bos.redhat.com/gluster-testvol /gluster-mount/
mount.cifs kernel mount options: ip=192.168.79.140,unc=\\gqas013.sbu.lab.eng.bos.redhat.com\gluster-testvol,vers=3.0,rsize=1048576,wsize=1048576,user=root,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[root@gqac007 ~]#
[root@gqac007 ~]#
```

There is no update on brick logs.

These are the error messages on vol.log :

```
#tail -f /var/log/glusterfs/etc-glusterfs-glusterd.vol.log
[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed
```

smb status shows running :

```
[root@gqas013 ~]# service smb status
smbd (pid 11989 11988 11980) is running...
[root@gqas013 ~]#
[root@gqas013 ~]#
```

If I try mounting with FUSE, I am able to mount it. So there's nothing wrong with my setup.

```
[root@gqac007 ~]# mount -t glusterfs gqas013.sbu.lab.eng.bos.redhat.com:testvol /gluster-mount/
[root@gqac007 ~]#
[root@gqac007 ~]# mount |grep test
gqas013.sbu.lab.eng.bos.redhat.com:testvol on /gluster-mount type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
[root@gqac007 ~]#
```

From brick logs :

```
[2016-05-28 11:43:26.628574] I [socket.c:459:ssl_setup_connection] 0-tcp.testvol-server: peer CN = gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629471] I [login.c:39:gf_auth] 0-auth/login: connecting user name: gqac007.sbu.lab.eng.bos.redhat.com
[2016-05-28 11:43:26.629507] I [MSGID: 115029] [server-handshake.c:690:server_setvolume] 0-testvol-server: accepted client from gqac007.sbu.lab.eng.bos.redhat.com-9073-2016/05/28-11:43:26:445012-testvol-client-0-0-0 (version: 3.7.9)
```

From mount log :

```
[2016-05-28 11:43:26.551049] I [socket.c:4054:socket_init] 0-testvol-client-16: SSL support on the I/O path is ENABLED
[2016-05-28 11:43:26.551070] I [socket.c:4057:socket_init] 0-testvol-client-16: SSL support for glusterd is ENABLED
[2016-05-28 11:43:26.551080] I [socket.c:4074:socket_init] 0-testvol-client-16: using private polling thread
```

I've asked SMB team whether this is supported or not. Based on that we can take a call.

Were there any avc denials in audit.log. It is possible that smbd process wasn't allowed to look into /etc/ssl for gluster certificates.

(In reply to Raghavendra Talur from comment #7)
> Were there any avc denials in audit.log. It is possible that smbd process
> wasn't allowed to look into /etc/ssl for gluster certificates.

Raghavendra, selinux was disabled at all times

Verified the same problem on Ganesha mounts as well. Ganesha Mounts fail as well on SSL enabled vols.

Changing the bug summary to something more appropriate.

Upstream mainline patches posted for review:
http://review.gluster.org/15072
http://review.gluster.org/15073

Update:
http://review.gluster.org/15072 - Merged in upstream
http://review.gluster.org/15073 - Regression failures in NetBSD. Build scripts on netbsd machines are not up to date, due to which the regression is failing.

http://review.gluster.org/15073 is merged into mainline. Both 15072 & 15073 need to be backported to 3.8 branch.

Upstream Master:
http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged
Upstream release-3.8:
http://review.gluster.org/15361 - Post
http://review.gluster.org/15359 - Post

Upstream Master:
http://review.gluster.org/15072 - Merged
http://review.gluster.org/15073 - Merged
Upstream release-3.8:
http://review.gluster.org/15361 - Merged
http://review.gluster.org/15359 - Merged

As the release 3.8 patches mentioned in comment 26 are now available in rhgs-3.2.0 as part of rebase, moving the bug state to modified.

I am able to mount smb on a SSL enabled setup.
Version
samba-client-4.4.6-4
glusterfs-server-3.8.4-13
Marking it as verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2017-0486.html

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
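
The glusterd log signature in the description (an SSL setup failure on `0-socket.management` together with OpenSSL's `wrong version number`) is what a TLS endpoint typically logs when its peer sends non-TLS data, which matches the Doc Text: before the fix, libgfapi did not enable SSL on the management connection. The following triage script is an added example, not code from this bug report or from the Gluster project; the function names are hypothetical and the sample lines are copied from the logs quoted above.

```python
import re
from collections import defaultdict

# Gluster log line: [timestamp] LEVEL [MSGID: n]? [file:line:function] domain: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z])\s+"
    r"(?:\[MSGID: (?P<msgid>\d+)\]\s+)?"
    r"\[(?P<file>[^:\]]+):(?P<line>\d+):(?P<func>[^\]]+)\]\s+"
    r"(?P<domain>\S+):\s+(?P<msg>.*)$"
)

# Lines copied from the glusterd log and the FUSE mount log quoted in this report.
SAMPLE_LOG = """\
[2016-05-28 11:52:49.012342] E [socket.c:464:ssl_setup_connection] 0-socket.management: SSL connect error
[2016-05-28 11:52:49.012415] E [socket.c:318:ssl_dump_error_stack] 0-socket.management: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[2016-05-28 11:52:49.012450] E [socket.c:2505:socket_poller] 0-socket.management: server setup failed
[2016-05-28 11:43:26.551070] I [socket.c:4057:socket_init] 0-testvol-client-16: SSL support for glusterd is ENABLED
"""

def parse(text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def find_tls_mismatch(text):
    """Report log domains where an SSL setup error coincides with OpenSSL's
    'wrong version number', i.e. the peer most likely did not speak TLS."""
    errors = defaultdict(list)
    for rec in parse(text):
        if rec["level"] == "E":
            errors[rec["domain"]].append(rec)
    findings = []
    for domain, recs in errors.items():
        funcs = {r["func"] for r in recs}
        # The OpenSSL reason string is the last colon-separated field.
        reasons = {r["msg"].rsplit(":", 1)[-1] for r in recs
                   if r["func"] == "ssl_dump_error_stack"}
        if "ssl_setup_connection" in funcs and "wrong version number" in reasons:
            findings.append({"domain": domain, "first_seen": recs[0]["ts"],
                             "reason": "peer did not speak TLS on this socket"})
    return findings

if __name__ == "__main__":
    for finding in find_tls_mismatch(SAMPLE_LOG):
        print(finding)
```

A hit on `0-socket.management` points at the management connection rather than the brick I/O path, so the next check is whether the client side honours `/var/lib/glusterd/secure-access`.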