Bug 1356296

Summary: [RFE] Extend gdeploy functionality to support other features required by hyperconverged environments
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Paul Cuzner <pcuzner>
Component: gdeploy Assignee: Sachidananda Urs <surs>
Status: CLOSED ERRATA QA Contact: SATHEESARAN <sasundar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rhgs-3.1 CC: amukherj, rcyriac, rhinduja, sasundar, smohan
Target Milestone: --- Keywords: FutureFeature
Target Release: RHGS 3.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gdeploy-2.0.1-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-23 04:57:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1351503    

Description Paul Cuzner 2016-07-13 22:29:03 UTC
Description of problem:
Hyperconverged environments need additional settings to satisfy some customer requirements - specifically around security. I've talked these through with Sac, so these enhancements are all bundled into one RFE.

I've broken the request into short/medium term goals


Short term (3-6 months)

- configure SSL for the control and data path
- configure auth.allow to lock down client connections to a specified list of IPs
- configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)
- configure systemd slice, and glusterd.service overrides for CPU control


Medium term (6-9 months)
- support gluster based tiering in addition to lvmcache
- automatically configure the lvmcache lv sizes instead of having them hard-coded by the admin in the conf file - still support current settings as an override, but the tool should make some sensible default choices, based on device size.




Additional info:

Comment 4 Sachidananda Urs 2016-09-01 09:47:40 UTC
(In reply to Paul Cuzner from comment #0)
> Description of problem:
> Hyperconverged environments need additional settings to satisfy some
> customer requirements - specifically around security. I've talked these
> through with Sac, so these enhancements are all bundled into one RFE.
> 
> I've broken the request into short/medium term goals
> 
> 
> Short term (3-6 months)
> 
> - configure SSL for the control and data path

Done, pushed to master.

> - configure auth.allow to lock down client connections to a specified list
> of IPs

Currently not taken care of.

> - configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)

I need steps/documentation on how to do this.

> - configure systemd slice, and glusterd.service overrides for CPU control

Will be done in gdeploy.

> 
> 
> Medium term (6-9 months)
> - support gluster based tiering in addition to lvmcache
> - automatically configure the lvmcache lv sizes instead of having them
> hard-coded by the admin in the conf file - still support current settings as
> an override, but the tool should make some sensible default choices, based
> on device size.
>

Comment 5 SATHEESARAN 2016-09-15 13:44:00 UTC
(In reply to Sachidananda Urs from comment #4)
> (In reply to Paul Cuzner from comment #0)
> > Description of problem:
> > Hyperconverged environments need additional settings to satisfy some
> > customer requirements - specifically around security. I've talked these
> > through with Sac, so these enhancements are all bundled into one RFE.
> > 
> > I've broken the request into short/medium term goals
> > 
> > 
> > Short term (3-6 months)
> > 
> > - configure SSL for the control and data path
> 
> Done, pushed to master.
> 
> > - configure auth.allow to lock down client connections to a specified list
> > of IPs
> 
> Currently not taken care of.
> 
> > - configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)
> 
> I need steps/documentation on how to do this.

I think glusterd by default allows requests coming in from insecure ports.
@Sac, you can double-check this one with Kaushal.

Comment 6 SATHEESARAN 2016-09-15 13:57:45 UTC
This bug's intent was split into short-term and medium-term requirements.

The short-term requirements list is as follows:

- configure SSL for the control and data path
- configure auth.allow to lock down client connections to a specified list of IPs
- configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)
- configure systemd slice, and glusterd.service overrides for CPU control

And these requirements will be tracked as part of this bug.

The medium-term requirements are tracked as part of the bug BZ1376473.

Comment 7 SATHEESARAN 2016-11-07 09:40:17 UTC
All the observations are made with gdeploy-2.0.1-1.el7rhgs installed on RHEL 7.3.

Enabling SSL/TLS encryption through gdeploy is already verified with the bug - https://bugzilla.redhat.com/show_bug.cgi?id=1360980

With the above bug verification, SSL/TLS is enabled on the management and data path.
Also, specific ssl clients could be set for the volume, which locks down client connections to the volume.

glusterfs slice is also created for glusterfs slice using 'slice_setup' configuration.

With all this information, marking this bug as VERIFIED.
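
Added example (not part of the bug report and not gdeploy code): one way to check, after deployment, that the hardening items tracked in this bug are actually in effect on each volume. It parses `gluster volume info` output and reports missing TLS or client restrictions; the sample output, volume names and addresses are constructed, and the function names are hypothetical.

```python
import os

# Constructed sample of `gluster volume info` output (not taken from the bug).
SAMPLE_INFO = """\
Volume Name: engine
Status: Started
Options Reconfigured:
client.ssl: on
server.ssl: on
auth.ssl-allow: host1.example.com,host2.example.com
auth.allow: 192.0.2.11,192.0.2.12,*

Volume Name: data
Status: Started
Options Reconfigured:
performance.readdir-ahead: on
"""
TRUE = {"on", "yes", "true", "enable", "1"}

def parse_volumes(text):
    """Return {volume: {option: value}} from `gluster volume info` text."""
    volumes, current, in_opts = {}, None, False
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Volume Name":
            current, in_opts = volumes.setdefault(value, {}), False
        elif key == "Options Reconfigured":
            in_opts = True
        elif in_opts and sep and current is not None:
            current[key] = value
    return volumes

def audit(options):
    """List hardening gaps for one volume's reconfigured options."""
    findings = []
    for opt in ("client.ssl", "server.ssl"):
        if options.get(opt, "off").lower() not in TRUE:
            findings.append(f"{opt} is off: I/O path is not TLS-protected")
    if options.get("auth.ssl-allow", "*") == "*":
        findings.append("auth.ssl-allow unset or '*': certificate names not restricted")
    if "*" in [e.strip() for e in options.get("auth.allow", "*").split(",")]:
        findings.append("auth.allow contains '*': clients not restricted by address")
    return findings

def management_tls_enabled(flag="/var/lib/glusterd/secure-access"):
    """glusterd uses TLS on the management path when this file exists."""
    return os.path.exists(flag)

if __name__ == "__main__":
    for name, opts in parse_volumes(SAMPLE_INFO).items():
        print(name, audit(opts) or "OK")
```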

Comment 9 errata-xmlrpc 2017-03-23 04:57:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0483.html