| Summary: | [Doc] : Document enabling SSL on SMB and Ganesha setups. | ||
|---|---|---|---|
| Product: | Red Hat Gluster Storage | Reporter: | Ambarish <asoman> |
| Component: | doc-Administration_Guide | Assignee: | Bhavana <bmohanra> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ambarish <asoman> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rhgs-3.2 | CC: | asoman, asriram, bturner, rcyriac, rhinduja, rhs-bugs, rjoseph, rwheeler, sankarshan, skoduri, storage-doc, storage-qa-internal, vdas |
| Target Milestone: | --- | ||
| Target Release: | RHGS 3.2.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-24 10:24:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1351553 | ||
Description
Ambarish
2016-12-11 16:55:10 UTC
Hi Soumya, Rajesh,

Can you please share the setup steps with the access mechanisms for NFS Ganesha and Samba respectively?

Thanks

I am not familiar with the SSL setup mechanism. AFAIR, Ambarish planned to provide the steps he had used for his testing. I can help with the review and suggest in case any corrections are needed. Thanks!

From the Samba side I don't think we need any new documentation. The exact same steps followed for a FUSE mount need to be followed for a Samba mount. Vivek and Surabhi can comment here. The only change I can see is to remove the "Important" note at the start of the chapter, which says we don't support NFS and Samba with SSL.

************
Ganesha +SSL
************

On a Fresh Setup
-----------------
> Do the SSL part first, i.e., generate keys, TLS authenticate servers and clients etc.
> Then build the Ganesha cluster.

On an already existing Ganesha cluster
--------------------------------------
This has to be done the disruptive way.
> Break the cluster, disable Ganesha.
> *Perform SSL setup steps*
> Recreate Ganesha cluster by enabling Ganesha.

If we do not do it this way, we hit https://bugzilla.redhat.com/show_bug.cgi?id=1403543.

Based on our meeting today it was decided to try this scenario again for Ganesha. And based on the result it can be decided if a note (after step 2 of 9.3.1) needs to be added or not.

Bhavana,

Kindly discard Comment Number 6 made by me completely, I missed a little something :)

On an already existing Ganesha cluster (Mgt Encryption, I/O encryption works fine, anyway):
--------------------------------------
*Follow steps documented for FUSE*
> Stop Volume.
> Stop glusterd
> pkill glusterfs
> Stop Ganesha service

** Perform TLS auth steps, then bring back everything up **
> Start glusterd
> Start volume
> *Mount shared storage manually* via: mount -t glusterfs <hostname>:/gluster_shared_storage /run/gluster/shared_storage
> Start Ganesha service and check for export.

TLDR -> So basically along with the steps we do for an existing FUSE setup, we need to stop Ganesha before performing the TLS authentication stuff, remount shared storage once we are done, and only then start NFS-Ganesha. This works fine, I tested it.

Soumya, can you please review this?

Vivek, can you add the necessary steps for Samba?

9.3.2. Enabling Management Encryption
On an already existing CTDB cluster
--------------------------------------
# umount mount-point
# gluster volume stop VOLNAME
>> systemctl stop ctdb (on all servers) / service ctdb stop (on all servers)
# service glusterd stop

# Existing steps
>> To be added

Adding needinfo on Soumya, it was cleared by mistake.

The changes suggested by Ambarish look good to me.

I am proposing a single section to cover all these. Please let me know if anybody has any concerns. Following are the proposed changes.
1. Unmount all volumes on all the clients
# umount mount-point
2. Stop Ganesha and Samba services if used. Provide links to Samba and NFS sections for commands. [New]
3. Unmount shared storage (if used) on all nodes. [New]
umount /var/run/gluster/shared_storage
NOTE: Services dependent on shared storage like snapshot, geo-replication may not work till it is remounted again.
4. Stop all the volumes including shared storage.
# gluster volume stop VOLNAME
5. Stop glusterd on all servers.
# service glusterd stop
(pkill step should be removed)
6. Create the /var/lib/glusterd/secure-access file on all servers and clients.
# touch /var/lib/glusterd/secure-access
7. Start glusterd on all the servers.
# service glusterd start
8. Start all the volumes including shared storage
# gluster volume start VOLNAME
9. Mount shared storage if used. [New]
10. Mount the volume on all the clients. For example, to manually mount a volume and access data using Native client, use the following command:
# mount -t glusterfs server1:/test-volume /mnt/glusterfs
11. Start Ganesha and Samba services. Provide link [New]
Steps 10 and 11 should be interchanged :) You need to start Ganesha/Samba before you can proceed with the mount.

Step 8: When is shared storage stopped?

Yes, steps 10 and 11 should be interchanged ;)
> Step 8 : When is shared storage stopped?
Step 4
LGTM :) Thanks Rajesh!

Thanks Ambarish and Rajesh. The updated steps are added to section 9.3.2 Enabling Management Encryption http://ccs-jenkins.gsslab.brq.redhat.com:8080/job/doc-Red_Hat_Gluster_Storage-3.2-Administration_Guide-branch-master/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#idm139926274157712

LGTM, Thanks!

RHGS 3.2.0 GA completed on 23 March 2017
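
A pre-flight check for steps 1, 3 and 5 of the procedure proposed in this thread, as an added example that is not part of the bug report or the product documentation: on one node it confirms that no Gluster FUSE mount (volume or shared storage) remains and that glusterd is stopped before /var/lib/glusterd/secure-access is created. It assumes Gluster FUSE mounts are listed in /proc/mounts with type fuse.glusterfs; the GLUSTERD_CHECK override and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: run on each server/client before step 6
# (touch /var/lib/glusterd/secure-access).

# Constructed sample in /proc/mounts format; host names and paths are made up.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / xfs rw,relatime 0 0
server1:/gluster_shared_storage /run/gluster/shared_storage fuse.glusterfs rw,relatime,user_id=0 0 0
server1:/test-volume /mnt/glusterfs fuse.glusterfs rw,relatime,user_id=0 0 0
tmpfs /run tmpfs rw,nosuid 0 0
EOF
}

# Print the mount point of every Gluster FUSE mount listed in the given file.
remaining_gluster_mounts() {
    awk '$3 == "fuse.glusterfs" { print $2 }' "${1:-/proc/mounts}"
}

# Return 0 only when no Gluster FUSE mount remains and glusterd is stopped.
# Return 1 when something is still up, 2 when the glusterd state is unknown.
# GLUSTERD_CHECK is a hypothetical override (exit 0 = running, 1 = stopped)
# so the logic can be exercised without a Gluster node.
preflight() {
    left=$(remaining_gluster_mounts "${1:-/proc/mounts}")
    if [ -n "$left" ]; then
        echo "still mounted:" $left >&2
        return 1
    fi
    check=${GLUSTERD_CHECK:-pgrep -x glusterd}
    rc=0
    $check >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "glusterd is still running" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "cannot determine glusterd state (exit $rc)" >&2; return 2 ;;
    esac
}
```

On a real node, call `preflight` with no argument so it reads /proc/mounts and uses `pgrep -x glusterd`.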