Bug 1408926
Summary: | Isolate the sections on enabling ssl and volume creation in gdeploy to prevent the volume mount problem. | ||
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Gluster Storage | Reporter: | RamaKasturi <knarra> |
Component: | gdeploy | Assignee: | Sachidananda Urs <surs> |
Status: | CLOSED WONTFIX | QA Contact: | SATHEESARAN <sasundar> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | rhgs-3.2 | CC: | amukherj, bmohanra, rcyriac, rhs-bugs, sabose, sasundar, smohan, storage-qa-internal, surs |
Target Milestone: | --- | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
Currently the "ssl_enable" option is part of the "volume" section. It is a site wide change. If more than one volume is used in the same configuration (and within the same set of servers) and ssl_enable is set in all the volume sections, then the ssl operation steps are performed multiple times. This causes the older volumes to fail to mount. Users will then not be able to set SSL automatically with a single line of configuration.
Workaround:
If there are more than one volume on a node. Set the variable "enable_ssl" under one [volume] section and set the keys: 'client.ssl', value: 'on'; 'server.ssl', value: 'on';'auth.ssl-allow', value: <comma separated ssl hosts>
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-11-08 12:57:33 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1351530 |
Description
RamaKasturi
2016-12-28 07:46:03 UTC
put blocker '?' because when volumes are created using gdeploy with ssl_enabled, mounting of volume does not work and due to his hc installation fails. Also the workflow goes like this when the volume requires encryption: 1. Create volume 2. Set volume options ( if provided as part of [volume] gdeploy ansible module ) 3. Start the volume 4. If encryption is required on the volume, ssl options ( server.ssl=on & client.ssl=on) are set on the volume 5. Stop & Start the volume In the above workflow the volume goes through start->stop->start states. The corrected workflow could be: 1. Create volume 2. Set volume options ( if provided as part of [volume] gdeploy ansible module ) 3. If encryption is required on the volume, SSL volume options ( server.ssl=on & client.ssl=on) are set on the volume 4. Start the volume With the corrected workflow, there is only one volume start and reduces the gdeploy configuration time. (In reply to SATHEESARAN from comment #3) > Also the workflow goes like this when the volume requires encryption: > > 1. Create volume > 2. Set volume options ( if provided as part of [volume] gdeploy ansible > module ) > 3. Start the volume > 4. If encryption is required on the volume, ssl options ( server.ssl=on & > client.ssl=on) are set on the volume > 5. Stop & Start the volume > > In the above workflow the volume goes through start->stop->start states. > > The corrected workflow could be: > 1. Create volume > 2. Set volume options ( if provided as part of [volume] gdeploy ansible > module ) > 3. If encryption is required on the volume, SSL volume options ( > server.ssl=on & client.ssl=on) are set on the volume > 4. Start the volume > > With the corrected workflow, there is only one volume start and reduces the > gdeploy configuration time. sas, the volume stop-start is added because we support ssl setup on existing volumes as well. And we try to stop first to ensure we don't do anything on running volumes. Currently gdeploy follows the 3 step process when enabled per volume 1. Creation of SSL files ( glusterfs.key, glusterfs.pem, glusterfs.ca ) 2. Enabling SSL with glusterd 3. Enabling SSL on that gluster volume The above 3 steps are done together when the volume section has 'enable_ssl=yes' and 'ssl_clients=host1,host2' So, the above 3 steps should not be done together as it may contradict the some case. Take for instance, when expanding the cluster, user may just require to generate SSL cert files on the new host and turn on SSL for glusterd but not on the volume, as the volume would have already enabled SSL In other case, he may have the SSL certs creating by his own ( say there is a CA available ), in that case the user may just want to turn on SSL on glusterd and volumes, but not to generate SSL cert files once again. Gdeploy should consider all these cases and provide the flexibility to handle above mentioned cases Since this functionality will be moved to gluster-ansible in future, this bug is flagged for closure. If there is a requirement to fix in 3.x please update the bug. But is there any need to have this bug kept open here? If there were any requirements to fix this in 3.x updates; I was expecting a comment here. Now that I don't see anyone commenting from past two weeks, we can close this. |