Bug 764731 (GLUSTER-2999)

Summary: Support SSL in socket transport
Product: [Community] GlusterFS Reporter: Jeff Darcy <jdarcy>
Component: transportAssignee: Vijay Bellur <vbellur>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: medium    
Version: mainlineCC: amarts, gluster-bugs
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: glusterfs-3.4.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-24 17:48:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 895528    

Description Jeff Darcy 2011-06-07 14:47:53 UTC 
I have a patch that adds SSL (based on OpenSSL) as an option for the socket transport.  Actually it's three options:

* transport.socket.ssl-own-cert: this server's certificate

* transport.socket.ssl-private-key: key matching own-cert

* transport.socket.ssl-ca-list: list of trusted certificates (including CA certs)

If all three options are specified, then SSL support will be enabled.  If one or two are specified, a warning will be issued and SSL will not be enabled.  If none are specified, behavior remains as it was before.

This patch also includes socket multi-threading ("gatling gun") changes, to mitigate the performance impact of calling ssl_read/ssl_write from a single polling thread.  This is also controlled by an option:

* transport.socket.own-thread: use own per-socket polling thread

This option is initially enabled if SSL is enabled (see above) but can be overridden in the volfile.  It's effect on performance without SSL ranges from neutral to slightly positive (e.g. one client connecting to many servers).  With SSL enabled, it can have about a 2.5x positive effect on performance - probably even more with increasing numbers of servers and cores.
Comment 1 Amar Tumballi 2011-09-28 04:26:41 UTC 
vijay, Du is not working on this. As Jeff already has it working, putting you as assignee to take care of this.
Comment 2 Vijay Bellur 2012-07-17 20:18:40 UTC 
CHANGE: http://review.gluster.com/362 (rpc-transport/socket: Add SSL support.) merged in master by Anand Avati (avati)
Comment 3 Vijay Bellur 2012-07-30 18:53:33 UTC 
CHANGE: http://review.gluster.com/3701 (rpc/socket: finish initialization in own thread) merged in master by Anand Avati (avati)
Comment 4 Anand Avati 2014-04-17 23:40:17 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#3) for review on master by Jeff Darcy (jdarcy)
Comment 5 Anand Avati 2014-04-18 00:13:59 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#4) for review on master by Jeff Darcy (jdarcy)
Comment 6 Anand Avati 2014-06-10 19:18:04 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#5) for review on master by Jeff Darcy (jdarcy)
Comment 7 Anand Avati 2014-06-11 12:23:10 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#6) for review on master by Jeff Darcy (jdarcy)
Comment 8 Anand Avati 2014-06-13 12:38:35 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#7) for review on master by Jeff Darcy (jdarcy)
Comment 9 Anand Avati 2014-06-23 15:37:57 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#8) for review on master by Jeff Darcy (jdarcy)
Comment 10 Anand Avati 2014-06-24 15:03:51 UTC 
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#9) for review on master by Jeff Darcy (jdarcy)