Description of problem: Unable to setup/use non-root Geo-replication

Version-Release number of selected component (if applicable): mainline

How reproducible: always

Actual results: With the current changes to Geo-replication, using non-root user (via Mountbroker) to replicate data is not functioning.

Expected results: Admin should be able to setup and use this feature as expected

Efforts involved

This can be split into two parts - glusterd and geo-replication daemon.

1. Revert patch in glusterd
   As of now, glusterd does not allow creation of non-root geo-rep session. Reverting this patch would allow the creation of non-root geo-rep sessions.

2. Fixes in geo-replication daemon
   After #1, there would be changes/bug-fixes in the daemon part to allow entities to be synced without super user privileges. Majority of the code still lives in the codebase, but given the extensive amount of changes that have been done to geo-rep for distributify and using changelogs, there could be a lot of places to fix bugs.
Initial patch: http://review.gluster.org/#/c/7658/
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication) posted (#4) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication) posted (#5) for review on master by Avra Sengupta (asengupt)
REVIEW: http://review.gluster.org/7744 (glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume) posted (#1) for review on master by Avra Sengupta (asengupt)
REVIEW: http://review.gluster.org/7744 (glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume) posted (#2) for review on master by Avra Sengupta (asengupt)
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication.) posted (#6) for review on master by Avra Sengupta (asengupt)
REVIEW: http://review.gluster.org/7744 (glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume) posted (#3) for review on master by Avra Sengupta (asengupt)
REVIEW: http://review.gluster.org/7658 (gsyncd / geo-rep: Partial support for Non-root geo-replication.) posted (#7) for review on master by Avra Sengupta (asengupt)
COMMIT: http://review.gluster.org/7658 committed in master by Venky Shankar (vshankar)
------
commit 48201f4faeef3602cb095bf47d14deebf91899ba
Author: Venky Shankar <vshankar>
Date: Sun May 4 01:34:08 2014 +0530

    gsyncd / geo-rep: Partial support for Non-root geo-replication.

    This patch enables geo-replication to be run as an unprivileged user. As of now, this is just the partial support, but is very close to achieve full functionality.

    Current limitation
    * Geo-replication executed Gluster CLI commands on the slave via SSH. On a non-root setup, Gluster CLI would run as an unprivileged user, failing to execute the command. As a workaround (for testing), setuid(2) Gluster CLI executable or use the glusterd option to accept commands by unprivileged CLI process.

    The nature of cli commands are "system::" commands (for key management) and remote volume info fetching. Remote volume info fetching has been modified to use --remote-host gluster cli option rather than ssh and remote cli execution.

    Change-Id: Ica89e2ba9b7f48fd6e1c876c477d7822dc693617
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7658
    Tested-by: Gluster Build System <jenkins.com>

COMMIT: http://review.gluster.org/7744 committed in master by Venky Shankar (vshankar)
------
commit 09e9775127c7def49202e68c923e36a6032a3628
Author: Avra Sengupta <asengupt>
Date: Mon May 12 00:06:32 2014 +0000

    glusterd/geo-rep: Allow gverify.sh and S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume

    Mounting the slave-volume on local node, to perform disk checks in order to allow gverify.sh to operate for non-root privileged slave volume

    Allowing the hook script S56glusterd-geo-rep-create-post.sh to operate for non-root privileged slave volume

    Modified peer_add_secret_pub.in to accept username as argument and add the pem keys to the user's_home_dir/.ssh/authorized_keys

    Wrote set_geo_rep_pem_keys.sh which accepts username as argument and copies the pem keys from the user's home directory to $GLUSTERD_WORKING_DIR/geo-replication/ and then copies the keys to other nodes in the cluster and add them to the respective authorized keys. The script takes as argument the user name and assumes that the user will be present in all the nodes in the cluster. It is not needed for root.

    To summarize:

    For a privileged slave user, execute the following on master node as super user:
        gluster system:: execute gsec_create
        gluster volume geo-replication <master_vol> [root@]<slave_ip>::<slave_vol> create push_pem

    For a non-privileged slave user execute the following on master node as super user:
        gluster system:: execute gsec_create
        gluster volume geo-replication <master_vol> <slave_user>@<slave_ip>::<slave_vol> create push_pem
    then on the slave node execute the following as super user:
        /usr/local/libexec/glusterfs/set_geo_rep_pem_keys.sh <slave_user>

    BUG: 1077452
    Change-Id: I88020968aa5b13a2c2ab86b1d6661b60071f6f5e
    Signed-off-by: Avra Sengupta <asengupt>
    Reviewed-on: http://review.gluster.org/7744
    Tested-by: Gluster Build System <jenkins.com>
    Reviewed-by: Venky Shankar <vshankar>
    Tested-by: Venky Shankar <vshankar>
REVIEW: http://review.gluster.org/7767 (gsyncd/geo-rep: Fix remote vol info fetching for non-root) posted (#1) for review on master by Kotresh HR (khiremat)
COMMIT: http://review.gluster.org/7767 committed in master by Venky Shankar (vshankar)
------
commit a20b6b473bf72224b0ea7752987d47d44b8b633c
Author: Kotresh H R <khiremat>
Date: Thu May 15 12:52:22 2014 +0530

    gsyncd/geo-rep: Fix remote vol info fetching for non-root

    Signed-off-by: Kotresh H R <khiremat>
    Change-Id: If1d2cab3fcfe2391105551e54f0b9729a7c204e4
    BUG: 1077452
    Reviewed-on: http://review.gluster.org/7767
    Reviewed-by: Venky Shankar <vshankar>
    Tested-by: Venky Shankar <vshankar>
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix slave volume glusterd query) posted (#1) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#2) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#1) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#2) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#3) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7821 (mgmt/glusterd: Allow mount/umount requests over AF_INET) posted (#1) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#3) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7821 (mgmt/glusterd: Allow mount/umount requests over AF_INET) posted (#2) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#4) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7833 (gsyncd : Use --remote-host option during cli invocation) posted (#1) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7820 (gsyncd / geo-rep: Mountbroker cli to use INET sockets) posted (#4) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7821 (mgmt/glusterd: Allow mount/umount requests over AF_INET) posted (#3) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7833 (gsyncd : Use --remote-host option during cli invocation) posted (#2) for review on master by Venky Shankar (vshankar)
REVIEW: http://review.gluster.org/7818 (gsyncd / geo-rep: fix cli query for volinfo fetch) posted (#5) for review on master by Venky Shankar (vshankar)
COMMIT: http://review.gluster.org/7821 committed in master by Venky Shankar (vshankar)
------
commit a6da7b531bccbec8c8320acb09e2ee6a5df73a33
Author: Vijay Bellur <vbellur>
Date: Tue May 20 19:57:37 2014 +0530

    mgmt/glusterd: Allow mount/umount requests over AF_INET

    Along with a simple naming convention change to avoid confusion as per below.

    s/gd_svc_cli_prog_ro/gd_svc_cli_trusted_progs/
    s/gd_svc_cli_actors_ro/gd_svc_cli_trusted_actors/

    Change-Id: Ibc73d88846636656f060a811f641f37a1a864615
    BUG: 1077452
    Original-Author: Vijay Bellur <vbellur>
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7821
    Reviewed-by: Kotresh HR <khiremat>
    Tested-by: Gluster Build System <jenkins.com>

COMMIT: http://review.gluster.org/7818 committed in master by Venky Shankar (vshankar)
------
commit bbb8313568bd0725f9faf1927ccefe79126a2113
Author: Venky Shankar <vshankar>
Date: Wed May 21 11:54:24 2014 +0530

    gsyncd / geo-rep: fix cli query for volinfo fetch

    With an unprivileged geo-replication session, monitor was using user@slave for --remote-host option for gluster cli, thereby failing to successfully connect to the slave glusterd. This patch fixes the issue by selecting the hostname/IP from the specified slave endpoint url.

    - For privileged geo-replication sessions, this patch has no effect as the slave endpoint url is just the hostname/IP.

    Change-Id: I88f66c406a8d9a34db7fc626965f949075e3ceac
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7818
    Reviewed-by: Aravinda VK <avishwan>
    Reviewed-by: Kotresh HR <khiremat>
    Tested-by: Gluster Build System <jenkins.com>

COMMIT: http://review.gluster.org/7820 committed in master by Venky Shankar (vshankar)
------
commit 74cc911d4301905d0722a943ca2b844637d4dc74
Author: Venky Shankar <vshankar>
Date: Wed May 21 14:18:06 2014 +0530

    gsyncd / geo-rep: Mountbroker cli to use INET sockets

    unprivileged geo-replication session runs the slave gsyncd process as unprivileged, thereby executing gluster cli commands as an unprivileged user. By default, cli to glusterd uses unix domain sockets, thereby restricting cli command execution by non root users. This patch introduces '--remote-host' cli option to force cli to use INET socket.

    For this to work, the following needs to be added in glusterd volfile

        option rpc-auth-allow-insecure on

    Change-Id: I84b1711281bbcbde156200f80ebdb065afb55488
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7820
    Tested-by: Gluster Build System <jenkins.com>

COMMIT: http://review.gluster.org/7833 committed in master by Venky Shankar (vshankar)
------
commit be8a3845c7d76d7da66ad278618ff29d0b81903c
Author: Venky Shankar <vshankar>
Date: Wed May 21 20:49:22 2014 +0530

    gsyncd : Use --remote-host option during cli invocation

    Required for unprivileged geo-replication sessions to execute glusterd commands (which are however restricted).

    Change-Id: Ib83b81defa061717f4465ffa665450d0f5d3d20d
    BUG: 1077452
    Signed-off-by: Venky Shankar <vshankar>
    Reviewed-on: http://review.gluster.org/7833
    Reviewed-by: Kotresh HR <khiremat>
    Tested-by: Gluster Build System <jenkins.com>
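
Added example (not part of this bug report and not gsyncd's own code): the commit messages for reviews 7818 and 7833 describe taking only the hostname/IP out of a `[user@]host::volume` slave endpoint before handing it to the CLI's --remote-host option. The sketch below does that split and refuses fields that could be read as command-line options. The function names, the character sets, the sample endpoints and the exact argv shape are assumptions of this example.

```python
import re

# Conservative character sets (an assumption of this example, not GlusterFS rules).
# A leading "-" is refused so no field can be read as a command-line option.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:_-]*$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def parse_slave(spec):
    """Split '[user@]host::volume' into (user, host, volume).

    A missing user means the privileged form, i.e. root.
    """
    endpoint, sep, volume = spec.rpartition("::")
    if not sep:
        raise ValueError("expected [user@]host::volume, got %r" % spec)
    user, at, host = endpoint.rpartition("@")
    if not at:
        user = "root"
    checks = (("user", user, _NAME_RE), ("host", host, _HOST_RE),
              ("volume", volume, _NAME_RE))
    for label, value, rx in checks:
        if not rx.match(value):
            raise ValueError("invalid %s %r in %r" % (label, value, spec))
    return user, host, volume


def volinfo_argv(spec):
    """Build the argv for a volume-info query sent to the slave glusterd."""
    _user, host, volume = parse_slave(spec)
    # Only the host goes to --remote-host; "user@host" there is the failure
    # described in the commit message of review 7818.
    return ["gluster", "--xml", "--remote-host=" + host,
            "volume", "info", volume]


if __name__ == "__main__":
    # Constructed sample specs, not taken from the bug report.
    for s in ("geoaccount@192.0.2.10::slavevol", "192.0.2.10::slavevol"):
        print(parse_slave(s), volinfo_argv(s))
```

Passing the result as an argv list to a process launcher, rather than joining it into a shell string, keeps the endpoint fields from being reinterpreted by a shell.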
Would it be practical to backport this to 3.5.x series?
A beta release for GlusterFS 3.6.0 has been released. Please verify if the release solves this bug report for you. In case the glusterfs-3.6.0beta1 release does not have a resolution for this issue, leave a comment in this bug and move the status to ASSIGNED. If this release fixes the problem for you, leave a note and change the status to VERIFIED.

Packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update (possibly an "updates-testing" repository) infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-September/018836.html
[2] http://supercolony.gluster.org/pipermail/gluster-users/

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.6.1, please reopen this bug report.

glusterfs-3.6.1 has been announced [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] http://supercolony.gluster.org/pipermail/gluster-users/2014-November/019410.html
[2] http://supercolony.gluster.org/mailman/listinfo/gluster-users