Bug 1181466 - [RFE][HC] – Require GlusterFS 3.7.3 for rpc-auth-allow-insecure to be used by libgfapi
Summary: [RFE][HC] – Require GlusterFS 3.7.3 for rpc-auth-allow-insecure to be used by...
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: ovirt-host-deploy
Classification: oVirt
Component: Plugins.Gluster
Version: ---
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-4.0.0-alpha
: ---
Assignee: Sandro Bonazzola
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Depends On: 1232658
Blocks: 1022961 1177776
TreeView+ depends on / blocked
 
Reported: 2015-01-13 09:09 UTC by Federico Simoncelli
Modified: 2015-12-15 13:13 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-15 13:13:40 UTC
oVirt Team: ---
Embargoed:
ylavi: ovirt-4.0.0?
ylavi: planning_ack?
ylavi: devel_ack?
ylavi: testing_ack?

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 39678 0 master ABANDONED hosted-engine: configure gluster for HC Never

Description Federico Simoncelli 2015-01-13 09:09:52 UTC 
Description of problem:
Adding the support for libgfapi requires the option rpc-auth-allow-insecure set to "on" in glusterd.vol (and service restart).

We also should consider what to do with the hosts where gluster was already deployed.
Comment 1 Alon Bar-Lev 2015-01-13 09:43:45 UTC 
or patch libgfapi to enable secure mode? exposing hosts only because a component that is under our control misbehaves is the last [non available] alternative.
Comment 2 Federico Simoncelli 2015-02-04 14:11:01 UTC 
(In reply to Alon Bar-Lev from comment #1)
> or patch libgfapi to enable secure mode? exposing hosts only because a
> component that is under our control misbehaves is the last [non available]
> alternative.

rpc-auth-allow-insecure:

"""
Allow client connections from unprivileged ports. By default only privileged ports are allowed.
"""

If you want regular users (using unprivileged ports on the client) to be able to connect to your gluster server you need to enable rpc-auth-allow-insecure.

The use case for this is qemu processes (running as qemu user) being able to directly connect to the gluster server to access the images.

It would be great if we could do it only per-volume but as I understood from Vijay that's not enough (you also need rpc-auth-allow-insecure).

Vijay is that correct?
Comment 3 Sandro Bonazzola 2015-05-21 07:14:15 UTC 
According to Pranith and Vijay this one won't be needed starting with Gluster 3.7.1. So the requirement here is to raise the requirements for getting gluster >= 3.7.1 once it will be out in a couple of weeks.
Comment 4 Sandro Bonazzola 2015-05-22 12:00:35 UTC 
Waiting for Gluster 3.7.1 to be out.
Comment 5 Sandro Bonazzola 2015-06-03 07:05:57 UTC 
The patch has been delayed to 3.7.2
Comment 6 Sandro Bonazzola 2015-06-30 07:07:50 UTC 
The patch has been delayed to 3.7.3 http://review.gluster.org/11039
Comment 7 Yaniv Lavi 2015-07-16 03:53:30 UTC 
should this be modified?
Comment 8 Sandro Bonazzola 2015-07-16 07:01:47 UTC 
AFAIK 3.7.3 has not been released yet.
Comment 9 Prasanna Kumar Kalever 2015-07-22 09:58:28 UTC 
There  were few problems discovered by http://review.gluster.org/11039 which can be addressed by http://review.gluster.org/#/c/11512/ (Waiting to get merged)
Comment 10 Red Hat Bugzilla Rules Engine 2015-09-20 21:01:48 UTC 
This request has been proposed for two releases. This is invalid flag usage. The ovirt-future release flag has been cleared. If you wish to change the release flag, you must clear one release flag and then set the other release flag to ?.
Comment 11 Sandro Bonazzola 2015-12-15 13:13:40 UTC 
Closing Upstream, should be solved in Gluster by now.
Note You need to log in before you can comment on or make changes to this bug.