Description of problem: commit 243a5b429f225acb8e7132264fe0a0835ff013d5 turn's 'ON' allow-insecure and bind-insecure by default. while upgrading subset of nodes from a trusted storage pool, nodes which have older versions of glusterfs will expect connection from secure ports only (since they still have bind-insecure off) thus they reject connection from upgraded nodes which now have insecure ports. Hence we will run into connection issues between peers. Version-Release number of selected component (if applicable): 3.1.3 reproducible: Simple, upgrading a subset of nodes from trusted pool will show you failure in connection between peers Actual results: Failure in connection between non-upgraded nodes and upgraded nodes Expected results: No connection issues between peers Additional info:
This bug is to track the fix which was already in 3.1.2 but missed out as part of rebasing to 3.1.3 from upstream 3.7.9
(In reply to Atin Mukherjee from comment #2) > This bug is to track the fix which was already in 3.1.2 but missed out as > part of rebasing to 3.1.3 from upstream 3.7.9 If I understand correctly, this solution is to revert that patch ( commit 243a5b429f225acb8e7132264fe0a0835ff013d5 ) that enabled allow-insecure and bind-insecure ?
rpc: set bind-insecure to off by default commit 243a5b429f225acb8e7132264fe0a0835ff013d5 turn's 'ON' allow-insecure and bind-insecure by default. Problem: Now with newer versions we have bind-insecure 'ON' by default. So, while upgrading subset of nodes from a trusted storage pool, nodes which have older versions of glusterfs will expect connection from secure ports only (since they still have bind-insecure off) thus they reject connection from upgraded nodes which now have insecure ports. Hence we will run into connection issues between peers. Solution: This patch will turn bind-insecure 'OFF' by default to avoid problem explained above. Change-Id: Id7a19b4872399d3b019243b0857c9c7af75472f7 BUG: 1319638 Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever>
REVIEW: https://code.engineering.redhat.com/gerrit/#/c/70313/
Don't see this issue with latest build. Tried to upgrade subset of nodes from 3.1.2 to 3.1.3 [version 3.7.9-2]. Moving it to verified.
bind insecure default value is off in rhgs-3.1.2 as well and hence this doesn't qualify for a doc_text.
Based on comment12, making the required changes
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1240