Description of problem:
hyperconverged environments need additional settings to satisfy some customer requirements - specifically around security. I've talked these through with Sac, so these enhancements are all bundled into one RFE

I've broken the request into short/medium term goals

Short term (3-6 months)
- configure SSL for the control and data path
- configure auth.allow to lock down client connections to a specified list of IP's
- configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)
- configure systemd slice, and glusterd.service overrides for CPU control

Medium term 6-9 months
- support gluster based tiering in addition to lvmcache
- automatically configure the lvmcache lv sizes instead of having them hard-coded by the admin in the conf file - still support current settings as an override, but the tool should make some sensible default choices, based on device size.

Additional info:

(In reply to Paul Cuzner from comment #0)
> Description of problem:
> hyperconverged environments need additional settings to satisfy some
> customer requirements - specifically around security. I've talked these
> through with Sac, so these enhancements are all bundled into one RFE
>
> I've broken the request into short/medium term goals
>
> Short term (3-6 months)
>
> - configure SSL for the control and data path

Done pushed to master.

> - configure auth.allow to lock down client connections to a specified list
> of IP's

Currently not taken care of.

> - configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)

I need steps/documentation on how to do this.

> - configure systemd slice, and glusterd.service overrides for CPU control

Will be done in gdeploy.

> Medium term 6-9 months
> - support gluster based tiering in addition to lvmcache
> - automatically configure the lvmcache lv sizes instead of having them
> hard-coded by the admin in the conf file - still support current settings as
> an override, but the tool should make some sensible default choices, based
> on device size.

(In reply to Sachidananda Urs from comment #4)
> (In reply to Paul Cuzner from comment #0)
> > Description of problem:
> > hyperconverged environments need additional settings to satisfy some
> > customer requirements - specifically around security. I've talked these
> > through with Sac, so these enhancements are all bundled into one RFE
> >
> > I've broken the request into short/medium term goals
> >
> > Short term (3-6 months)
> >
> > - configure SSL for the control and data path
>
> Done pushed to master.
>
> > - configure auth.allow to lock down client connections to a specified list
> > of IP's
>
> Currently not taken care of.
>
> > - configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)
>
> I need steps/documentation on how to do this.

I think glusterd by default allows requests coming in from insecure ports.
@Sac, you can double check this one with Kaushal

This bug's intent was split into short-term and medium-term requirements.

The short-term requirements list goes as:
- configure SSL for the control and data path
- configure auth.allow to lock down client connections to a specified list of IP's
- configure glusterd to support gfapi (rhel 7.3/ovirt 4 timeframe)
- configure systemd slice, and glusterd.service overrides for CPU control

And these requirements will be tracked as part of this bug.

The medium-term requirements are tracked as part of the bug - BZ1376473

All the observations are made with gdeploy-2.0.1-1.el7rhgs installed on RHEL 7.3

Enabling SSL/TLS encryption through gdeploy is already verified with the bug - https://bugzilla.redhat.com/show_bug.cgi?id=1360980

With the above bug verification SSL/TLS is enabled on management and data path. Also specific ssl clients could be set for the volume which locks down client connections to the volume.

glusterfs slice is also created for glusterfs slice using 'slice_setup' configuration.

With all this information, marking this bug as VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0483.html