Bug 1360980 - [RFE] Configure SSL options for gluster volume
Summary: [RFE] Configure SSL options for gluster volume
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: gdeploy
Version: rhgs-3.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: RHGS 3.2.0
Assignee: Sachidananda Urs
QA Contact: Manisha Saini
URL:
Whiteboard:
Depends On:
Blocks: Gluster-HC-2 1351503
TreeView+ depends on / blocked
 
Reported: 2016-07-28 06:00 UTC by Sahina Bose
Modified: 2017-03-23 04:57 UTC (History)
7 users (show)

Fixed In Version: gdeploy-2.0.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-23 04:57:42 UTC


Attachments (Terms of Use)
gdeploy_script (382 bytes, text/plain)
2016-10-13 12:51 UTC, Manisha Saini
no flags Details
gdeply_script_logs (13.51 KB, text/plain)
2016-10-13 12:52 UTC, Manisha Saini
no flags Details
mount_logs_client1 (1.80 KB, text/plain)
2016-10-13 12:52 UTC, Manisha Saini
no flags Details
mount_logs_client2 (1.80 KB, text/plain)
2016-10-13 12:53 UTC, Manisha Saini
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:0483 normal SHIPPED_LIVE gdeploy bug fix and enhancement update 2017-03-23 08:56:29 UTC
Red Hat Bugzilla 1217555 None None None Never

Internal Links: 1217555

Description Sahina Bose 2016-07-28 06:00:41 UTC
Description of problem:
Provide a way to enable accessing gluster volume via SSL/TLS. 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
NA

Comment 2 Sachidananda Urs 2016-08-11 09:31:47 UTC
Is there a document that you follow? I need something as a reference.

Comment 3 Sachidananda Urs 2016-08-30 13:30:44 UTC
Currently we follow the documentation at:

https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
https://kshlm.in/post/network-encryption-in-glusterfs/

for setting up SSL on rhgs volumes.

I've completed the gdeploy feature for this and merged the patches into master.

On a fresh setup, if a volume has to be created with ssl enabled. The config file will look like:

[hosts]
10.70.37.147
10.70.37.47

[backend-setup]
devices=/dev/vdb
vgs=vg1
pools=pool1
lvs=lv1
mountpoints=/mnt/brick

[volume]
action=create
volname=ssl
transport=tcp
replica_count=2
force=yes
enable_ssl=yes
ssl_clients=10.70.37.107,10.70.37.173
brick_dirs=/data/1

[clients]
action=mount
hosts=10.70.37.173,10.70.37.107
volname=ssl
fstype=glusterfs
client_mount_points=/mnt/data


===========================================

If user has to enable ssl on an existing volume, the configuration file looks like:


[hosts]
10.70.37.147
10.70.37.47

# This is important. Clients have to be unmounted before setting up SSL
[clients1]
action=unmount
hosts=10.70.37.173,10.70.37.107
client_mount_points=/mnt/data

[volume]
action=enable-ssl
volname=ssl
ssl_clients=10.70.37.107,10.70.37.173

[clients2]
action=mount
hosts=10.70.37.173
volname=ssl
fstype=glusterfs
client_mount_points=/mnt/data


============================================================


Commit: https://github.com/gluster/gdeploy/commit/9a652a824 fixes the issue.

Comment 4 Manisha Saini 2016-10-13 12:51:00 UTC
Created attachment 1210069 [details]
gdeploy_script

Comment 5 Manisha Saini 2016-10-13 12:52:02 UTC
Created attachment 1210071 [details]
gdeply_script_logs

Comment 6 Manisha Saini 2016-10-13 12:52:40 UTC
Created attachment 1210072 [details]
mount_logs_client1

Comment 7 Manisha Saini 2016-10-13 12:53:16 UTC
Created attachment 1210073 [details]
mount_logs_client2

Comment 8 Manisha Saini 2016-10-13 13:03:03 UTC
Mount is failing on client when SSL services are enabled on the fresh setup when new volume is created with ssl service enable.


[root@dhcp37-202 ssl]# gluster v info
Volume Name: ssl
Type: Replicate
Volume ID: 005b1aac-e4a8-4daf-8669-45be00c37664
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: 10.70.37.202:/data/1
Brick2: 10.70.37.97:/data/1
Options Reconfigured:
performance.readdir-ahead: on
transport.address-family: inet
client.ssl: on
server.ssl: on
auth.ssl-allow: 10.70.37.135,10.70.37.137,10.70.37.202,10.70.37.97

server:

[root@dhcp37-202 ssl]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)


gluster-nagios-common-0.2.4-1.el7rhgs.noarch
glusterfs-client-xlators-3.8.4-2.el7rhgs.x86_64
glusterfs-server-3.8.4-2.el7rhgs.x86_64
vdsm-gluster-4.17.33-1.el7rhgs.noarch
gluster-nagios-addons-0.2.8-1.el7rhgs.x86_64
glusterfs-3.8.4-2.el7rhgs.x86_64
glusterfs-api-3.8.4-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-2.el7rhgs.x86_64
glusterfs-geo-replication-3.8.4-2.el7rhgs.x86_64
glusterfs-libs-3.8.4-2.el7rhgs.x86_64
glusterfs-fuse-3.8.4-2.el7rhgs.x86_64
python-gluster-3.8.4-2.el7rhgs.noarch


Client:

[root@dhcp37-137 glusterfs]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)

[root@dhcp37-137 glusterfs]# rpm -qa | grep gluster
glusterfs-3.8.4-2.el7.x86_64
glusterfs-libs-3.8.4-2.el7.x86_64
glusterfs-client-xlators-3.8.4-2.el7.x86_64
glusterfs-fuse-3.8.4-2.el7.x86_64

Comment 10 Manisha Saini 2016-10-14 09:17:39 UTC
Even tried the gdeploy script with replacing IP's with hostname.In that case also mount is failing on client.


And md5sum of the glusterfs.ca file on all the servers and client are same.
But as per the documentation the client glusterfs.ca should have only the server's keys and the server's glusterfs.ca file should have client+servers keys

https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
https://kshlm.in/post/network-encryption-in-glusterfs/

[root@dhcp37-135 ssl]# md5sum glusterfs.ca 
da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca

[root@dhcp37-97 ssl]# md5sum glusterfs.ca 
da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca

[root@dhcp37-137 ssl]# md5sum glusterfs.ca 
da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca

[root@dhcp37-202 ssl]# md5sum glusterfs.ca 
da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca

Comment 11 Sachidananda Urs 2016-10-19 05:44:22 UTC
Manisha, it works for me on my setup. Can you please provide me your setup?
I would like to check on that.

Regarding md5sum, it is ok to have the md5sum of glusterfs.ca on all the nodes
clients+servers. I have confirmed that from the ssl team.

(In reply to Manisha Saini from comment #10)
> Even tried the gdeploy script with replacing IP's with hostname.In that case
> also mount is failing on client.
> 
> 
> And md5sum of the glusterfs.ca file on all the servers and client are same.
> But as per the documentation the client glusterfs.ca should have only the
> server's keys and the server's glusterfs.ca file should have client+servers
> keys
> 
> https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
> https://kshlm.in/post/network-encryption-in-glusterfs/
> 
> [root@dhcp37-135 ssl]# md5sum glusterfs.ca 
> da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca
> 
> [root@dhcp37-97 ssl]# md5sum glusterfs.ca 
> da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca
> 
> [root@dhcp37-137 ssl]# md5sum glusterfs.ca 
> da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca
> 
> [root@dhcp37-202 ssl]# md5sum glusterfs.ca 
> da0daa0e0e8eff2f04776d3e544b959e  glusterfs.ca

Comment 12 Manisha Saini 2016-10-20 09:54:55 UTC
I tried SSL scenario both manually and with Gdeploy on newly created setup and it working fine.

[root@dhcp37-148 glusterd]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[root@dhcp37-148 glusterd]# cat /etc/redhat-storage-release 
Red Hat Gluster Storage Server 3.2.0

[root@dhcp37-148 glusterd]# rpm -qa | grep gluster
glusterfs-3.8.4-2.el7rhgs.x86_64
glusterfs-cli-3.8.4-2.el7rhgs.x86_64
gluster-nagios-common-0.2.4-1.el7rhgs.noarch
glusterfs-libs-3.8.4-2.el7rhgs.x86_64
glusterfs-client-xlators-3.8.4-2.el7rhgs.x86_64
glusterfs-api-3.8.4-2.el7rhgs.x86_64
glusterfs-server-3.8.4-2.el7rhgs.x86_64
gluster-nagios-addons-0.2.8-1.el7rhgs.x86_64
vdsm-gluster-4.17.33-1.el7rhgs.noarch
glusterfs-fuse-3.8.4-2.el7rhgs.x86_64
glusterfs-geo-replication-3.8.4-2.el7rhgs.x86_64
python-gluster-3.8.4-2.el7rhgs.noarch

Comment 13 Atin Mukherjee 2016-10-20 10:14:24 UTC
Based on comment 12, moving this back to ON_QA.

Comment 14 Manisha Saini 2016-10-20 11:43:12 UTC
Based on Comment 12,
As SSL option for gluster volume is working fine with GDEPLOY,
Hence marking this big as verified

Comment 16 errata-xmlrpc 2017-03-23 04:57:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0483.html


Note You need to log in before you can comment on or make changes to this bug.