Description of problem: Provide a way to enable accessing gluster volume via SSL/TLS. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: NA
Is there a document that you follow? I need something as a reference.
Currently we follow the documentation at: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/ https://kshlm.in/post/network-encryption-in-glusterfs/ for setting up SSL on rhgs volumes. I've completed the gdeploy feature for this and merged the patches into master. On a fresh setup, if a volume has to be created with ssl enabled. The config file will look like: [hosts] 10.70.37.147 10.70.37.47 [backend-setup] devices=/dev/vdb vgs=vg1 pools=pool1 lvs=lv1 mountpoints=/mnt/brick [volume] action=create volname=ssl transport=tcp replica_count=2 force=yes enable_ssl=yes ssl_clients=10.70.37.107,10.70.37.173 brick_dirs=/data/1 [clients] action=mount hosts=10.70.37.173,10.70.37.107 volname=ssl fstype=glusterfs client_mount_points=/mnt/data =========================================== If user has to enable ssl on an existing volume, the configuration file looks like: [hosts] 10.70.37.147 10.70.37.47 # This is important. Clients have to be unmounted before setting up SSL [clients1] action=unmount hosts=10.70.37.173,10.70.37.107 client_mount_points=/mnt/data [volume] action=enable-ssl volname=ssl ssl_clients=10.70.37.107,10.70.37.173 [clients2] action=mount hosts=10.70.37.173 volname=ssl fstype=glusterfs client_mount_points=/mnt/data ============================================================ Commit: https://github.com/gluster/gdeploy/commit/9a652a824 fixes the issue.
Created attachment 1210069 [details] gdeploy_script
Created attachment 1210071 [details] gdeply_script_logs
Created attachment 1210072 [details] mount_logs_client1
Created attachment 1210073 [details] mount_logs_client2
Mount is failing on client when SSL services are enabled on the fresh setup when new volume is created with ssl service enable. [root@dhcp37-202 ssl]# gluster v info Volume Name: ssl Type: Replicate Volume ID: 005b1aac-e4a8-4daf-8669-45be00c37664 Status: Started Snapshot Count: 0 Number of Bricks: 1 x 2 = 2 Transport-type: tcp Bricks: Brick1: 10.70.37.202:/data/1 Brick2: 10.70.37.97:/data/1 Options Reconfigured: performance.readdir-ahead: on transport.address-family: inet client.ssl: on server.ssl: on auth.ssl-allow: 10.70.37.135,10.70.37.137,10.70.37.202,10.70.37.97 server: [root@dhcp37-202 ssl]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) gluster-nagios-common-0.2.4-1.el7rhgs.noarch glusterfs-client-xlators-3.8.4-2.el7rhgs.x86_64 glusterfs-server-3.8.4-2.el7rhgs.x86_64 vdsm-gluster-4.17.33-1.el7rhgs.noarch gluster-nagios-addons-0.2.8-1.el7rhgs.x86_64 glusterfs-3.8.4-2.el7rhgs.x86_64 glusterfs-api-3.8.4-2.el7rhgs.x86_64 glusterfs-cli-3.8.4-2.el7rhgs.x86_64 glusterfs-geo-replication-3.8.4-2.el7rhgs.x86_64 glusterfs-libs-3.8.4-2.el7rhgs.x86_64 glusterfs-fuse-3.8.4-2.el7rhgs.x86_64 python-gluster-3.8.4-2.el7rhgs.noarch Client: [root@dhcp37-137 glusterfs]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) [root@dhcp37-137 glusterfs]# rpm -qa | grep gluster glusterfs-3.8.4-2.el7.x86_64 glusterfs-libs-3.8.4-2.el7.x86_64 glusterfs-client-xlators-3.8.4-2.el7.x86_64 glusterfs-fuse-3.8.4-2.el7.x86_64
Even tried the gdeploy script with replacing IP's with hostname.In that case also mount is failing on client. And md5sum of the glusterfs.ca file on all the servers and client are same. But as per the documentation the client glusterfs.ca should have only the server's keys and the server's glusterfs.ca file should have client+servers keys https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/ https://kshlm.in/post/network-encryption-in-glusterfs/ [root@dhcp37-135 ssl]# md5sum glusterfs.ca da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca [root@dhcp37-97 ssl]# md5sum glusterfs.ca da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca [root@dhcp37-137 ssl]# md5sum glusterfs.ca da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca [root@dhcp37-202 ssl]# md5sum glusterfs.ca da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca
Manisha, it works for me on my setup. Can you please provide me your setup? I would like to check on that. Regarding md5sum, it is ok to have the md5sum of glusterfs.ca on all the nodes clients+servers. I have confirmed that from the ssl team. (In reply to Manisha Saini from comment #10) > Even tried the gdeploy script with replacing IP's with hostname.In that case > also mount is failing on client. > > > And md5sum of the glusterfs.ca file on all the servers and client are same. > But as per the documentation the client glusterfs.ca should have only the > server's keys and the server's glusterfs.ca file should have client+servers > keys > > https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/ > https://kshlm.in/post/network-encryption-in-glusterfs/ > > [root@dhcp37-135 ssl]# md5sum glusterfs.ca > da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca > > [root@dhcp37-97 ssl]# md5sum glusterfs.ca > da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca > > [root@dhcp37-137 ssl]# md5sum glusterfs.ca > da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca > > [root@dhcp37-202 ssl]# md5sum glusterfs.ca > da0daa0e0e8eff2f04776d3e544b959e glusterfs.ca
I tried SSL scenario both manually and with Gdeploy on newly created setup and it working fine. [root@dhcp37-148 glusterd]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.3 (Maipo) [root@dhcp37-148 glusterd]# cat /etc/redhat-storage-release Red Hat Gluster Storage Server 3.2.0 [root@dhcp37-148 glusterd]# rpm -qa | grep gluster glusterfs-3.8.4-2.el7rhgs.x86_64 glusterfs-cli-3.8.4-2.el7rhgs.x86_64 gluster-nagios-common-0.2.4-1.el7rhgs.noarch glusterfs-libs-3.8.4-2.el7rhgs.x86_64 glusterfs-client-xlators-3.8.4-2.el7rhgs.x86_64 glusterfs-api-3.8.4-2.el7rhgs.x86_64 glusterfs-server-3.8.4-2.el7rhgs.x86_64 gluster-nagios-addons-0.2.8-1.el7rhgs.x86_64 vdsm-gluster-4.17.33-1.el7rhgs.noarch glusterfs-fuse-3.8.4-2.el7rhgs.x86_64 glusterfs-geo-replication-3.8.4-2.el7rhgs.x86_64 python-gluster-3.8.4-2.el7rhgs.noarch
Based on comment 12, moving this back to ON_QA.
Based on Comment 12, As SSL option for gluster volume is working fine with GDEPLOY, Hence marking this big as verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0483.html