Bug 764731 - (GLUSTER-2999) Support SSL in socket transport
Status: CLOSED CURRENTRELEASE
Product: GlusterFS
Classification: Community
Component: transport
Version: mainline
Hardware: x86_64 Linux
Priority: medium, Severity: low
Assigned To: Vijay Bellur
Depends On:
Blocks: 895528
Reported: 2011-06-07 10:47 EDT by Jeff Darcy
Modified: 2015-12-01 11:45 EST
CC: 2 users

See Also:
Fixed In Version: glusterfs-3.4.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-24 13:48:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Attachments: None
Description Jeff Darcy 2011-06-07 10:47:53 EDT
I have a patch that adds SSL (based on OpenSSL) as an option for the socket transport.  Actually it's three options:

* transport.socket.ssl-own-cert: this server's certificate

* transport.socket.ssl-private-key: key matching own-cert

* transport.socket.ssl-ca-list: list of trusted certificates (including CA certs)

If all three options are specified, then SSL support will be enabled.  If one or two are specified, a warning will be issued and SSL will not be enabled.  If none are specified, behavior remains as it was before.

This patch also includes socket multi-threading ("gatling gun") changes, to mitigate the performance impact of calling ssl_read/ssl_write from a single polling thread.  This is also controlled by an option:

* transport.socket.own-thread: use own per-socket polling thread

This option is initially enabled if SSL is enabled (see above) but can be overridden in the volfile.  Its effect on performance without SSL ranges from neutral to slightly positive (e.g. one client connecting to many servers).  With SSL enabled, it can have about a 2.5x positive effect on performance - probably even more with increasing numbers of servers and cores.
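The enablement rule in the description (all three ssl-* options present means SSL on; one or two means a warning and plain TCP; none means unchanged behaviour, with own-thread defaulting to the SSL state unless set explicitly) is the kind of thing worth checking before a volfile is deployed, since a partially configured volume silently stays unencrypted. The following is an added example written for this page, not GlusterFS code: it parses a small volfile fragment (standard `volume ... option key value ... end-volume` syntax) and reports each volume's SSL and own-thread state. The certificate paths are constructed placeholders, and `to_bool` is an assumption about which spellings gluster accepts for boolean options.

```python
"""Added example (not GlusterFS code): apply the transport.socket.ssl-* enablement
rule from the bug description to the volumes in a volfile fragment."""

SSL_OPTIONS = (
    "transport.socket.ssl-own-cert",
    "transport.socket.ssl-private-key",
    "transport.socket.ssl-ca-list",
)
OWN_THREAD = "transport.socket.own-thread"

# Constructed sample volfile (placeholder paths). brick-ssl has all three SSL
# options and explicitly turns own-thread off; brick-partial forgets the CA
# list; brick-plain has no SSL options but asks for its own thread anyway.
SAMPLE_VOLFILE = """
volume brick-ssl
    type protocol/server
    option transport-type tcp
    option transport.socket.ssl-own-cert /etc/glusterfs/server.pem
    option transport.socket.ssl-private-key /etc/glusterfs/server.key
    option transport.socket.ssl-ca-list /etc/glusterfs/ca-list.pem
    option transport.socket.own-thread off
    subvolumes posix
end-volume

volume brick-partial
    type protocol/server
    option transport-type tcp
    option transport.socket.ssl-own-cert /etc/glusterfs/server.pem
    option transport.socket.ssl-private-key /etc/glusterfs/server.key
    subvolumes posix
end-volume

volume brick-plain
    type protocol/server
    option transport-type tcp
    option transport.socket.own-thread on
    subvolumes posix
end-volume
"""


def parse_volfile(text):
    """Parse 'volume ... end-volume' blocks into {volume_name: {option: value}}."""
    volumes = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # volfiles allow '#' comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "volume" and len(tokens) == 2:
            current = tokens[1]
            volumes[current] = {}
        elif tokens[0] == "end-volume":
            current = None
        elif tokens[0] == "option" and current is not None and len(tokens) >= 3:
            volumes[current][tokens[1]] = " ".join(tokens[2:])
    return volumes


def to_bool(value):
    """Assumption: gluster-style boolean spellings (on/off, yes/no, true/false, 1/0)."""
    return value.strip().lower() in ("on", "yes", "true", "enable", "1")


def ssl_status(options):
    """Return (ssl_enabled, own_thread, warnings) for one volume's option dict."""
    present = [o for o in SSL_OPTIONS if o in options]
    missing = [o for o in SSL_OPTIONS if o not in options]
    warnings = []
    if not missing:
        ssl = True                      # all three options: SSL enabled
    elif present:
        ssl = False                     # one or two: warn, stay plain
        warnings.append("SSL not enabled: missing " + ", ".join(missing))
    else:
        ssl = False                     # none: behaviour unchanged
    if OWN_THREAD in options:
        own_thread = to_bool(options[OWN_THREAD])   # explicit volfile override
    else:
        own_thread = ssl                # default follows the SSL state
    return ssl, own_thread, warnings


def check_volfile(text):
    """Map every volume in the fragment to its (ssl, own_thread, warnings) tuple."""
    return {name: ssl_status(opts) for name, opts in parse_volfile(text).items()}


if __name__ == "__main__":
    for name, (ssl, own_thread, warns) in check_volfile(SAMPLE_VOLFILE).items():
        print(f"{name}: ssl={'on' if ssl else 'off'} own-thread={'on' if own_thread else 'off'}")
        for w in warns:
            print("  warning:", w)
```

Running it reports brick-ssl as SSL on with own-thread off (the explicit setting wins over the default), brick-partial as SSL off with a warning naming the missing ssl-ca-list option, and brick-plain as SSL off with own-thread on. The check only looks at option presence, as the description does; it does not verify that the key actually matches the certificate.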
Comment 1 Amar Tumballi 2011-09-28 00:26:41 EDT
vijay, Du is not working on this. As Jeff already has it working, putting you as assignee to take care of this.
Comment 2 Vijay Bellur 2012-07-17 16:18:40 EDT
CHANGE: http://review.gluster.com/362 (rpc-transport/socket: Add SSL support.) merged in master by Anand Avati (avati@redhat.com)
Comment 3 Vijay Bellur 2012-07-30 14:53:33 EDT
CHANGE: http://review.gluster.com/3701 (rpc/socket: finish initialization in own thread) merged in master by Anand Avati (avati@redhat.com)
Comment 4 Anand Avati 2014-04-17 19:40:17 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#3) for review on master by Jeff Darcy (jdarcy@redhat.com)
Comment 5 Anand Avati 2014-04-17 20:13:59 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#4) for review on master by Jeff Darcy (jdarcy@redhat.com)
Comment 6 Anand Avati 2014-06-10 15:18:04 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#5) for review on master by Jeff Darcy (jdarcy@redhat.com)
Comment 7 Anand Avati 2014-06-11 08:23:10 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#6) for review on master by Jeff Darcy (jdarcy@redhat.com)
Comment 8 Anand Avati 2014-06-13 08:38:35 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#7) for review on master by Jeff Darcy (jdarcy@redhat.com)
Comment 9 Anand Avati 2014-06-23 11:37:57 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#8) for review on master by Jeff Darcy (jdarcy@redhat.com)
Comment 10 Anand Avati 2014-06-24 11:03:51 EDT
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#9) for review on master by Jeff Darcy (jdarcy@redhat.com)