Bug 764731 (GLUSTER-2999) - Support SSL in socket transport
Summary: Support SSL in socket transport
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: GLUSTER-2999
Product: GlusterFS
Classification: Community
Component: transport
Version: mainline
Hardware: x86_64
OS: Linux
Importance: medium low
Target Milestone: ---
Assignee: Vijay Bellur
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 895528
Reported: 2011-06-07 14:47 UTC by Jeff Darcy
Modified: 2015-12-01 16:45 UTC (History)

Fixed In Version: glusterfs-3.4.0
Clone Of:
Environment:
Last Closed: 2013-07-24 17:48:53 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:



Description Jeff Darcy 2011-06-07 14:47:53 UTC
I have a patch that adds SSL (based on OpenSSL) as an option for the socket transport.  Actually it's three options:

* transport.socket.ssl-own-cert: this server's certificate

* transport.socket.ssl-private-key: key matching own-cert

* transport.socket.ssl-ca-list: list of trusted certificates (including CA certs)

If all three options are specified, then SSL support will be enabled.  If one or two are specified, a warning will be issued and SSL will not be enabled.  If none are specified, behavior remains as it was before.

This patch also includes socket multi-threading ("gatling gun") changes, to mitigate the performance impact of calling ssl_read/ssl_write from a single polling thread.  This is also controlled by an option:

* transport.socket.own-thread: use own per-socket polling thread

This option is initially enabled if SSL is enabled (see above) but can be overridden in the volfile.  Its effect on performance without SSL ranges from neutral to slightly positive (e.g. one client connecting to many servers).  With SSL enabled, it can have about a 2.5x positive effect on performance - probably even more with increasing numbers of servers and cores.
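Added example, not code from this bug or from GlusterFS: a Python model of the enable rule described above, which parses volfile `option` lines, applies the all-three-or-nothing rule together with the own-thread default, and only then builds a TLS context from the three options. The file paths are constructed placeholders, and requiring a client certificate (`CERT_REQUIRED`) is an assumption of this example, not something the bug states.

```python
import ssl
# The three options from the bug description; SSL is on only when all three are set.
SSL_OPTIONS = (
    "transport.socket.ssl-own-cert",
    "transport.socket.ssl-private-key",
    "transport.socket.ssl-ca-list",
)
OWN_THREAD_OPTION = "transport.socket.own-thread"

# Constructed volfile fragments; the file paths are placeholders, not real deployments.
FULL_VOLFILE = """option transport.socket.ssl-own-cert /etc/ssl/gluster.pem
option transport.socket.ssl-private-key /etc/ssl/gluster.key
option transport.socket.ssl-ca-list /etc/ssl/gluster.ca
"""
PARTIAL_VOLFILE = """option transport.socket.ssl-own-cert /etc/ssl/gluster.pem
option transport.socket.ssl-private-key /etc/ssl/gluster.key
"""

def parse_volfile_options(text):
    """Collect 'option <name> <value>' lines of a volfile fragment into a dict."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "option":
            opts[parts[1]] = parts[2].strip()
    return opts

def decide_transport(opts):
    """All three -> SSL on; one or two -> warning and plaintext; none -> unchanged."""
    missing = [o for o in SSL_OPTIONS if o not in opts]
    ssl_enabled = not missing
    warning = None
    if missing and len(missing) < len(SSL_OPTIONS):
        warning = "SSL not enabled, transport stays plaintext; missing: " + ", ".join(missing)
    # own-thread defaults to the SSL state; an explicit volfile value overrides it.
    own_thread = ssl_enabled
    if OWN_THREAD_OPTION in opts:
        own_thread = opts[OWN_THREAD_OPTION].lower() in ("on", "yes", "true", "1")
    return {"ssl": ssl_enabled, "own_thread": own_thread, "warning": warning}

def build_ssl_context(opts):
    """Server-side context from the three options; requiring a client cert is an assumption here."""
    decision = decide_transport(opts)
    if not decision["ssl"]:
        raise ValueError(decision["warning"] or "no SSL options configured")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED   # peer must present a cert chaining to the CA list
    ctx.load_cert_chain(opts[SSL_OPTIONS[0]], opts[SSL_OPTIONS[1]])  # fails if key != cert
    ctx.load_verify_locations(opts[SSL_OPTIONS[2]])
    return ctx
```

The partial case is the one worth alerting on operationally: a warning in the log means the transport silently stayed plaintext.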

Comment 1 Amar Tumballi 2011-09-28 04:26:41 UTC
vijay, Du is not working on this. As Jeff already has it working, putting you as assignee to take care of this.

Comment 2 Vijay Bellur 2012-07-17 20:18:40 UTC
CHANGE: http://review.gluster.com/362 (rpc-transport/socket: Add SSL support.) merged in master by Anand Avati (avati)

Comment 3 Vijay Bellur 2012-07-30 18:53:33 UTC
CHANGE: http://review.gluster.com/3701 (rpc/socket: finish initialization in own thread) merged in master by Anand Avati (avati)

Comment 4 Anand Avati 2014-04-17 23:40:17 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#3) for review on master by Jeff Darcy (jdarcy)

Comment 5 Anand Avati 2014-04-18 00:13:59 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#4) for review on master by Jeff Darcy (jdarcy)

Comment 6 Anand Avati 2014-06-10 19:18:04 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#5) for review on master by Jeff Darcy (jdarcy)

Comment 7 Anand Avati 2014-06-11 12:23:10 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#6) for review on master by Jeff Darcy (jdarcy)

Comment 8 Anand Avati 2014-06-13 12:38:35 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#7) for review on master by Jeff Darcy (jdarcy)

Comment 9 Anand Avati 2014-06-23 15:37:57 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#8) for review on master by Jeff Darcy (jdarcy)

Comment 10 Anand Avati 2014-06-24 15:03:51 UTC
REVIEW: http://review.gluster.org/3695 (rpc/auth: allow SSL identity to be used for authorization) posted (#9) for review on master by Jeff Darcy (jdarcy)

