Recently, I needed to configure glusterfs with SSL and found that the documentation describing how to do it is actually pretty thin. What's annoying is that this feature has been around since 2013!
First the caveat: I'm not an expert with SSL, but I arrived at this working process after digging through mailing lists and a great article from Zbyszek Żółkiewski.
There are 8 steps to follow, so nothing too taxing :)
- Create the keys and certificates
- On each node, perform the following:
- This step creates a private key (.key) and its associated self-signed certificate (.pem) on each node. The common name (CN) I've used is the hostname, so each certificate is unique to each gluster node and/or client. You may opt for a different scheme, but the important thing is that the CN chosen here is reflected in step 6. (Note that 1024-bit RSA keys are considered weak today; 2048 bits is the usual minimum.)
# cd /etc/ssl
# openssl genrsa -out glusterfs.key 1024
# openssl req -new -x509 -days 3650 -key glusterfs.key -subj /CN=<hostname> -out glusterfs.pem
- Combine the pem files into a single file
- Use scp to copy the .pem file from each node to a single node in the cluster (I'm calling it the primary host for the purpose of this article):
# scp glusterfs.pem root@<primary-host>:/etc/ssl/<this-hostname>.pem
On the primary host, concatenate the files:
# cat glusterfs.pem host2.pem host3.pem > glusterfs.ca
- Distribute the common 'ca' file to all nodes
- On the primary host, distribute the common CA file containing the certs from all nodes/clients:
# scp /etc/ssl/glusterfs.ca root@<hostX>:/etc/ssl/.
- Stop the volume you want to enable SSL on
# gluster vol stop <volume-name>
- Restart glusterd
# systemctl restart glusterd
- Update the volume to enable SSL
# gluster vol set <volume-name> client.ssl on
# gluster vol set <volume-name> server.ssl on
# gluster vol set <volume-name> auth.ssl-allow host-1,host-2,host-3
- The comma-separated list should consist of the CNs used when generating the .pem files on each host in step 1.
- Start the volume
# gluster vol start <volume-name>
- Check SSL is enabled on the I/O path
- Although you can use vol info to check that the SSL setting is in place, the best way to confirm that SSL is actually being used is to look at one of the log files:
# grep SSL /var/log/glusterfs/glustershd.log
[2015-03-31 06:58:34.674091] I [socket.c:3799:socket_init] 0-vol-client-2: SSL support on the I/O path is ENABLED
[2015-03-31 06:58:34.679316] I [socket.c:3799:socket_init] 0-vol-client-1: SSL support on the I/O path is ENABLED
[2015-03-31 06:58:34.680784] I [socket.c:3799:socket_init] 0-vol-client-0: SSL support on the I/O path is ENABLED
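As an added example (not part of the original post), the shell functions below carry out the key and certificate generation of step 1, the CA-bundle assembly of step 2, and a check that every node certificate verifies against the bundle and that its CN appears in the auth.ssl-allow list from step 6. The hostnames and working directory are constructed for the example, and it uses a 2048-bit key rather than the 1024-bit key shown in the commands above.

```shell
#!/bin/sh
# Constructed example: per-node self-signed certs, a shared glusterfs.ca bundle,
# and a consistency check between the bundle and the auth.ssl-allow list.
set -eu

# gen_node_cert DIR HOSTNAME -> writes DIR/HOSTNAME.key and DIR/HOSTNAME.pem,
# with the hostname as the certificate CN (the scheme used in step 1).
gen_node_cert() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/$host.key" \
        -subj "/CN=$host" -out "$dir/$host.pem" 2>/dev/null
}

# build_ca DIR HOST... -> concatenates DIR/HOST.pem into DIR/glusterfs.ca (step 2).
build_ca() {
    dir=$1; shift
    : > "$dir/glusterfs.ca"
    for h in "$@"; do cat "$dir/$h.pem" >> "$dir/glusterfs.ca"; done
}

# cert_cn FILE -> prints the CN from the certificate subject.
# Handles both "subject=CN = x" (OpenSSL 1.1+) and "subject= /CN=x" (older).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p'
}

# check_allow_list DIR ALLOWLIST HOST... -> returns 0 only if every listed node
# cert is trusted by the bundle AND its CN is in the comma-separated allow list.
# Catches the two common mistakes: a cert left out of glusterfs.ca, and a CN
# that does not match what was given to auth.ssl-allow.
check_allow_list() {
    dir=$1; allow=$2; shift 2
    for h in "$@"; do
        openssl verify -CAfile "$dir/glusterfs.ca" "$dir/$h.pem" >/dev/null 2>&1 \
            || { echo "$h.pem is not trusted by glusterfs.ca"; return 1; }
        cn=$(cert_cn "$dir/$h.pem")
        case ",$allow," in
            *",$cn,"*) ;;
            *) echo "CN '$cn' not in auth.ssl-allow list"; return 1 ;;
        esac
    done
    return 0
}

# Usage (constructed hostnames):
#   d=$(mktemp -d); for h in host-1 host-2 host-3; do gen_node_cert "$d" "$h"; done
#   build_ca "$d" host-1 host-2 host-3
#   check_allow_list "$d" "host-1,host-2,host-3" host-1 host-2 host-3 && echo OK
```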
Excellent writeup! One other important step, if you're using each machine as both a Gluster server and a client with a FUSE mount point, is to unmount the gluster volume prior to SSL enable and then remount it later. i.e:
umount /gluster
(Perform above steps...)
mount -t glusterfs 127.0.0.1:/gv0 /gluster
Regards,
Kevin Davis