
UPDATE: It seems the Ubuntu 14.04 bundled version of Gluster is too old for what I want to do (as hinted at by @SmallLoanOf1M). There is a gluster community PPA for Ubuntu here which has newer versions with better SSL support.

I followed the Enable glusterfs SSL mode on the Gluster community website to enable SSL on my glusterfs server (using v3.4.2 on Ubuntu 14.04). I distributed the ssl certs to both the server and two clients. When I view the volume info on the server I get

# gluster vol info

Volume Name: pm1-dump
Type: Distribute
Volume ID: eb403a2b-e28b-440c-846a-fa9f82e748bd
Status: Started
Number of Bricks: 1
Transport-type: tcp
Bricks:
Brick1: 172.22.2.1:/mnt/pm2_pm1/pm1-dump
Options Reconfigured:
performance.write-behind: on
diagnostics.brick-log-level: WARNING
diagnostics.client-log-level: WARNING
nfs.enable-ino32: on
nfs.addr-namelookup: off
nfs.disable: on
performance.cache-refresh-timeout: 4
performance.cache-size: 32MB
performance.write-behind-window-size: 16MB
performance.io-thread-count: 24
auth.allow: 172.22.2.3,172.22.2.4
client.ssl: on

On the client (172.22.2.3) I usually mount the gluster share like this:

/bin/mount -t glusterfs -o transport=tcp,direct-io-mode=disable 172.22.2.1:/pm1-dump /mnt/vmdumps

The link above does not go into detail for the correct options to add to my mount command above to enable SSL on the client however. Despite copying the ssl certs to /etc/ssl my log file on the client says it can't find the certs:

[2017-02-15 20:17:04.446330] W [client.c:2569:init] 0-pm1-dump: Volume is dangling. 
[2017-02-15 20:17:04.447417] I [socket.c:3561:socket_init] 0-pm1-dump: SSL support is ENABLED
[2017-02-15 20:17:04.447428] I [socket.c:3576:socket_init] 0-pm1-dump: using private polling thread
[2017-02-15 20:17:04.449102] E [socket.c:3594:socket_init] 0-pm1-dump: could not load our cert

I created the certs using these commands

openssl genrsa -out gluster.key 2048
openssl req -new -x509 -days 3650 -key gluster.key \
-subj /CN=GLUSTERSSL -out gluster.pem

cp gluster.pem gluster.ca
Server Fault

1 Answer


There isn't a mount option for that. SSL is enabled or disabled on the volume properties, which you've done. It then expects to find your certs in /etc/ssl/gluster.*. You'll also need to create a gluster.ca file, which is a concatenation of all your approved .pem files.

The guide you linked to says essentially the same thing. You'll need to place your .key file within /etc/ssl/ on any client machines. Also, how did you create your certs?

Most importantly, you haven't mentioned what version of GlusterFS you're using. This is very important, as features and bugs regarding this have changed a lot. Also make sure that the client version matches the server version.

Spooler
  • I've updated the original post with gluster version (3.4.2), OS platform (ubuntu 14.04) and ssl creation commands along with a gluster community PPA I found. – Server Fault Feb 16 '17 at 14:16
  • Yeah, that's usually the case with most GlusterFS problems. Version numbers and network hiccups. Glad you got it figured out. – Spooler Feb 16 '17 at 15:57
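
A pre-flight check for the three files the answer describes, written for this page as an added example (it is not code from the post or from the Gluster project). It assumes the `openssl` CLI is installed; the function name and return codes are inventions of this example. The base name is a parameter because the commands on this page produce `gluster.*`, while Gluster's SSL documentation names the files `glusterfs.pem`, `glusterfs.key` and `glusterfs.ca`.

```shell
#!/bin/sh
# Added example: pre-flight check of the TLS files a Gluster client or brick loads.
# Usage: check_gluster_tls [DIR] [BASENAME]   e.g. check_gluster_tls /etc/ssl gluster
# DIR defaults to /etc/ssl. BASENAME defaults to "glusterfs" (the name used in
# Gluster's SSL documentation); pass "gluster" for files named as on this page.
check_gluster_tls() {
    dir=${1:-/etc/ssl}
    base=${2:-glusterfs}
    pem=$dir/$base.pem key=$dir/$base.key ca=$dir/$base.ca

    # 1. All three files must exist and be readable by the user running gluster.
    for f in "$pem" "$key" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or unreadable"
            return 2
        fi
    done
    command -v openssl >/dev/null 2>&1 || { echo "FAIL: openssl not found"; return 1; }

    # 2. The certificate must parse as a PEM X.509 certificate.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $pem is not a PEM certificate"; return 3; }

    # 3. The private key must parse and belong to that certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: $key is not a readable private key"; return 3; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $pem"
        return 4
    fi

    # 4. Assumption of this example: the local cert should verify against the local
    #    bundle (true for one shared self-signed cert, or certs from a common CA).
    if ! openssl verify -CAfile "$ca" "$pem" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $pem does not verify against $ca"
        return 5
    fi

    # 5. Warn (without failing) if the private key is readable by group or others.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "WARN: $key is readable by group/other; consider chmod 600"
    fi
    echo "OK: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}
```

Run it on the server and on every client with the same arguments; a non-zero return on any machine points at the file that needs fixing before the volume is mounted.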