How to Enable Gluster encryption
You will create a self-signed certificate for each master and have it be trusted by its peers.
For more options see Setting up Transport Layer Security in the Additional Information section of this page.
- (On all masters) Create a private key and then create a certificate for this host signed with this key
# openssl genrsa -out /etc/ssl/glusterfs.key 2048
# openssl req -new -x509 -days 365 -key /etc/ssl/glusterfs.key \
    -out /etc/ssl/glusterfs.pem \
    -subj "/CN=${HOSTNAME}/"
- (On all masters) Combine the certificate from each node into one file all masters can trust
# cat /etc/ssl/glusterfs.pem >> /vagrant/combined.ca.pem
- (On all masters) Copy the combined list of trusted certificates to the local system for Gluster use
# cp /vagrant/combined.ca.pem /etc/ssl/glusterfs.ca
- (On all masters) Enable encryption for Gluster management traffic
# touch /var/lib/glusterd/secure-access
- On master1: Enable encryption on the Gluster volume sharedvol
# gluster volume set sharedvol client.ssl on
# gluster volume set sharedvol server.ssl on
- (On all masters) Restart the Gluster service
# systemctl restart glusterd
Our Gluster volume now has transport encryption enabled.
# gluster volume info
Volume Name: sharedvol
Type: Replicate
Volume ID: 970effb5-5d9a-4ece-9188-7f0525010acf
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 3 = 3
Transport-type: tcp
Bricks:
Brick1: master1:/data/glusterfs/sharedvol/mybrick/brick
Brick2: master2:/data/glusterfs/sharedvol/mybrick/brick
Brick3: master3:/data/glusterfs/sharedvol/mybrick/brick
Options Reconfigured:
server.ssl: on
client.ssl: on
transport.address-family: inet
nfs.disable: on
performance.client-io-threads: off
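As an added pre-flight check (example code written for this page, not part of the original how-to or of Gluster itself), the POSIX shell function below verifies the files the steps above produce before glusterd is restarted: the key is present and owner-only, the trust bundle holds one certificate per master including this host's own, and the secure-access flag exists. The directory, flag path and master count are parameters; the scratch layout it builds uses constructed placeholder PEM blocks, not real keys or certificates.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original how-to): check the
# TLS files from the steps above before glusterd is restarted. An incomplete
# glusterfs.ca makes peers reject each other once secure-access exists.
#   $1 = directory holding glusterfs.key, glusterfs.pem and glusterfs.ca
#   $2 = path of the secure-access flag file
#   $3 = expected number of masters (certificates in the trust bundle)
check_gluster_tls() {
    dir=$1; flag=$2; expected=$3
    key="$dir/glusterfs.key"; pem="$dir/glusterfs.pem"; ca="$dir/glusterfs.ca"
    for f in "$key" "$pem" "$ca"; do
        [ -f "$f" ] || { echo "missing file: $f"; return 1; }
    done
    # The private key must be readable by its owner only.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "key mode $mode too open: $key"; return 1 ;;
    esac
    # Exactly one certificate per master must be in the bundle ...
    n=$(grep -c 'BEGIN CERTIFICATE' "$ca" || true)
    [ "$n" -eq "$expected" ] || { echo "bundle has $n certs, expected $expected"; return 1; }
    # ... including this host's own; its first base64 line identifies it.
    grep -qxF -- "$(sed -n '2p' "$pem")" "$ca" || { echo "local cert not in bundle"; return 1; }
    # Management-path encryption only takes effect when the flag file exists.
    [ -f "$flag" ] || { echo "flag missing: $flag"; return 1; }
    echo "ok: $n trusted certificates, secure-access enabled"
}

# Scratch layout with constructed placeholder PEM blocks (not real keys or
# certificates) for $1 masters; this host plays master1.
make_scratch() {
    count=$1; d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
        '-----END PRIVATE KEY-----' > "$d/glusterfs.key"
    chmod 600 "$d/glusterfs.key"
    i=1
    while [ "$i" -le "$count" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "CONSTRUCTED-CERT-master$i" \
            '-----END CERTIFICATE-----' >> "$d/glusterfs.ca"
        i=$((i + 1))
    done
    sed -n '1,3p' "$d/glusterfs.ca" > "$d/glusterfs.pem"
    touch "$d/secure-access"
    echo "$d"
}

scratch=$(make_scratch 3)
check_gluster_tls "$scratch" "$scratch/secure-access" 3
```

On a real master, call it as `check_gluster_tls /etc/ssl /var/lib/glusterd/secure-access 3` with the paths used in the steps above.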