|
Size: 2314
Comment:
|
← Revision 46 as of 2021-03-26 21:25:57 ⇥
Size: 3370
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| == Keys == Keep your keys safe. I personally generate my keys on a special server which is only powered up when i need to make a new key or sign a certificate. Otherwise that system is always powered down. This way i can be sure that my keys are safe. |
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption. |
| Line 6: | Line 5: |
| On each of the Glusterfs servers and clients run. | == Keys and Certificates == Make an encryption key and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and the client. === Servers === |
| Line 8: | Line 10: |
| mkdir /etc/ssl/glusterfs cd /etc/ssl/glusterfs |
cd /etc/ssl |
| Line 11: | Line 12: |
| }}} == Certificates == Now sign certificates using those keys. Replace the `CN` so it matches the host you are siging the certificate for. {{{ |
|
| Line 19: | Line 15: |
| == Compile == Compile all the certificates into one large file |
=== Client === |
| Line 23: | Line 17: |
| scp gluster01:/etc/ssl/glusterfs/gluster.pem gluster01.pem scp gluster02:/etc/ssl/glusterfs/gluster.pem gluster02.pem scp gluster03:/etc/ssl/glusterfs/gluster.pem gluster03.pem scp gluster04:/etc/ssl/glusterfs/gluster.pem gluster04.pem scp glusterclient01:/etc/ssl/glusterfs/gluster.pem glusterclient01.pem cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs.ca |
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem |
| Line 31: | Line 22: |
| {{{#!highlight bash #!/bin/sh if [ ! -e /etc/ssl/glusterfs ] then mkdir -p /etc/ssl/glusterfs fi |
== Certificate Authorities == |
| Line 38: | Line 24: |
| cd /etc/ssl/glusterfs | === Servers === Compile all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this will also include the certificates from the client. {{{ cat gluster01.pem gluster02.pem gluster03.pem glusterclient01.pem > glusterfs.ca }}} Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca` |
| Line 40: | Line 31: |
| # create the server keys openssl genrsa -out gluster01.key 2048 openssl genrsa -out gluster02.key 2048 openssl genrsa -out gluster03.key 2048 openssl genrsa -out gluster04.key 2048 # sign the server certificates openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem |
=== Client === Compile all the server certificates in one place and concatenate them into `/etc/ssl/glusterfs-client.ca`. {{{ cat gluster01.pem gluster02.pem gluster03.pem > glusterfs-client.ca }}} Copy the certificate authority to the client and place it in `/etc/ssl/glusterfs.ca` |
| Line 51: | Line 38: |
| # create the client keys openssl genrsa -out glusterclient01.key 2048 |
== Activate Encryption == |
| Line 54: | Line 40: |
| # sign the client certificates openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem |
=== Servers === When this file exists the glusterfs server will use the new certificates. {{{ touch /var/lib/glusterd/secure-access }}} |
| Line 57: | Line 46: |
| # server certificates authorities cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem www01.pem www02.pem > glusterfs.ca # client certificates authorities cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca |
Restart the servers {{{ service glusterfs-server restart |
| Line 62: | Line 50: |
=== Client === On the client you need to create the `/var/lib/glusterd` directory before activating encryption. {{{ mkdir /var/lib/glusterd/ touch /var/lib/glusterd/secure-access }}} == Enable Encryption == Ecryption is enabled for a volume from one of the servers. {{{ gluster volume set www client.ssl on gluster volume set www server.ssl on }}} == Allow Only Specific Hosts == We allow only access from known hosts. Run this on one of the servers. {{{ gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,glusterclient01' }}} == Mounting == On the client we have to enable ssl for the volume. Add `option transport.socket.ssl-enabled on` to `/etc/glusterfs/www.vol`. The file will now look like this. {{{ volume remote1 type protocol/client option transport-type tcp option remote-host gluster01 option remote-subvolume /srv/www/brick option transport.socket.ssl-enabled on end-volume volume remote2 type protocol/client option transport-type tcp option remote-host gluster02 option remote-subvolume /srv/www/brick option transport.socket.ssl-enabled on end-volume volume remote3 type protocol/client option transport-type tcp option remote-host gluster03 option remote-subvolume /srv/www/brick option transport.socket.ssl-enabled on end-volume volume replicate type cluster/replicate subvolumes remote1 remote2 remote3 end-volume volume writebehind type performance/write-behind option window-size 1MB subvolumes replicate end-volume volume cache type performance/io-cache option cache-size 64MB subvolumes writebehind end-volume }}} |
GlusterFS Encryption
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
Keys and Certificates
Make an encryption key and make sure to set the CN to match the name of the client/server. Repeat this on all the servers and the client.
Servers
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
Client
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
Certificate Authorities
Servers
Compile all the certificates in one place and concatenate them into /etc/ssl/glusterfs.ca. Notice that this will also include the certificates from the client.
cat gluster01.pem gluster02.pem gluster03.pem glusterclient01.pem > glusterfs.ca
Copy the certificate authority to all the servers and place it in /etc/ssl/glusterfs.ca
Client
Compile all the server certificates in one place and concatenate them into /etc/ssl/glusterfs-client.ca.
cat gluster01.pem gluster02.pem gluster03.pem > glusterfs-client.ca
Copy the certificate authority to the client and place it in /etc/ssl/glusterfs.ca
Activate Encryption
Servers
When this file exists the glusterfs server will use the new certificates.
touch /var/lib/glusterd/secure-access
Restart the servers
service glusterfs-server restart
Client
On the client you need to create the /var/lib/glusterd directory before activating encryption.
mkdir /var/lib/glusterd/ touch /var/lib/glusterd/secure-access
Enable Encryption
Ecryption is enabled for a volume from one of the servers.
gluster volume set www client.ssl on gluster volume set www server.ssl on
Allow Only Specific Hosts
We allow only access from known hosts. Run this on one of the servers.
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,glusterclient01'
Mounting
On the client we have to enable ssl for the volume. Add option transport.socket.ssl-enabled on to /etc/glusterfs/www.vol. The file will now look like this.
volume remote1
type protocol/client
option transport-type tcp
option remote-host gluster01
option remote-subvolume /srv/www/brick
option transport.socket.ssl-enabled on
end-volume
volume remote2
type protocol/client
option transport-type tcp
option remote-host gluster02
option remote-subvolume /srv/www/brick
option transport.socket.ssl-enabled on
end-volume
volume remote3
type protocol/client
option transport-type tcp
option remote-host gluster03
option remote-subvolume /srv/www/brick
option transport.socket.ssl-enabled on
end-volume
volume replicate
type cluster/replicate
subvolumes remote1 remote2 remote3
end-volume
volume writebehind
type performance/write-behind
option window-size 1MB
subvolumes replicate
end-volume
volume cache
type performance/io-cache
option cache-size 64MB
subvolumes writebehind
end-volume