Differences between revisions 16 and 46 (spanning 30 versions)
Revision 16 as of 2017-12-24 17:29:30
Size: 1552
Comment:
Revision 46 as of 2021-03-26 21:25:57
Size: 3370
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
== Keys ==
On each of the gluster servers and on the client manKeep your keys safe. I personally generate my keys on a special server which is only powered up when I need to make a new key or sign a certificate. Otherwise that system is always powered down. This way I can be sure that my keys are safe.
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
Line 6: Line 5:
On gluster01 == Keys and Certificates ==
Make an encryption key and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and the client.

=== Servers ===
Line 8: Line 10:
mkdir /etc/ssl/glusterfs
cd /etc/ssl/glusterfs
openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
Line 13: Line 14:

=== Client ===
Line 14: Line 17:
# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
Line 33: Line 21:

== Certificate Authorities ==

=== Servers ===
Compile all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this will also include the certificates from the client.
{{{
cat gluster01.pem gluster02.pem gluster03.pem glusterclient01.pem > glusterfs.ca
}}}
Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca`

=== Client ===
Compile all the server certificates in one place and concatenate them into `/etc/ssl/glusterfs-client.ca`.
{{{
cat gluster01.pem gluster02.pem gluster03.pem > glusterfs-client.ca
}}}
Copy the certificate authority to the client and place it in `/etc/ssl/glusterfs.ca`

== Activate Encryption ==

=== Servers ===
When this file exists the glusterfs server will use the new certificates.
{{{
touch /var/lib/glusterd/secure-access
}}}

Restart the servers
{{{
service glusterfs-server restart
}}}

=== Client ===
On the client you need to create the `/var/lib/glusterd` directory before activating encryption.
{{{
mkdir /var/lib/glusterd/
touch /var/lib/glusterd/secure-access
}}}

== Enable Encryption ==
Ecryption is enabled for a volume from one of the servers.
{{{
gluster volume set www client.ssl on
gluster volume set www server.ssl on
}}}

== Allow Only Specific Hosts ==
We allow only access from known hosts. Run this on one of the servers.
{{{
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,glusterclient01'
}}}

== Mounting ==
On the client we have to enable ssl for the volume. Add `option transport.socket.ssl-enabled on` to `/etc/glusterfs/www.vol`. The file will now look like this.
{{{
volume remote1
        type protocol/client
        option transport-type tcp
        option remote-host gluster01
        option remote-subvolume /srv/www/brick
        option transport.socket.ssl-enabled on
end-volume
 
volume remote2
        type protocol/client
        option transport-type tcp
        option remote-host gluster02
        option remote-subvolume /srv/www/brick
        option transport.socket.ssl-enabled on
end-volume
 
volume remote3
        type protocol/client
        option transport-type tcp
        option remote-host gluster03
        option remote-subvolume /srv/www/brick
        option transport.socket.ssl-enabled on
end-volume

volume replicate
        type cluster/replicate
        subvolumes remote1 remote2 remote3
end-volume
 
volume writebehind
        type performance/write-behind
        option window-size 1MB
        subvolumes replicate
end-volume
 
volume cache
  type performance/io-cache
  option cache-size 64MB
  subvolumes writebehind
end-volume

}}}

GlusterFS Encryption

The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.

Keys and Certificates

Make an encryption key and make sure to set the CN to match the name of the client/server. Repeat this on all the servers and the client.

Servers

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem

Client

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem

Certificate Authorities

Servers

Compile all the certificates in one place and concatenate them into /etc/ssl/glusterfs.ca. Notice that this will also include the certificates from the client.

cat gluster01.pem gluster02.pem gluster03.pem glusterclient01.pem > glusterfs.ca

Copy the certificate authority to all the servers and place it in /etc/ssl/glusterfs.ca

Client

Compile all the server certificates in one place and concatenate them into /etc/ssl/glusterfs-client.ca.

cat gluster01.pem gluster02.pem gluster03.pem > glusterfs-client.ca

Copy the certificate authority to the client and place it in /etc/ssl/glusterfs.ca

Activate Encryption

Servers

When this file exists the glusterfs server will use the new certificates.

touch /var/lib/glusterd/secure-access

Restart the servers

service glusterfs-server restart

Client

On the client you need to create the /var/lib/glusterd directory before activating encryption.

mkdir /var/lib/glusterd/
touch /var/lib/glusterd/secure-access

Enable Encryption

Ecryption is enabled for a volume from one of the servers.

gluster volume set www client.ssl on
gluster volume set www server.ssl on

Allow Only Specific Hosts

We allow only access from known hosts. Run this on one of the servers.

gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,glusterclient01'

Mounting

On the client we have to enable ssl for the volume. Add option transport.socket.ssl-enabled on to /etc/glusterfs/www.vol. The file will now look like this.

volume remote1
        type protocol/client
        option transport-type tcp
        option remote-host gluster01
        option remote-subvolume /srv/www/brick
        option transport.socket.ssl-enabled on
end-volume
 
volume remote2
        type protocol/client
        option transport-type tcp
        option remote-host gluster02
        option remote-subvolume /srv/www/brick
        option transport.socket.ssl-enabled on
end-volume
 
volume remote3
        type protocol/client
        option transport-type tcp
        option remote-host gluster03
        option remote-subvolume /srv/www/brick
        option transport.socket.ssl-enabled on
end-volume

volume replicate
        type cluster/replicate
        subvolumes remote1 remote2 remote3
end-volume
 
volume writebehind
        type performance/write-behind
        option window-size 1MB
        subvolumes replicate
end-volume
 
volume cache
  type performance/io-cache
  option cache-size 64MB
  subvolumes writebehind
end-volume

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)