Differences between revisions 19 and 38 (spanning 19 versions)

GlusterFS Encryption

The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.

Keys and Certificates

Make an encryption key and make sure to set the CN to match the name of the client/server. Repeat this on all the servers and the client.

Servers

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem

Client

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem

Certificate Authorities

Servers

Compile all the certificates in one place and concatenate them into /etc/ssl/glusterfs.ca. Notice that this will also include the certificates from the client.

cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca

Copy the certificate authority to all the servers and place it in /etc/ssl/glusterfs.ca

Client

Compile all the server certificates in one place and concatenate them into /etc/ssl/glusterfs-client.ca.

cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca

Copy the certificate authority to the client and place it in /etc/ssl/glusterfs.ca

Activate Encryption

When this file exists the glusterfs server will use the new certificates

touch /var/lib/glusterd/secure-access

Enable Encryption

On one of the servers encryption is enabled

gluster volume set www client.ssl on
gluster volume set www server.ssl on

Allow Only Specific Hosts

We allow only access from known hosts

gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01'

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)

-  ⇤ ← Revision 19 as of 2017-12-24 17:34:12 → 
  Size: 2034
  Editor: Kristian Kallenberg
  Comment:
+   ← Revision 38 as of 2017-12-24 20:37:55 → ⇥
  Size: 1850
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 2:
-Line 4:
+Line 5:
-== Keys ==
Make an encryption key on the client and on each of the servers. Make sure to set the `CN` to match the name of the host.
+== Keys and Certificates ==
Make an encryption key and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and the client.
-Line 7:
+Line 8:
+=== Servers ===
-Line 8:
+Line 10:
-mkdir /etc/ssl/glusterfs
cd /etc/ssl/glusterfs
openssl genrsa -out gluster01.key 2048
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
+cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
-Line 14:
+Line 15:
-== Certificates ==
Sign a certificate using the key
+=== Client ===
 Line 17:
-openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
+cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
-Line 20:
+Line 22:
-== Certificate authorities ==
compile all the certificates in one place and concatename them into two files. glusterfs.ca and glusterfs-client.ca.
+== Certificate Authorities ==

=== Servers ===
Compile all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this will also include the certificates from the client.
-Line 23:
+Line 27:
-# server certificates authorities
-Line 25:
+Line 28:
-# client certificates authorities
+}}}
Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca`

=== Client ===
Compile all the server certificates in one place and concatenate them into `/etc/ssl/glusterfs-client.ca`.
{{{
-Line 28:
+Line 36:
+Copy the certificate authority to the client and place it in `/etc/ssl/glusterfs.ca`
-Line 29:
+Line 38:
+== Activate Encryption ==
When this file exists the glusterfs server will use the new certificates
-Line 30:
+Line 41:
-# create the server keys
openssl genrsa -out gluster01.key 2048
openssl genrsa -out gluster02.key 2048
openssl genrsa -out gluster03.key 2048
openssl genrsa -out gluster04.key 2048
# sign the server certificates
openssl req -new -x509 -key gluster01.key -subj "/CN=gluster01" -out gluster01.pem
openssl req -new -x509 -key gluster02.key -subj "/CN=gluster02" -out gluster02.pem
openssl req -new -x509 -key gluster03.key -subj "/CN=gluster03" -out gluster03.pem
openssl req -new -x509 -key gluster04.key -subj "/CN=gluster04" -out gluster04.pem
# create the client keys
openssl genrsa -out glusterclient01.key 2048
# sign the client certificates
openssl req -new -x509 -key glusterclient01.key -subj "/CN=glusterclient01" -out glusterclient01.pem
# server certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
# client certificates authorities
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
+touch /var/lib/glusterd/secure-access
-Line 49:
+Line 43:
+== Enable Encryption ==
On one of the servers encryption is enabled
{{{
gluster volume set www client.ssl on
gluster volume set www server.ssl on
}}}

== Allow Only Specific Hosts ==
We allow only access from known hosts
{{{
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01'
}}}