|
Size: 843
Comment:
|
Size: 1564
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| == Servers == | The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption. |
| Line 5: | Line 5: |
| Once all this works we will continue by adding TLS encryption to the setup. | == Keys and Certificates == Make an encryption key and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and the client. |
| Line 7: | Line 8: |
| === Keys === On each of the Glusterfs servers run. |
=== Server === |
| Line 10: | Line 10: |
| mkdir /etc/ssl/glusterfs cd /etc/ssl/glusterfs |
cd /etc/ssl |
| Line 13: | Line 12: |
| openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem | |
| Line 15: | Line 15: |
| === Certificates === Now sign a certificate using that key. |
=== Client === |
| Line 18: | Line 17: |
| root@gluster01:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem root@gluster02:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster02" -out glusterfs.pem root@gluster03:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster03" -out glusterfs.pem root@gluster04:/etc/ssl/glusterfs# openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster04" -out glusterfs.pem |
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem |
| Line 24: | Line 22: |
| == Clients == | == Certificate Authorities == === Servers === Compile all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this will also include the certificates from the client. {{{ cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca }}} === Client === Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca` == Activate Encryption == When this file exists the glusterfs server will use the new certificates {{{ touch /var/lib/glusterd/secure-access }}} == Enable Encryption == On one of the servers encryption is enabled {{{ gluster volume set www client.ssl on gluster volume set www server.ssl on }}} == Allow Only Specific Hosts == We allow only access from known hosts {{{ gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01' }}} |
GlusterFS Encryption
The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.
Keys and Certificates
Make an encryption key and make sure to set the CN to match the name of the client/server. Repeat this on all the servers and the client.
Server
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
Client
cd /etc/ssl openssl genrsa -out glusterfs.key 2048 openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
Certificate Authorities
Servers
Compile all the certificates in one place and concatenate them into /etc/ssl/glusterfs.ca. Notice that this will also include the certificates from the client.
cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca
Client
Copy the certificate authority to all the servers and place it in /etc/ssl/glusterfs.ca
Activate Encryption
When this file exists the glusterfs server will use the new certificates
touch /var/lib/glusterd/secure-access
Enable Encryption
On one of the servers encryption is enabled
gluster volume set www client.ssl on gluster volume set www server.ssl on
Allow Only Specific Hosts
We allow only access from known hosts
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01'