Differences between revisions 31 and 34 (spanning 3 versions)

GlusterFS Server Encryption

The default GlusterFS setup does not encrypt its communication. Use the method below enable encryption.

Keys and Certificates

Make an encryption key and make sure to set the CN to match the name of the client/server. Repeat this on all the servers and the client.

Server

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem

Client

cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem

Certificate Authorities

Compile all the certificates in one place and concatenate them into /etc/ssl/glusterfs.ca. Notice that this will also include the certificates from the client.

cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem glusterclient01.pem > glusterfs.ca

Copy the certificate authority to all the servers and place it in /etc/ssl/glusterfs.ca

Activate Encryption

When this file exists the glusterfs server will use the new certificates

touch /var/lib/glusterd/secure-access

Enable Encryption

On one of the servers encryption is enabled

gluster volume set www client.ssl on
gluster volume set www server.ssl on

Allow Only Specific Hosts

We allow only access from known hosts

gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01'

None: GlusterFS Encryption (last edited 2021-03-26 21:25:57 by Kristian Kallenberg)

-  ⇤ ← Revision 31 as of 2017-12-24 20:02:54 → 
  Size: 1048
  Editor: Kristian Kallenberg
  Comment:
+   ← Revision 34 as of 2017-12-24 20:34:47 → ⇥
  Size: 1536
  Editor: Kristian Kallenberg
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 2:
-Line 5:
+Line 6:
-Make an encryption key and make sure to set the `CN` to match the name of the host. Repeat this on the client and on each of the servers.
+Make an encryption key and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and the client.

=== Server ===
-Line 12:
+Line 15:
+=== Client ===
{{{
cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
}}}
-Line 14:
+Line 24:
-=== Server ===
Compile all the certificates in one place and concatenate them into one file `glusterfs.ca`
+Compile all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this will also include the certificates from the client.
-Line 18:
+Line 27:
-cat gluster01.pem gluster02.pem gluster03.pem gluster04.pem > glusterfs-client.ca
-Line 21:
+Line 29:
-=== Client ===
 and `glusterfs-client.ca`.
Copy `glusterfs.ca` to `/etc/ssl/glusterfs.ca` on all servers. Copy `glusterfs-client.ca` to `/etc/ssl/glusterfs.ca` on the client.
+Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca`
-Line 27:
+Line 32:
+When this file exists the glusterfs server will use the new certificates
-Line 30:
+Line 36:
+== Enable Encryption ==
On one of the servers encryption is enabled
{{{
gluster volume set www client.ssl on
gluster volume set www server.ssl on
}}}

== Allow Only Specific Hosts ==
We allow only access from known hosts
{{{
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,gluster04,glusterclient01'
}}}