22.4. Expanding Volumes
In a network encrypted Red Hat Gluster Storage trusted storage pool, you must ensure that you meet the prerequisites listed at Section 22.1, “Prerequisites”.
22.4.1. Certificate Signed with a Common Certificate Authority
Adding a server to a storage pool is simple if the servers all use a common Certificate Authority.
- Copy
/etc/ssl/glusterfs.ca
file from one of the existing servers and save it on the/etc/ssl/
directory on the new server. - If you are using management encryption, create
/var/lib/glusterd/secure-access
file.#
touch
/var/lib/glusterd/secure-access
- Start
glusterd
on the new peer#
service glusterd start
- Add the common name of the new server to the
auth.ssl-allow
list for all volumes which have encryption enabled.#
gluster volume set VOLNAME auth.ssl-allow servernew
Note
Thegluster volume set
command does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume info
command, append the new name to the list and set the option again usinggluster volume set
command. - Run gluster peer probe [server] to add additional servers to the trusted storage pool. For more information on adding servers to the trusted storage pool, see Chapter 4, Adding Servers to the Trusted Storage Pool .
22.4.2. Self-signed Certificates
Using self-signed certificates would require a downtime of servers to add a new server into the trusted storage pool, as the CA list cannot be dynamically reloaded. To add a new server:
- Generate the private key and self-signed certificate on the new server using the steps listed at Section 22.1, “Prerequisites”.
- Copy the following files:
- On an existing server, copy the
/etc/ssl/glusterfs.ca
file, append the content of new server's certificate to it, and distribute it to all servers, including the new server. - On an existing client, copy the
/etc/ssl/glusterfs.ca file
, append the content of the new server's certificate to it, and distribute it to all clients.
- Stop all gluster-related processes on all servers.
#
pkill glusterfs
- Create the
/var/lib/glusterd/secure-access
file on the server if management encryption is enable in the trusted storage pool. - Start
glusterd
on the new peer#
service glusterd start
- Add the common name of the new server to the
auth.ssl-allow
list for all volumes which have encryption enabled.Note
If you setauth.ssl-allow
option with*
as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to*
or provide common names of clients as well as the nodes in the trusted storage pool. - Restart all the glusterfs processes on existing servers and clients by performing the following .
- Unmount the volume on all the clients.
#
umount mount-point
- Stop all volumes.
#
gluster volume stop VOLNAME
- Restart glusterd on all the servers.
#
service glusterd start
- Start the volumes
#
gluster volume start VOLNAME
- Mount the volume on all the clients. For example, to manually mount a volume and access data using Native client, use the following command:
#
mount -t glusterfs server1:/test-volume /mnt/glusterfs
- Peer probe the new server to add it to the trusted storage pool. For more information on peer probe, see Chapter 4, Adding Servers to the Trusted Storage Pool