23.4. Expanding Volumes
In a network encrypted Red Hat Gluster Storage trusted storage pool, you must ensure that you meet the prerequisites listed at Section 23.1, “Prerequisites”.
23.4.1. Certificate Signed with a Common Certificate Authority
Adding a server to a storage pool is simple if the servers all use a common Certificate Authority.
- Copy
/etc/ssl/glusterfs.ca
file from one of the existing servers and save it on the/etc/ssl/
directory on the new server. - If you are using management encryption, create
/var/lib/glusterd/secure-access
file.touch /var/lib/glusterd/secure-access
# touch /var/lib/glusterd/secure-access
Copy to Clipboard Copied! - Start
glusterd
on the new peerservice glusterd start
# service glusterd start
Copy to Clipboard Copied! - Add the common name of the new server to the
auth.ssl-allow
list for all volumes which have encryption enabled.gluster volume set VOLNAME auth.ssl-allow servernew
# gluster volume set VOLNAME auth.ssl-allow servernew
Copy to Clipboard Copied! Note
Thegluster volume set
command does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume info
command, append the new name to the list and set the option again usinggluster volume set
command. - Run gluster peer probe [server] to add additional servers to the trusted storage pool. For more information on adding servers to the trusted storage pool, see Chapter 4, Adding Servers to the Trusted Storage Pool .
23.4.2. Self-signed Certificates
Using self-signed certificates would require a downtime of servers to add a new server into the trusted storage pool, as the CA list cannot be dynamically reloaded. To add a new server:
- Generate the private key and self-signed certificate on the new server using the steps listed at Section 23.1, “Prerequisites”.
- Copy the following files:
- On an existing server, copy the
/etc/ssl/glusterfs.ca
file, append the content of new server's certificate to it, and distribute it to all servers, including the new server. - On an existing client, copy the
/etc/ssl/glusterfs.ca file
, append the content of the new server's certificate to it, and distribute it to all clients.
- Stop all gluster-related processes on all servers.
pkill glusterfs
# pkill glusterfs
Copy to Clipboard Copied! - Create the
/var/lib/glusterd/secure-access
file on the server if management encryption is enable in the trusted storage pool. - Start
glusterd
on the new peerservice glusterd start
# service glusterd start
Copy to Clipboard Copied! - Add the common name of the new server to the
auth.ssl-allow
list for all volumes which have encryption enabled.Note
If you setauth.ssl-allow
option with*
as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to*
or provide common names of clients as well as the nodes in the trusted storage pool. - Restart all the glusterfs processes on existing servers and clients by performing the following .
- Unmount the volume on all the clients.
umount mount-point
# umount mount-point
Copy to Clipboard Copied! - Stop all volumes.
gluster volume stop VOLNAME
# gluster volume stop VOLNAME
Copy to Clipboard Copied! - Restart glusterd on all the servers.
service glusterd start
# service glusterd start
Copy to Clipboard Copied! - Start the volumes
gluster volume start VOLNAME
# gluster volume start VOLNAME
Copy to Clipboard Copied! - Mount the volume on all the clients. For example, to manually mount a volume and access data using Native client, use the following command:
mount -t glusterfs server1:/test-volume /mnt/glusterfs
# mount -t glusterfs server1:/test-volume /mnt/glusterfs
Copy to Clipboard Copied!
- Peer probe the new server to add it to the trusted storage pool. For more information on peer probe, see Chapter 4, Adding Servers to the Trusted Storage Pool