Red Hat Summit23.4. Expanding Volumes
In a network encrypted Red Hat Gluster Storage trusted storage pool, you must ensure that you meet the prerequisites listed at Section 23.1, “Prerequisites”.
23.4.1. Certificate Signed with a Common Certificate Authority
Adding a server to a storage pool is simple if the servers all use a common Certificate Authority.
- Copy
/etc/ssl/glusterfs.cafile from one of the existing servers and save it on the/etc/ssl/directory on the new server. - If you are using management encryption, create
/var/lib/glusterd/secure-accessfile.Copy to Clipboard Copied! Toggle word wrap Toggle overflow touch /var/lib/glusterd/secure-access
# touch /var/lib/glusterd/secure-access - Start
glusterdon the new peerCopy to Clipboard Copied! Toggle word wrap Toggle overflow service glusterd start
# service glusterd start - Add the common name of the new server to the
auth.ssl-allowlist for all volumes which have encryption enabled.Copy to Clipboard Copied! Toggle word wrap Toggle overflow gluster volume set VOLNAME auth.ssl-allow servernew
# gluster volume set VOLNAME auth.ssl-allow servernewNote
Thegluster volume setcommand does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume infocommand, append the new name to the list and set the option again usinggluster volume setcommand. - Run gluster peer probe [server] to add additional servers to the trusted storage pool. For more information on adding servers to the trusted storage pool, see Chapter 4, Adding Servers to the Trusted Storage Pool .
23.4.2. Self-signed Certificates
Using self-signed certificates would require a downtime of servers to add a new server into the trusted storage pool, as the CA list cannot be dynamically reloaded. To add a new server:
- Generate the private key and self-signed certificate on the new server using the steps listed at Section 23.1, “Prerequisites”.
- Copy the following files:
- On an existing server, copy the
/etc/ssl/glusterfs.cafile, append the content of new server's certificate to it, and distribute it to all servers, including the new server. - On an existing client, copy the
/etc/ssl/glusterfs.ca file, append the content of the new server's certificate to it, and distribute it to all clients.
- Stop all gluster-related processes on all servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow pkill glusterfs
# pkill glusterfs - Create the
/var/lib/glusterd/secure-accessfile on the server if management encryption is enable in the trusted storage pool. - Start
glusterdon the new peerCopy to Clipboard Copied! Toggle word wrap Toggle overflow service glusterd start
# service glusterd start - Add the common name of the new server to the
auth.ssl-allowlist for all volumes which have encryption enabled.Note
If you setauth.ssl-allowoption with*as value, any TLS authenticated clients can mount and access the volume from the application side. Hence, you set the option's value to*or provide common names of clients as well as the nodes in the trusted storage pool. - Restart all the glusterfs processes on existing servers and clients by performing the following .
- Unmount the volume on all the clients.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow umount mount-point
# umount mount-point - Stop all volumes.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow gluster volume stop VOLNAME
# gluster volume stop VOLNAME - Restart glusterd on all the servers.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow service glusterd start
# service glusterd start - Start the volumes
Copy to Clipboard Copied! Toggle word wrap Toggle overflow gluster volume start VOLNAME
# gluster volume start VOLNAME - Mount the volume on all the clients. For example, to manually mount a volume and access data using Native client, use the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow mount -t glusterfs server1:/test-volume /mnt/glusterfs
# mount -t glusterfs server1:/test-volume /mnt/glusterfs
- Peer probe the new server to add it to the trusted storage pool. For more information on peer probe, see Chapter 4, Adding Servers to the Trusted Storage Pool
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}