20.5. Expanding Volumes

Procedure 20.8. Expanding a pool that uses common Certificate Authority signed certificates

1. Import the common Certificate Authority list

   Copy the /etc/ssl/glusterfs.ca file from an existing server into the /etc/ssl directory of the new server.

2. For management encryption, create and edit the secure-access file

   Create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.

   # touch /var/lib/glusterd/secure-access

   Copy to Clipboard Toggle word wrap
   Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.

   echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access

   Copy to Clipboard Toggle word wrap

3. Start glusterd on the new server

   # systemctl start glusterd

   Copy to Clipboard Toggle word wrap

4. Specify servers and clients to allow

   Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.

   # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'

   Copy to Clipboard Toggle word wrap
   This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 20.7, “Deauthorizing a Client”.

   Note

   The gluster volume set command does not append to existing values of the options. To append the new name to the list, get the existing list using gluster volume info command, append the new name to the list and set the option again using gluster volume set command.
   You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.

5. Expand volumes to the new server

   Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.

Procedure 20.9. Expanding a pool that uses self-signed certificates

1. Generate the key and self-signed certificate for the new server

   Follow the steps in Section 20.1, “Preparing Certificates” to generate a private key and a self-signed certificate for the new server.

2. Update server Certificate Authority list files

   Append the contents of the new server's /etc/ssl/glusterfs.pem file to the /etc/ssl/glusterfs.ca file on all existing servers in the trusted storage pool.

3. Update client Certificate Authority list files

   Append the contents of the new server's /etc/ssl/glusterfs.pem file to the /etc/ssl/glusterfs.ca file on all authorized clients in the trusted storage pool.

4. Stop all gluster processes

   Run the following commands on all servers.

   # systemctl stop glusterd
   # pkill glusterfs

   Copy to Clipboard Toggle word wrap

5. (Optional) Enable management encryption on the new server

   Copy the /var/lib/glusterd/secure-access file from an existing server to the new server.

6. Start glusterd on the new server

   # systemctl start glusterd

   Copy to Clipboard Toggle word wrap

7. Update servers and clients to allow

   Run the following command from any server to specify the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.

   # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'

   Copy to Clipboard Toggle word wrap

   Note

   The gluster volume set command does not append to existing values of the options. To append the new name to the list, get the existing list using gluster volume info command, append the new name to the list and set the option again using gluster volume set command.
   You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.

8. Restart the glusterfs processes on existing servers and clients

   1. On all clients, unmount all volumes

      # umount mountpoint

      Copy to Clipboard Toggle word wrap

   2. On any server, stop all volumes

      # for vol in `gluster volume list`; do gluster --mode=script volume stop $vol; sleep 2s; done

      Copy to Clipboard Toggle word wrap

   3. On all servers, restart glusterd

      For Red Hat Enterprise Linux 7 based installations:

      # systemctl start glusterd

      Copy to Clipboard Toggle word wrap
      For Red Hat Enterprise Linux 6 based installations:

      # service glusterd start

      Copy to Clipboard Toggle word wrap

      Important

      Red Hat Gluster Storage is not supported on Red Hat Enterprise Linux 6 (RHEL 6) from 3.5 Batch Update 1 onwards. See Version Details table in section Red Hat Gluster Storage Software Components and Versions of the Installation Guide

   4. On any server, start all volumes

      # gluster volume start volname

      Copy to Clipboard Toggle word wrap

9. Mount the volume on all clients

   The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume using the native FUSE protocol.

   # mount -t glusterfs server1:/test-volume /mnt/glusterfs

   Copy to Clipboard Toggle word wrap

10. Expand volumes to the new server

    Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.