22.5. Expanding Volumes

Follow this section to add new nodes to a trusted storage pool that uses network encryption.

22.5.1. Certificate signed by a Common Certificate Authority

Follow this section to add a new Gluster server to a trusted storage pool that uses network encryption with certificates signed by a common Certificate Authority.

Prerequisites

Procedure 22.8. Expanding a pool that uses common Certificate Authority signed certificates

  1. Import the common Certificate Authority list

    Copy the /etc/ssl/glusterfs.ca file from an existing server into the /etc/ssl directory of the new server.
  2. For management encryption, create and edit the secure-access file

    Create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.
    # touch /var/lib/glusterd/secure-access
    Your Certificate Authority may require a different SSL certificate chain depth setting, transport.socket.ssl-cert-depth, in order to work correctly (for example, when the server certificate is issued by an intermediate CA rather than directly by the root). To set it, write the following line to the secure-access file, replacing n with the chain depth required by your Certificate Authority. Note that this overwrites any existing contents of the file.
    # echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access
  3. Start glusterd on the new server

    # systemctl start glusterd
  4. Specify servers and clients to allow

    Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.
    # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'
    This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 22.7, “Deauthorizing a Client”.

    Note

    The gluster volume set command replaces the existing value of the option rather than appending to it. To add a name, read the current list with the gluster volume info command (it appears under Options Reconfigured), append the new name, and set the complete list again with gluster volume set. Any existing name left out of the new value loses access to the volume.
    You can also use the default value of *, which indicates that any TLS-authenticated machine, that is, any machine presenting a certificate that chains to a certificate in glusterfs.ca, can mount and access the volume. The common-name list is the only per-identity authorization check; with * every holder of a trusted certificate is authorized.
  5. Expand volumes to the new server

    Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.

22.5.2. Self-signed Certificates

Prerequisites

  • Because self-signed certificates have no common issuer, every existing server and client must have the new server's certificate added to its /etc/ssl/glusterfs.ca file and must restart its gluster processes to load the updated list. The trusted storage pool must therefore be offline for this process. Schedule an outage window for volumes, applications, clients, and other end users before beginning this process.

Procedure 22.9. Expanding a pool that uses self-signed certificates

  1. Generate the key and self-signed certificate for the new server

    Follow the steps in Section 22.1, “Preparing Certificates” to generate a private key and a self-signed certificate for the new server.
  2. Update server Certificate Authority list files

    Append the contents of the new server's /etc/ssl/glusterfs.pem file to the /etc/ssl/glusterfs.ca file on all existing servers in the trusted storage pool.
  3. Update client Certificate Authority list files

    Append the contents of the new server's /etc/ssl/glusterfs.pem file to the /etc/ssl/glusterfs.ca file on all authorized clients in the trusted storage pool.
  4. Stop all gluster processes

    Run the following commands on all servers.
    # systemctl stop glusterd
    # pkill glusterfs

    Important

    Bug 1635071 may cause glusterd to crash during shutdown, but there is no functionality impact to this crash. See Resolving glusterd crash for details.
  5. (Optional) Enable management encryption on the new server

    Copy the /var/lib/glusterd/secure-access file from an existing server to the new server.
  6. Start glusterd on the new server

    # systemctl start glusterd
  7. Update servers and clients to allow

    Run the following command on an existing server in the trusted storage pool (the new server is not a peer until it is added in the final step) to specify the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client, and the list must include the name of the new server.
    # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'

    Note

    The gluster volume set command replaces the existing value of the option rather than appending to it. To add a name, read the current list with the gluster volume info command (it appears under Options Reconfigured), append the new name, and set the complete list again with gluster volume set. Any existing name left out of the new value loses access to the volume.
    You can also use the default value of *, which indicates that any TLS-authenticated machine, that is, any machine presenting a certificate that chains to a certificate in glusterfs.ca, can mount and access the volume. The common-name list is the only per-identity authorization check; with * every holder of a trusted certificate is authorized.
  8. Restart the glusterfs processes on existing servers and clients

    1. On all clients, unmount all volumes

      # umount mountpoint
    2. On any server, stop all volumes

      # for vol in $(gluster volume list); do gluster --mode=script volume stop "$vol"; sleep 2s; done
    3. On all servers, restart glusterd

      For Red Hat Enterprise Linux 7 based installations:
      # systemctl start glusterd
      For Red Hat Enterprise Linux 6 based installations:
      # service glusterd start
    4. On any server, start all volumes (repeat for each volume)

      # gluster volume start volname
  9. Mount the volume on all clients

    The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume using the native FUSE protocol.
    # mount -t glusterfs server1:/test-volume /mnt/glusterfs
  10. Expand volumes to the new server

    Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.
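Two of the steps above are easy to get wrong when repeated across many hosts: appending glusterfs.pem to every glusterfs.ca (steps 2 and 3 of Procedure 22.9), and rebuilding the auth.ssl-allow list that gluster volume set replaces rather than extends (step 4 of Procedure 22.8 and step 7 of Procedure 22.9). The POSIX shell helpers below are an added example, not part of the Red Hat guide or of Gluster itself. The host names, volume name and paths are assumptions for illustration, and the certificate bodies used in the demonstration are constructed placeholders, not real certificates; the gluster and openssl wrappers need a live pool and are not exercised by the demonstration.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide or the Gluster project): helpers for
# the two places in Section 22.5 where a naive ">>" or "volume set" goes wrong.
#   - append_cert_to_ca: extend /etc/ssl/glusterfs.ca without duplicating a cert
#   - merge_ssl_allow:   build the full auth.ssl-allow value from the current one
# Host names, volume names and paths below are assumptions for illustration.

# Print the base64 body of the first certificate in a PEM file as a single line.
# Two PEM files holding the same DER certificate have identical bodies once the
# line wrapping is removed, so comparing bodies compares the certificates byte
# for byte without needing openssl.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inblk                         { printf "%s", $0 }' "$1"
    printf '\n'
}

# Print one line (body) per certificate in a CA bundle such as glusterfs.ca.
ca_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inblk) print body; inblk = 0; next }
         inblk                         { body = body $0 }' "$1"
}

# Succeed if the certificate in $1 (e.g. the new server's glusterfs.pem) is
# already present in the bundle $2 (glusterfs.ca).
ca_has_cert() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 1
    ca_bodies "$2" | grep -qxF -- "$body"
}

# Append certificate $1 to bundle $2 unless it is already there, so the step can
# be re-run on every server and client without growing the bundle each time.
append_cert_to_ca() {
    if ca_has_cert "$1" "$2"; then
        echo "$1 already present in $2" >&2
        return 0
    fi
    # A bundle that does not end in a newline would glue the new BEGIN line onto
    # the previous END line and corrupt the bundle; fix that first.
    if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then
        echo >> "$2"
    fi
    cat "$1" >> "$2"
}

# Print the value to pass to "gluster volume set VOL auth.ssl-allow" after adding
# the common names given as further arguments to the current value $1.
# "gluster volume set" replaces the list, so the current value must be carried
# over by the caller. A current value of "*" (the default: any TLS-authenticated
# machine) or an empty value is replaced by the explicit list, which narrows
# access to exactly the named CNs. Names are de-duplicated and order is kept.
merge_ssl_allow() {
    current=$1; shift
    merged=""
    if [ -n "$current" ] && [ "$current" != "*" ]; then
        merged=$current
    fi
    for name in "$@"; do
        case ",$merged," in
            *",$name,"*) ;;                                # already listed
            *) merged=${merged:+$merged,}$name ;;
        esac
    done
    printf '%s\n' "$merged"
}

# Print the CN of a certificate so it can be checked against auth.ssl-allow,
# which is an exact string match. Requires openssl; not used by the demo below.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Read the live list with "gluster volume get" (one header line, then
# "auth.ssl-allow VALUE"), merge, and set. Needs a running pool; not run here.
gluster_allow_add() {
    vol=$1; shift
    current=$(gluster volume get "$vol" auth.ssl-allow |
              awk '$1 == "auth.ssl-allow" { print $2 }')
    gluster volume set "$vol" auth.ssl-allow "$(merge_ssl_allow "$current" "$@")"
}

# Demo on a constructed value (no gluster needed):
merge_ssl_allow 'server1,server2,client1' server3 client1   # -> server1,server2,client1,server3
```

On each existing server and client, run append_cert_to_ca /path/to/new-server-glusterfs.pem /etc/ssl/glusterfs.ca; running it twice leaves the bundle unchanged. On a server in the pool, gluster_allow_add volname server3 adds the new server without dropping the names already authorized, and cert_cn /etc/ssl/glusterfs.pem on the new server confirms the exact common name to add.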