このコンテンツは選択した言語では利用できません。
22.5. Expanding Volumes
22.5.1. Certificate signed by a Common Certificate Authority
Prerequisites
- Ensure that you have followed the steps in Section 22.1, “Preparing Certificates” before following this section.
Procedure 22.8. Expanding a pool that uses common Certificate Authority signed certificates
Import the common Certificate Authority list
Copy the/etc/ssl/glusterfs.ca
file from an existing server into the/etc/ssl
directory of the new server.For management encryption, create and edit the secure-access file
Create a new/var/lib/glusterd/secure-access
file. This file can be empty if you are using the default settings.# touch /var/lib/glusterd/secure-access
Your Certificate Authority may require changes to the SSL certificate depth setting,transport.socket.ssl-cert-depth
, in order to work correctly. To edit this setting, add the following line to thesecure-access
file, replacing n with the certificate depth required by your Certificate Authority.echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access
Start glusterd on the new server
# systemctl start glusterd
Specify servers and clients to allow
Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created theglusterfs.pem
file for that server or client.# gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'
This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 22.7, “Deauthorizing a Client”.Note
Thegluster volume set
command does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume info
command, append the new name to the list and set the option again usinggluster volume set
command.You can also use the default value of*
, which indicates that any TLS authenticated machine can mount and access the volume.Expand volumes to the new server
Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.
22.5.2. Self-signed Certificates
Prerequisites
- Because self-signed certificates are not automatically generated and updated, the trusted storage pool must be offline for this process. Schedule an outage window for volumes, applications, clients, and other end users before beginning this process.
Procedure 22.9. Expanding a pool that uses self-signed certificates
Generate the key and self-signed certificate for the new server
Follow the steps in Section 22.1, “Preparing Certificates” to generate a private key and a self-signed certificate for the new server.Update server Certificate Authority list files
Append the contents of the new server's/etc/ssl/glusterfs.pem
file to the/etc/ssl/glusterfs.ca
file on all existing servers in the trusted storage pool.Update client Certificate Authority list files
Append the contents of the new server's/etc/ssl/glusterfs.pem
file to the/etc/ssl/glusterfs.ca
file on all authorized clients in the trusted storage pool.Stop all gluster processes
Run the following commands on all servers.# systemctl stop glusterd # pkill glusterfs
Important
Bug 1635071 may cause glusterd to crash during shutdown, but there is no functionality impact to this crash. See Resolving glusterd crash for details.(Optional) Enable management encryption on the new server
Copy the/var/lib/glusterd/secure-access
file from an existing server to the new server.Start glusterd on the new server
# systemctl start glusterd
Update servers and clients to allow
Run the following command from any server to specify the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created theglusterfs.pem
file for that server or client.# gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'
Note
Thegluster volume set
command does not append to existing values of the options. To append the new name to the list, get the existing list usinggluster volume info
command, append the new name to the list and set the option again usinggluster volume set
command.You can also use the default value of*
, which indicates that any TLS authenticated machine can mount and access the volume.Restart the glusterfs processes on existing servers and clients
On all clients, unmount all volumes
# umount mountpoint
On any server, stop all volumes
# for vol in `gluster volume list`; do gluster --mode=script volume stop $vol; sleep 2s; done
On all servers, restart glusterd
For Red Hat Enterprise Linux 7 based installations:# systemctl start glusterd
For Red Hat Enterprise Linux 6 based installations:# service glusterd start
On any server, start all volumes
# gluster volume start volname
Mount the volume on all clients
The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume using the native FUSE protocol.# mount -t glusterfs server1:/test-volume /mnt/glusterfs
Expand volumes to the new server
Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.