搜索

此内容没有您所选择的语言版本。

20.2. Configuring Network Encryption for a New Trusted Storage Pool

download PDF
Follow this section to configure I/O and management encryption on a freshly installed Red Hat Gluster Storage deployment that does not yet have a trusted storage pool configured.

20.2.1. Enabling Management Encryption

Red Hat recommends enabling both management and I/O encryption, but if you only want to use I/O encryption, you can skip this section and continue with Section 20.2.2, “Enabling I/O Encryption”.

Procedure 20.3. Enabling management encryption on servers

Perform the following steps on all servers.
  1. Create and edit the secure-access file

    Create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.
    # touch /var/lib/glusterd/secure-access
    Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.
    echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access
  2. Start glusterd

    On Red Hat Enterprise Linux 7 based servers, run:
    # systemctl start glusterd
    On Red Hat Enterprise Linux 6 based servers, run:
    # service glusterd start

    Important

    Red Hat Gluster Storage is not supported on Red Hat Enterprise Linux 6 (RHEL 6) from 3.5 Batch Update 1 onwards. See Version Details table in section Red Hat Gluster Storage Software Components and Versions of the Installation Guide
  3. Continue storage configuration

    Proceed with the normal configuration process by setting up the trusted storage pool, formatting bricks, and creating volumes. For more information, see Chapter 4, Adding Servers to the Trusted Storage Pool and Chapter 5, Setting Up Storage Volumes.

Procedure 20.4. Enabling management encryption on clients

Prerequisites

Perform the following steps on all clients.
  1. Create and edit the secure-access file

    Create the /var/lib/glusterd directory, and create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.
    # touch /var/lib/glusterd/secure-access
    Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.
    echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access
  2. Start the volume

    On the server, start the volume.
    # gluster volume start volname
  3. Mount the volume

    The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume called testvol using the native FUSE protocol.
    # mount -t glusterfs server1:testvol /mnt/glusterfs

20.2.2. Enabling I/O Encryption

Follow this section to enable I/O encryption between servers and clients.

Procedure 20.5. Enabling I/O encryption

Prerequisites

  • You must have volumes configured, but not started, to perform this process. See Chapter 5, Setting Up Storage Volumes for information on creating volumes. To stop a volume, run the following command:
    # gluster volume stop volname
Run the following commands from any Gluster server.
  1. Specify servers and clients to allow

    Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.
    # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'
    This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 20.7, “Deauthorizing a Client”.
    You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.
  2. Enable TLS/SSL on the volume

    # gluster volume set volname client.ssl on
    # gluster volume set volname server.ssl on
  3. Start the volume

    # gluster volume start volname
  4. Verify

    Verify that the volume can be mounted on authorized clients, and that the volume cannot be mounted by unauthorized clients. The process for mounting a volume depends on the protocol your client is using.
    The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume called testvol using the native FUSE protocol.
    # mount -t glusterfs server1:testvol /mnt/glusterfs
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.