Recently, I needed to configure glusterfs with SSL and found that the documentation that describes how to do it is actually pretty thin. What's annoying is that this feature has been around since 2013!
First, the caveat: I'm not an expert with SSL, but I arrived at this working process after digging through mailing lists and a great article from Zbyszek Żółkiewski.
There are 8 steps to follow, so nothing too taxing :)
- Create the keys and certificates
  - On each node, perform the following:
  - This step creates a private key (.key) and associated certificate (.pem) on each node. The common name (CN) I've used is the hostname, so each certificate is unique to each gluster node and/or client. You may opt for a different scheme, but the important thing is that the CN chosen here is reflected in step 6.
- Combine the pem files to a single file
  - Use scp to copy the .pem file from each node to a single node in the cluster (I'm calling it the primary host for the purpose of this article)
- Distribute the common 'ca' file to all nodes
  - On the primary host, distribute the common CA containing the certs from all nodes/clients
- Stop the volume you want to enable SSL on
- Restart glusterd
- Update the volume to enable SSL
  - The comma-separated list should consist of the CNs used when generating the .pem files on each host in step 1.
- Start the volume
- Check SSL is enabled on the I/O Path
Although you can use vol info to check the SSL setting is in place, the best way to confirm that SSL is actually being used is to look at one of the log files.
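Steps 1 to 7 as shell functions, added here as an example; this is not the original article's command listing. It assumes GlusterFS's default TLS file locations under /etc/ssl, a systemd host, a 2048-bit key and a 365-day certificate lifetime; the function names, the `run` helper and `DRY_RUN` are hypothetical.

```shell
# Added example. DRY_RUN=1 (the default) prints each command instead of running it.
SSL_DIR=${SSL_DIR:-/etc/ssl}   # assumed: GlusterFS default home of glusterfs.{key,pem,ca}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Step 1 (run on every node and client): private key plus self-signed
# certificate whose CN is the name you will later list in auth.ssl-allow.
make_node_cert() {   # usage: make_node_cert <cn>
    run openssl genrsa -out "$SSL_DIR/glusterfs.key" 2048 &&
    run openssl req -new -x509 -days 365 -key "$SSL_DIR/glusterfs.key" \
        -subj "/CN=$1" -out "$SSL_DIR/glusterfs.pem" &&
    run chmod 600 "$SSL_DIR/glusterfs.key"   # the key never leaves its node
}

# Step 2 (primary host): concatenate the collected .pem files into one bundle.
# Always writes <out-file>, even in dry-run mode, since it only touches that file.
build_ca() {         # usage: build_ca <out-file> <pem>...
    local out=$1; shift
    cat "$@" > "$out"
}

# Step 3: copy the bundle to every node and client as glusterfs.ca.
distribute_ca() {    # usage: distribute_ca <ca-file> <host>...
    local ca=$1 h; shift
    for h in "$@"; do run scp "$ca" "$h:$SSL_DIR/glusterfs.ca" || return 1; done
}

# Join CNs with commas, the format auth.ssl-allow expects.
cn_list() { local IFS=,; echo "$*"; }

# Steps 4-7: stop the volume, restart glusterd (local node only), switch TLS on
# for the I/O path, restrict access to the listed CNs, start the volume again.
enable_volume_ssl() {   # usage: enable_volume_ssl <volume> <cn>...
    local vol=$1; shift
    run gluster --mode=script volume stop "$vol" &&
    run systemctl restart glusterd &&
    run gluster volume set "$vol" client.ssl on &&
    run gluster volume set "$vol" server.ssl on &&
    run gluster volume set "$vol" auth.ssl-allow "$(cn_list "$@")" &&
    run gluster volume start "$vol"
}
```

Call the functions with `DRY_RUN=1` first to review the exact commands, then set `DRY_RUN=0` to apply them.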