[Gluster-users] GlusterFS Security Stunnel or alternative?

Corentin Chary corentin.chary at gmail.com
Tue Oct 27 14:48:09 UTC 2009


On Tue, Oct 27, 2009 at 12:58 AM, Jeffery Soo <js at realtechtalk.com> wrote:
> weber wrote:
>>
>> On Mon, 26 Oct 2009 10:05:52 +0100, Tomasz Chmielewski <mangoo at wpkg.org>
>> wrote:
>>
>>>
>>> Jeffery Soo wrote:
>>>
>>>>
>>>> I'm using glusterfs 2.07 and I'm trying to secure it.  I'm using it on a
>>>> switch that is connected to the internet.
>>>> I've tried using stunnel but it uses like 90% of CPU on both client and
>>>> server.  It also reduces throughput by 3-4x.
>>>>
>>>> Is there any better way or translator that will be available soon to
>>>> secure and encrypt the connection, or is glusterfs really meant to be used
>>>> only on a private internal switch?
>>>>
>>>
>>> I don't think there is any usable translator for that.
>>>
>>> You can try running it over an IPsec or OpenVPN tunnel.
>>>
>>> If you run glusterfs over internet, you might also consider enabling
>>> compression in the VPN tunnel; this could technically increase your
>>> throughput.
>>>
>>
>>
>> http://gluster.com/community/documentation/index.php/Translators/encryption/rot-13
>>
>> ROT-13 is a toy translator that can "encrypt" and "decrypt" file contents
>> using the ROT-13 algorithm. ROT-13 is a trivial algorithm that rotates
>> each alphabet by thirteen places. Thus, 'A' becomes 'N', 'B' becomes 'O',
>> and 'Z' becomes 'M'.
>>
>> It goes without saying that you shouldn't use this translator if you need
>> _real_ encryption (a future release of GlusterFS will have real encryption
>> translators).
>> So it's an upcoming feature.
>>
>> Why don't you use GRE or ssh?
>> _______________________________________________
>> Gluster-users mailing list
>> Gluster-users at gluster.org
>> http://gluster.org/cgi-bin/mailman/listinfo/gluster-users
>>
>>
>
> Thanks for the suggestion.  I used an SSH tunnel and the performance was
> very close to having it without encryption.  The SSH tunnel is something I
> never thought of.  If I can't find a better solution I will do it this way.
>  Next I'll try GRE, do you think GRE can achieve better performance or at
> least lower CPU usage than SSH?
>
> I wish ROT-13 was stable/production ready and safe.
>

I'm working on something like that, some patches are available in my git tree:
http://git.iksaif.net/?p=glusterfs.git;a=shortlog;h=refs/heads/transport-encryption
It's not production ready, but feel free to test, and fix bugs :)

-- 
Corentin Chary
http://xf.iksaif.net


