<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body ><div style="font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10pt;"><div>Sure, let us know if it works with the re-setup.<br></div><div><br></div><div>> One reason I don't want to use docker is, I need to install it on VMs in <br></div><div>> the future. If everything is working, I will put the whole setup into <br></div><div>> ansible. But first step first. And the first step is, getting TLS running.<br></div><div><br></div><div>Kadalu Binnacle also supports ssh. Just change the command_mode to ssh, remove/replace the docker commands.<br></div><div><br></div><div>Refer to the doc below for Binnacle SSH config options.<br></div><div><br></div><div><a target="_blank" href="https://github.com/kadalu/binnacle?tab=readme-ov-file#run-a-command-using-ssh">https://github.com/kadalu/binnacle?tab=readme-ov-file#run-a-command-using-ssh</a><br></div><div><br></div><div>Blog post: <a target="_blank" href="https://aravindavk.in/blog/gluster-volume-setup-binnacle/">https://aravindavk.in/blog/gluster-volume-setup-binnacle</a><br></div><div><br></div><div>--<br></div><div>Thanks and Regards<br></div><div id="Zm-_Id_-Sgn" data-sigid="3848334000000010003" data-zbluepencil-ignore="true"><div>Aravinda<br></div><div>Kadalu Technologies<br></div></div><div><br></div><div class="zmail_extra_hr" style="border-top: 1px solid rgb(204, 204, 204); height: 0px; margin-top: 10px; margin-bottom: 10px; line-height: 0px;"><br></div><div class="zmail_extra" data-zbluepencil-ignore="true"><div><br></div><div id="Zm-_Id_-Sgn1">---- On Wed, 31 Jan 2024 22:01:24 +0530 <b>Stefan Kania &lt;stefan@kania-online.de&gt;</b> wrote ---<br></div><div><br></div><blockquote id="blockquote_zmail" style="margin: 0px;"><div>Hi Aravinda, <br> <br>I'm not so into Docker :-( So I just looked at your commands and I saw <br>that you did exactly the same as I did. 
I even removed all TLS configuration <br>and all certificates and then copied your commands (as far as it was <br>possible) to create the certificates and compared it with my commands. <br>Everything is exactly the same. But my setup is not working :-(. At this <br>point I think it's not a Gluster problem but a problem of my Debian <br>installation and configuration. So I will start from scratch and do it <br>all again. <br>One reason I don't want to use docker is, I need to install it on VMs in <br>the future. If everything is working, I will put the whole setup into <br>ansible. But first step first. And the first step is, getting TLS running. <br> <br>Stefan <br> <br>On 31.01.24 at 09:22, Aravinda wrote: <br>> Hi Stefan, <br>> <br>> <br>> <br>> I reproduced this in our lab and it is working without any issues. <br>> <br>> <br>> <br>> Lab setup: Debian 12 and Gluster version 10.5 <br>> <br>> Three servers and one client: c01.gluster, c02.gluster, c03.gluster and cluster-client.gluster <br>> <br>> <br>> <br>> I used RSA key length as 4096 instead of 2048 and used the below volume option <br>> <br>> <br>> <br>> gluster volume set gv1 ssl.cipher-list 'HIGH:!SSLv2' <br>> <br>> <br>> <br>> I used Kadalu Binnacle (<a href="https://github.com/kadalu/binnacle" target="_blank">https://github.com/kadalu/binnacle</a>) to set up a container-based three-node cluster. The details and the test file are available in the below GitHub repository. 
<br>> <br>> <br>> <br>> <a href="https://github.com/aravindavk/gluster-tests?tab=readme-ov-file#gluster-tls-tests" target="_blank">https://github.com/aravindavk/gluster-tests?tab=readme-ov-file#gluster-tls-tests</a> <br>> <br>> <br>> <br>> -- <br>> Aravinda <br>> <br>> Kadalu Technologies <br>> <br>> <br>> <br>> <br>> <br>> <br>> <br>> <br>> ---- On Mon, 29 Jan 2024 22:10:50 +0530 Stefan Kania <<a href="mailto:stefan@kania-online.de" target="_blank">stefan@kania-online.de</a>> wrote --- <br>> <br>> <br>> <br>> Hi Strahil, hi Aravinda <br>> <br>> Am 28.01.24 um 23:03 schrieb Strahil Nikolov: <br>>> You didn't specify correctly the IP in the SANS but I'm not sure if that's the root cause. <br>>> In the SANs section Specify all hosts + their IPs: IP.1=1.2.3.4IP.2=2.3.4.5DNS.1=c01.glusterDNS.2=c02.gluster <br>> <br>> That's what I did now: <br>> <br>> I took the commands from the article you recommended and added all the <br>> alternative names and IPs into the certificate: <br>> ------------- <br>> openssl req -new -x509 -key /etc/ssl/glusterfs.key -subj "/CN=`hostname <br>> -f`" -addext "subjectAltName = <br>> IP:192.168.57.41,IP:192.168.57.42,IP:192.168.57.43,IP:192.168.57.51,DNS:c01.gluster,DNS:c02.gluster,DNS:c03.gluster,DNS:cluster-client.gluster" <br>> -out /etc/ssl/glusterfs.pem <br>> ------------- <br>> Stille getting on the server: <br>> ------------- <br>> [2024-01-29 16:32:08.877499 +0000] I <br>> [socket.c:4288:ssl_setup_connection_params] 0-socket.management: SSL <br>> support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 <br>> for peer 192.168.57.51:49151 <br>> [2024-01-29 16:32:08.881842 +0000] E [socket.c:224:ssl_dump_error_stack] <br>> 0-socket.management: error:0A00010B:SSL routines::wrong version number <br>> <br>> ------------- <br>> <br>> And on the client: <br>> ------------- <br>> [2024-01-29 16:32:08.865731 +0000] I [MSGID: 100030] <br>> [glusterfsd.c:2767:main] 0-/usr/sbin/glusterfs: Started running version <br>> 
[{arg=/usr/sbin/glusterfs}, {version=10.5}, <br>> {cmdlinestr=/usr/sbin/glusterfs --process-name fuse <br>> --volfile-server=c02.gluster --volfile-id=/gv1 /mnt}] <br>> [2024-01-29 16:32:08.870129 +0000] I [glusterfsd.c:2447:daemonize] <br>> 0-glusterfs: Pid of current running process is 664 <br>> [2024-01-29 16:32:08.880528 +0000] I [MSGID: 101190] <br>> [event-epoll.c:667:event_dispatch_epoll_worker] 0-epoll: Started thread <br>> with index [{index=1}] <br>> [2024-01-29 16:32:08.880935 +0000] I [MSGID: 101190] <br>> [event-epoll.c:667:event_dispatch_epoll_worker] 0-epoll: Started thread <br>> with index [{index=0}] <br>> [2024-01-29 16:32:08.885755 +0000] I <br>> [glusterfsd-mgmt.c:2681:mgmt_rpc_notify] 0-glusterfsd-mgmt: disconnected <br>> from remote-host: c02.gluster <br>> [2024-01-29 16:32:08.885879 +0000] I <br>> [glusterfsd-mgmt.c:2720:mgmt_rpc_notify] 0-glusterfsd-mgmt: Exhausted <br>> all volfile servers <br>> [2024-01-29 16:32:08.887116 +0000] W <br>> [glusterfsd.c:1458:cleanup_and_exit] <br>> (-->/lib/x86_64-linux-gnu/libgfrpc.so.0(+0xfa35) [0x7fd18d185a35] <br>> -->/usr/sbin/glusterfs(+0x14769) [0x55d4f8d5d769] <br>> -->/usr/sbin/glusterfs(cleanup_and_exit+0x57) [0x55d4f8d54447] ) 0-: <br>> received signum (1), shutting down <br>> [2024-01-29 16:32:08.887209 +0000] I [fuse-bridge.c:7065:fini] 0-fuse: <br>> Unmounting '/mnt'. <br>> [2024-01-29 16:32:08.889719 +0000] I [fuse-bridge.c:7069:fini] 0-fuse: <br>> Closing fuse connection to '/mnt'. 
<br>> [2024-01-29 16:32:08.889909 +0000] W <br>> [glusterfsd.c:1458:cleanup_and_exit] <br>> (-->/lib/x86_64-linux-gnu/libc.so.6(+0x89044) [0x7fd18d00a044] <br>> -->/usr/sbin/glusterfs(glusterfs_sigwaiter+0xc5) [0x55d4f8d5be05] <br>> -->/usr/sbin/glusterfs(cleanup_and_exit+0x57) [0x55d4f8d54447] ) 0-: <br>> received signum (15), shutting down <br>> ------------- <br>> <br>> executing the connect command on the client: <br>> -------------- <br>> openssl s_client -showcerts -connect c02.gluster:24007 <br>> -------------- <br>> <br>> shows on the server: <br>> -------------- <br>> [2024-01-29 16:37:08.747123 +0000] I <br>> [socket.c:4288:ssl_setup_connection_params] 0-socket.management: SSL <br>> support for MGMT is ENABLED IO path is ENABLED certificate depth is 1 <br>> for peer 192.168.57.51:58060 <br>> [2024-01-29 16:37:08.767715 +0000] E <br>> [socket.c:426:ssl_setup_connection_postfix] 0-socket.management: SSL <br>> connect error (client: 192.168.57.51:58060) (server: 192.168.57.42:24007) <br>> -------------- <br>> <br>> So still the same, no changes :-( <br>> <br>> Stefan <br> <br>-- <br>Stefan Kania <br>Landweg 13 <br>25693 St. Michaelisdonn <br> <br> <br>Signing every e-mail helps reduce spam and protects your <br>privacy. You can get a free certificate at <br><a href="https://www.dgn.de/dgncert/index.html" target="_blank">https://www.dgn.de/dgncert/index.html</a> <br> <br></div></blockquote></div><div><br></div></div><br></body></html>