[Gluster-devel] jdarcy status (October 2014)
Jeff Darcy
jdarcy at redhat.com
Wed Oct 8 21:06:58 UTC 2014
> I might be misunderstanding some of this, but I thought that the way
> of doing SSL (as you say, two years ago), and the mechanism, the
> generation and transferring of certificates, and so on, was going to
> be updated with a new mechanism in 3.6...?
SSL was updated in a couple of ways for 3.6:
* Per-volume authorization by SSL identity
* Full support for SSL to glusterd as well as glusterfsd
* New options for ciphers, certificate depth
I toyed with the idea of switching from OpenSSL to PolarSSL as part of
the process, but that's a big piece of work and I never got to it.
Among other benefits, that *might* allow SSL to work with multi-epoll.
On the other hand, they might have the same inverted "poll for read when
you need to write (and vice versa)" behavior as OpenSSL, for the same
reasons. I just haven't gone through their API enough to know.
> As soon as the mechanism is "stable" and hopefully won't change too
> much (maybe that is already the case) please let me know, and point me
> to the authoritative docs/reference/notes/napkins on how to do
> ssl+gluster and I'll patch this in to puppet-gluster to aid adoption
> and for "documentation as puppet code".
Here are some previous emails and wiki pages about how to set it up.
* http://gluster.org/pipermail/gluster-devel/2014-January/028480.html
* http://lists.gnu.org/archive/html/gluster-devel/2013-05/msg00139.html
* http://blog.onefellow.com/2014/01/enable-glusterfs-ssl-mode.html
Really, I think the best place to start is a couple of the tests:
* https://github.com/gluster/glusterfs/blob/master/tests/bugs/bug-873367.t
* https://github.com/gluster/glusterfs/blob/master/tests/features/ssl-authz.t
The first one shows how to set up a minimal SSL configuration; the
second shows how to use SSL identities to limit access to a volume (a
feature being used now in Manila BTW). What I still need to do is wrap
it all in some explanations of how SSL works and how the files must
therefore relate to one another (across clients and servers), plus an
example of how to use certificate signing instead of directly including
each peer's certificate in others' CA files.
More information about the Gluster-devel
mailing list