11.2.4. Setting Up the Environment for Geo-replication

Time Synchronization
  • On bricks of a geo-replication master volume, all the servers' time must be uniform. You are recommended to set up NTP (Network Time Protocol) service to keep the bricks sync in time and avoid out-of-time sync effect.
    For example: In a Replicated volume where brick1 of the master is at 12.20 hrs and brick 2 of the master is at 12.10 hrs with 10 minutes time lag, all the changes in brick2 between this period may go unnoticed during synchronization of files with Slave.
To setup Geo-replication for SSH
Password-less login has to be set up between the host machine (where geo-replication Start command will be issued) and the remote machine (where slave process should be launched through SSH). You can setup Geo-replication for SSH using any of the following methods:
Method 1 - Setup with Dedicated Service User Alias on Slave
  1. Create a new user account on slave. This can be an alias user of an existing user (another user with same user ID). You can also use an alias of privileged user. For example: user@slavehost.
  2. On the node where geo-replication sessions are to be set up, run the following commands:
    # ssh-keygen -f /var/lib/glusterd/geo-replication/secret.pem
    Press Enter twice to avoid passphrase.
  3. Run the following command on master for all the slave hosts to copy ssh-id:
    # ssh-copy-id -i /var/lib/glusterd/geo-replication/secret.pem.pub user@slavehost
  4. Change the shell of the user created in Step 1 to /usr/libexec/glusterfs/gsyncd by running the following command:
    # usermod -s /usr/libexec/glusterfs/gsyncd USERNAME
Method 2 - Using restricted SSH Key
  1. Choose an user account on slave. This can be a new account or an existing one; using root account is possible. For example: user@slavehost
  2. On the node where geo-replication sessions are to be set up, run the following commands:
    # ssh-keygen -f /var/lib/glusterd/geo-replication/secret.pem.tmp
    Press Enter twice to avoid passphrase.
    # cat /var/lib/glusterd/geo-replication/secret.pem.tmp > /var/lib/glusterd/geo-replication/secret.pem
    # echo -n 'command="/usr/libexec/glusterfs/gsyncd" ' > /var/lib/glusterd/geo-replication/secret.pem.pub
    # cat /var/lib/glusterd/geo-replication/secret.pem.tmp.pub >> /var/lib/glusterd/geo-replication/secret.pem.pub
    # rm /var/lib/glusterd/geo-replication/secret.pem.tmp
    # rm /var/lib/glusterd/geo-replication/secret.pem.tmp.pub
  3. Run the following command on master for all the slave hosts:
    # ssh-copy-id -i /var/lib/glusterd/geo-replication/secret.pem.pub user@slavehost
With these methods, the Slave audits commands coming from the master and the commands related to the given geo-replication session is allowed. The Slave also provides access only to the files within the slave resource which can be read or manipulated by the Master. You must not store unrestricted keys of Slave on Master to use this measure effectively.
Certain conditions are to be met and special setup is needed for the case when the chosen account is not privileged. See Section 11.2.5, “Setting Up the Environment for a Secure Geo-replication Slave” for details.