11.2.5. Setting Up the Environment for a Secure Geo-replication Slave

You can configure a secure slave using SSH so that the master is granted restricted access. With Red Hat Storage, you need not specify configuration parameters regarding the slave on the master-side configuration. For example, the master does not require the location of the rsync program on the slave, but the slave must ensure that rsync is in the PATH of the user that the master connects as using SSH. The only information that master and slave have to negotiate is the slave-side user account, the slave's resources that the master uses as slave resources, and the master's public key. Secure access to the slave can be established using the following options:
  • Using unprivileged Red Hat Storage Over SSH
  • Using IP based access control
Backward Compatibility
Your existing Geo-replication environment will work with Red Hat Storage, except for the following:
  • The process of secure reconfiguration affects only the glusterFS instance on slave. The changes are transparent to master with the exception that you may have to change the SSH target to an unprivileged account on slave.
  • The following are some exceptions where this might not work:
    • Geo-replication URLs which specify the slave resource when configuring master will include the following special characters: space, *, ?, [;
    • Slave must have a running instance of glusterd, even if there is no Red Hat Storage volume among the mounted slave resources (that is, file tree slaves are used exclusively).

11.2.5.1. Unprivileged Red Hat Storage Slave over SSH

Geo-replication supports access to Red Hat Storage slaves through SSH using an unprivileged account (user account with non-zero uid). This method is recommended as it is more secure and it reduces the master's capabilities over slave to the minimum. This feature relies on mountbroker, an internal service of glusterd which manages the mounts for unprivileged slave accounts. You must perform additional steps to configure glusterd with the appropriate mountbroker's access control directives. The following example demonstrates this process:
To set up an auxiliary glusterFS mount for the unprivileged account:
  1. Create a new group. For example, geogroup.
  2. Create an unprivileged account. For example, geoaccount. Make it a member of geogroup.
  3. Create a new directory owned by root and with permissions 0711. Ensure that the location where this directory is created is writable only by root but geoaccount is able to access it. For example, create a mountbroker-root directory at /var/mountbroker-root.
  4. Add the following options to the glusterd volfile, assuming the name of the slave Red Hat Storage volume as slavevol:
    option mountbroker-root /var/mountbroker-root
    option mountbroker-geo-replication.geoaccount slavevol
    option geo-replication-log-group geogroup
    If you are unable to locate the glusterd volfile at /var/lib/glusterfs/glusterd.vol, you can create a volfile containing both the default configuration and the above options and place it at /var/lib/glusterfs/.
    A sample glusterd volfile along with default options:
    volume management
        type mgmt/glusterd
        option working-directory /var/lib/glusterd
        option transport-type socket,rdma
        option transport.socket.keepalive-time 10
        option transport.socket.keepalive-interval 2
        option transport.socket.read-fail-log off
    
        option mountbroker-root /var/mountbroker-root 
        option mountbroker-geo-replication.geoaccount slavevol
        option geo-replication-log-group geogroup
    end-volume
    If you host multiple slave volumes on Slave, you can repeat step 2 for each of them and add the following options to the volfile:
    option mountbroker-geo-replication.geoaccount2 slavevol2
    option mountbroker-geo-replication.geoaccount3 slavevol3
  5. Set up Master to access Slave as geoaccount@Slave.
    You can add multiple slave volumes within the same account (geoaccount) by providing a comma-separated list (without spaces) as the argument of mountbroker-geo-replication.geogroup. You can also have multiple options of the form mountbroker-geo-replication.*. It is recommended to use one service account per Master machine. For example, if there are multiple slave volumes on Slave for the master machines Master1, Master2, and Master3, then create a dedicated service user on Slave for them by repeating Step 2 for each (like geogroup1, geogroup2, and geogroup3), and then add the following corresponding options to the volfile:
    option mountbroker-geo-replication.geoaccount1 slavevol11,slavevol12,slavevol13
    option mountbroker-geo-replication.geoaccount2 slavevol21,slavevol22
    option mountbroker-geo-replication.geoaccount3 slavevol31
    Now set up Master1 to ssh to geoaccount1@Slave, etc.
    You must restart glusterd after making changes in the configuration to effect the updates.
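
The following check is an added example, not part of the Red Hat Storage documentation or tooling. It reads the mountbroker options out of glusterd volfile text and verifies the step 3 requirements on the mountbroker-root directory (owned by root, mode 0711, parent not writable by other users). The function names and the embedded sample volfile are assumptions made for illustration.

```python
import os
import stat

PREFIX = "mountbroker-geo-replication."

# Constructed sample: the options from this section inside a glusterd volfile.
SAMPLE = """volume management
    type mgmt/glusterd
    option mountbroker-root /var/mountbroker-root
    option mountbroker-geo-replication.geoaccount1 slavevol11,slavevol12,slavevol13
    option mountbroker-geo-replication.geoaccount2 slavevol21,slavevol22
    option geo-replication-log-group geogroup
end-volume
"""

def parse_volfile(text):
    """Collect the mountbroker options and flag malformed volume lists."""
    cfg = {"root": None, "log_group": None, "accounts": {}, "problems": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "option":
            continue
        key, value, extra = parts[1], parts[2], parts[3:]
        if key == "mountbroker-root":
            cfg["root"] = value
        elif key == "geo-replication-log-group":
            cfg["log_group"] = value
        elif key.startswith(PREFIX):
            cfg["accounts"][key[len(PREFIX):]] = value.split(",")
            if extra:  # the list must be comma-separated without spaces
                cfg["problems"].append(f"{key}: stray text after volume list")
    if cfg["accounts"] and not cfg["root"]:
        cfg["problems"].append("mountbroker-root is not set")
    return cfg

def audit_root_dir(path, owner_uid=0):
    """Check step 3. owner_uid is 0 (root); it is a parameter only for dry runs."""
    st = os.lstat(path)  # lstat: a symlink must not pass as the directory
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) != 0o711:
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0711")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != owner_uid or parent.st_mode & 0o022:
        problems.append(f"{path}: parent directory is writable by other users")
    return problems
```

On a slave, pass the contents of the glusterd volfile to parse_volfile and the resulting root value to audit_root_dir; an empty problem list from both means the configuration matches the steps above.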