22.4. Enabling Management Encryption
- Enabling management encryption requires that storage servers are offline. Schedule an outage window for volumes, applications, clients, and other end users before beginning this process. Be aware that features such as snapshots and geo-replication may also be affected by this outage.
Procedure 22.7. Enabling management encryption
Prepare to enable encryption
Unmount all volumes from all clients
Run the following command on each client, for each volume mounted on that client.
# umount mount-point
Stop NFS Ganesha or SMB services, if used
Run the following command on any gluster server to disable NFS-Ganesha.
# systemctl stop nfs-ganesha
Run the following command on any gluster server to stop SMB.
# systemctl stop ctdb
Unmount shared storage, if used
Run the following command on all servers to unmount shared storage.
# umount /var/run/gluster/shared_storage
Important: Features that require shared storage, such as snapshots and geo-replication, may not work until after this process is complete.
Stop all volumes
Run the following command on any server to stop all volumes, including the shared storage volume.
# for vol in `gluster volume list`; do gluster --mode=script volume stop $vol; sleep 2s; done
Stop gluster services on all servers
For Red Hat Enterprise Linux 7 based installations:
# systemctl stop glusterd
# pkill glusterfs
For Red Hat Enterprise Linux 6 based installations:
# service glusterd stop
# pkill glusterfs
Create and edit the secure-access file on all servers and clients
Create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.
# touch /var/lib/glusterd/secure-access
Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.
# echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access
Clean up after configuring management encryption
Start the glusterd service on all servers
For Red Hat Enterprise Linux 7 based installations:
# systemctl start glusterd
For Red Hat Enterprise Linux 6 based installations:
# service glusterd start
Start all volumes
Run the following command on any host to start all volumes including shared storage.
# for vol in `gluster volume list`; do gluster --mode=script volume start $vol; sleep 2s; done
Mount shared storage, if used
Run the following command on all servers to mount shared storage.
# mount -t glusterfs hostname:/gluster_shared_storage /run/gluster/shared_storage
Restart NFS Ganesha or SMB services, if used
Run the following command on any gluster server to start NFS-Ganesha.
# systemctl start nfs-ganesha
Run the following command on any gluster server to start SMB.
# systemctl start ctdb
Mount volumes on clients
The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume using the native FUSE protocol.
# mount -t glusterfs server1:/testvolume /mnt/glusterfs
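
For the secure-access step in the procedure above, an added example (not part of the product documentation) that writes the certificate depth option with input validation and checks the file on a node before glusterd is started. The function names and the SECURE_ACCESS override variable are assumptions made for this example; the file path and option name are the ones given in the procedure.

```shell
#!/bin/sh
# Added example: write and verify /var/lib/glusterd/secure-access on one node.
# SECURE_ACCESS can be overridden (hypothetical variable, used here for testing).
SECURE_ACCESS="${SECURE_ACCESS:-/var/lib/glusterd/secure-access}"
DEPTH_OPT='transport.socket.ssl-cert-depth'
DEPTH_RE='transport\.socket\.ssl-cert-depth'   # same name, dots escaped for grep -E

# set_cert_depth N
# Writes the option line from the procedure. Like the documented echo command,
# this replaces any existing content of the file. Rejects an empty value, a
# leading zero, or anything that is not a decimal integer, so the literal
# placeholder "n" cannot be written by mistake.
set_cert_depth() {
    case "$1" in
        ''|0*|*[!0-9]*)
            echo "certificate depth must be a positive integer, got '$1'" >&2
            return 2 ;;
    esac
    printf 'option %s %s\n' "$DEPTH_OPT" "$1" > "$SECURE_ACCESS"
}

# check_secure_access
# Prints "default" when the file exists without a depth line (for example the
# empty file created with touch), or the configured depth otherwise.
# Returns non-zero when the file is missing or a depth line is malformed.
check_secure_access() {
    [ -f "$SECURE_ACCESS" ] || { echo "missing: $SECURE_ACCESS" >&2; return 1; }
    depth_lines=$(grep -F "$DEPTH_OPT" "$SECURE_ACCESS") || { echo "default"; return 0; }
    # Every line naming the option must be exactly: option <name> <positive integer>
    bad=$(printf '%s\n' "$depth_lines" | grep -Ev "^option $DEPTH_RE [1-9][0-9]*$" || true)
    if [ -n "$bad" ]; then
        echo "malformed line in $SECURE_ACCESS: $bad" >&2
        return 1
    fi
    # If the option appears more than once, report the last occurrence.
    printf '%s\n' "$depth_lines" | tail -n 1 | awk '{print $3}'
}

# Usage on each server and client, as root, while glusterd is stopped:
#   set_cert_depth 2 && check_secure_access
```

Running check_secure_access on every server and client before the glusterd start step confirms that no node was skipped when the file was created.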