23.5. Expanding Volumes

Follow this section to add new nodes to a trusted storage pool that uses network encryption.

23.5.1. Certificate signed by a Common Certificate Authority

Follow this section to add a new Gluster server to a trusted storage pool that uses network encryption signed by a common Certificate Authority.

Prerequisites

Procedure 23.8. Expanding a pool that uses common Certificate Authority signed certificates

  1. Import the common Certificate Authority list

    Copy the /etc/ssl/glusterfs.ca file from an existing server into the /etc/ssl directory of the new server.
  2. For management encryption, create and edit the secure-access file

    Create a new /var/lib/glusterd/secure-access file. This file can be empty if you are using the default settings.
    # touch /var/lib/glusterd/secure-access
    Your Certificate Authority may require changes to the SSL certificate depth setting, transport.socket.ssl-cert-depth, in order to work correctly. To edit this setting, add the following line to the secure-access file, replacing n with the certificate depth required by your Certificate Authority.
    echo "option transport.socket.ssl-cert-depth n" > /var/lib/glusterd/secure-access
  3. Start glusterd on the new server

    # systemctl start glusterd
  4. Specify servers and clients to allow

    Provide a list of the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.
    # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'
    This provides an additional check in case you want to leave keys in place, but temporarily restrict a client or server by removing it from this list, as shown in Section 23.7, “Deauthorizing a Client”.

    Note

    The gluster volume set command does not append to existing values of the options. To append the new name to the list, get the existing list using gluster volume info command, append the new name to the list and set the option again using gluster volume set command.
    You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.
  5. Expand volumes to the new server

    Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.

23.5.2. Self-signed Certificates

Prerequisites

  • Because self-signed certificates are not automatically generated and updated, the trusted storage pool must be offline for this process. Schedule an outage window for volumes, applications, clients, and other end users before beginning this process.

Procedure 23.9. Expanding a pool that uses self-signed certificates

  1. Generate the key and self-signed certificate for the new server

    Follow the steps in Section 23.1, “Preparing Certificates” to generate a private key and a self-signed certificate for the new server.
  2. Update server Certificate Authority list files

    Append the contents of the new server's /etc/ssl/glusterfs.pem file to the /etc/ssl/glusterfs.ca file on all existing servers in the trusted storage pool.
  3. Update client Certificate Authority list files

    Append the contents of the new server's /etc/ssl/glusterfs.pem file to the /etc/ssl/glusterfs.ca file on all authorized clients in the trusted storage pool.
  4. Stop all gluster processes

    Run the following commands on all servers.
    # systemctl stop glusterd
    # pkill glusterfs

    Important

    Bug 1635071 may cause glusterd to crash during shutdown, but there is no functionality impact to this crash. See Resolving glusterd crash for details.
  5. (Optional) Enable management encryption on the new server

    Copy the /var/lib/glusterd/secure-access file from an existing server to the new server.
  6. Start glusterd on the new server

    # systemctl start glusterd
  7. Update servers and clients to allow

    Run the following command from any server to specify the common names of servers and clients that are allowed to access the volume. The common names provided must be exactly the same as the common name specified when you created the glusterfs.pem file for that server or client.
    # gluster volume set volname auth.ssl-allow 'server1,server2,client1,client2,client3'

    Note

    The gluster volume set command does not append to existing values of the options. To append the new name to the list, get the existing list using gluster volume info command, append the new name to the list and set the option again using gluster volume set command.
    You can also use the default value of *, which indicates that any TLS authenticated machine can mount and access the volume.
  8. Restart the glusterfs processes on existing servers and clients

    1. On all clients, unmount all volumes

      # umount mountpoint
    2. On any server, stop all volumes

      # for vol in `gluster volume list`; do gluster --mode=script volume stop $vol; sleep 2s; done
    3. On all servers, restart glusterd

      For Red Hat Enterprise Linux 7 based installations:
      # systemctl start glusterd
      For Red Hat Enterprise Linux 6 based installations:
      # service glusterd start
    4. On any server, start all volumes

      # gluster volume start volname
  9. Mount the volume on all clients

    The process for mounting a volume depends on the protocol your client is using. The following command mounts a volume using the native FUSE protocol.
    # mount -t glusterfs server1:/test-volume /mnt/glusterfs
  10. Expand volumes to the new server

    Follow the instructions in Section 11.7, “Expanding Volumes” to expand existing volumes using the newly trusted server.