We need to make sure the glusterfs server is set up with proper keys. We generate X.509 certificates for both the server and the clients so that the two sides authenticate each other and data in transit is encrypted.
Make sure the glusterfs server container is started, then copy the dms binary into the container:
docker cp dms gluster-server-container:/home/
Make sure you create the key and caps (capabilities) before running dms.
Start dms in the container with the following configuration:
storage_mode=true
storage_ca_directory=<directory where the CA and certificate files are kept; optional, a default value is used if unset>
storage_bricks_dir=<directory where the data of every volume is stored>
storage_glusterfs_hostname=<for this test this can be your host's hostname>
Each storage dms has to keep the server PEM files in one place so it can create a chain CA file and send it back to the clients when they create a volume. For this purpose, inside storage_ca_directory we have the following subdirectories:
/glusterfs_nodes
/clients
On your host, run another DMS instance that will connect to the dms we started in the container.
Note that we need to give this dms capabilities to run the following behaviours on the glusterfs dms:
Here we define clientX as the Common Name of the certificate. We could use a key DID here, for example.
At this point we have a directory where the client certificates are stored.
2. Create a volume
On the host dms, create a volume and obtain the CA file returned by the glusterfs dms.
./dms actor cmd --context dms /dms/volume/create --name testingdms30march --client-pem-file /home/glusterfs_certificates/glusterfs.pem --ca-output-dir "/home/glusterfs_certificates/" --dest {dms peer/did on the glusterfs container}
Now, if we look in the client certificate directory, we should see one additional .ca file:
glusterfs.key
glusterfs.pem
glusterfs.ca <- new file
3. Start the volume
./dms actor cmd --context dms /dms/volume/start --name testingdms30march --dest {dms peer/did on the glusterfs container}
4.A. Reload gluster
For now, since we are not using a CA root for the glusterfs server, each glusterfs server is its own "root". We therefore need one manual step, which will be removed in the future by introducing a Root Authority that allows certificate chains of depth greater than 0; then, just by keeping the intermediate certificates, we will still be able to verify the chain without restarting/reloading each time.
On the glusterfs server
cd ${storage_ca_directory}
cp glusterfs.ca /etc/pki/tls/
systemctl restart glusterfsd
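As an added example (not part of this page or the dms project), the Go program below models what the glusterfs.ca bundle is and why the depth-0 setup needs a reload: the bundle is just the node PEMs concatenated, and a peer certificate only verifies if it is itself one of the anchors in that bundle, so a certificate added later is rejected until the bundle is rebuilt and glusterfs reloaded. NewNodeCert, VerifyPeer and the node1/node2/node3 names are assumptions for the demo; the certificates are generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewNodeCert: self-signed PEM cert standing in for one node's glusterfs.pem (its own root, depth 0).
func NewNodeCert(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // fixed template, cannot fail
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// VerifyPeer checks a peer cert against the glusterfs.ca bundle (concatenated node PEMs) as a TLS
// endpoint would; at depth 0 the peer must itself be in the bundle, so later certs fail until rebuilt.
func VerifyPeer(peerPEM, bundlePEM []byte) bool {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return false
	}
	if block, _ := pem.Decode(peerPEM); block != nil {
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
			return err == nil
		}
	}
	return false
}

func main() {
	n1, n2, n3 := NewNodeCert("node1"), NewNodeCert("node2"), NewNodeCert("node3")
	bundle := append(append([]byte{}, n1...), n2...) // the glusterfs.ca handed to the client
	fmt.Println(VerifyPeer(n1, bundle), VerifyPeer(n2, bundle), VerifyPeer(n3, bundle)) // true true false
}
```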
The volume shows the requirements.
We need to pass the client auth data so it can read the client certs and the CA file we created earlier.
After the allocation is started, go to the container and check the mounted volume. Write to it, then go to the glusterfs container where the bricks storage directory is and observe the data.