0. Pre-lab environment check and setup
[student@workstation ~]$ lab io-encryption setup
1. Volume information
Run gluster volume info prod-vol to display the volume's information.
[root@servera ~]# gluster volume info prod-vol
Volume Name: prod-vol
Type: Replicate
Volume ID: 5d3cc41e-52c4-4718-a1a2-4368b1b39d80
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: servera:/bricks/brick-a1/brick
Brick2: serverb:/bricks/brick-b1/brick
Options Reconfigured:
performance.readdir-ahead: on
2. Stop the volume
Run gluster volume stop prod-vol to stop the volume so that it can be configured.
[root@servera ~]# gluster volume stop prod-vol
Stopping volume will make its data inaccessible. Do you want to continue? (y/n) y
volume stop: prod-vol: success
3. Download the keys
Run curl ftp://workstation.lab.example.com/pub/server.pem -o /etc/ssl/glusterfs.pem to download the public key (certificate), curl ftp://workstation.lab.example.com/pub/server.key -o /etc/ssl/glusterfs.key to download the private key, and curl ftp://workstation.lab.example.com/pub/glusterfs.ca -o /etc/ssl/glusterfs.ca to download the CA certificate. Repeat the same steps on serverb. Note: if these keys are not downloaded and configured correctly, glusterd will fail to start when the service is restarted later.
[root@servera ~]# curl ftp://workstation.lab.example.com/pub/server.pem -o /etc/ssl/glusterfs.pem
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (78) RETR response: 550
[root@servera ~]# curl ftp://workstation.lab.example.com/pub/server.key -o /etc/ssl/glusterfs.key
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (78) RETR response: 550
[root@servera ~]# curl ftp://workstation.lab.example.com/pub/glusterfs.ca -o /etc/ssl/glusterfs.ca
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1391 100 1391 0 0 3101 0 --:--:-- --:--:-- --:--:-- 3104
[root@serverb ~]# curl ftp://workstation.lab.example.com/pub/serverb.pem -o /etc/ssl/glusterfs.pem
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6253 100 6253 0 0 26235 0 --:--:-- --:--:-- --:--:-- 26383
[root@serverb ~]# curl ftp://workstation.lab.example.com/pub/serverb.key -o /etc/ssl/glusterfs.key
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1704 100 1704 0 0 3845 0 --:--:-- --:--:-- --:--:-- 3855
[root@serverb ~]# curl ftp://workstation.lab.example.com/pub/glusterfs.ca -o /etc/ssl/glusterfs.ca
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1391 100 1391 0 0 4549 0 --:--:-- --:--:-- --:--:-- 4560
4. Authorize SSL nodes
Run gluster volume set prod-vol auth.ssl-allow with the list of hostnames to add the nodes that are allowed to access the volume over SSL.
[root@servera ~]# gluster volume set prod-vol auth.ssl-allow \
> 'servera.lab.example.com,serverb.lab.example.com,workstation.lab.example.com'
volume set: success
5. Enable SSL
Run gluster volume set prod-vol server.ssl on to enable SSL on the server side, and gluster volume set prod-vol client.ssl on to enable SSL on the client side.
[root@servera ~]# gluster volume set prod-vol server.ssl on
volume set: success
[root@servera ~]# gluster volume set prod-vol client.ssl on
volume set: success
6. Test file
Run mkdir -p /var/lib/glusterd to create the test directory, then touch /var/lib/glusterd/secure-access to create the test file.
[root@workstation ~]# mkdir -p /var/lib/glusterd
[root@workstation ~]# touch /var/lib/glusterd/secure-access
7. Start the services
Run for I in server{a..b};do ssh ${I} "systemctl stop glusterd";done to stop the service on both servers.
Run for I in server{a..b};do ssh ${I} "pkill glusterfs";done to stop the remaining glusterfs processes.
Run for I in server{a..b};do ssh ${I} "touch /var/lib/glusterd/secure-access";done to create the test file on both servers.
Run for I in server{a..b};do ssh ${I} "systemctl start glusterd";done to start the service again.
Run gluster volume start prod-vol to start the volume, then gluster volume info prod-vol to confirm the new options.
On workstation, run yum -y install glusterfs-fuse to install the FUSE client package, then mount -t glusterfs servera:/prod-vol /mnt to mount the volume.
[root@servera ~]# for I in server{a..b};do ssh ${I} "systemctl stop glusterd";done
The authenticity of host 'servera (172.25.250.10)' can't be established.
ECDSA key fingerprint is f3:3a:20:c9:5a:cc:cc:f0:44:f7:00:90:03:18:b1:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'servera,172.25.250.10' (ECDSA) to the list of known hosts.
root@servera's password:
The authenticity of host 'serverb (172.25.250.11)' can't be established.
ECDSA key fingerprint is f3:3a:20:c9:5a:cc:cc:f0:44:f7:00:90:03:18:b1:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'serverb,172.25.250.11' (ECDSA) to the list of known hosts.
root@serverb's password:
[root@servera ~]# for I in server{a..b};do ssh ${I} "pkill glusterfs";done
root@servera's password:
root@serverb's password:
[root@servera ~]# for I in server{a..b};do ssh ${I} "touch /var/lib/glusterd/secure-access";done
root@servera's password:
root@serverb's password:
[root@servera ~]# for I in server{a..b};do ssh ${I} "systemctl start glusterd";done
root@servera's password:
root@serverb's password:
[root@servera ~]# gluster volume start prod-vol
volume start: prod-vol: success
[root@servera ~]# gluster volume info prod-vol
Volume Name: prod-vol
Type: Replicate
Volume ID: b649bef9-6ba3-47d8-9320-df817b2fe15d
Status: Started
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: servera:/bricks/brick-a1/brick
Brick2: serverb:/bricks/brick-b1/brick
Options Reconfigured:
performance.readdir-ahead: on
auth.ssl-allow: servera.lab.example.com,serverb.lab.example.com,workstation.lab.example.com
server.ssl: on
client.ssl: on
[root@workstation ~]# yum -y install glusterfs-fuse
[root@workstation ~]# mount -t glusterfs servera:/prod-vol /mnt
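Before glusterd is restarted in step 7, it is worth confirming that the certificate, private key and CA on each node really belong together, because a missing or mismatched file is exactly the failure mode the note in step 3 warns about (and the 550 responses for server.pem and server.key above would leave servera without them). The script below is an added example and is not part of the lab or of GlusterFS itself. It assumes the file names the lab uses (glusterfs.pem, glusterfs.key and glusterfs.ca, under /etc/ssl by default); check_gluster_tls, cn_allowed and make_demo_certs are names chosen here, and make_demo_certs builds a constructed throwaway CA and node certificate in a directory of your choice so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the lab: validate the GlusterFS TLS material on a node
# before glusterd is restarted. Paths default to the ones the lab uses under /etc/ssl.

# Return 0 if <dir>/glusterfs.pem, glusterfs.key and glusterfs.ca are present,
# well-formed, belong to each other and chain to the CA; otherwise say why and return 1.
check_gluster_tls() {
  dir="${1:-/etc/ssl}"
  pem="$dir/glusterfs.pem"; key="$dir/glusterfs.key"; ca="$dir/glusterfs.ca"
  for f in "$pem" "$key" "$ca"; do
    # a failed download leaves the file missing or empty
    [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
  done
  openssl x509 -in "$pem" -noout 2>/dev/null || { echo "not an X.509 certificate: $pem"; return 1; }
  # the key must be the one the certificate was issued for: compare the public keys
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] || { echo "not a readable private key: $key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match"; return 1; }
  # peers validate against glusterfs.ca, so the node certificate must chain to it
  openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || { echo "certificate not issued by $ca"; return 1; }
  # group/other access to the key is a disclosure problem, not a startup failure: warn only
  case "$(ls -l "$key" | cut -c5-10)" in
    *r*|*w*) echo "warning: $key is readable or writable by group/other" ;;
  esac
  return 0
}

# Return 0 if the certificate's CN is one of the names in an auth.ssl-allow list
# (comma-separated, as set in step 4); otherwise return 1.
cn_allowed() {
  cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null \
       | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
  case ",$2," in
    *",$cn,"*) return 0 ;;
    *) echo "CN '$cn' is not in auth.ssl-allow"; return 1 ;;
  esac
}

# Constructed fixture for running this offline: a throwaway CA and a certificate for
# servera.lab.example.com (or the name given as $2), written to <dir> with the lab's file names.
make_demo_certs() {
  dir="$1"; name="${2:-servera.lab.example.com}"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-lab-ca" \
    -keyout "$dir/ca.key" -out "$dir/glusterfs.ca" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/glusterfs.key" -out "$dir/node.csr" 2>/dev/null
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/glusterfs.ca" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/glusterfs.pem" 2>/dev/null
  chmod 600 "$dir/glusterfs.key"
}

# On a real node: check_gluster_tls /etc/ssl && cn_allowed /etc/ssl/glusterfs.pem "$ALLOW_LIST"
```

Run the two checks on servera and serverb after step 3 and before the restart in step 7; a non-zero exit with a printed reason is cheaper to act on than a glusterd that refuses to start. The CN check is only as good as the auth.ssl-allow string you pass it, so pass exactly the value shown by gluster volume info prod-vol.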
8. Lab grading
Run lab io-encryption grade to grade the lab. The checks cover whether the volume exists, whether the service is running, the private key, public key, CA certificate, test file, SSL access, and the mount, among others.
[student@workstation ~]$ lab io-encryption grade
Grading the student's work:
· Checking if volume prod-vol exists.......................... PASS
· Testing if glusterd is active on servera.................... PASS
· Testing if glusterd is active on serverb.................... PASS
· Checking if servera has gluster.pem in /etc/ssl............. PASS
· Checking if serverb has gluster.pem in /etc/ssl............. PASS
· Checking if servera has gluster.ca in /etc/ssl.............. PASS
· Checking if serverb has gluster.ca in /etc/ssl.............. PASS
· Checking if servera has gluster.keys in /etc/ssl............ PASS
· Checking if serverb has gluster.keys in /etc/ssl............ PASS
· Checking if servera has a secure-access file................ PASS
· Checking if serverb has a secure-access file................ PASS
· Checking if servera is accessible via SSL................... PASS
· Checking if serverb is accessible via SSL................... PASS
· Checking if prod-vol is mounted on /mnt from workstation.... PASS
Overall lab grade.............................................. PASS