From 2cee2186043fb8b2a80ce3540e41492b1744bd22 Mon Sep 17 00:00:00 2001
From: Kaushal M <kaushal@redhat.com>
Date: Tue, 7 Jul 2015 12:52:30 +0530
Subject: [PATCH 225/234] glusterd: Fix management encryption issues with GlusterD
Backport of commit 01b82c6 from upstream master
Management encryption was enabled incorrectly in GlusterD leading to
issues of cluster deadlocks. This has been fixed with this commit. The
fix is in two parts,
1. Correctly enable encryption for the TCP listener in GlusterD and
re-enable own-threads for encrypted connections.
Without this, GlusterD could try to establish the blocking SSL
connects in the epoll thread, for eg. when handling friend updates,
which could lead to cluster deadlocks.
2. Explicitly enable encryption for outgoing peer connections.
Without enabling encryption explicitly for outgoing connections was
causing SSL socket events to be handled in the epoll thread. Some
events, like disconnects during peer detach, could lead to connection
attempts to happen in the epoll thread, leading to deadlocks again.
Change-Id: I438c2b43f7b1965c0e04d95c000144118d36272c
BUG: 1239108
Signed-off-by: Kaushal M <kaushal@redhat.com>
Reviewed-upstream-on: http://review.gluster.org/11559
Reviewed-on: https://code.engineering.redhat.com/gerrit/52746
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Tested-by: Krishnan Parthasarathi <kparthas@redhat.com>
---
xlators/mgmt/glusterd/src/glusterd-handler.c | 14 ++++++++++++++
xlators/mgmt/glusterd/src/glusterd.c | 13 +++++--------
2 files changed, 19 insertions(+), 8 deletions(-)
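diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 3bc39c9..82bd7b1 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3430,6 +3430,20 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
 }
 }
 
+ /* Enable encryption for the client connection if management encryption
+ * is enabled
+ */
+ if (this->ctx->secure_mgmt) {
+ ret = dict_set_str (options, "transport.socket.ssl-enabled",
+ "on");
+ if (ret) {
+ gf_msg ("glusterd", GF_LOG_ERROR, 0,
+ GD_MSG_DICT_SET_FAILED,
+ "failed to set ssl-enabled in dict");
+ goto out;
+ }
+ }
+
 ret = glusterd_rpc_create (&peerinfo->rpc, options,
 glusterd_peer_rpc_notify, peerctx);
 if (ret) {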
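Review bot: The new comment above `if (this->ctx->secure_mgmt)` says what is set but not why it has to be set explicitly, which per the commit message is the whole point of this hunk. I would expand it along the lines of `/* Set ssl-enabled explicitly for outgoing peer connections; otherwise SSL socket events are handled in the epoll thread, which can deadlock the cluster. */`. The log call also passes the literal `"glusterd"` where the glusterd.c hunk uses `this->name`; `gf_msg (this->name, GF_LOG_ERROR, 0,` would keep the two consistent. Bailing out with `goto out` instead of continuing without encryption looks right, but the `out` label and the release of `options` lie outside the hunk, so confirm the dict is cleaned up on this path.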
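diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
index 9754e8b..05723b9 100644
--- a/xlators/mgmt/glusterd/src/glusterd.c
+++ b/xlators/mgmt/glusterd/src/glusterd.c
@@ -1589,19 +1589,16 @@ init (xlator_t *this)
 goto out;
 }
 
+ /* Enable encryption for the TCP listener is management encryption is
+ * enabled
+ */
 if (this->ctx->secure_mgmt) {
- /*
- * The socket code will turn on SSL based on the same check,
- * but that will by default turn on own-thread as well and
- * we're not multi-threaded enough to handle that. Thus, we
- * override the value here.
- */
 ret = dict_set_str (this->options,
- "transport.socket.own-thread", "off");
+ "transport.socket.ssl-enabled", "on");
 if (ret != 0) {
 gf_msg (this->name, GF_LOG_ERROR, 0,
 GD_MSG_DICT_SET_FAILED,
- "failed to clear own-thread");
+ "failed to set ssl-enabled in dict");
 goto out;
 }
 /*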
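Review bot: The replacement comment in init() drops the rationale the removed one carried: the old text recorded that SSL turns on own-thread by default and that glusterd was "not multi-threaded enough" for it, and nothing here says why that default is now wanted. Going by the commit message, a line such as `/* own-thread is left at the socket layer's default so blocking SSL connects do not run in the epoll thread */` would keep the reasoning beside the code. The same comment also has a typo: "listener is management encryption" should read "listener if management encryption". init() continues past the hunk, so any later handling of own-thread is not visible here.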
--
1.7.1