From 2cee2186043fb8b2a80ce3540e41492b1744bd22 Mon Sep 17 00:00:00 2001

From: Kaushal M <kaushal@redhat.com>

Date: Tue, 7 Jul 2015 12:52:30 +0530

Subject: [PATCH 225/234] glusterd: Fix management encryption issues with GlusterD

  Backport of commit 01b82c6 from upstream master

Management encryption was enabled incorrectly in GlusterD leading to

issues of cluster deadlocks. This has been fixed with this commit. The

fix is in two parts,

1. Correctly enable encrytion for the TCP listener in GlusterD and

re-enable own-threads for encrypted connections.

  Without this, GlusterD could try to esatblish the blocking SSL

  connects in the epoll thread, for eg. when handling friend updates,

  which could lead to cluster deadlocks.

2. Explicitly enable encryption for outgoing peer connections.

  Without enabling encryption explicitly for outgoing connections was

  causing SSL socket events to be handled in the epoll thread. Some

  events, like disconnects during peer detach, could lead to connection

  attempts to happen in the epoll thread, leading to deadlocks again.

Change-Id: I438c2b43f7b1965c0e04d95c000144118d36272c

BUG: 1239108

Signed-off-by: Kaushal M <kaushal@redhat.com>

Reviewed-upstream-on: http://review.gluster.org/11559

Reviewed-on: https://code.engineering.redhat.com/gerrit/52746

Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>

Tested-by: Krishnan Parthasarathi <kparthas@redhat.com>

---

 xlators/mgmt/glusterd/src/glusterd-handler.c |   14 ++++++++++++++

 xlators/mgmt/glusterd/src/glusterd.c         |   13 +++++--------

 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c

index 3bc39c9..82bd7b1 100644

--- a/xlators/mgmt/glusterd/src/glusterd-handler.c

+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c

@@ -3430,6 +3430,20 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,

                 }

         }

+        /* Enable encryption for the client connection if management encryption

+         * is enabled

+         */

+        if (this->ctx->secure_mgmt) {

+                ret = dict_set_str (options, "transport.socket.ssl-enabled",

+                                    "on");

+                if (ret) {

+                        gf_msg ("glusterd", GF_LOG_ERROR, 0,

+                                GD_MSG_DICT_SET_FAILED,

+                                "failed to set ssl-enabled in dict");

+                        goto out;

+                }

+        }

+

         ret = glusterd_rpc_create (&peerinfo->rpc, options,

                                    glusterd_peer_rpc_notify, peerctx);

         if (ret) {

diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c

index 9754e8b..05723b9 100644

--- a/xlators/mgmt/glusterd/src/glusterd.c

+++ b/xlators/mgmt/glusterd/src/glusterd.c

@@ -1589,19 +1589,16 @@ init (xlator_t *this)

                 goto out;

         }

+        /* Enable encryption for the TCP listener is management encryption is

+         * enabled

+         */

         if (this->ctx->secure_mgmt) {

-                /*

-                 * The socket code will turn on SSL based on the same check,

-                 * but that will by default turn on own-thread as well and

-                 * we're not multi-threaded enough to handle that.  Thus, we

-                 * override the value here.

-                 */

                 ret = dict_set_str (this->options,

-                                    "transport.socket.own-thread", "off");

+                                    "transport.socket.ssl-enabled", "on");

                 if (ret != 0) {

                         gf_msg (this->name, GF_LOG_ERROR, 0,

                                 GD_MSG_DICT_SET_FAILED,

-                                "failed to clear own-thread");

+                                "failed to set ssl-enabled in dict");

                         goto out;

                 }

                 /*

-- 

1.7.1