From 2cee2186043fb8b2a80ce3540e41492b1744bd22 Mon Sep 17 00:00:00 2001
From: Kaushal M <kaushal@redhat.com>
Date: Tue, 7 Jul 2015 12:52:30 +0530
Subject: [PATCH 225/234] glusterd: Fix management encryption issues with GlusterD

  Backport of commit 01b82c6 from upstream master

Management encryption was enabled incorrectly in GlusterD leading to
issues of cluster deadlocks. This has been fixed with this commit. The
fix is in two parts,

1. Correctly enable encryption for the TCP listener in GlusterD and
re-enable own-threads for encrypted connections.
  Without this, GlusterD could try to establish the blocking SSL
  connects in the epoll thread, for eg. when handling friend updates,
  which could lead to cluster deadlocks.

2. Explicitly enable encryption for outgoing peer connections.
  Not enabling encryption explicitly for outgoing connections was
  causing SSL socket events to be handled in the epoll thread. Some
  events, like disconnects during peer detach, could lead to connection
  attempts to happen in the epoll thread, leading to deadlocks again.

Change-Id: I438c2b43f7b1965c0e04d95c000144118d36272c
BUG: 1239108
Signed-off-by: Kaushal M <kaushal@redhat.com>
Reviewed-upstream-on: http://review.gluster.org/11559
Reviewed-on: https://code.engineering.redhat.com/gerrit/52746
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Tested-by: Krishnan Parthasarathi <kparthas@redhat.com>
---
 xlators/mgmt/glusterd/src/glusterd-handler.c |   14 ++++++++++++++
 xlators/mgmt/glusterd/src/glusterd.c         |   13 +++++--------
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 3bc39c9..82bd7b1 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3430,6 +3430,20 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
                 }
         }
 
+        /* Enable encryption for the client connection if management encryption
+         * is enabled
+         */
+        if (this->ctx->secure_mgmt) {
+                ret = dict_set_str (options, "transport.socket.ssl-enabled",
+                                    "on");
+                if (ret) {
+                        gf_msg ("glusterd", GF_LOG_ERROR, 0,
+                                GD_MSG_DICT_SET_FAILED,
+                                "failed to set ssl-enabled in dict");
+                        goto out;
+                }
+        }
+
         ret = glusterd_rpc_create (&peerinfo->rpc, options,
                                    glusterd_peer_rpc_notify, peerctx);
         if (ret) {
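Review bot: The added comment above `if (this->ctx->secure_mgmt)` says what the block does but not why the option has to be set explicitly, a rationale that currently lives only in the commit message. Something like `/* Set ssl-enabled explicitly so this peer connection is known to be encrypted when it is created and its SSL events stay off the epoll thread */` would keep the deadlock reasoning next to the code. The `gf_msg` call also passes the literal `"glusterd"` where the matching block in glusterd.c's init uses `this->name`; `gf_msg (this->name, GF_LOG_ERROR, 0,` would be consistent. The `goto out` on failure means the peer connection is not created without TLS, and that fail-closed behaviour should be kept. Whether `out` releases `options` is not visible, because glusterd_friend_rpc_create starts and ends outside the hunk.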
diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
index 9754e8b..05723b9 100644
--- a/xlators/mgmt/glusterd/src/glusterd.c
+++ b/xlators/mgmt/glusterd/src/glusterd.c
@@ -1589,19 +1589,16 @@ init (xlator_t *this)
                 goto out;
         }
 
+        /* Enable encryption for the TCP listener is management encryption is
+         * enabled
+         */
         if (this->ctx->secure_mgmt) {
-                /*
-                 * The socket code will turn on SSL based on the same check,
-                 * but that will by default turn on own-thread as well and
-                 * we're not multi-threaded enough to handle that.  Thus, we
-                 * override the value here.
-                 */
                 ret = dict_set_str (this->options,
-                                    "transport.socket.own-thread", "off");
+                                    "transport.socket.ssl-enabled", "on");
                 if (ret != 0) {
                         gf_msg (this->name, GF_LOG_ERROR, 0,
                                 GD_MSG_DICT_SET_FAILED,
-                                "failed to clear own-thread");
+                                "failed to set ssl-enabled in dict");
                         goto out;
                 }
                 /*
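Review bot: The new comment above the `secure_mgmt` check has a typo (`is management encryption is enabled` should read `if management encryption is enabled`) and, unlike the comment it replaces, says nothing about own-thread. The removed code forced `transport.socket.own-thread` to `off`, and per the commit message the fix depends on own-thread being re-enabled for encrypted connections. A line such as `/* own-thread is deliberately not overridden here: blocking SSL connects must stay off the epoll thread */` would help stop a later change from reintroducing the override. init's body continues outside the hunk.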
-- 
1.7.1