> 1) How permanent are these interfaces? Is this expected to be unchanged
> (and will it be the recommended method) for future GlusterFS versions ?
> What about in 4.0 ?

I hope these configuration methods are *not* permanent, because they're
crufty as hell.

> 2) Can you give me the _exact and full_ openssl command line that you'd
> recommend someone run. This way I won't make mistakes or hurt my brain.

Here's an example (from bug-873367.t) of how to create the key and cert
files:

    openssl genrsa -out $SSL_KEY 1024
    openssl req -new -x509 -key $SSL_KEY -subj /CN=Anyone -out $SSL_CERT

> Can you also be more specific about which files to concatenate to
> produce the glusterfs.ca file, and if it's a literal cat * > or if you
> need to use a special program to merge them.

It really is a straight "cat" of the peers' cert files into the local CA
file.

> 3) Are the /etc/ssl/glusterfs.* paths configurable (without re-compile)
> somehow?

Not currently. The "better-ssl" feature proposal for 3.6 should address
this, along with other options such as cipher suites and certificate
verification depth.

> 4) Does this change any of the ports that are used anywhere?

No.

> 5) Anything else you think I should know?

Only the caveats in the message you already cited. The fact that SSL is
used only for authentication but not authorization is pretty significant.
Ditto for the lack of support for it on the management path.

_______________________________________________
Gluster-devel mailing list
Gluster-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/gluster-devel
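
Added example, not part of the original message or of GlusterFS: the two openssl steps and the straight "cat" of peer certs described in the reply, run in a temporary directory, followed by a check of which certs the resulting bundle accepts. Peer names and helper functions are constructed for illustration, and it generates 2048-bit keys rather than the 1024-bit key in the quoted test.

```shell
#!/bin/sh
# Added example: with self-signed peer certs, the concatenated CA file acts as
# an allowlist. Nothing is written under /etc/ssl; all files live in a temp dir.

# make_peer DIR NAME: private key plus self-signed cert (same two steps as the reply).
make_peer() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.key" -subj "/CN=$2" \
        -out "$1/$2.pem" 2>/dev/null
}

# build_ca OUT CERT...: literally "cat" the peers' cert files into one bundle.
build_ca() {
    out=$1; shift
    cat "$@" > "$out"
}

# ca_count FILE: how many certificates the bundle contains.
ca_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# trusted CA CERT: succeeds only if openssl reports "<file>: OK" for CERT.
# Matching the output text avoids relying on exit codes of old openssl builds.
trusted() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed peer names; "outsider" is deliberately left out of the bundle.
    for p in server1 server2 client1 outsider; do
        make_peer "$d" "$p" || return 1
    done
    build_ca "$d/glusterfs.ca" "$d/server1.pem" "$d/server2.pem" "$d/client1.pem"
    echo "bundle holds $(ca_count "$d/glusterfs.ca") certificates"
    for p in server1 server2 client1 outsider; do
        if trusted "$d/glusterfs.ca" "$d/$p.pem"; then
            echo "$p: accepted"
        else
            echo "$p: rejected"
        fi
    done
    rm -rf "$d"
}

demo
```

Every cert in the bundle is accepted as a peer, so removing a peer means rebuilding the file without its cert on every node that trusted it.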