authorKaushal M <kaushal@redhat.com>2015-07-07 12:52:30 +0530
committerRaghavendra Bhat <raghavendra@redhat.com>2015-07-13 03:13:55 -0700
commit50b0c7baad43dcd378a5740f154b38ec0ffe0f00 (patch)
treea8afb3184632052123c1be410e7bad164d459b32
parentc7d8d2ea1e4ad9e247b5876cf17d3a6e0d9af9ad (diff)
glusterd: Fix management encryption issues with GlusterDv3.6.4
Backport of commit 01b82c6 from master Management encryption was enabled incorrectly in GlusterD leading to issues of cluster deadlocks. This has been fixed with this commit. The fix is in two parts, 1. Correctly enable encryption for the TCP listener in GlusterD and re-enable own-threads for encrypted connections. Without this, GlusterD could try to establish the blocking SSL connects in the epoll thread, for example when handling friend updates, which could lead to cluster deadlocks. 2. Explicitly enable encryption for outgoing peer connections. Not enabling encryption explicitly for outgoing connections was causing SSL socket events to be handled in the epoll thread. Some events, like disconnects during peer detach, could lead to connection attempts to happen in the epoll thread, leading to deadlocks again. Change-Id: I438c2b43f7b1965c0e04d95c000144118d36272c BUG: 1241785 Signed-off-by: Kaushal M <kaushal@redhat.com> Reviewed-on: http://review.gluster.org/11612 Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Raghavendra Bhat <raghavendra@redhat.com>
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-handler.c13
-rw-r--r--xlators/mgmt/glusterd/src/glusterd.c13
2 files changed, 18 insertions, 8 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 9e52eff..67f6e9e 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3047,6 +3047,19 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
}
}
+ /* Enable encryption for the client connection if management encryption
+ * is enabled
+ */
+ if (this->ctx->secure_mgmt) {
+ ret = dict_set_str (options, "transport.socket.ssl-enabled",
+ "on");
+ if (ret) {
+ gf_log ("glusterd", GF_LOG_ERROR,
+ "failed to set ssl-enabled in dict");
+ goto out;
+ }
+ }
+
ret = glusterd_rpc_create (&peerinfo->rpc, options,
glusterd_peer_rpc_notify, peerctx);
if (ret) {
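Review bot: The `gf_log` call in the new `if (this->ctx->secure_mgmt)` block does not say that the failure concerns an outgoing peer connection, and it passes the literal "glusterd" where the glusterd.c hunk of this commit uses `this->name`; since this is the point where a peer link either gets encryption or is abandoned, the message should be attributable, e.g. `gf_log (this->name, GF_LOG_ERROR, "failed to set ssl-enabled in dict for peer connection");`. The `goto out` on failure is the right fail-closed choice, because continuing to `glusterd_rpc_create` without the option would, as far as the hunk shows, create the connection without encryption explicitly enabled. The block comment would also benefit from the reason given in the commit message, for example `/* Set explicitly: otherwise SSL events for peer connections are handled in the epoll thread, which can deadlock */`. glusterd_friend_rpc_create starts and ends outside the hunk, so whether `out` releases `options` cannot be checked from here.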
diff --git a/xlators/mgmt/glusterd/src/glusterd.c b/xlators/mgmt/glusterd/src/glusterd.c
index b9a43cd..c6886c1 100644
--- a/xlators/mgmt/glusterd/src/glusterd.c
+++ b/xlators/mgmt/glusterd/src/glusterd.c
@@ -1371,18 +1371,15 @@ init (xlator_t *this)
goto out;
}
+ /* Enable encryption for the TCP listener is management encryption is
+ * enabled
+ */
if (this->ctx->secure_mgmt) {
- /*
- * The socket code will turn on SSL based on the same check,
- * but that will by default turn on own-thread as well and
- * we're not multi-threaded enough to handle that. Thus, we
- * override the value here.
- */
ret = dict_set_str (this->options,
- "transport.socket.own-thread", "off");
+ "transport.socket.ssl-enabled", "on");
if (ret != 0) {
gf_log (this->name, GF_LOG_ERROR,
- "failed to clear own-thread");
+ "failed to set ssl-enabled in dict");
goto out;
}
/*