hekafs(8) - Linux man page
Name
HekaFS - Cloud-enabled File System
Synopsis
HekaFS is a set of enhancements to the GlusterFS distributed filesystem, which collectively allow the secure sharing of a single filesystem among multiple "tenants" with the appearance of a private filesystem for each. This includes the following features:
- A separate directory namespace for each tenant.
- A separate UID/GID space for each tenant.
- SSL-based encryption and authentication.
- Encryption of data "at rest" (on disk).
- Management of tenants, encryption keys, daemons and ports.
Description
The purpose of the HekaFS management tools is to manage relationships between bricks, volumes and tenants. These are related as follows.
brick
A directory on a server, which will be exported to form part of a volume.
volume
An aggregation of multiple bricks on one or more servers, mountable as a single filesystem (see the filesystems man page).
tenant
A person or organization using part of a volume, isolated from other tenants but able to share resources among multiple client machines using the same tenant identity.
In addition to the hekafsd web interface, the HekaFS CLI tools allow an administrator to manipulate these relationships as follows.
hfs_add_directory
Add a server directory to the list of those usable as bricks. Directories which represent local-filesystem mount points on servers are automatically in this list.
hfs_add_volume
Define a volume consisting of the named bricks, with optional replication and/or striping.
hfs_delete_volume
Remove (undefine) a volume.
hfs_list_volumes
List the previously defined volumes.
hfs_start_volume
Start the daemons on one or more servers which will provide access (for all tenants) to a previously defined volume.
hfs_stop_volume
Stop the server daemons associated with a volume.
hfs_add_tenant
Add a tenant with unique name, password, and UID/GID ranges.
hfs_delete_tenant
Remove a tenant.
hfs_list_tenants
List tenants.
hfs_enable_tenant
Define the list of volumes to which a tenant has access.
hfs_update_cert
Update the SSL certificate associated with a tenant.
hfs_mount
Mount a HekaFS volume on a client machine, using a specific tenant identity.
SSL Setup
Setting up SSL connections between HekaFS clients and servers requires extra steps, and those steps assume familiarity with OpenSSL configuration. Most of them involve distributing files among servers and/or clients. HekaFS does nothing to secure that distribution; the administrator performing the steps must protect it according to local needs and standards. In particular, private keys should only ever be copied over an authenticated, encrypted channel and only to the machines that need them.
To enable SSL for a volume:
1. Generate a new SSL private key and certificate for each server, as /var/lib/hekafs/server.key and /var/lib/hekafs/server.pem respectively. Alternatively, generate one key and one certificate and distribute them to all servers; be aware that with a shared key the compromise of any one server exposes the traffic of all of them.
2. For each tenant, generate a new SSL private key and certificate, and distribute these files to all client machines which will mount as that tenant.
3. Concatenate the certificates of all servers providing a volume into a single file, and distribute that file to all client machines which will mount that volume (as any tenant).
4. Use hfs_update_cert with the certificate for a tenant. All applicable tenant certificates are combined into a per-tenant "certificate authority" file by hfs_start_volume automatically.
5. Use the -p (private key), -c (client certificate), and -s (server certificate) options of hfs_mount to mount a volume using SSL.
Examples
Set up a server key. Note that the key size is the last argument to openssl genrsa; written as "openssl genrsa 1024 -out server.key" the command is either rejected as a usage error or, on older OpenSSL releases, writes the key to standard output instead of the file. A 2048-bit key is used here because 1024-bit RSA is no longer considered adequate:

    server1# cd /var/lib/hekafs
    server1# openssl genrsa -out server.key 2048
    server1# openssl req -new -x509 -key server.key -out server.pem

Set up a tenant key:

    client1# openssl genrsa -out tenant1.key 2048
    client1# openssl req -new -x509 -key tenant1.key -out tenant1.pem
    server1# hfs_add_tenant tenant1 bad_password 1000 1999 1000 1999
    server1# hfs_update_cert tenant1 tenant1.pem
    server1# hfs_enable_tenant tenant1 a_volume

Start and mount the volume. This assumes the server certificates (server*.pem) have already been copied to client1. The tenant password passed to hfs_mount on the command line is visible in shell history and process listings, so treat it accordingly:

    server1# hfs_start_volume a_volume
    client1# cat server*.pem > all.ca
    client1# hfs_mount \
        -p $PWD/tenant1.key -c $PWD/tenant1.pem -s $PWD/all.ca \
        server1 a_volume tenant1 bad_password /mnt/my_volume
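The following script is an added example and is not code from the HekaFS man page or project. It carries out the key and certificate generation of the SSL Setup steps non-interactively and adds the checks worth running before any file is distributed: that each private key really belongs to its certificate, that every server certificate in the concatenated bundle is accepted by a client trusting that bundle, and that a server certificate missing from the bundle is rejected. It assumes openssl(1) is installed, uses a scratch directory in place of /var/lib/hekafs, and the names server1, server2, tenant1 and rogue are placeholders; the hfs_* commands themselves are not invoked.

```shell
#!/bin/sh
# Added example, not part of HekaFS: non-interactive key/certificate setup for
# the SSL procedure in this man page, plus pre-distribution sanity checks.
# Assumptions: openssl(1) is installed; WORK is a scratch directory standing in
# for /var/lib/hekafs; server1/server2/tenant1/rogue are placeholder names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# gen_keypair NAME CN: write NAME.key and a self-signed NAME.pem into $WORK.
# The key size is the LAST argument to genrsa; "genrsa 2048 -out f" does not
# write the key to f.  2048 bits is the minimum worth using for RSA today.
gen_keypair() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -subj "/CN=$2" \
        -key "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# key_matches_cert NAME: succeed only if NAME.key is the private key behind
# NAME.pem.  Public keys are compared in SPKI PEM form, so this works for any
# key type, not just RSA.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$WORK/$1.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_ca_bundle OUT NAME...: build the file given to "hfs_mount -s".  Each
# input is parsed and re-emitted by openssl, so a truncated or non-certificate
# file aborts the build instead of silently corrupting the bundle.
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    for n in "$@"; do
        openssl x509 -in "$WORK/$n.pem" >> "$out"
    done
}

# verify_against_bundle BUNDLE NAME: succeed iff a client that trusts BUNDLE
# would accept NAME.pem when presented by a server.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# Run the procedure for two servers and one tenant, then exercise the two
# failure cases an administrator most often hits: a server whose certificate
# never made it into the bundle, and a key copied next to the wrong certificate.
run_demo() {
    gen_keypair server1 server1.example
    gen_keypair server2 server2.example
    gen_keypair tenant1 tenant1
    build_ca_bundle "$WORK/all.ca" server1 server2

    key_matches_cert tenant1 || return 1
    verify_against_bundle "$WORK/all.ca" server1 || return 1
    verify_against_bundle "$WORK/all.ca" server2 || return 1

    gen_keypair rogue rogue.example
    if verify_against_bundle "$WORK/all.ca" rogue; then return 1; fi

    cp "$WORK/server2.key" "$WORK/bad.key"
    cp "$WORK/server1.pem" "$WORK/bad.pem"
    if key_matches_cert bad; then return 1; fi

    echo "all checks passed; files are in $WORK"
}

run_demo
```

After the script succeeds, $WORK/tenant1.key, $WORK/tenant1.pem and $WORK/all.ca are the three files to hand to hfs_mount via -p, -c and -s; the same key_matches_cert check is worth repeating on each server against /var/lib/hekafs/server.key and server.pem after the files have been copied into place.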
See Also
hfs_add_node(8), hfs_add_tenant(8), hfs_add_volume(8), hfs_delete_tenant(8), hfs_enable_tenant(8), hfs_list_tenants(8), hfs_list_volumes(8), hfs_mount(8), hfs_delete_volume(8), hfs_start_volume(8), hfs_stop_volume(8), hfs_update_cert(8), gluster(8), hekafsd(8)
Diagnostics
Exit status is normally 0; if an error occurs, exit status is 1.
Copyright Notice
Copyright © 2011 Red Hat, Inc.