I made a detailed tutorial for an Arch Linux installation a few days back. This is a quick follow-up post on creating a Distributed-Replicated gluster share.
The goal is to create a mirror for several Linux distributions. A mirror needs a lot of disk space, but big machines are expensive. I would also like to have a bit of redundancy. The idea is to use 4 machines, each with around 4,2TB of storage. Gluster gives us a good combination of replication and distribution, so we can use 8,4TB of storage across two machines; the rest of the free storage is used for replication.
The installation is quite easy. We need to install the rpcbind and gluster packages. I’ve got a separate partition on all machines, mounted at /glusterfs. After installing the packages we can create the share directly (do the following on any one of the nodes). Important note: do not run the probe command for the server you are currently working on (we’re on server4 in this example):
    gluster peer probe server1
    gluster peer probe server2
    gluster peer probe server3
    gluster volume create mirror replica 2 transport tcp \
        server1:/glusterfs/mirror \
        server2:/glusterfs/mirror \
        server3:/glusterfs/mirror \
        server4:/glusterfs/mirror
    gluster volume start mirror
Now we should have a working share, hooray. We can verify the peer and share state:
    gluster peer status
    gluster volume info mirror
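Gluster builds its replica sets from the order of the bricks given to gluster volume create: with replica 2, the first two bricks mirror each other, then the next two, and so on. The following is an added example, not part of the original post, that checks a brick list before the volume is created so that no replica pair ends up on a single machine. The function names replica_sets and check_layout are made up here, and bricks are assumed to be written as hostname:/path.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes bricks are written as
# hostname:/path; replica_sets and check_layout are names made up here.

# replica_sets REPLICA BRICK...
# Prints one line per replica set, e.g. "set 1: server1 server2".
replica_sets() {
    local replica n i hosts
    replica=$1; shift
    if [ "$replica" -lt 1 ] || [ $(( $# % $replica )) -ne 0 ]; then
        echo "brick count ($#) must be a multiple of replica ($replica)" >&2
        return 2
    fi
    n=1
    while [ $# -gt 0 ]; do
        hosts=""; i=0
        while [ "$i" -lt "$replica" ]; do
            hosts="$hosts ${1%%:*}"      # keep only the host part of the brick
            shift; i=$((i + 1))
        done
        echo "set $n:$hosts"
        n=$((n + 1))
    done
}

# check_layout REPLICA BRICK...
# Returns 0 if every replica set spans distinct hosts, 1 if a set keeps
# several copies on one host, 2 if the brick list itself is invalid.
check_layout() {
    local sets bad
    sets=$(replica_sets "$@") || return 2
    bad=$(printf '%s\n' "$sets" | while IFS= read -r line; do
        # uniq -d lists hosts that appear more than once in this set
        dup=$(printf '%s\n' ${line#*:} | sort | uniq -d)
        [ -z "$dup" ] || echo "$line  <- several copies on: $dup"
    done)
    [ -z "$bad" ] && return 0
    echo "$bad" >&2
    return 1
}

# Brick order from the "gluster volume create" command in this post.
check_layout 2 server1:/glusterfs/mirror server2:/glusterfs/mirror \
               server3:/glusterfs/mirror server4:/glusterfs/mirror \
    && replica_sets 2 server1:/glusterfs/mirror server2:/glusterfs/mirror \
                      server3:/glusterfs/mirror server4:/glusterfs/mirror
```

For the order used in this post the pairs are server1/server2 and server3/server4, so losing one machine of each pair still leaves a full copy of the data.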
We’re now able to mount the share via the glusterfs fuse module on any node:
    mount -t glusterfs server1:/mirror /srv/mirror
There isn’t any encryption on the gluster traffic, so we should do some firewalling. In my setup nobody except the gluster nodes themselves will mount the share. Here is an example ferm config:
    @def $node1_ipv4 = ( ipv4 );
    @def $node1_ipv6 = ( ipv6 );
    @def $node2_ipv4 = ( ipv4 );
    @def $node2_ipv6 = ( ipv6 );
    @def $node3_ipv4 = ( ipv4 );
    @def $node3_ipv6 = ( ipv6 );
    @def $node4_ipv4 = ( ipv4 );
    @def $node4_ipv6 = ( ipv6 );

    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local connections
            interface lo ACCEPT;

            # respond to ping
            proto icmp icmp-type echo-request ACCEPT;

            # allow SSH connections
            proto tcp dport ssh ACCEPT;

            # allow gluster (111 = rpcbind, 24007/24008 = management, 49152+ = bricks)
            proto tcp dport (111 24007 24008 49152 49153 49154 49155 49156 49157) saddr ( $node1_ipv4 $node2_ipv4 $node3_ipv4 $node4_ipv4 ) ACCEPT;

            # the rest is dropped by the above policy
        }

        # outgoing connections are not limited
        chain OUTPUT policy ACCEPT;

        # this is not a router
        chain FORWARD policy DROP;
    }

    domain ip6 {
        table filter {
            chain INPUT {
                policy DROP;

                # connection tracking
                mod state state INVALID DROP;
                mod state state (ESTABLISHED RELATED) ACCEPT;

                # allow local connections
                interface lo ACCEPT;

                ## respond to ping
                #proto icmp icmp-type echo-request ACCEPT;

                # allow all ICMPv6 (needed for IPv6 ND and so on);
                # in the ip6 domain the protocol is ipv6-icmp, "icmp" would only match ICMPv4
                proto ipv6-icmp ACCEPT;

                # allow SSH connections
                proto tcp dport ssh ACCEPT;

                # allow gluster (111 = rpcbind, 24007/24008 = management, 49152+ = bricks)
                proto tcp dport (111 24007 24008 49152 49153 49154 49155 49156 49157) saddr ( $node1_ipv6 $node2_ipv6 $node3_ipv6 $node4_ipv6 ) ACCEPT;

                # the rest is dropped by the above policy
            }

            # outgoing connections are not limited
            chain OUTPUT policy ACCEPT;

            # this is not a router
            chain FORWARD policy DROP;
        }
    }