DAOSGCP-99 Added support for using transport certs #37

Merged
merged 8 commits into from
May 6, 2022
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -20,6 +20,7 @@ terraform.tfvars

# Ignore terraform/examples/io500 active configuration symlink
terraform/examples/io500/config/active_config.sh
terraform/examples/io500/login

# Ignore other files
id_rsa*
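Review bot: the new `terraform/examples/io500/login` entry has no comment saying what it is, unlike the `active_config.sh` symlink entry above it; add a one-line comment stating what the login artifact is (file or directory, and why it must never be committed) so the next reader knows whether it is a credential-bearing file or just local state.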
25 changes: 13 additions & 12 deletions docs/tutorials/example_daos_cluster.md
Expand Up @@ -195,7 +195,8 @@ In order to begin using the storage you must issue a *format* command.
To format the storage run

```bash
dmg storage format
sudo dmg storage format
sudo dmg system query -v
```

To learn more see [Storage Formatting](https://docs.daos.io/latest/admin/deployment/#storage-formatting)
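Review bot: the lead-in at the top of the hunk still says "To format the storage run", but the block now also contains `sudo dmg system query -v`, which does not format anything; add a short sentence such as "then confirm every rank has joined with" before the query. Since `sudo` is now prepended to every `dmg` call in this tutorial, the doc should also say why it is required (presumably the admin transport certificate and key introduced by this PR are readable only by root), otherwise readers will run `dmg` as root without knowing what it needs root for.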
Expand All @@ -209,31 +210,31 @@ Now that the system has been formatted you can create a Pool.
First check to see how much free NVMe storage you have.

```bash
dmg storage query usage
sudo dmg storage query usage
```

This will return something like
This will return storage information for the servers.

The output looks similar to

```
Hosts SCM-Total SCM-Free SCM-Used NVMe-Total NVMe-Free NVMe-Used
----- --------- -------- -------- ---------- --------- ---------
daos-server-0001 107 GB 107 GB 0 % 3.2 TB 3.2 TB 0 %
daos-server-0001 48 GB 48 GB 0 % 1.6 TB 1.6 TB 0 %
daos-server-0002 48 GB 48 GB 0 % 1.6 TB 1.6 TB 0 %
daos-server-0003 48 GB 48 GB 0 % 1.6 TB 1.6 TB 0 %
daos-server-0004 48 GB 48 GB 0 % 1.6 TB 1.6 TB 0 %
```

> If the values in the columns are showing zeros, wait for 1-2 minutes and run the command again.
>
> Even though the `dmg storage format` command returned immediately it can sometimes take a few minutes for the storage system to be ready.
>
> You will know it's ready when you no longer see zeros in the output > from the `dmg storage query usage` command.

In the example output above there is one server with a total of 3.2TB > of free space.
In the example output above there are 4 servers with a total of 6.4TB of free space.

With that information you know you can create a 3TB pool.
With that information you know you can safely create a 6TB pool.

Create the pool.

```bash
dmg pool create -z 3TB -t 3 -u ${USER} --label=daos_pool
sudo dmg pool create -z 6TB -t 3 -u ${USER} --label=daos_pool
```

For more information about pools see
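Review bot: the numbers are consistent (4 servers at 1.6 TB each is 6.4 TB, and a 6 TB pool fits), but the unchanged context line "You will know it's ready when you no longer see zeros in the output > from the `dmg storage query usage` command." still carries a stray `> ` in mid-sentence left over from an earlier edit; since the neighbouring lines are being rewritten, drop it here. One thing worth a half-sentence in the doc: in `sudo dmg pool create -z 6TB -t 3 -u ${USER} --label=daos_pool`, `${USER}` is expanded by the calling shell before `sudo` runs, so the pool owner remains the invoking user rather than root, which is the intended behaviour and should be stated so nobody "fixes" it.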
14 changes: 14 additions & 0 deletions images/daos-client-image.pkr.hcl
Expand Up @@ -68,4 +68,18 @@ build {
]
}

provisioner "file" {
source = "./scripts/cert_gen/sm_get_ca.sh"
destination = "/tmp/"
}

provisioner "shell" {
inline = [
"sudo mkdir -p /var/daos/cert_gen",
"sudo mv /tmp/sm_get_ca.sh /var/daos/cert_gen",
"sudo chown -R root:root /var/daos/cert_gen",
"sudo chmod +x /var/daos/cert_gen/*.sh"
]
}

}
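Review bot: the shell provisioner fixes ownership to root:root but only adds execute bits with `sudo chmod +x /var/daos/cert_gen/*.sh`, leaving whatever mode the upload into the world-writable `/tmp/` staging directory produced; set an explicit mode instead (`sudo chmod 0755 /var/daos/cert_gen/*.sh`) so the CA-fetch script cannot end up group- or world-writable on the image, or collapse the move, chown and chmod into `sudo install -o root -g root -m 0755 /tmp/sm_get_ca.sh /var/daos/cert_gen/`.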
15 changes: 14 additions & 1 deletion images/daos-server-image.pkr.hcl
Expand Up @@ -59,7 +59,7 @@ build {
sources = ["source.googlecompute.daos-server-centos-7"]

provisioner "shell" {
environment_vars = ["DAOS_REPO_BASE_URL=${var.daos_repo_base_url}", "DAOS_VERSION=${var.daos_version}", "DAOS_INSTALL_TYPE=server"]
environment_vars = ["DAOS_REPO_BASE_URL=${var.daos_repo_base_url}", "DAOS_VERSION=${var.daos_version}", "DAOS_INSTALL_TYPE=all"]
execute_command = "echo 'packer' | sudo -S env {{ .Vars }} {{ .Path }}"
pause_before = "5s"
scripts = [
Expand All @@ -68,4 +68,17 @@ build {
]
}
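Review bot: changing `DAOS_INSTALL_TYPE` from `server` to `all` installs the client packages on the server image too, which enlarges the image and its attack surface; the commit is about transport certificates, so state in a comment next to the variable (or in the PR description) which client-side component the server image now needs (agent, `dmg`, or the cert tooling) rather than leaving the widening implicit.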

provisioner "file" {
source = "./scripts/cert_gen"
destination = "/tmp/"
}

provisioner "shell" {
inline = [
"sudo mkdir -p /var/daos/",
"sudo mv /tmp/cert_gen /var/daos/",
"sudo chown -R root:root /var/daos/cert_gen",
"sudo chmod +x /var/daos/cert_gen/*.sh"
]
}
}
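Review bot: the server image receives the whole `cert_gen` tree, including `ca.cnf`, so every server carries the tooling to act as the cluster CA if it ever holds the CA key; if the intent is that one node generates the CA and the rest only receive certificates, document that here. As in the client image, prefer explicit modes over `chmod +x`: `sudo chmod 0755 /var/daos/cert_gen/*.sh` for the scripts and leave the `.cnf` files at 0644.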
15 changes: 15 additions & 0 deletions images/scripts/cert_gen/SConscript
@@ -0,0 +1,15 @@
"""Build DAOS Certificate Generation"""
import os

def scons():
"""Execute build"""
Import('env')

env.Install("$PREFIX/lib64/daos/certgen", ['admin.cnf',
'agent.cnf',
'ca.cnf',
'server.cnf',
'gen_certificates.sh'])

if __name__ == "SCons.Script":
scons()
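Review bot: this SConscript installs to `$PREFIX/lib64/daos/certgen`, a path nothing in the Packer provisioners uses (they copy the directory to `/var/daos/cert_gen`), it lists `gen_certificates.sh`, which does not appear among the files shown in this diff, and `import os` is unused; either drop the file or add a header comment saying it is carried over from upstream DAOS and is not part of the image build.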
12 changes: 12 additions & 0 deletions images/scripts/cert_gen/admin.cnf
@@ -0,0 +1,12 @@
# OpenSSL client configuration file
[ req ]
prompt=no
distinguished_name = distinguished_name
basicConstraints = CA:FALSE

[ distinguished_name ]
organizationName = DAOS
commonName = admin

#In the future we can do username based certs for login
#commonName = <username>
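Review bot: `basicConstraints = CA:FALSE` sits in the `[ req ]` section, where OpenSSL does not read it (it is not a `req` option), so it has no effect on either the CSR or the issued certificate; either move it into a section referenced by `req_extensions`, or, better, have the CA assert it at signing time in `ca.cnf`.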
15 changes: 15 additions & 0 deletions images/scripts/cert_gen/agent.cnf
@@ -0,0 +1,15 @@
[ req ]
prompt=no
distinguished_name = distinguished_name
basicConstraints = CA:FALSE
#uncomment if you want to use per agent certificates
#req_extensions = extensions

[ distinguished_name ]
organizationName = DAOS
# Required value for commonName, do not change.
commonName = agent

[ extensions ]
#uncomment if you want to use per agent certificates
#subjectAltName = DNS:<node-hostname>,DNS:<node-domain>,IP:<IP Address>
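Review bot: same misplaced `basicConstraints` as in admin.cnf (in `[ req ]` it is ignored). The commented SAN template `DNS:<node-hostname>,DNS:<node-domain>,IP:<IP Address>` will be rejected by OpenSSL if uncommented verbatim because of the angle brackets and the space in `IP Address`, so the comment should say the placeholders must be replaced wholesale; and because `ca.cnf` uses `copy_extensions = copy`, whatever SAN is put here is copied into the certificate without further checking by the CA.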
50 changes: 50 additions & 0 deletions images/scripts/cert_gen/ca.cnf
@@ -0,0 +1,50 @@
[ ca ]
default_ca = CA_daos

[ CA_daos ]
dir = ./daosCA
certs = $dir/certs
database = $dir/index.txt
serial = $dir/serial.txt

# Key and Certificate for the root
certificate = $dir/daosCA.crt
private_key = $dir/private/daosCA.key

default_md = sha512 # SAFE Crypto Requires SHA-512
default_days = 1095 # how long to certify for
copy_extensions = copy
unique_subject = no

[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext

[ ca_dn ]
organizationName = DAOS
commonName = DAOS CA

[ ca_ext ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1

[ signing_policy ]
organizationName = supplied
commonName = supplied

[ signing_agent ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

[ signing_server ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ signing_admin ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

[ signing_test ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
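Review bot: none of the `signing_*` extension sections sets `basicConstraints`, so issued leaf certificates carry no `CA:FALSE` assertion even though the leaf `.cnf` files attempt (ineffectively) to declare it; add `basicConstraints = critical,CA:FALSE` to each `signing_*` section. Two smaller points in `[ ca_ext ]`: the root's `keyUsage` includes `keyEncipherment` and `nonRepudiation`, which a signing-only CA does not need (`keyCertSign`, plus `cRLSign` if revocation is ever used, is the usual minimal set), and `pathlen:1` permits an intermediate that this layout never creates (`pathlen:0` is tighter). `unique_subject = no` and `copy_extensions = copy` are needed here because every agent shares `commonName = agent` and per-agent SANs come from the CSR, but `copy_extensions = copy` means the CA trusts requester-supplied extensions, which is only acceptable while CSRs and the CA key are generated on the same host by the same script; a comment to that effect would stop the setting being reused in a split deployment.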