Configure allowed and rejected IP addresses for the GlusterFS volumes

Note

This feature is available starting from the MCP 2019.2.4 maintenance update. Before enabling the feature, follow the steps described in Apply maintenance updates.

This section describes how to configure the list of allowed and rejected IP addresses for the GlusterFS volumes.

By default, MCP restricts access to all preconfigured GlusterFS volumes to the control network.

To configure the GlusterFS authentication:

  1. Log in to the Salt Master node.

  2. Open your project Git repository with the Reclass model on the cluster level.

  3. In the infra/glusterfs.yml file, configure the GlusterFS authentication depending on the needs of your MCP deployment:

    • To adjust the list of allowed and rejected IP addresses on all preconfigured GlusterFS volumes, define the glusterfs_allow_ips and glusterfs_reject_ips parameters as required:

      parameters:
        _param:
          glusterfs_allow_ips: <comma-separated list of IPs>
          glusterfs_reject_ips: <comma-separated list of IPs>
      

      Note

      You can use the * wildcard to specify IP ranges.

      Configuration example:

      parameters:
        _param:
          glusterfs_allow_ips: 10.0.0.1, 192.168.1.*
          glusterfs_reject_ips: 192.168.1.201
      

      The configuration above allows access to all GlusterFS volumes from 10.0.0.1 and from all IP addresses in the 192.168.1.0/24 network except for 192.168.1.201.

    • To change the allowed and rejected IP addresses for a single volume:

      parameters:
        glusterfs:
          server:
            volumes:
              <volume_name>:
                options:
                  auth.allow: <comma-separated_list_of_IPs>
                  auth.reject: <comma-separated_list_of_IPs>
      
    • To apply the same access control lists (ACLs) that are used on all preconfigured GlusterFS volumes to a custom GlusterFS volume, define the auth.allow and auth.reject options for the targeted volume as follows:

      auth.allow: ${_param:glusterfs_allow_ips}
      auth.reject: ${_param:glusterfs_reject_ips}
      
  4. Apply the changes:

    salt -I 'glusterfs:server:role:primary' state.apply glusterfs
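
A pre-apply check for the allow and reject lists, as an added example that is not part of the MCP documentation or the GlusterFS code. It assumes that * behaves as a glob-style wildcard over the address string and, as in the configuration example above, that a reject match overrides an allow match; parse_acl, matches, is_allowed and lint_acl are hypothetical helper names.

```python
import ipaddress
from fnmatch import fnmatchcase

# Values from the configuration example on this page.
ALLOW = "10.0.0.1, 192.168.1.*"
REJECT = "192.168.1.201"

def parse_acl(value):
    """Split a comma-separated ACL value into stripped, non-empty patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]

def matches(client_ip, patterns):
    """Assumption: '*' is a glob-style wildcard over the address string."""
    return any(fnmatchcase(client_ip, p) for p in patterns)

def is_allowed(client_ip, allow=ALLOW, reject=REJECT):
    """A reject match wins; otherwise the client needs an allow match."""
    if matches(client_ip, parse_acl(reject)):
        return False
    return matches(client_ip, parse_acl(allow))

def lint_acl(allow, reject):
    """Return warnings for entries that are probably mistakes."""
    warnings = []
    allow_p, reject_p = parse_acl(allow), parse_acl(reject)
    for p in allow_p + reject_p:
        if "*" not in p:
            try:
                ipaddress.ip_address(p)  # literal entries must be real addresses
            except ValueError:
                warnings.append(f"{p}: not a valid IP address")
        elif any("*" in o and o != "*" for o in p.split(".")):
            warnings.append(f"{p}: wildcard is not a whole octet, may match more than intended")
    if "*" in allow_p:
        warnings.append("allow list admits every address")
    for p in reject_p:
        if "*" not in p and not matches(p, allow_p):
            warnings.append(f"{p}: rejected but never allowed (redundant or typo)")
    return warnings

if __name__ == "__main__":
    for ip in ("10.0.0.1", "192.168.1.50", "192.168.1.201", "10.0.0.2"):
        print(ip, "allowed" if is_allowed(ip) else "denied")
    print(lint_acl("192.168.1*", "10.9.9.9"))
```

Under the glob assumption, a pattern such as 192.168.1* also admits 192.168.10.x and 192.168.100.x clients, which is why the lint flags a wildcard that does not replace a whole octet.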