GlusterFS libgfapi with TLS

[lejeczek]

On 01/04/2021 16:13, Peter Krempa wrote:
> On Thu, Apr 01, 2021 at 15:13:02 +0100, lejeczek wrote:
>> Hi guys.
>>
>> I have KVM guests stored on glusterFS volume and I recently added TLS
>> encryption to Gluster.
>> What changes, tweaks are required at libvirtd/qemu's end?
> Looking at the definition of the gluster backend object in qemu:
>
> <cite>
> ##
> # @BlockdevOptionsGluster:
> #
> # Driver specific block device options for Gluster
> #
> # @volume: name of gluster volume where VM image resides
> #
> # @path: absolute path to image file in gluster volume
> #
> # @server: gluster servers description
> #
> # @debug: libgfapi log level (default '4' which is Error)
> #         (Since 2.8)
> #
> # @logfile: libgfapi log file (default /dev/stderr) (Since 2.8)
> #
> # Since: 2.9
> ##
> { 'struct': 'BlockdevOptionsGluster',
>    'data': { 'volume': 'str',
>              'path': 'str',
>              'server': ['SocketAddress'],
>              '*debug': 'int',
>              '*logfile': 'str' } }
>
> </cite>
>
> it doesn't seem to yet support TLS encryption of the transport or a way
> to set it in a non-implicit way (it still might be possible to trick
> libgfapi to support it via a config file or such).
>
> That means you'll probably need to submit qemu patches implementing the
> support for configuring TLS for gluster to qemu first, and then do the
> same for libvirt.
>
> Libvirt already has some infrastructure for that for NBD and VXHS disks,
> so you can then take inspiration there when implementing it in libvirt.
>
Ah, not me, no chance, I wish I could help but being a 
regular admin I'd have to change profession.
I think, looking at it now, I should rephrase the issue to - 
GlusterFS with TLS & libvirt/qemu with libgfapi'
I'll keep my fingers crossed devel will give this parts of 
security higher priority and needed improvements, 
enhancements will land in soon.
many thanks, L.