2012-09-11 16:34:54 +05:30
dnl Copyright (c) 2006-2012 Red Hat, Inc. <http://www.redhat.com>
2012-08-27 16:48:55 +05:30
dnl This file is part of GlusterFS.
2009-02-18 17:36:07 +05:30
dnl
2012-08-27 16:48:55 +05:30
dnl This file is licensed to you under your choice of the GNU Lesser
dnl General Public License, version 3 or any later version (LGPLv3 or
dnl later), or the GNU General Public License, version 2 (GPLv2), in all
dnl cases as published by the Free Software Foundation.
2009-02-18 17:36:07 +05:30
2014-02-27 12:39:43 +05:30
AC_INIT([glusterfs],
2014-06-29 18:56:44 -07:00
[m4_esyscmd([build-aux/pkg-version --version])],
[gluster-users@gluster.org],,[https://github.com/gluster/glusterfs.git])
2014-02-27 12:39:43 +05:30
AC_SUBST([PACKAGE_RELEASE],
[m4_esyscmd([build-aux/pkg-version --release])])
2009-02-18 17:36:07 +05:30
AM_INIT_AUTOMAKE
2014-06-29 18:56:44 -07:00
2014-04-17 15:54:34 -07:00
# Removes warnings when using automake 1.14 around (...but option 'subdir-objects' is disabled )
#but libglusterfs fails to build with contrib (Then are not set up that way?)
#AM_INIT_AUTOMAKE([subdir-objects])
2009-02-18 17:36:07 +05:30
2011-07-26 17:23:27 +03:00
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES(yes)])
2011-08-05 14:04:43 +05:30
if make --help 2>&1 | grep -q no-print-directory; then
2011-08-05 14:52:01 +05:30
AM_MAKEFLAGS="$AM_MAKEFLAGS --no-print-directory";
fi
if make --help 2>&1 | grep -q quiet; then
AM_MAKEFLAGS="$AM_MAKEFLAGS --quiet"
fi
if libtool --help 2>&1 | grep -q quiet; then
AM_LIBTOOLFLAGS="--quiet";
2011-08-05 14:04:43 +05:30
fi
2013-01-08 11:20:14 +05:30
AC_CONFIG_HEADERS([config.h])
2009-02-18 17:36:07 +05:30
AC_CONFIG_FILES([Makefile
2013-06-17 13:44:10 -04:00
libglusterfs/Makefile
libglusterfs/src/Makefile
2015-02-18 19:45:23 +05:30
libglusterfs/src/gfdb/Makefile
2013-06-01 16:17:57 +05:30
geo-replication/src/peer_gsec_create
geo-rep: mountbroker user management
Non root geo-replication setup is now simplified. This
patch provides cli for mountbroker user and options management
To set Options,
gluster system:: execute mountbroker opt <KEY> <VALUE>
# for example,
gluster system:: execute mountbroker opt mountbroker-root /var/mountbroker-root
gluster system:: execute mountbroker opt geo-replication-log-group geogroup
gluster system:: execute mountbroker opt rpc-auth-allow-insecure on
To remove option,
gluster system:: execute mountbroker optdel <KEY>
# for example,
gluster system:: execute mountbroker optdel geo-replication-log-group
To add/edit user,
gluster system:: execute mountbroker user <USERNAME> <VOLUMES>
# for example
gluster system:: execute mountbroker user geoaccount slavevol1,slavevol2
To remove user,
gluster system:: execute mountbroker userdel <USERNAME>
# for example
gluster system:: execute mountbroker userdel geoaccount
For info,
gluster system:: execute mountbroker info
gluster system:: execute mountbroker -j info
For JSON output add -j after mountbroker, for example,
gluster system:: execute mountbroker -j user geoaccount slavevol1,slavevol2
PS: Each peer prints its own JSON output, aggregator required from consumer side
BUG: 1136312
Change-Id: Ie52210c0bcc91ac2ffd3ba58988222ffca62b47f
Signed-off-by: Aravinda VK <avishwan@redhat.com>
Reviewed-on: http://review.gluster.org/9398
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: darshan n <dnarayan@redhat.com>
Reviewed-by: Kotresh HR <khiremat@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2015-01-06 18:20:45 +05:30
geo-replication/src/peer_mountbroker
2015-02-18 19:07:23 +05:30
extras/peer_add_secret_pub
2014-06-29 18:56:44 -07:00
geo-replication/syncdaemon/configinterface.py
2013-06-17 13:44:10 -04:00
glusterfsd/Makefile
glusterfsd/src/Makefile
2010-06-28 02:49:46 +00:00
rpc/Makefile
rpc/rpc-lib/Makefile
rpc/rpc-lib/src/Makefile
rpc/rpc-transport/Makefile
rpc/rpc-transport/socket/Makefile
rpc/rpc-transport/socket/src/Makefile
2010-08-30 08:03:52 +00:00
rpc/rpc-transport/rdma/Makefile
rpc/rpc-transport/rdma/src/Makefile
2010-07-14 16:26:17 +00:00
rpc/xdr/Makefile
rpc/xdr/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/Makefile
2014-06-29 18:56:44 -07:00
xlators/meta/Makefile
xlators/meta/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/mount/Makefile
xlators/mount/fuse/Makefile
xlators/mount/fuse/src/Makefile
xlators/mount/fuse/utils/mount.glusterfs
xlators/mount/fuse/utils/mount_glusterfs
xlators/mount/fuse/utils/Makefile
xlators/storage/Makefile
xlators/storage/posix/Makefile
xlators/storage/posix/src/Makefile
2013-11-13 22:44:42 +05:30
xlators/storage/bd/Makefile
xlators/storage/bd/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/cluster/Makefile
xlators/cluster/afr/Makefile
xlators/cluster/afr/src/Makefile
xlators/cluster/stripe/Makefile
xlators/cluster/stripe/src/Makefile
xlators/cluster/dht/Makefile
xlators/cluster/dht/src/Makefile
2014-05-05 12:57:34 +02:00
xlators/cluster/ec/Makefile
xlators/cluster/ec/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/performance/Makefile
xlators/performance/write-behind/Makefile
xlators/performance/write-behind/src/Makefile
xlators/performance/read-ahead/Makefile
xlators/performance/read-ahead/src/Makefile
2013-07-02 10:47:00 -04:00
xlators/performance/readdir-ahead/Makefile
xlators/performance/readdir-ahead/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/performance/io-threads/Makefile
xlators/performance/io-threads/src/Makefile
xlators/performance/io-cache/Makefile
xlators/performance/io-cache/src/Makefile
xlators/performance/symlink-cache/Makefile
xlators/performance/symlink-cache/src/Makefile
xlators/performance/quick-read/Makefile
xlators/performance/quick-read/src/Makefile
xlators/performance/open-behind/Makefile
xlators/performance/open-behind/src/Makefile
2011-09-24 16:14:11 +05:30
xlators/performance/md-cache/Makefile
xlators/performance/md-cache/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/debug/Makefile
xlators/debug/trace/Makefile
xlators/debug/trace/src/Makefile
xlators/debug/error-gen/Makefile
xlators/debug/error-gen/src/Makefile
xlators/debug/io-stats/Makefile
xlators/debug/io-stats/src/Makefile
xlators/protocol/Makefile
xlators/protocol/auth/Makefile
xlators/protocol/auth/addr/Makefile
xlators/protocol/auth/addr/src/Makefile
xlators/protocol/auth/login/Makefile
xlators/protocol/auth/login/src/Makefile
xlators/protocol/client/Makefile
xlators/protocol/client/src/Makefile
xlators/protocol/server/Makefile
xlators/protocol/server/src/Makefile
xlators/features/Makefile
2014-04-17 15:54:34 -07:00
xlators/features/changelog/Makefile
xlators/features/changelog/src/Makefile
xlators/features/changelog/lib/Makefile
xlators/features/changelog/lib/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/features/glupy/Makefile
2014-03-21 20:13:16 +00:00
xlators/features/glupy/examples/Makefile
2013-06-17 13:44:10 -04:00
xlators/features/glupy/src/Makefile
2014-03-21 20:13:16 +00:00
xlators/features/glupy/src/setup.py
2014-05-29 11:04:56 +05:30
xlators/features/glupy/src/__init__.py
2013-06-17 13:44:10 -04:00
xlators/features/locks/Makefile
xlators/features/locks/src/Makefile
xlators/features/quota/Makefile
xlators/features/quota/src/Makefile
2011-01-27 05:23:31 +00:00
xlators/features/marker/Makefile
xlators/features/marker/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/features/read-only/Makefile
xlators/features/read-only/src/Makefile
2012-03-26 14:33:41 +05:30
xlators/features/compress/Makefile
xlators/features/compress/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/features/mac-compat/Makefile
xlators/features/mac-compat/src/Makefile
xlators/features/quiesce/Makefile
xlators/features/quiesce/src/Makefile
2014-02-05 13:02:34 +05:30
xlators/features/barrier/Makefile
xlators/features/barrier/src/Makefile
2015-03-18 11:33:50 +05:30
xlators/features/ganesha/Makefile
xlators/features/ganesha/src/Makefile
2012-02-02 19:14:28 +05:30
xlators/features/index/Makefile
xlators/features/index/src/Makefile
2013-06-17 13:44:10 -04:00
xlators/features/protect/Makefile
xlators/features/protect/src/Makefile
2013-07-31 22:57:12 +05:30
xlators/features/gfid-access/Makefile
xlators/features/gfid-access/src/Makefile
2015-02-27 15:14:08 +05:30
xlators/features/trash/Makefile
xlators/features/trash/src/Makefile
2014-05-07 20:13:43 +05:30
xlators/features/snapview-server/Makefile
xlators/features/snapview-server/src/Makefile
xlators/features/snapview-client/Makefile
xlators/features/snapview-client/src/Makefile
2015-02-15 23:35:56 +05:30
xlators/features/upcall/Makefile
xlators/features/upcall/src/Makefile
2013-03-01 16:18:26 +05:30
xlators/playground/Makefile
2013-06-17 13:44:10 -04:00
xlators/playground/template/Makefile
xlators/playground/template/src/Makefile
xlators/encryption/Makefile
xlators/encryption/rot-13/Makefile
xlators/encryption/rot-13/src/Makefile
Transparent data encryption and metadata authentication
.. in the systems with non-trusted server
This new functionality can be useful in various cloud technologies.
It is implemented via a special encryption/crypt translator, which
works on the client side and performs encryption and authentication;
1. Class of supported algorithms
The crypt translator can support any atomic symmetric block cipher
algorithms (which require to pad plain/cipher text before performing
encryption/decryption transform (see glossary in atom.c for
definitions). In particular, it can support algorithms with the EOF
issue (which require to pad the end of file by extra-data).
Crypt translator performs translations
user -> (offset, size) -> (aligned-offset, padded-size) -> server
(and backward), and resolves individual FOPs (write(), truncate(),
etc) to read-modify-write sequences.
A volume can contain files encrypted by different algorithms of the
mentioned class. To change some option value just reconfigure the
volume.
Currently only one algorithm is supported: AES_XTS.
Example of algorithms, which can not be supported by the crypt
translator:
1. Asymmetric block cipher algorithms, which inflate data, e.g. RSA;
2. Symmetric block cipher algorithms with inline MACs for data
authentication.
2. Implementation notes.
a) Atomic algorithms
Since any process in a stackable file system manipulates with local
data (which can be obsoleted by local data of another process), any
atomic cipher algorithm without proper support can lead to non-POSIX
behavior. To resolve the "collisions" we introduce locks: before
performing FOP->read(), FOP->write(), etc. the process should first
lock the file.
b) Algorithms with EOF issue
Such algorithms require to pad the end of file with some extra-data.
Without proper support this will result in losing information about
real file size. Keeping a track of real file size is a responsibility
of the crypt translator. A special extended attribute with the name
"trusted.glusterfs.crypt.att.size" is used for this purpose. All files
contained in bricks of encrypted volume do have "padded" sizes.
3. Non-trusted servers and
Metadata authentication
We assume that server, where user's data is stored on is non-trusted.
It means that the server can be subjected to various attacks directed
to reveal user's encrypted personal data. We provide protection
against such attacks.
Every encrypted file has specific private attributes (cipher algorithm
id, atom size, etc), which are packed to a string (so-called "format
string") and stored as a special extended attribute with the name
"trusted.glusterfs.crypt.att.cfmt". We protect the string from
tampering. This protection is mandatory, hardcoded and is always on.
Without such protection various attacks (based on extending the scope
of per-file secret keys) are possible.
Our authentication method has been developed in tight collaboration
with Red Hat security team and is implemented as "metadata loader of
version 1" (see file metadata.c). This method is NIST-compliant and is
based on checking 8-byte per-hardlink MACs created(updated) by
FOP->create(), FOP->link(), FOP->unlink(), FOP->rename() by the
following unique entities:
. file (hardlink) name;
. verified file's object id (gfid).
Every time, before manipulating with a file, we check its MACs at
FOP->open() time. Some FOPs don't require a file to be opened (e.g.
FOP->truncate()). In such cases the crypt translator opens the file
mandatory.
4. Generating keys
Unique per-file keys are derived by NIST-compliant methods from the
a) parent key;
b) unique verified object-id of the file (gfid);
Per-volume master key, provided by user at mount time is in the root
of this "tree of keys".
Those keys are used to:
1) encrypt/decrypt file data;
2) encrypt/decrypt file metadata;
3) create per-file and per-link MACs for metadata authentication.
5. Instructions
Getting started with crypt translator
Example:
1) Create a volume "myvol" and enable encryption:
# gluster volume create myvol pepelac:/vols/xvol
# gluster volume set myvol encryption on
2) Set location (absolute pathname) of your master key:
# gluster volume set myvol encryption.master-key /home/me/mykey
3) Set other options to override default options, if needed.
Start the volume.
4) On the client side make sure that the file /home/me/mykey exists
and contains proper per-volume master key (that is 256-bit AES
key). This key has to be in hex form, i.e. should be represented
by 64 symbols from the set {'0', ..., '9', 'a', ..., 'f'}.
The key should start at the beginning of the file. All symbols at
offsets >= 64 are ignored.
5) Mount the volume "myvol" on the client side:
# glusterfs --volfile-server=pepelac --volfile-id=myvol /mnt
After successful mount the file which contains master key may be
removed. NOTE: Keeping the master key between mount sessions is in
user's competence.
**********************************************************************
WARNING! Losing the master key will make content of all regular files
inaccessible. Mount with improper master key allows to access content
of directories: file names are not encrypted.
**********************************************************************
6. Options of crypt translator
1) "master-key": specifies location (absolute pathname) of the file
which contains per-volume master key. There is no default location
for master key.
2) "data-key-size": specifies size of per-file key for data encryption
Possible values:
. "256" default value
. "512"
3) "block-size": specifies atom size. Possible values:
. "512"
. "1024"
. "2048"
. "4096" default value;
7. Test cases
Any workload, which involves the following file operations:
->create();
->open();
->readv();
->writev();
->truncate();
->ftruncate();
->link();
->unlink();
->rename();
->readdirp().
8. TODOs:
1) Currently size of IOs issued by crypt translator is restricted
by block_size (4K by default). We can use larger IOs to improve
performance.
Change-Id: I2601fe95c5c4dc5b22308a53d0cbdc071d5e5cee
BUG: 1030058
Signed-off-by: Edward Shishkin <edward@redhat.com>
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.org/4667
Tested-by: Gluster Build System <jenkins@build.gluster.com>
2013-03-13 21:56:46 +01:00
xlators/encryption/crypt/Makefile
xlators/encryption/crypt/src/Makefile
2014-04-17 15:54:34 -07:00
xlators/features/qemu-block/Makefile
xlators/features/qemu-block/src/Makefile
2011-07-01 17:18:10 +00:00
xlators/system/Makefile
xlators/system/posix-acl/Makefile
xlators/system/posix-acl/src/Makefile
2013-05-14 16:07:03 -04:00
xlators/nfs/Makefile
xlators/nfs/server/Makefile
xlators/nfs/server/src/Makefile
xlators/mgmt/Makefile
xlators/mgmt/glusterd/Makefile
xlators/mgmt/glusterd/src/Makefile
2010-07-08 08:16:13 +00:00
cli/Makefile
cli/src/Makefile
2013-06-17 13:44:10 -04:00
doc/Makefile
extras/Makefile
2014-06-29 18:56:44 -07:00
extras/glusterd.vol
2013-06-17 13:44:10 -04:00
extras/init.d/Makefile
extras/init.d/glusterd.plist
2010-09-13 03:40:16 +00:00
extras/init.d/glusterd-Debian
extras/init.d/glusterd-Redhat
2014-06-21 02:00:23 -07:00
extras/init.d/glusterd-FreeBSD
2010-09-13 03:40:16 +00:00
extras/init.d/glusterd-SuSE
2015-03-17 09:27:05 -04:00
extras/ganesha/Makefile
extras/ganesha/config/Makefile
extras/ganesha/scripts/Makefile
extras/ganesha/ocf/Makefile
2013-06-17 13:44:10 -04:00
extras/systemd/Makefile
extras/systemd/glusterd.service
2015-01-16 13:48:49 +01:00
extras/run-gluster.tmpfiles
2013-06-17 13:44:10 -04:00
extras/benchmarking/Makefile
2012-04-23 13:22:42 +05:30
extras/hook-scripts/Makefile
2013-06-17 13:44:10 -04:00
extras/ocf/Makefile
extras/ocf/glusterd
extras/ocf/volume
extras/LinuxRPM/Makefile
2013-06-01 16:17:57 +05:30
extras/geo-rep/Makefile
2013-10-15 17:25:51 +05:30
extras/hook-scripts/add-brick/Makefile
extras/hook-scripts/add-brick/pre/Makefile
extras/hook-scripts/add-brick/post/Makefile
2014-03-06 19:09:13 +05:30
extras/hook-scripts/start/Makefile
extras/hook-scripts/start/post/Makefile
extras/hook-scripts/set/Makefile
extras/hook-scripts/set/post/Makefile
extras/hook-scripts/stop/Makefile
extras/hook-scripts/stop/pre/Makefile
2014-03-24 13:58:38 +05:30
extras/hook-scripts/reset/Makefile
extras/hook-scripts/reset/post/Makefile
extras/hook-scripts/reset/pre/Makefile
2015-02-09 18:03:20 +05:30
extras/snap_scheduler/Makefile
2013-06-17 13:44:10 -04:00
contrib/fuse-util/Makefile
2014-09-21 13:57:47 +02:00
contrib/umountd/Makefile
2013-06-17 13:44:10 -04:00
contrib/uuid/uuid_types.h
glusterfs-api.pc
2013-06-04 14:20:58 +05:30
libgfchangelog.pc
2015-02-18 19:45:23 +05:30
libgfdb.pc
2013-06-17 13:44:10 -04:00
api/Makefile
api/src/Makefile
2013-09-30 09:05:14 +02:00
api/examples/Makefile
2014-04-17 15:54:34 -07:00
geo-replication/Makefile
geo-replication/src/Makefile
geo-replication/syncdaemon/Makefile
2015-01-29 15:53:19 +05:30
tools/Makefile
tools/gfind_missing_files/Makefile
2013-12-15 08:05:04 +05:30
heal/Makefile
heal/src/Makefile
2015-02-18 19:07:23 +05:30
glusterfs.spec
tools/glusterfind/src/tool.conf
tools/glusterfind/glusterfind
tools/glusterfind/Makefile
tools/glusterfind/src/Makefile])
2009-02-18 17:36:07 +05:30
AC_CANONICAL_HOST
AC_PROG_CC
2012-10-03 09:30:27 -04:00
AC_DISABLE_STATIC
2009-02-18 17:36:07 +05:30
AC_PROG_LIBTOOL
2014-10-29 20:35:10 +01:00
AC_SUBST([shrext_cmds])
2009-02-18 17:36:07 +05:30
2014-04-22 13:27:35 -07:00
AC_CHECK_PROG([RPCGEN], [rpcgen], [yes], [no])
if test "x$RPCGEN" = "xno"; then
AC_MSG_ERROR([`rpcgen` not found, glusterfs needs `rpcgen` exiting..])
fi
2014-03-26 16:55:12 -07:00
2014-02-09 21:57:45 -05:00
# Initialize CFLAGS before usage
AC_ARG_ENABLE([debug],
AC_HELP_STRING([--enable-debug],
[Enable debug build options.]))
if test "x$enable_debug" = "xyes"; then
BUILD_DEBUG=yes
2014-02-18 15:44:56 +05:30
CFLAGS="${CFLAGS} -g -O0 -DDEBUG"
2014-02-09 21:57:45 -05:00
else
BUILD_DEBUG=no
2014-02-18 15:44:56 +05:30
CFLAGS="${CFLAGS} -g -O2"
2014-02-09 21:57:45 -05:00
fi
2014-05-04 01:04:11 -07:00
case $host_os in
darwin*)
if ! test "`/usr/bin/sw_vers | grep ProductVersion: | cut -f 2 | cut -d. -f2`" -ge 7; then
AC_MSG_ERROR([You need at least OS X 10.7 (Lion) to build Glusterfs])
fi
# OSX version lesser than 9 has llvm/clang optimization issues which leads to various segfaults
if test "`/usr/bin/sw_vers | grep ProductVersion: | cut -f 2 | cut -d. -f2`" -lt 9; then
CFLAGS="${CFLAGS} -g -O0 -DDEBUG"
fi
;;
esac
2014-07-08 15:36:45 +02:00
AC_ARG_WITH([previous-options],
[AS_HELP_STRING([--with-previous-options],
[read config.status for configure options])
],
[ if test -r ./config.status && \
args=$(grep 'ac_cs_config=' config.status | \
sed -e 's/.*"\(.*\)".*/\1/'| sed -e "s/'//g") ; then
echo "###"
echo "### Rerunning as '$0 $args'"
echo "###"
exec $0 $args
fi
])
2012-07-12 15:51:41 -07:00
AC_ARG_WITH(pkgconfigdir,
[ --with-pkgconfigdir=DIR pkgconfig file in DIR @<:@LIBDIR/pkgconfig@:>@],
[pkgconfigdir=$withval],
[pkgconfigdir='${libdir}/pkgconfig'])
AC_SUBST(pkgconfigdir)
2009-03-25 02:19:14 +01:00
AC_ARG_WITH(mountutildir,
[ --with-mountutildir=DIR mount helper utility in DIR @<:@/sbin@:>@],
[mountutildir=$withval],
[mountutildir='/sbin'])
AC_SUBST(mountutildir)
2013-06-17 13:44:10 -04:00
AC_ARG_WITH(systemddir,
[ --with-systemddir=DIR systemd service files in DIR @<:@/usr/lib/systemd/system@:>@],
[systemddir=$withval],
[systemddir='/usr/lib/systemd/system'])
AC_SUBST(systemddir)
2009-10-27 05:52:16 -07:00
AC_ARG_WITH(initdir,
[ --with-initdir=DIR init.d scripts in DIR @<:@/etc/init.d@:>@],
[initdir=$withval],
[initdir='/etc/init.d'])
AC_SUBST(initdir)
2010-05-28 07:00:42 +00:00
AC_ARG_WITH(launchddir,
[ --with-launchddir=DIR launchd services in DIR @<:@/Library/LaunchDaemons@:>@],
[launchddir=$withval],
[launchddir='/Library/LaunchDaemons'])
AC_SUBST(launchddir)
2015-01-16 13:48:49 +01:00
AC_ARG_WITH(tmpfilesdir,
AC_HELP_STRING([--with-tmpfilesdir=DIR],
[tmpfiles config in DIR, disabled by default]),
[tmpfilesdir=$withval],
[tmpfilesdir=''])
AC_SUBST(tmpfilesdir)
2012-02-20 16:25:43 +01:00
AC_ARG_WITH([ocf],
2012-11-06 10:13:07 +01:00
[AS_HELP_STRING([--without-ocf], [build OCF-compliant cluster resource agents])],
2012-02-20 16:25:43 +01:00
,
2012-11-06 10:13:07 +01:00
[OCF_SUBDIR='ocf'],
)
AC_SUBST(OCF_SUBDIR)
2012-02-20 16:25:43 +01:00
2009-02-18 17:36:07 +05:30
# LEX needs a check
AC_PROG_LEX
if test "x${LEX}" != "xflex" -a "x${LEX}" != "xlex"; then
AC_MSG_ERROR([Flex or lex required to build glusterfs.])
fi
2011-11-29 15:20:48 -08:00
dnl
dnl Word sizes...
dnl
AC_CHECK_SIZEOF(short)
AC_CHECK_SIZEOF(int)
AC_CHECK_SIZEOF(long)
AC_CHECK_SIZEOF(long long)
SIZEOF_SHORT=$ac_cv_sizeof_short
SIZEOF_INT=$ac_cv_sizeof_int
SIZEOF_LONG=$ac_cv_sizeof_long
SIZEOF_LONG_LONG=$ac_cv_sizeof_long_long
AC_SUBST(SIZEOF_SHORT)
AC_SUBST(SIZEOF_INT)
AC_SUBST(SIZEOF_LONG)
AC_SUBST(SIZEOF_LONG_LONG)
2009-02-18 17:36:07 +05:30
# YACC needs a check
AC_PROG_YACC
if test "x${YACC}" = "xbyacc" -o "x${YACC}" = "xyacc" -o "x${YACC}" = "x"; then
AC_MSG_ERROR([GNU Bison required to build glusterfs.])
fi
AC_CHECK_TOOL([LD],[ld])
Replace GPLV3 MD5 with OpenSSL MD5
Ric asked me to look at replacing the GPL licensed MD5 code with
something better, i.e. perhaps faster, and with a less restrictive
license, etc. So I took a couple hour holiday from working on
wrapping up the client_t and did this.
OpenSSL (nee SSLeay) is released under the OpenSSL license, a BSD/MIT
style license. OpenSSL (libcrypto.so) is used on Linux, OS X and *BSD,
Open Solaris, etc. IOW it's universally available on the platforms we
care about. It's written by Eric Young (eay), now at EMC/RSA, and I
can say from experience that the OpenSSL implementation of MD5 (at least)
is every bit as fast as RSA's proprietary implementation (primarily
because the implementations are very, very similar.) The last time I
surveyed MD5 implementations I found they're all pretty much the same
speed.
I changed the APIs (and ABIs) for the strong and weak checksums.
Strictly speaking I didn't need to do that. They're only called on
short strings of data, i.e. pathnames, so using int32_t and uint32_t
is ostensibly okay. My change is arguably a better, more general API
for this sort of thing. It's also what bit me when gerrit/jenkins
validation failed due to glusterfs segv-ing. (I didn't pay close enough
attention to the implementation of the weak checksum. But it forced me
to learn what gerrit/jenkins are doing and going forward I can do better
testing before submitting to gerrit.)
Now resubmitting with a BZ
Change-Id: I545fade1604e74fc68399894550229bd57a5e0df
BUG: 807718
Signed-off-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-on: http://review.gluster.com/3019
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
2012-03-27 11:14:23 -04:00
AC_CHECK_LIB([crypto], [MD5], , AC_MSG_ERROR([OpenSSL crypto library is required to build glusterfs]))
2009-02-18 17:36:07 +05:30
AC_CHECK_LIB([pthread], [pthread_mutex_init], , AC_MSG_ERROR([Posix threads library is required to build glusterfs]))
2012-03-27 11:14:23 -04:00
2009-02-18 17:36:07 +05:30
AC_CHECK_FUNC([dlopen], [has_dlopen=yes], AC_CHECK_LIB([dl], [dlopen], , AC_MSG_ERROR([Dynamic linking library required to build glusterfs])))
2014-04-17 15:54:34 -07:00
AC_CHECK_LIB([readline], [rl_do_undo], [RL_UNDO="yes"], [RL_UNDO="no"])
2009-02-18 17:36:07 +05:30
2014-05-27 05:30:29 +02:00
AC_CHECK_LIB([intl], [gettext])
2009-02-18 17:36:07 +05:30
AC_CHECK_HEADERS([sys/xattr.h])
2014-04-17 15:54:34 -07:00
AC_CHECK_HEADERS([sys/ioctl.h], AC_DEFINE(HAVE_IOCTL_IN_SYS_IOCTL_H, 1, [have sys/ioctl.h]))
2009-02-18 17:36:07 +05:30
AC_CHECK_HEADERS([sys/extattr.h])
2015-02-10 19:13:35 +01:00
dnl NetBSD does not support POSIX ACLs :-(
case $host_os in
*netbsd*)
AC_MSG_WARN([NetBSD does not support POSIX ACLs... disabling them])
ACL_LIBS=''
USE_POSIX_ACLS='0'
;;
*)
AC_CHECK_HEADERS([sys/acl.h], ,
AC_MSG_ERROR([Support for POSIX ACLs is required]))
USE_POSIX_ACLS='1'
case $host_os in
linux*)
ACL_LIBS='-lacl'
;;
solaris*)
ACL_LIBS='-lsec'
;;
*freebsd*)
ACL_LIBS='-lc'
;;
darwin*)
ACL_LIBS='-lc'
;;
esac
if test "x${ACL_LIBS}" = "x-lacl"; then
AC_CHECK_HEADERS([acl/libacl.h], , AC_MSG_ERROR([libacl is required for building on ${host_os}]))
fi
;;
esac
AC_SUBST(ACL_LIBS)
AC_SUBST(USE_POSIX_ACLS)
2014-11-02 19:15:49 +01:00
# libglusterfs/checksum
2012-03-27 11:14:23 -04:00
AC_CHECK_HEADERS([openssl/md5.h])
2014-11-02 19:15:49 +01:00
AC_CHECK_LIB([z], [adler32], [ZLIB_LIBS="-lz"], AC_MSG_ERROR([zlib is required to build glusterfs]))
AC_SUBST(ZLIB_LIBS)
2012-03-27 11:14:23 -04:00
2013-05-08 08:54:11 -04:00
AC_CHECK_HEADERS([linux/falloc.h])
2009-02-18 17:36:07 +05:30
dnl Mac OS X does not have spinlocks
AC_CHECK_FUNC([pthread_spin_init], [have_spinlock=yes])
if test "x${have_spinlock}" = "xyes"; then
AC_DEFINE(HAVE_SPINLOCK, 1, [define if found spinlock])
fi
AC_SUBST(HAVE_SPINLOCK)
dnl some os may not have GNU defined strnlen function
AC_CHECK_FUNC([strnlen], [have_strnlen=yes])
if test "x${have_strnlen}" = "xyes"; then
AC_DEFINE(HAVE_STRNLEN, 1, [define if found strnlen])
fi
AC_SUBST(HAVE_STRNLEN)
AC_CHECK_FUNC([setfsuid], [have_setfsuid=yes])
AC_CHECK_FUNC([setfsgid], [have_setfsgid=yes])
if test "x${have_setfsuid}" = "xyes" -a "x${have_setfsgid}" = "xyes"; then
AC_DEFINE(HAVE_SET_FSID, 1, [define if found setfsuid setfsgid])
fi
2014-04-17 15:54:34 -07:00
dnl test umount2 function
AC_CHECK_FUNC([umount2], [have_umount2=yes])
if test "x${have_umount2}" = "xyes"; then
AC_DEFINE(HAVE_UMOUNT2, 1, [define if found umount2])
fi
2009-02-18 17:36:07 +05:30
# FUSE section
AC_ARG_ENABLE([fuse-client],
2013-06-17 13:44:10 -04:00
AC_HELP_STRING([--disable-fuse-client],
[Do not build the fuse client. NOTE: you cannot mount glusterfs without the client]))
2009-02-18 17:36:07 +05:30
BUILD_FUSE_CLIENT=no
2009-07-13 22:28:07 +02:00
if test "x$enable_fuse_client" != "xno"; then
2009-02-18 17:36:07 +05:30
FUSE_CLIENT_SUBDIR=fuse
BUILD_FUSE_CLIENT="yes"
fi
2013-11-13 22:44:42 +05:30
AC_ARG_ENABLE([bd-xlator],
AC_HELP_STRING([--enable-bd-xlator], [Build BD xlator]))
if test "x$enable_bd_xlator" != "xno"; then
AC_CHECK_LIB([lvm2app],
[lvm_init,lvm_lv_from_name],
[HAVE_BD_LIB="yes"],
[HAVE_BD_LIB="no"])
if test "x$HAVE_BD_LIB" = "xyes"; then
# lvm_lv_from_name() has been made public with lvm2-2.02.79
AC_CHECK_DECLS(
[lvm_lv_from_name],
[NEED_LVM_LV_FROM_NAME_DECL="no"],
[NEED_LVM_LV_FROM_NAME_DECL="yes"],
[[#include <lvm2app.h>]])
fi
fi
if test "x$enable_bd_xlator" = "xyes" -a "x$HAVE_BD_LIB" = "xno"; then
echo "BD xlator requested but required lvm2 development library not found."
exit 1
fi
BUILD_BD_XLATOR=no
if test "x${enable_bd_xlator}" != "xno" -a "x${HAVE_BD_LIB}" = "xyes"; then
BUILD_BD_XLATOR=yes
AC_DEFINE(HAVE_BD_XLATOR, 1, [define if lvm2app library found and bd xlator
enabled])
if test "x$NEED_LVM_LV_FROM_NAME_DECL" = "xyes"; then
AC_DEFINE(NEED_LVM_LV_FROM_NAME_DECL, 1, [defined if lvm_lv_from_name()
was not found in the lvm2app.h header, but can be linked])
fi
fi
AM_CONDITIONAL([ENABLE_BD_XLATOR], [test x$BUILD_BD_XLATOR = xyes])
Transparent data encryption and metadata authentication
.. in the systems with non-trusted server
This new functionality can be useful in various cloud technologies.
It is implemented via a special encryption/crypt translator, which
works on the client side and performs encryption and authentication.
1. Class of supported algorithms
The crypt translator can support any atomic symmetric block cipher
algorithms (which require to pad plain/cipher text before performing
encryption/decryption transform; see glossary in atom.c for
definitions). In particular, it can support algorithms with the EOF
issue (which require to pad the end of file by extra-data).
Crypt translator performs translations
user -> (offset, size) -> (aligned-offset, padded-size) -> server
(and backward), and resolves individual FOPs (write(), truncate(),
etc) to read-modify-write sequences.
A volume can contain files encrypted by different algorithms of the
mentioned class. To change some option value just reconfigure the
volume.
Currently only one algorithm is supported: AES_XTS.
Example of algorithms, which can not be supported by the crypt
translator:
1. Asymmetric block cipher algorithms, which inflate data, e.g. RSA;
2. Symmetric block cipher algorithms with inline MACs for data
authentication.
2. Implementation notes.
a) Atomic algorithms
Since any process in a stackable file system manipulates with local
data (which can be obsoleted by local data of another process), any
atomic cipher algorithm without proper support can lead to non-POSIX
behavior. To resolve the "collisions" we introduce locks: before
performing FOP->read(), FOP->write(), etc. the process should first
lock the file.
b) Algorithms with EOF issue
Such algorithms require to pad the end of file with some extra-data.
Without proper support this will result in losing information about
real file size. Keeping a track of real file size is a responsibility
of the crypt translator. A special extended attribute with the name
"trusted.glusterfs.crypt.att.size" is used for this purpose. All files
contained in bricks of encrypted volume do have "padded" sizes.
3. Non-trusted servers and
Metadata authentication
We assume that server, where user's data is stored on is non-trusted.
It means that the server can be subjected to various attacks directed
to reveal user's encrypted personal data. We provide protection
against such attacks.
Every encrypted file has specific private attributes (cipher algorithm
id, atom size, etc), which are packed to a string (so-called "format
string") and stored as a special extended attribute with the name
"trusted.glusterfs.crypt.att.cfmt". We protect the string from
tampering. This protection is mandatory, hardcoded and is always on.
Without such protection various attacks (based on extending the scope
of per-file secret keys) are possible.
Our authentication method has been developed in tight collaboration
with Red Hat security team and is implemented as "metadata loader of
version 1" (see file metadata.c). This method is NIST-compliant and is
based on checking 8-byte per-hardlink MACs created (updated) by
FOP->create(), FOP->link(), FOP->unlink(), FOP->rename() by the
following unique entities:
. file (hardlink) name;
. verified file's object id (gfid).
Every time, before manipulating a file, we check its MACs at
FOP->open() time. Some FOPs don't require a file to be opened (e.g.
FOP->truncate()). In such cases the crypt translator opens the file
mandatorily.
4. Generating keys
Unique per-file keys are derived by NIST-compliant methods from the
a) parent key;
b) unique verified object-id of the file (gfid);
Per-volume master key, provided by user at mount time is in the root
of this "tree of keys".
Those keys are used to:
1) encrypt/decrypt file data;
2) encrypt/decrypt file metadata;
3) create per-file and per-link MACs for metadata authentication.
5. Instructions
Getting started with crypt translator
Example:
1) Create a volume "myvol" and enable encryption:
# gluster volume create myvol pepelac:/vols/xvol
# gluster volume set myvol encryption on
2) Set location (absolute pathname) of your master key:
# gluster volume set myvol encryption.master-key /home/me/mykey
3) Set other options to override default options, if needed.
Start the volume.
4) On the client side make sure that the file /home/me/mykey exists
and contains proper per-volume master key (that is 256-bit AES
key). This key has to be in hex form, i.e. should be represented
by 64 symbols from the set {'0', ..., '9', 'a', ..., 'f'}.
The key should start at the beginning of the file. All symbols at
offsets >= 64 are ignored.
5) Mount the volume "myvol" on the client side:
# glusterfs --volfile-server=pepelac --volfile-id=myvol /mnt
After successful mount the file which contains master key may be
removed. NOTE: Keeping the master key between mount sessions is in
user's competence.
**********************************************************************
WARNING! Losing the master key will make content of all regular files
inaccessible. Mount with improper master key allows to access content
of directories: file names are not encrypted.
**********************************************************************
6. Options of crypt translator
1) "master-key": specifies location (absolute pathname) of the file
which contains per-volume master key. There is no default location
for master key.
2) "data-key-size": specifies size of per-file key for data encryption
Possible values:
. "256" default value
. "512"
3) "block-size": specifies atom size. Possible values:
. "512"
. "1024"
. "2048"
. "4096" default value;
7. Test cases
Any workload, which involves the following file operations:
->create();
->open();
->readv();
->writev();
->truncate();
->ftruncate();
->link();
->unlink();
->rename();
->readdirp().
8. TODOs:
1) Currently size of IOs issued by crypt translator is restricted
by block_size (4K by default). We can use larger IOs to improve
performance.
Change-Id: I2601fe95c5c4dc5b22308a53d0cbdc071d5e5cee
BUG: 1030058
Signed-off-by: Edward Shishkin <edward@redhat.com>
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.org/4667
Tested-by: Gluster Build System <jenkins@build.gluster.com>
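The (offset, size) -> (aligned-offset, padded-size) translation from section 1 of the commit message above, together with the padded on-brick sizes from section 2b, comes down to the arithmetic below. This C code is an added example, not code from the GlusterFS crypt translator; the type and function names (atom_range, map_request, padded_file_size, atoms_to_read_before_write) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* A user request mapped onto whole cipher atoms (hypothetical type). */
struct atom_range {
    uint64_t aligned_offset; /* start of the first atom touched */
    uint64_t padded_size;    /* bytes exchanged with the server */
    uint64_t atom_count;     /* padded_size / block size */
    int head_partial;        /* request starts inside an atom */
    int tail_partial;        /* request ends inside an atom */
};

/* "block-size" values listed in section 6 of the commit message. */
static int valid_block_size(uint32_t bs)
{
    return bs == 512 || bs == 1024 || bs == 2048 || bs == 4096;
}

/*
 * Size of a file as stored on a brick: the real size rounded up to a whole
 * number of atoms. The real size cannot be recovered from this value, which
 * is why the message keeps it in "trusted.glusterfs.crypt.att.size".
 * Assumes bs has already been validated and real_size + bs does not overflow.
 */
uint64_t padded_file_size(uint64_t real_size, uint32_t bs)
{
    uint64_t mask = (uint64_t)bs - 1;
    return (real_size + mask) & ~mask;
}

/*
 * Map a user (offset, size) to (aligned-offset, padded-size).
 * Returns 0 on success, -1 on an unsupported block size, an empty request
 * or arithmetic overflow.
 */
int map_request(uint64_t offset, uint64_t size, uint32_t bs,
                struct atom_range *out)
{
    uint64_t mask, end, aligned_end;

    if (out == NULL || size == 0 || !valid_block_size(bs))
        return -1;
    mask = (uint64_t)bs - 1;
    if (offset > UINT64_MAX - size)
        return -1;
    end = offset + size;
    if (end > UINT64_MAX - mask)
        return -1;

    aligned_end = (end + mask) & ~mask;
    out->aligned_offset = offset & ~mask;
    out->padded_size = aligned_end - out->aligned_offset;
    out->atom_count = out->padded_size / bs;
    out->head_partial = (offset & mask) != 0;
    out->tail_partial = (end & mask) != 0;
    return 0;
}

/*
 * Number of atoms a write has to read (and decrypt) first, because they
 * already exist on the server and are only partly overwritten. This is the
 * "read" half of the read-modify-write sequence; fully overwritten atoms and
 * atoms beyond the stored end of file need no read.
 */
int atoms_to_read_before_write(const struct atom_range *r, uint32_t bs,
                               uint64_t real_size)
{
    uint64_t stored = padded_file_size(real_size, bs);
    uint64_t last_atom = r->aligned_offset + r->padded_size - bs;
    int reads = 0;

    if (r->head_partial && r->aligned_offset < stored)
        reads++;
    /* Do not count the same atom twice when the request fits in one atom. */
    if (r->tail_partial && last_atom < stored &&
        !(r->head_partial && last_atom == r->aligned_offset))
        reads++;
    return reads;
}

int main(void)
{
    struct atom_range r;

    /* Constructed sample: 200-byte write at offset 4000, 10000-byte file. */
    if (map_request(4000, 200, 4096, &r) != 0)
        return 1;
    printf("aligned_offset=%llu padded_size=%llu atoms=%llu reads=%d\n",
           (unsigned long long)r.aligned_offset,
           (unsigned long long)r.padded_size,
           (unsigned long long)r.atom_count,
           atoms_to_read_before_write(&r, 4096, 10000));
    return 0;
}
```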
2013-03-13 21:56:46 +01:00
# start encryption/crypt section
AC_CHECK_HEADERS([openssl/cmac.h], [have_cmac_h=yes], [have_cmac_h=no])
AC_ARG_ENABLE([crypt-xlator],
2015-02-18 19:45:23 +05:30
AC_HELP_STRING([--enable-crypt-xlator], [Build crypt encryption xlator]))
2013-03-13 21:56:46 +01:00
if test "x$enable_crypt_xlator" = "xyes" -a "x$have_cmac_h" = "xno"; then
2014-04-17 15:54:34 -07:00
AC_MSG_ERROR([Encryption xlator requires OpenSSL with cmac.h])
2013-03-13 21:56:46 +01:00
fi
BUILD_CRYPT_XLATOR=no
if test "x$enable_crypt_xlator" != "xno" -a "x$have_cmac_h" = "xyes"; then
BUILD_CRYPT_XLATOR=yes
AC_DEFINE(HAVE_CRYPT_XLATOR, 1, [enable building crypt encryption xlator])
fi
AM_CONDITIONAL([ENABLE_CRYPT_XLATOR], [test x$BUILD_CRYPT_XLATOR = xyes])
2009-02-18 17:36:07 +05:30
AC_SUBST(FUSE_CLIENT_SUBDIR)
# end FUSE section
2009-08-11 18:26:11 -07:00
# FUSERMOUNT section
AC_ARG_ENABLE([fusermount],
2013-06-17 13:44:10 -04:00
AC_HELP_STRING([--disable-fusermount],
[Use system's fusermount]))
2009-08-11 18:26:11 -07:00
2013-04-03 13:38:00 -07:00
BUILD_FUSERMOUNT="yes"
2013-04-10 17:51:37 +02:00
if test "x$enable_fusermount" = "xno"; then
2014-06-21 02:00:23 -07:00
BUILD_FUSERMOUNT="no"
2013-04-03 13:38:00 -07:00
else
2014-06-21 02:00:23 -07:00
AC_DEFINE(GF_FUSERMOUNT, 1, [Use our own fusermount])
FUSERMOUNT_SUBDIR="contrib/fuse-util"
2009-08-11 18:26:11 -07:00
fi
AC_SUBST(FUSERMOUNT_SUBDIR)
#end FUSERMOUNT section
2013-03-05 14:48:28 -08:00
# QEMU_BLOCK section
AC_ARG_ENABLE([qemu-block],
AC_HELP_STRING([--enable-qemu-block],
[Build QEMU Block formats translator]))
if test "x$enable_qemu_block" != "xno"; then
PKG_CHECK_MODULES([GLIB], [glib-2.0],
[HAVE_GLIB_2="yes"],
2015-02-18 19:45:23 +05:30
[HAVE_GLIB_2="no"])
2013-03-05 14:48:28 -08:00
fi
if test "x$enable_qemu_block" = "xyes" -a "x$HAVE_GLIB_2" = "xno"; then
echo "QEMU Block formats translator requires libglib-2.0, but missing."
exit 1
fi
BUILD_QEMU_BLOCK=no
if test "x${enable_qemu_block}" != "xno" -a "x${HAVE_GLIB_2}" = "xyes"; then
BUILD_QEMU_BLOCK=yes
AC_DEFINE(HAVE_QEMU_BLOCK, 1, [define if libglib-2.0 library found and QEMU
2015-02-18 19:45:23 +05:30
Block translator enabled])
2013-03-05 14:48:28 -08:00
fi
# end QEMU_BLOCK section
2009-08-11 18:26:11 -07:00
2009-02-18 17:36:07 +05:30
# EPOLL section
AC_ARG_ENABLE([epoll],
2013-06-17 13:44:10 -04:00
AC_HELP_STRING([--disable-epoll],
[Use poll instead of epoll.]))
2009-02-18 17:36:07 +05:30
BUILD_EPOLL=no
if test "x$enable_epoll" != "xno"; then
AC_CHECK_HEADERS([sys/epoll.h],
[BUILD_EPOLL=yes],
2013-06-17 13:44:10 -04:00
[BUILD_EPOLL=no])
2009-02-18 17:36:07 +05:30
fi
# end EPOLL section
# IBVERBS section
AC_ARG_ENABLE([ibverbs],
2013-06-17 13:44:10 -04:00
AC_HELP_STRING([--disable-ibverbs],
[Do not build the ibverbs transport]))
2009-02-18 17:36:07 +05:30
if test "x$enable_ibverbs" != "xno"; then
AC_CHECK_LIB([ibverbs],
[ibv_get_device_list],
2013-06-17 13:44:10 -04:00
[HAVE_LIBIBVERBS="yes"],
[HAVE_LIBIBVERBS="no"])
2013-09-17 19:27:57 -07:00
AC_CHECK_LIB([rdmacm], [rdma_create_id], [HAVE_RDMACM="yes"], [HAVE_RDMACM="no"])
2009-02-18 17:36:07 +05:30
fi
2012-12-18 12:47:43 +05:30
if test "x$enable_ibverbs" = "xyes"; then
if test "x$HAVE_LIBIBVERBS" = "xno"; then
echo "ibverbs-transport requested, but libibverbs is not present."
exit 1
fi
if test "x$HAVE_RDMACM" = "xno"; then
echo "ibverbs-transport requested, but librdmacm is not present."
exit 1
fi
2009-02-18 17:36:07 +05:30
fi
2010-08-31 03:20:29 +00:00
BUILD_RDMA=no
2009-02-18 17:36:07 +05:30
BUILD_IBVERBS=no
2012-12-18 12:47:43 +05:30
if test "x$enable_ibverbs" != "xno" -a "x$HAVE_LIBIBVERBS" = "xyes" -a "x$HAVE_RDMACM" = "xyes"; then
2009-02-18 17:36:07 +05:30
IBVERBS_SUBDIR=ib-verbs
BUILD_IBVERBS=yes
2010-08-31 03:20:29 +00:00
RDMA_SUBDIR=rdma
BUILD_RDMA=yes
2009-02-18 17:36:07 +05:30
fi
AC_SUBST(IBVERBS_SUBDIR)
2010-08-31 03:20:29 +00:00
AC_SUBST(RDMA_SUBDIR)
2009-02-18 17:36:07 +05:30
# end IBVERBS section
2011-01-27 05:23:35 +00:00
# SYNCDAEMON section
AC_ARG_ENABLE([georeplication],
2013-06-17 13:44:10 -04:00
AC_HELP_STRING([--disable-georeplication],
[Do not install georeplication components]))
2011-01-27 05:23:35 +00:00
BUILD_SYNCDAEMON=no
2011-02-17 07:31:18 +00:00
case $host_os in
linux*)
2011-08-12 09:17:44 +02:00
#do nothing
;;
netbsd*)
2011-02-17 07:31:18 +00:00
#do nothing
;;
*)
#disabling geo replication for non-linux platforms
2013-06-17 13:44:10 -04:00
enable_georeplication=no
2011-02-17 07:31:18 +00:00
;;
esac
2011-02-24 00:08:46 +00:00
SYNCDAEMON_COMPILE=0
2011-01-27 05:23:35 +00:00
if test "x$enable_georeplication" != "xno"; then
2013-05-27 22:23:57 +05:30
SYNCDAEMON_SUBDIR=geo-replication
2011-02-24 00:08:46 +00:00
SYNCDAEMON_COMPILE=1
2011-01-27 05:23:35 +00:00
BUILD_SYNCDAEMON="yes"
AM_PATH_PYTHON([2.4])
echo -n "checking if python is python 2.x... "
if echo $PYTHON_VERSION | grep ^2; then
:
else
echo no
AC_MSG_ERROR([only python 2.x is supported])
fi
echo -n "checking if python has ctypes support... "
if "$PYTHON" -c 'import ctypes' 2>/dev/null; then
echo yes
else
echo no
AC_MSG_ERROR([python does not have ctypes support])
fi
fi
2011-02-24 00:08:46 +00:00
AC_SUBST(SYNCDAEMON_COMPILE)
2011-01-27 05:23:35 +00:00
AC_SUBST(SYNCDAEMON_SUBDIR)
# end SYNCDAEMON section
2014-12-01 09:21:32 +01:00
# only install scripts from extras/geo-rep when enabled
if test "x$enable_georeplication" != "xno"; then
GEOREP_EXTRAS_SUBDIR=geo-rep
fi
AC_SUBST(GEOREP_EXTRAS_SUBDIR)
2014-08-09 23:54:15 -07:00
# CDC xlator - check if libz is present if so enable HAVE_LIB_Z
2014-08-08 12:01:34 +02:00
BUILD_CDC=yes
PKG_CHECK_MODULES([ZLIB], [zlib >= 1.2.0],,
2014-08-19 18:24:23 -07:00
[AC_CHECK_LIB([z], [deflate], [ZLIB_LIBS="-lz"],
2014-08-08 12:01:34 +02:00
[BUILD_CDC=no])])
echo -n "features requiring zlib enabled: "
if test "x$BUILD_CDC" = "xyes" ; then
echo "yes"
AC_DEFINE(HAVE_LIB_Z, 1, [define if zlib is present])
else
echo "no"
fi
2014-08-19 18:24:23 -07:00
AC_SUBST(ZLIB_CFLAGS)
AC_SUBST(ZLIB_LIBS)
2012-03-26 14:33:41 +05:30
# end CDC xlator section
2015-02-18 19:45:23 +05:30
# Data tiering requires sqlite
AC_ARG_ENABLE([tiering],
AC_HELP_STRING([--disable-tiering],
[Disable data classification/tiering]),
[BUILD_GFDB="${enableval}"], [BUILD_GFDB="yes"])
if test "x${BUILD_GFDB}" = "xyes"; then
PKG_CHECK_MODULES([SQLITE], [sqlite3],
AC_DEFINE(USE_GFDB, 1),
AC_MSG_ERROR([pass --disable-tiering to build without sqlite]))
else
AC_DEFINE(USE_GFDB, 0, [no sqlite, gfdb is disabled])
fi
AC_SUBST(SQLITE_CFLAGS)
AC_SUBST(SQLITE_LIBS)
AM_CONDITIONAL(BUILD_GFDB, test "x${BUILD_GFDB}" = "xyes")
AM_CONDITIONAL(USE_GFDB, test "x${BUILD_GFDB}" = "xyes")
2012-07-08 10:37:49 +05:30
# check for systemtap/dtrace
BUILD_SYSTEMTAP=no
AC_MSG_CHECKING([whether to include systemtap tracing support])
AC_ARG_ENABLE([systemtap],
[AS_HELP_STRING([--enable-systemtap],
[Enable inclusion of systemtap trace support])],
[ENABLE_SYSTEMTAP="${enableval}"], [ENABLE_SYSTEMTAP="def"])
2012-11-02 09:15:36 +01:00
AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test "x${ENABLE_SYSTEMTAP}" = "xyes"])
2012-07-08 10:37:49 +05:30
AC_MSG_RESULT(${ENABLE_SYSTEMTAP})
if test "x${ENABLE_SYSTEMTAP}" != "xno"; then
AC_CHECK_PROG(DTRACE, dtrace, "yes", "no")
AC_CHECK_HEADER([sys/sdt.h], [SDT_H_FOUND="yes"],
[SDT_H_FOUND="no"])
fi
2012-11-02 09:15:36 +01:00
if test "x${ENABLE_SYSTEMTAP}" = "xyes"; then
if test "x${DTRACE}" = "xno"; then
2012-07-08 10:37:49 +05:30
AC_MSG_ERROR([dtrace not found])
2012-11-02 09:15:36 +01:00
elif test "x${SDT_H_FOUND}" = "xno"; then
2012-07-08 10:37:49 +05:30
AC_MSG_ERROR([systemtap support needs sys/sdt.h header])
fi
fi
2012-11-02 09:15:36 +01:00
if test "x${DTRACE}" = "xyes" -a "x${SDT_H_FOUND}" = "xyes"; then
2012-07-08 10:37:49 +05:30
AC_MSG_CHECKING([x"${DTRACE}"xy"${SDT_H_FOUND}"y])
AC_DEFINE([HAVE_SYSTEMTAP], [1], [Define to 1 if using probes.])
BUILD_SYSTEMTAP=yes
fi
# end of systemtap/dtrace
2013-04-08 16:49:34 +05:30
# xml-output
AC_ARG_ENABLE([xml-output],
AC_HELP_STRING([--disable-xml-output],
[Disable the xml output]))
BUILD_XML_OUTPUT="yes"
if test "x$enable_xml_output" != "xno"; then
#check if libxml is present if so enable HAVE_LIB_XML
2013-09-17 19:27:57 -07:00
m4_ifdef([AM_PATH_XML2],[AM_PATH_XML2([2.6.19])], [no_xml=yes])
2013-04-08 16:49:34 +05:30
if test "x${no_xml}" = "x"; then
AC_DEFINE([HAVE_LIB_XML], [1], [Define to 1 if using libxml2.])
else
2015-02-18 19:45:23 +05:30
if test "x$enable_georeplication" != "xno"; then
2014-02-19 18:51:26 +05:30
AC_MSG_ERROR([libxml2 devel libraries not found])
2015-02-18 19:45:23 +05:30
else
AC_MSG_WARN([libxml2 devel libraries not found disabling XML support])
2014-02-19 18:51:26 +05:30
BUILD_XML_OUTPUT="no"
2015-02-18 19:45:23 +05:30
fi
2014-02-19 18:51:26 +05:30
2013-04-08 16:49:34 +05:30
fi
else
2014-02-19 18:51:26 +05:30
if test "x$enable_georeplication" != "xno"; then
AC_MSG_ERROR([geo-replication requires xml output])
fi
2013-04-08 16:49:34 +05:30
BUILD_XML_OUTPUT="no"
2013-03-25 08:22:16 -04:00
fi
2013-04-08 16:49:34 +05:30
# end of xml-output
2011-01-27 05:23:35 +00:00
2014-06-21 02:00:23 -07:00
AC_CHECK_HEADERS([execinfo.h], [have_backtrace=yes])
2009-02-18 17:36:07 +05:30
if test "x${have_backtrace}" = "xyes"; then
AC_DEFINE(HAVE_BACKTRACE, 1, [define if found backtrace])
fi
AC_SUBST(HAVE_BACKTRACE)
2014-06-29 18:56:44 -07:00
if test "x${have_backtrace}" != "xyes"; then
AC_TRY_COMPILE([#include <math.h>], [double x=0.0; x=ceil(0.0);],
[have_math_h=yes],
AC_MSG_ERROR([need math library for libexecinfo]))
if test "x${have_math_h}" = "xyes"; then
LIBS="$LIBS -lm"
fi
fi
2014-06-21 02:00:23 -07:00
2009-02-18 17:36:07 +05:30
dnl glusterfs prints memory usage to stderr by sending it SIGUSR1
AC_CHECK_FUNC([malloc_stats], [have_malloc_stats=yes])
if test "x${have_malloc_stats}" = "xyes"; then
AC_DEFINE(HAVE_MALLOC_STATS, 1, [define if found malloc_stats])
fi
AC_SUBST(HAVE_MALLOC_STATS)
dnl Linux, Solaris, Cygwin
AC_CHECK_MEMBERS([struct stat.st_atim.tv_nsec])
dnl FreeBSD, NetBSD
AC_CHECK_MEMBERS([struct stat.st_atimespec.tv_nsec])
2012-03-30 15:58:43 +02:00
case $host_os in
2013-06-17 13:44:10 -04:00
*netbsd*)
2014-05-21 05:45:39 +02:00
CFLAGS="${CFLAGS} -D_INCOMPLETE_XOPEN_C063 -DCONFIG_MACHINE_BSWAP_H"
2013-06-17 13:44:10 -04:00
;;
2012-03-30 15:58:43 +02:00
esac
2011-08-12 09:12:27 +02:00
AC_CHECK_FUNC([linkat], [have_linkat=yes])
if test "x${have_linkat}" = "xyes"; then
AC_DEFINE(HAVE_LINKAT, 1, [define if found linkat])
fi
AC_SUBST(HAVE_LINKAT)
2009-02-18 17:36:07 +05:30
2013-10-10 04:19:16 -07:00
dnl check for Monotonic clock
2014-08-09 23:54:15 -07:00
AC_CHECK_LIB([rt], [clock_gettime], ,
AC_MSG_WARN([System doesn't have monotonic clock using contrib]))
2013-10-10 04:19:16 -07:00
2009-02-18 17:36:07 +05:30
dnl Check for argp
AC_CHECK_HEADER([argp.h], AC_DEFINE(HAVE_ARGP, 1, [have argp]))
2013-10-10 04:19:16 -07:00
2009-02-18 17:36:07 +05:30
BUILD_ARGP_STANDALONE=no
2013-09-17 19:27:57 -07:00
if test "x${ac_cv_header_argp_h}" = "xno"; then
2015-01-19 10:20:28 +01:00
AC_CONFIG_SUBDIRS(contrib/argp-standalone)
2009-02-18 17:36:07 +05:30
BUILD_ARGP_STANDALONE=yes
2014-03-26 16:55:12 -07:00
ARGP_STANDALONE_CPPFLAGS='-I${top_srcdir}/contrib/argp-standalone'
ARGP_STANDALONE_LDADD='${top_builddir}/contrib/argp-standalone/libargp.a'
2014-04-10 14:43:47 -04:00
ARGP_STANDALONE_DIR='${top_builddir}/contrib/argp-standalone'
2009-02-18 17:36:07 +05:30
fi
AC_SUBST(ARGP_STANDALONE_CPPFLAGS)
AC_SUBST(ARGP_STANDALONE_LDADD)
2014-04-24 17:09:24 -07:00
AC_SUBST(ARGP_STANDALONE_DIR)
2009-02-18 17:36:07 +05:30
AC_CHECK_HEADER([malloc.h], AC_DEFINE(HAVE_MALLOC_H, 1, [have malloc.h]))
AC_CHECK_FUNC([llistxattr], [have_llistxattr=yes])
if test "x${have_llistxattr}" = "xyes"; then
AC_DEFINE(HAVE_LLISTXATTR, 1, [define if llistxattr exists])
fi
2014-04-17 15:54:34 -07:00
AC_CHECK_FUNC([fdatasync], [have_fdatasync=no])
2009-02-18 17:36:07 +05:30
if test "x${have_fdatasync}" = "xyes"; then
AC_DEFINE(HAVE_FDATASYNC, 1, [define if fdatasync exists])
fi
2013-05-08 08:54:11 -04:00
AC_CHECK_FUNC([fallocate], [have_fallocate=yes])
if test "x${have_fallocate}" = "xyes"; then
AC_DEFINE(HAVE_FALLOCATE, 1, [define if fallocate exists])
fi
AC_CHECK_FUNC([posix_fallocate], [have_posix_fallocate=yes])
if test "x${have_posix_fallocate}" = "xyes"; then
AC_DEFINE(HAVE_POSIX_FALLOCATE, 1, [define if posix_fallocate exists])
fi
2013-09-17 19:27:57 -07:00
# Check the distribution where you are compiling glusterfs on
2009-03-01 05:35:18 -08:00
GF_DISTRIBUTION=
AC_CHECK_FILE([/etc/debian_version])
AC_CHECK_FILE([/etc/SuSE-release])
AC_CHECK_FILE([/etc/redhat-release])
if test "x$ac_cv_file__etc_debian_version" = "xyes"; then
GF_DISTRIBUTION=Debian
fi
if test "x$ac_cv_file__etc_SuSE_release" = "xyes"; then
GF_DISTRIBUTION=SuSE
fi
if test "x$ac_cv_file__etc_redhat_release" = "xyes"; then
GF_DISTRIBUTION=Redhat
fi
AC_SUBST(GF_DISTRIBUTION)
2009-02-18 17:36:07 +05:30
GF_HOST_OS=""
GF_LDFLAGS="-rdynamic"
2014-04-17 15:54:34 -07:00
dnl check for gcc -Werror=format-security
saved_GF_CFLAGS="-Wformat -Werror=format-security"
2012-12-14 10:48:46 +01:00
AC_MSG_CHECKING([whether $CC accepts -Werror=format-security])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], [cc_werror_format_security=yes], [cc_werror_format_security=no])
echo $cc_werror_format_security
if test "x$cc_werror_format_security" = "xno"; then
2014-04-17 15:54:34 -07:00
GF_CFLAGS="$GF_CFLAGS"
2012-12-14 10:48:46 +01:00
else
2014-04-17 15:54:34 -07:00
GF_CFLAGS="$saved_GF_CFLAGS $GF_CFLAGS"
2012-12-14 10:48:46 +01:00
fi
2014-04-17 15:54:34 -07:00
dnl check for gcc -Werror=implicit-function-declaration
saved_GF_CFLAGS=$GF_CFLAGS
GF_CFLAGS="-Werror=implicit-function-declaration"
2013-07-30 18:22:48 +02:00
AC_MSG_CHECKING([whether $CC accepts -Werror=implicit-function-declaration])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM()], [cc_werror_implicit=yes], [cc_werror_implicit=no])
echo $cc_werror_implicit
if test "x$cc_werror_implicit" = "xno"; then
2014-04-17 15:54:34 -07:00
GF_CFLAGS="$saved_GF_CFLAGS"
2013-07-30 18:22:48 +02:00
else
2014-04-17 15:54:34 -07:00
GF_CFLAGS="$saved_GF_CFLAGS $GF_CFLAGS"
2013-07-30 18:22:48 +02:00
fi
2014-04-17 15:54:34 -07:00
dnl clang is mostly GCC-compatible, but its version is much lower,
dnl so we have to check for it.
AC_MSG_CHECKING([if compiling with clang])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([], [[
#ifndef __clang__
not clang
#endif
]])],
[CLANG=yes], [CLANG=no])
AC_MSG_RESULT([$CLANG])
if test "x$CLANG" = "xyes"; then
2014-06-21 02:00:23 -07:00
GF_COMPILER_FLAGS="-Wno-gnu"
2014-04-17 15:54:34 -07:00
fi
2014-06-21 02:00:23 -07:00
if test "x$ac_cv_header_execinfo_h" = "xno"; then
# The reason is that __builtin_frame_address(n) for n > 0 seems
# to just crash on most platforms when -fomit-frame-pointer is
# specified, which seems to be the default for many platforms on
# -O2. The documentation says that __builtin_frame_address()
# should return NULL in case it can't get the frame, but it
# seems to crash instead.
# execinfo.c in ./contrib/libexecinfo uses __builtin_frame_address(n)
# for providing cross platform backtrace*() functions.
if test "x$CLANG" = "xno"; then
CFLAGS="$CFLAGS -fno-omit-frame-pointer"
fi
fi
2014-04-17 15:54:34 -07:00
2015-02-18 19:07:23 +05:30
old_prefix=$prefix
if test "x$prefix" = xNONE; then
prefix=$ac_default_prefix
fi
GLUSTERFS_LIBEXECDIR="$(eval echo $prefix)/libexec/glusterfs"
GLUSTERFSD_MISCDIR="$(eval echo $prefix)/var/lib/misc/glusterfsd"
prefix=$old_prefix
2014-06-29 18:56:44 -07:00
### Dirty hacky stuff to make LOCALSTATEDIR work
if test "x$prefix" = xNONE; then
test $localstatedir = '${prefix}/var' && localstatedir=$ac_default_prefix/var
localstatedir=/var
LOCALSTATEDIR=$(eval echo ${localstatedir})
else
LOCALSTATEDIR=$(eval echo ${localstatedir})
fi
geo-rep: mountbroker user management
Non root geo-replication setup is now simplified. This
patch provides cli for mountbroker user and options management
To set Options,
gluster system:: execute mountbroker opt <KEY> <VALUE>
# for example,
gluster system:: execute mountbroker opt mountbroker-root /var/mountbroker-root
gluster system:: execute mountbroker opt geo-replication-log-group geogroup
gluster system:: execute mountbroker opt rpc-auth-allow-insecure on
To remove option,
gluster system:: execute mountbroker optdel <KEY>
# for example,
gluster system:: execute mountbroker optdel geo-replication-log-group
To add/edit user,
gluster system:: execute mountbroker user <USERNAME> <VOLUMES>
# for example
gluster system:: execute mountbroker user geoaccount slavevol1,slavevol2
To remove user,
gluster system:: execute mountbroker userdel <USERNAME>
# for example
gluster system:: execute mountbroker userdel geoaccount
For info,
gluster system:: execute mountbroker info
gluster system:: execute mountbroker -j info
For JSON output add -j after mountbroker, for example,
gluster system:: execute mountbroker -j user geoaccount slavevol1,slavevol2
PS: Each peer prints its own JSON output, aggregator required from consumer side
BUG: 1136312
Change-Id: Ie52210c0bcc91ac2ffd3ba58988222ffca62b47f
Signed-off-by: Aravinda VK <avishwan@redhat.com>
Reviewed-on: http://review.gluster.org/9398
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: darshan n <dnarayan@redhat.com>
Reviewed-by: Kotresh HR <khiremat@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2015-01-06 18:20:45 +05:30
old_prefix=$prefix
if test "x$prefix" = xNONE; then
prefix=$ac_default_prefix
fi
GLUSTERD_VOLFILE="$(eval echo ${sysconfdir})/glusterfs/glusterd.vol"
prefix=$old_prefix
2009-02-18 17:36:07 +05:30
case $host_os in
linux*)
GF_HOST_OS="GF_LINUX_HOST_OS"
2014-06-29 18:56:44 -07:00
GF_CFLAGS="${GF_COMPILER_FLAGS} ${ARGP_STANDALONE_CPPFLAGS}"
2013-06-17 13:44:10 -04:00
GF_LDADD="${ARGP_STANDALONE_LDADD}"
GF_FUSE_CFLAGS="-DFUSERMOUNT_DIR=\\\"\$(bindir)\\\""
2014-06-29 18:56:44 -07:00
GLUSTERD_WORKDIR="${LOCALSTATEDIR}/lib/glusterd"
2013-06-17 13:44:10 -04:00
;;
2009-02-18 17:36:07 +05:30
solaris*)
GF_HOST_OS="GF_SOLARIS_HOST_OS"
2014-02-09 21:57:45 -05:00
GF_CFLAGS="${ARGP_STANDALONE_CPPFLAGS} -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -m64"
2013-06-17 13:44:10 -04:00
GF_LDFLAGS=""
GF_LDADD="${ARGP_STANDALONE_LDADD}"
2009-12-18 12:38:04 +00:00
BUILD_FUSE_CLIENT=no
FUSE_CLIENT_SUBDIR=""
2014-06-29 18:56:44 -07:00
GLUSTERD_WORKDIR="${LOCALSTATEDIR}/lib/glusterd"
2013-06-17 13:44:10 -04:00
;;
2011-05-20 16:56:27 +00:00
*netbsd*)
2013-06-17 13:44:10 -04:00
GF_HOST_OS="GF_BSD_HOST_OS"
GF_CFLAGS="${ARGP_STANDALONE_CPPFLAGS} -D_INCOMPLETE_XOPEN_C063"
GF_CFLAGS="${GF_CFLAGS} -DTHREAD_UNSAFE_BASENAME"
GF_CFLAGS="${GF_CFLAGS} -DTHREAD_UNSAFE_DIRNAME"
2014-06-21 02:00:23 -07:00
GF_FUSE_CFLAGS="-DFUSERMOUNT_DIR=\\\"\$(sbindir)\\\""
2013-06-17 13:44:10 -04:00
GF_LDADD="${ARGP_STANDALONE_LDADD}"
if test "x$ac_cv_header_execinfo_h" = "xyes"; then
2014-06-29 18:56:44 -07:00
GF_LDFLAGS="-lexecinfo"
2013-06-17 13:44:10 -04:00
fi
GF_FUSE_LDADD="-lperfuse"
BUILD_FUSE_CLIENT=yes
LEXLIB=""
2014-06-21 02:00:23 -07:00
BUILD_FUSERMOUNT=no
FUSERMOUNT_SUBDIR=""
2014-06-29 18:56:44 -07:00
GLUSTERD_WORKDIR="${LOCALSTATEDIR}/db/glusterd"
2013-06-17 13:44:10 -04:00
;;
2014-06-21 02:00:23 -07:00
*freebsd*)
2009-02-18 17:36:07 +05:30
GF_HOST_OS="GF_BSD_HOST_OS"
2014-06-29 18:56:44 -07:00
GF_CFLAGS="${GF_COMPILER_FLAGS} ${ARGP_STANDALONE_CPPFLAGS} -O0"
2013-06-17 13:44:10 -04:00
GF_CFLAGS="${GF_CFLAGS} -DTHREAD_UNSAFE_BASENAME"
GF_CFLAGS="${GF_CFLAGS} -DTHREAD_UNSAFE_DIRNAME"
2014-06-21 02:00:23 -07:00
GF_CFLAGS="${GF_CFLAGS} -D_LIBGEN_H_"
GF_CFLAGS="${GF_CFLAGS} -DO_DSYNC=0"
GF_CFLAGS="${GF_CFLAGS} -Dxdr_quad_t=xdr_longlong_t"
GF_CFLAGS="${GF_CFLAGS} -Dxdr_u_quad_t=xdr_u_longlong_t"
GF_FUSE_CFLAGS="-DFUSERMOUNT_DIR=\\\"\$(sbindir)\\\""
2014-06-29 18:56:44 -07:00
GF_LDADD="${ARGP_STANDALONE_LDADD}"
2013-06-17 13:44:10 -04:00
if test "x$ac_cv_header_execinfo_h" = "xyes"; then
2014-06-29 18:56:44 -07:00
GF_LDFLAGS="-lexecinfo"
2013-06-17 13:44:10 -04:00
fi
2014-06-29 18:56:44 -07:00
BUILD_FUSE_CLIENT=yes
2014-06-21 02:00:23 -07:00
BUILD_FUSERMOUNT=no
FUSERMOUNT_SUBDIR=""
2014-06-29 18:56:44 -07:00
GLUSTERD_WORKDIR="${LOCALSTATEDIR}/db/glusterd"
2013-06-17 13:44:10 -04:00
;;
2009-02-18 17:36:07 +05:30
darwin*)
GF_HOST_OS="GF_DARWIN_HOST_OS"
2013-06-17 13:44:10 -04:00
LIBTOOL=glibtool
2014-07-01 19:03:52 -07:00
GF_CFLAGS="${GF_COMPILER_FLAGS} ${ARGP_STANDALONE_CPPFLAGS} "
GF_CFLAGS="${GF_CFLAGS} -D_REENTRANT -D_XOPEN_SOURCE "
GF_CFLAGS="${GF_CFLAGS} -D_DARWIN_USE_64_BIT_INODE "
2013-06-17 13:44:10 -04:00
GF_CFLAGS="${GF_CFLAGS} -DTHREAD_UNSAFE_BASENAME"
GF_CFLAGS="${GF_CFLAGS} -DTHREAD_UNSAFE_DIRNAME"
GF_LDADD="${ARGP_STANDALONE_LDADD}"
2014-04-17 15:54:34 -07:00
GF_LDFLAGS=""
2013-06-17 13:44:10 -04:00
GF_FUSE_CFLAGS="-I\$(CONTRIBDIR)/macfuse"
2014-04-17 15:54:34 -07:00
BUILD_FUSERMOUNT="no"
FUSERMOUNT_SUBDIR=""
2014-06-29 18:56:44 -07:00
GLUSTERD_WORKDIR="${LOCALSTATEDIR}/db/glusterd"
2013-06-17 13:44:10 -04:00
;;
2009-02-18 17:36:07 +05:30
esac
api: versioned symbols in libgfapi.so for compatibility
Use versioned symbols to keep libgfapi at libgfapi.so.0.0.0
Revisited to address broken build on Mac OS X
See http://review.gluster.org/9036
Rebased to include http://review.gluster.org/#/c/9376/ (glfs_resolve())
but note that gerrit's "Rebase Change" couldn't do it.
N.B. noticed that glfs_get_volumeid() decl in glfs.h was missing
the __THROW, added it.
On systems using ELF and the GNU toolchain, symbol versions are created
with a .symver asm operand in the .c source file. Clang is claimed to
be compatible with gcc, so we'll pretend for now that this also works
with clang.
On Mac OS X, aliases are created with __asm "magic" in the .h header
file. In the normal case, when both the decl and defn match, that's
all that's needed. In our case though the decl and defn don't match ---
we have, e.g. a defn such as 'int glfs_foo(...)' and the corresponding
decl is 'int pub_glfs_foo(...)'. To make this work we create the necessary
aliases in the library at link time with the -alias_list link option.
Note that this results in there being pairs of symbols in the .dylib,
e.g. _pub_glfs_foo and _glfs_foo$GFAPI_3.4.0. We could use another
link option, -unexported_symbols_list to elide the _pub_glfs_* symbols.
(And we probably should.)
Linux symbol versioning was essentially copied from Solaris; in general
I would expect this to "just work" on Solaris, but until someone tries
we don't really know.
Change-Id: Icb96a3c2d80be7b6d7a6849bb9168f03a947f47c
BUG: 1160709
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Reviewed-on: http://review.gluster.org/9143
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Shyamsundar Ranganathan <srangana@redhat.com>
2014-11-18 11:08:16 -05:00
case $host_os in
darwin*)
GFAPI_EXTRA_LDFLAGS='-Wl,-alias_list,$(top_srcdir)/api/src/gfapi.aliases'
;;
*)
GFAPI_EXTRA_LDFLAGS='-Wl,--version-script=$(top_srcdir)/api/src/gfapi.map'
;;
esac
2014-09-21 13:57:47 +02:00
# lazy umount emulation
UMOUNTD_SUBDIR=""
if test "x${GF_HOST_OS}" != "xGF_LINUX_HOST_OS" ; then
UMOUNTD_SUBDIR="contrib/umountd"
fi
AC_SUBST(UMOUNTD_SUBDIR)
2014-04-17 15:54:34 -07:00
# enable/disable QEMU
AM_CONDITIONAL([ENABLE_QEMU_BLOCK], [test x$BUILD_QEMU_BLOCK = xyes])
2012-08-03 15:46:22 +05:30
# enable debug section
AC_ARG_ENABLE([debug],
AC_HELP_STRING([--enable-debug],
[Enable debug build options.]))
2014-04-17 15:54:34 -07:00
log: enhance syslog logging using CEE format
This patch enables the use of syslog as a log target in addition to the
default. The logs are sent in CEE format (http://cee.mitre.org/).
This logging can be disabled using compile time option by
./configure --disable-syslog
(or)
rpmbuild glusterfs.tar.gz --without syslog
The framework provides two APIs
void gf_openlog (const char *ident, int option, int facility);
void gf_syslog (int error_code, int facility_priority, char *format, ...);
consumers need to call gf_openlog() prior to gf_syslog() like the way
traditional syslog function calls. error_code is mandatory when using
gf_syslog(). For example,
gf_openlog (NULL, -1, -1);
gf_syslog (GF_ERR_DEV, LOG_ERR, "error reading configuration file");
Using syslog, admin is free to configure logger to
* reduce repeated log messages
* forward logs to remote logger
* execute a command on certain log pattern
* alert people for certain log pattern by email, snmp etc
* and many more
Change-Id: Ibacbcbbc547192893fc4a46b387496b622e4811f
BUG: 928648
Signed-off-by: Bala.FA <barumuga@redhat.com>
Reviewed-on: http://review.gluster.org/4915
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2013-04-30 17:39:30 +05:30
# syslog section
AC_ARG_ENABLE([syslog],
2014-04-17 15:54:34 -07:00
AC_HELP_STRING([--disable-syslog],
[Disable syslog for logging]))
2013-04-30 17:39:30 +05:30
USE_SYSLOG="yes"
if test "x$enable_syslog" != "xno"; then
AC_DEFINE(GF_USE_SYSLOG, 1, [Use syslog for logging])
else
USE_SYSLOG="no"
fi
AM_CONDITIONAL([ENABLE_SYSLOG], [test x$USE_SYSLOG = xyes])
#end syslog section
2010-07-08 08:16:13 +00:00
BUILD_READLINE=no
AC_CHECK_LIB([readline -lcurses],[readline],[RLLIBS="-lreadline -lcurses"])
AC_CHECK_LIB([readline -ltermcap],[readline],[RLLIBS="-lreadline -ltermcap"])
AC_CHECK_LIB([readline -lncurses],[readline],[RLLIBS="-lreadline -lncurses"])
if test "x$RLLIBS" != "x"; then
2014-05-16 16:58:20 +02:00
if test "x$RL_UNDO" = "xyes"; then
2014-04-17 15:54:34 -07:00
AC_DEFINE(HAVE_READLINE, 1, [readline enabled CLI])
BUILD_READLINE=yes
else
BUILD_READLINE="no (present but missing undo)"
fi
2010-07-08 08:16:13 +00:00
fi
2011-09-30 13:29:18 +05:30
BUILD_LIBAIO=no
AC_CHECK_LIB([aio],[io_setup],[LIBAIO="-laio"])
if test "x$LIBAIO" != "x"; then
AC_DEFINE(HAVE_LIBAIO, 1, [libaio based POSIX enabled])
BUILD_LIBAIO=yes
fi
2013-05-26 21:55:23 +05:30
# glupy section
BUILD_GLUPY=no
have_python2=no
have_Python_h=no
2013-05-14 16:07:03 -04:00
AM_PATH_PYTHON()
2013-05-26 21:55:23 +05:30
if echo $PYTHON_VERSION | grep ^2; then
have_python2=yes
fi
2014-02-09 21:57:45 -05:00
# Save flags before testing python
2013-11-17 01:51:48 +01:00
saved_CFLAGS=$CFLAGS
saved_CPPFLAGS=$CPPFLAGS
saved_LDFLAGS=$LDFLAGS
2014-04-17 15:54:34 -07:00
2014-10-29 20:35:10 +01:00
CFLAGS="`${PYTHON}-config --cflags`"
CPPFLAGS=$CFLAGS
2014-11-25 10:41:53 +01:00
LDFLAGS="-L`${PYTHON}-config --prefix`/lib -L`${PYTHON}-config --prefix`/$libdir `${PYTHON}-config --ldflags`"
2014-04-17 15:54:34 -07:00
2013-05-26 21:55:23 +05:30
AC_CHECK_HEADERS([python$PYTHON_VERSION/Python.h],[have_Python_h=yes],[])
AC_ARG_ENABLE([glupy],
2013-06-17 13:44:10 -04:00
AS_HELP_STRING([--enable-glupy],
[build glupy]))
2013-05-26 21:55:23 +05:30
case x$enable_glupy in
xyes)
if test "x$have_python2" = "xyes" -a "x$have_Python_h" = "xyes"; then
2014-04-17 15:54:34 -07:00
BUILD_GLUPY=yes
2014-02-09 21:57:45 -05:00
PYTHONDEV_CFLAGS="$CFLAGS"
PYTHONDEV_CPPFLAGS="$CPPFLAGS"
PYTHONDEV_LDFLAGS="$LDFLAGS"
AC_SUBST(PYTHONDEV_CFLAGS)
AC_SUBST(PYTHONDEV_CPPFLAGS)
AC_SUBST(PYTHONDEV_LDFLAGS)
2013-05-26 21:55:23 +05:30
else
2014-04-17 15:54:34 -07:00
AC_MSG_ERROR([glupy requires python-devel/python-dev package and python2.x])
2013-05-26 21:55:23 +05:30
fi
;;
xno)
;;
*)
if test "x$have_python2" = "xyes" -a "x$have_Python_h" = "xyes"; then
2014-04-17 15:54:34 -07:00
BUILD_GLUPY=yes
2014-02-09 21:57:45 -05:00
PYTHONDEV_CFLAGS="$CFLAGS"
PYTHONDEV_CPPFLAGS="$CPPFLAGS"
PYTHONDEV_LDFLAGS="$LDFLAGS"
AC_SUBST(PYTHONDEV_CFLAGS)
AC_SUBST(PYTHONDEV_CPPFLAGS)
AC_SUBST(PYTHONDEV_LDFLAGS)
2013-05-26 21:55:23 +05:30
else
2014-04-17 15:54:34 -07:00
AC_MSG_WARN([
2013-05-26 21:55:23 +05:30
---------------------------------------------------------------------------------
cannot build glupy. python 2.x and python-devel/python-dev package are required.
---------------------------------------------------------------------------------])
fi
;;
esac
2014-02-09 21:57:45 -05:00
# Restore flags
2013-11-17 01:51:48 +01:00
CFLAGS=$saved_CFLAGS
CPPFLAGS=$saved_CPPFLAGS
LDFLAGS=$saved_LDFLAGS
2013-05-26 21:55:23 +05:30
2014-04-24 17:09:24 -07:00
case $host_os in
darwin*)
BUILD_GLUPY=no
;;
esac
2013-05-26 21:55:23 +05:30
if test "x$BUILD_GLUPY" = "xyes"; then
2014-10-29 20:35:10 +01:00
BUILD_PYTHON_SITE_PACKAGES=`$PYTHON -c 'from distutils.sysconfig import get_python_lib; print(get_python_lib())'`
2013-05-26 21:55:23 +05:30
BUILD_PYTHON_INC=`$PYTHON -c "from distutils import sysconfig; print sysconfig.get_python_inc()"`
BUILD_PYTHON_LIB=python$PYTHON_VERSION
GLUPY_SUBDIR=glupy
GLUPY_SUBDIR_MAKEFILE=xlators/features/glupy/Makefile
GLUPY_SUBDIR_SRC_MAKEFILE=xlators/features/glupy/src/Makefile
echo "building glupy with -isystem $BUILD_PYTHON_INC -l $BUILD_PYTHON_LIB"
2014-10-29 20:35:10 +01:00
AC_SUBST(BUILD_PYTHON_SITE_PACKAGES)
2013-05-26 21:55:23 +05:30
AC_SUBST(BUILD_PYTHON_INC)
AC_SUBST(BUILD_PYTHON_LIB)
AC_SUBST(GLUPY_SUBDIR)
AC_SUBST(GLUPY_SUBDIR_MAKEFILE)
AC_SUBST(GLUPY_SUBDIR_SRC_MAKEFILE)
fi
# end glupy section
2013-04-30 00:38:04 +05:30
2015-01-06 15:12:59 +05:30
dnl Check for userspace-rcu
PKG_CHECK_MODULES([URCU], [liburcu-bp])
PKG_CHECK_MODULES([URCU_CDS], [liburcu-cds >= 0.8], [],
[PKG_CHECK_MODULES([URCU_CDS], [liburcu-cds >= 0.7],
[AC_DEFINE(URCU_0_7, 1, [Define if liburcu 0.7 is found])],
[AC_MSG_ERROR([liburcu >= 0.7 required])])])
2015-02-18 14:47:01 +01:00
BUILD_UNITTEST="no"
AC_ARG_ENABLE([cmocka],
AC_HELP_STRING([--enable-cmocka],
[Enable cmocka build options.]))
if test "x$enable_cmocka" = "xyes"; then
BUILD_UNITTEST="yes"
PKG_CHECK_MODULES([UNITTEST], [cmocka], [],[
AC_CHECK_LIB([cmocka], [mock_assert], [
UNITTEST_LDFLAGS="-lcmocka -lgcov"
UNITTEST_CFLAGS="-Wall -Werror"
], [
AC_MSG_ERROR([cmocka library is required to build glusterfs])
])
])
fi
AM_CONDITIONAL([UNITTEST], [test x$BUILD_UNITTEST = xyes])
dnl Define UNIT_TESTING only for building cmocka binaries.
UNITTEST_CFLAGS="${UNITTEST_CFLAGS} -DUNIT_TESTING=1"
dnl Add cmocka for unit tests
case $host_os in
freebsd*)
dnl remove --coverage on FreeBSD due to a known llvm packaging bug
UNITTEST_CFLAGS="${UNITTEST_CPPFLAGS} ${UNITTEST_CFLAGS} -g -DDEBUG -O0"
UNITTEST_LDFLAGS="${UNITTEST_LIBS} ${UNITTEST_LDFLAGS}"
;;
*)
UNITTEST_CFLAGS="${UNITTEST_CPPFLAGS} ${UNITTEST_CFLAGS} -g -DDEBUG -O0 --coverage"
UNITTEST_LDFLAGS="${UNITTEST_LIBS} ${UNITTEST_LDFLAGS}"
;;
esac
AC_SUBST(UNITTEST_CFLAGS)
AC_SUBST(UNITTEST_LDFLAGS)
2013-11-26 12:58:31 -05:00
AC_SUBST(CFLAGS)
# end enable debug section
2009-02-18 17:36:07 +05:30
AC_SUBST(GF_HOST_OS)
AC_SUBST(GF_CFLAGS)
AC_SUBST(GF_LDFLAGS)
AC_SUBST(GF_LDADD)
2011-05-20 16:56:27 +00:00
AC_SUBST(GF_FUSE_LDADD)
2010-05-17 07:06:58 +00:00
AC_SUBST(GF_FUSE_CFLAGS)
2010-07-08 08:16:13 +00:00
AC_SUBST(RLLIBS)
2011-09-30 13:29:18 +05:30
AC_SUBST(LIBAIO)
2011-08-05 14:04:43 +05:30
AC_SUBST(AM_MAKEFLAGS)
2011-08-05 14:52:01 +05:30
AC_SUBST(AM_LIBTOOLFLAGS)
2009-02-18 17:36:07 +05:30
2009-08-11 18:26:11 -07:00
CONTRIBDIR='$(top_srcdir)/contrib'
AC_SUBST(CONTRIBDIR)
2012-10-02 10:42:01 -04:00
GF_CPPDEFINES='-D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -D$(GF_HOST_OS)'
2014-04-17 15:54:34 -07:00
GF_CPPINCLUDES='-I$(top_srcdir)/libglusterfs/src -I$(CONTRIBDIR)/uuid'
2012-10-02 10:42:01 -04:00
GF_CPPFLAGS="$GF_CPPDEFINES $GF_CPPINCLUDES"
2012-10-01 16:09:26 -04:00
AC_SUBST([GF_CPPFLAGS])
2010-09-03 13:58:11 +00:00
2014-06-21 02:00:23 -07:00
AM_CONDITIONAL([GF_LINUX_HOST_OS], test "${GF_HOST_OS}" = "GF_LINUX_HOST_OS")
Replace GPLV3 MD5 with OpenSSL MD5
Ric asked me to look at replacing the GPL licensed MD5 code with
something better, i.e. perhaps faster, and with a less restrictive
license, etc. So I took a couple hour holiday from working on
wrapping up the client_t and did this.
OpenSSL (nee SSLeay) is released under the OpenSSL license, a BSD/MIT
style license. OpenSSL (libcrypto.so) is used on Linux, OS X and *BSD,
Open Solaris, etc. IOW it's universally available on the platforms we
care about. It's written by Eric Young (eay), now at EMC/RSA, and I
can say from experience that the OpenSSL implementation of MD5 (at least)
is every bit as fast as RSA's proprietary implementation (primarily
because the implementations are very, very similar.) The last time I
surveyed MD5 implementations I found they're all pretty much the same
speed.
I changed the APIs (and ABIs) for the strong and weak checksums.
Strictly speaking I didn't need to do that. They're only called on
short strings of data, i.e. pathnames, so using int32_t and uint32_t
is ostensibly okay. My change is arguably a better, more general API
for this sort of thing. It's also what bit me when gerrit/jenkins
validation failed due to glusterfs segv-ing. (I didn't pay close enough
attention to the implementation of the weak checksum. But it forced me
to learn what gerrit/jenkins are doing and going forward I can do better
testing before submitting to gerrit.)
Now resubmitting with a BZ
Change-Id: I545fade1604e74fc68399894550229bd57a5e0df
BUG: 807718
Signed-off-by: Kaleb KEITHLEY <kkeithle@redhat.com>
Reviewed-on: http://review.gluster.com/3019
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
2012-03-27 11:14:23 -04:00
AM_CONDITIONAL([GF_DARWIN_HOST_OS], test "${GF_HOST_OS}" = "GF_DARWIN_HOST_OS")
2014-06-21 02:00:23 -07:00
AM_CONDITIONAL([GF_BSD_HOST_OS], test "${GF_HOST_OS}" = "GF_BSD_HOST_OS")
2009-02-18 17:36:07 +05:30
2014-06-29 18:56:44 -07:00
AC_SUBST(GLUSTERD_WORKDIR)
AM_CONDITIONAL([GF_INSTALL_GLUSTERD_WORKDIR], test ! -d ${GLUSTERD_WORKDIR} && test -d ${sysconfdir}/glusterd )
2015-01-06 18:20:45 +05:30
AC_SUBST(GLUSTERD_VOLFILE)
2015-02-18 19:07:23 +05:30
AC_SUBST(GLUSTERFS_LIBEXECDIR)
AC_SUBST(GLUSTERFSD_MISCDIR)
2012-05-15 22:12:53 +05:30
build: Start using library versioning for various libraries
According to libtool three individual numbers stand for
CURRENT:REVISION:AGE, or C:R:A for short. The libtool
script typically tacks these three numbers onto the end
of the name of the .so file it creates. The formula for
calculating the file numbers on Linux and Solaris is
/path/to/library/<library_name>.(C - A).(A).(R)
As you release new versions of your library, you will
update the library's C:R:A. Although the rules for changing
these version numbers can quickly become confusing, a few
simple tips should help keep you on track. The libtool
documentation goes into greater depth.
In essence, every time you make a change to the library and
release it, the C:R:A should change. A new library should start
with 0:0:0. Each time you change the public interface
(i.e., your installed header files), you should increment the
CURRENT number. This is called your interface number. The main
use of this interface number is to tag successive revisions
of your API.
The AGE number is how many consecutive versions of the API the
current implementation supports. Thus if the CURRENT library
API is the sixth published version of the interface and it is
also binary compatible with the fourth and fifth versions
(i.e., the last two), the C:R:A might be 6:0:2. When you break
binary compatibility, you need to set AGE to 0 and of course
increment CURRENT.
The REVISION marks a change in the source code of the library
that doesn't affect the interface, for example, a minor bug fix.
Anytime you increment CURRENT, you should set REVISION back to 0.
Change-Id: Id72e74c1642c804fea6f93ec109135c7c16f1810
BUG: 862082
Signed-off-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-on: http://review.gluster.org/5645
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2013-08-17 13:01:23 -07:00
dnl pkg-config versioning
2014-11-20 16:26:36 +01:00
dnl
dnl Once we released gluster-api.pc with version=4. Since then we undid the
dnl library versioning and replaced it with symbol-versioning. The current
dnl libgfapi.so has version 0, but the symbols have the version from the main
dnl package at the time they were added.
dnl
dnl Because other packages (like samba) use the pkg-config version, we can not
dnl drop it, or decrease the version easily. The simplest solution is to keep
dnl the version=4 and add sub-digits for the actual package/symbol versions.
GFAPI_VERSION="4."${PACKAGE_VERSION}
2013-08-17 13:01:23 -07:00
LIBGFCHANGELOG_VERSION="0.0.1"
AC_SUBST(GFAPI_VERSION)
AC_SUBST(LIBGFCHANGELOG_VERSION)
2015-02-18 19:45:23 +05:30
LIBGFDB_VERSION="0.0.1"
AC_SUBST(LIBGFDB_VERSION)
2013-08-17 13:01:23 -07:00
dnl libtool versioning
LIBGFXDR_LT_VERSION="0:1:0"
LIBGFRPC_LT_VERSION="0:1:0"
LIBGLUSTERFS_LT_VERSION="0:1:0"
LIBGFCHANGELOG_LT_VERSION="0:1:0"
api: versioned symbols in libgfapi.so for compatibility
Use versioned symbols to keep libgfapi at libgfapi.so.0.0.0
Some nits uncovered:
+ there are a couple functions declared that do not have an
associated definition, e.g. glfs_truncate(), glfs_caller_specific_init()
+ there are seven private/internal functions used by heal/src/glfsheal
and the gfapi master xlator (glfs-master.c): glfs_loc_touchup(),
glfs_active_subvol(), and glfs_subvol_done(), glfs_init_done(),
glfs_resolve_at(), glfs_free_from_ctx(), and glfs_new_from_ctx();
which are not declared in glfs.h;
+ for this initial pass at versioned symbols, we use the earliest version
of all public symbols, i.e. those for which there are declarations in
glfs.h or glfs-handles.h.
Further investigation as we do backports to 3.6, 3.4, and 3.4
will be required to determine if older implementations need to
be preserved (forward ported) and their associated alias(es) and
symbol version(s) defined.
FWIW, we should consider linking all of our libraries with a map, it'll
result in a cleaner ABI. Perhaps something for an intern to do or a
Google Summer of Code project.
Change-Id: I499456807a5cd26acb39843216ece4276f8e9b84
BUG: 1160709
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Reviewed-on: http://review.gluster.org/9036
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Tested-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2014-11-03 16:07:30 -05:00
GFAPI_LT_VERSION="0:0:0"
build: Start using library versioning for various libraries
According to libtool three individual numbers stand for
CURRENT:REVISION:AGE, or C:R:A for short. The libtool
script typically tacks these three numbers onto the end
of the name of the .so file it creates. The formula for
calculating the file numbers on Linux and Solaris is
/path/to/library/<library_name>.(C - A).(A).(R)
As you release new versions of your library, you will
update the library's C:R:A. Although the rules for changing
these version numbers can quickly become confusing, a few
simple tips should help keep you on track. The libtool
documentation goes into greater depth.
In essence, every time you make a change to the library and
release it, the C:R:A should change. A new library should start
with 0:0:0. Each time you change the public interface
(i.e., your installed header files), you should increment the
CURRENT number. This is called your interface number. The main
use of this interface number is to tag successive revisions
of your API.
The AGE number is how many consecutive versions of the API the
current implementation supports. Thus if the CURRENT library
API is the sixth published version of the interface and it is
also binary compatible with the fourth and fifth versions
(i.e., the last two), the C:R:A might be 6:0:2. When you break
binary compatibility, you need to set AGE to 0 and of course
increment CURRENT.
The REVISION marks a change in the source code of the library
that doesn't affect the interface, for example, a minor bug fix.
Anytime you increment CURRENT, you should set REVISION back to 0.
Change-Id: Id72e74c1642c804fea6f93ec109135c7c16f1810
BUG: 862082
Signed-off-by: Harshavardhana <harsha@harshavardhana.net>
Reviewed-on: http://review.gluster.org/5645
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2013-08-17 13:01:23 -07:00
AC_SUBST(LIBGFXDR_LT_VERSION)
AC_SUBST(LIBGFRPC_LT_VERSION)
AC_SUBST(LIBGLUSTERFS_LT_VERSION)
AC_SUBST(LIBGFCHANGELOG_LT_VERSION)
AC_SUBST(GFAPI_LT_VERSION)
api: versioned symbols in libgfapi.so for compatibility
Use versioned symbols to keep libgfapi at libgfapi.so.0.0.0
Revisited to address broken build on Mac OS X
See http://review.gluster.org/9036
Rebased to include http://review.gluster.org/#/c/9376/ (glfs_resolve())
but note that gerrit's "Rebase Change" couldn't do it.
N.B. noticed that glfs_get_volumeid() decl in glfs.h was missing
the __THROW, added it.
On systems using ELF and the GNU toolchain, symbol versions are created
with a .symver asm operand in the .c source file. Clang is claimed to
be compatible with gcc, so we'll pretend for now that this also works
with clang.
On Mac OS X, aliases are created with __asm "magic" in the .h header
file. In the normal case, when both the decl and defn match, that's
all that's needed. In our case though the decl and defn don't match ---
we have, e.g. a defn such as 'int glfs_foo(...)' and the corresponding
decl is 'int pub_glfs_foo(...)'. To make this work we create the necessary
aliases in the library at link time with the -alias_list link option.
Note that this results in there being pairs of symbols in the .dylib,
e.g. _pub_glfs_foo and _glfs_foo$GFAPI_3.4.0. We could use another
link option, -unexported_symbols_list to elide the _pub_glfs_* symbols.
(And we probably should.)
Linux symbol versioning was essentially copied from Solaris; in general
I would expect this to "just work" on Solaris, but until someone tries
we don't really know.
Change-Id: Icb96a3c2d80be7b6d7a6849bb9168f03a947f47c
BUG: 1160709
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
Reviewed-on: http://review.gluster.org/9143
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Reviewed-by: Shyamsundar Ranganathan <srangana@redhat.com>
2014-11-18 11:08:16 -05:00
AC_SUBST(GFAPI_EXTRA_LDFLAGS)
2015-02-10 19:13:35 +01:00
GFAPI_LIBS="${ACL_LIBS}"
AC_SUBST(GFAPI_LIBS)
2014-06-29 18:56:44 -07:00
dnl this change necessary for run-tests.sh
AC_CONFIG_FILES([tests/env.rc],[ln -s ${ac_abs_builddir}/env.rc ${ac_abs_srcdir}/env.rc 2>/dev/null])
2009-02-18 17:36:07 +05:30
AC_OUTPUT
echo
echo "GlusterFS configure summary"
echo "==========================="
2012-11-29 21:46:05 +05:30
echo "FUSE client : $BUILD_FUSE_CLIENT"
echo "Infiniband verbs : $BUILD_IBVERBS"
echo "epoll IO multiplex : $BUILD_EPOLL"
echo "argp-standalone : $BUILD_ARGP_STANDALONE"
echo "fusermount : $BUILD_FUSERMOUNT"
echo "readline : $BUILD_READLINE"
echo "georeplication : $BUILD_SYNCDAEMON"
echo "Linux-AIO : $BUILD_LIBAIO"
2013-05-13 15:03:22 -04:00
echo "Enable Debug : $BUILD_DEBUG"
2015-02-03 05:30:50 -05:00
## echo "systemtap : $BUILD_SYSTEMTAP"
2013-11-13 22:44:42 +05:30
echo "Block Device xlator : $BUILD_BD_XLATOR"
2013-05-26 21:55:23 +05:30
echo "glupy : $BUILD_GLUPY"
log: enhance syslog logging using CEE format
This patch enables to use syslog as log target in addition to the
default. The logs are sent in CEE format (http://cee.mitre.org/).
This logging can be disabled using compile time option by
./configure --disable-syslog
(or)
rpmbuild glusterfs.tar.gz --without syslog
The framework provides two api
void gf_openlog (const char *ident, int option, int facility);
void gf_syslog (int error_code, int facility_priority, char *format, ...);
consumers need to call gf_openlog() prior to gf_syslog() like the way
traditional syslog function calls. error_code is mandatory when using
gf_syslog(). For example,
gf_openlog (NULL, -1, -1);
gf_syslog (GF_ERR_DEV, LOG_ERR, "error reading configuration file");
Using syslog, admin is free to configure logger to
* reduce repeated log messages
* forward logs to remote logger
* execute a command on certain log pattern
* alert people for certain log pattern by email, snmp etc
* and many more
Change-Id: Ibacbcbbc547192893fc4a46b387496b622e4811f
BUG: 928648
Signed-off-by: Bala.FA <barumuga@redhat.com>
Reviewed-on: http://review.gluster.org/4915
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
2013-04-30 17:39:30 +05:30
echo "Use syslog : $USE_SYSLOG"
2013-04-08 16:49:34 +05:30
echo "XML output : $BUILD_XML_OUTPUT"
2013-03-05 14:48:28 -08:00
echo "QEMU Block formats : $BUILD_QEMU_BLOCK"
Transparent data encryption and metadata authentication
.. in the systems with non-trusted server
This new functionality can be useful in various cloud technologies.
It is implemented via a special encryption/crypt translator, which
works on the client side and performs encryption and authentication;
1. Class of supported algorithms
The crypt translator can support any atomic symmetric block cipher
algorithms (which require to pad plain/cipher text before performing
encryption/decryption transform; see glossary in atom.c for
definitions). In particular, it can support algorithms with the EOF
issue (which require to pad the end of file by extra-data).
Crypt translator performs translations
user -> (offset, size) -> (aligned-offset, padded-size) ->server
(and backward), and resolves individual FOPs (write(), truncate(),
etc) to read-modify-write sequences.
A volume can contain files encrypted by different algorithms of the
mentioned class. To change some option value just reconfigure the
volume.
Currently only one algorithm is supported: AES_XTS.
Example of algorithms, which can not be supported by the crypt
translator:
1. Asymmetric block cipher algorithms, which inflate data, e.g. RSA;
2. Symmetric block cipher algorithms with inline MACs for data
authentication.
2. Implementation notes.
a) Atomic algorithms
Since any process in a stackable file system manipulates with local
data (which can be obsoleted by local data of another process), any
atomic cipher algorithm without proper support can lead to non-POSIX
behavior. To resolve the "collisions" we introduce locks: before
performing FOP->read(), FOP->write(), etc. the process should first
lock the file.
b) Algorithms with EOF issue
Such algorithms require to pad the end of file with some extra-data.
Without proper support this will result in losing information about
real file size. Keeping a track of real file size is a responsibility
of the crypt translator. A special extended attribute with the name
"trusted.glusterfs.crypt.att.size" is used for this purpose. All files
contained in bricks of encrypted volume do have "padded" sizes.
3. Non-trusted servers and Metadata authentication
We assume that the server where the user's data is stored is non-trusted.
It means that the server can be subjected to various attacks directed
to reveal user's encrypted personal data. We provide protection
against such attacks.
Every encrypted file has specific private attributes (cipher algorithm
id, atom size, etc), which are packed to a string (so-called "format
string") and stored as a special extended attribute with the name
"trusted.glusterfs.crypt.att.cfmt". We protect the string from
tampering. This protection is mandatory, hardcoded and is always on.
Without such protection various attacks (based on extending the scope
of per-file secret keys) are possible.
Our authentication method has been developed in tight collaboration
with Red Hat security team and is implemented as "metadata loader of
version 1" (see file metadata.c). This method is NIST-compliant and is
based on checking 8-byte per-hardlink MACs created (updated) by
FOP->create(), FOP->link(), FOP->unlink(), FOP->rename() by the
following unique entities:
. file (hardlink) name;
. verified file's object id (gfid).
Every time, before manipulating with a file, we check its MACs at
FOP->open() time. Some FOPs don't require a file to be opened (e.g.
FOP->truncate()). In such cases the crypt translator opens the file
mandatory.
4. Generating keys
Unique per-file keys are derived by NIST-compliant methods from the
a) parent key;
b) unique verified object-id of the file (gfid);
Per-volume master key, provided by user at mount time is in the root
of this "tree of keys".
Those keys are used to:
1) encrypt/decrypt file data;
2) encrypt/decrypt file metadata;
3) create per-file and per-link MACs for metadata authentication.
5. Instructions
Getting started with crypt translator
Example:
1) Create a volume "myvol" and enable encryption:
# gluster volume create myvol pepelac:/vols/xvol
# gluster volume set myvol encryption on
2) Set location (absolute pathname) of your master key:
# gluster volume set myvol encryption.master-key /home/me/mykey
3) Set other options to override default options, if needed.
Start the volume.
4) On the client side make sure that the file /home/me/mykey exists
and contains proper per-volume master key (that is 256-bit AES
key). This key has to be in hex form, i.e. should be represented
by 64 symbols from the set {'0', ..., '9', 'a', ..., 'f'}.
The key should start at the beginning of the file. All symbols at
offsets >= 64 are ignored.
5) Mount the volume "myvol" on the client side:
# glusterfs --volfile-server=pepelac --volfile-id=myvol /mnt
After successful mount the file which contains master key may be
removed. NOTE: Keeping the master key between mount sessions is in
user's competence.
**********************************************************************
WARNING! Losing the master key will make content of all regular files
inaccessible. Mount with improper master key allows to access content
of directories: file names are not encrypted.
**********************************************************************
6. Options of crypt translator
1) "master-key": specifies location (absolute pathname) of the file
which contains per-volume master key. There is no default location
for master key.
2) "data-key-size": specifies size of per-file key for data encryption
Possible values:
. "256" default value
. "512"
3) "block-size": specifies atom size. Possible values:
. "512"
. "1024"
. "2048"
. "4096" default value;
7. Test cases
Any workload, which involves the following file operations:
->create();
->open();
->readv();
->writev();
->truncate();
->ftruncate();
->link();
->unlink();
->rename();
->readdirp().
8. TODOs:
1) Currently size of IOs issued by crypt translator is restricted
by block_size (4K by default). We can use larger IOs to improve
performance.
Change-Id: I2601fe95c5c4dc5b22308a53d0cbdc071d5e5cee
BUG: 1030058
Signed-off-by: Edward Shishkin <edward@redhat.com>
Signed-off-by: Anand Avati <avati@redhat.com>
Reviewed-on: http://review.gluster.org/4667
Tested-by: Gluster Build System <jenkins@build.gluster.com>
2013-03-13 21:56:46 +01:00
echo "Encryption xlator : $BUILD_CRYPT_XLATOR"
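The master-key file format given in step 4 of the crypt translator instructions above (64 lowercase hex symbols at the start of the file, anything from offset 64 onward ignored) can be checked on the client before mounting. This is an added example, not part of the GlusterFS sources or of the commit message; the function names are hypothetical, and the owner-only permission check is an added precaution that the commit message does not require.

```shell
#!/bin/sh
# Added example (not GlusterFS code). Function names are hypothetical.

# Write a fresh 256-bit key as 64 lowercase hex symbols, owner-only (0600).
gen_master_key() {
    ( umask 077
      od -An -N32 -tx1 /dev/urandom | tr -d ' \n' > "$1" )
}

# Succeed only if the first 64 bytes are all in {0..9, a..f}.
# Bytes at offsets >= 64 are ignored by the translator, so a trailing
# newline after the key is accepted; a short or uppercase key is not.
check_master_key() {
    [ -f "$1" ] || { echo "no such key file: $1" >&2; return 1; }
    key=$(head -c 64 "$1")
    [ "${#key}" -eq 64 ] || { echo "fewer than 64 key symbols" >&2; return 1; }
    case "$key" in
        *[!0123456789abcdef]*)
            echo "symbol outside 0-9a-f in key" >&2; return 1 ;;
    esac
    return 0
}

# Succeed only if neither group nor others can read the key file.
key_file_is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}
```

Run `check_master_key /home/me/mykey` and `key_file_is_private /home/me/mykey` on the client before the `glusterfs --volfile-server=...` mount command.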
2015-02-18 14:47:01 +01:00
echo "Unit Tests : $BUILD_UNITTEST"
2015-02-10 19:13:35 +01:00
echo "POSIX ACLs : $USE_POSIX_ACLS"
2015-02-18 19:45:23 +05:30
echo "Data Classification : $BUILD_GFDB"
2009-02-18 17:36:07 +05:30
echo