It is highly recommended to secure the BeeGFS installation by enabling connection based
authentication. Services will not start if no
connAuthFile is configured. To run a system
without connection authentication,
connDisableAuthentication must be set to
true in all
service configuration files.
A pre-shared secret can be configured using the
connAuthFile option in the configuration files
of all BeeGFS daemons and clients.
By doing so requests are only accepted from connections that can provide the pre-shared secret.
In that option you can set the path to a file that can be of any type containing the secret.
Create a file which contains a shared secret
$ dd if=/dev/random of=/etc/beegfs/connauthfile bs=128 count=1
Ensure the file is only readable by the root user:
$ chown root:root /etc/beegfs/connauthfile $ chmod 400 /etc/beegfs/connauthfile
Copy the file to all hosts in the cluster (mgmtd, meta, storage, client, mon).
Edit all configuration files of all services you are currently using (incl. helperd/mon) on all host in the cluster and configure the
connAuthFile=/etc/beegfs/connauthfilewith the absolute path/filename to the file which contains a shared secret.
Restart the services
$ systemctl restart beegfs-mgmtd.service $ systemctl restart beegfs-meta.service $ systemctl restart beegfs-storage.service $ systemctl restart beegfs-client.service $ systemctl restart beegfs-mon.service
After all services have correctly restarted no client without the shared secret file can connect the cluster. Without the shared secret file, the management daemon will log (log level 4):
Accepted new connection from 192.168.133.7:36082 [SockFD: 32] Rejecting message from unauthenticated peer: 192.168.133.7:36082 Problem encountered during processing of a message. Disconnecting: 192.168.133.7:36082
Changing the secret in an already secured cluster¶
In order to exchange the
connauthsecret on an already configured/secured cluster,
just replace the secret file on all nodes with a new one, as described in the steps above.