Introducing Certificate Support for DAOS

Quigley, David



In the near future a series of patches will land that introduces secure communications support for all of the gRPC connections in DAOS. These channels are used for communications between the Go components in DAOS (daos_shell, daos_agent, and daos_server). By default certificates are required; however, it is easy to turn them off. The two ways of turning off certificate support are as follows:


1)      In daos.yml, daos_agent.yml, and daos_server.yml you can add the line insecure:true. This will tell all of the components not to attempt to load any certificates and will keep all of the channels insecure (plain text http/2).

2)      When starting daos_agent, daos_server, and daos_shell, pass either -i or --insecure on the command line (this is the approach taken in the various tests in DAOS).


Regardless of which method you choose, make sure all 3 components are either running with certificates or without. Mixing the components will cause the system to fail. It should notify you in the error logs that it is a TLS failure, but it might not always be obvious.


Once the patches are merged I will present on how to use the certificate support if desired for testing. There is already a script for generating a set of certificates including a Certificate Authority for the DAOS cluster. For now though it is best to either modify your configuration files or pass in the appropriate command line flags once the patches are merged.


Dave Quigley
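
A pre-flight check for the mixed-mode failure described above, as an added example that is not part of the original message or of the DAOS code base. It assumes the three configuration files sit in one directory and that the setting appears as its own line, "insecure:true" or "insecure: true"; the function names are hypothetical, and components started with -i or --insecure on the command line are not covered.

```shell
#!/bin/sh
# Added example, not DAOS project code.
# Assumption: the setting is a standalone, uncommented line in each file.

# Print "insecure" if FILE has an uncommented insecure:true line, else "secure".
daos_mode() {
    if grep -Eq '^[[:space:]]*insecure:[[:space:]]*true[[:space:]]*(#.*)?$' "$1"; then
        echo insecure
    else
        echo secure
    fi
}

# Compare the three component configs found in directory DIR.
# Returns 0 if all agree, 1 if they are mixed, 2 if a file is missing.
daos_check_consistency() {
    dir=$1
    first=""
    status=0
    for f in daos.yml daos_agent.yml daos_server.yml; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 2
        fi
        mode=$(daos_mode "$dir/$f")
        echo "$f: $mode"
        if [ -z "$first" ]; then
            first=$mode
        elif [ "$mode" != "$first" ]; then
            status=1
        fi
    done
    if [ "$status" -ne 0 ]; then
        echo "mixed certificate settings: expect TLS failures between components" >&2
    fi
    return "$status"
}
```

Run daos_check_consistency against the configuration directory before starting the components; a return value of 1 means at least one component would try TLS while another would not.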