How to Deploy GFS2 on Encrypted Volumes in a Clustered Multipath Storage Environment

Learn how to securely deploy GFS2 on encrypted volumes over multipath storage in a high-availability Linux cluster. Includes CLI examples, automation tips, and best practices.

Introduction

In modern enterprise IT environments, the need for secure, resilient, and high-availability storage systems is more critical than ever. Combining GFS2, multipath storage, and LUKS encryption provides a powerful solution that enables shared, encrypted block storage access across multiple Linux nodes. This blog post guides you step-by-step through the setup process and best practices for deploying GFS2 on encrypted volumes in a clustered multipath environment.


🔍 What is GFS2 and Why Use It?

GFS2 (Global File System 2) is a clustered file system developed by Red Hat. It allows multiple nodes in a cluster to simultaneously access and write to the same file system on a shared block device.

💡 Why Use GFS2?

  • Enables HA shared storage
  • Ensures consistency across nodes
  • Built-in locking mechanism (DLM)
  • Kernel-integrated
  • Works with Pacemaker/Corosync for cluster control

🧱 Architecture Overview

Below is a diagram representing the architecture of GFS2 with encrypted volumes and multipath:

[Diagram: GFS2 with Encrypted Volumes (image by admingeek, Infotechys)]


✅ Prerequisites and Planning

Requirement        Description
-----------        -----------
OS                 RHEL, CentOS, Rocky Linux 8/9
Packages           pcs, gfs2-utils, lvm2-lockd, dlm, cryptsetup, fence-agents-all
Shared storage     SAN LUN visible via multipath
Cluster software   Pacemaker, Corosync
Security           LUKS encryption for block devices
Fencing            Essential for GFS2 integrity

🛠️ GFS2 Encrypted Volumes: Step-by-Step Configuration

Install Required Packages on All Nodes

Become the root user, and execute the following command:

    # RHEL/Rocky 8 and 9: gfs2-utils comes from the ResilientStorage repository, and
    # lvmlockd (package lvm2-lockd) replaces the RHEL 7-era clvmd/lvm2-cluster
    dnf install -y pcs gfs2-utils lvm2-lockd dlm cryptsetup fence-agents-all

Start pcsd and enable autostart upon reboot:

    systemctl enable --now pcsd

Authenticate Cluster Nodes

    # set the same hacluster password on every node; replace MySecret with a real secret
    echo MySecret | passwd --stdin hacluster
    pcs host auth node1 node2 -u hacluster -p MySecret

Create and Start the Cluster

    # pcs 0.10+ (RHEL 8/9) syntax: the cluster name is the first argument, no --name flag
    pcs cluster setup gfs2cluster node1 node2
    pcs cluster start --all
    pcs cluster enable --all

Enable Cluster Services and Fencing

    # keep STONITH on and configure a real fence device with "pcs stonith create"
    # before starting any GFS2 resource; freeze I/O instead of stopping when quorum is lost
    pcs property set stonith-enabled=true
    pcs property set no-quorum-policy=freeze
    # on every node, set use_lvmlockd = 1 in the global {} section of /etc/lvm/lvm.conf
    pcs resource create dlm --group locking ocf:pacemaker:controld op monitor interval=30s on-fail=fence
    pcs resource create lvmlockd --group locking ocf:heartbeat:lvmlockd op monitor interval=30s on-fail=fence
    pcs resource clone locking interleave=true

Encrypt the Shared Multipath Device

On one node only:

    # destroys all existing data on the LUN and prompts for a new passphrase
    cryptsetup luksFormat /dev/mapper/mpatha
    # every node that will mount the file system opens the LUN under the same mapper name
    cryptsetup open /dev/mapper/mpatha crypt_gfs2

Create LVM on Encrypted Device

    pvcreate /dev/mapper/crypt_gfs2
    # --shared creates a VG whose metadata is protected by lvmlockd/DLM
    vgcreate --shared vg_gfs2 /dev/mapper/crypt_gfs2
    # on every other node, start the lock space first: vgchange --lockstart vg_gfs2
    lvcreate --activate sy -L 20G -n lv_gfs2 vg_gfs2

Format with GFS2

    # -t is clustername:fsname (fsname up to 16 characters); -j is one journal per mounting node
    mkfs.gfs2 -p lock_dlm -t gfs2cluster:mygfs2fs -j 2 /dev/vg_gfs2/lv_gfs2

Mount on All Nodes

    mkdir -p /gfs2
    echo "/dev/vg_gfs2/lv_gfs2 /gfs2 gfs2 _netdev 0 0" >> /etc/fstab
    # succeeds only once dlm and lvmlockd are running and lv_gfs2 is active on this node
    mount -a

🧰 Multipath Setup and Best Practices

View Active Multipath Devices

    multipath -ll

Recommended /etc/lvm/lvm.conf Filter

    devices {
        # first matching pattern wins: accept the multipath mapper and the LUKS mapper
        # that carries the PV, reject the raw /dev/sd* paths and everything else
        filter = [ "a|/dev/mapper/mpath.*|", "a|/dev/mapper/crypt_.*|", "r|/dev/sd.*|", "r|.*|" ]
        multipath_component_detection = 1
    }

This keeps LVM off the raw /dev/sd* paths that make up each multipath device and lets it scan only the multipath mappers and the LUKS mapper. Without the crypt_ entry the physical volume on /dev/mapper/crypt_gfs2 would be rejected by the final catch-all rule and vg_gfs2 would never be found. Apply the same lvm.conf on every node.
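To see why the filter has to admit the LUKS mapper, here is an added example (not from the original post) that emulates LVM's first-match filter evaluation and applies both the post's original filter and a corrected one to the three device paths in this setup; the matching logic is an illustration, not LVM's own code.

```sh
#!/bin/sh
# Emulates LVM's devices/filter evaluation (illustration, not LVM's own code):
# patterns are tried in order and the first regex matching the device path
# decides, "a" = accept, "r" = reject; a path matching nothing is accepted.
lvm_filter_decision() {
    dev=$1; shift
    for pat in "$@"; do
        kind=$(printf '%s\n' "$pat" | cut -c1)                 # "a" or "r"
        re=$(printf '%s\n' "$pat" | cut -c3- | sed 's/.$//')   # strip "a|" and trailing "|"
        if printf '%s\n' "$dev" | grep -Eq -- "$re"; then
            case $kind in
                a) echo accept; return 0 ;;
                r) echo reject; return 0 ;;
            esac
        fi
    done
    echo accept
}

# Filter exactly as it appears in the post: the LUKS mapper matches no accept
# rule and falls through to the final r|.*| catch-all.
original_filter() {
    lvm_filter_decision "$1" 'a|/dev/mapper/mpath.*|' 'r|/dev/sd.*|' 'r|.*|'
}

# Corrected filter: also admit the crypt_* mapper that actually carries the PV.
corrected_filter() {
    lvm_filter_decision "$1" 'a|/dev/mapper/mpath.*|' 'a|/dev/mapper/crypt_.*|' \
                             'r|/dev/sd.*|' 'r|.*|'
}

for dev in /dev/sda /dev/mapper/mpatha /dev/mapper/crypt_gfs2; do
    printf '%-24s original=%-7s corrected=%s\n' \
        "$dev" "$(original_filter "$dev")" "$(corrected_filter "$dev")"
done
```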


🔐 Managing Encrypted Volumes Across Cluster Nodes

Because the LUKS header lives on the shared LUN, every node opens the same encrypted device, manually or automatically, under the same mapper name before LVM activation and the GFS2 mount can happen on that node.

Manual Unlock

    # run on every node before its GFS2 mount
    cryptsetup open /dev/mapper/mpatha crypt_gfs2

🤖 Automating Volume Unlocking

Use /etc/crypttab on all nodes:

    crypt_gfs2 /dev/mapper/mpatha none luks

With none in the key field, systemd prompts for the passphrase on each node's console at every boot, so this entry alone does not give unattended recovery after a fence. For unattended boot, point the third field at a key file that is present on every node, readable only by root, and enrolled in the LUKS header with cryptsetup luksAddKey, or bind the volume with Clevis + Tang or an enterprise key escrow system.
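The following is an added example, not part of the original post, that classifies crypttab entries by how they unlock at boot and flags the ones that would stall a headless node with a passphrase prompt; the sample crypttab text and the key file path /etc/luks/gfs2.key are constructed for the illustration.

```sh
#!/bin/sh
# Classifies each crypttab entry by how it gets unlocked at boot (illustration,
# not a systemd tool). A key field of "none" or "-" means a console passphrase
# prompt, which stalls the boot of a headless cluster node, so the GFS2 mount
# that depends on the device never happens unattended.
crypttab_unlock_mode() {
    printf '%s\n' "$1" | while read -r name dev key opts; do
        case $name in ''|\#*) continue ;; esac          # skip blank and comment lines
        key=${key:-none}
        if [ "$key" = none ] || [ "$key" = - ]; then
            mode=interactive
        else
            mode="keyfile:$key"
        fi
        # _netdev defers unlocking until the network is up (e.g. iSCSI-backed LUNs)
        case ",$opts," in *,_netdev,*) mode="$mode,netdev" ;; esac
        printf '%s %s\n' "$name" "$mode"
    done
}

# Succeeds only if no entry needs a console passphrase.
crypttab_unattended_ok() {
    ! crypttab_unlock_mode "$1" | grep -q ' interactive'
}

# Constructed sample: the post's own entry plus a key-file entry on an iSCSI LUN.
SAMPLE_CRYPTTAB='# constructed example, not a real /etc/crypttab
crypt_gfs2 /dev/mapper/mpatha none luks
crypt_gfs2_iscsi /dev/mapper/mpathb /etc/luks/gfs2.key luks,_netdev'

crypttab_unlock_mode "$SAMPLE_CRYPTTAB"
if crypttab_unattended_ok "$SAMPLE_CRYPTTAB"; then
    echo "all entries unlock unattended"
else
    echo "at least one entry will prompt for a passphrase at boot"
fi
```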


⚠️ What Happens When a Node Fails?

Scenario              Outcome
--------              -------
Node crashes          Pacemaker detects the failure
Fencing is triggered  Node is forcibly rebooted or powered off
Surviving nodes       Continue I/O normally once fencing succeeds
No fencing            I/O to GFS2 freezes on all nodes to prevent corruption

Check Node Status

    pcs status
    dmesg | grep gfs2

📊 Key Configuration Summary

Layer        Device/Command            Notes
-----        --------------            -----
Physical     /dev/mapper/mpatha        Multipath LUN
Encrypted    /dev/mapper/crypt_gfs2    LUKS device
LVM          vg_gfs2, lv_gfs2          Shared VG across nodes
Filesystem   GFS2                      Cluster-aware FS
Cluster      Pacemaker + DLM           Handles quorum and locking

🧠 FAQs

Q1: Can I use XFS or ext4 with shared encrypted LUNs?

❌ No — they’re not cluster-aware. Use GFS2 or OCFS2 only.

Q2: Can two nodes mount the same encrypted volume?

✅ Yes, but only after every node has opened the LUKS device under the same mapper name.

Q3: Is fencing mandatory?

✅ Yes. GFS2 requires fencing for safety against split-brain and data corruption.


🏁 Conclusion

Deploying GFS2 on encrypted multipath volumes provides a robust, secure, and high-availability shared storage setup suitable for critical workloads. However, it’s crucial to:

  • Properly configure multipath and LVM filters
  • Ensure encryption is transparent to GFS2
  • Implement and test fencing
  • Automate decryption securely (e.g., via Clevis)
