The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.
How to deploy TLS certificates for Aerospike in ramfs/tmpfs
Context
When using certificate manager software, it may be required to deploy certificates from the manager to Aerospike without storing them on the node hard drives. Storing certificates in this way may be necessary when security protocols disallow storage of certificates on permanent storage. This can be achieved using the Linux ramfs/tmpfs functionality, which creates a temporary, RAM-based disk in which the certificate can be stored prior to Aerospike starting. The certificate is removed, together with the ramfs/tmpfs drive, when the machine is either rebooted or powered off.
Method
Using systemd
Create the following systemd file in order to ensure the script responsible for certificate copying runs before Aerospike:
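$ cat <<'EOF' > /etc/systemd/system/certificates.service
[Unit]
Description=Copy Certificates to tmpfs
After=network.target
# Order this unit ahead of Aerospike so the certificates exist when it starts
Before=aerospike.service
[Service]
Type=oneshot
# Keep the unit active after the script exits so it is not re-run on every Aerospike restart
RemainAfterExit=yes
ExecStart=/usr/local/bin/certs.sh
[Install]
WantedBy=multi-user.target
# RequiredBy belongs in [Install]: enabling this unit makes aerospike.service require it
RequiredBy=aerospike.service
EOF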
Enable the systemd script:
$ chmod 644 /etc/systemd/system/certificates.service
$ systemctl enable certificates.service
Now create the certs.sh file, which will do the actual work. The SizeOfMount may be adjusted for the requirements of the particular system in question:
$ cat <<'EOF' > /usr/local/bin/certs.sh
#!/bin/bash
SizeOfMount="100m"
# -p: do not fail if the mount point already exists
mkdir -p /mnt/certs
mount -t tmpfs -o size=${SizeOfMount} certs /mnt/certs
### put the code handling for the certificate manager here
### the code should store certificates in /mnt/certs created in the previous step
EOF
Make the script executable:
$ chmod 755 /usr/local/bin/certs.sh
When configuring Aerospike for TLS, use the certificates from the /mnt/certs path as created previously.
Using sysvinit
Create the following startup script in /etc/init.d/ with an ordering that allows it to run before Aerospike starts:
$ cat <<'EOF' > /etc/init.d/certificates
#!/bin/bash
### BEGIN INIT INFO
# Provides: certificates
# Required-Start: $local_fs
# Required-Stop:
# X-Start-Before: aerospike
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Mount certificates for Aerospike
# Description: Mount certificate storage for Aerospike
### END INIT INFO
case "$1" in
  start)
    SizeOfMount="100m"
    # -p: do not fail if the mount point already exists
    mkdir -p /mnt/certs
    mount -t tmpfs -o size=${SizeOfMount} certs /mnt/certs
    ### put the code handling for your certificate manager here
    ### the code should store certificates in /mnt/certs we just created
    unset SizeOfMount
    ;;
esac
EOF
Make the file executable:
$ chmod +x /etc/init.d/certificates
Enable the startup script:
# on Debian/Ubuntu
$ update-rc.d certificates defaults
# on RHEL/CentOS
$ chkconfig --add certificates
It is important to check that the correct startup order has been preserved. For this, check that the links in /etc/rc*.d named SXXcertificates have an XX number lower than the SXXaerospike ones. This means that the certificates script will start before Aerospike. If this is not the case, adjust manually as necessary (or using the relevant chkconfig/update-rc.d).
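Both the systemd and sysvinit scripts leave the certificate manager step as a placeholder. The helpers below are an added example, not Aerospike's own code, of a guard that step could use: it refuses to write key material anywhere that is not tmpfs/ramfs and creates the files with mode 0600. The function names and the MOUNTS_FILE override are assumptions made for this example.

```bash
#!/bin/bash
# Added example: guard for the certificate-manager step in certs.sh.
# Function names and the MOUNTS_FILE override are assumptions of this example.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Print the filesystem type backing a path: the longest mount point that is a
# prefix of the path wins; on equal length the later entry (an overmount) wins.
fs_type_of() {
    local target="$1" dev mnt fstype rest best="" best_type=""
    while read -r dev mnt fstype rest; do
        case "$target/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best="$mnt"; best_type="$fstype"
                fi ;;
        esac
    done < "$MOUNTS_FILE"
    printf '%s\n' "$best_type"
}

# Succeed only when the path sits on a RAM-backed filesystem.
is_ram_backed() {
    case "$(fs_type_of "$1")" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Write stdin to DEST (mode 0600), refusing any destination that is on disk.
# Usage: <certificate manager fetch command> | install_secret /mnt/certs/key.pem
install_secret() {
    local dest="$1" dir tmp
    dir="$(dirname "$dest")"
    if ! is_ram_backed "$dir"; then
        echo "refusing to write $dest: $dir is not tmpfs/ramfs" >&2
        return 1
    fi
    # mktemp creates the file 0600; mv within one filesystem is atomic
    tmp="$(mktemp "$dir/.tmp.XXXXXX")" || return 1
    cat > "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}
```

If Aerospike runs as a non-root user, the installed files also need to be owned by that user.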
Notes
Do not unmount the ramfs drive after Aerospike has started. For proper functioning of certificate handling, Aerospike requires access to the certificate files at all times while it is running.
Keywords
TLS RAMFS TMPFS CERTIFICATE MANAGER
Timestamp
September 2019