[Pacemaker] SFEX resource agent

Lars Marowsky-Bree lmb at suse.de
Sat Feb 21 15:49:51 UTC 2009


On 2009-02-20T21:07:51, Priyanka Ranjan <priyanka3rdfeb at gmail.com> wrote:

> Can we create a volume group or filesystem on this sfex device? I tried, but
> the sfex daemon failed.

No. But what you can do is to use one partition as a "lock" and make the
other resources depend on it.

> The other thing I would like to ask: I understand that the sfex daemon grants
> exclusive access to the sfex device to a node (on which sfex is running), but
> even then some malicious application from another node can still access the
> sfex device, right?
> By these malicious applications I mean some other application which does
> not belong to the cluster in any way.

It is close to impossible to protect against malicious applications from
other cluster nodes. sfex, LVM exclusive activation, and SCSI2/SCSI3
reservations likewise can be broken - they must be able to be broken, or
else the cluster could never orchestrate a fail-over.

They protect against the cluster managers doing wrong things and provide
certain help with "trivial" admin errors. If someone side-steps this
protection, there always is a way.

If you go to that level of paranoia, you need to secure the cluster
against running untrusted applications through host-based security.


Regards,
    Lars

-- 
Teamlead Kernel, SuSE Labs, Research and Development
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
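
The "one partition as a lock" layout suggested in the reply above, sketched as a crm shell configuration. This is an added example, not part of the original message or the project's own documentation; the device paths, resource names and timeout values are constructed, and it assumes the sfex, LVM and Filesystem agents from the ocf:heartbeat provider.

```crmsh
# Added example: all paths, names and timeouts below are constructed.
# /dev/sdb1 : small partition used only as the sfex lock
#             (no volume group or filesystem is created on it)
# /dev/sdb2 : data partition carrying the physical volume of vg_data
primitive sfex_lock ocf:heartbeat:sfex \
    params device="/dev/sdb1" index="1" \
           collision_timeout="1" lock_timeout="70" monitor_interval="10" \
    op monitor interval="10s" timeout="30s"
primitive vg_data ocf:heartbeat:LVM \
    params volgrpname="vg_data" exclusive="true" \
    op monitor interval="30s" timeout="30s"
primitive fs_data ocf:heartbeat:Filesystem \
    params device="/dev/vg_data/lv_data" directory="/srv/data" fstype="ext3" \
    op monitor interval="30s" timeout="40s"
# A group starts its members in the listed order on a single node and
# stops them in reverse, so the volume group and filesystem are only
# activated where the sfex lock is already held.
group g_data sfex_lock vg_data fs_data
```

The dependency is enforced by the cluster manager only: a process that opens /dev/sdb2 directly on another node is not stopped by this configuration, which is the limitation the reply describes.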




