[Pacemaker] authentication in the cluster

Kostiantyn Ponomarenko konstantin.ponomarenko at gmail.com
Tue Jan 27 12:20:58 EST 2015


Hi Chrissie,

I know that this setup is a crazy thing =)
First of all, I need to say - think about each two-node cluster as one box
with two nodes.

> You can't connect clusters together like that.
I know that.

> All nodes in the cluster have just 1 authkey file.
That is true. But in this example there are two clusters, each of them has
its own auth key.

> What you have there is not a ring, it's err, a linked-cross?!
Yep, I showed the wrong way of connecting two clusters.

> Why do you need to connect the two clusters together - is it for failover?
No, it is not. I really don't (and won't) connect them in that way. It is
wrong.
But, in real life those two clusters will be standing (physically, in the
same room, in the same rack) pretty close to each other.
And my concern is: if someone makes that connection by mistake, what will
happen in that situation?
What I would like to get in that situation is something which prevents
simultaneous work of two nodes in one cluster - because it will cause data
corruption.

The situation is pretty simple when there is only one "ring_addr" defined
per node.
In this case, when someone cross-links two separate clusters, it will
lead to 4 clusters, each of which is missing one node - because the two
connected nodes have different auth keys, and that is why they will not see
each other even when there is a connection.
STONITH always works in the same cluster.
So, STONITH will be rebooting the other one in the cluster.
That will prevent simultaneous access to the data.

I tried to do my best in describing the situation, the problem and the
question.
Looking forward to hearing any suggestions =)


Thank you,
Kostya