[ClusterLabs] Security with Corosync

Nikhil Utane nikhil.subscribed at gmail.com
Thu Mar 17 07:44:06 UTC 2016


Honza,

Actually this is only for a PoC (Proof of Concept) setup.
Next step is to move it to a different platform where we are
cross-compiling from the sources. I'd like the PoC setup to have the same
version as the final one.

Thanks.

On Thu, Mar 17, 2016 at 1:07 PM, Jan Friesse <jfriesse at redhat.com> wrote:

> Nikhil Utane napsal(a):
>
>> [root at node3 corosync]# corosync -v
>> Corosync Cluster Engine, version '1.4.7'
>> Copyright (c) 2006-2009 Red Hat, Inc.
>>
>> So it is 1.x :(
>> When I begun I was following multiple tutorials and ended up installing
>> multiple packages. Let me try moving to corosync 2.0.
>> I suppose it should be as easy as doing yum install.
>>
>
> It depends on what distribution you are using (for example RHEL/CentOS has
> only 1.x + cman in 6.x and 2.x in 7.x). But the main question is, why do you
> want to upgrade? 1.x is fully supported and if it works for you there is no
> reason to upgrade to 2.x. It's best to stay with whatever your distro ships.
>
> Honza
>
>
>
>
>> On Wed, Mar 16, 2016 at 10:29 PM, Jan Friesse <jfriesse at redhat.com>
>> wrote:
>>
>>> Nikhil Utane napsal(a):
>>>
>>>> Honza,
>>>>
>>>> In my CIB I see the infrastructure being set to cman. pcs status is
>>>> reporting the same.
>>>>
>>>> <nvpair id="cib-bootstrap-options-cluster-infrastructure"
>>>> name="cluster-infrastructure" value="*cman*"/>
>>>>
>>>> [root at node3 corosync]# pcs status
>>>> Cluster name: mycluster
>>>> Last updated: Wed Mar 16 16:57:46 2016
>>>> Last change: Wed Mar 16 16:56:23 2016
>>>> Stack: *cman*
>>>>
>>>> But corosync is also running fine.
>>>>
>>>> [root at node2 nikhil]# pcs status nodes corosync
>>>> Corosync Nodes:
>>>>    Online: node2 node3
>>>>    Offline: node1
>>>>
>>>> I did a cibadmin query and replace from cman to corosync, but it doesn't
>>>> change (even though the replace operation succeeds).
>>>> I read that CMAN internally uses corosync, but in corosync 2 CMAN support
>>>> is removed.
>>>> Totally confused. Please help.
>>>>
>>>>
>>> The best start is to find out what versions you are using. If you have
>>> corosync 1.x and are really using cman (which is highly probable),
>>> corosync.conf is completely ignored and cluster.conf
>>> (/etc/cluster/cluster.conf) is used instead. cluster.conf uses a cman
>>> keyfile, and if this is not provided, the encryption key is simply the
>>> cluster name. This is probably the reason why everything worked when you
>>> didn't have an authkey on one of the nodes.
>>>
>>> Honza
>>>
>>>
>>>
>>>> -Thanks
>>>> Nikhil
>>>>
>>>> On Mon, Mar 14, 2016 at 1:19 PM, Jan Friesse <jfriesse at redhat.com>
>>>> wrote:
>>>>
>>>>> Nikhil Utane napsal(a):
>>>>>
>>>>>> Follow-up question.
>>>>>>
>>>>>> I noticed that secauth was turned off in my corosync.conf file. I
>>>>>> enabled it on all 3 nodes and restarted the cluster. Everything was
>>>>>> working fine.
>>>>>> However I just noticed that I had forgotten to copy the authkey to one
>>>>>> of the nodes. It is present on 2 nodes but not the third. And I did a
>>>>>> failover and the third node took over without any issue.
>>>>>> How is the 3rd node participating in the cluster if it doesn't have
>>>>>> the authkey?
>>>>>>
>>>>>
>>>>> It's just not possible. If you had enabled secauth correctly and you
>>>>> didn't have /etc/corosync/authkey, a message like "Could not open
>>>>> /etc/corosync/authkey: No such file or directory" would show up. There
>>>>> are a few exceptions:
>>>>> - you have changed totem.keyfile to a file existing on all nodes
>>>>> - you are using totem.key; then everything works as expected (it has
>>>>> priority over the default authkey file but not over totem.keyfile)
>>>>> - you are using the COROSYNC_TOTEM_AUTHKEY_FILE env with a file existing
>>>>> on all nodes
>>>>>
>>>>> Regards,
>>>>>     Honza
>>>>>
>>>>>
>>>>>
>>>>>> On Fri, Mar 11, 2016 at 4:15 PM, Nikhil Utane <
>>>>>> nikhil.subscribed at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Perfect. Thanks for the quick response Honza.
>>>>>>>
>>>>>>> Cheers
>>>>>>> Nikhil
>>>>>>>
>>>>>>> On Fri, Mar 11, 2016 at 4:10 PM, Jan Friesse <jfriesse at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Nikhil,
>>>>>>>>
>>>>>>>> Nikhil Utane napsal(a):
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I changed some configuration and captured packets. I can see that
>>>>>>>>> the data is already garbled and not in the clear.
>>>>>>>>> So does corosync already have this built-in?
>>>>>>>>> Can somebody provide more details as to what all security features
>>>>>>>>> are incorporated?
>>>>>>>>>
>>>>>>>>
>>>>>>>> See man page corosync.conf(5) options crypto_hash, crypto_cipher
>>>>>>>> (for corosync 2.x) and potentially secauth (for corosync 1.x and 2.x).
>>>>>>>>
>>>>>>>> Basically corosync by default uses aes256 for encryption and sha1
>>>>>>>> for hmac authentication.
>>>>>>>>
>>>>>>>> Pacemaker uses corosync cpg API so as long as encryption is enabled
>>>>>>>> in the corosync.conf, messages interchanged between nodes are
>>>>>>>> encrypted.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>      Honza
>>>>>>>>
>>>>>>>>
>>>>>>>>> -Thanks
>>>>>>>>> Nikhil
>>>>>>>>>
>>>>>>>>> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane <
>>>>>>>>> nikhil.subscribed at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Does corosync provide a mechanism to secure the communication path
>>>>>>>>>> between
>>>>>>>>>> nodes of a cluster?
>>>>>>>>>> I would like all the data that gets exchanged between all nodes to
>>>>>>>>>> be
>>>>>>>>>> encrypted.
>>>>>>>>>>
>>>>>>>>>> A quick google threw up this link:
>>>>>>>>>> https://github.com/corosync/corosync/blob/master/SECURITY
>>>>>>>>>>
>>>>>>>>>> Can I make use of it with pacemaker?
>>>>>>>>>>
>>>>>>>>>> -Thanks
>>>>>>>>>> Nikhil
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list: Users at clusterlabs.org
>>>>>>>>>> http://clusterlabs.org/mailman/listinfo/users
>>>>>>>>>>
>>>>>>>>>> Project Home: http://www.clusterlabs.org
>>>>>>>>>> Getting started:
>>>>>>>>>> http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>>>>>>>>> Bugs: http://bugs.clusterlabs.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
>
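The settings Honza names in the quoted replies (secauth, crypto_cipher and crypto_hash in the totem block, and the totem.keyfile / totem.key / COROSYNC_TOTEM_AUTHKEY_FILE sources for the authkey) lend themselves to a quick per-node audit, which is exactly the check that would have caught the node that was missing its authkey. The script below is an added example written for this page; it is not from the thread, from corosync or from pacemaker. It assumes corosync 2.x config syntax with the totem block's closing brace in column 0, it treats an explicit crypto_cipher/crypto_hash as overriding secauth (my reading of the 2.x behaviour, not something stated in the thread), and it ranks the COROSYNC_TOTEM_AUTHKEY_FILE variable below totem.key as an assumption. The two configs in demo() are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or the corosync project): audit one
# node's corosync.conf for the totem crypto settings discussed above and
# locate the authkey that node would actually load.
# Assumptions: corosync 2.x syntax; the top-level "}" of the totem block is
# in column 0; the sample configs in demo() are constructed.

# Print the value of KEY inside "totem { ... }" of config FILE, or nothing.
totem_setting() {
    sed -n '/^totem[[:space:]]*{/,/^}/p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        head -n 1
}

# Effective cipher and hash: explicit crypto_cipher / crypto_hash win
# (assumption, see lead-in); otherwise secauth on means aes256 + sha1 (the
# defaults Honza quotes) and secauth off means none + none. With nothing
# set at all the result is reported as "unset" rather than guessing.
effective_crypto() {
    secauth=$(totem_setting "$1" secauth)
    cipher=$(totem_setting "$1" crypto_cipher)
    hsh=$(totem_setting "$1" crypto_hash)
    case "$secauth" in
        on)  : "${cipher:=aes256}"; : "${hsh:=sha1}" ;;
        off) : "${cipher:=none}";   : "${hsh:=none}" ;;
        *)   : "${cipher:=unset}";  : "${hsh:=unset}" ;;
    esac
    printf '%s %s\n' "$cipher" "$hsh"
}

# Classify what goes on the wire: encrypted, authenticated-only, cleartext,
# unset (nothing configured; confirm on a live node with corosync-cmapctl),
# or invalid (a cipher with no hash, which corosync 2.x rejects).
classify_totem() {
    set -- $(effective_crypto "$1")
    case "$1/$2" in
        *unset*)   echo unset ;;
        none/none) echo cleartext ;;
        none/*)    echo authenticated-only ;;
        */none)    echo invalid ;;
        *)         echo encrypted ;;
    esac
}

# Which key corosync would read, following the thread: totem.keyfile beats
# totem.key, which beats the default file. Ranking the environment variable
# below totem.key is an assumption made here.
authkey_source() {
    keyfile=$(totem_setting "$1" keyfile)
    inline=$(totem_setting "$1" key)
    if [ -n "$keyfile" ]; then
        echo "file:$keyfile"
    elif [ -n "$inline" ]; then
        echo "inline:totem.key"
    elif [ -n "$COROSYNC_TOTEM_AUTHKEY_FILE" ]; then
        echo "file:$COROSYNC_TOTEM_AUTHKEY_FILE"
    else
        echo "file:/etc/corosync/authkey"
    fi
}

# A key file must exist, be non-empty and be readable by its owner only
# (corosync-keygen creates it owner-read-only). Returns 0 when it passes.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -s "$f" ] || { echo "empty: $f"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissive: $f is group/world accessible"
        return 1
    fi
    echo "ok: $f"
    return 0
}

# Constructed sample configs exercising the checks; not real cluster files.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/insecure.conf" <<EOF
totem {
    version: 2
    cluster_name: mycluster
    secauth: off
}
EOF
    cat > "$dir/secure.conf" <<EOF
totem {
    version: 2
    cluster_name: mycluster
    secauth: on
    crypto_hash: sha256
    keyfile: $dir/authkey
}
EOF
    head -c 128 /dev/urandom > "$dir/authkey"   # stand-in for corosync-keygen output
    chmod 0400 "$dir/authkey"
    for c in insecure secure; do
        cfg="$dir/$c.conf"
        printf '%s: wire=%s crypto=%s key=%s\n' "$c.conf" \
            "$(classify_totem "$cfg")" "$(effective_crypto "$cfg" | tr ' ' /)" \
            "$(authkey_source "$cfg")"
    done
    check_keyfile "$dir/authkey"
    rm -rf "$dir"
}

demo
```

Run it on each node against the node's own /etc/corosync/corosync.conf; a node reporting `cleartext` or `unset`, or whose resolved key file fails check_keyfile, is the one to fix before trusting a packet capture that merely "looks garbled". For a 1.x/cman stack, as Honza notes, corosync.conf is ignored and /etc/cluster/cluster.conf is what to inspect instead.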