[ClusterLabs] VirtualDomain as non-root / encrypted

Ken Gaillot kgaillot at redhat.com
Wed Mar 8 14:50:57 UTC 2017


On 03/08/2017 04:19 AM, philipp.achmueller at arz.at wrote:
> Hi,
> 
> Any ideas how to run a VirtualDomain resource as a non-root user with
> encrypted transport to a remote hypervisor (ssh)?
> 
> I'm able to start/stop/migrate a VM via libvirt as non-root, but it
> doesn't work with Pacemaker - Pacemaker runs VirtualDomain as root, and
> there is no option to pass a user via a parameter.
> 
> Thank you!

There's no way to do this within Pacemaker currently. The closest
workaround would be to copy the VirtualDomain agent, and edit it to
switch users before doing anything.

Since we added the alerts feature, we've been keeping a future
enhancement in mind to allow selecting the user that alert agents run as
(currently, it's always hacluster). If we do that, the same mechanism
will likely work with resource agents as well. There is a lot of
high-priority work ahead of that, though.

Keep in mind that some agents maintain state data somewhere like
/var/run, and they may break even if they can otherwise run as a
different user. If they offer the state location as an option, that's an
easy workaround.
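
One way to apply the workaround described above, written as a wrapper around the stock agent rather than an edited copy. This is an added example, not part of the original post and not code from Pacemaker or the resource-agents project; the `run_as` parameter, the agent path, the state directory and the `LAUNCH` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper agent: drop root, then hand off to the stock VirtualDomain agent.
# Assumed names (not from Pacemaker or resource-agents): the run_as parameter,
# the REAL_AGENT path and the STATE_DIR location.
REAL_AGENT="${REAL_AGENT:-/usr/lib/ocf/resource.d/heartbeat/VirtualDomain}"
STATE_DIR="${STATE_DIR:-/var/run/resource-agents}"
LAUNCH="${LAUNCH:-exec}"      # set LAUNCH=echo to print the command instead of running it
OCF_ERR_ARGS=2 OCF_ERR_PERM=4 OCF_ERR_INSTALLED=5   # standard OCF exit codes

# check_user USER: return 0 only for an existing, non-root account.
check_user() {
    [ -n "$1" ] || return "$OCF_ERR_ARGS"                          # run_as not set
    uid=$(id -u "$1" 2>/dev/null) || return "$OCF_ERR_INSTALLED"   # no such account on this node
    [ "$uid" -ne 0 ] || return "$OCF_ERR_PERM"                     # root would defeat the purpose
}

# run_agent USER ACTION: replace this process with the real agent, as USER.
# OCF_RESKEY_* variables pass through: runuser without -l leaves other
# environment variables in place and points HOME at the target account.
run_agent() {
    if [ "$2" = meta-data ]; then
        $LAUNCH "$REAL_AGENT" "$2"       # called without parameters; only prints XML
    else
        $LAUNCH runuser -u "$1" -- "$REAL_AGENT" "$2"
    fi
}

main() {
    action=$1
    user=${OCF_RESKEY_run_as:-}
    if [ "$action" != meta-data ]; then
        check_user "$user" || exit $?
        # Agents that keep state under /var/run fail if the new user cannot write there.
        runuser -u "$user" -- test -w "$STATE_DIR" || exit "$OCF_ERR_PERM"
    fi
    run_agent "$user" "$action"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Because `meta-data` is passed through unchanged, the stock agent's metadata will not list `run_as`.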



