[ClusterLabs] pcs cluster setup removes /etc/pacemaker/authkey

Faaland, Olaf P. faaland1 at llnl.gov
Mon Feb 26 14:00:41 EST 2018


Hi Tomas,

Thanks for your reply.  It was very helpful.

Maybe we don't need "--local".   I'll try removing that from our cluster setup script.

To answer your question, though, here was our reasoning for using it in the first place.

Only one host in our cluster, the one where we run "pcs setup", runs pacemaker.  The rest run pacemaker_remote.

One reason we use "--local" is that at the time we are configuring the cluster, the other hosts may not be present, or powered on, or fully configured.

Another reason is that the other hosts are diskless, and their configuration is stored in the image they boot from (they typically all share one such image), with some customization at the time the host boots, via a configuration management tool.

So for us, if pcs were to try to connect to the remote node to copy authkey into place, it would be lost when the node reboots.  We put the key into either the image or the configuration management tool so it is in place on every boot.

Where can I look to understand how pacemaker copes with the chicken-and-egg problem with distributing authkey?

Olaf P. Faaland
Livermore Computing
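
A post-setup check that a setup script in this situation could run, as an added example that is not part of the thread and not pcs or pacemaker code: it compares the live /etc/pacemaker/authkey with the copy staged by configuration management and reports why they disagree. The function name, the return codes, the reference-copy argument and the rule that the key must not be accessible to "other" are assumptions.

```shell
#!/bin/sh
# Added example: verify the pacemaker authkey after "pcs cluster setup".
#
# authkey_status KEY REFERENCE
#   KEY        live key file, e.g. /etc/pacemaker/authkey
#   REFERENCE  copy staged by configuration management (hypothetical path)
#
# Prints one word and returns a matching code (codes are this example's own):
#   0 ok        key present, not exposed, identical to the reference
#   1 missing   key file is absent (what the thread reports after setup)
#   2 empty     key file exists but has no content
#   3 exposed   key has permission bits set for "other"
#   4 mismatch  key differs from the reference copy
# Requires GNU stat (stat -c) and cmp.
authkey_status() {
    key=$1
    ref=$2
    if [ ! -f "$key" ]; then
        echo missing
        return 1
    fi
    if [ ! -s "$key" ]; then
        echo empty
        return 2
    fi
    # Assumption: a shared secret should carry no permissions for "other",
    # so the last octal digit of the mode must be 0.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *[1-7])
            echo exposed
            return 3
            ;;
    esac
    # Byte-for-byte comparison; nothing about the key content is printed.
    if ! cmp -s "$key" "$ref"; then
        echo mismatch
        return 4
    fi
    echo ok
    return 0
}

# When invoked with two arguments, run the check on them.
if [ "$#" -eq 2 ]; then
    authkey_status "$1" "$2"
fi
```

Run it right after the setup command and before starting pacemaker, so a removed or regenerated key is caught before the remotes fail to authenticate.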

________________________________________
From: Users <users-bounces at clusterlabs.org> on behalf of Tomas Jelinek <tojeline at redhat.com>
Sent: Friday, February 23, 2018 12:44 AM
To: users at clusterlabs.org
Subject: Re: [ClusterLabs] pcs cluster setup removes /etc/pacemaker/authkey

Hi,

Since upstream version 0.9.158, pcs takes care of the pacemaker authkey
itself [1] (Pacemaker version doesn't matter in this case).
That means:
* pcs wipes out the authkey on "cluster destroy"
* pcs creates and distributes the authkey on "cluster setup"
* pcs distributes the authkey when adding a node to a cluster
* pcs removes the authkey from a node when removing the node from a cluster

The preferred solution is to let pcs do its job.
pcs cluster setup --name <cluster-name> <node1> <node2> ... <nodeN>
will create and distribute all config files including a pacemaker
authkey to all nodes specified for you. Why are you using the --local
flag anyway?

In RHEL 7.4 the situation is a bit different. RHEL 7.4 pcs packages
contain a patch which makes the "pcs cluster setup" command use an
existing pacemaker authkey. [2] This patch however does not apply when
the --local flag is used in the setup command.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1176018
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1459503


Regards,
Tomas

On 22.2.2018 at 20:50, Faaland, Olaf P. wrote:
> Hi,
>
>
> I see when I invoke
>
>
> # pcs cluster setup --force --local --name <cluster-name>
> <net-interface-name>
>
>
> It reports "Removing all cluster configuration files..." and true to its
> word, removes /etc/pacemaker/authkey.
>
>
> My cluster configuration depends on nodes running pacemaker_remote and
> so I depend on the authkey to communicate with them.  The authkey is
> distributed among the nodes by a configuration management tool, in this
> case CFEngine, and if the authkey were not deleted, when pacemaker was
> started it and the remotes would successfully communicate with each
> other immediately.
>
>
> Is there some other solution to this key distribution problem that is
> preferred, and that is not affected by the removal of authkey?  Or is
> there some way to tell pcs not to remove that file?
>
>
> I see this behavior on RHEL 7.4 / pacemaker-1.1.16-12.el7.x86_64
>
>
> Also, is this a recent change?  I don't recall this occurring with an
> earlier version of RHEL/pacemaker.
>
>
> thanks,
>
>
> Olaf P. Faaland
> Livermore Computing
>
>
>
> _______________________________________________
> Users mailing list: Users at clusterlabs.org
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
>