[ClusterLabs] pcs cluster setup removes /etc/pacemaker/authkey

Tomas Jelinek tojeline at redhat.com
Tue Feb 27 03:54:59 EST 2018


Hi,

Your setup does not look highly available to me. I am not sure what 
happens when your one pacemaker node goes down but it cannot be anything 
good. You should have at least two pacemaker nodes so that when one goes 
down the other can run the remote resources.

Remote nodes should not be listed in the pcs cluster setup command, only 
pacemaker nodes go there.

In your current setup, if you first distribute the pacemaker authkey to 
your pacemaker node and then run
pcs cluster setup --name <cluster-name> <your-one-node>
on your one node, pcs will keep your authkey in place and you should be 
good. This will work for clusters with more than one node as well.


Regards,
Tomas


On 26.2.2018 at 20:00, Faaland, Olaf P. wrote:
> Hi Tomas,
> 
> Thanks for your reply.  It was very helpful.
> 
> Maybe we don't need "--local".   I'll try removing that from our cluster setup script.
> 
> To answer your question, though, here was our reasoning for using it in the first place.
> 
> Only one host in our cluster, the one where we run "pcs setup", runs pacemaker.  The rest run pacemaker_remote.
> 
> One reason we use "--local" is that at the time we are configuring the cluster, the other hosts may not be present, or powered on, or fully configured.
> 
> Another reason is that the other hosts are diskless, and their configuration is stored in the image they boot from (they typically all share one such image), with some customization at the time the host boots, via a configuration management tool.
> 
> So for us, if pcs were to try to connect to the remote node to copy authkey into place, it would be lost when the node reboots.  We put the key into either the image or the configuration management tool so it is in place on every boot.
> 
> Where can I look to understand how pacemaker copes with the chicken-and-egg problem with distributing authkey?
> 
> Olaf P. Faaland
> Livermore Computing
> 
> ________________________________________
> From: Users <users-bounces at clusterlabs.org> on behalf of Tomas Jelinek <tojeline at redhat.com>
> Sent: Friday, February 23, 2018 12:44 AM
> To: users at clusterlabs.org
> Subject: Re: [ClusterLabs] pcs cluster setup removes /etc/pacemaker/authkey
> 
> Hi,
> 
> Since upstream version 0.9.158, pcs takes care of the pacemaker authkey
> itself [1] (Pacemaker version doesn't matter in this case).
> That means:
> * pcs wipes out the authkey on "cluster destroy"
> * pcs creates and distributes the authkey on "cluster setup"
> * pcs distributes the authkey when adding a node to a cluster
> * pcs removes the authkey from a node when removing the node from a cluster
> 
> The preferred solution is to let pcs do its job.
> pcs cluster setup --name <cluster-name> <node1> <node2> ... <nodeN>
> will create and distribute all config files including a pacemaker
> authkey to all nodes specified for you. Why are you using the --local
> flag anyway?
> 
> In RHEL 7.4 the situation is a bit different. RHEL 7.4 pcs packages
> contain a patch which makes the "pcs cluster setup" command use an
> existing pacemaker authkey. [2] This patch however does not apply when
> the --local flag is used in the setup command.
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1176018
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1459503
> 
> 
> Regards,
> Tomas
> 
> On 22.2.2018 at 20:50, Faaland, Olaf P. wrote:
>> Hi,
>>
>>
>> I see when I invoke
>>
>>
>> # pcs cluster setup --force --local --name <cluster-name> <net-interface-name>
>>
>>
>> It reports "Removing all cluster configuration files..." and true to its
>> word, removes /etc/pacemaker/authkey.
>>
>>
>> My cluster configuration depends on nodes running pacemaker_remote and
>> so I depend on the authkey to communicate with them.  The authkey is
>> distributed among the nodes by a configuration management tool, in this
>> case CFEngine, and if the authkey were not deleted, when pacemaker was
>> started it and the remotes would successfully communicate with each
>> other immediately.
>>
>>
>> Is there some other solution to this key distribution problem that is
>> preferred, and that is not affected by the removal of authkey?  Or is
>> there some way to tell pcs not to remove that file?
>>
>>
>> I see this behavior on RHEL 7.4 / pacemaker-1.1.16-12.el7.x86_64
>>
>>
>> Also, is this a recent change?  I don't recall this occurring with an
>> earlier version of RHEL/pacemaker.
>>
>>
>> thanks,
>>
>>
>> Olaf P. Faaland
>> Livermore Computing
>>
>>
>>
>> _______________________________________________
>> Users mailing list: Users at clusterlabs.org
>> https://lists.clusterlabs.org/mailman/listinfo/users
>>
>> Project Home: http://www.clusterlabs.org
>> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>> Bugs: http://bugs.clusterlabs.org
>>

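The procedure from the top reply (put the authkey in place first, then run setup without --local), wrapped in a check that the key survives unchanged. This is an added example, not part of the original thread or of pcs; the function names are hypothetical, GNU `stat` and `sha256sum` are assumed, and the world-permission check is an extra precaution the thread does not mention.

```shell
#!/bin/sh
# Added example: guard a pre-distributed Pacemaker authkey across "pcs cluster setup".
AUTHKEY="${AUTHKEY:-/etc/pacemaker/authkey}"

# Print the SHA-256 of the key; fail if the file is missing or empty.
authkey_digest() {
    [ -s "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only if "other" has no access (last octal mode digit is 0).
# Assumption: a shared secret should never be world-readable.
authkey_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run a setup command and confirm the key is still the same file content.
# $1 = key path, remaining arguments = command to run.
# Return codes: 2 key missing, 3 bad mode, 4 command failed,
#               5 key removed by the command, 6 key replaced by the command.
setup_preserving_authkey() {
    key=$1; shift
    before=$(authkey_digest "$key") || { echo "authkey missing: $key" >&2; return 2; }
    authkey_mode_ok "$key" || { echo "authkey is world-accessible: $key" >&2; return 3; }
    "$@" || return 4
    after=$(authkey_digest "$key") || { echo "authkey removed by setup" >&2; return 5; }
    [ "$before" = "$after" ] || { echo "authkey was regenerated" >&2; return 6; }
}

# Usage on the pacemaker node (placeholders as in the thread):
#   setup_preserving_authkey "$AUTHKEY" \
#       pcs cluster setup --name <cluster-name> <your-one-node>
```

A return code of 5 or 6 means the remote nodes, which still hold the key from the image or configuration management tool, will no longer share a key with the pacemaker node.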