[ClusterLabs] how to connect to the cluster from a docker container

Jan Pokorný jpokorny at redhat.com
Tue Aug 6 07:36:49 EDT 2019 

Hello Dejan,

nice to see you around,

On 06/08/19 10:37 +0200, Dejan Muhamedagic wrote:
> Hawk runs in a docker container on one of the cluster nodes (the
> nodes run Debian and apparently it's rather difficult to install
> hawk on a non-SUSE distribution, hence docker). Now, how to
> connect to the cluster? Hawk uses the pacemaker command line
> tools such as cibadmin. I have a vague recollection that there is
> a way to connect over tcp/ip, but, if that is so, I cannot find
> any documentation about it.

I think that what you are after is one of:

1. have docker runtime for the particular container have the abstract
   Unix sockets shared from the host (--network=host? don't remember
   exactly)

   - apparently, this weak style of compartmentalization comes with
     many drawbacks, so you may be facing hefty work of cutting any
     other interferences stemming from pre-chrooting assumptions of
     what is a singleton on the system, incl. sockets etc.

2. use modern enough libqb (v1.0.2+) and use

     touch /etc/libqb/force-filesystem-sockets

   on both host and within the container (assuming those two locations
   are fully disjoint, i.e., not an overlay-based reuse), you should
   then be able to share the respective reified sockets simply by
   sharing the pertaining directory (normally /var/run it seems)

   - if indeed a directory as generic as /var/run is involved,
     it may also lead to unexpected interferences, so the more
     minimalistic the container is, the better I think
     (or you can recompile libqb and play with path mapping
     in container configuration to achieve smoother plug-in)

Then, pacemaker utilities would hopefully work across the container
boundaries just as if they were fully native, hence hawk shall as
well.

Let us know how far you'll get and where we can colletively join you
in your attempts, I don't think we had such experience disseminated
here.  I know for sure I haven't ever tried this in practice, some
one else here could have.  Also, there may be a lot of fun with various
Linux Security Modules like SELinux.

-- 
Jan (Poki)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20190806/a9b8f60a/attachment.sig>

More information about the Users mailing list