[ClusterLabs] Coming in Pacemaker 2.0.3: Pacemaker Remote hardening

Ken Gaillot kgaillot at redhat.com
Thu Oct 3 11:11:39 EDT 2019 

Hi all,

Currently, the Pacemaker Remote server always binds to the wildcard IP
address, and always uses the same TLS cipher priority list (which can
be configured at compile-time, and in some cases use the system-wide
policy).

Some users want to restrict these for security hardening purposes.

The upcoming Pacemaker 2.0.3 will support two new environment variables
(in /etc/sysconfig/pacemaker, /etc/default/pacemaker, or wherever your
distro keeps such things):


# If the Pacemaker Remote service is run on the local node, it will listen
# for connections on this address. The value may be a resolvable hostname or an
# IPv4 or IPv6 numeric address. When resolving names or using the default
# wildcard address (i.e. listen on all available addresses), IPv6 will be
# preferred if available. When listening on an IPv6 address, IPv4 clients will
# be supported (via IPv4-mapped IPv6 addresses).
# PCMK_remote_address="192.0.2.1"

# Use these GnuTLS cipher priorities for TLS connections. See:
#
#   https://gnutls.org/manual/html_node/Priority-Strings.html
#
# Pacemaker will append ":+ANON-DH" for remote CIB access (when enabled) and
# ":+DHE-PSK:+PSK" for Pacemaker Remote connections, as they are required for
# the respective functionality.
# PCMK_tls_priorities="NORMAL"


In addition, bundles gain a new capability, since there's no equivalent
of that file inside a container. You can already pass environment
variables to a container via the bundle's "options" property, but those
must be identical on all hosts. Now, if you mount a file from the host
as /etc/pacemaker/pcmk-init.env inside the container (via the existing
"storage-mapping" property), Pacemaker Remote inside the container will
parse that file for NAME=VALUE pairs and set them as environment
variables.

This allows you to set not only PCMK_remote_address, but other
Pacemaker environment variables such as PCMK_debug, to a different
value for the container to use on each host.

The first release candidate is expected in a couple of weeks.
-- 
Ken Gaillot <kgaillot at redhat.com>

More information about the Users mailing list