[ClusterLabs] Coming in Pacemaker 2.0.3: Pacemaker Remote hardening
kgaillot at redhat.com
Thu Oct 3 11:11:39 EDT 2019
Currently, the Pacemaker Remote server always binds to the wildcard IP
address, and always uses the same TLS cipher priority list (which can
be configured at compile-time, and in some cases use the system-wide
Some users want to restrict these for security hardening purposes.
The upcoming Pacemaker 2.0.3 will support two new environment variables
(in /etc/sysconfig/pacemaker, /etc/default/pacemaker, or wherever your
distro keeps such things):
# If the Pacemaker Remote service is run on the local node, it will listen
# for connections on this address. The value may be a resolvable hostname or an
# IPv4 or IPv6 numeric address. When resolving names or using the default
# wildcard address (i.e. listen on all available addresses), IPv6 will be
# preferred if available. When listening on an IPv6 address, IPv4 clients will
# be supported (via IPv4-mapped IPv6 addresses).
# Use these GnuTLS cipher priorities for TLS connections. See:
# Pacemaker will append ":+ANON-DH" for remote CIB access (when enabled) and
# ":+DHE-PSK:+PSK" for Pacemaker Remote connections, as they are required for
# the respective functionality.
In addition, bundles gain a new capability, since there's no equivalent
of that file inside a container. You can already pass environment
variables to a container via the bundle's "options" property, but those
must be identical on all hosts. Now, if you mount a file from the host
as /etc/pacemaker/pcmk-init.env inside the container (via the existing
"storage-mapping" property), Pacemaker Remote inside the container will
parse that file for NAME=VALUE pairs and set them as environment variables.
This allows you to set not only PCMK_remote_address, but other
Pacemaker environment variables such as PCMK_debug, to a different
value for the container to use on each host.
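As an added illustration of the two mechanisms above (the per-host pcmk-init.env file for bundles and the PCMK_remote_address setting it carries), here is a small POSIX shell helper. It is written for this page and is not code from the announcement or from the Pacemaker project. It assumes the env file is read line by line with '#' comments and blank lines ignored, that a later assignment of the same NAME wins, and that Pacemaker Remote listens on its long-standing default TCP port 3121; the sample file and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example for the Pacemaker 2.0.3 announcement; not Pacemaker's own code.
# Assumptions (not stated in the announcement): '#' comments and blank lines are
# ignored, NAME must be a valid identifier, the last assignment of a NAME wins,
# and Pacemaker Remote listens on TCP port 3121.

# parse_env_file FILE: emit the NAME=VALUE pairs that would be applied,
# reporting malformed lines on stderr instead of silently passing them on.
parse_env_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;            # blank line or comment
            *=*) ;;                         # candidate NAME=VALUE
            *) printf 'skipping line without "=": %s\n' "$line" >&2; continue ;;
        esac
        name=${line%%=*}
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'skipping invalid name: %s\n' "$line" >&2; continue ;;
        esac
        printf '%s=%s\n' "$name" "${line#*=}"
    done < "$1"
}

# env_value FILE NAME: the effective value of NAME (last assignment wins),
# empty if it is not set. Values may themselves contain '='.
env_value() {
    parse_env_file "$1" 2>/dev/null |
        awk -F= -v n="$2" '$1 == n { v = substr($0, length(n) + 2) } END { print v }'
}

# check_listener ADDR: read `ss -Hltn` output on stdin and succeed only when
# port 3121 is bound to ADDR and to nothing else (no wildcard socket left
# behind, which is the point of setting PCMK_remote_address).
check_listener() {
    awk -v want="$1" '
        $1 == "LISTEN" && $4 ~ /:3121$/ {
            addr = $4; sub(/:3121$/, "", addr)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "::" || addr == "*")
                wild = 1
            else if (addr == want || addr == "[" want "]")
                ok = 1
            else
                other = 1
        }
        END { exit (ok && !wild && !other) ? 0 : 1 }'
}

# Demo with a constructed per-host file; on a real host this would be the file
# mounted into the container as /etc/pacemaker/pcmk-init.env via storage-mapping.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample: settings for the container running on this host
PCMK_remote_address=192.0.2.10
PCMK_debug=off
EOF
printf 'effective address: %s\n' "$(env_value "$demo_file" PCMK_remote_address)"
# Real-world check (run on a host where pacemaker_remote is up):
# ss -Hltn | check_listener "$(env_value "$demo_file" PCMK_remote_address)" \
#     && echo "bound to the configured address only"
rm -f "$demo_file"
```

The parser deliberately rejects names that are not plain identifiers rather than passing them through, so a stray or malformed line in a host-mounted file shows up in the log instead of silently becoming an environment variable. The listener check fails if any wildcard socket remains on port 3121, which is the condition a hardening change like this is meant to remove.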
The first release candidate is expected in a couple of weeks.
Ken Gaillot <kgaillot at redhat.com>