[ClusterLabs] Initial Setup

Angelo M Ruggiero angeloruggiero at yahoo.com
Fri Aug 16 12:41:19 UTC 2024


Hello,

I have been learning and playing with pacemaker. It's great. We are going to use it in SAP R3/HANA on RHEL8, hopefully in the next few months.

I am trying to make sure I know how it works from a security point of view, as in my world I have to explain it to the security powers that be ....

So I have been looking at the man pages, netstat-ing, tcpdump-ing, lsof-ing etc. and looking at the code as far as I can.

Here is an initial sort of description of what actually happens during the initial setup until all processes are up and "trusted"; thereafter, with resources, it is less of an issue.

I know it is somehow not exact enough. But I need some sort of pointers or some basic corrections, then I will make it better. Happy to contribute something here if people think it valuable.
I got some pics as well.

Just to be clear, I do not have a problem; it is all working.

So can someone help me review the below?

  1.  packages pcs, pacemaker, corosync, ... installed on each host, hacluster password set and pcsd started
  2.  On one of the intended cluster hosts.... pcs host add <list of hosts>
     *   pcs(1) connects to the local pcsd(8) via an only-root-writable unix domain socket
     *   local pcsd connects to each remote host on port 2244 via TLS and the configured cipher
        *   the remote pcsd via PAM requests uid/password authentication (hacluster and the above set passwd)
           *   if successful the remote pcsd
              *   writes into the local /var/lib/pcsd/known_hosts its own entry
              *   writes the node list entry into /etc/corosync/corosync.conf
              *   if there is no /etc/corosync/authkey, corosync-keygen is run to generate and write the key
        *   the local pcsd
           *   also writes the remote host's entry for the remote pcsd
              *   writes the node list entry into /etc/corosync/corosync.conf
              *   if there is no /etc/corosync/authkey, corosync-keygen is run to generate and write the key
  3.  On one of the intended cluster hosts... pcs cluster setup <list of hosts>
     *   pcs(1) connects to the local pcsd(8) via an only-root-writable unix domain socket
     *   allocates a random /etc/pacemaker/authkey
     *   connects to each of the list of hosts via TLS and for each
        *   presents the remote host token from the previously set up known_hosts entry for authentication
        *   presents the /etc/pacemaker/authkey if not yet on the remote host
        *   sends the configuration data

Angelo
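An added example, not part of Angelo's post and not code from the pcs or pacemaker projects: a small POSIX shell audit that reads back the trust artifacts the step list above names (/etc/corosync/authkey, /etc/pacemaker/authkey, /var/lib/pcsd/known_hosts, the nodelist in /etc/corosync/corosync.conf and the pcsd TLS port 2244), which is the kind of evidence a reviewer usually asks for after "pcs host add" and "pcs cluster setup" have run. The paths and the port come from the post; the expectation that key files carry no "other" permission bits, the use of GNU stat(1) and ss(8), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of the pcs/pacemaker projects.
# Reads back the trust artifacts the post's step list names so they can be
# shown to a reviewer. Paths come from the post; the "not world-accessible"
# expectation for key files and the GNU stat(1) usage are assumptions.

# Print the node names from a corosync.conf nodelist (the "name:" keys that
# "pcs host add" / "pcs cluster setup" write), one per line.
corosync_nodes() {
    awk '$1 == "name:" { print $2 }' "$1"
}

# Return 0 when the file exists and its "other" permission bits are all clear,
# i.e. nothing outside owner/group can read the shared secret. Prints a verdict.
check_not_world_accessible() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    mode=$(stat -c %a "$f")           # octal mode as printed by GNU stat, e.g. 400 or 644
    case "$mode" in
        *0) echo "OK      $f mode=$mode owner=$(stat -c %U:%G "$f")"; return 0 ;;
        *)  echo "WEAK    $f mode=$mode (readable or writable by others)"; return 1 ;;
    esac
}

# Run the checks against the real paths from the post, list the nodelist and
# report whether something listens on the pcsd TLS port (2244). Returns
# non-zero if any key file is missing or world-accessible.
audit_cluster_trust_files() {
    rc=0
    for f in /etc/corosync/authkey /etc/pacemaker/authkey /var/lib/pcsd/known_hosts; do
        check_not_world_accessible "$f" || rc=1
    done
    if [ -r /etc/corosync/corosync.conf ]; then
        echo "nodelist: $(corosync_nodes /etc/corosync/corosync.conf | tr '\n' ' ')"
    fi
    if ss -ltn 2>/dev/null | grep -q ':2244 '; then
        echo "pcsd TLS listener on :2244 present"
    fi
    return $rc
}

# Only touch the live system when asked to: sh audit.sh --audit
if [ "${1-}" = "--audit" ]; then
    audit_cluster_trust_files
fi
```

Run it as root on each node after step 3 and keep the output with the change record; a WEAK or MISSING line for either authkey is worth investigating before the cluster is handed over, since those files are the shared secrets the corosync and pacemaker traffic described above relies on.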


