[ClusterLabs] Initial Setup

Ken Gaillot kgaillot at redhat.com
Mon Aug 19 17:14:23 UTC 2024 

Your summary looks correct to me.

Note that by default, pcs cluster setup will configure the cluster
communication layer (knet) to use encryption with cipher AES-256 and
hash SHA-256. That covers Corosync and Pacemaker communication between
nodes during cluster operation.

In addition, Pacemaker's configuration (CIB) is readable and writable
only by root. Users may optionally be added to the haclient group to
gain read/write access, and ACLs may optionally be configured to
restrict that access to specific portions.

On Fri, 2024-08-16 at 12:41 +0000, Angelo M Ruggiero via Users wrote:
> Hello,
> 
> I have been learning and playing with the pacemaker. Its great. We
> are going to use is in SAP R3/HANA on RHEL8 hopefully in the next few
> months.
> 
> I am trying to make sure I know how it works from a security point of
> view. As in my world I have to explain to security powers at be ....
> 
> So been looking at the man pages, netstatin,tcpdumping, lsofing etc
> and looking at the code even as far as i can.
> 
> Here is an initial sort of description what actually happens during
> the initial setup until all processes are up and "trusted" thereafter
> with resources is less of an issue.
> 
> I know it some how not exact enough. But I need some sort of pointers
> or some basic corrections then I will make it better. Happy to
> contribute something here if people think valuable.
> I got some pics as well. 
> 
> Just to be I do not have a problem it is all working. 
> 
> So can someone help me to review the below.
> packages pcs, pacemaker, corosync., ... installed on each host 
> hacluster password set and pcsd started
> On one of the intended cluster hosts....pcs host add <list of hosts>
> pcs(1) connects to the local pcsd(8) via only root writable unix
> domain socket
> local pcsd connects to each remote host on port 2244 via TLS and
> configured cipher
> the remote pcsd via PAM requests uid, password authentication
> (hacluster and the above set passwd)
> if successfull the remote pcsd
> writes into the local /var/lib/pcsd/known_hosts its own entry
> writes the node list entry into the /etc/corosync/corosync.,conf
> if there is no /etc/corosync/authkey the corosync_keygen is running
> to generate and write the key
> the local pcsd
> writes also the remotes pcsd the remote hosts entry
> writes the node list entry into the /etc/corosync/corosync.,conf
> if there is no /etc/corosync/authkey the corosync_keygen is running
> to generate and write the key
> On one of the intended cluster hosts... pcs cluster setup <list of
> hosts>
> pcs(1) connects to the local pcsd(8) via only root writable unix
> domain socket
> allocates a random /etc/pacemaker/authkey
> connects to each of the list of hosts via TLS and for each
> presents the remote host token from the previously setup known hosts
> entry for authentication
> presents the /etc/pacemaker/authkey if not yet on the remote host
> send the configuration data
> 
> Angelo
> 
-- 
Ken Gaillot <kgaillot at redhat.com>

More information about the Users mailing list