[ClusterLabs] Initial Setup
Peter Romancik
promanci at redhat.com
Wed Aug 21 12:56:13 UTC 2024
Hi,
You seem to have gained a pretty nice understanding of the process of
initial cluster setup. However, there are some details that should be
addressed:
- You probably meant 'pcs host auth', since there is no 'pcs host add'
- There are two Unix domain sockets used by pcsd:
- For communication between Python and Ruby pcsd
("/var/run/pcsd-ruby.socket"). This is due to some legacy parts of the
daemon still running in Ruby. So, if Python gets a request that should be
handled by Ruby daemon, it forwards it using this socket.
- For communication between clients and pcsd
("/var/run/pcsd.socket"). However, PCS does not currently utilize this
socket to communicate with the local pcsd.
-
- All the communication in the network commands is done using tls, as
you mentioned. However, the communication between pcs and the local pcsd is
not done using unix domain socket. Unix domain socket is only used for the
already mentioned Python to Ruby daemon communication.
- The commands can even be run on a node that will not be part of the
cluster after the setup. In the case of 'pcs cluster setup,' it must run on
a node with all the intended cluster nodes authenticated.
- There are no Corosync files involved in 'pcs host auth'. Being
authenticated to pcsd and being a part of a cluster are separate things.
There also seems to be a little confusion about what the two mentioned
commands do. So here is an overview of how they work:
- 'pcs host auth <list of hosts>'
1. For each node in the list of hosts (even the local node)
1. pcs sends https request for authentication
2. Remote node authenticates using PAM (username + password)
3. Remote node generates a token, saves it, and sends it in
response
2. Local known-hosts file is updated locally with the tokens received
from responses and distributed to all nodes
- 'pcs cluster setup <list of hosts>'
1. Requests for destroying cluster and removal of pcsd config files
are sent to all nodes
- in case there is some old unwanted configuration on the nodes
2. The local known-hosts file is distributed to all nodes
3. corosync_authkey and pacemaker_authkey are generated and
distributed to all nodes
- each node receives the keys and saves them
4. New pcsd tls certificate and key is generated and distributed
- so that all nodes have the same certificate
- each remote node saves the files and reloads tls certificate
used by the daemon
5. corosync_conf is generated and distributed to all nodes
- Again, each node receives the config file and saves it
Regards,
Peter
On Fri, Aug 16, 2024 at 2:41 PM Angelo M Ruggiero via Users <
users at clusterlabs.org> wrote:
> Hello,
>
> I have been learning and playing with the pacemaker. Its great. We are
> going to use is in SAP R3/HANA on RHEL8 hopefully in the next few months.
>
> I am trying to make sure I know how it works from a security point of
> view. As in my world I have to explain to security powers at be ....
>
> So been looking at the man pages, netstatin,tcpdumping, lsofing etc and
> looking at the code even as far as i can.
>
> Here is an initial sort of description what actually happens during the
> initial setup until all processes are up and "trusted" thereafter with
> resources is less of an issue.
>
> I know it some how not exact enough. But I need some sort of pointers or
> some basic corrections then I will make it better. Happy to contribute
> something here if people think valuable.
> I got some pics as well.
>
> Just to be I do not have a problem it is all working.
>
> So can someone help me to review the below.
>
> 1. packages pcs, pacemaker, corosync., ... installed on each host
> hacluster password set and pcsd started
> 2. On one of the intended cluster hosts....pcs host add <list of hosts>
> 1. pcs(1) connects to the local pcsd(8) via only root writable unix
> domain socket
> 2. local pcsd connects to each remote host on port 2244 via TLS and
> configured cipher
> 1. the remote pcsd via PAM requests uid, password authentication
> (hacluster and the above set passwd)
> 1. if successfull the remote pcsd
> 1. writes into the local /var/lib/pcsd/known_hosts its own
> entry
> 2. writes the node list entry into the
> /etc/corosync/corosync.,conf
> 3. if there is no /etc/corosync/authkey the
> corosync_keygen is running to generate and write the key
> 2. the local pcsd
> 1. writes also the remotes pcsd the remote hosts entry
> 1. writes the node list entry into the
> /etc/corosync/corosync.,conf
> 2. if there is no /etc/corosync/authkey the
> corosync_keygen is running to generate and write the key
> 3. On one of the intended cluster hosts... pcs cluster setup
> <list of hosts>
> 1. pcs(1) connects to the local pcsd(8) via only root writable unix
> domain socket
> 2. allocates a random /etc/pacemaker/authkey
> 3. connects to each of the list of hosts via TLS and for each
> 1. presents the remote host token from the previously setup
> known hosts entry for authentication
> 2. presents the /etc/pacemaker/authkey if not yet on the remote
> host
> 3. send the configuration data
>
>
> Angelo
>
>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20240821/13f56e93/attachment.htm>
More information about the Users
mailing list