[ClusterLabs] Fencing agent fence_xvm using multicast

Klaus Wenninger kwenning at redhat.com
Thu Jul 24 15:56:31 UTC 2025 

On Thu, Jul 24, 2025 at 6:47 AM Pierre C. Dussault <
pierrecharles.dussault at outlook.com> wrote:

> Hi Reid,
>
> Thanks for the feedback and suggestions. Sorry for delayed answer, I was
> away on vacation.
>
> For now I'll try to use SBD fencing since I haven't been able to figure
> out the issue. It definitely wasn't nftables since I disabled it prior to
> doing configurations. I haven't touched any of the configuration in Proxmox
> for Apparmor, so that's running in its default settings. It seems some
> programs have an active profile in enforcing mode, but it doesn't seem like
> they are programs that would interact with KVM (although I may be wrong).
> I'll try to focus my efforts on SBD fencing and I'll circle back to
> fence_vxm once I get it working with SBD.
>

If you have a single hypervisor where you have access to - some sort of at
least - going with SBD will
probably give you more issues than it will help you.
I'm using SBD on qemu-kvm either with i6300 or q35 virtual watchdog both
for watchdog-fencing
and for poison-pill-fencing. Good thing is that with qemu-kvm (guess
proxmox is still running
on top of qemu-kvm) you have at least a proper virtual watchdog (e.g. <watchdog
model='i6300esb' action='reset'/>
in the <devices>) For the case you wanna go with poison-pill-fencing that
works well using a
shared disk-image - no need for setting up an iSCSI-target or something -
using something like
<disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='SHARED_IMAGE_FILE_A'/>
      <target dev='sdb' bus='scsi'/>
      <serial>SBD-A</serial>
      <shareable/>
 </disk>
But again I would encourage you to try something different unless you need
any of the
points where SBD shines. I'm using it in this kind of environment as I'm
working
on SBD development.

Regards,
Klaus

> Thanks again,
> Pierre
>
> ------------------------------
> *From:* Reid Wahl <nwahl at redhat.com>
> *Sent:* Thursday, July 10, 2025 4:44 PM
> *To:* Cluster Labs - All topics related to open-source clustering
> welcomed <users at clusterlabs.org>; pierrecharles.dussault at outlook.com <
> pierrecharles.dussault at outlook.com>
> *Subject:* Re: [ClusterLabs] Fencing agent fence_xvm using multicast
>
> On Mon, Jul 7, 2025 at 12:12 PM Pierre C. Dussault
> <pierrecharles.dussault at outlook.com> wrote:
> >
> > Hi all,
> >
> > I am trying to get a working fencing device on a single Proxmox 8 host
> (not using the Proxmox tools) with fence_virtd and fence_virt/vxm. I can't
> get the command
> >     # fence_xvm -o list
> > to output anything, it keeps failing via timeout despite many attempts
> at finding the fault. The exact return message is:
> >     Timed out waiting for response
> >     Operation failed
> >
> > I am trying to configure it using the multicast Listener with the
> Libvirt backend. All settings were left to defaults except the listening
> interface which was set to the Linux bridge connecting the host and the
> guests. The fence_xvm.key file was copied in the /etc/cluster/ directory on
> the host and on the guests.
> >
> > I followed this:
> https://projects.clusterlabs.org/w/fencing/guest_fencing/ which didn't
> work,
> > then this:
> https://kevwells.com/it-knowledge-base/how-to-install-cluster-fencing-using-libvert-on-kvm-virtual-machines/
> which also didn't work.
> >
> > I read the man pages for fence_virt, fence_xvm, fence_virtd and
> fence_virt.conf.
> > I read the README and doc files in "agents/virt" and "agent/virt/docs"
> from the source repository.
> >
> > I am at a loss here. Is there a better guide out there (or more up to
> date)?
> >
> > Thanks.
> > _______________________________________________
> > Manage your subscription:
> > https://lists.clusterlabs.org/mailman/listinfo/users
> >
> > ClusterLabs home: https://www.clusterlabs.org/
>
> Can you try with the firewall disabled on both the host and the
> guests? If it works, then we know it's a firewall issue. You probably
> need to allow traffic through 1229/udp on the host, in addition to
> 1229/tcp on the guests, if you are not already doing so. (Not sure if
> 1229/tcp is needed on the host.)
>
> You can also try with SELinux (or AppArmor or whatever) disabled or
> not-enforcing.
>
> I haven't configured or troubleshot fence_xvm or fence_virt in a long
> time. Firewall issues have been the most common problem for me though.
>
> --
> Regards,
>
> Reid Wahl (He/Him)
> Senior Software Engineer, Red Hat
> RHEL High Availability - Pacemaker
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20250724/8287152f/attachment.htm>

More information about the Users mailing list