<div dir="ltr">Hi Ken,<div>very thanks for SELinux advice ! I forget to check it. After I disabled SELinux temporarily, pacmaker starts to handle the DRBD resources well. (I checked the agent scripts earlier, but they were same as in the scripts subdir of drbd9 source). And I will check my email settings.</div><div>Thanks again: lados.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Ken Gaillot <<a href="mailto:kgaillot@redhat.com">kgaillot@redhat.com</a>> ezt írta (időpont: 2019. máj. 23., Cs, 16:21):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, 2019-05-23 at 13:21 +0200, László Neduki wrote:<br>
> Hi,<br>
> <br>
> (<br>
> I sent a similar question from an other acount 3 days ago, but: <br>
> - I do not see it on the list. Maybe I should not see my own email? <br>
<br>
A DRBD message from <a href="mailto:govomevo@gmail.com" target="_blank">govomevo@gmail.com</a> did make it to the list a week<br>
ago. You should get your own emails from the list server, though your<br>
own mail server or client might filter them.<br>
<br>
> So I created a new account<br>
> - I have additional infos (but no solution), so I rewrite the<br>
> question<br>
> )<br>
> <br>
> pacemaker cannot start drbd9 resources. As I see, root has very<br>
> limited privileges in the drbd resource agent, when it run by the<br>
> pacemaker. I downloaded the latest pacemaker this week, and I<br>
> compiled drbd9 rpms also. I hope, You can help me, I do not find the<br>
> cause of this behaviour. Please see the below test cases:<br>
<br>
I'm not a DRBD expert, but given the symptoms you describe, my first<br>
thoughts would be that either the ocf:linbit:drbd agent you're using<br>
isn't the right version for your DRBD version, or something like<br>
SELinux is restricting access.<br>
<br>
> 1. When I create Pacemaker DRBD resource I get errors<br>
> # pcs resource create DrbdDB ocf:linbit:drbd drbd_resource=drbd_db op<br>
> monitor interval=60s meta notify=true<br>
> # pcs resource master DrbdDBClone DrbdDB master-max=1 master-node-<br>
> max=1 clone-node-max=1 notify=true<br>
> # pcs constraint location DrbdDBClone prefers node1=INFINITY<br>
> # pcs cluster stop --all; pcs cluster start --all; pcs status<br>
> <br>
> Failed Actions:<br>
> * DrbdDB_monitor_0 on node1 'not installed' (5): call=6,<br>
> status=complete, exitreason='DRBD kernel (module) not available?',<br>
> last-rc-change='Thu May 23 09:54:09 2019', queued=0ms, exec=58ms<br>
> * DrbdDB_monitor_0 on node2 'not installed' (5): call=6,<br>
> status=complete, exitreason='DRBD kernel (module) not available?',<br>
> last-rc-change='Thu May 23 10:00:22 2019', queued=0ms, exec=71ms<br>
> <br>
> 2. when I try to start drbd_db by drbdadm directly, it works well:<br>
> # modprobe drbd #on each node<br>
> # drbdadm up drbd_db #on each node<br>
> # drbdadm primary drbd_db<br>
> # drbdadm status <br>
> it shows drbd_db is UpToDate on each node<br>
> I also can promote and mount filesystem well<br>
> <br>
> 3. When I use debug-start, it works fine (so the resource syntax<br>
> sould be correct)<br>
> # drbdadm status<br>
> No currently configured DRBD found.<br>
> # pcs resource debug-start DrbdDBMaster<br>
> Error: unable to debug-start a master, try the master's resource:<br>
> DrbdDB<br>
> # pcs resource debug-start DrbdDB #on each node<br>
> Operation start for DrbdDB:0 (ocf:linbit:drbd) returned: 'ok' (0)<br>
> # drbdadm status<br>
> it shows drbd_db is UpToDate on each node<br>
> <br>
> 4. Pacemaker handle other resources well . If I set auto_promote=yes,<br>
> and I start (but not promote) the drbd_db by drbdadm, then pacemaker<br>
> can create filesystem on it well, and also the appserver, database<br>
> resources. <br>
> <br>
> 5. The strangest behaviour for me. Root have very limited privileges<br>
> whitin the drbd resource agent. If I write this line to the<br>
> srbd_start() method of /usr/lib/ocf/resource.d/linbit/drbd<br>
> <br>
> ocf_log err "lados " $(whoami) $( ls -l /home/opc/tmp/modprobe2.trace<br>
> ) $( do_cmd touch /home/opc/tmp/modprobe2.trace )<br>
> <br>
> I got theese messeges in log, when I start the cluster<br>
> <br>
> # tail -f /var/log/cluster/corosync.log | grep -A 8 -B 3 -i lados<br>
> <br>
> ...<br>
> May 21 15:35:12 drbd(DrbdDB)[31649]: ERROR: lados root<br>
> May 21 15:35:12 [31309] node1 lrmd: notice:<br>
> operation_finished: DrbdDB_start_0:31649:stderr [ ls: cannot<br>
> access /home/opc/tmp/modprobe2.trace: Permission denied ]<br>
> May 21 15:35:12 [31309] node1 lrmd: notice:<br>
> operation_finished: DrbdFra_start_0:31649:stderr [ touch: cannot<br>
> touch '/home/opc/tmp/modprobe2.trace': Permission denied ]<br>
> ...<br>
> and also, when I try to strace the "modprobe -s drbd `$DRBDADM sh-<br>
> mod-parms`" in drbd resource agent, I only see 1 line in the<br>
> /root/modprobe2.trace. This meens for me:<br>
> - root cannot trace the calls in drbdadm (even if root can strace<br>
> drbdadm outside of pacemaker well)<br>
> - root can write into files his own directory<br>
> (/root/modprobe2.trace) <br>
> <br>
> 6. Opposit of previous test<br>
> root has these privileges outside from pacamaker<br>
> <br>
> # sudo su -<br>
> # touch /home/opc/tmp/modprobe2.trace<br>
> # ls -l /home/opc/tmp/modprobe2.trace<br>
> -rw-r--r--. 1 root root 0 May 21 15:44 /home/opc/tmp/modprobe2.trace<br>
> <br>
> <br>
> Thanks: lados.<br>
> <br>
> <br>
> _______________________________________________<br>
> Manage your subscription:<br>
> <a href="https://lists.clusterlabs.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.clusterlabs.org/mailman/listinfo/users</a><br>
> <br>
> ClusterLabs home: <a href="https://www.clusterlabs.org/" rel="noreferrer" target="_blank">https://www.clusterlabs.org/</a><br>
-- <br>
Ken Gaillot <<a href="mailto:kgaillot@redhat.com" target="_blank">kgaillot@redhat.com</a>><br>
<br>
_______________________________________________<br>
Manage your subscription:<br>
<a href="https://lists.clusterlabs.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.clusterlabs.org/mailman/listinfo/users</a><br>
<br>
ClusterLabs home: <a href="https://www.clusterlabs.org/" rel="noreferrer" target="_blank">https://www.clusterlabs.org/</a></blockquote></div>