<div dir="ltr"><div>Hi,</div><div><br></div><div>You seem to have gained a pretty nice understanding of the process of initial cluster setup. However, there are some details that should be addressed:<br></div>
<div><ul>
<li>You probably meant 'pcs host auth', since there is no 'pcs host add'.</li>
<li>There are two Unix domain sockets used by pcsd:
<ul>
<li>For communication between Python and Ruby pcsd ("/var/run/pcsd-ruby.socket"). This is due to some legacy parts of the daemon still running in Ruby. So, if Python gets a request that should be handled by the Ruby daemon, it forwards it using this socket.</li>
<li>For communication between clients and pcsd ("/var/run/pcsd.socket"). However, PCS does not currently utilize this socket to communicate with the local pcsd.</li>
</ul></li>
<li>All the communication in the network commands is done using TLS, as you mentioned. However, the communication between pcs and the local pcsd is not done using a Unix domain socket. The Unix domain socket is only used for the already mentioned Python to Ruby daemon communication.</li>
<li>The commands can even be run on a node that will not be part of the cluster after the setup. In the case of 'pcs cluster setup', it must run on a node with all the intended cluster nodes authenticated.</li>
<li>There are no Corosync files involved in 'pcs host auth'. Being authenticated to pcsd and being a part of a cluster are separate things.</li>
</ul></div>
<div>There also seems to be a little confusion about what the two mentioned commands do. So here is an overview of how they work:</div>
<div><ul>
<li>'pcs host auth &lt;list of hosts&gt;'
<ol>
<li>For each node in the list of hosts (even the local node):
<ol>
<li>pcs sends an HTTPS request for authentication</li>
<li>The remote node authenticates using PAM (username + password)</li>
<li>The remote node generates a token, saves it, and sends it in the response</li>
</ol></li>
<li>The local known-hosts file is updated with the tokens received from the responses and distributed to all nodes</li>
</ol></li>
<li>'pcs cluster setup &lt;list of hosts&gt;'
<ol>
<li>Requests for destroying the cluster and removing pcsd config files are sent to all nodes
<ul><li>in case there is some old unwanted configuration on the nodes</li></ul></li>
<li>The local known-hosts file is distributed to all nodes</li>
<li>corosync_authkey and pacemaker_authkey are generated and distributed to all nodes
<ul><li>each node receives the keys and saves them</li></ul></li>
<li>A new pcsd TLS certificate and key are generated and distributed
<ul><li>so that all nodes have the same certificate</li>
<li>each remote node saves the files and reloads the TLS certificate used by the daemon</li></ul></li>
<li>corosync_conf is generated and distributed to all nodes
<ul><li>Again, each node receives the config file and saves it</li></ul></li>
</ol></li>
</ul></div>
<div><br></div><div>Regards,</div><div>Peter<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 16, 2024 at 2:41 PM Angelo M Ruggiero via Users &lt;<a href="mailto:users@clusterlabs.org">users@clusterlabs.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg1842941299910496464">
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Hello,</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
I have been learning and playing with Pacemaker. It's great. We are going to use it in SAP R3/HANA on RHEL8, hopefully in the next few months.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
I am trying to make sure I know how it works from a security point of view, as in my world I have to explain it to the security powers that be...</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
So I have been looking at the man pages, netstating, tcpdumping, lsofing etc. and even looking at the code as far as I can.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Here is an initial sort of description of what actually happens during the initial setup until all processes are up and "trusted"; thereafter, with resources, it is less of an issue.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
I know it is somehow not exact enough, but I need some sort of pointers or some basic corrections, then I will make it better. Happy to contribute something here if people think it valuable.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
I got some pics as well. </div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Just to be clear, I do not have a problem; it is all working.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
So can someone help me to review the below?</div>
<ol start="1" style="text-align:left;margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
packages pcs, pacemaker, corosync, ... installed on each host; hacluster password set and pcsd started</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
On one of the intended cluster hosts... pcs host add &lt;list of hosts&gt;</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
pcs(1) connects to the local pcsd(8) via a root-only writable Unix domain socket</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
the local pcsd connects to each remote host on port 2244 via TLS and the configured cipher</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
the remote pcsd requests uid/password authentication via PAM (hacluster and the password set above)</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
if successful, the remote pcsd</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
writes into the local /var/lib/pcsd/known_hosts its own entry</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
writes the node list entry into /etc/corosync/corosync.conf</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
if there is no /etc/corosync/authkey, corosync-keygen is run to generate and write the key</li></ol>
</ol>
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
the local pcsd</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
also writes the remote host's entry to the remote pcsd</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
writes the node list entry into /etc/corosync/corosync.conf</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
if there is no /etc/corosync/authkey, corosync-keygen is run to generate and write the key</li></ol>
</ol>
</ol>
</ol>
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
On one of the intended cluster hosts... pcs cluster setup &lt;list of hosts&gt;</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
pcs(1) connects to the local pcsd(8) via a root-only writable Unix domain socket</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
allocates a random /etc/pacemaker/authkey</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
connects to each of the list of hosts via TLS and for each</li><ol start="1" style="margin-bottom:0cm">
<li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
presents the remote host's token from the previously set up known-hosts entry for authentication</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
presents the /etc/pacemaker/authkey if not yet on the remote host</li><li style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0);margin:0cm 0cm 0.0001pt">
sends the configuration data</li></ol>
</ol>
</ol>
<div style="margin:0cm 0cm 0.0001pt;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="margin:0cm 0cm 0.0001pt;font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Angelo</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
</div>
</div></blockquote></div>
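<div>The setup Peter describes leaves a handful of secrets on every node (the known-hosts token file, the corosync and pacemaker authkeys, the pcsd TLS key) and is meant to end with one pcsd certificate shared by all nodes. The script below is an added example, not code from the thread or from pcs: it audits those files' permissions and compares certificate fingerprints. The paths under /var/lib/pcsd (known-hosts, pcsd.key, pcsd.crt) are assumptions, and the node trees it checks are constructed samples so it runs offline.</div>

```shell
#!/bin/sh
# Added example (not pcs code): audit the secrets 'pcs host auth' and
# 'pcs cluster setup' leave on each node and confirm every node carries the
# same pcsd certificate. Paths under /var/lib/pcsd are assumptions; each check
# takes a ROOT prefix so it can run on the constructed sample tree built below.

# check_secret FILE -> 0 if FILE exists and is not group/world readable.
check_secret() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) echo "OK      $1 (mode $mode)" ;;
        *)       echo "LOOSE   $1 (mode $mode)"; return 1 ;;
    esac
}
# audit_node ROOT -> returns the number of secret files failing check_secret.
audit_node() {
    fails=0
    for f in var/lib/pcsd/known-hosts etc/corosync/authkey \
             etc/pacemaker/authkey var/lib/pcsd/pcsd.key; do
        check_secret "$1/$f" || fails=$((fails + 1))
    done
    return "$fails"
}
# cert_id ROOT -> sha256 of the node's pcsd certificate.
cert_id() { sha256sum "$1/var/lib/pcsd/pcsd.crt" | cut -d' ' -f1; }
# same_cert ROOT... -> 0 if every node holds an identical pcsd.crt.
same_cert() {
    first=$(cert_id "$1"); shift
    for r in "$@"; do [ "$(cert_id "$r")" = "$first" ] || return 1; done
}
# make_sample -> prints a temp dir with two constructed node trees; node2's
# pacemaker authkey is deliberately left world-readable so the audit flags it.
make_sample() {
    base=$(mktemp -d)
    for n in node1 node2; do
        for f in var/lib/pcsd/known-hosts etc/corosync/authkey etc/pacemaker/authkey \
                 var/lib/pcsd/pcsd.key var/lib/pcsd/pcsd.crt; do
            mkdir -p "$base/$n/$(dirname "$f")"
            echo "constructed-sample-$(basename "$f")" > "$base/$n/$f"
            chmod 600 "$base/$n/$f"
        done
    done
    chmod 644 "$base/node2/etc/pacemaker/authkey"
    echo "$base"
}
SAMPLE=$(make_sample)
audit_node "$SAMPLE/node1" || echo "node1: $? check(s) failed"
audit_node "$SAMPLE/node2" || echo "node2: $? check(s) failed"
same_cert "$SAMPLE/node1" "$SAMPLE/node2" && echo "pcsd certificate identical on all nodes"
```

On a real cluster, run audit_node with ROOT set to an empty string on each node (over ssh, for example) and compare the cert_id output across nodes.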