<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, Jul 24, 2025 at 6:47 AM Pierre C. Dussault <<a href="mailto:pierrecharles.dussault@outlook.com">pierrecharles.dussault@outlook.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg2627270492963279607">
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Hi Reid,</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Thanks for the feedback and suggestions. Sorry for the delayed answer, I was away on vacation.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
For now I'll try to use SBD fencing since I haven't been able to figure out the issue. It definitely wasn't nftables since I disabled it prior to doing configurations. I haven't touched any of the configuration in Proxmox for AppArmor, so that's running in
its default settings. It seems some programs have an active profile in enforcing mode, but it doesn't seem like they are programs that would interact with KVM (although I may be wrong). I'll try to focus my efforts on SBD fencing and I'll circle back to fence_xvm
once I get it working with SBD.</div></div></div></blockquote><div><br></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">If you have a single hypervisor where you have access to - some sort of at least - going with SBD will</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">probably give you more issues than it will help you.</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">I'm using SBD on qemu-kvm either with i6300 or q35 virtual watchdog both for watchdog-fencing</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">and for poison-pill-fencing. Good thing is that with qemu-kvm (guess proxmox is still running</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">on top of qemu-kvm) you have at least a proper virtual watchdog (e.g.</font><span style="color:rgb(0,0,0);font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:medium"> </span>&lt;watchdog model='i6300esb' action='reset'/&gt;</div>
<div><span style="color:rgb(0,0,0);font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:medium">in the &lt;devices&gt;) For the case you wanna go </span><span style="color:rgb(0,0,0);font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:medium">with poison-pill-fencing that works well using a</span></div>
<div><span style="color:rgb(0,0,0);font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:medium">shared disk-image - no need for setting up an iSCSI-target or something - using something like</span></div>
<div><pre>&lt;disk type='file' device='disk'&gt;
  &lt;driver name='qemu' type='raw' cache='none'/&gt;
  &lt;source file='SHARED_IMAGE_FILE_A'/&gt;
  &lt;target dev='sdb' bus='scsi'/&gt;
  &lt;serial&gt;SBD-A&lt;/serial&gt;
  &lt;shareable/&gt;
&lt;/disk&gt;</pre></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">But again I would encourage you to try something different unless you need any of the</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">points where SBD shines. I'm using it in this kind of environment as I'm working</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">on SBD development.</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3"><br></font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">Regards,</font></div>
<div><font color="#000000" face="Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif" size="3">Klaus</font></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg2627270492963279607"><div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Thanks again,</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Pierre</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_2627270492963279607appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_2627270492963279607divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Reid Wahl <<a href="mailto:nwahl@redhat.com" target="_blank">nwahl@redhat.com</a>><br>
<b>Sent:</b> Thursday, July 10, 2025 4:44 PM<br>
<b>To:</b> Cluster Labs - All topics related to open-source clustering welcomed <<a href="mailto:users@clusterlabs.org" target="_blank">users@clusterlabs.org</a>>; <a href="mailto:pierrecharles.dussault@outlook.com" target="_blank">pierrecharles.dussault@outlook.com</a> <<a href="mailto:pierrecharles.dussault@outlook.com" target="_blank">pierrecharles.dussault@outlook.com</a>><br>
<b>Subject:</b> Re: [ClusterLabs] Fencing agent fence_xvm using multicast</font>
<div> </div>
</div>
<div><font size="2"><span style="font-size:11pt">
<div>On Mon, Jul 7, 2025 at 12:12 PM Pierre C. Dussault<br>
<<a href="mailto:pierrecharles.dussault@outlook.com" target="_blank">pierrecharles.dussault@outlook.com</a>> wrote:<br>
><br>
> Hi all,<br>
><br>
> I am trying to get a working fencing device on a single Proxmox 8 host (not using the Proxmox tools) with fence_virtd and fence_virt/xvm. I can't get the command<br>
> # fence_xvm -o list<br>
> to output anything, it keeps failing via timeout despite many attempts at finding the fault. The exact return message is:<br>
> Timed out waiting for response<br>
> Operation failed<br>
><br>
> I am trying to configure it using the multicast Listener with the Libvirt backend. All settings were left to defaults except the listening interface which was set to the Linux bridge connecting the host and the guests. The fence_xvm.key file was copied in
the /etc/cluster/ directory on the host and on the guests.<br>
><br>
> I followed this: <a href="https://projects.clusterlabs.org/w/fencing/guest_fencing/" target="_blank">
https://projects.clusterlabs.org/w/fencing/guest_fencing/</a> which didn't work,<br>
> then this: <a href="https://kevwells.com/it-knowledge-base/how-to-install-cluster-fencing-using-libvert-on-kvm-virtual-machines/" target="_blank">
https://kevwells.com/it-knowledge-base/how-to-install-cluster-fencing-using-libvert-on-kvm-virtual-machines/</a> which also didn't work.<br>
><br>
> I read the man pages for fence_virt, fence_xvm, fence_virtd and fence_virt.conf.<br>
> I read the README and doc files in "agents/virt" and "agent/virt/docs" from the source repository.<br>
><br>
> I am at a loss here. Is there a better guide out there (or more up to date)?<br>
><br>
> Thanks.<br>
> _______________________________________________<br>
> Manage your subscription:<br>
> <a href="https://lists.clusterlabs.org/mailman/listinfo/users" target="_blank">https://lists.clusterlabs.org/mailman/listinfo/users</a><br>
><br>
> ClusterLabs home: <a href="https://www.clusterlabs.org/" target="_blank">https://www.clusterlabs.org/</a><br>
<br>
Can you try with the firewall disabled on both the host and the<br>
guests? If it works, then we know it's a firewall issue. You probably<br>
need to allow traffic through 1229/udp on the host, in addition to<br>
1229/tcp on the guests, if you are not already doing so. (Not sure if<br>
1229/tcp is needed on the host.)<br>
<br>
You can also try with SELinux (or AppArmor or whatever) disabled or<br>
not-enforcing.<br>
<br>
I haven't configured or troubleshot fence_xvm or fence_virt in a long<br>
time. Firewall issues have been the most common problem for me though.<br>
<br>
-- <br>
Regards,<br>
<br>
Reid Wahl (He/Him)<br>
Senior Software Engineer, Red Hat<br>
RHEL High Availability - Pacemaker<br>
<br>
</div>
</span></font></div>
</div>
</div></blockquote></div></div>
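<div>Added example, not part of the thread and not ClusterLabs code: a Python check that a libvirt domain definition carries the virtual watchdog and the shared raw disk described in Klaus's reply before SBD is configured inside the guest. The sample domain XML is constructed, and the function name check_sbd_prereqs and its default serial are assumptions made for this example.</div>

```python
import xml.etree.ElementTree as ET

# Constructed sample domain (not from the thread); the watchdog and disk
# elements mirror the snippets quoted in the reply above.
SAMPLE_DOMAIN = """\
<domain type='kvm'>
  <name>node1</name>
  <devices>
    <watchdog model='i6300esb' action='reset'/>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='SHARED_IMAGE_FILE_A'/>
      <target dev='sdb' bus='scsi'/>
      <serial>SBD-A</serial>
      <shareable/>
    </disk>
  </devices>
</domain>
"""

def check_sbd_prereqs(domain_xml, sbd_serial="SBD-A"):
    """Return findings; an empty list means the guest matches the snippets."""
    devices = ET.fromstring(domain_xml).find("devices")
    if devices is None:
        return ["no <devices> section"]
    findings = []
    wd = devices.find("watchdog")
    if wd is None:
        findings.append("no virtual watchdog device defined")
    elif wd.get("action", "reset") != "reset":  # libvirt defaults to reset
        findings.append(f"watchdog action is {wd.get('action')!r}, not 'reset'")
    disk = next((d for d in devices.findall("disk")
                 if d.findtext("serial") == sbd_serial), None)
    if disk is None:
        # Acceptable for watchdog-only fencing; poison-pill needs the disk.
        return findings + [f"no disk with serial {sbd_serial!r}"]
    drv = disk.find("driver")
    if disk.find("shareable") is None:
        findings.append("SBD disk lacks <shareable/>")
    if drv is None or drv.get("cache") != "none":
        findings.append("SBD disk driver differs from cache='none'")
    if drv is None or drv.get("type") != "raw":
        findings.append("SBD disk image is not type='raw'")
    return findings

if __name__ == "__main__":
    for line in check_sbd_prereqs(SAMPLE_DOMAIN) or ["ok"]:
        print(line)
```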