On Mon, Feb 23, 2009 at 01:09:58PM -0600, David Teigland wrote: > On Mon, Feb 23, 2009 at 07:52:55PM +0100, Fabio M. Di Nitto wrote: > > What can stop a user to run fence_node -U from another node to do remote > > (un)fencing? > > It would work. Users can do anything they like, that's beside the point.
It would not work for scsi reservations. With scsi reservations, an unfence operation is as simple a registering with the device(s). It cannot be done remotely. A registration exists on an "IT nexus"; the relationship between initiator and target. Bottom line is that a remote node cannot register another node --- the registration (sg_persist command) has to be run on the node that wants to "unfence" itself.
