Re: [ClusterLabs] Unable to create HAProxy resource: no such resource agent

2016-03-11 Thread Ken Gaillot
On 03/11/2016 03:25 PM, Matthew Mucker wrote:
> I found the problem. When I used wget to retrieve the file, I was actually 
> downloading an HTML error page from my proxy server instead of the intended 
> file.
> 
> 
> Oops.

:-) I've done that before too ...

> 
> 
> 
> 
> I've created a Pacemaker cluster and have created a virtual IP address 
> resource that works properly. I am now attempting to add HAProxy as a 
> resource and I'm having problems.
> 
> 
> - I installed HAProxy on all nodes of the cluster
> 
> - I downloaded http://github.com/russki/cluster-agents/raw/master/haproxy to 
> /usr/lib/ocf/resource.d/heartbeat/haproxy on each node
> 
> - I ran chmod 755 on /usr/lib/ocf/resource.d/heartbeat/haproxy on each node
> 
> - I configured HAProxy.cfg on each node
> 
> - I edited /etc/default/haproxy to enable haproxy
> 
> - I've tested and confirmed that HAProxy will start as a service on the node 
> hosting the virtual IP address
> 
> 
> However, when I run the command:
> 
> 
> crm configure primitive haproxy ocf:heartbeat:haproxy op monitor interval=15s
> 
> 
> I get output:
> 
> 
> ERROR: None
> ERROR: ocf:heartbeat:haproxy: meta-data contains no resource-agent element
> ERROR: None
> ERROR: ocf:heartbeat:haproxy: meta-data contains no resource-agent element
> ERROR: ocf:heartbeat:haproxy: no such resource agent
> 
> 
> I've been unable to find a solution to this problem in the searching I've 
> done online. Does anyone have any idea what the cause and the solution to 
> this problem might be?
> 
> 
> Thanks,
> 
> 
> -Matthew


___
Users mailing list: Users@clusterlabs.org
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
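
The failure resolved in this thread, an HTML proxy error page saved where the resource agent should be, can be caught before the file is installed. The following is an added example, not part of the thread or of any project's code; `check_agent`, `make_samples` and the sample file contents are constructed for illustration, and the static check assumes the agent embeds its meta-data XML in the script itself.

```shell
#!/bin/sh
# Added example (not from the thread): vet a downloaded OCF resource agent
# before it is copied under /usr/lib/ocf/resource.d/.
# check_agent FILE [SHA256] prints a verdict and returns 0 only for "ok".
check_agent() {
    file=$1
    want_sha=${2:-}
    [ -s "$file" ] || { echo "empty-or-missing"; return 1; }
    # A proxy or web-server error page starts with HTML, not an interpreter line.
    if head -n 5 "$file" | grep -qiE '<!doctype html|<html'; then
        echo "html-page"; return 1
    fi
    case $(head -n 1 "$file") in
        '#!'*) ;;
        *) echo "no-shebang"; return 1 ;;
    esac
    # Assumption: the agent embeds its meta-data XML inline, as shell agents
    # usually do. Checked statically so the file is never executed here.
    grep -q '<resource-agent' "$file" || { echo "no-resource-agent-element"; return 1; }
    # Optional pin: SHA-256 of a copy that was reviewed beforehand.
    if [ -n "$want_sha" ]; then
        got=$(sha256sum "$file" | cut -d' ' -f1)
        [ "$got" = "$want_sha" ] || { echo "checksum-mismatch"; return 1; }
    fi
    echo "ok"
}

# Constructed sample inputs: a proxy error page and a minimal agent skeleton.
make_samples() {
    dir=$1
    printf '%s\n' '<!DOCTYPE html>' \
        '<html><body>407 Proxy Authentication Required</body></html>' > "$dir/proxy_error"
    cat > "$dir/agent" <<'EOF'
#!/bin/sh
meta_data() {
cat <<END
<?xml version="1.0"?>
<resource-agent name="haproxy"><version>1.0</version></resource-agent>
END
}
case "$1" in meta-data) meta_data ;; esac
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_samples "$tmp"
    check_agent "$tmp/proxy_error" || true; check_agent "$tmp/agent"
    rm -rf "$tmp"
fi
```

Fetching the agent over HTTPS and pinning the checksum of a reviewed copy matters here because the file is executed as root by the cluster on every node.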


Re: [ClusterLabs] Unable to create HAProxy resource: no such resource agent

2016-03-11 Thread Ken Gaillot
On 03/11/2016 02:18 PM, Matthew Mucker wrote:
> I've created a Pacemaker cluster and have created a virtual IP address 
> resource that works properly. I am now attempting to add HAProxy as a 
> resource and I'm having problems.
> 
> 
> - I installed HAProxy on all nodes of the cluster
> 
> - I downloaded http://github.com/russki/cluster-agents/raw/master/haproxy to 
> /usr/lib/ocf/resource.d/heartbeat/haproxy on each node
> 
> - I ran chmod 755 on /usr/lib/ocf/resource.d/heartbeat/haproxy on each node
> 
> - I configured HAProxy.cfg on each node
> 
> - I edited /etc/default/haproxy to enable haproxy

FYI, this file will be ignored when the service is managed by the
cluster (unless the RA specifically reads it, which I've rarely seen).
That won't cause any problems, but any desired settings should be made
in the resource's cluster configuration rather than here.

> - I've tested and confirmed that HAProxy will start as a service on the node 
> hosting the virtual IP address

So far, so good. Good prep work.

> 
> However, when I run the command:
> 
> 
> crm configure primitive haproxy ocf:heartbeat:haproxy op monitor interval=15s
> 
> 
> I get output:
> 
> 
> ERROR: None
> ERROR: ocf:heartbeat:haproxy: meta-data contains no resource-agent element
> ERROR: None
> ERROR: ocf:heartbeat:haproxy: meta-data contains no resource-agent element
> ERROR: ocf:heartbeat:haproxy: no such resource agent
> 
> 
> I've been unable to find a solution to this problem in the searching I've 
> done online. Does anyone have any idea what the cause and the solution to 
> this problem might be?

What does this command return:

crm_resource --show-metadata ocf:heartbeat:haproxy

> 
> Thanks,
> 
> 
> -Matthew




Re: [ClusterLabs] pacemaker remote configuration on ubuntu 14.04

2016-03-11 Thread Ken Gaillot
On 03/10/2016 11:36 PM, Сергей Филатов wrote:
> This one is the right log

Something in the cluster configuration and state (for example, an
unsatisfied constraint) is preventing the cluster from starting the
resource:

Mar 10 04:00:53 [11785] controller-1.domain.com pengine: info: native_print: compute-1 (ocf::pacemaker:remote): Stopped
Mar 10 04:00:53 [11785] controller-1.domain.com pengine: info: native_color: Resource compute-1 cannot run anywhere


> 
> 
> 
>> On 10 Mar 2016, at 08:17, Сергей Филатов wrote:
>>
>> pcs resource show compute-1
>>
>>  Resource: compute-1 (class=ocf provider=pacemaker type=remote)
>>  Operations: monitor interval=60s (compute-1-monitor-interval-60s)
>>
>> Can’t find _start_0 template in pacemaker logs
>> I don’t have ipv6 address for remote node, but I guess it should be
>> listening on both
>>
>> attached pacemaker.log for cluster node
>> 
>>
>>
>>> On 09 Mar 2016, at 10:23, Ken Gaillot wrote:
>>>
>>> On 03/08/2016 11:38 PM, Сергей Филатов wrote:
>>>> ssh -p 3121 compute-1
>>>> ssh_exchange_identification: read: Connection reset by peer
>>>>
>>>> That’s what I get in /var/log/pacemaker.log after restarting
>>>> pacemaker_remote:
>>>> Mar 09 05:30:27 [28031] compute-1.domain.com lrmd: info: crm_signal_dispatch: Invoking handler for signal 15: Terminated
>>>> Mar 09 05:30:27 [28031] compute-1.domain.com lrmd: info: lrmd_shutdown: Terminating with 0 clients
>>>> Mar 09 05:30:27 [28031] compute-1.domain.com lrmd: info: qb_ipcs_us_withdraw: withdrawing server sockets
>>>> Mar 09 05:30:27 [28031] compute-1.domain.com lrmd: info: crm_xml_cleanup: Cleaning up memory from libxml2
>>>> Mar 09 05:30:27 [28193] compute-1.domain.com lrmd: info: crm_log_init: Changed active directory to /var/lib/heartbeat/cores/root
>>>> Mar 09 05:30:27 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: lrmd
>>>> Mar 09 05:30:27 [28193] compute-1.domain.com lrmd:   notice: lrmd_init_remote_tls_server: Starting a tls listener on port 3121.
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd:   notice: bind_and_listen: Listening on address ::
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: cib_ro
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: cib_rw
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: cib_shm
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: attrd
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: stonith-ng
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: qb_ipcs_us_publish: server name: crmd
>>>> Mar 09 05:30:28 [28193] compute-1.domain.com lrmd: info: main: Starting
>>>
>>> It looks like the cluster is not even trying to connect to the remote
>>> node. pacemaker_remote here is binding only to IPv6, so the cluster will
>>> need to contact it on that address.
>>>
>>> What is your ocf:pacemaker:remote resource configuration?
>>>
>>> Check your cluster node logs for the start action -- if your resource is
>>> named R, the start action will be R_start_0. There will be two nodes of
>>> interest: the node assigned the remote node resource, and the DC.
>>>
>>>> I got only pacemaker-remote resource-agents pcs installed, so no
>>>> /etc/default/pacemaker file on remote node
>>>> selinux is disabled and I specifically opened firewall on 2224, 3121 and
>>>> 21064 tcp and 5405 udp
>>>>
>>>>> On 08 Mar 2016, at 08:51, Ken Gaillot wrote:
>>>>>
>>>>> On 03/07/2016 09:10 PM, Сергей Филатов wrote:
>>>>>> Thanks for an answer. Turned out the problem was not in ipv6.
>>>>>> Remote node is listening on 3121 port and its name is resolving fine.
>>>>>> Got authkey file at /etc/pacemaker on both remote and cluster nodes.
>>>>>> What can I check in addition? Is there any walkthrough for 

Re: [ClusterLabs] Security with Corosync

2016-03-11 Thread Nikhil Utane
Perfect. Thanks for the quick response Honza.

Cheers
Nikhil

On Fri, Mar 11, 2016 at 4:10 PM, Jan Friesse  wrote:

> Nikhil,
>
> Nikhil Utane wrote:
>
>> Hi,
>>
>> I changed some configuration and captured packets. I can see that the data
>> is already garbled and not in the clear.
>> So does corosync already have this built-in?
>> Can somebody provide more details as to what all security features are
>> incorporated?
>>
>
> See man page corosync.conf(5) options crypto_hash, crypto_cipher (for
> corosync 2.x) and potentially secauth (for corosync 1.x and 2.x).
>
> Basically corosync by default uses aes256 for encryption and sha1 for hmac
> authentication.
>
> Pacemaker uses corosync cpg API so as long as encryption is enabled in the
> corosync.conf, messages interchanged between nodes are encrypted.
>
> Regards,
>   Honza
>
>
>> -Thanks
>> Nikhil
>>
>> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane <
>> nikhil.subscri...@gmail.com>
>> wrote:
>>
>> Hi,
>>>
>>> Does corosync provide mechanism to secure the communication path between
>>> nodes of a cluster?
>>> I would like all the data that gets exchanged between all nodes to be
>>> encrypted.
>>>
>>> A quick google threw up this link:
>>> https://github.com/corosync/corosync/blob/master/SECURITY
>>>
>>> Can I make use of it with pacemaker?
>>>
>>> -Thanks
>>> Nikhil
>>>
>>>
>>>


Re: [ClusterLabs] Security with Corosync

2016-03-11 Thread Jan Friesse

Nikhil,

Nikhil Utane wrote:
> Hi,
>
> I changed some configuration and captured packets. I can see that the data
> is already garbled and not in the clear.
> So does corosync already have this built-in?
> Can somebody provide more details as to what all security features are
> incorporated?

See man page corosync.conf(5) options crypto_hash, crypto_cipher (for
corosync 2.x) and potentially secauth (for corosync 1.x and 2.x).

Basically corosync by default uses aes256 for encryption and sha1 for
hmac authentication.

Pacemaker uses corosync cpg API so as long as encryption is enabled in
the corosync.conf, messages interchanged between nodes are encrypted.

Regards,
  Honza

> -Thanks
> Nikhil
>
> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane
> wrote:
>
>> Hi,
>>
>> Does corosync provide mechanism to secure the communication path between
>> nodes of a cluster?
>> I would like all the data that gets exchanged between all nodes to be
>> encrypted.
>>
>> A quick google threw up this link:
>> https://github.com/corosync/corosync/blob/master/SECURITY
>>
>> Can I make use of it with pacemaker?
>>
>> -Thanks
>> Nikhil







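The options named in the reply above (crypto_cipher, crypto_hash, secauth) live in the totem section of corosync.conf, so each node's file can be checked for a setting that explicitly turns protection off. The following is an added example, not part of the thread or of corosync itself; `totem_opt`, `crypto_findings` and the sample configuration are constructed for illustration, and options that are not set at all are left to the defaults of the installed version.

```shell
#!/bin/sh
# Added example (not from the thread): list explicit totem crypto settings in
# a corosync.conf that switch protection off. Option names are those named in
# the reply (see corosync.conf(5)); the sample configuration is constructed.

# totem_opt FILE KEY -> value of KEY at the top level of totem { } (empty if unset)
totem_opt() {
    awk -v key="$2" '
        /^[ \t]*#/             { next }
        /^[ \t]*totem[ \t]*\{/ { inside = 1; depth = 1; next }
        inside && /\{/         { depth++; next }
        inside && /\}/         { if (--depth == 0) inside = 0; next }
        inside && depth == 1 {
            n = split($0, kv, ":"); if (n < 2) next
            k = kv[1]; v = kv[2]
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# crypto_findings FILE -> one "review:" line per explicit setting that disables
# encryption or authentication; prints "none-found" and returns 0 otherwise.
crypto_findings() {
    found=0
    for key in crypto_cipher crypto_hash secauth; do
        val=$(totem_opt "$1" "$key")
        case "$key=$val" in
            crypto_cipher=none|crypto_hash=none|secauth=off)
                echo "review: $key is $val"; found=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then echo "none-found"; fi
    return "$found"
}

# Constructed sample configuration (not taken from any real cluster).
sample_conf() {
    cat <<'EOF'
totem {
    version: 2
    crypto_cipher: aes256
    crypto_hash: sha1
    interface {
        ringnumber: 0
    }
}
EOF
}
```

Running `crypto_findings /etc/corosync/corosync.conf` on every node and comparing the output shows whether any node's configuration disables the encryption the other nodes expect.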

Re: [ClusterLabs] Security with Corosync

2016-03-11 Thread Nikhil Utane
Hi,

I changed some configuration and captured packets. I can see that the data
is already garbled and not in the clear.
So does corosync already have this built-in?
Can somebody provide more details as to what all security features are
incorporated?

-Thanks
Nikhil

On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane 
wrote:

> Hi,
>
> Does corosync provide mechanism to secure the communication path between
> nodes of a cluster?
> I would like all the data that gets exchanged between all nodes to be
> encrypted.
>
> A quick google threw up this link:
> https://github.com/corosync/corosync/blob/master/SECURITY
>
> Can I make use of it with pacemaker?
>
> -Thanks
> Nikhil
>
>