Serge, I did double check that the pacemaker processes were running under hacluster/haclient uid/gid. I will double check for my own sanity (I may have seen one running as root). However, according to the pacemaker docs that I referenced above, root and hacluster users should always have full access (which is somewhat in conflict with the INSTALL file you reference):
> Users are regular UNIX users, so the same user accounts must be present on
> all nodes in the cluster.
>
> All user accounts must be in the haclient group.
>
> Pacemaker 1.1.5 or newer must be installed on all cluster nodes.
>
> The CIB must be configured to use the pacemaker-1.1 or 1.2 schema. This can
> be set by running:
>
> cibadmin --modify --xml-text '<cib validate-with="pacemaker-1.1"/>'
> The enable-acl option must be set. If ACLs are not explicitly enabled, the
> previous behaviour will be used (i.e. all users in the haclient group have
> full access):
>
> crm configure property enable-acl=true
> Once this is done, ACLs can be configured as described below.
>
> Note that the root and hacluster users will always have full access.
>
> If nonprivileged users will be using the crm shell and CLI tools (as opposed
> to only using Hawk or the Python GUI) they will need to have /usr/sbin added
> to their path.

If it were a necessity to add the ACL entry, then I would have expected that the hacluster charm code would always have needed this requirement and pacemaker should have always denied access. Additionally, since the charm has done no configuration of the ACLs, I would expect all nodes to get denied or allowed the same. Instead, what has been observed is that *some* of the nodes in the cluster have the pacemaker process successfully communicate with the corosync process, while others get this invalid credentials error that is seen.

I've already proposed a change (which has been merged into the /next branches of the hacluster charm) which incorporates JuanJo's comments (thank you JuanJo!) by explicitly defining the ACL entry, but would like to better understand why the behavior is inconsistent.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1439649

Title: Pacemaker unable to communicate with corosync on restart under lxc
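As an added illustration (not part of the original message and not code from Pacemaker or the hacluster charm), the following Python sketch audits a CIB dump against the ACL prerequisites quoted above and reports the access a given user should expect. The sample CIB, the function names and the result labels are constructed for this example; the nvpair location follows the standard CIB layout.

```python
import xml.etree.ElementTree as ET

ACL_SCHEMAS = {"pacemaker-1.1", "pacemaker-1.2"}  # schemas named in the quoted docs
ALWAYS_FULL = {"root", "hacluster"}               # "will always have full access"
TRUE_VALUES = {"true", "yes", "on", "y", "1"}     # boolean spellings treated as true

# Constructed sample CIB (not taken from the bug report).
SAMPLE_CIB = """<cib validate-with="pacemaker-1.2">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-enable-acl" name="enable-acl" value="true"/>
      </cluster_property_set>
    </crm_config>
  </configuration>
</cib>"""


def acl_state(cib_xml):
    """Return (schema_ok, acl_enabled) for a CIB XML dump."""
    root = ET.fromstring(cib_xml)
    schema_ok = root.get("validate-with") in ACL_SCHEMAS
    enabled = False
    path = "configuration/crm_config/cluster_property_set/nvpair"
    for nv in root.iterfind(path):
        if nv.get("name") == "enable-acl":
            enabled = nv.get("value", "").strip().lower() in TRUE_VALUES
    return schema_ok, enabled


def expected_access(user, groups, cib_xml):
    """Classify the access the quoted documentation implies for one user.

    Labels are hypothetical: 'full', 'not-eligible', 'full-legacy',
    'check-schema' (enable-acl set but schema prerequisite unmet),
    'acl-governed'.
    """
    if user in ALWAYS_FULL:
        return "full"
    if "haclient" not in groups:
        return "not-eligible"      # docs: all accounts must be in haclient
    schema_ok, enabled = acl_state(cib_xml)
    if not enabled:
        return "full-legacy"       # previous behaviour: haclient has full access
    if not schema_ok:
        return "check-schema"      # the docs do not say what happens here
    return "acl-governed"


if __name__ == "__main__":
    for user, groups in [("root", []), ("hacluster", ["haclient"]),
                         ("alice", ["haclient"]), ("bob", ["users"])]:
        print(user, expected_access(user, groups, SAMPLE_CIB))
```

Running the same check against the output of `cibadmin --query` on every node shows whether the nodes agree on the schema and the enable-acl setting.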
