Hi all,

Currently, the Pacemaker Remote server always binds to the wildcard IP address, and always uses the same TLS cipher priority list (which can be configured at compile-time, and in some cases use the system-wide policy).

Some users want to restrict these for security hardening purposes. The upcoming Pacemaker 2.0.3 will support two new environment variables (in /etc/sysconfig/pacemaker, /etc/default/pacemaker, or wherever your distro keeps such things):

# If the Pacemaker Remote service is run on the local node, it will listen
# for connections on this address. The value may be a resolvable hostname or an
# IPv4 or IPv6 numeric address. When resolving names or using the default
# wildcard address (i.e. listen on all available addresses), IPv6 will be
# preferred if available. When listening on an IPv6 address, IPv4 clients will
# be supported (via IPv4-mapped IPv6 addresses).
# PCMK_remote_address="192.0.2.1"

# Use these GnuTLS cipher priorities for TLS connections. See:
#
# https://gnutls.org/manual/html_node/Priority-Strings.html
#
# Pacemaker will append ":+ANON-DH" for remote CIB access (when enabled) and
# ":+DHE-PSK:+PSK" for Pacemaker Remote connections, as they are required for
# the respective functionality.
# PCMK_tls_priorities="NORMAL"

In addition, bundles gain a new capability, since there's no equivalent of that file inside a container. You can already pass environment variables to a container via the bundle's "options" property, but those must be identical on all hosts. Now, if you mount a file from the host as /etc/pacemaker/pcmk-init.env inside the container (via the existing "storage-mapping" property), Pacemaker Remote inside the container will parse that file for NAME=VALUE pairs and set them as environment variables. This allows you to set not only PCMK_remote_address, but other Pacemaker environment variables such as PCMK_debug, to a different value for the container to use on each host.

The first release candidate is expected in a couple of weeks.

-- 
Ken Gaillot <[email protected]>
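The per-host workflow described in the post, as an added shell example (this is not code from the post or from Pacemaker itself): it writes the per-node pcmk-init.env file, models the NAME=VALUE parsing the container does with it, builds the priority string that Pacemaker Remote will actually hand to GnuTLS after its ":+DHE-PSK:+PSK" append, and adds the checks an operator would want before and after restarting (is the address configured on this host, does GnuTLS accept the priority string, is port 3121 bound to the intended address). Assumptions not stated in the post: that '#' comments and blank lines in pcmk-init.env are ignored (this script's own parser does that), that the pcs storage-map syntax in map_env_into_bundle() is the one pcs documents, and that 3121 is Pacemaker Remote's default TCP port.

```shell
#!/bin/sh
# Added example; not from the ClusterLabs post or the Pacemaker code base.
# Assumed here: '#' comments/blank lines are skipped in pcmk-init.env,
# the pcs "storage-map add" syntax below, and TCP port 3121 for
# Pacemaker Remote.

# Write the per-host file that will be mounted into the container.
# $1 = destination path, $2 = address or hostname, $3 = optional priority string.
write_pcmk_env() {
    dest=$1
    addr=$2
    prio=${3:-}
    echo "PCMK_remote_address=$addr" > "$dest"
    if [ -n "$prio" ]; then
        echo "PCMK_tls_priorities=$prio" >> "$dest"
    fi
}

# Model of what Pacemaker Remote does with the mounted file: each NAME=VALUE
# line becomes an environment variable.  VALUE is taken literally; comment
# and blank lines are skipped (an assumption of this parser, see above).
parse_env_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        export "$name=$value"
    done < "$1"
}

# Priority string Pacemaker Remote will hand to GnuTLS: the configured
# PCMK_tls_priorities (default NORMAL) plus the PSK suites the post says
# are appended for Pacemaker Remote connections.
effective_remote_priorities() {
    printf '%s:+DHE-PSK:+PSK\n' "${1:-NORMAL}"
}

# Pre-flight: does GnuTLS accept the resulting priority string at all?
check_priority_string() {
    if command -v gnutls-cli >/dev/null 2>&1; then
        gnutls-cli --list --priority "$1" >/dev/null
    else
        echo "gnutls-cli not installed; skipping priority check" >&2
    fi
}

# Pre-flight: is the address actually configured on this host?  Binding to
# an address the host does not have fails at startup.
address_is_local() {
    ip -o addr show 2>/dev/null | grep -q " $1/"
}

# Bundle wiring, run once on any node (assumed pcs syntax; the same host path
# must exist on every node, each with its own contents).
map_env_into_bundle() {
    pcs resource bundle update "$1" \
        storage-map add source-dir=/etc/pacemaker/pcmk-init.env \
                        target-dir=/etc/pacemaker/pcmk-init.env
}

# Post-restart check: the listener should appear only on the chosen address,
# not on 0.0.0.0 / [::].
show_remote_listener() {
    ss -ltn 'sport = :3121'
}

# Per-host usage, e.g. on the node that owns 192.0.2.1:
#   write_pcmk_env /etc/pacemaker/pcmk-init.env 192.0.2.1 NORMAL
#   address_is_local 192.0.2.1 || echo "192.0.2.1 not configured here" >&2
#   check_priority_string "$(effective_remote_priorities NORMAL)"
#   map_env_into_bundle my-bundle      # once, on any node
#   show_remote_listener               # after the bundle restarts
```

Note that the mounted file is read by Pacemaker Remote inside the container, so values such as PCMK_remote_address must make sense from the container's network namespace; with host networking that is the host's address as above.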
