[ClusterLabs] Initial Setup

Angelo M Ruggiero via Users Fri, 16 Aug 2024 05:41:45 -0700

Hello,

I have been learning and playing with the pacemaker. Its great. We are going to 
use is in SAP R3/HANA on RHEL8 hopefully in the next few months.


I am trying to make sure I know how it works from a security point of view. As 
in my world I have to explain to security powers at be ....

So been looking at the man pages, netstatin,tcpdumping, lsofing etc and looking 
at the code even as far as i can.

Here is an initial sort of description what actually happens during the initial 
setup until all processes are up and "trusted" thereafter with resources is 
less of an issue.

I know it some how not exact enough. But I need some sort of pointers or some 
basic corrections then I will make it better. Happy to contribute something 
here if people think valuable.
I got some pics as well.

Just to be I do not have a problem it is all working.

So can someone help me to review the below.

  1.  packages pcs, pacemaker, corosync., ... installed on each host  hacluster 
password set and pcsd started
  2.  On one of the intended cluster hosts....pcs host add <list of hosts>
     *   pcs(1) connects to the local pcsd(8) via only root writable unix 
domain socket
     *   local pcsd connects to each remote host on port 2244 via TLS and 
configured cipher
        *   the remote pcsd via PAM requests uid, password authentication 
(hacluster and the above set passwd)
           *   if successfull the remote pcsd
              *   writes into the local /var/lib/pcsd/known_hosts its own entry
              *   writes the node list entry into the 
/etc/corosync/corosync.,conf
              *   if there is no /etc/corosync/authkey the corosync_keygen is 
running to generate and write the key
        *   the local pcsd
           *   writes also the remotes pcsd the remote hosts entry
              *   writes the node list entry into the 
/etc/corosync/corosync.,conf
              *   if there is no /etc/corosync/authkey the corosync_keygen is 
running to generate and write the key
  3.  On one of the intended cluster hosts... pcs cluster setup <list of hosts>
     *   pcs(1) connects to the local pcsd(8) via only root writable unix 
domain socket
     *   allocates a random /etc/pacemaker/authkey
     *   connects to each of the list of hosts via TLS and for each
        *   presents the remote host token from the previously setup known 
hosts entry for authentication
        *   presents the /etc/pacemaker/authkey if not yet on the remote host
        *   send the configuration data

Angelo

_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/

[ClusterLabs] Initial Setup

Reply via email to