[Pacemaker] SFEX resource agent
Lars Marowsky-Bree
lmb at suse.de
Sat Feb 21 15:49:51 UTC 2009
On 2009-02-20T21:07:51, Priyanka Ranjan <priyanka3rdfeb at gmail.com> wrote:
> can we create volumegroup or filesystem on this sfex device. i tried but
> the sfex daemon failed
No. But what you can do is to use one partition as a "lock" and make the
other resources depend on it.
> other thing i would like to ask is i understand that sfex daemon grants
> exclusive access of sfex device to a node (on which sfex is running) but
> even then some malicious application from other node can still access the
> sfex device right??
> from these malicious application i mean some other application which does
> not belong to cluster in anyways.
It is close to impossible to protect against malicious applications from
other cluster nodes. sfex, LVM exclusive activation, and SCSI2/SCSI3
reservations likewise can be broken - they must be able to be broken, or
else the cluster could never orchestrate a fail-over.
They protect against the cluster managers doing wrong things and provide
certain help with "trivial" admin errors. If someone side-steps this
protection, there always is a way.
If you go to that level of paranoia, you need to secure the cluster
against running untrusted applications through host-based security.
Regards,
Lars
--
Teamlead Kernel, SuSE Labs, Research and Development
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
More information about the Pacemaker
mailing list