[Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1

senrabdet at aol.com senrabdet at aol.com
Wed Mar 6 10:05:47 EST 2013 

Thanks Lars - will digest your response a bit, get back - appreciate the help!
 

 

 

-----Original Message-----
From: Lars Ellenberg <lars.ellenberg at linbit.com>
To: pacemaker <pacemaker at oss.clusterlabs.org>
Sent: Wed, Mar 6, 2013 5:40 am
Subject: Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1


On Mon, Mar 04, 2013 at 04:27:24PM -0500, senrabdet at aol.com wrote:
> Hi All:
> 
> We're new to pacemaker (just got some great help from this forum
> getting it working with LVM as backing device), and would like to
> explore the Physical Volume option. We're trying configure on top of
> an existing Encrypted RAID1 set up and employ LVM.
> 
> NOTE:  our goal is to run many virtual servers, each in its own
> logical volume and it looks like putting LVM on top of the DRBD would
> allow us to add logical volumes "on the fly", but also have a
> "simpler" setup with one drbd device for all the logical volumes and
> one related pacemaker config.  Hence, exploring DRBD as a physical
> volume.


A single DRBD has a single "activity log",
running "many virtual servers" from there will very likely cause
the "worst possible" workload (many totally random writes).

You really want to use DRBD 8.4.3,
see https://blogs.linbit.com/p/469/843-random-writes-faster/
for why.


> Q:  For pacemaker to work, how do we do the DRBD disk/device mapping
> in the drbd.conf file?  And should we set things up and encrypt last,
> or can we apply DRBD and Pacemaker to an existing Encypted RAID1
> setup?


Neither Pacemaker nor DRBD do particularly care.

If you want to stack the encryption layer on top of DRBD, fine.
(you'd probably need to teach some pacemaker resource agent to "start"
the encryption layer).

If you want to stack DRBD on top of the encryption layer, just as fine.

Unless you provide the decryption key in plaintext somewhere, failover
will likely be easier to automate if you have DRBD on top of encryption,
so if you want the real device encrypted, I'd recommend to put
encryption below DRBD.

Obviously, the DRBD replication traffic will still be "plaintext" in
that case.

> The examples we've seen show mapping between the drbd device and a
> physical disk (e.g., sdb) in the drbd.conf, and then  "pvcreate
> /dev/drbdnum" and creating a volume group and logical volume on the
> drbd device.
> 
> So for this type of set up, drbd.conf might look like:
> 
> device    /dev/drbd1;    
> disk      /dev/sdb;
> address xx.xx.xx.xx:7789;
>     meta-disk internal;
> 
> In our case, because we have an existing RAID1 (md2) and it's
> encrypted (md2_crypt or /dev/dm-7 ...  we're unsure which partition
> actually has the data), any thoughts on how to do the DRBD mapping?
> E.g., 
> 
> device /dev/drbd1 minor 1;
> disk /dev/???????;
> address xx.xx.xx.xx:7789; 
> meta-disk internal;
> 
> I.e., what goes in the "disk /dev/?????;"?  Would it be "disk 
/dev/md2_crypt;"?

Yes.

> And can we do our setup on an existing Encrypted RAID1 setup

Yes.

> (if we do pvcreate on drbd1, we get errors)?

Huh?

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.

_______________________________________________
Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/pacemaker/attachments/20130306/c49a6b1a/attachment-0003.html>

More information about the Pacemaker mailing list