[Pacemaker] pacemaker-remote tls handshaking

David Vossel dvossel at redhat.com
Thu May 16 22:47:00 UTC 2013


----- Original Message -----
> From: "Lindsay Todd" <rltodd.ml1 at gmail.com>
> To: "The Pacemaker cluster resource manager" <Pacemaker at oss.clusterlabs.org>
> Sent: Thursday, May 16, 2013 3:44:09 PM
> Subject: [Pacemaker] pacemaker-remote tls handshaking
> 
> I've built pacemaker 1.1.10rc2 and am trying to get the pacemaker-remote
> features working on my Scientific Linux 6.4 system. It almost works...
> 
> The /etc/pacemaker/authkey file is on all the cluster nodes, as well as my
> test VM (readable to all users, and checksums are the same everywhere). I
> can connect via telnet to port 3121 of the VM.
>
> I even see the ghost node
> appear for my VM when I use either 'crm status' or 'pcs status'. (Aside:
> crmsh doesn't know about the new meta attributes for remote...)
> 
> But the communication isn't quite working. In my log I see:
> 
> May 16 15:58:34 cvmh04 crmd[4893]: warning: lrmd_tcp_connect_cb: Client tls handshake failed for server swbuildsl6:3121. Disconnecting
> May 16 15:58:34 swbuildsl6 pacemaker_remoted[2308]: error: lrmd_remote_client_msg: Remote lrmd tls handshake failed
> May 16 15:58:35 cvmh04 crmd[4893]: warning: lrmd_tcp_connect_cb: Client tls handshake failed for server swbuildsl6:3121. Disconnecting
> May 16 15:58:35 swbuildsl6 pacemaker_remoted[2308]: error: lrmd_remote_client_msg: Remote lrmd tls handshake failed
> 
> and it isn't long before pacemaker stops trying.
> 
> Is there some additional configuration I need?

Ah, you dared to try my new feature, and this is what you get! :D

It looks like you have it covered.  If you can telnet into the vm from the host (it should kick you off pretty quickly), then all the firewall rules are correct. I'm not sure what is going on.  The only thing I can think of is perhaps your gnutls version doesn't like that I'm using a non-blocking socket during the tls handshake.

I doubt this will make a difference, but here's the key I use during testing, lrmd:ce9db0bc3cec583d3b3bf38b0ac9ff91

Has anyone else had success or run into something similar yet?  I'll help investigate this next week. I'll be out of the office until Tuesday.

-- Vossel

> /Lindsay
> 