[Pacemaker] authentication in the cluster

Christine Caulfield ccaulfie at redhat.com
Tue Jan 27 16:32:48 UTC 2015


On 27/01/15 15:56, Kostiantyn Ponomarenko wrote:
> Hi all,
> 
> Here is a situation - there are two "two-node" clusters.
> They have totally identical configuration.
> Nodes in the clusters are connected directly, without any switches.
> 

You can't connect clusters together like that. All nodes in the cluster
have just 1 authkey file. Also, corosync clusters are a ring, even if
you have two nodes. What you have there is not a ring, it's err, a
linked-cross?!

Why do you need to connect the two clusters together - is it for
failover? There must be a better way of achieving what you need, have a
look for 'stretch clusters' (not my speciality TBH) if they are at
separate sites. If you just want to run resources outside of the cluster
then pacemaker_remote might be more useful.

If it's just for isolation of resources then pacemaker can do that
anyway so you don't need to partition the cluster like that.

If you can explain just why you think you need this system we might be
able to come up with something that will work :)

Chrissie

> totem {
> version: 2
> 
> cluster_name: mycluster
> transport: udpu
> 
> crypto_hash: sha256
> crypto_cipher: none
> rrp_mode: passive
> }
> 
> nodelist {
> node {
> name: node-a
> nodeid: 1
> ring0_addr: 169.254.0.2
> ring1_addr: 169.254.1.2
> }
> 
> node {
> name: node-b
> nodeid: 2
> ring0_addr: 169.254.0.3
> ring1_addr: 169.254.1.3
> }
> }
> 
> The only difference between those two clusters is authentication key (
> /etc/corosync/authkey ) - it is different for both clusters.
> 
> QUESTION:
> ------------------
> What will be the behavior if the next mess in connection occurs:
> "ring1_addr" of node-a (cluster-A) is connected to "ring1_addr" of node-b
> (cluster-B)
> "ring1_addr" of node-a (cluster-B) is connected to "ring1_addr" of node-b
> (cluster-A)
> 
> I attached a pic which shows the connections.
> 
> My actual goal - do not let the clusters work in such case.
> To achieve it, I decided to use "authentication key" mechanism.
> But I don't know the result in the situation which I described ... .
> 
> Thank you,
> Kostya
> 
> 
> 
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
> 
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
> 





More information about the Pacemaker mailing list