[ClusterLabs] Security with Corosync

Nikhil Utane nikhil.subscribed at gmail.com
Sat Mar 12 11:48:09 CET 2016


Follow-up question.
I noticed that secauth was turned off in my corosync.conf file. I enabled
it on all 3 nodes and restarted the cluster. Everything was working fine.
However I just noticed that I had forgotten to copy the authkey to one of
the nodes. It is present on 2 nodes but not the third. And I did a failover
and the third node took over without any issue.
How is the 3rd node participating in the cluster if it doesn't have the
authkey?

On Fri, Mar 11, 2016 at 4:15 PM, Nikhil Utane <nikhil.subscribed at gmail.com>
wrote:

> Perfect. Thanks for the quick response Honza.
>
> Cheers
> Nikhil
>
> On Fri, Mar 11, 2016 at 4:10 PM, Jan Friesse <jfriesse at redhat.com> wrote:
>
>> Nikhil,
>>
>> Nikhil Utane wrote:
>>
>>> Hi,
>>>
>>> I changed some configuration and captured packets. I can see that the
>>> data is already garbled and not in the clear.
>>> So does corosync already have this built-in?
>>> Can somebody provide more details as to what all security features are
>>> incorporated?
>>>
>>
>> See man page corosync.conf(5) options crypto_hash, crypto_cipher (for
>> corosync 2.x) and potentially secauth (for corosync 1.x and 2.x).
>>
>> Basically corosync by default uses aes256 for encryption and sha1 for
>> hmac authentication.
>>
>> Pacemaker uses corosync cpg API so as long as encryption is enabled in
>> the corosync.conf, messages interchanged between nodes are encrypted.
>>
>> Regards,
>>   Honza
>>
>>
>>> -Thanks
>>> Nikhil
>>>
>>> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane <
>>> nikhil.subscribed at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Does corosync provide mechanism to secure the communication path between
>>>> nodes of a cluster?
>>>> I would like all the data that gets exchanged between all nodes to be
>>>> encrypted.
>>>>
>>>> A quick google threw up this link:
>>>> https://github.com/corosync/corosync/blob/master/SECURITY
>>>>
>>>> Can I make use of it with pacemaker?
>>>>
>>>> -Thanks
>>>> Nikhil
>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list: Users at clusterlabs.org
>>> http://clusterlabs.org/mailman/listinfo/users
>>>
>>> Project Home: http://www.clusterlabs.org
>>> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>> Bugs: http://bugs.clusterlabs.org
>>>
>>>
>>
>
>
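A consistency check for the situation described in this message (secauth enabled, authkey copied to only some of the nodes), as an added example that is not part of the original thread or of corosync itself. It assumes each node's corosync.conf text and authkey bytes have already been collected for comparison; the node names, sample contents and the `totem_options` and `audit` helpers are constructed for illustration.

```python
import hashlib

CRYPTO_KEYS = ("secauth", "crypto_cipher", "crypto_hash")

def totem_options(conf_text):
    """Return the options set directly inside the totem { } block."""
    opts, depth, in_totem = {}, 0, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
            if depth == 1:
                in_totem = line[:-1].strip() == "totem"
        elif line == "}":
            depth -= 1
        elif in_totem and depth == 1 and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(nodes):
    """nodes maps name -> (corosync.conf text, authkey bytes or None)."""
    findings, digests, settings = [], {}, {}
    for name in sorted(nodes):
        conf, key = nodes[name]
        opts = totem_options(conf)
        settings[name] = tuple(opts.get(k) for k in CRYPTO_KEYS)
        # Reports only what the file sets explicitly, not version defaults.
        if all(v in (None, "off", "none") for v in settings[name]):
            findings.append(f"{name}: totem enables no secauth/crypto_* option")
        if key is None:
            findings.append(f"{name}: authkey missing")
        else:
            digests[name] = hashlib.sha256(key).hexdigest()
    if len(set(settings.values())) > 1:
        findings.append("crypto options differ between nodes")
    if len(set(digests.values())) > 1:
        findings.append("authkey contents differ between nodes")
    return findings

# Constructed sample: secauth on everywhere, key copied to two of three nodes.
CONF = "totem {\n    version: 2\n    secauth: on\n    interface {\n        ringnumber: 0\n    }\n}\n"
KEY = b"\x01" * 128  # constructed stand-in, not a real key
NODES = {"node1": (CONF, KEY), "node2": (CONF, KEY), "node3": (CONF, None)}

if __name__ == "__main__":
    for finding in audit(NODES):
        print(finding)
```

The key digests are compared in memory and never printed, so the check can run in a shared terminal or CI log without exposing key material.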