[ClusterLabs] Security with Corosync

Nikhil Utane nikhil.subscribed at gmail.com
Wed Mar 16 12:44:36 CET 2016


Honza,

In my CIB I see the infrastructure being set to cman. pcs status is
reporting the same.

<nvpair id="cib-bootstrap-options-cluster-infrastructure"
name="cluster-infrastructure" value="*cman*"/>

[root at node3 corosync]# pcs status
Cluster name: mycluster
Last updated: Wed Mar 16 16:57:46 2016
Last change: Wed Mar 16 16:56:23 2016
Stack: *cman*

But corosync also is running fine.

[root at node2 nikhil]# pcs status nodes corosync
Corosync Nodes:
 Online: node2 node3
 Offline: node1

I did a cibadmin query and replace from cman to corosync, but it doesn't
change (even though the replace operation succeeds).
I read that CMAN internally uses corosync, but in corosync 2 CMAN support is
removed.
Totally confused. Please help.

-Thanks
Nikhil

On Mon, Mar 14, 2016 at 1:19 PM, Jan Friesse <jfriesse at redhat.com> wrote:

> Nikhil Utane napsal(a):
>
>> Follow-up question.
>> I noticed that secauth was turned off in my corosync.conf file. I enabled
>> it on all 3 nodes and restarted the cluster. Everything was working fine.
>> However I just noticed that I had forgotten to copy the authkey to one of
>> the node. It is present on 2 nodes but not the third. And I did a failover
>> and the third node took over without any issue.
>> How is the 3rd node participating in the cluster if it doesn't have the
>> authkey?
>>
>
> It's just not possible. If you had enabled secauth correctly and you
> didn't have /etc/corosync/authkey, a message like "Could not open
> /etc/corosync/authkey: No such file or directory" would show up. There are
> a few exceptions:
> - you have changed totem.keyfile with file existing on all nodes
> - you are using totem.key then everything works as expected (it has
> priority over default authkey file but not over totem.keyfile)
> - you are using COROSYNC_TOTEM_AUTHKEY_FILE env with file existing on all
> nodes
>
> Regards,
>   Honza
>
>> On Fri, Mar 11, 2016 at 4:15 PM, Nikhil Utane <
>> nikhil.subscribed at gmail.com>
>> wrote:
>>
>>> Perfect. Thanks for the quick response, Honza.
>>>
>>> Cheers
>>> Nikhil
>>>
>>> On Fri, Mar 11, 2016 at 4:10 PM, Jan Friesse <jfriesse at redhat.com>
>>> wrote:
>>>
>>>> Nikhil,
>>>>
>>>> Nikhil Utane napsal(a):
>>>>
>>>>> Hi,
>>>>>
>>>>> I changed some configuration and captured packets. I can see that the
>>>>> data
>>>>> is already garbled and not in the clear.
>>>>> So does corosync already have this built-in?
>>>>> Can somebody provide more details as to what all security features are
>>>>> incorporated?
>>>>>
>>>> See the man page corosync.conf(5), options crypto_hash, crypto_cipher (for
>>>> corosync 2.x) and potentially secauth (for corosync 1.x and 2.x).
>>>>
>>>> Basically corosync by default uses aes256 for encryption and sha1 for
>>>> hmac authentication.
>>>>
>>>> Pacemaker uses corosync cpg API so as long as encryption is enabled in
>>>> the corosync.conf, messages interchanged between nodes are encrypted.
>>>>
>>>> Regards,
>>>>    Honza
>>>>
>>>>> -Thanks
>>>>> Nikhil
>>>>>
>>>>> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane <
>>>>> nikhil.subscribed at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Does corosync provide mechanism to secure the communication path
>>>>>> between
>>>>>> nodes of a cluster?
>>>>>> I would like all the data that gets exchanged between all nodes to be
>>>>>> encrypted.
>>>>>>
>>>>>> A quick google threw up this link:
>>>>>> https://github.com/corosync/corosync/blob/master/SECURITY
>>>>>>
>>>>>> Can I make use of it with pacemaker?
>>>>>>
>>>>>> -Thanks
>>>>>> Nikhil
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list: Users at clusterlabs.org
>>>>> http://clusterlabs.org/mailman/listinfo/users
>>>>>
>>>>> Project Home: http://www.clusterlabs.org
>>>>> Getting started:
>>>>> http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>>>> Bugs: http://bugs.clusterlabs.org
>>>>>
>
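The thread turns on two things an operator has to get right on every node: whether corosync's totem traffic is actually encrypted and authenticated (secauth, or crypto_cipher/crypto_hash in 2.x), and which key file corosync will load, since Honza's precedence list (totem.keyfile, then totem.key, then the COROSYNC_TOTEM_AUTHKEY_FILE environment variable, then /etc/corosync/authkey) is the only way to explain a node that runs without the default authkey. The script below is an added example for this thread, not corosync's own code or tooling. Its corosync.conf parser is a deliberately small one written for this example (brace-delimited sections flattened to dotted keys); the assumption that an explicit crypto_cipher/crypto_hash overrides the aes256/sha1 pair implied by secauth is my reading of corosync.conf(5) rather than something the thread states; the SAMPLE_CONF, the key bytes and the SHA-256 fingerprinting step are all constructed here so the audit can be run on each node and the fingerprints compared without copying the key around.

```python
"""Check what corosync would do with the crypto settings in a corosync.conf.

Added example for this thread, not corosync's own code. It encodes the key-source
precedence Honza describes and the secauth / crypto_cipher / crypto_hash defaults
he quotes; run it on every node and compare the key fingerprints it reports.
"""
import hashlib
import os
import tempfile

DEFAULT_AUTHKEY = "/etc/corosync/authkey"

# Constructed sample: secauth on, no explicit cipher/hash, no keyfile directive.
SAMPLE_CONF = """\
totem {
    version: 2
    cluster_name: mycluster
    secauth: on
    # crypto_cipher / crypto_hash unset: secauth selects aes256 + sha1
}
"""


def parse_corosync_conf(text):
    """Flatten the brace-delimited sections into dotted keys ("totem.secauth")."""
    cfg, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cfg[".".join(stack + [key])] = value
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if stack:
        raise ValueError("unclosed section: " + ".".join(stack))
    return cfg


def effective_crypto(cfg):
    """(cipher, hash) corosync 2.x ends up with: secauth on selects aes256/sha1,
    an explicit crypto_cipher / crypto_hash overrides it (assumption from the
    man page), and with neither set there is no encryption or authentication."""
    secauth = cfg.get("totem.secauth", "off").lower() in ("on", "yes", "1", "true")
    cipher = cfg.get("totem.crypto_cipher", "aes256" if secauth else "none").lower()
    hmac = cfg.get("totem.crypto_hash", "sha1" if secauth else "none").lower()
    return cipher, hmac


def resolve_key_source(cfg, env=None):
    """Which key corosync loads, in the precedence order Honza gives."""
    env = os.environ if env is None else env
    if "totem.keyfile" in cfg:
        return "totem.keyfile", cfg["totem.keyfile"]
    if "totem.key" in cfg:
        return "totem.key", None                 # key embedded in the config itself
    if env.get("COROSYNC_TOTEM_AUTHKEY_FILE"):
        return "COROSYNC_TOTEM_AUTHKEY_FILE", env["COROSYNC_TOTEM_AUTHKEY_FILE"]
    return "default", DEFAULT_AUTHKEY


def key_fingerprint(path):
    """SHA-256 of the key file, so nodes can be compared without copying the key."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit(conf_text, env=None):
    """Effective crypto, key source, key fingerprint and findings for one node."""
    cfg = parse_corosync_conf(conf_text)
    cipher, hmac = effective_crypto(cfg)
    source, path = resolve_key_source(cfg, env)
    report = {"cipher": cipher, "hash": hmac, "key_source": source,
              "key_path": path, "key_sha256": None, "findings": []}
    crypto_on = cipher != "none" or hmac != "none"
    if not crypto_on:
        report["findings"].append("totem traffic is neither encrypted nor authenticated")
    if crypto_on and path is not None:
        if os.path.isfile(path):
            report["key_sha256"] = key_fingerprint(path)
        else:   # the start-up error Honza quotes for a node that never received the key
            report["findings"].append("Could not open %s: No such file or directory" % path)
    return report


def demo():
    """Run audit() against three constructed situations and return the reports."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "authkey")
        with open(keyfile, "wb") as fh:
            fh.write(os.urandom(128))        # constructed stand-in for a corosync-keygen key
        return [
            audit(SAMPLE_CONF, {"COROSYNC_TOTEM_AUTHKEY_FILE": keyfile}),              # holds the key
            audit(SAMPLE_CONF, {"COROSYNC_TOTEM_AUTHKEY_FILE": keyfile + ".missing"}),  # never got it
            audit("totem {\n    version: 2\n}\n", {}),                                  # crypto off
        ]


if __name__ == "__main__":
    for report in demo():
        print(report)
```

In practice you would call audit() with the contents of /etc/corosync/corosync.conf and the real environment on each node; a node whose report lists a "Could not open" finding is exactly the situation Nikhil describes, and two nodes whose key_sha256 values differ are not sharing a key even if both files exist. The keyfile/key/env precedence is checked in the order the thread gives, so a stray totem.keyfile pointing at a file present everywhere explains a cluster that forms without the default authkey.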