[ClusterLabs] Security with Corosync

Nikhil Utane nikhil.subscribed at gmail.com
Thu Mar 17 05:04:01 CET 2016


[root at node3 corosync]# corosync -v
Corosync Cluster Engine, version '1.4.7'
Copyright (c) 2006-2009 Red Hat, Inc.

So it is 1.x :(
When I began I was following multiple tutorials and ended up installing
multiple packages. Let me try moving to corosync 2.0.
I suppose it should be as easy as doing yum install.

On Wed, Mar 16, 2016 at 10:29 PM, Jan Friesse <jfriesse at redhat.com> wrote:

> Nikhil Utane napsal(a):
>
>> Honza,
>>
>> In my CIB I see the infrastructure being set to cman. pcs status is
>> reporting the same.
>>
>> <nvpair id="cib-bootstrap-options-cluster-infrastructure"
>> name="cluster-infrastructure" value="*cman*"/>
>>
>> [root at node3 corosync]# pcs status
>> Cluster name: mycluster
>> Last updated: Wed Mar 16 16:57:46 2016
>> Last change: Wed Mar 16 16:56:23 2016
>> Stack: *cman*
>>
>> But corosync also is running fine.
>>
>> [root at node2 nikhil]# pcs status nodes corosync
>> Corosync Nodes:
>>   Online: node2 node3
>>   Offline: node1
>>
>> I did a cibadmin query and replace from cman to corosync but it doesn't
>> change (even though the replace operation succeeds).
>> I read that CMAN internally uses corosync but in corosync 2 CMAN support
>> is removed.
>> Totally confused. Please help.
>>
>
> The best start is to find out what versions you are using. If you have
> corosync 1.x and are really using cman (which is highly probable),
> corosync.conf is completely ignored and cluster.conf
> (/etc/cluster/cluster.conf) is used instead. cluster.conf uses the cman
> keyfile and if this is not provided, the encryption key is simply the
> cluster name. This is probably the reason why everything worked when you
> didn't have authkey on one of the nodes.
>
> Honza
>
>> -Thanks
>> Nikhil
>>
>> On Mon, Mar 14, 2016 at 1:19 PM, Jan Friesse <jfriesse at redhat.com> wrote:
>>
>>> Nikhil Utane napsal(a):
>>>
>>>> Follow-up question.
>>>> I noticed that secauth was turned off in my corosync.conf file. I
>>>> enabled it on all 3 nodes and restarted the cluster. Everything was
>>>> working fine.
>>>> However I just noticed that I had forgotten to copy the authkey to one
>>>> of the nodes. It is present on 2 nodes but not the third. And I did a
>>>> failover and the third node took over without any issue.
>>>> How is the 3rd node participating in the cluster if it doesn't have the
>>>> authkey?
>>>>
>>>
>>> It's just not possible. If you had enabled secauth correctly and you
>>> didn't have /etc/corosync/authkey, a message like "Could not open
>>> /etc/corosync/authkey: No such file or directory" would show up. There
>>> are a few exceptions:
>>> - you have changed totem.keyfile with a file existing on all nodes
>>> - you are using totem.key, then everything works as expected (it has
>>> priority over the default authkey file but not over totem.keyfile)
>>> - you are using the COROSYNC_TOTEM_AUTHKEY_FILE env with a file existing
>>> on all nodes
>>>
>>> Regards,
>>>    Honza
>>>
>>>
>>>> On Fri, Mar 11, 2016 at 4:15 PM, Nikhil Utane <
>>>> nikhil.subscribed at gmail.com> wrote:
>>>>
>>>>> Perfect. Thanks for the quick response Honza.
>>>>>
>>>>> Cheers
>>>>> Nikhil
>>>>>
>>>>> On Fri, Mar 11, 2016 at 4:10 PM, Jan Friesse <jfriesse at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> Nikhil,
>>>>>>
>>>>>> Nikhil Utane napsal(a):
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I changed some configuration and captured packets. I can see that the
>>>>>>> data is already garbled and not in the clear.
>>>>>>> So does corosync already have this built-in?
>>>>>>> Can somebody provide more details as to what all security features
>>>>>>> are incorporated?
>>>>>>>
>>>>>>
>>>>>> See man page corosync.conf(5) options crypto_hash, crypto_cipher (for
>>>>>> corosync 2.x) and potentially secauth (for corosync 1.x and 2.x).
>>>>>>
>>>>>> Basically corosync by default uses aes256 for encryption and sha1 for
>>>>>> hmac authentication.
>>>>>>
>>>>>> Pacemaker uses corosync cpg API so as long as encryption is enabled in
>>>>>> the corosync.conf, messages interchanged between nodes are encrypted.
>>>>>>
>>>>>> Regards,
>>>>>>     Honza
>>>>>>
>>>>>>
>>>>>>> -Thanks
>>>>>>> Nikhil
>>>>>>>
>>>>>>> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane <
>>>>>>> nikhil.subscribed at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Does corosync provide a mechanism to secure the communication path
>>>>>>>> between nodes of a cluster?
>>>>>>>> I would like all the data that gets exchanged between all nodes to
>>>>>>>> be encrypted.
>>>>>>>>
>>>>>>>> A quick google threw up this link:
>>>>>>>> https://github.com/corosync/corosync/blob/master/SECURITY
>>>>>>>>
>>>>>>>> Can I make use of it with pacemaker?
>>>>>>>>
>>>>>>>> -Thanks
>>>>>>>> Nikhil
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list: Users at clusterlabs.org
>>>>>>> http://clusterlabs.org/mailman/listinfo/users
>>>>>>>
>>>>>>> Project Home: http://www.clusterlabs.org
>>>>>>> Getting started:
>>>>>>> http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>>>>>> Bugs: http://bugs.clusterlabs.org
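As an added example (not code from the thread, and not corosync's own): a small Python check that applies the key-source precedence Honza describes (totem.keyfile over totem.key over the authkey file), reports the cipher/hash in force, and flags the cman case where a missing keyfile silently falls back to the cluster name. The config parser, the function names, and the sample configs are constructed here; treating COROSYNC_TOTEM_AUTHKEY_FILE as a replacement for the default path and treating a missing secauth as "off" are assumptions, not statements from the thread.

```python
import os
import xml.etree.ElementTree as ET

def parse_corosync_conf(text):
    """Flatten corosync.conf's 'section { key: value }' syntax into dotted keys."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(":")
            conf[".".join(stack + [key.strip()])] = value.strip()
    return conf

def key_source(conf, env=None, exists=os.path.exists):
    # Precedence as Honza states it: totem.keyfile, then totem.key, then a key file.
    # Treating COROSYNC_TOTEM_AUTHKEY_FILE as a replacement for the default path is an assumption.
    env = env or {}
    if "totem.keyfile" in conf:
        return "keyfile:" + conf["totem.keyfile"], exists(conf["totem.keyfile"])
    if "totem.key" in conf:
        return "totem.key", True
    path = env.get("COROSYNC_TOTEM_AUTHKEY_FILE", "/etc/corosync/authkey")
    return "file:" + path, exists(path)  # (source, key present on this node)

def effective_crypto(conf):
    # corosync 2.x: crypto_cipher/crypto_hash, defaulting to aes256/sha1 as the thread says.
    # Otherwise secauth decides; a missing secauth is treated as "off" (assumption).
    if "totem.crypto_cipher" in conf or "totem.crypto_hash" in conf:
        return conf.get("totem.crypto_cipher", "aes256"), conf.get("totem.crypto_hash", "sha1")
    return ("aes256", "sha1") if conf.get("totem.secauth", "off") == "on" else ("none", "none")

def cman_key_source(cluster_conf_xml):
    # cman stack: corosync.conf is ignored; without <cman keyfile=...> the key is the cluster name.
    root = ET.fromstring(cluster_conf_xml)
    cman = root.find("cman")
    keyfile = cman.get("keyfile") if cman is not None else None
    return ("keyfile:" + keyfile, False) if keyfile else ("cluster-name:" + root.get("name", ""), True)

# Constructed samples mirroring the thread: secauth on with no keyfile, and a cluster.conf without one.
SAMPLE_CONF = "totem {\n    version: 2\n    secauth: on\n}\n"
SAMPLE_CLUSTER_CONF = '<cluster name="mycluster" config_version="1"><cman/></cluster>'

if __name__ == "__main__":
    conf = parse_corosync_conf(SAMPLE_CONF)
    print(effective_crypto(conf), key_source(conf, exists=lambda p: False), cman_key_source(SAMPLE_CLUSTER_CONF))
```

Run it on every node and compare the outputs: a node that reports the authkey file as absent while secauth is on is exactly the state the thread says corosync 1.x/2.x would refuse, so a cluster that still forms in that state is almost certainly running the cman stack with the cluster name as its key.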