[ClusterLabs] Security with Corosync

Jan Friesse jfriesse at redhat.com
Mon Mar 14 07:49:49 UTC 2016


Nikhil Utane napsal(a):
> Follow-up question.
> I noticed that secauth was turned off in my corosync.conf file. I enabled
> it on all 3 nodes and restarted the cluster. Everything was working fine.
> However I just noticed that I had forgotten to copy the authkey to one of
> the node. It is present on 2 nodes but not the third. And I did a failover
> and the third node took over without any issue.
> How is the 3rd node participating in the cluster if it doesn't have the
> authkey?

It's just not possible. If you would enabled secauth correctly and you 
didn't have /etc/corosync/authkey, message like "Could not open 
/etc/corosync/authkey: No such file or directory" would show up. There 
are few exceptions:
- you have changed totem.keyfile with file existing on all nodes
- you are using totem.key then everything works as expected (it has 
priority over default authkey file but not over totem.keyfile)
- you are using COROSYNC_TOTEM_AUTHKEY_FILE env with file existing on 
all nodes

Regards,
   Honza

>
> On Fri, Mar 11, 2016 at 4:15 PM, Nikhil Utane <nikhil.subscribed at gmail.com>
> wrote:
>
>> Perfect. Thanks for the quick response Honza.
>>
>> Cheers
>> Nikhil
>>
>> On Fri, Mar 11, 2016 at 4:10 PM, Jan Friesse <jfriesse at redhat.com> wrote:
>>
>>> Nikhil,
>>>
>>> Nikhil Utane napsal(a):
>>>
>>>> Hi,
>>>>
>>>> I changed some configuration and captured packets. I can see that the
>>>> data
>>>> is already garbled and not in the clear.
>>>> So does corosync already have this built-in?
>>>> Can somebody provide more details as to what all security features are
>>>> incorporated?
>>>>
>>>
>>> See man page corosync.conf(5) options crypto_hash, crypto_cipher (for
>>> corosync 2.x) and potentially secauth (for coorsync 1.x and 2.x).
>>>
>>> Basically corosync by default uses aes256 for encryption and sha1 for
>>> hmac authentication.
>>>
>>> Pacemaker uses corosync cpg API so as long as encryption is enabled in
>>> the corosync.conf, messages interchanged between nodes are encrypted.
>>>
>>> Regards,
>>>    Honza
>>>
>>>
>>>> -Thanks
>>>> Nikhil
>>>>
>>>> On Fri, Mar 11, 2016 at 11:38 AM, Nikhil Utane <
>>>> nikhil.subscribed at gmail.com>
>>>> wrote:
>>>>
>>>> Hi,
>>>>>
>>>>> Does corosync provide mechanism to secure the communication path between
>>>>> nodes of a cluster?
>>>>> I would like all the data that gets exchanged between all nodes to be
>>>>> encrypted.
>>>>>
>>>>> A quick google threw up this link:
>>>>> https://github.com/corosync/corosync/blob/master/SECURITY
>>>>>
>>>>> Can I make use of it with pacemaker?
>>>>>
>>>>> -Thanks
>>>>> Nikhil
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list: Users at clusterlabs.org
>>>> http://clusterlabs.org/mailman/listinfo/users
>>>>
>>>> Project Home: http://www.clusterlabs.org
>>>> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>>> Bugs: http://bugs.clusterlabs.org
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Users mailing list: Users at clusterlabs.org
>>> http://clusterlabs.org/mailman/listinfo/users
>>>
>>> Project Home: http://www.clusterlabs.org
>>> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
>>> Bugs: http://bugs.clusterlabs.org
>>>
>>
>>
>
>
>
> _______________________________________________
> Users mailing list: Users at clusterlabs.org
> http://clusterlabs.org/mailman/listinfo/users
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
>





More information about the Users mailing list