On 23/01/2023 10:38, S Sathish S wrote:
Hi Jan/Team,

Yes, in syslog we noticed "crypto: none" during startup of the corosync service.

Ok, so then communication is unencrypted.


In Corosync communication, which protocols/ports transfer sensitive data that 
need to be secured?

Corosync implements its own protocol and for udpu it is using port 5405 by default.


Or will it have only a binary protocol on port 5405 for all corosync 
communication?

Yes

Basically if you dump UDP traffic port 5405 you should see messages sent via cpg.

For example I've tried:
tcpdump -i eth1  -nN -nn udp

and sent "This is nice test" using testcpg (which is using a CPG group called GROUP), and the entry

"16:12:22.534234 IP 192.168.63.35.52319 > 192.168.63.36.5405: UDP, length 321 E..]D?@.@.....?#..?$._...I."......"..............?#..................................)...(...........?#............o.............................a........................GROUP........................................................................................................................................................U..This is nice test"

was logged.

Regards,
  Honza
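
A defender's check for the two signals discussed in this thread (the secauth/crypto_* settings in corosync.conf and the "[TOTEM ] Initializing transmit/receive security ... crypto: ... hash: ..." startup line), as an added Python example that is not from the thread or from the corosync project. The secauth-implies-aes256/sha1 default it encodes is an assumption about corosync 2.x behaviour, and the sample configuration is constructed.

```python
import re

# Constructed sample based on the totem block quoted in the thread (not the poster's file).
SAMPLE_CONF = """totem {
    version: 2
    cluster_name: OCC
    secauth: off
    transport: udpu
}
"""

def parse_corosync_conf(text):
    """Parse corosync.conf 'section { key: value }' syntax into nested dicts;
    a section name that repeats (e.g. nodelist.node) becomes a list of dicts."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r'^(\w+)\s*\{$', line)
        if m:  # open a nested section
            child, prev = {}, cur.get(m.group(1))
            if prev is None:
                cur[m.group(1)] = child
            elif isinstance(prev, list):
                prev.append(child)
            else:
                cur[m.group(1)] = [prev, child]
            stack.append(cur)
            cur = child
        elif line == '}':  # close the current section
            cur = stack.pop()
        else:
            key, _, val = line.partition(':')
            cur[key.strip()] = val.strip()
    return root

def totem_is_encrypted(conf):
    """Assumed corosync 2.x defaults: secauth on => aes256/sha1 unless crypto_* override it."""
    totem = conf.get('totem', {})
    secauth = totem.get('secauth', 'off').lower() == 'on'
    cipher = totem.get('crypto_cipher', 'aes256' if secauth else 'none').lower()
    digest = totem.get('crypto_hash', 'sha1' if secauth else 'none').lower()
    return cipher != 'none' and digest != 'none'

def log_reports_encryption(line):
    """Check the startup message the thread quotes; None if the line is not that message."""
    m = re.search(r'\[TOTEM\s*\] Initializing transmit/receive security.*?crypto: (\S+) hash: (\S+)', line)
    return None if m is None else (m.group(1) != 'none' and m.group(2) != 'none')
```

Run both checks together: a config that parses as unencrypted and a startup line reporting "crypto: none hash: none" should agree, and a disagreement points at a stale log or a config that is not the one corosync actually loaded.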


Thanks and Regards,
S Sathish S
-----Original Message-----
From: Jan Friesse <jfrie...@redhat.com>
Sent: 23 January 2023 14:50
To: Cluster Labs - All topics related to open-source clustering welcomed 
<users@clusterlabs.org>
Cc: S Sathish S <s.s.sath...@ericsson.com>
Subject: Re: [ClusterLabs] corosync 2.4.4 version provide secure the 
communication by default

Hi,

On 23/01/2023 01:37, S Sathish S via Users wrote:
Hi Team,

Does corosync 2.4.4 provide a mechanism to secure the communication path 
between nodes of a cluster by default? Because in our configuration secauth is 
turned off but the communication is still encrypted.

Note: I captured tcpdump for port 5405 and I can see that the data is already 
garbled and not in the clear.

It's a binary protocol, so don't expect a really readable format (like 
xml/json/...). But with your config it should be unencrypted. You can check for the message 
"notice  [TOTEM ] Initializing transmit/receive security
(NSS) crypto: none hash: none" during start of corosync.

Regards,
    Honza



[root@node1 ~]# cat /etc/corosync/corosync.conf
totem {
      version: 2
      cluster_name: OCC
      secauth: off
      transport: udpu
}

nodelist {
      node {
          ring0_addr: node1
          nodeid: 1
      }

      node {
          ring0_addr: node2
          nodeid: 2
      }

      node {
          ring0_addr: node3
          nodeid: 3
      }
}

quorum {
      provider: corosync_votequorum
}

logging {
      to_logfile: yes
      logfile: /var/log/cluster/corosync.log
      to_syslog: no
      timestamp: on
}

Thanks and Regards,
S Sathish S



_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/