[Pacemaker] Sources for dlm and cman
Hello folkz, Could somebody please point me out where I can get tar balls of dlm (libdlm) and cman (libcman) sources. My search in google yielded nothing definitive. Many thanks in advance, Alex ___ Pacemaker mailing list Pacemaker@oss.clusterlabs.org http://oss.clusterlabs.org/mailman/listinfo/pacemaker
Re: [Pacemaker] crm_attribte failed with Multiple attributes match
On Mon, Jan 11, 2010 at 2:45 AM, Andrew Beekhof wrote:

> >>
> >> When I checked the cib, it has only one entry for each host.
> >>
> >> [r...@silverthorne2 tmp]# cibadmin -Ql | grep master-vmrd
> >>>> id="status-copper2-master-vmrd-res:0" value="5"/>
> >>>> id="status-copper1-master-vmrd-res:1" value="2"/>
> >
> > Either case is a problem. If the cib has two entries per one node, then cib
> > update has a problem. If the cib has one entry per node correctly, then cib
> > query has a problem.
>
> Can you please provide the _complete_ cib + output for both problems.

I rebooted the system a few days ago. If it happens again, will post it. But can you guess any how cib query returns multiple entries?

hj
Re: [Pacemaker] openais/corosync
On Mon, 2010-01-11 at 21:00 +0100, Andreas Mock wrote:
> > -Original Message-
> > From: "Steven Dake"
> > Sent: 11.01.10 20:13:39
> > To: pacema...@clusterlabs.org
> > Subject: Re: [Pacemaker] openais/corosync
> >
> > See reasoning here:
> > http://www.corosync.org/doku.php?id=faq:why
>
> Hi Steve,
>
> thank you for that link. A piece of documentation I didn't find.
>
> They know why they do have "improved documentation" on
> their 2010 agenda. ;-)

Ya it's pretty clear Corosync documentation is weak. We really focused on developing a great quality implementation and a good release model at the expense of all other activities such as documentation and project marketing. We hope developers can deal with the documentation warts in the near term until we sort that out.

In most cases, users don't need much documentation on Corosync at all except managing corosync.conf which is very well documented in man pages. Corosync's functionality should mostly be hidden behind application's functionality.

That said, we do want to improve documentation. Beyond man pages for all tools and APIs, we would eventually like to produce a user guide and a separate developer guide which may number 100-200 PDF pages combined. These objectives will happen this year.

Regards
-steve
Re: [Pacemaker] attrd does not update crm_master
On Mon, Jan 11, 2010 at 1:22 PM, hj lee wrote:
> Hi,
>
> I have a situation crm_master does not update a master score. I increased
> log level at attrd. And I found that current value is 2 but stored value
> is 5. I don't know how attrd ends up this state. But attrd ignores this
> update, so a master score does not change at all. I think the code should
> check the stored value, not current value in memory. As long as the stored
> value is different, then it should update. Should I create a bug?
>
> Thanks
> hj
>
>
> 2010-01-11 09:37:16.425570 copper2-attrd: [4649]: debug: debug3:
> log_data_element: attrd_ipc_callback: attrd_ipc_callback t="attrd" src="crm_attribute" task="update" attr_name="master-vmrd-res:0"
> attr_value="2" attr_section="status" attr_host="copper2" />
> 2010-01-11 09:37:16.425602 copper2-attrd: [4649]: debug:
> attrd_local_callback: update message from crm_attribute:
> master-vmrd-res:0=2
> 2010-01-11 09:37:16.425611 copper2-attrd: [4649]: debug: debug2:
> find_hash_entry: #011master-vmrd-res:0->section: status
> 2010-01-11 09:37:16.425642 copper2-attrd: [4649]: debug: debug2:
> log_hash_entry: Found (and updated) entry:
> 2010-01-11 09:37:16.425651 copper2-attrd: [4649]: debug: debug2:
> log_hash_entry: Set: status
> 2010-01-11 09:37:16.425658 copper2-attrd: [4649]: debug: debug2:
> log_hash_entry: Name:master-vmrd-res:0
> 2010-01-11 09:37:16.425667 copper2-attrd: [4649]: debug: debug2:
> log_hash_entry: Value: 2
> 2010-01-11 09:37:16.425699 copper2-attrd: [4649]: debug: debug2:
> log_hash_entry: Timeout: (null)
> 2010-01-11 09:37:16.425708 copper2-attrd: [4649]: debug:
> attrd_local_callback: Supplied: 2, Current: 2, Stored: 5
> 2010-01-11 09:37:16.425740 copper2-attrd: [4649]: debug: debug2:
> attrd_local_callback: Ignoring non-change
>

Hi again,

Thanks to the pacemaker log, I could browse the source code for this issue. The stored_value is only updated after cib_ok returned, but current is updated to the supplied value on request before sending update to cib. So this can cause the difference in current and stored value. The code compares only the supplied and current value. So if the cib update fails, then it ends up this situation! The fix will be very simple, either remove compares it against the stored_value or update current only after cib_ok returns.

Thanks
hj
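The state described in the message above ("Supplied: 2, Current: 2, Stored: 5") can be reproduced with a small model. This is an added example, not attrd's code and not part of the original post; the struct, the function names and the simulated CIB write are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of one attribute entry. Field names follow the log line
 * "Supplied: 2, Current: 2, Stored: 5", not attrd's real structures. */
struct attr_entry {
    char current[16];   /* last value requested, held in memory */
    char stored[16];    /* last value the CIB acknowledged */
};

/* Stand-in for the CIB write; cib_ok says whether it succeeds. */
static void cib_write(struct attr_entry *e, const char *value, int cib_ok)
{
    if (cib_ok)
        snprintf(e->stored, sizeof(e->stored), "%s", value);
}

/* Behaviour as described in the message: only supplied and current are
 * compared, and current is overwritten before the CIB has answered.
 * Returns 1 if a write was attempted, 0 if ignored as a non-change. */
static int update_as_described(struct attr_entry *e, const char *supplied,
                               int cib_ok)
{
    if (strcmp(supplied, e->current) == 0)
        return 0;
    snprintf(e->current, sizeof(e->current), "%s", supplied);
    cib_write(e, supplied, cib_ok);
    return 1;
}

/* Variant that also checks the stored value, as the message suggests. */
static int update_checking_stored(struct attr_entry *e, const char *supplied,
                                  int cib_ok)
{
    if (strcmp(supplied, e->current) == 0 && strcmp(supplied, e->stored) == 0)
        return 0;
    snprintf(e->current, sizeof(e->current), "%s", supplied);
    cib_write(e, supplied, cib_ok);
    return 1;
}

typedef int (*update_fn)(struct attr_entry *, const char *, int);

/* One failed write followed by a retry of the same value.
 * Returns 1 if the retry reached the CIB, 0 if the entry stayed stale. */
static int retry_reaches_cib(update_fn update)
{
    struct attr_entry e = { "5", "5" };

    update(&e, "2", 0);   /* first attempt: the CIB write fails */
    update(&e, "2", 1);   /* same value again, CIB healthy this time */
    return strcmp(e.stored, "2") == 0;
}

int main(void)
{
    printf("as described:    retry reaches CIB = %d\n",
           retry_reaches_cib(update_as_described));
    printf("checking stored: retry reaches CIB = %d\n",
           retry_reaches_cib(update_checking_stored));
    return 0;
}
```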
[Pacemaker] attrd does not update crm_master
Hi,

I have a situation crm_master does not update a master score. I increased log level at attrd. And I found that current value is 2 but stored value is 5. I don't know how attrd ends up this state. But attrd ignores this update, so a master score does not change at all. I think the code should check the stored value, not current value in memory. As long as the stored value is different, then it should update. Should I create a bug?

Thanks
hj

2010-01-11 09:37:16.425427 copper2-attrd: [4649]: debug: debug5: log_data_element: Dumping attrd_update
2010-01-11 09:37:16.425460 copper2-attrd: [4649]: debug: debug5: log_data_element: Dumping
2010-01-11 09:37:16.425602 copper2-attrd: [4649]: debug: attrd_local_callback: update message from crm_attribute: master-vmrd-res:0=2
2010-01-11 09:37:16.425611 copper2-attrd: [4649]: debug: debug2: find_hash_entry: #011master-vmrd-res:0->section: status
2010-01-11 09:37:16.425642 copper2-attrd: [4649]: debug: debug2: log_hash_entry: Found (and updated) entry:
2010-01-11 09:37:16.425651 copper2-attrd: [4649]: debug: debug2: log_hash_entry: Set: status
2010-01-11 09:37:16.425658 copper2-attrd: [4649]: debug: debug2: log_hash_entry: Name:master-vmrd-res:0
2010-01-11 09:37:16.425667 copper2-attrd: [4649]: debug: debug2: log_hash_entry: Value: 2
2010-01-11 09:37:16.425699 copper2-attrd: [4649]: debug: debug2: log_hash_entry: Timeout: (null)
2010-01-11 09:37:16.425708 copper2-attrd: [4649]: debug: attrd_local_callback: Supplied: 2, Current: 2, Stored: 5
2010-01-11 09:37:16.425740 copper2-attrd: [4649]: debug: debug2: attrd_local_callback: Ignoring non-change
Re: [Pacemaker] openais/corosync
> -Original Message-
> From: "Steven Dake"
> Sent: 11.01.10 20:13:39
> To: pacema...@clusterlabs.org
> Subject: Re: [Pacemaker] openais/corosync
>
> See reasoning here:
> http://www.corosync.org/doku.php?id=faq:why

Hi Steve,

thank you for that link. A piece of documentation I didn't find.

They know why they do have "improved documentation" on their 2010 agenda. ;-)

> the clusterlabs documentation is technically correct. You can use
> openais whitetank (see link above) but I recommend just using Corosync
> instead.

I'll try it. Thank you for the fast reply.

Best regards
Andreas Mock
Re: [Pacemaker] openais/corosync
On Mon, 2010-01-11 at 19:59 +0100, Andreas Mock wrote:
> Hi all,
>
> I don't understand the distinction between
> openais and corosync. The prebuilt packages are
> named after corosync while the documentation
> always talks about openais.

See reasoning here:
http://www.corosync.org/doku.php?id=faq:why

> The infos I get from the homepages of openais/corosync
> don't help either. There is one paper on corosync's homepage
> saying that pacemaker is using corosync while the installation
> guide at http://www.clusterlabs.org/wiki/Install#OpenAIS.2A
> says to download openais.

the clusterlabs documentation is technically correct. You can use openais whitetank (see link above) but I recommend just using Corosync instead.

> Can someone enlighten me even this may be more related
> to openais/corosync. I'm sure that the users of this code
> can tell me how the parts fit together. ;-)
>
> Best regards
> Andreas Mock
[Pacemaker] openais/corosync
Hi all,

I don't understand the distinction between openais and corosync. The prebuilt packages are named after corosync while the documentation always talks about openais.

The infos I get from the homepages of openais/corosync don't help either. There is one paper on corosync's homepage saying that pacemaker is using corosync while the installation guide at http://www.clusterlabs.org/wiki/Install#OpenAIS.2A says to download openais.

Can someone enlighten me even this may be more related to openais/corosync. I'm sure that the users of this code can tell me how the parts fit together. ;-)

Best regards
Andreas Mock
[Pacemaker] Pacemaker/OpenAIS Software for openSuSE 11.2
Hi all,

after a long period I started to check out the current state of clustering with linux. As it seems that the SuSE guys go to the direction of pacemaker/openais I want to give that a try.

a) Is this the right mailing list or can I ask pacemaker/openais questions also on the ha-linux mailing without being redirected elsewhere?
b) Where can I find packages for openSuSE 11.2? (pacemaker/openais)
c) If not available how could I build them (easily)?
d) If I would try to compile from source as described at http://www.clusterlabs.org/wiki/Install#First_Steps one step is to get openais. Why are all the relevant prebuilt library packages called corosync? I don't understand the distinction between openais and corosync and how these two pieces fit together. By the way: Their homepage doesn't enlighten me either.

Enough questions for a restart.

Best regards
Andreas Mock
Re: [Pacemaker] How to configure the rule with crm command?
Hi,

On Mon, Jan 11, 2010 at 08:19:02PM +0800, Jason Lee wrote:
> HI,ALL:
> I'm reading the document:
> http://www.clusterlabs.org/doc/en-US/Pacemaker/1.0/html/Pacemaker_Explained/index.html
>
> Now I reach the ch8.4 and ch8.5, the document only list the xml
> example, but don't tell me how to
> get this.
> Who could tell me how to use crm command to get the Example 8.11 and
> Example 8.12?

Try crm configure help location. Or read the crm_cli doc at clusterlabs.org.

Thanks,

Dejan
Re: [Pacemaker] Multi-level ACLs for the CIB
On 2010-01-11T15:02:29, Andrew Beekhof wrote:

> > For this authentication issue of local access we discussed last time, I
> > added a geteuid() in the cib_native_signon_raw() function from libcib.
> > Once a client signs on the CIB, it'll invoke the function and transfer
> > its uid to the server end.
> I don't see anywhere that the server checks passwords. Is that really
> intentional?

I agree, the server needs to verify the credentials. Client-side UID is not strong enough - after all, we're trying to authenticate & authorize the _client_, and it won't do to have the client tell us what it thinks its auth level should be - that would be a bit easy to cheack ;-)

> What's the role of this code, is it meant to provide actual security?
> Or is it just casual protection from people accidentally touching
> stuff they probably didn't mean to touch?

If we provide the latter, they'll expect it to provide the former.

So we need to verify credentials in the CIB server process instead. For SSL connections to the server, this means username/password transfer, or challenge-response. For local sockets, we can use code similar to the IPC socket stuff from heartbeat to get the uuid from the other end of the socket?

In the mean-time, reviewing the syntax is probably quite important too.

Regards,
    Lars

--
Architect Storage/HA, OPS Engineering, Novell, Inc.
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
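The local-socket check discussed in this thread, shown as an added example that is not part of any message here and is not Pacemaker or heartbeat code: on Linux the server can ask the kernel for the peer's uid with SO_PEERCRED instead of trusting a uid the client sends. The function names and the one-field sign-on message are assumptions for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as Linux's struct ucred, declared locally so the example
 * builds whether or not the GNU extensions are visible. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Ask the kernel who is on the other end of a connected AF_UNIX socket. */
static int peer_uid(int fd, uid_t *uid)
{
    struct peer_cred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0
        || len != sizeof(cred))
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Hypothetical server-side sign-on. The uid sent by the client is read only
 * so it can be compared; the identity handed to the ACL code is always the
 * one the kernel reports.
 * Returns 1 if the claim matches, 0 if it does not, -1 on error. */
static int server_signon(int fd, uid_t *authenticated)
{
    uid_t claimed;

    if (read(fd, &claimed, sizeof(claimed)) != (ssize_t)sizeof(claimed))
        return -1;
    if (peer_uid(fd, authenticated) != 0)
        return -1;
    return claimed == *authenticated;
}

/* Connect a client end and a server end in one process and sign on
 * with the uid the "client" chooses to claim. */
static int demo_signon(uid_t claimed, uid_t *authenticated)
{
    int sv[2], rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    /* sv[0] plays the client, which may send any uid it likes */
    if (write(sv[0], &claimed, sizeof(claimed)) != (ssize_t)sizeof(claimed))
        rc = -1;
    else
        rc = server_signon(sv[1], authenticated);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    uid_t me = geteuid(), seen = 0;

    printf("honest claim accepted: %d\n", demo_signon(me, &seen));
    printf("false claim accepted:  %d (kernel reports uid %u)\n",
           demo_signon(me + 1, &seen), (unsigned)seen);
    return 0;
}
```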
Re: [Pacemaker] Multi-level ACLs for the CIB
On Mon, Jan 11, 2010 at 2:01 PM, Yan Gao wrote: > Hi all, Andrew, Lars, > > Here's the status update about this feature. > > I've implemented the main functionalities of ACL, including the ACLs > configuration parser, the CIB output filter and the modification checker... > > Yan Gao wrote: >> On 12/09/09 18:28, Andrew Beekhof wrote: >>> On Wed, Dec 9, 2009 at 11:00 AM, Yan Gao wrote: Hi Andrew, Lars, On 12/08/09 21:16, Lars Marowsky-Bree wrote: > On 2009-12-08T09:22:52, Andrew Beekhof wrote: > >>> Basically, we'd like to see an ACL mechanism. It would be implemented at >>> the CIB level. So that all the clients - CLI , CRM shell, GUI, etc... - >>> could benefit. Clients are authenticated via PAM, so we can use uid/gid >>> for identification. >> Actually you probably can't do this. >> Daemons (like the cib) which are not running as root can only >> authenticate the username/password of the user they're running as. > Well, the non-root internal uids/daemons would of course get exceptions > just like root, this is about external interfaces. Actually, after thinking over the problem, I'm a bit confused...So I briefly describe what in my mind, please correct me if there's any problem. First, currently non-root users are able to connect the cib through either unix or network sockets as long as they belong to "haclient" group. We could keep this requirement. Then the cib should authenticate the client via PAM to identify who is connecting to it. >>> Thats what I'm saying, it can only do this for the hacluster user. >>> Because its not running as root. >> Indeed, that's the real problem. Without authentication, that would not >> be a real access control. No idea if there's any other solution... Lars, >> what's your recommendation? > > For this authentication issue of local access we discussed last time, I > added a geteuid() in the cib_native_signon_raw() function from libcib. 
> Once a client signs on the CIB, it'll invoke the function and transfer
> its uid to the server end.

I don't see anywhere that the server checks passwords. Is that really intentional?

>
> Strictly speaking, a user could hack his client program or libcib to
> obtain the privileged right to CIB. But he also could hack the server
> end, right? ;-)

Or use a local (modified) copy of libcib, or just bypass it altogether.
Both of which are far more trivial than installing modified code on the server-side.

What's the role of this code, is it meant to provide actual security?
Or is it just casual protection from people accidentally touching stuff they probably didn't mean to touch?

>
> Above all, any user still needs to be added into "haclient" group by the
> privileged user to get the access to CIB. That means at least the ACL
> implementation would not lower the security of the current stuff.
>
> Besides, for remote access, a user still needs to pass the PAM
> authentication, to get his appropriate permission. Although for now it
> only supports "hacluster" user.
>
> The ACL checks would always be bypassed for privileged users, "root" and
> "hacluster".
>
> The following is an example configuration to demonstrate how to use this
> feature:
>
> ..
> value="123"/>
> value="started"/>
> ..
>
> The user "ygao" is a system account.
> We could define several roles as we wish, such as "admin", "operator" and
> "monitor", which could contain a member list respectively if more than one
> user have the same permissions. A role also could be referenced by a
> particular "" definition.
>
> As mentioned, the ACL is a black-/whitelist, and the first match defines
> whether access is granted or denied.
>
> So for user "ygao", the configuration means:
>
> 1. "ygao" has the write access to the "target-role" nvpair of "rsc0", hence
> he could start/stop the resource.
>
> Note: A "" ACL object also implies to grant read access.
>
> 2. "ygao" could read any other definitions of "rsc0" except "password" nvpair.
>
> 3. "ygao" can _read_ "nodes" and "status" sections.
>
> Why is _read_ rather than _write_ ? We already referenced the "operator"
> role who has write access, didn't we?
> But we also put "ygao" into the members of "monitor" role, which is defined
> prior to " him actually
> is like:
>
> Please always remember the basic rule:
> "The first match determines the permission"
>
> 4. Everything else would be denied.
>
>
> Those ACL objects, including "", "" and
> "" could be interleaved with "" in definition.
>
>
> Consider we have the definition:
>
>
> This means the user could write any XML element whose ID is "rsc0".
> S
Re: [Pacemaker] Multi-level ACLs for the CIB
Hi all, Andrew, Lars, Here's the status update about this feature. I've implemented the main functionalities of ACL, including the ACLs configuration parser, the CIB output filter and the modification checker... Yan Gao wrote: > On 12/09/09 18:28, Andrew Beekhof wrote: >> On Wed, Dec 9, 2009 at 11:00 AM, Yan Gao wrote: >>> Hi Andrew, Lars, >>> >>> On 12/08/09 21:16, Lars Marowsky-Bree wrote: On 2009-12-08T09:22:52, Andrew Beekhof wrote: >> Basically, we'd like to see an ACL mechanism. It would be implemented at >> the CIB level. So that all the clients - CLI , CRM shell, GUI, etc... - >> could benefit. Clients are authenticated via PAM, so we can use uid/gid >> for identification. > Actually you probably can't do this. > Daemons (like the cib) which are not running as root can only > authenticate the username/password of the user they're running as. Well, the non-root internal uids/daemons would of course get exceptions just like root, this is about external interfaces. >>> Actually, after thinking over the problem, I'm a bit confused...So I >>> briefly describe what in my mind, please correct me if there's any problem. >>> >>> First, currently non-root users are able to connect the cib through >>> either unix or network sockets as long as they belong to "haclient" >>> group. We could keep this requirement. >>> >>> Then the cib should authenticate the client via PAM to identify who is >>> connecting to it. >> Thats what I'm saying, it can only do this for the hacluster user. >> Because its not running as root. > Indeed, that's the real problem. Without authentication, that would not > be a real access control. No idea if there's any other solution... Lars, > what's your recommendation? For this authentication issue of local access we discussed last time, I added a geteuid() in the cib_native_signon_raw() function from libcib. Once a client signs on the CIB, it'll invoke the function and transfer its uid to the server end. 
Strictly speaking, a user could hack his client program or libcib to obtain the privileged right to CIB. But he also could hack the server end, right? ;-)

Above all, any user still needs to be added into "haclient" group by the privileged user to get the access to CIB. That means at least the ACL implementation would not lower the security of the current stuff.

Besides, for remote access, a user still needs to pass the PAM authentication, to get his appropriate permission. Although for now it only supports "hacluster" user.

The ACL checks would always be bypassed for privileged users, "root" and "hacluster".

The following is an example configuration to demonstrate how to use this feature:

.. ..

The user "ygao" is a system account. We could define several roles as we wish, such as "admin", "operator" and "monitor", which could contain a member list respectively if more than one user have the same permissions. A role also could be referenced by a particular "" definition.

As mentioned, the ACL is a black-/whitelist, and the first match defines whether access is granted or denied.

So for user "ygao", the configuration means:

1. "ygao" has the write access to the "target-role" nvpair of "rsc0", hence he could start/stop the resource.

   Note: A "" ACL object also implies to grant read access.

2. "ygao" could read any other definitions of "rsc0" except "password" nvpair.

3. "ygao" can _read_ "nodes" and "status" sections.

   Why is _read_ rather than _write_ ? We already referenced the "operator" role who has write access, didn't we? But we also put "ygao" into the members of "monitor" role, which is defined prior to "

   Please always remember the basic rule: "The first match determines the permission"

4. Everything else would be denied.

Those ACL objects, including "", "" and "" could be interleaved with "" in definition.

Consider we have the definition:

This means the user could write any XML element whose ID is "rsc0". So this applies to both the "primitive" and the "lrm_resource". If we mean to grant the access only to the "primitive" one, we should specify like:

BTW, when you test it, please notice that the following command:

    /usr/sbin/crm_resource -C -r rsc0

is not equal to:

    /usr/sbin/cibadmin -D --xpath "//lrm_resour...@id='rsc0']"

The first command is achieved by requesting lrmd, which is running as root, to do the cleanup for the client. So it could always bypass the ACL check.

BTW, there're some changes comparing to the original design:

For any of those ACL objects, including "", "" and "", we need to specify an "id" for it, which is not in the original design. I added it because some of the CIB modifications depend on element's
[Pacemaker] How to configure the rule with crm command?
HI,ALL:

I'm reading the document:
http://www.clusterlabs.org/doc/en-US/Pacemaker/1.0/html/Pacemaker_Explained/index.html

Now I reach the ch8.4 and ch8.5, the document only list the xml example, but don't tell me how to get this.
Who could tell me how to use crm command to get the Example 8.11 and Example 8.12?
Re: [Pacemaker] crm_attribte failed with Multiple attributes match
On Thu, Jan 7, 2010 at 10:44 PM, hj lee wrote:
>
> On Thu, Jan 7, 2010 at 12:49 PM, hj lee wrote:
>>
>> On Thu, Jan 7, 2010 at 5:24 AM, Andrew Beekhof wrote:
>>>
>>> On Wed, Jan 6, 2010 at 3:09 AM, hj lee wrote:
>>> > Hi,
>>> >
>>> > I have a very simple master/slave in two node cluster. The crm_attribute
>>> > failed to master score because find_nvpair_attr() found multiple matches.
>>> > But I think that's not possible, there should be always one entry for master
>>> > score for each node. I just had one failure today. The log is below. I think
>>> > this is a bug somewhere around cib query.
>>>
>>> cibadmin -Ql ???
>>>
>>
>> When I checked the cib, it has only one entry for each host.
>>
>> [r...@silverthorne2 tmp]# cibadmin -Ql | grep master-vmrd
>> > id="status-copper2-master-vmrd-res:0" value="5"/>
>> > id="status-copper1-master-vmrd-res:1" value="2"/>
>
> Either case is a problem. If the cib has two entries per one node, then cib
> update has a problem. If the cib has one entry per node correctly, then cib
> query has a problem.

Can you please provide the _complete_ cib + output for both problems.
Re: [Pacemaker] OCF scripts for cups and courier-imap
On 2010-01-09 10:00, cheibi welid wrote:
> Hi all,
>
> I am currently testing a HA cluster with DRBD (Pacemaker, Heartbeat,
> DRBD) and I need OCF scripts for cups and courier-imap. I want to know
> if those scripts already exist or should I develop them and in this
> case, is there some guides or guidelines to follow ?

Any reason not to use the LSB init scripts bundled with either of these?

Cheers,
Florian
Re: [Pacemaker] problem setting up STONITH for DRAC
On 2010-01-11 08:15, frank wrote:
>
> Hi Sander,
> I also have many troubles with drac stonith, and finally I had to change
> the source code to make drac5 stonith work;

Did you send a patch? Where's the bugzilla entry for this?

> but with drac6 it failed
> again because output strings are different.

And where's the bugzilla for that?

Cheers,
Florian