Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1

2013-03-06 Thread senrabdet
Thanks Lars - will digest your response a bit, get back - appreciate the help!

-Original Message-
From: Lars Ellenberg 
To: pacemaker 
Sent: Wed, Mar 6, 2013 5:40 am
Subject: Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1


On Mon, Mar 04, 2013 at 04:27:24PM -0500, senrab...@aol.com wrote:
> Hi All:
> 
> We're new to pacemaker (just got some great help from this forum
> getting it working with LVM as backing device), and would like to
> explore the Physical Volume option. We're trying to configure on top of
> an existing Encrypted RAID1 set up and employ LVM.
> 
> NOTE:  our goal is to run many virtual servers, each in its own
> logical volume and it looks like putting LVM on top of the DRBD would
> allow us to add logical volumes "on the fly", but also have a
> "simpler" setup with one drbd device for all the logical volumes and
> one related pacemaker config.  Hence, exploring DRBD as a physical
> volume.


A single DRBD has a single "activity log",
running "many virtual servers" from there will very likely cause
the "worst possible" workload (many totally random writes).

You really want to use DRBD 8.4.3,
see https://blogs.linbit.com/p/469/843-random-writes-faster/
for why.


> Q:  For pacemaker to work, how do we do the DRBD disk/device mapping
> in the drbd.conf file?  And should we set things up and encrypt last,
> or can we apply DRBD and Pacemaker to an existing Encrypted RAID1
> setup?


Neither Pacemaker nor DRBD do particularly care.

If you want to stack the encryption layer on top of DRBD, fine.
(you'd probably need to teach some pacemaker resource agent to "start"
the encryption layer).

If you want to stack DRBD on top of the encryption layer, just as fine.

Unless you provide the decryption key in plaintext somewhere, failover
will likely be easier to automate if you have DRBD on top of encryption,
so if you want the real device encrypted, I'd recommend to put
encryption below DRBD.

Obviously, the DRBD replication traffic will still be "plaintext" in
that case.

> The examples we've seen show mapping between the drbd device and a
> physical disk (e.g., sdb) in the drbd.conf, and then  "pvcreate
> /dev/drbdnum" and creating a volume group and logical volume on the
> drbd device.
> 
> So for this type of set up, drbd.conf might look like:
> 
> device /dev/drbd1;
> disk  /dev/sdb;
> address xx.xx.xx.xx:7789;
> meta-disk internal;
> 
> In our case, because we have an existing RAID1 (md2) and it's
> encrypted (md2_crypt or /dev/dm-7 ...  we're unsure which partition
> actually has the data), any thoughts on how to do the DRBD mapping?
> E.g., 
> 
> device /dev/drbd1 minor 1;
> disk /dev/???;
> address xx.xx.xx.xx:7789; 
> meta-disk internal;
> 
> I.e., what goes in the "disk /dev/?;"?  Would it be "disk
> /dev/md2_crypt;"?

Yes.

> And can we do our setup on an existing Encrypted RAID1 setup

Yes.

> (if we do pvcreate on drbd1, we get errors)?

Huh?

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.

___
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org

 


Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1

2013-03-06 Thread Lars Ellenberg
On Mon, Mar 04, 2013 at 04:27:24PM -0500, senrab...@aol.com wrote:
> Hi All:
> 
> We're new to pacemaker (just got some great help from this forum
> getting it working with LVM as backing device), and would like to
> explore the Physical Volume option. We're trying to configure on top of
> an existing Encrypted RAID1 set up and employ LVM.
> 
> NOTE:  our goal is to run many virtual servers, each in its own
> logical volume and it looks like putting LVM on top of the DRBD would
> allow us to add logical volumes "on the fly", but also have a
> "simpler" setup with one drbd device for all the logical volumes and
> one related pacemaker config.  Hence, exploring DRBD as a physical
> volume.


A single DRBD has a single "activity log",
running "many virtual servers" from there will very likely cause
the "worst possible" workload (many totally random writes).

You really want to use DRBD 8.4.3,
see https://blogs.linbit.com/p/469/843-random-writes-faster/
for why.


> Q:  For pacemaker to work, how do we do the DRBD disk/device mapping
> in the drbd.conf file?  And should we set things up and encrypt last,
> or can we apply DRBD and Pacemaker to an existing Encrypted RAID1
> setup?


Neither Pacemaker nor DRBD do particularly care.

If you want to stack the encryption layer on top of DRBD, fine.
(you'd probably need to teach some pacemaker resource agent to "start"
the encryption layer).

If you want to stack DRBD on top of the encryption layer, just as fine.

Unless you provide the decryption key in plaintext somewhere, failover
will likely be easier to automate if you have DRBD on top of encryption,
so if you want the real device encrypted, I'd recommend to put
encryption below DRBD.

Obviously, the DRBD replication traffic will still be "plaintext" in
that case.

> The examples we've seen show mapping between the drbd device and a
> physical disk (e.g., sdb) in the drbd.conf, and then  "pvcreate
> /dev/drbdnum" and creating a volume group and logical volume on the
> drbd device.
> 
> So for this type of set up, drbd.conf might look like:
> 
> device /dev/drbd1;
> disk  /dev/sdb;
> address xx.xx.xx.xx:7789;
> meta-disk internal;
> 
> In our case, because we have an existing RAID1 (md2) and it's
> encrypted (md2_crypt or /dev/dm-7 ...  we're unsure which partition
> actually has the data), any thoughts on how to do the DRBD mapping?
> E.g., 
> 
> device /dev/drbd1 minor 1;
> disk /dev/???;
> address xx.xx.xx.xx:7789; 
> meta-disk internal;
> 
> I.e., what goes in the "disk /dev/?;"?  Would it be "disk 
> /dev/md2_crypt;"?

Yes.

> And can we do our setup on an existing Encrypted RAID1 setup

Yes.

> (if we do pvcreate on drbd1, we get errors)?

Huh?

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
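
Added example, not part of Lars's message or of the DRBD project: a shell check for the layout recommended above (DRBD on top of the encryption layer) that reads the `disk` directives from a drbd.conf and confirms each one is a dm-crypt mapping. The sample file contents, the resource and node names and the `/dev/mapper/md2_crypt` path are constructed assumptions; the check covers data at rest only, since the replication traffic stays plaintext in this layout.

```bash
#!/usr/bin/env bash
# Added example: flag DRBD backing disks that are not dm-crypt mappings.
# Assumes one directive per line and "disk /dev/mapper/<name>;" paths.

# Names of dm-crypt mappings; input is saved `dmsetup table` output.
crypt_mappings() {
    awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }' "$1"
}

# Path of each "disk <path>;" directive. Comments and the DRBD 8.4
# "disk { ... }" options section are skipped.
backing_disks() {
    awk '{ sub(/#.*/, "") }
         $1 == "disk" && $2 != "{" { sub(/;$/, "", $2); print $2 }' "$1"
}

# Usage: check_drbd_backing <drbd.conf> <dm-table-file>; returns 1 if a disk is not dm-crypt
check_drbd_backing() {
    rc=0
    mappings=$(crypt_mappings "$2")
    for disk in $(backing_disks "$1"); do
        if printf '%s\n' "$mappings" | grep -qxF -- "${disk##*/}"; then
            echo "ENCRYPTED $disk"
        else
            echo "UNENCRYPTED $disk"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input, trimmed to the lines the check reads.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/drbd.conf" <<'EOF'
resource r0 {
  disk { on-io-error detach; }
  on node-a {
    disk /dev/mapper/md2_crypt;
  }
}
resource r1 {
  on node-a {
    disk /dev/sdb;  # raw disk
  }
}
EOF
printf '%s\n' 'md2_crypt: 0 1953259520 crypt aes-xts-plain64 0000 0 9:2 4096' \
    'vg0-root: 0 41943040 linear 8:3 2048' > "$SAMPLE_DIR/dm.txt"
check_drbd_backing "$SAMPLE_DIR/drbd.conf" "$SAMPLE_DIR/dm.txt" || true
```

On a node, save the live table with `dmsetup table > dm.txt` and pass the real drbd.conf; a `disk` given as `/dev/dm-N` cannot be matched by name and is reported UNENCRYPTED.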



[Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1

2013-03-04 Thread senrabdet
Hi All:

We're new to pacemaker (just got some great help from this forum getting it 
working with LVM as backing device), and would like to explore the Physical 
Volume option. We're trying to configure on top of an existing Encrypted RAID1 set 
up and employ LVM.

NOTE:  our goal is to run many virtual servers, each in its own logical volume 
and it looks like putting LVM on top of the DRBD would allow us to add logical 
volumes "on the fly", but also have a "simpler" setup with one drbd device for 
all the logical volumes and one related pacemaker config.  Hence, exploring 
DRBD as a physical volume.

Q:  For pacemaker to work, how do we do the DRBD disk/device mapping in the 
drbd.conf file?  And should we set things up and encrypt last, or can we apply 
DRBD and Pacemaker to an existing Encrypted RAID1 setup?

The examples we've seen show mapping between the drbd device and a physical 
disk (e.g., sdb) in the drbd.conf, and then  "pvcreate /dev/drbdnum" and 
creating a volume group and logical volume on the drbd device.

So for this type of set up, drbd.conf might look like:

device /dev/drbd1;
disk  /dev/sdb;
address xx.xx.xx.xx:7789;
meta-disk internal;

In our case, because we have an existing RAID1 (md2) and it's encrypted 
(md2_crypt or /dev/dm-7 ...  we're unsure which partition actually has the 
data), any thoughts on how to do the DRBD mapping?  E.g., 

device /dev/drbd1 minor 1;
disk /dev/???;
address xx.xx.xx.xx:7789; 
meta-disk internal;

I.e., what goes in the "disk /dev/?;"?  Would it be "disk /dev/md2_crypt;"?

And can we do our setup on an existing Encrypted RAID1 setup (if we do pvcreate 
on drbd1, we get errors)?

Thanks!

Ted