Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1
Thanks Lars - will digest your response a bit, get back - appreciate the help!

-----Original Message-----
From: Lars Ellenberg
To: pacemaker
Sent: Wed, Mar 6, 2013 5:40 am
Subject: Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1

On Mon, Mar 04, 2013 at 04:27:24PM -0500, senrab...@aol.com wrote:
> Hi All:
>
> We're new to pacemaker (just got some great help from this forum
> getting it working with LVM as backing device), and would like to
> explore the Physical Volume option. We're trying to configure on top of
> an existing Encrypted RAID1 set up and employ LVM.
>
> NOTE: our goal is to run many virtual servers, each in its own
> logical volume and it looks like putting LVM on top of the DRBD would
> allow us to add logical volumes "on the fly", but also have a
> "simpler" setup with one drbd device for all the logical volumes and
> one related pacemaker config. Hence, exploring DRBD as a physical
> volume.

A single DRBD has a single "activity log", running "many virtual servers" from there will very likely cause the "worst possible" workload (many totally random writes).

You really want to use DRBD 8.4.3, see https://blogs.linbit.com/p/469/843-random-writes-faster/ for why.

> Q: For pacemaker to work, how do we do the DRBD disk/device mapping
> in the drbd.conf file? And should we set things up and encrypt last,
> or can we apply DRBD and Pacemaker to an existing Encrypted RAID1
> setup?

Neither Pacemaker nor DRBD do particularly care.

If you want to stack the encryption layer on top of DRBD, fine. (You'd probably need to teach some pacemaker resource agent to "start" the encryption layer.)

If you want to stack DRBD on top of the encryption layer, just as fine.

Unless you provide the decryption key in plaintext somewhere, failover will likely be easier to automate if you have DRBD on top of encryption, so if you want the real device encrypted, I'd recommend to put encryption below DRBD.

Obviously, the DRBD replication traffic will still be "plaintext" in that case.

> The examples we've seen show mapping between the drbd device and a
> physical disk (e.g., sdb) in the drbd.conf, and then "pvcreate
> /dev/drbdnum" and creating a volume group and logical volume on the
> drbd device.
>
> So for this type of set up, drbd.conf might look like:
>
> device /dev/drbd1;
> disk /dev/sdb;
> address xx.xx.xx.xx:7789;
> meta-disk internal;
>
> In our case, because we have an existing RAID1 (md2) and it's
> encrypted (md2_crypt or /dev/dm-7 ... we're unsure which partition
> actually has the data), any thoughts on how to do the DRBD mapping?
> E.g.,
>
> device /dev/drbd1 minor 1;
> disk /dev/???;
> address xx.xx.xx.xx:7789;
> meta-disk internal;
>
> I.e., what goes in the "disk /dev/?;"? Would it be "disk /dev/md2_crypt;"?

Yes.

> And can we do our setup on an existing Encrypted RAID1 setup

Yes.

> (if we do pvcreate on drbd1, we get errors)?

Huh?

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.

_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
Re: [Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1
On Mon, Mar 04, 2013 at 04:27:24PM -0500, senrab...@aol.com wrote:
> Hi All:
>
> We're new to pacemaker (just got some great help from this forum
> getting it working with LVM as backing device), and would like to
> explore the Physical Volume option. We're trying to configure on top of
> an existing Encrypted RAID1 set up and employ LVM.
>
> NOTE: our goal is to run many virtual servers, each in its own
> logical volume and it looks like putting LVM on top of the DRBD would
> allow us to add logical volumes "on the fly", but also have a
> "simpler" setup with one drbd device for all the logical volumes and
> one related pacemaker config. Hence, exploring DRBD as a physical
> volume.

A single DRBD has a single "activity log", running "many virtual servers" from there will very likely cause the "worst possible" workload (many totally random writes).

You really want to use DRBD 8.4.3, see https://blogs.linbit.com/p/469/843-random-writes-faster/ for why.

> Q: For pacemaker to work, how do we do the DRBD disk/device mapping
> in the drbd.conf file? And should we set things up and encrypt last,
> or can we apply DRBD and Pacemaker to an existing Encrypted RAID1
> setup?

Neither Pacemaker nor DRBD do particularly care.

If you want to stack the encryption layer on top of DRBD, fine. (You'd probably need to teach some pacemaker resource agent to "start" the encryption layer.)

If you want to stack DRBD on top of the encryption layer, just as fine.

Unless you provide the decryption key in plaintext somewhere, failover will likely be easier to automate if you have DRBD on top of encryption, so if you want the real device encrypted, I'd recommend to put encryption below DRBD.

Obviously, the DRBD replication traffic will still be "plaintext" in that case.

> The examples we've seen show mapping between the drbd device and a
> physical disk (e.g., sdb) in the drbd.conf, and then "pvcreate
> /dev/drbdnum" and creating a volume group and logical volume on the
> drbd device.
>
> So for this type of set up, drbd.conf might look like:
>
> device /dev/drbd1;
> disk /dev/sdb;
> address xx.xx.xx.xx:7789;
> meta-disk internal;
>
> In our case, because we have an existing RAID1 (md2) and it's
> encrypted (md2_crypt or /dev/dm-7 ... we're unsure which partition
> actually has the data), any thoughts on how to do the DRBD mapping?
> E.g.,
>
> device /dev/drbd1 minor 1;
> disk /dev/???;
> address xx.xx.xx.xx:7789;
> meta-disk internal;
>
> I.e., what goes in the "disk /dev/?;"? Would it be "disk
> /dev/md2_crypt;"?

Yes.

> And can we do our setup on an existing Encrypted RAID1 setup

Yes.

> (if we do pvcreate on drbd1, we get errors)?

Huh?

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
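
A check for the layering recommended in the reply above (encryption below DRBD), as an added example that is not part of the original thread: it reads the "disk" line of a DRBD resource section and confirms that the device it names is a dm-crypt mapping in `dmsetup table` output. The resource name r0, the address 192.0.2.10, the /dev/mapper/ path and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a DRBD resource section using the thread's device names.
SAMPLE_DRBD='resource r0 {
  device    /dev/drbd1 minor 1;
  disk      /dev/mapper/md2_crypt;
  address   192.0.2.10:7789;
  meta-disk internal;
}'

# Constructed sample: `dmsetup table` output. Without --showkeys the key
# field of a crypt target is printed as zeros.
SAMPLE_DMTABLE='md2_crypt: 0 1953259520 crypt aes-xts-plain64 0000000000000000 0 9:2 4096
vg0-root: 0 41943040 linear 8:3 2048'

# Print the backing device named on the "disk" line of a DRBD config.
# "meta-disk" lines are ignored because the first field must be exactly "disk".
drbd_backing_disk() {
    printf '%s\n' "$1" | awk '$1 == "disk" { sub(/;$/, "", $2); print $2; exit }'
}

# Succeed if mapping name $1 appears as a "crypt" target in table text $2.
# Table lines have the form: "<name>: <start> <length> <target> <args...>".
is_crypt_mapping() {
    printf '%s\n' "$2" |
        awk -v n="$1:" '$1 == n && $4 == "crypt" { found = 1 } END { exit !found }'
}

# Report whether DRBD sits on a dm-crypt mapping (encryption below DRBD)
# or on something that is not a named crypt mapping, such as the raw md device.
check_stack() {
    disk=$(drbd_backing_disk "$1")
    name=${disk##*/}        # /dev/mapper/md2_crypt -> md2_crypt
    if is_crypt_mapping "$name" "$2"; then
        echo "crypt-below-drbd $disk"
    else
        echo "no-crypt-mapping $disk"
    fi
}

check_stack "$SAMPLE_DRBD" "$SAMPLE_DMTABLE"
```

On a live node, pass the contents of the real resource file and the output of `dmsetup table` in place of the two samples.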
[Pacemaker] Pacemaker DRBD as Physical Volume on Encrypted RAID1
Hi All:

We're new to pacemaker (just got some great help from this forum getting it working with LVM as backing device), and would like to explore the Physical Volume option. We're trying to configure on top of an existing Encrypted RAID1 set up and employ LVM.

NOTE: our goal is to run many virtual servers, each in its own logical volume and it looks like putting LVM on top of the DRBD would allow us to add logical volumes "on the fly", but also have a "simpler" setup with one drbd device for all the logical volumes and one related pacemaker config. Hence, exploring DRBD as a physical volume.

Q: For pacemaker to work, how do we do the DRBD disk/device mapping in the drbd.conf file? And should we set things up and encrypt last, or can we apply DRBD and Pacemaker to an existing Encrypted RAID1 setup?

The examples we've seen show mapping between the drbd device and a physical disk (e.g., sdb) in the drbd.conf, and then "pvcreate /dev/drbdnum" and creating a volume group and logical volume on the drbd device.

So for this type of set up, drbd.conf might look like:

device /dev/drbd1;
disk /dev/sdb;
address xx.xx.xx.xx:7789;
meta-disk internal;

In our case, because we have an existing RAID1 (md2) and it's encrypted (md2_crypt or /dev/dm-7 ... we're unsure which partition actually has the data), any thoughts on how to do the DRBD mapping? E.g.,

device /dev/drbd1 minor 1;
disk /dev/???;
address xx.xx.xx.xx:7789;
meta-disk internal;

I.e., what goes in the "disk /dev/?;"? Would it be "disk /dev/md2_crypt;"?

And can we do our setup on an existing Encrypted RAID1 setup (if we do pvcreate on drbd1, we get errors)?

Thanks!

Ted