If you are not using remote CIB administration in Pacemaker, you can completely disregard this email.  For the several that do, starting in Pacemaker 3.0.2, we've introduced a variety of changes:

* PSK is now a supported authentication method, alongside TLS certificates.  This brings it in line with the supported authentication methods for Pacemaker Remote nodes.  The Pacemaker Administration document has all the details for how to set this up, but the quick overview is you create a secret key, put it on the client and cluster node, and then set up the right environment variables for Pacemaker to know where to look for the key.  You will still need to log in with a username and password, and there is some weirdness around this at the moment, which I am hoping to fix relatively soon.

* The remote-clear-port cluster property is deprecated and will be removed soon.  This property allows you to perform remote cluster administration with no encryption at all.  You still need to log in with a username and password, but that would happen in the clear.  We've suggested only using this on secure networks, but it's time to stop offering it at all.  Instead, use the remote-tls-port property which was introduced in 2014.

* Anonymous authentication for remote CIB administration is deprecated and will be removed soon.  This allowed you to perform remote cluster administration over an encrypted channel, but with no authentication on that channel. Instead, move to using TLS certificates or the new PSK support.

Of the two authentication methods (TLS certs and PSK), PSK is far easier to set up and is what I would suggest for the more casual user (if there are any casual users of remote CIB administration).

- Chris
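
Added example, not part of the original email and not Pacemaker project code: a small audit that reads a saved CIB (for instance the output of `cibadmin --query`) and reports whether the deprecated plaintext listener or the encrypted listener is enabled. It assumes the port options appear either as attributes of the `<cib>` element or as `nvpair` entries, and that only a positive port number means "enabled"; the sample CIB is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample CIB, not taken from a real cluster.
SAMPLE_CIB = """<cib admin_epoch="0" epoch="12" num_updates="0" remote-clear-port="9898">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="opt-stonith" name="stonith-enabled" value="true"/>
      </cluster_property_set>
    </crm_config>
  </configuration>
</cib>"""

PORT_OPTIONS = ("remote-clear-port", "remote-tls-port")

def remote_ports(cib_xml):
    """Return {option: port} for remote CIB listeners enabled in the CIB."""
    root = ET.fromstring(cib_xml)
    found = {}
    for name in PORT_OPTIONS:
        # Assumption: the option is an attribute of <cib>; nvpairs are also
        # checked because the announcement calls it a cluster property.
        values = [root.get(name)]
        values += [nv.get("value") for nv in root.iter("nvpair")
                   if nv.get("name") == name]
        for value in values:
            # Assumption: only a positive port number enables the listener.
            if value and value.isdigit() and int(value) > 0:
                found[name] = int(value)
    return found

def audit(cib_xml):
    """Return a list of findings about remote CIB administration."""
    ports = remote_ports(cib_xml)
    findings = []
    if "remote-clear-port" in ports:
        findings.append("remote-clear-port=%d: plaintext listener, deprecated; "
                        "move clients to remote-tls-port" % ports["remote-clear-port"])
    if "remote-tls-port" in ports:
        findings.append("remote-tls-port=%d: encrypted listener; confirm it uses "
                        "TLS certificates or PSK, not anonymous authentication"
                        % ports["remote-tls-port"])
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CIB):
        print(line)
```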
