diff --git a/doc/Pacemaker_Remote/en-US/Ch-Baremetal-Tutorial.txt b/doc/Pacemaker_Remote/en-US/Ch-Baremetal-Tutorial.txt index d0fd14b02f..13eae07cb0 100644 --- a/doc/Pacemaker_Remote/en-US/Ch-Baremetal-Tutorial.txt +++ b/doc/Pacemaker_Remote/en-US/Ch-Baremetal-Tutorial.txt @@ -1,230 +1,235 @@ = Baremetal Walk-through = -+What this tutorial is:+ This tutorial is an in-depth walk-through of how to get pacemaker to integrate a baremetal remote-node into the cluster as a node capable of running cluster resources. +*What this tutorial is:* An in-depth walk-through of how to get Pacemaker to +integrate a remote node into the cluster as a node capable of running cluster +resources. -+What this tutorial is not:+ This tutorial is not a realistic deployment scenario. The steps shown here are meant to get users familiar with the concept of remote-nodes as quickly as possible. +*What this tutorial is not:* A realistic deployment scenario. The steps shown +here are meant to get users familiar with the concept of remote nodes as +quickly as possible. This tutorial requires three machines. Two machines to act as cluster-nodes and a third to act as the baremetal remote-node. This tutorial was tested using Fedora 20 on both the cluster-nodes and baremetal remote-node. Anything that is capable of running pacemaker v1.1.11 or greater will do though. An installation guide for installing Fedora 20 can be found here, http://docs.fedoraproject.org/en-US/Fedora/20/html/Installation_Guide/. Fedora 20 (or similar distro) host preparation steps. == SElinux and Firewall Considerations == In order to simply this tutorial we will disable selinux and the firewall on all the nodes. +WARNING:+ These actions will open a significant security threat to machines exposed to the outside world. -[source,C] ---- # setenforce 0 # sed -i.bak "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config # firewall-cmd --add-port 3121/tcp --permanent # systemctl disable iptables.service # systemctl disable ip6tables.service # rm '/etc/systemd/system/basic.target.wants/iptables.service' # rm '/etc/systemd/system/basic.target.wants/ip6tables.service' # systemctl stop iptables.service # systemctl stop ip6tables.service ---- == Setup Pacemaker Remote on Baremetal remote-node == On the baremetal remote-node machine run these commands to generate an authkey and copy it to the /etc/pacemaker folder. -[source,C] ---- # mkdir /etc/pacemaker # dd if=/dev/urandom of=/etc/pacemaker/authkey bs=4096 count=1 ---- Make sure to distribute this key to both of the cluster-nodes as well. All the nodes must have the same /etc/pacemaker/authkey installed for the communication to work correctly. Now install and start the pacemaker_remote daemon on the baremetal remote-node. -[source,C] ---- # yum install -y pacemaker-remote resource-agents pcs # systemctl enable pacemaker_remote.service # systemctl start pacemaker_remote.service ---- Verify the start is successful. -[source,C] ---- # systemctl status pacemaker_remote pacemaker_remote.service - Pacemaker Remote Service Loaded: loaded (/usr/lib/systemd/system/pacemaker_remote.service; enabled) Active: active (running) since Thu 2013-03-14 18:24:04 EDT; 2min 8s ago Main PID: 1233 (pacemaker_remot) CGroup: name=systemd:/system/pacemaker_remote.service └─1233 /usr/sbin/pacemaker_remoted Mar 14 18:24:04 remote1 systemd[1]: Starting Pacemaker Remote Service... Mar 14 18:24:04 remote1 systemd[1]: Started Pacemaker Remote Service. Mar 14 18:24:04 remote1 pacemaker_remoted[1233]: notice: lrmd_init_remote_tls_server: Starting a tls listener on port 3121. ---- == Verify cluster-node Connection to baremetal-node == Before moving forward it's worth going ahead and verifying the cluster-nodes can contact the baremetal node on port 3121. Here's a trick you can use. Connect using telnet from each of the cluster-nodes. The connection will get destroyed, but how it is destroyed tells you whether it worked or not. -First add the baremetal remote-node's hostname (we're using remote1 in this tutorial) to the cluster-nodes' /etc/hosts files if you haven't already. This is required unless you have dns setup in a way where remote1's address can be discovered. +First, add the remote node's hostname (we're using *remote1* in this tutorial) +to the cluster-nodes' +/etc/hosts+ files if you haven't already. This +is required unless you have DNS set up in a way where remote1's address can be +discovered. Execute the following on each cluster-node, replacing the ip address with the actual ip address of the baremetal remote-node. -[source,C] ---- # cat << END >> /etc/hosts 192.168.122.10 remote1 END ---- If running the telnet command on one of the cluster-nodes results in this output before disconnecting, the connection works. -[source,C] ---- # telnet remote1 3121 Trying 192.168.122.10... Connected to remote1. Escape character is '^]'. Connection closed by foreign host. ---- If you see this, the connection is not working. -[source,C] ---- # telnet remote1 3121 Trying 192.168.122.10... telnet: connect to address 192.168.122.10: No route to host ---- Once you can successfully connect to the baremetal remote-node from the both cluster-nodes, move on to setting up pacemaker on the cluster-nodes. == Install cluster-node Software == On the two cluster-nodes install the following packages. -[source,C] ---- # yum install -y pacemaker corosync pcs resource-agents ---- == Setup Corosync on cluster-nodes == Corosync handles pacemaker's cluster membership and messaging. The corosync config file is located in /etc/corosync/corosync.conf. That config file must be initialized with information about the two cluster-nodes before pacemaker can start. To initialize the corosync config file, execute the following pcs command on both nodes filling in the information in <> with your nodes' information. -[source,C] ---- # pcs cluster setup --local mycluster ---- A recent syntax change in pcs may cause the above command to fail. If so try this alternative. -[source,C] ---- # pcs cluster setup --force --local --name mycluster ---- == Start Pacemaker on cluster-nodes == Start the cluster stack on both cluster nodes using the following command. -[source,C] ---- # pcs cluster start ---- Verify corosync membership -[source,C] ---- # pcs status corosync Membership information Nodeid Votes Name 1795270848 1 node1 (local) ---- -Verify pacemaker status. At first the 'pcs cluster status' output will look like this. +Verify Pacemaker status. At first, the `pcs cluster status` output will look +like this. -[source,C] ---- # pcs status Last updated: Thu Mar 14 12:26:00 2013 Last change: Thu Mar 14 12:25:55 2013 via crmd on example-host Stack: corosync Current DC: Version: 1.1.11 1 Nodes configured, unknown expected votes 0 Resources configured. ---- After about a minute you should see your two cluster-nodes come online. -[source,C] ---- # pcs status Last updated: Thu Mar 14 12:28:23 2013 Last change: Thu Mar 14 12:25:55 2013 via crmd on node1 Stack: corosync Current DC: node1 (1795270848) - partition with quorum Version: 1.1.11 2 Nodes configured, unknown expected votes 0 Resources configured. Online: [ node1 node2 ] ---- For the sake of this tutorial, we are going to disable stonith to avoid having to cover fencing device configuration. -[source,C] ---- # pcs property set stonith-enabled=false ---- == Integrate Baremetal remote-node into Cluster == -Integrating a baremetal remote-node into the cluster is achieved through the creation of a remote-node connection resource. The remote-node connection resource both establishes the connection to the remote-node and defines that the remote-node exists. Note that this resource is actually internal to Pacemaker's crmd component. A metadata file for this resource can be found in the /usr/lib/ocf/resource.d/pacemaker/remote file that describes what options are available, but there is no actual ocf:pacemaker:remote resource agent script that performs any work. +Integrating a remote node into the cluster is achieved through the +creation of a remote node connection resource. The remote node connection +resource both establishes the connection to the remote node and defines that +the remote node exists. Note that this resource is actually internal to +Pacemaker's crmd component. A metadata file for this resource can be found in +the +/usr/lib/ocf/resource.d/pacemaker/remote+ file that describes what options +are available, but there is no actual *ocf:pacemaker:remote* resource agent +script that performs any work. -Define the remote-node connection resource to our baremetal remote-node, remote1, using the following command. +Define the remote node connection resource to our remote node, +*remote1*, using the following command on any cluster node. -[source,C] ---- # pcs resource create remote1 ocf:pacemaker:remote ---- That's it. After a moment you should see the remote-node come online. -[source,C] ---- Last updated: Fri Oct 18 18:47:21 2013 Last change: Fri Oct 18 18:46:14 2013 via cibadmin on node1 Stack: corosync Current DC: node1 (1) - partition with quorum Version: 1.1.11 3 Nodes configured 1 Resources configured Online: [ node1 node2 ] RemoteOnline: [ remote1 ] remote1 (ocf::pacemaker:remote): Started node1 ---- == Starting Resources on baremetal remote-node == +"Warning: Never involve a remote-node connection resource in a resource group, colocation, or order constraint"+ Once the baremetal remote-node is integrated into the cluster, starting resources on a baremetal remote-node is the exact same as the cluster nodes. Refer to the Clusters from Scratch document for examples on resource creation. http://clusterlabs.org/doc/ == Fencing baremetal remote-nodes == The cluster understands how to fence baremetal remote-nodes and can use standard fencing devices to do so. No special considerations are required. Note however that remote-nodes can never initiate a fencing action. Only cluster-nodes are capable of actually executing the fencing operation on another node. == Accessing Cluster Tools from a Baremetal remote-node == -Besides allowing the cluster to manage resources on a remote-node, pacemaker_remote has one other trick. +The pacemaker_remote daemon allows nearly all the pacemaker tools (crm_resource, crm_mon, crm_attribute, crm_master) to work on remote nodes natively.+ -Try it, run +crm_mon+ or +pcs status+ on the baremetal node after pacemaker has integrated the remote-node into the cluster. These tools just work. These means resource agents such as master/slave resources which need access to tools like crm_master work seamlessly on the remote-nodes. +Besides allowing the cluster to manage resources on a remote node, +pacemaker_remote has one other trick. The pacemaker_remote daemon allows +nearly all the pacemaker tools (`crm_resource`, `crm_mon`, `crm_attribute`, +`crm_master`, etc.) to work on remote nodes natively. +Try it: Run `crm_mon` or `pcs status` on the remote node after pacemaker has +integrated it into the cluster. These tools just work. These means resource +agents such as master/slave resources which need access to tools like +`crm_master` work seamlessly on the remote nodes. diff --git a/doc/Pacemaker_Remote/en-US/Ch-Example.txt b/doc/Pacemaker_Remote/en-US/Ch-Example.txt index 5db250f551..b12c92e601 100644 --- a/doc/Pacemaker_Remote/en-US/Ch-Example.txt +++ b/doc/Pacemaker_Remote/en-US/Ch-Example.txt @@ -1,107 +1,108 @@ = KVM Remote-node Quick Example = If you already know how to use pacemaker, you'll likely be able to grasp this new concept of remote-nodes by reading through this quick example without having to sort through all the detailed walk-through steps. Here are the key configuration ingredients that make this possible using libvirt and KVM virtual guests. These steps strip everything down to the very basics. == Mile High View of Configuration Steps == * +Put an authkey with this path, /etc/pacemaker/authkey, on every cluster-node and virtual machine+. This secures remote communication and authentication. Run this command if you want to make a somewhat random authkey. -[source,C] ---- dd if=/dev/urandom of=/etc/pacemaker/authkey bs=4096 count=1 ---- -* +Install pacemaker_remote packages on every virtual machine, enable pacemaker_remote on startup, and poke hole in firewall for tcp port 3121.+ - -[source,C] +* Install pacemaker_remote on every virtual machine, enabling it to start at + boot, and if a local firewall is used, allow the node to accept connections + on TCP port 3121. ++ ---- yum install pacemaker-remote resource-agents systemctl enable pacemaker_remote # If you just want to see this work, disable iptables and ip6tables on most distros. # You may have to put selinux in permissive mode as well for the time being. firewall-cmd --add-port 3121/tcp --permanent ---- * +Give each virtual machine a static network address and unique hostname+ * +Tell pacemaker to launch a virtual machine and that the virtual machine is a remote-node capable of running resources by using the "remote-node" meta-attribute.+ with pcs -[source,C] ---- # pcs resource create vm-guest1 VirtualDomain hypervisor="qemu:///system" config="vm-guest1.xml" meta +remote-node=guest1+ ---- raw xml [source,XML] ---- ---- -In the example above the meta-attribute 'remote-node=guest1' tells pacemaker that this resource is a remote-node with the hostname 'guest1' that is capable of being integrated into the cluster. The cluster will attempt to contact the virtual machine's pacemaker_remote service at the hostname 'guest1' after it launches. +In the example above, the meta-attribute *remote-node="guest1"* tells Pacemaker +that this resource is a guest node with the hostname *guest1*. The cluster will +attempt to contact the virtual machine's pacemaker_remote service at the +hostname *guest1* after it launches. == What those steps just did == Those steps just told pacemaker to launch a virtual machine called vm-guest1 and integrate that virtual machine as a remote-node called 'guest1'. -Example crm_mon output after guest1 is integrated into cluster. +Guest nodes will show up in `crm_mon` output as normal: -[source,C] +.Example `crm_mon` output after *guest1* is integrated into cluster ---- Last updated: Wed Mar 13 13:52:39 2013 Last change: Wed Mar 13 13:25:17 2013 via crmd on node1 Stack: corosync Current DC: node1 (24815808) - partition with quorum Version: 1.1.10 2 Nodes configured, unknown expected votes 2 Resources configured. Online: [ node1 guest1] vm-guest1 (ocf::heartbeat:VirtualDomain): Started node1 ---- -Now, you could place a resource, such as a webserver on guest1. - -[source,C] +Now, you could place a resource, such as a webserver, on *guest1*: ---- # pcs resource create webserver apache params configfile=/etc/httpd/conf/httpd.conf op monitor interval=30s # pcs constraint webserver prefers guest1 ---- -Now the crm_mon output would show a webserver launched on the guest1 remote-node. - -[source,C] +Now, the crm_mon output would show: ---- Last updated: Wed Mar 13 13:52:39 2013 Last change: Wed Mar 13 13:25:17 2013 via crmd on node1 Stack: corosync Current DC: node1 (24815808) - partition with quorum Version: 1.1.10 2 Nodes configured, unknown expected votes 2 Resources configured. Online: [ node1 guest1] vm-guest1 (ocf::heartbeat:VirtualDomain): Started node1 webserver (ocf::heartbeat::apache): Started guest1 ---- -== Accessing Cluster from Remote-node == - -It is worth noting that after 'guest1' is integrated into the cluster, all the pacemaker cli tools immediately become available to the remote node. This means things like crm_mon, crm_resource, and crm_attribute will work natively on the remote-node as long as the connection between the remote-node and cluster-node exists. This is particularly important for any master/slave resources executing on the remote-node that need access to crm_master to set the nodes transient attributes. - +It is worth noting that after *guest1* is integrated into the cluster, all the +Pacemaker command-line tools immediately become available to the guest node. +This means things like `crm_mon`, `crm_resource`, and `crm_attribute` will work +natively on the guest node, as long as the connection between the guest node +and a cluster node exists. This is particularly important for any master/slave +resources executing on the guest node that need access to `crm_master` to set +transient attributes. diff --git a/doc/Pacemaker_Remote/en-US/Ch-KVM-Tutorial.txt b/doc/Pacemaker_Remote/en-US/Ch-KVM-Tutorial.txt index 4e0fbeae52..ae6f033e1a 100644 --- a/doc/Pacemaker_Remote/en-US/Ch-KVM-Tutorial.txt +++ b/doc/Pacemaker_Remote/en-US/Ch-KVM-Tutorial.txt @@ -1,481 +1,474 @@ = KVM Walk-through = -+What this tutorial is:+ This tutorial is an in-depth walk-through of how to get pacemaker to manage a KVM guest instance and integrate that guest into the cluster as a remote-node. +*What this tutorial is:* An in-depth walk-through of how to get Pacemaker to +manage a KVM guest instance and integrate that guest into the cluster as a +guest node. -+What this tutorial is not:+ This tutorial is not a realistic deployment scenario. The steps shown here are meant to get users familiar with the concept of remote-nodes as quickly as possible. +*What this tutorial is not:* A realistic deployment scenario. The steps shown +here are meant to get users familiar with the concept of guest nodes as quickly +as possible. == Step 1: Setup the Host == This tutorial was created using Fedora 20 on the host and guest nodes. Anything that is capable of running libvirt and pacemaker v1.1.10 or greater will do though. An installation guide for installing Fedora 20 can be found here, http://docs.fedoraproject.org/en-US/Fedora/20/html/Installation_Guide/. Fedora 20 (or similar distro) host preparation steps. === SElinux and Firewall === In order to simply this tutorial we will disable the selinux and the firewall on the host. +WARNING:+ These actions will open a significant security threat to machines exposed to the outside world. -[source,C] ---- # setenforce 0 # sed -i.bak "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config # systemctl disable iptables.service # systemctl disable ip6tables.service # rm '/etc/systemd/system/basic.target.wants/iptables.service' # rm '/etc/systemd/system/basic.target.wants/ip6tables.service' # systemctl stop iptables.service # systemctl stop ip6tables.service ---- === Install Cluster Software === -[source,C] ---- # yum install -y pacemaker corosync pcs resource-agents ---- === Setup Corosync === Corosync handles pacemaker's cluster membership and messaging. The corosync config file is located in /etc/corosync/corosync.conf. That config file must be initialized with information about the cluster-nodes before pacemaker can start. To initialize the corosync config file, execute the following pcs command on both nodes filling in the information in <> with your nodes' information. -[source,C] ---- # pcs cluster setup --local mycluster ---- A recent syntax change in pcs may cause the above command to fail. If so try this alternative. -[source,C] ---- # pcs cluster setup --force --local --name mycluster ---- === Verify Cluster Software === Start the cluster - -[source,C] ---- # pcs cluster start ---- Verify corosync membership - -[source,C] ---- # pcs status corosync Membership information Nodeid Votes Name 1795270848 1 example-host (local) ---- -Verify pacemaker status. At first the 'pcs cluster status' output will look like this. - -[source,C] +Verify pacemaker status. At first, the output will look like this: ---- # pcs status Last updated: Thu Mar 14 12:26:00 2013 Last change: Thu Mar 14 12:25:55 2013 via crmd on example-host Stack: corosync Current DC: Version: 1.1.10 1 Nodes configured, unknown expected votes 0 Resources configured. ---- After about a minute you should see your host as a single node in the cluster. -[source,C] ---- # pcs status Last updated: Thu Mar 14 12:28:23 2013 Last change: Thu Mar 14 12:25:55 2013 via crmd on example-host Stack: corosync Current DC: example-host (1795270848) - partition WITHOUT quorum Version: 1.1.8-9b13ea1 1 Nodes configured, unknown expected votes 0 Resources configured. Online: [ example-host ] ---- Go ahead and stop the cluster for now after verifying everything is in order. - -[source,C] ---- # pcs cluster stop ---- === Install Virtualization Software === -[source,C] ---- # yum install -y kvm libvirt qemu-system qemu-kvm bridge-utils virt-manager # systemctl enable libvirtd.service ---- reboot the host == Step2: Create the KVM guest == I am not going to outline the installation steps required to create a kvm guest. There are plenty of tutorials available elsewhere that do that. I recommend using a Fedora 18 or greater distro as your guest as that is what I am testing this tutorial with. === Setup Guest Network === Run the commands below to set up a static ip address (192.168.122.10) and hostname (guest1). -[source,C] ---- export remote_hostname=guest1 export remote_ip=192.168.122.10 export remote_gateway=192.168.122.1 yum remove -y NetworkManager rm -f /etc/hostname cat << END >> /etc/hostname $remote_hostname END hostname $remote_hostname cat << END >> /etc/sysconfig/network HOSTNAME=$remote_hostname GATEWAY=$remote_gateway END sed -i.bak "s/.*BOOTPROTO=.*/BOOTPROTO=none/g" /etc/sysconfig/network-scripts/ifcfg-eth0 cat << END >> /etc/sysconfig/network-scripts/ifcfg-eth0 IPADDR0=$remote_ip PREFIX0=24 GATEWAY0=$remote_gateway DNS1=$remote_gateway END systemctl restart network systemctl enable network.service systemctl enable sshd systemctl start sshd echo "checking connectivity" ping www.google.com ---- To simplify the tutorial we'll go ahead and disable selinux on the guest. We'll also need to poke a hole through the firewall on port 3121 (the default port for pacemaker_remote) so the host can contact the guest. -[source,C] ---- # setenforce 0 # sed -i.bak "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config # firewall-cmd --add-port 3121/tcp --permanent ---- If you still encounter connection issues just disable iptables and ipv6tables on the guest like we did on the host to guarantee you'll be able to contact the guest from the host. At this point you should be able to ssh into the guest from the host. === Setup Pacemaker Remote === -On the +HOST+ machine run these commands to generate an authkey and copy it to the /etc/pacemaker folder on both the host and guest. +On the 'host' machine, run these commands to generate an authkey and copy it to +the /etc/pacemaker folder on both the host and guest. -[source,C] ---- # mkdir /etc/pacemaker # dd if=/dev/urandom of=/etc/pacemaker/authkey bs=4096 count=1 # scp -r /etc/pacemaker root@192.168.122.10:/etc/ ---- -Now on the +GUEST+ install pacemaker-remote package and enable the daemon to run at startup. In the commands below you will notice the 'pacemaker' and 'pacemaker_remote' packages are being installed. The 'pacemaker' package is not required. The only reason it is being installed for this tutorial is because it contains the a 'Dummy' resource agent we will be using later on to test the remote-node. +Now on the 'guest', install the pacemaker-remote package, and enable the daemon +to run at startup. In the commands below, you will notice the pacemaker +package is also installed. It is not required; the only reason it is being +installed for this tutorial is because it contains the a Dummy resource agent +that we will use later for testing. -[source,C] ---- # yum install -y pacemaker pacemaker-remote resource-agents # systemctl enable pacemaker_remote.service ---- Now start pacemaker_remote on the guest and verify the start was successful. -[source,C] ---- # systemctl start pacemaker_remote.service # systemctl status pacemaker_remote pacemaker_remote.service - Pacemaker Remote Service Loaded: loaded (/usr/lib/systemd/system/pacemaker_remote.service; enabled) Active: active (running) since Thu 2013-03-14 18:24:04 EDT; 2min 8s ago Main PID: 1233 (pacemaker_remot) CGroup: name=systemd:/system/pacemaker_remote.service └─1233 /usr/sbin/pacemaker_remoted Mar 14 18:24:04 guest1 systemd[1]: Starting Pacemaker Remote Service... Mar 14 18:24:04 guest1 systemd[1]: Started Pacemaker Remote Service. Mar 14 18:24:04 guest1 pacemaker_remoted[1233]: notice: lrmd_init_remote_tls_server: Starting a tls listener on port 3121. ---- === Verify Host Connection to Guest === Before moving forward it's worth going ahead and verifying the host can contact the guest on port 3121. Here's a trick you can use. Connect using telnet from the host. The connection will get destroyed, but how it is destroyed tells you whether it worked or not. First add guest1 to the host machine's /etc/hosts file if you haven't already. This is required unless you have dns setup in a way where guest1's address can be discovered. -[source,C] ---- # cat << END >> /etc/hosts 192.168.122.10 guest1 END ---- If running the telnet command on the host results in this output before disconnecting, the connection works. -[source,C] ---- # telnet guest1 3121 Trying 192.168.122.10... Connected to guest1. Escape character is '^]'. Connection closed by foreign host. ---- If you see this, the connection is not working. -[source,C] ---- # telnet guest1 3121 Trying 192.168.122.10... telnet: connect to address 192.168.122.10: No route to host ---- Once you can successfully connect to the guest from the host, shutdown the guest. Pacemaker will be managing the virtual machine from this point forward. == Step3: Integrate KVM guest into Cluster. == Now the fun part, integrating the virtual machine you've just created into the cluster. It is incredibly simple. === Start the Cluster === On the host, start pacemaker. -[source,C] ---- # pcs cluster start ---- -Wait for the host to become the DC. The output of 'pcs status' should look similar to this after about a minute. +Wait for the host to become the DC. The output of `pcs status` should look +similar to this after about a minute. -[source,C] ---- Last updated: Thu Mar 14 16:41:22 2013 Last change: Thu Mar 14 16:41:08 2013 via crmd on example-host Stack: corosync Current DC: example-host (1795270848) - partition WITHOUT quorum Version: 1.1.10 1 Nodes configured, unknown expected votes 0 Resources configured. Online: [ example-host ] ---- Now enable the cluster to work without quorum or stonith. This is required just for the sake of getting this tutorial to work with a single cluster-node. -[source,C] ---- # pcs property set stonith-enabled=false # pcs property set no-quorum-policy=ignore ---- === Integrate KVM Guest as remote-node === If you didn't already do this earlier in the verify host to guest connection section, add the KVM guest's ip to the host's /etc/hosts file so we can connect by hostname. The command below will do that if you used the same ip address I used earlier. -[source,C] ---- # cat << END >> /etc/hosts 192.168.122.10 guest1 END ---- -We will use the +VirtualDomain+ resource agent for the management of the virtual machine. This agent requires the virtual machine's xml config to be dumped to a file on disk. To do this pick out the name of the virtual machine you just created from the output of this list. +We will use the *VirtualDomain* resource agent for the management of the +virtual machine. This agent requires the virtual machine's XML config to be +dumped to a file on disk. To do this, pick out the name of the virtual machine +you just created from the output of this list. -[source,C] ---- # virsh list --all Id Name State ______________________________________________ - guest1 shut off ---- In my case I named it guest1. Dump the xml to a file somewhere on the host using the following command. -[source,C] ---- # virsh dumpxml guest1 > /root/guest1.xml ---- Now just register the resource with pacemaker and you're set! -[source,C] ---- # pcs resource create vm-guest1 VirtualDomain hypervisor="qemu:///system" config="/root/guest1.xml" meta remote-node=guest1 ---- -Once the 'vm-guest1' resource is started you will see 'guest1' appear in the 'pcs status' output as a node. The final 'pcs status' output should look something like this. +Once the *vm-guest1* resource is started you will see *guest1* appear in the +`pcs status` output as a node. The final `pcs status` output should look +something like this. -[source,C] ---- Last updated: Fri Mar 15 09:30:30 2013 Last change: Thu Mar 14 17:21:35 2013 via cibadmin on example-host Stack: corosync Current DC: example-host (1795270848) - partition WITHOUT quorum Version: 1.1.10 2 Nodes configured, unknown expected votes 2 Resources configured. Online: [ example-host guest1 ] Full list of resources: vm-guest1 (ocf::heartbeat:VirtualDomain): Started example-host ---- === Starting Resources on KVM Guest === The commands below demonstrate how resources can be executed on both the remote-node and the cluster-node. Create a few Dummy resources. Dummy resources are real resource agents used just for testing purposes. They actually execute on the host they are assigned to just like an apache server or database would, except their execution just means a file was created. When the resource is stopped, that the file it created is removed. -[source,C] ---- # pcs resource create FAKE1 ocf:pacemaker:Dummy # pcs resource create FAKE2 ocf:pacemaker:Dummy # pcs resource create FAKE3 ocf:pacemaker:Dummy # pcs resource create FAKE4 ocf:pacemaker:Dummy # pcs resource create FAKE5 ocf:pacemaker:Dummy ---- -Now check your 'pcs status' output. In the resource section you should see something like the following, where some of the resources got started on the cluster-node, and some started on the remote-node. +Now check your `pcs status` output. In the resource section, you should see +something like the following, where some of the resources started on the +cluster node, and some started on the guest node. -[source,C] ---- Full list of resources: vm-guest1 (ocf::heartbeat:VirtualDomain): Started example-host FAKE1 (ocf::pacemaker:Dummy): Started guest1 FAKE2 (ocf::pacemaker:Dummy): Started guest1 FAKE3 (ocf::pacemaker:Dummy): Started example-host FAKE4 (ocf::pacemaker:Dummy): Started guest1 FAKE5 (ocf::pacemaker:Dummy): Started example-host ---- -The remote-node, 'guest1', reacts just like any other node in the cluster. For example, pick out a resource that is running on your cluster-node. For my purposes I am picking FAKE3 from the output above. We can force FAKE3 to run on 'guest1' in the exact same way we would any other node. +The guest node, *guest1*, reacts just like any other node in the cluster. For +example, pick out a resource that is running on your cluster node. For my +purposes, I am picking FAKE3 from the output above. We can force FAKE3 to run +on *guest1* in the exact same way we would any other node. -[source,C] ---- # pcs constraint FAKE3 prefers guest1 ---- -Now looking at the bottom of the 'pcs status' output you'll see FAKE3 is on 'guest1'. +Now, looking at the bottom of the `pcs status` output you'll see FAKE3 is on +*guest1*. -[source,C] ---- Full list of resources: vm-guest1 (ocf::heartbeat:VirtualDomain): Started example-host FAKE1 (ocf::pacemaker:Dummy): Started guest1 FAKE2 (ocf::pacemaker:Dummy): Started guest1 FAKE3 (ocf::pacemaker:Dummy): Started guest1 FAKE4 (ocf::pacemaker:Dummy): Started example-host FAKE5 (ocf::pacemaker:Dummy): Started example-host ---- === Testing Remote-node Recovery and Fencing === Pacemaker's policy engine is smart enough to know fencing remote-nodes associated with a virtual machine means shutting off/rebooting the virtual machine. No special configuration is necessary to make this happen. If you are interested in testing this functionality out, trying stopping the guest's pacemaker_remote daemon. This would be equivalent of abruptly terminating a cluster-node's corosync membership without properly shutting it down. ssh into the guest and run this command. -[source,C] ---- # kill -9 `pidof pacemaker_remoted` ---- -After a few seconds or so you'll see this in your 'pcs status' output. The 'guest1' node will be show as offline as it is being recovered. +After a few seconds or so, you'll see this in your `pcs status` output. The +*guest1* node will be show as offline as it is being recovered. -[source,C] ---- Last updated: Fri Mar 15 11:00:31 2013 Last change: Fri Mar 15 09:54:16 2013 via cibadmin on example-host Stack: corosync Current DC: example-host (1795270848) - partition WITHOUT quorum Version: 1.1.10 2 Nodes configured, unknown expected votes 7 Resources configured. Online: [ example-host ] OFFLINE: [ guest1 ] Full list of resources: vm-guest1 (ocf::heartbeat:VirtualDomain): Started example-host FAKE1 (ocf::pacemaker:Dummy): Stopped FAKE2 (ocf::pacemaker:Dummy): Stopped FAKE3 (ocf::pacemaker:Dummy): Stopped FAKE4 (ocf::pacemaker:Dummy): Started example-host FAKE5 (ocf::pacemaker:Dummy): Started example-host Failed actions: guest1_monitor_30000 (node=example-host, call=3, rc=7, status=complete): not running ---- -Once recovery of the guest is complete, you'll see it automatically get re-integrated into the cluster. The final 'pcs status' output should look something like this. +Once recovery of the guest is complete, you'll see it automatically get +re-integrated into the cluster. The final `pcs status` output should look +something like this. -[source,C] ---- Last updated: Fri Mar 15 11:03:17 2013 Last change: Fri Mar 15 09:54:16 2013 via cibadmin on example-host Stack: corosync Current DC: example-host (1795270848) - partition WITHOUT quorum Version: 1.1.10 2 Nodes configured, unknown expected votes 7 Resources configured. Online: [ example-host guest1 ] Full list of resources: vm-guest1 (ocf::heartbeat:VirtualDomain): Started example-host FAKE1 (ocf::pacemaker:Dummy): Started guest1 FAKE2 (ocf::pacemaker:Dummy): Started guest1 FAKE3 (ocf::pacemaker:Dummy): Started guest1 FAKE4 (ocf::pacemaker:Dummy): Started example-host FAKE5 (ocf::pacemaker:Dummy): Started example-host Failed actions: guest1_monitor_30000 (node=example-host, call=3, rc=7, status=complete): not running ---- === Accessing Cluster Tools from Remote-node === -Besides just allowing the cluster to manage resources on a remote-node, pacemaker_remote has one other trick. +The pacemaker_remote daemon allows nearly all the pacemaker tools (crm_resource, crm_mon, crm_attribute, crm_master) to work on remote nodes natively.+ +Besides allowing the cluster to manage resources on a guest node, +pacemaker_remote has one other trick. The pacemaker_remote daemon allows +nearly all the pacemaker tools (`crm_resource`, `crm_mon`, `crm_attribute`, +`crm_master`, etc.) to work on guest nodes natively. -Try it, run +crm_mon+ or +pcs status+ on the guest after pacemaker has integrated the remote-node into the cluster. These tools just work. These means resource agents such as master/slave resources which need access to tools like crm_master work seamlessly on the remote-nodes. +Try it: Run `crm_mon` or `pcs status` on the guest after pacemaker has +integrated the guest node into the cluster. These tools just work. This +means resource agents such as master/slave resources which need access to tools +like `crm_master` work seamlessly on the guest nodes. [NOTE] ====== It is possible to run `pacemaker_remote` inside an LXC container instead of a virtual machine, following a similar process. This approach is deprecated since Pacemaker now has built-in support for managing containers and services inside containers. It can still be a useful alternative however, especially in testing scenarios, to simulate a large number of guest nodes. The *pacemaker-cts* packages includes a helpful script, +/usr/share/pacemaker/tests/cts/lxc_autogen.sh+, for generating libvirt XML files for LXC containers. The configuration is otherwise very similar to guest nodes; the *VirtualDomain* resource for a container will need the options *force_stop="true" hypervisor="lxc:///"*. ====== diff --git a/doc/Pacemaker_Remote/en-US/Ch-Options.txt b/doc/Pacemaker_Remote/en-US/Ch-Options.txt index cbaccd5c88..2d1d9bf1e9 100644 --- a/doc/Pacemaker_Remote/en-US/Ch-Options.txt +++ b/doc/Pacemaker_Remote/en-US/Ch-Options.txt @@ -1,79 +1,89 @@ = Configuration Explained = The walk-through examples use some of these options, but don't explain exactly what they mean or do. This section is meant to be the go-to resource for all the options available for configuring remote-nodes. == Resource Meta-Attributes for Guest Nodes == When configuring a virtual machine to use as a guest node, these are the metadata options available to enable the resource as a guest node and define its connection parameters. .Meta-attributes for configuring VM resources as guest nodes [width="95%",cols="2m,1,4<",options="header",align="center"] |========================================================= |Option |Default |Description -|+remote-node+ -| -|The name of the remote-node this resource defines. This both enables the resource as a remote-node and defines the unique name used to identify the remote-node. If no other parameters are set, this value will also be assumed as the hostname to connect to at port 3121. +WARNING+ This value cannot overlap with any resource or node IDs. - -|+remote-port+ +|remote-node +|'none' +|The node name of the guest node this resource defines. This both enables the +resource as a guest node and defines the unique name used to identify the +guest node. If no other parameters are set, this value will also be assumed as +the hostname to use when connecting to pacemaker_remote on the VM. This value +*must not* overlap with any resource or node IDs. + +|remote-port |3121 |Configure a custom port to use for the guest connection to pacemaker_remote. -|+remote-addr+ -|+remote-node+ value used as hostname -|The ip address or hostname to connect to if remote-node's name is not the hostname of the guest. +|remote-addr +|'value of' +remote-node+ +|The IP address or hostname to use when connecting to pacemaker_remote on the VM. -|+remote-connect-timeout+ +|remote-connect-timeout |60s |How long before a pending guest connection will time out. |========================================================= == Baremetal remote-node Options == Baremetal remote-nodes are defined by a connection resource. That connection resource has the following instance attributes that define where the baremetal remote-node is located on the network and how to communicate with that remote-node. Descriptions of these options can be retrieved using the following pcs command. -[source,C] ---- # pcs resource describe remote Resource options for: ocf:pacemaker:remote server: Server location to connect to. This can be an ip address or hostname. port: tcp port to connect to. ---- -When defining a baremetal remote-node's connection resource, it is common and recommended to name the connection resource the same name as the baremeatal remote-node's hostname. By default, if no "server" option is provided, the cluster will attempt to contact the remote-node using the resource name as the hostname. +When defining a remote node's connection resource, it is common and recommended +to name the connection resource the same as the remote node's hostname. By +default, if no *server* option is provided, the cluster will attempt to contact +the remote node using the resource name as the hostname. -Example, defining a baremetal remote-node with the hostname "remote1" -[source,C] +Example defining a remote node with the hostname *remote1*: ---- # pcs resource create remote1 remote ---- Example, defining a baremetal remote-node to connect to a specific ip and port. -[source,C] ---- # pcs resource create remote1 remote server=192.168.122.200 port=8938 ---- == Host and Guest Authentication == -Authentication and encryption of the connection between cluster-nodes (pacemaker) to remote-nodes (pacemaker_remote) is achieved using TLS with PSK encryption/authentication on +tcp port 3121+. This means both the cluster-node and remote-node must share the same private key. By default this +key must be placed at "/etc/pacemaker/authkey" on both cluster-nodes and remote-nodes+. +Authentication and encryption of the connection between cluster nodes +and nodes running pacemaker_remote is achieved using +with https://en.wikipedia.org/wiki/TLS-PSK[TLS-PSK] encryption/authentication +over TCP (port 3121 by default). This means that both the cluster node and +remote node must share the same private key. By default, this +key is placed at +/etc/pacemaker/authkey+ on each node. == Pacemaker and pacemaker_remote Options == -If you need to change the default port or authkey location for either pacemaker or pacemaker_remote, there are environment variables you can set that affect both of those daemons. These environment variables can be enabled by placing them in the /etc/sysconfig/pacemaker file. -[source,C] +You can change the default port and/or key location for Pacemaker and +pacemaker_remote via environment variables. These environment variables can be +enabled by placing them in the +/etc/sysconfig/pacemaker+ file. ---- #==#==# Pacemaker Remote # Use a custom directory for finding the authkey. PCMK_authkey_location=/etc/pacemaker/authkey # # Specify a custom port for Pacemaker Remote connections PCMK_remote_port=3121 ----