[Bug 1439649] Re: Pacemaker unable to communicate with corosync on restart under lxc

Billy Olsen billy.olsen at canonical.com
Fri Sep 4 18:13:40 UTC 2015


Serge,

I did double check that the pacemaker processes were running under
hacluster/haclient uid/gid. I will double check for my own sanity (I may
have seen one running as root). However, according to the pacemaker docs
that I referenced above, root and hacluster users should always have
full access (which is somewhat in conflict with the INSTALL file you
reference):

> Users are regular UNIX users, so the same user accounts must be present on all nodes in the cluster.
>
> All user accounts must be in the haclient group.
> 
> Pacemaker 1.1.5 or newer must be installed on all cluster nodes.
> 
> The CIB must be configured to use the pacemaker-1.1 or 1.2 schema. This can be set by running:
> 
> cibadmin --modify --xml-text '<cib validate-with="pacemaker-1.1"/>'
>
> The enable-acl option must be set. If ACLs are not explicitly enabled, the previous behaviour will be used (i.e. all users in the haclient group have full access):
>
> crm configure property enable-acl=true
>
> Once this is done, ACLs can be configured as described below.
>
> Note that the root and hacluster users will always have full access.
>
> If nonprivileged users will be using the crm shell and CLI tools (as opposed to only using Hawk or the Python GUI) they will need to have /usr/sbin added to their path.

If it were a necessity to add the ACL entry, then I would have expected
that the hacluster charm code would always have needed this requirement
and pacemaker should have always denied access. Additionally, since the
charm has done no configuration of the ACLs, I would expect all nodes to
get denied or allowed the same. Instead, what has been observed is that
*some* of the nodes in the cluster have the pacemaker process
successfully communicate with the corosync process, while others get
this invalid credentials error that is seen.

I've already proposed a change (which has been merged into the /next
branches of the hacluster charm) which incorporates JuanJo's comments
(thank you JuanJo!) by explicitly defining the ACL entry, but I would
like to better understand why the behavior is inconsistent.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1439649

Title:
  Pacemaker unable to communicate with corosync on restart under lxc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1439649/+subscriptions


