Anvil! Tutorial 3 on EL6
| Alteeve Wiki :: How To :: Anvil! Tutorial 3 on EL6 | 
This is the third Anvil! tutorial built on Red Hat's Enterprise Linux 6.5 and newer. It is meant to be a stop-gap / learning cluster before RHEL 7 is released and stabilized.
Before We Begin
This tutorial does not require prior Anvil! experience (or any clustering experience), but it does expect a certain familiarity with Linux and a low-intermediate understanding of networking. Where possible, steps are explained in detail and rationale is provided for why certain decisions are made.
For those with Anvil! experience;
Please be careful not to skip too much. There are some major and some subtle changes from previous tutorials.
OS Setup
|  | Warning: RHEL v6.5 or newer is required. | 
Post OS Install
Stuff.
If you're using RHEL proper, register your nodes with RHN.
|  | Note: You need to replace $user and $pass with your RHN account details. | 
| an-a04n01 | rhnreg_ks --username "$user" --password "$pass" --force --profilename "an-a04n01.alteeve.ca"
rhn-channel --add --user "$user" --password "$pass" --channel=rhel-x86_64-server-rs-6
 | 
|---|---|
| an-a04n02 | rhnreg_ks --username "$user" --password "$pass" --force --profilename "an-a04n02.alteeve.ca"
rhn-channel --add --user "$user" --password "$pass" --channel=rhel-x86_64-server-rs-6
 | 
Adding AN! Repo
AN! offers a new repo with a few RPMs not in stock EL 6 distros.
| an-a04n01 | an-a04n02 | 
|---|---|
| vi /etc/yum.repos.d/an.repo
[an-repo]
name=AN! Repo for Anvil! stuff
baseurl=https://alteeve.ca/repo/el6/
enabled=1
gpgcheck=0
protect=1
yum clean all
 | vi /etc/yum.repos.d/an.repo
[an-repo]
name=AN! Repo for Anvil! stuff
baseurl=https://alteeve.ca/repo/el6/
enabled=1
gpgcheck=0
protect=1
yum clean all
 | 
Done.
Install
Not all of these are required, but most are used at one point or another in this tutorial.
|  | Note: The fence-agents-virsh package is not available in RHEL 7 beta. Further, it's only needed if you're building your Anvil! using VMs. | 
| an-a04n01 | an-a04n02 | 
|---|---|
| yum -y update
yum -y install bridge-utils vim pacemaker corosync cman gfs2-utils \
               gfs2-cluster ccs pcs
 | yum -y update
yum -y install bridge-utils vim pacemaker corosync cman gfs2-utils \
               gfs2-cluster ccs pcs
 | 
Setup Networking
TODO: Explain this.
Remap all NICs to have purpose-based names.
- IFN Bridge
| an-a04n01 | an-a04n02 | 
|---|---|
| vim /etc/sysconfig/network-scripts/ifcfg-ifn-bridge1
# Internet-Facing Network - Bridge
DEVICE="ifn-bridge1"
TYPE="Bridge"
BOOTPROTO="none"
IPADDR="10.255.40.1"
NETMASK="255.255.0.0"
GATEWAY="10.255.255.254"
DNS1="8.8.8.8"
DNS2="8.8.4.4"
DEFROUTE="yes"
 | vim /etc/sysconfig/network-scripts/ifcfg-ifn-bridge1
# Internet-Facing Network - Bridge
DEVICE="ifn-bridge1"
TYPE="Bridge"
BOOTPROTO="none"
IPADDR="10.255.40.2"
NETMASK="255.255.0.0"
GATEWAY="10.255.255.254"
DNS1="8.8.8.8"
DNS2="8.8.4.4"
DEFROUTE="yes"
 | 
- IFN Bond
| an-a04n01 | vim /etc/sysconfig/network-scripts/ifcfg-ifn-bond1
# Internet-Facing Network - Bond
DEVICE="ifn-bond1"
BRIDGE="ifn-bridge1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
BONDING_OPTS="mode=1 miimon=100 use_carrier=1 updelay=120000 downdelay=0 primary=ifn-link1"
 | 
|---|---|
| an-a04n02 | vim /etc/sysconfig/network-scripts/ifcfg-ifn-bond1
# Internet-Facing Network - Bond
DEVICE="ifn-bond1"
BRIDGE="ifn-bridge1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
BONDING_OPTS="mode=1 miimon=100 use_carrier=1 updelay=120000 downdelay=0 primary=ifn-link1"
 | 
- IFN Links
| an-a04n01 | an-a04n02 | 
|---|---|
| vim /etc/sysconfig/network-scripts/ifcfg-ifn-link1
# Internet-Facing Network - Link 1
HWADDR="00:1B:21:81:C3:34"
DEVICE="ifn-link1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="ifn-bond1"
SLAVE="yes"
vim /etc/sysconfig/network-scripts/ifcfg-ifn-link2
# Internet-Facing Network - Link 2
HWADDR="A0:36:9F:02:E0:05"
DEVICE="ifn-link2"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="ifn-bond1"
SLAVE="yes"
 | vim /etc/sysconfig/network-scripts/ifcfg-ifn-link1
# Internet-Facing Network - Link 1
HWADDR="00:1B:21:81:C2:EA"
DEVICE="ifn-link1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="ifn-bond1"
SLAVE="yes"
vim /etc/sysconfig/network-scripts/ifcfg-ifn-link2
# Internet-Facing Network - Link 2
HWADDR="A0:36:9F:07:D6:2F"
DEVICE="ifn-link2"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="ifn-bond1"
SLAVE="yes"
 | 
- SN Bond
| an-a04n01 | vim /etc/sysconfig/network-scripts/ifcfg-sn-bond1
# Storage Network - Bond
DEVICE="sn-bond1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
BONDING_OPTS="mode=1 miimon=100 use_carrier=1 updelay=120000 downdelay=0 primary=sn-link1"
IPADDR="10.10.40.1"
NETMASK="255.255.0.0"
 | 
|---|---|
| an-a04n02 | vim /etc/sysconfig/network-scripts/ifcfg-sn-bond1
# Storage Network - Bond
DEVICE="sn-bond1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
BONDING_OPTS="mode=1 miimon=100 use_carrier=1 updelay=120000 downdelay=0 primary=sn-link1"
IPADDR="10.10.40.2"
NETMASK="255.255.0.0"
 | 
- SN Links
| an-a04n01 | an-a04n02 | 
|---|---|
| vim /etc/sysconfig/network-scripts/ifcfg-sn-link1
# Storage Network - Link 1
HWADDR="00:19:99:9C:9B:9F"
DEVICE="sn-link1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="sn-bond1"
SLAVE="yes"
vim /etc/sysconfig/network-scripts/ifcfg-sn-link2
# Storage Network - Link 2
HWADDR="A0:36:9F:02:E0:04"
DEVICE="sn-link2"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="sn-bond1"
SLAVE="yes"
 | vim /etc/sysconfig/network-scripts/ifcfg-sn-link1
# Storage Network - Link 1
HWADDR="00:19:99:9C:A0:6D"
DEVICE="sn-link1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="sn-bond1"
SLAVE="yes"
vim /etc/sysconfig/network-scripts/ifcfg-sn-link2
# Storage Network - Link 2
HWADDR="A0:36:9F:07:D6:2E"
DEVICE="sn-link2"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="sn-bond1"
SLAVE="yes"
 | 
- BCN Bond
| an-a04n01 | vim /etc/sysconfig/network-scripts/ifcfg-bcn-bond1
# Back-Channel Network - Bond
DEVICE="bcn-bond1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
BONDING_OPTS="mode=1 miimon=100 use_carrier=1 updelay=120000 downdelay=0 primary=bcn-link1"
IPADDR="10.20.40.1"
NETMASK="255.255.0.0"
 | 
|---|---|
| an-a04n02 | vim /etc/sysconfig/network-scripts/ifcfg-bcn-bond1
# Back-Channel Network - Bond
DEVICE="bcn-bond1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
BONDING_OPTS="mode=1 miimon=100 use_carrier=1 updelay=120000 downdelay=0 primary=bcn-link1"
IPADDR="10.20.40.2"
NETMASK="255.255.0.0"
 | 
- BCN Links
| an-a04n01 | an-a04n02 | 
|---|---|
| vim /etc/sysconfig/network-scripts/ifcfg-bcn-link1
# Back-Channel Network - Link 1
HWADDR="00:19:99:9C:9B:9E"
DEVICE="bcn-link1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="bcn-bond1"
SLAVE="yes"
vim /etc/sysconfig/network-scripts/ifcfg-bcn-link2
# Back-Channel Network - Link 2
HWADDR="00:1B:21:81:C3:35"
DEVICE="bcn-link2"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="bcn-bond1"
SLAVE="yes"
 | vim /etc/sysconfig/network-scripts/ifcfg-bcn-link1
# Back-Channel Network - Link 1
HWADDR="00:19:99:9C:A0:6C"
DEVICE="bcn-link1"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="bcn-bond1"
SLAVE="yes"
vim /etc/sysconfig/network-scripts/ifcfg-bcn-link2
# Back-Channel Network - Link 2
HWADDR="00:1B:21:81:C2:EB"
DEVICE="bcn-link2"
NM_CONTROLLED="no"
BOOTPROTO="none"
ONBOOT="yes"
MASTER="bcn-bond1"
SLAVE="yes"
 | 
Making ssh faster when the net is down
By default, the nodes will try to resolve the host name of an incoming ssh connection. When the internet connection is down, DNS lookups have to time out, which can make login times quite slow. When something goes wrong, seconds count and waiting for up to a minute for an SSH password prompt can be maddening.
For this reason, we will make two changes to /etc/ssh/sshd_config that disable this login delay.
Please be aware that this can reduce security. If this is a concern, skip this step.
| an-a04n01 | sed -i.anvil 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
systemctl restart sshd.service
diff -u /etc/ssh/sshd_config.anvil /etc/ssh/sshd_config
--- /etc/ssh/sshd_config.anvil	2013-09-30 03:08:17.000000000 -0400
+++ /etc/ssh/sshd_config	2014-05-28 00:35:30.954000741 -0400
@@ -77,8 +77,8 @@
 #KerberosUseKuserok yes
 
 # GSSAPI options
-#GSSAPIAuthentication no
-GSSAPIAuthentication yes
+GSSAPIAuthentication no
+#GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
 GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
@@ -119,7 +119,7 @@
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #ShowPatchLevel no
-#UseDNS yes
+UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 | 
|---|---|
| an-a04n02 | sed -i.anvil 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
systemctl restart sshd.service
diff -u /etc/ssh/sshd_config.anvil /etc/ssh/sshd_config
--- /etc/ssh/sshd_config.anvil	2013-09-30 03:08:17.000000000 -0400
+++ /etc/ssh/sshd_config	2014-05-28 00:35:33.016999110 -0400
@@ -77,8 +77,8 @@
 #KerberosUseKuserok yes
 
 # GSSAPI options
-#GSSAPIAuthentication no
-GSSAPIAuthentication yes
+GSSAPIAuthentication no
+#GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
 GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
@@ -119,7 +119,7 @@
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #ShowPatchLevel no
-#UseDNS yes
+UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 | 
Subsequent logins when the net is down should be quick.
Setting the Hostname
TODO
Setup The hosts File
You can use DNS if you prefer. For now, lets use /etc/hosts for node name resolution.
| an-a04n01 | vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
### Anvil! systems
# Anvil! 03, Node 01
10.20.40.1	an-a04n01.bcn an-a04n01 an-a04n01.alteeve.ca
10.20.41.1	an-a04n01.ipmi
10.10.40.1	an-a04n01.sn
10.255.40.1	an-a04n01.ifn
# Anvil! 03, Node 02
10.20.40.2	an-a04n02.bcn an-a04n02 an-a04n02.alteeve.ca
10.20.41.2	an-a04n02.ipmi
10.10.40.2	an-a04n02.sn
10.255.40.2	an-a04n02.ifn
### Foundation Pack
# Network Switches
10.20.1.1	an-s01 an-s01.alteeve.ca
10.20.1.2	an-s02 an-s02.alteeve.ca	# Only accessible when out of the stack
 
# Switched PDUs
10.20.2.1	an-p01 an-p01.alteeve.ca
10.20.2.2	an-p02 an-p02.alteeve.ca
 
# Network-monitored UPSes
10.20.3.1	an-u01 an-u01.alteeve.ca
10.20.3.2	an-u02 an-u02.alteeve.ca
 
### Monitor Packs
10.20.4.1	an-m01 an-m01.alteeve.ca
10.255.4.1	an-m01.ifn
10.20.4.2	an-m02 an-m02.alteeve.ca
10.255.4.2	an-m02.ifn
 | 
|---|---|
| an-a04n02 | vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
### Anvil! systems
# Anvil! 03, Node 01
10.20.40.1	an-a04n01.bcn an-a04n01 an-a04n01.alteeve.ca
10.20.41.1	an-a04n01.ipmi
10.10.40.1	an-a04n01.sn
10.255.40.1	an-a04n01.ifn
# Anvil! 03, Node 02
10.20.40.2	an-a04n02.bcn an-a04n02 an-a04n02.alteeve.ca
10.20.41.2	an-a04n02.ipmi
10.10.40.2	an-a04n02.sn
10.255.40.2	an-a04n02.ifn
### Foundation Pack
# Network Switches
10.20.1.1	an-s01 an-s01.alteeve.ca
10.20.1.2	an-s02 an-s02.alteeve.ca	# Only accessible when out of the stack
 
# Switched PDUs
10.20.2.1	an-p01 an-p01.alteeve.ca
10.20.2.2	an-p02 an-p02.alteeve.ca
 
# Network-monitored UPSes
10.20.3.1	an-u01 an-u01.alteeve.ca
10.20.3.2	an-u02 an-u02.alteeve.ca
 
### Monitor Packs
10.20.4.1	an-m01 an-m01.alteeve.ca
10.255.4.1	an-m01.ifn
10.20.4.2	an-m02 an-m02.alteeve.ca
10.255.4.2	an-m02.ifn
 | 
Setup SSH
Same as before.
Populating And Pushing ~/.ssh/known_hosts
| an-a04n01 | ssh-keygen -t rsa -N "" -b 8191 -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f9:41:7e:aa:96:8e:fa:47:79:f5:3a:33:89:c3:9a:4b root@an-a04n01.alteeve.ca
The key's randomart image is:
+--[ RSA 8191]----+
|                 |
|                 |
|          .      |
|         +  .    |
|        S.o...   |
|        o..+  .  |
|       .E+o. o   |
|       o+o+ *    |
|    .oo+*o . +   |
+-----------------+
 | 
|---|---|
| an-a04n01 | ssh-keygen -t rsa -N "" -b 8191 -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3f:1a:02:17:44:10:5e:6f:2b:98:44:09:e5:e0:ea:4b root@an-a04n02.alteeve.ca
The key's randomart image is:
+--[ RSA 8191]----+
|  oo==+          |
| . =.o .         |
|  . + . o        |
| . . o o .       |
|.   + o S        |
|.    o . .       |
| E    . . o      |
|. .    . o .     |
| .      .        |
+-----------------+
 | 
Setup autorized_keys:
| an-a04n01 | cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
ssh root@an-a04n02 "cat /root/.ssh/id_rsa.pub" >> ~/.ssh/authorized_keys
The authenticity of host 'an-a04n02 (10.20.40.2)' can't be established.
RSA key fingerprint is 22:09:7b:0c:8b:d8:80:08:80:6d:0e:bc:fb:5a:e1:de.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'an-a04n02,10.20.40.2' (RSA) to the list of known hosts.
root@an-a04n02's password:
 | 
|---|
Populate ~/.ssh/known_hosts:
| an-a04n01 | ssh-keyscan an-a04n01.alteeve.ca >> ~/.ssh/known_hosts
# an-a04n01.alteeve.ca SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n01 >> ~/.ssh/known_hosts
# an-a04n01 SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n01.bcn >> ~/.ssh/known_hosts
# an-a04n01.bcn SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n01.sn >> ~/.ssh/known_hosts
# an-a04n01.sn SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n01.ifn >> ~/.ssh/known_hosts
# an-a04n01.ifn SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n02.alteeve.ca >> ~/.ssh/known_hosts
# an-a04n02.alteeve.ca SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n02 >> ~/.ssh/known_hosts
# an-a04n02 SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n02.bcn >> ~/.ssh/known_hosts
# an-a04n02.bcn SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n02.sn >> ~/.ssh/known_hosts
# an-a04n02.sn SSH-2.0-OpenSSH_5.3
ssh-keyscan an-a04n02.ifn >> ~/.ssh/known_hosts
# an-a04n02.ifn SSH-2.0-OpenSSH_5.3
 | 
|---|
Now copy the files to the second node:
| an-a04n01 | rsync -av ~/.ssh/authorized_keys root@an-a04n02:/root/.ssh/
root@an-a04n02's password:
sending incremental file list
authorized_keys
sent 2937 bytes  received 31 bytes  1187.20 bytes/sec
total size is 2854  speedup is 0.96
rsync -av ~/.ssh/known_hosts root@an-a04n02:/root/.ssh/
sending incremental file list
known_hosts
sent 4829 bytes  received 31 bytes  9720.00 bytes/sec
total size is 4750  speedup is 0.98
 | 
|---|
Note that there was no password prompt the second time. Hoozah!
Configuring the Firewall
| an-a04n01 | iptables -I INPUT -m state --state NEW -m multiport -p udp -s 10.20.0.0/16 -d 10.20.0.0/16 --dports 5404,5405 -j ACCEPT
iptables -I INPUT -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport -p udp -s 10.20.0.0/16 --dports 5404,5405 -j ACCEPT
/etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
 | 
|---|---|
| an-a04n01 | iptables -I INPUT -m state --state NEW -m multiport -p udp -s 10.20.0.0/16 -d 10.20.0.0/16 --dports 5404,5405 -j ACCEPT
iptables -I INPUT -m addrtype --dst-type MULTICAST -m state --state NEW -m multiport -p udp -s 10.20.0.0/16 --dports 5404,5405 -j ACCEPT
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
 | 
Keeping Time in Sync
It's not as critical as it used to be to keep the clocks on the nodes in sync, but it's still a good idea.
| an-a04n01 | chkconfig ntpd on
/etc/init.d/ntpd start
Starting ntpd:                                             [  OK  ]
 | 
|---|---|
| an-a04n01 | chkconfig ntpd on
/etc/init.d/ntpd start
Starting ntpd:                                             [  OK  ]
 | 
Configuring the Anvil!
Now we're getting down to business!
For this section, we will be working on an-a04n01 and using ssh to perform tasks on an-a04n02.
|  | Note: TODO: explain what this is and how it works. | 
Configuring cman
With RHEL 6, we do not need to configure corosync directly. We will create a "skeleton" cluster.conf file which will, in turn, handle corosync for us. Once configured and the configuration has been copied to the peer, we will start pacemaker and it will handle starting (and stopping) pacemaker and corosync for us.
We will use 'ccs' to configure the skeleton cluster.conf file.
| an-a04n01 | ccs -f /etc/cluster/cluster.conf --createcluster an-anvil-04
ccs -f /etc/cluster/cluster.conf --setcman two_node="1" expected_votes="1"
ccs -f /etc/cluster/cluster.conf --addnode an-a04n01.alteeve.ca
ccs -f /etc/cluster/cluster.conf --addnode an-a04n02.alteeve.ca
ccs -f /etc/cluster/cluster.conf --addfencedev pcmk agent=fence_pcmk 
ccs -f /etc/cluster/cluster.conf --addmethod pcmk-redirect an-a04n01.alteeve.ca
ccs -f /etc/cluster/cluster.conf --addmethod pcmk-redirect an-a04n02.alteeve.ca
ccs -f /etc/cluster/cluster.conf --addfenceinst pcmk an-a04n01.alteeve.ca pcmk-redirect port=an-a04n01.alteeve.ca
ccs -f /etc/cluster/cluster.conf --addfenceinst pcmk an-a04n02.alteeve.ca pcmk-redirect port=an-a04n02.alteeve.ca
cat /etc/cluster/cluster.conf
<cluster config_version="9" name="an-anvil-04">
  <fence_daemon/>
  <clusternodes>
    <clusternode name="an-a04n01.alteeve.ca" nodeid="1">
      <fence>
	<method name="pcmk-redirect">
          <device name="pcmk" port="an-a04n01.alteeve.ca"/>
        </method>
      </fence>
    </clusternode>
    <clusternode name="an-a04n02.alteeve.ca" nodeid="2">
      <fence>
	<method name="pcmk-redirect">
          <device name="pcmk" port="an-a04n02.alteeve.ca"/>
        </method>
      </fence>
    </clusternode>
  </clusternodes>
  <cman expected_votes="1" two_node="1"/>
  <fencedevices>
    <fencedevice agent="fence_pcmk" name="pcmk"/>
  </fencedevices>
  <rm>
    <failoverdomains/>
    <resources/>
  </rm>
</cluster> | 
|---|
Copy it to an-a04n02;
| an-a04n01 | rsync -av /etc/cluster/cluster.conf root@an-a04n02:/etc/cluster/sending incremental file list
cluster.conf
sent 816 bytes  received 43 bytes  1718.00 bytes/sec
total size is 736  speedup is 0.86 | 
|---|---|
| an-a04n02 | cat /etc/cluster/cluster.conf<cluster config_version="9" name="an-anvil-04">
  <fence_daemon/>
  <clusternodes>
    <clusternode name="an-a04n01.alteeve.ca" nodeid="1">
      <fence>
	<method name="pcmk-redirect">
          <device name="pcmk" port="an-a04n01.alteeve.ca"/>
        </method>
      </fence>
    </clusternode>
    <clusternode name="an-a04n02.alteeve.ca" nodeid="2">
      <fence>
	<method name="pcmk-redirect">
          <device name="pcmk" port="an-a04n02.alteeve.ca"/>
        </method>
      </fence>
    </clusternode>
  </clusternodes>
  <cman expected_votes="1" two_node="1"/>
  <fencedevices>
    <fencedevice agent="fence_pcmk" name="pcmk"/>
  </fencedevices>
  <rm>
    <failoverdomains/>
    <resources/>
  </rm>
</cluster> | 
Configuring Pacemaker
Now start pacemaker proper.
| an-a04n01 | /etc/init.d/pacemaker startStarting cluster: 
   Checking if cluster has been disabled at boot...        [  OK  ]
   Checking Network Manager...                             [  OK  ]
   Global setup...                                         [  OK  ]
   Loading kernel modules...                               [  OK  ]
   Mounting configfs...                                    [  OK  ]
   Starting cman...                                        [  OK  ]
   Waiting for quorum...                                   [  OK  ]
   Starting fenced...                                      [  OK  ]
   Starting dlm_controld...                                [  OK  ]
   Tuning DLM kernel config...                             [  OK  ]
   Starting gfs_controld...                                [  OK  ]
   Unfencing self...                                       [  OK  ]
   Joining fence domain...                                 [  OK  ]
Starting Pacemaker Cluster Manager                         [  OK  ] | 
|---|---|
| an-a04n01 | /etc/init.d/pacemaker startStarting cluster: 
   Checking if cluster has been disabled at boot...        [  OK  ]
   Checking Network Manager...                             [  OK  ]
   Global setup...                                         [  OK  ]
   Loading kernel modules...                               [  OK  ]
   Mounting configfs...                                    [  OK  ]
   Starting cman...                                        [  OK  ]
   Waiting for quorum...                                   [  OK  ]
   Starting fenced...                                      [  OK  ]
   Starting dlm_controld...                                [  OK  ]
   Tuning DLM kernel config...                             [  OK  ]
   Starting gfs_controld...                                [  OK  ]
   Unfencing self...                                       [  OK  ]
   Joining fence domain...                                 [  OK  ]
Starting Pacemaker Cluster Manager                         [  OK  ] | 
Verify pacemaker proper started as expected.
| an-a04n01 | pcs statusCluster name: an-anvil-04
WARNING: no stonith devices and stonith-enabled is not false
Last updated: Wed May 28 20:59:33 2014
Last change: Wed May 28 20:59:18 2014 via crmd on an-a04n01.alteeve.ca
Stack: cman
Current DC: an-a04n01.alteeve.ca - partition with quorum
Version: 1.1.10-14.el6_5.3-368c726
2 Nodes configured
0 Resources configured
Online: [ an-a04n01.alteeve.ca an-a04n02.alteeve.ca ]
Full list of resources: | 
|---|---|
| an-a04n01 | pcs statusWARNING: no stonith devices and stonith-enabled is not false
Last updated: Wed May 28 20:59:29 2014
Last change: Wed May 28 20:59:18 2014 via crmd on an-a04n01.alteeve.ca
Stack: cman
Current DC: an-a04n01.alteeve.ca - partition with quorum
Version: 1.1.10-14.el6_5.3-368c726
2 Nodes configured
0 Resources configured
Online: [ an-a04n01.alteeve.ca an-a04n02.alteeve.ca ]
Full list of resources: | 
Note the error about stonith. We will address that momentarily.
Disabling Quorum
|  | Note: Show the math. | 
With quorum enabled, a two node cluster will lose quorum once either node fails. So we have to disable quorum.
By default, pacemaker uses quorum. You don't see this initially though;
pcs propertyCluster Properties:
 dc-version: 1.1.9-0.1318.a7966fb.git.fc18-a7966fb
 cluster-infrastructure: corosyncTo disable it, we set no-quorum-policy=ignore.
pcs property set no-quorum-policy=ignore
pcs propertyCluster Properties:
 dc-version: 1.1.9-0.1318.a7966fb.git.fc18-a7966fb
 cluster-infrastructure: corosync
 no-quorum-policy: ignoreEnabling and Configuring Fencing
We will use IPMI and PDU based fence devices for redundancy.
You can see the list of available fence agents here. You will need to find the one for your hardware fence devices.
pcs stonith listfence_alom - Fence agent for Sun ALOM
fence_apc - Fence agent for APC over telnet/ssh
fence_apc_snmp - Fence agent for APC over SNMP
fence_baytech - I/O Fencing agent for Baytech RPC switches in combination with a Cyclades Terminal
                Server
fence_bladecenter - Fence agent for IBM BladeCenter
fence_brocade - Fence agent for Brocade over telnet
fence_bullpap - I/O Fencing agent for Bull FAME architecture controlled by a PAP management console.
fence_cisco_mds - Fence agent for Cisco MDS
fence_cisco_ucs - Fence agent for Cisco UCS
fence_cpint - I/O Fencing agent for GFS on s390 and zSeries VM clusters
fence_drac - fencing agent for Dell Remote Access Card
fence_drac5 - Fence agent for Dell DRAC CMC/5
fence_eaton_snmp - Fence agent for Eaton over SNMP
fence_egenera - I/O Fencing agent for the Egenera BladeFrame
fence_eps - Fence agent for ePowerSwitch
fence_hpblade - Fence agent for HP BladeSystem
fence_ibmblade - Fence agent for IBM BladeCenter over SNMP
fence_idrac - Fence agent for IPMI over LAN
fence_ifmib - Fence agent for IF MIB
fence_ilo - Fence agent for HP iLO
fence_ilo2 - Fence agent for HP iLO
fence_ilo3 - Fence agent for IPMI over LAN
fence_ilo_mp - Fence agent for HP iLO MP
fence_imm - Fence agent for IPMI over LAN
fence_intelmodular - Fence agent for Intel Modular
fence_ipdu - Fence agent for iPDU over SNMP
fence_ipmilan - Fence agent for IPMI over LAN
fence_kdump - Fence agent for use with kdump
fence_ldom - Fence agent for Sun LDOM
fence_lpar - Fence agent for IBM LPAR
fence_mcdata - I/O Fencing agent for McData FC switches
fence_rackswitch - fence_rackswitch - I/O Fencing agent for RackSaver RackSwitch
fence_rhevm - Fence agent for RHEV-M REST API
fence_rsa - Fence agent for IBM RSA
fence_rsb - I/O Fencing agent for Fujitsu-Siemens RSB
fence_sanbox2 - Fence agent for QLogic SANBox2 FC switches
fence_scsi - fence agent for SCSI-3 persistent reservations
fence_virsh - Fence agent for virsh
fence_vixel - I/O Fencing agent for Vixel FC switches
fence_vmware - Fence agent for VMWare
fence_vmware_soap - Fence agent for VMWare over SOAP API
fence_wti - Fence agent for WTI
fence_xcat - I/O Fencing agent for xcat environments
fence_xenapi - XenAPI based fencing for the Citrix XenServer virtual machines.
fence_zvm - I/O Fencing agent for GFS on s390 and zSeries VM clustersWe will use fence_ipmilan and fence_apc_snmp.
Configuring IPMI Fencing
Every fence agent has a possibly unique subset of options that can be used. You can see a brief description of these options with the pcs stonith describe fence_X command. Let's look at the options available for fence_ipmilan.
pcs stonith describe fence_ipmilanStonith options for: fence_ipmilan
  auth: IPMI Lan Auth type (md5, password, or none)
  ipaddr: IPMI Lan IP to talk to
  passwd: Password (if required) to control power on IPMI device
  passwd_script: Script to retrieve password (if required)
  lanplus: Use Lanplus
  login: Username/Login (if required) to control power on IPMI device
  action: Operation to perform. Valid operations: on, off, reboot, status, list, diag, monitor or metadata
  timeout: Timeout (sec) for IPMI operation
  cipher: Ciphersuite to use (same as ipmitool -C parameter)
  method: Method to fence (onoff or cycle)
  power_wait: Wait X seconds after on/off operation
  delay: Wait X seconds before fencing is started
  privlvl: Privilege level on IPMI device
  verbose: Verbose modeOne of the nice things about pcs is that it allows us to create a test file to prepare all our changes in. Then, when we're happy with the changes, merge them into the running cluster. So let's make a copy called stonith_cfg
pcs cluster cib stonith_cfgNow add IPMI fencing.
#                  unique name    fence agent   target node                           device addr             options
pcs stonith create fence_n01_ipmi fence_ipmilan pcmk_host_list="an-a03n01.alteeve.ca" ipaddr="an-a03n01.ipmi" action="reboot" login="admin" passwd="secret" delay=15 op monitor interval=60s
pcs stonith create fence_n02_ipmi fence_ipmilan pcmk_host_list="an-a03n02.alteeve.ca" ipaddr="an-a03n02.ipmi" action="reboot" login="admin" passwd="secret" op monitor interval=60sNote that fence_n01_ipmi has a delay=15 set but fence_n02_ipmi does not. If the network connection breaks between the two nodes, they will both try to fence each other at the same time. If acpid is running, the slower node will not die right away. It will continue to run for up to four more seconds, ample time for it to also initiate a fence against the faster node. The end result is that both nodes get fenced. The ten-second delay protects against this by causing an-a03n02 to pause for 10 seconds before initiating a fence against an-a03n01. If both nodes are alive, an-a03n02 will power off before the 10 seconds pass, so it will never fence an-a03n01. However, if an-a03n01 really is dead, after the ten seconds have elapsed, fencing will proceed as normal.
Next, add the PDU fencing. This requires distinct "off" and "on" actions for each outlet on each PDU. With two nodes, each with two PSUs, this translates to eight commands. The "off" commands will be monitored to alert us if the PDU fails for some reason. There is no reason to monitor the "on" actions (it would be redundant). Note also that we don't bother using a "delay". The IPMI fence method will go first, before the PDU actions, so the PDU is already delayed.
# Node 1 - off
pcs stonith create fence_n01_pdu1_off fence_apc_snmp pcmk_host_list="an-a03n01.alteeve.ca" ipaddr="an-p01" action="off" port="1" op monitor interval="60s"
pcs stonith create fence_n01_pdu2_off fence_apc_snmp pcmk_host_list="an-a03n01.alteeve.ca" ipaddr="an-p02" action="off" port="1" power_wait="5" op monitor interval="60s"
# Node 1 - on
pcs stonith create fence_n01_pdu1_on fence_apc_snmp pcmk_host_list="an-a03n01.alteeve.ca" ipaddr="an-p01" action="on" port="1"
pcs stonith create fence_n01_pdu2_on fence_apc_snmp pcmk_host_list="an-a03n01.alteeve.ca" ipaddr="an-p02" action="on" port="1"
# Node 2 - off
pcs stonith create fence_n02_pdu1_off fence_apc_snmp pcmk_host_list="an-a03n02.alteeve.ca" ipaddr="an-p01" action="off" port="2" op monitor interval="60s"
pcs stonith create fence_n02_pdu2_off fence_apc_snmp pcmk_host_list="an-a03n02.alteeve.ca" ipaddr="an-p02" action="off" port="2" power_wait="5" op monitor interval="60s"
# Node 2 - on
pcs stonith create fence_n02_pdu1_on fence_apc_snmp pcmk_host_list="an-a03n02.alteeve.ca" ipaddr="an-p01" action="on" port="2"
pcs stonith create fence_n02_pdu2_on fence_apc_snmp pcmk_host_list="an-a03n02.alteeve.ca" ipaddr="an-p02" action="on" port="2"We can check the new configuration now;
pcs statusCluster name: an-cluster-03
Last updated: Tue Jul  2 16:41:55 2013
Last change: Tue Jul  2 16:41:44 2013 via cibadmin on an-a03n01.alteeve.ca
Stack: corosync
Current DC: an-a03n01.alteeve.ca (1) - partition with quorum
Version: 1.1.9-3.fc19-781a388
2 Nodes configured, unknown expected votes
10 Resources configured.
Online: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
Full list of resources:
 fence_n01_ipmi	(stonith:fence_ipmilan):	Started an-a03n01.alteeve.ca 
 fence_n02_ipmi	(stonith:fence_ipmilan):	Started an-a03n02.alteeve.ca 
 fence_n01_pdu1_off	(stonith:fence_apc_snmp):	Started an-a03n01.alteeve.ca 
 fence_n01_pdu2_off	(stonith:fence_apc_snmp):	Started an-a03n02.alteeve.ca 
 fence_n02_pdu1_off	(stonith:fence_apc_snmp):	Started an-a03n01.alteeve.ca 
 fence_n02_pdu2_off	(stonith:fence_apc_snmp):	Started an-a03n02.alteeve.ca 
 fence_n01_pdu1_on	(stonith:fence_apc_snmp):	Started an-a03n01.alteeve.ca 
 fence_n01_pdu2_on	(stonith:fence_apc_snmp):	Started an-a03n02.alteeve.ca 
 fence_n02_pdu1_on	(stonith:fence_apc_snmp):	Started an-a03n01.alteeve.ca 
 fence_n02_pdu2_on	(stonith:fence_apc_snmp):	Started an-a03n02.alteeve.caBefore we proceed, we need to tell pacemaker to use fencing;
pcs property set stonith-enabled=true
pcs propertyCluster Properties:
Cluster Properties:
 cluster-infrastructure: corosync
 dc-version: 1.1.9-3.fc19-781a388
 no-quorum-policy: ignore
 stonith-enabled: trueExcellent!
Configuring Fence Levels
The goal of fence levels is to tell pacemaker that there are "fence methods" to try and to impose an order on those methods. Each method composes one or more fence primitives and, when 2 or more primitives are tied together, that all primitives must succeed for the overall method to succeed.
So in our case; the order we want is;
- IPMI -> PDUs
The reason is that when IPMI fencing succeeds, we can be very certain the node is truly fenced. When PDU fencing succeeds, it only confirms that the power outlets were cycled. If someone moved a node's power cables to another outlet, we'll get a false positive. On that topic, tie-down the node's PSU cables to the PDU's cable tray when possible, clearly label the power cables and wrap the fingers of anyone who might move them around.
The PDU fencing needs to be implemented using four steps;
- PDU 1, outlet X -> off
- PDU 2, outlet X -> off
- The power_wait="5" setting for the fence_n0X_pdu2_off primitives will cause a 5 second delay here, giving ample time to ensure the nodes lose power
 
- PDU 1, outlet X -> on
- PDU 2, outlet X -> on
This is to ensure that both outlets are off at the same time, ensuring that the node loses power. This works because fencing_topology acts serially.
Putting all this together, we issue this command;
pcs stonith level add 1 an-a03n01.alteeve.ca fence_n01_ipmi
pcs stonith level add 1 an-a03n02.alteeve.ca fence_n02_ipmiThe 1 tells pacemaker that this is our highest priority fence method. We can see that this was set using pcs;
pcs stonith level Node: an-a03n01.alteeve.ca
  Level 1 - fence_n01_ipmi
 Node: an-a03n02.alteeve.ca
  Level 1 - fence_n02_ipmiNow we'll tell pacemaker to use the PDUs as the second fence method. Here we tie together the two off calls and the two on calls into a single method.
pcs stonith level add 2 an-a03n01.alteeve.ca fence_n01_pdu1_off,fence_n01_pdu2_off,fence_n01_pdu1_on,fence_n01_pdu2_on
pcs stonith level add 2 an-a03n02.alteeve.ca fence_n02_pdu1_off,fence_n02_pdu2_off,fence_n02_pdu1_on,fence_n02_pdu2_onCheck again and we'll see that the new methods were added.
pcs stonith level Node: an-a03n01.alteeve.ca
  Level 1 - fence_n01_ipmi
  Level 2 - fence_n01_pdu1_off,fence_n01_pdu2_off,fence_n01_pdu1_on,fence_n01_pdu2_on
 Node: an-a03n02.alteeve.ca
  Level 1 - fence_n02_ipmi
  Level 2 - fence_n02_pdu1_off,fence_n02_pdu2_off,fence_n02_pdu1_on,fence_n02_pdu2_onFor those of us who are XML fans, this is what the cib looks like now:
cat /var/lib/pacemaker/cib/cib.xml<cib epoch="18" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2" cib-last-written="Thu Jul 18 13:15:53 2013" update-origin="an-a03n01.alteeve.ca" update-client="cibadmin" crm_feature_set="3.0.7" have-quorum="1" dc-uuid="1">
  <configuration>
    <crm_config>
      <cluster_property_set id="cib-bootstrap-options">
        <nvpair id="cib-bootstrap-options-dc-version" name="dc-version" value="1.1.9-dde1c52"/>
        <nvpair id="cib-bootstrap-options-cluster-infrastructure" name="cluster-infrastructure" value="corosync"/>
        <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
      </cluster_property_set>
    </crm_config>
    <nodes>
      <node id="1" uname="an-a03n01.alteeve.ca"/>
      <node id="2" uname="an-a03n02.alteeve.ca"/>
    </nodes>
    <resources>
      <primitive class="stonith" id="fence_n01_ipmi" type="fence_ipmilan">
        <instance_attributes id="fence_n01_ipmi-instance_attributes">
          <nvpair id="fence_n01_ipmi-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n01.alteeve.ca"/>
          <nvpair id="fence_n01_ipmi-instance_attributes-ipaddr" name="ipaddr" value="an-a03n01.ipmi"/>
          <nvpair id="fence_n01_ipmi-instance_attributes-action" name="action" value="reboot"/>
          <nvpair id="fence_n01_ipmi-instance_attributes-login" name="login" value="admin"/>
          <nvpair id="fence_n01_ipmi-instance_attributes-passwd" name="passwd" value="secret"/>
          <nvpair id="fence_n01_ipmi-instance_attributes-delay" name="delay" value="15"/>
        </instance_attributes>
        <operations>
          <op id="fence_n01_ipmi-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n02_ipmi" type="fence_ipmilan">
        <instance_attributes id="fence_n02_ipmi-instance_attributes">
          <nvpair id="fence_n02_ipmi-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n02.alteeve.ca"/>
          <nvpair id="fence_n02_ipmi-instance_attributes-ipaddr" name="ipaddr" value="an-a03n02.ipmi"/>
          <nvpair id="fence_n02_ipmi-instance_attributes-action" name="action" value="reboot"/>
          <nvpair id="fence_n02_ipmi-instance_attributes-login" name="login" value="admin"/>
          <nvpair id="fence_n02_ipmi-instance_attributes-passwd" name="passwd" value="secret"/>
        </instance_attributes>
        <operations>
          <op id="fence_n02_ipmi-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n01_pdu1_off" type="fence_apc_snmp">
        <instance_attributes id="fence_n01_pdu1_off-instance_attributes">
          <nvpair id="fence_n01_pdu1_off-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n01.alteeve.ca"/>
          <nvpair id="fence_n01_pdu1_off-instance_attributes-ipaddr" name="ipaddr" value="an-p01"/>
          <nvpair id="fence_n01_pdu1_off-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_n01_pdu1_off-instance_attributes-port" name="port" value="1"/>
        </instance_attributes>
        <operations>
          <op id="fence_n01_pdu1_off-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n01_pdu2_off" type="fence_apc_snmp">
        <instance_attributes id="fence_n01_pdu2_off-instance_attributes">
          <nvpair id="fence_n01_pdu2_off-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n01.alteeve.ca"/>
          <nvpair id="fence_n01_pdu2_off-instance_attributes-ipaddr" name="ipaddr" value="an-p02"/>
          <nvpair id="fence_n01_pdu2_off-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_n01_pdu2_off-instance_attributes-port" name="port" value="1"/>
          <nvpair id="fence_n01_pdu2_off-instance_attributes-power_wait" name="power_wait" value="5"/>
        </instance_attributes>
        <operations>
          <op id="fence_n01_pdu2_off-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n01_pdu1_on" type="fence_apc_snmp">
        <instance_attributes id="fence_n01_pdu1_on-instance_attributes">
          <nvpair id="fence_n01_pdu1_on-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n01.alteeve.ca"/>
          <nvpair id="fence_n01_pdu1_on-instance_attributes-ipaddr" name="ipaddr" value="an-p01"/>
          <nvpair id="fence_n01_pdu1_on-instance_attributes-action" name="action" value="on"/>
          <nvpair id="fence_n01_pdu1_on-instance_attributes-port" name="port" value="1"/>
        </instance_attributes>
        <operations>
          <op id="fence_n01_pdu1_on-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n01_pdu2_on" type="fence_apc_snmp">
        <instance_attributes id="fence_n01_pdu2_on-instance_attributes">
          <nvpair id="fence_n01_pdu2_on-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n01.alteeve.ca"/>
          <nvpair id="fence_n01_pdu2_on-instance_attributes-ipaddr" name="ipaddr" value="an-p02"/>
          <nvpair id="fence_n01_pdu2_on-instance_attributes-action" name="action" value="on"/>
          <nvpair id="fence_n01_pdu2_on-instance_attributes-port" name="port" value="1"/>
        </instance_attributes>
        <operations>
          <op id="fence_n01_pdu2_on-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n02_pdu1_off" type="fence_apc_snmp">
        <instance_attributes id="fence_n02_pdu1_off-instance_attributes">
          <nvpair id="fence_n02_pdu1_off-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n02.alteeve.ca"/>
          <nvpair id="fence_n02_pdu1_off-instance_attributes-ipaddr" name="ipaddr" value="an-p01"/>
          <nvpair id="fence_n02_pdu1_off-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_n02_pdu1_off-instance_attributes-port" name="port" value="2"/>
        </instance_attributes>
        <operations>
          <op id="fence_n02_pdu1_off-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n02_pdu2_off" type="fence_apc_snmp">
        <instance_attributes id="fence_n02_pdu2_off-instance_attributes">
          <nvpair id="fence_n02_pdu2_off-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n02.alteeve.ca"/>
          <nvpair id="fence_n02_pdu2_off-instance_attributes-ipaddr" name="ipaddr" value="an-p02"/>
          <nvpair id="fence_n02_pdu2_off-instance_attributes-action" name="action" value="off"/>
          <nvpair id="fence_n02_pdu2_off-instance_attributes-port" name="port" value="2"/>
          <nvpair id="fence_n02_pdu2_off-instance_attributes-power_wait" name="power_wait" value="5"/>
        </instance_attributes>
        <operations>
          <op id="fence_n02_pdu2_off-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n02_pdu1_on" type="fence_apc_snmp">
        <instance_attributes id="fence_n02_pdu1_on-instance_attributes">
          <nvpair id="fence_n02_pdu1_on-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n02.alteeve.ca"/>
          <nvpair id="fence_n02_pdu1_on-instance_attributes-ipaddr" name="ipaddr" value="an-p01"/>
          <nvpair id="fence_n02_pdu1_on-instance_attributes-action" name="action" value="on"/>
          <nvpair id="fence_n02_pdu1_on-instance_attributes-port" name="port" value="2"/>
        </instance_attributes>
        <operations>
          <op id="fence_n02_pdu1_on-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
      <primitive class="stonith" id="fence_n02_pdu2_on" type="fence_apc_snmp">
        <instance_attributes id="fence_n02_pdu2_on-instance_attributes">
          <nvpair id="fence_n02_pdu2_on-instance_attributes-pcmk_host_list" name="pcmk_host_list" value="an-a03n02.alteeve.ca"/>
          <nvpair id="fence_n02_pdu2_on-instance_attributes-ipaddr" name="ipaddr" value="an-p02"/>
          <nvpair id="fence_n02_pdu2_on-instance_attributes-action" name="action" value="on"/>
          <nvpair id="fence_n02_pdu2_on-instance_attributes-port" name="port" value="2"/>
        </instance_attributes>
        <operations>
          <op id="fence_n02_pdu2_on-monitor-interval-60s" interval="60s" name="monitor"/>
        </operations>
      </primitive>
    </resources>
    <constraints/>
    <fencing-topology>
      <fencing-level devices="fence_n01_ipmi" id="fl-an-a03n01.alteeve.ca-1" index="1" target="an-a03n01.alteeve.ca"/>
      <fencing-level devices="fence_n02_ipmi" id="fl-an-a03n02.alteeve.ca-1" index="1" target="an-a03n02.alteeve.ca"/>
      <fencing-level devices="fence_n01_pdu1_off,fence_n01_pdu2_off,fence_n01_pdu1_on,fence_n01_pdu2_on" id="fl-an-a03n01.alteeve.ca-2" index="2" target="an-a03n01.alteeve.ca"/>
      <fencing-level devices="fence_n02_pdu1_off,fence_n02_pdu2_off,fence_n02_pdu1_on,fence_n02_pdu2_on" id="fl-an-a03n02.alteeve.ca-2" index="2" target="an-a03n02.alteeve.ca"/>
    </fencing-topology>
  </configuration>
</cib>Fencing using fence_virsh
|  | Note: To write this section, I used two virtual machines called pcmk1 and pcmk2. | 
If you are trying to learn fencing using KVM or Xen virtual machines, you can use the fence_virsh. You can also use fence_virtd, which is actually recommended by many, but I have found it to be rather unreliable.
To use fence_virsh, first install it.
yum -y install fence-agents-virsh<lots of yum output>Now test it from the command line. To do this, we need to know a few things;
- The VM host is at IP 192.168.122.1
- The username and password (-l and -p respectively) are the credentials used to log into VM host over SSH.
- If you don't want your password to be shown, create a little shell script that simply prints your password and then use -S /path/to/script instead of -p "secret".
 
- The name of the target VM, as shown by virsh list --all on the host, is the node (-n) value. For me, the nodes are called an-a03n01 and an-a03n02.
Create the Password Script
In my case, the host is called 'lemass', so I want to create a password script called '/root/lemass.pw'. The name of the script is entirely up to you.
| an-a03n01 | vim /root/lemass.pwecho "my secret password"chmod 755 /root/lemass.pw
/root/lemass.pwmy secret passwordrsync -av /root/lemass.pw root@an-a03n02:/root/sending incremental file list
lemass.pw
sent 102 bytes  received 31 bytes  266.00 bytes/sec
total size is 25  speedup is 0.19 | 
|---|---|
| an-a03n02 | /root/lemass.pwmy secret password | 
Done.
Test fence_virsh Status from the Command Line
| an-a03n01 | fence_virsh -a 192.168.122.1 -l root -S /root/lemass.pw -n an-a03n02 -o statusStatus: ON | 
|---|---|
| an-a03n02 | fence_virsh -a 192.168.122.1 -l root -S /root/lemass.pw -n an-a03n01 -o statusStatus: ON | 
Excellent! Now to configure it in pacemaker;
| an-a03n01 | pcs stonith create fence_n01_virsh fence_virsh pcmk_host_list="an-a03n01.alteeve.ca" ipaddr="192.168.122.1" action="reboot" login="root" passwd_script="/root/lemass.pw" port="an-a03n01" delay=15 op monitor interval=60s
pcs stonith create fence_n02_virsh fence_virsh pcmk_host_list="an-a03n02.alteeve.ca" ipaddr="192.168.122.1" action="reboot" login="root" passwd_script="/root/lemass.pw" port="an-a03n02" op monitor interval=60s
pcs cluster statusCluster Status:
 Last updated: Sun Jan 26 15:45:31 2014
 Last change: Sun Jan 26 15:06:14 2014 via crmd on an-a03n01.alteeve.ca
 Stack: corosync
 Current DC: an-a03n02.alteeve.ca (2) - partition with quorum
 Version: 1.1.10-19.el7-368c726
 2 Nodes configured
 2 Resources configured
PCSD Status:
an-a03n01.alteeve.ca: 
  an-a03n01.alteeve.ca: Online
an-a03n02.alteeve.ca: 
  an-a03n02.alteeve.ca: Online | 
|---|
Test Fencing
ToDo: Kill each node with echo c > /proc/sysrq-trigger and make sure the other node fences it.
DRBD
We will use DRBD 8.4.
Install DRBD 8.4.4 from AN!
|  | Warning: this doesn't work. | 
ToDo: Make a proper repo
| an-a03n01 | rpm -Uvh https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-8.4.4-4.el7.x86_64.rpm \
         https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-bash-completion-8.4.4-4.el7.x86_64.rpm \
         https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-pacemaker-8.4.4-4.el7.x86_64.rpm \
         https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-udev-8.4.4-4.el7.x86_64.rpm \
         https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-utils-8.4.4-4.el7.x86_64.rpm \
         https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-heartbeat-8.4.4-4.el7.x86_64.rpm \
         https://alteeve.ca/files/AN-Cluster_Tutorial_3/drbd84/drbd-xen-8.4.4-4.el7.x86_64.rpm | 
|---|---|
| an-a03n02 | 
Install DRBD 8.4.4 From Source
At this time, no EPEL repo exists for RHEL7, and the Fedora RPMs don't work, so we will install DRBD 8.4.4 from source.
Install dependencies:
yum -y install gcc flex rpm-build wget kernel-devel
wget -c http://oss.linbit.com/drbd/8.4/drbd-8.4.4.tar.gz
tar -xvzf drbd-8.4.4.tar.gz 
cd drbd-8.4.4
./configure \
  --prefix=/usr \
  --localstatedir=/var \
  --sysconfdir=/etc \
  --with-km \
  --with-udev \
  --with-pacemaker \
  --with-bashcompletion \
  --with-utils \
  --without-xen \
  --without-rgmanager \
  --without-heartbeat
make
make installDon't let DRBD start on boot (pacemaker will handle it for us).
systemctl disable drbd.servicedrbd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig drbd offDone.
Optional; Make RPMs
|  | Warning: I've not been able to get the RPMs genreated here to install yet. I'd recommend skipping this, unless you want to help sort out the problems. :) | 
After ./configure above, you can make RPMs instead of installing directly.
Dependencies:
yum install rpmdevtools redhat-rpm-config kernel-devel<install text>Setup RPM dev tree:
cd ~
rpmdev-setuptree
ls -lah ~/rpmbuild/
wget -c http://oss.linbit.com/drbd/8.4/drbd-8.4.4.tar.gz
tar -xvzf drbd-8.4.4.tar.gz
cd drbd-8.4.4
./configure \
  --prefix=/usr \
  --localstatedir=/var \
  --sysconfdir=/etc \
  --with-km \
  --with-udev \
  --with-pacemaker \
  --with-bashcompletion \
  --with-utils \
  --without-xen \
  --without-heartbeattotal 4.0K
drwxr-xr-x. 7 root root   67 Dec 23 20:06 .
dr-xr-x---. 6 root root 4.0K Dec 23 20:06 ..
drwxr-xr-x. 2 root root    6 Dec 23 20:06 BUILD
drwxr-xr-x. 2 root root    6 Dec 23 20:06 RPMS
drwxr-xr-x. 2 root root    6 Dec 23 20:06 SOURCES
drwxr-xr-x. 2 root root    6 Dec 23 20:06 SPECS
drwxr-xr-x. 2 root root    6 Dec 23 20:06 SRPMSUserland tools:
make rpmchecking for presence of 8\.4\.4 in various changelog files
<snip>
+ exit 0
You have now:
/root/rpmbuild/RPMS/x86_64/drbd-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-utils-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-xen-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-udev-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-pacemaker-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-heartbeat-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-bash-completion-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-debuginfo-8.4.4-4.el7.x86_64.rpmKernel module:
make kmp-rpmchecking for presence of 8\.4\.4 in various changelog files
<snip>
+ exit 0
You have now:
/root/rpmbuild/RPMS/x86_64/drbd-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-utils-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-xen-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-udev-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-pacemaker-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-heartbeat-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-bash-completion-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-debuginfo-8.4.4-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/kmod-drbd-8.4.4_3.10.0_54.0.1-4.el7.x86_64.rpm
/root/rpmbuild/RPMS/x86_64/drbd-kernel-debuginfo-8.4.4-4.el7.x86_64.rpmConfigure DRBD
Configure global-common.conf;
vim /etc/drbd.d/global_common.conf# These are options to set for the DRBD daemon sets the default values for
# resources.
global {
	# This tells DRBD that you allow it to report this installation to 
	# LINBIT for statistical purposes. If you have privacy concerns, set
	# this to 'no'. The default is 'ask' which will prompt you each time
	# DRBD is updated. Set to 'yes' to allow it without being prompted.
	usage-count no;
	# minor-count dialog-refresh disable-ip-verification
}
common {
	handlers {
		pri-on-incon-degr "/usr/lib/drbd/notify-pri-on-incon-degr.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
		pri-lost-after-sb "/usr/lib/drbd/notify-pri-lost-after-sb.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
		local-io-error "/usr/lib/drbd/notify-io-error.sh; /usr/lib/drbd/notify-emergency-shutdown.sh; echo o > /proc/sysrq-trigger ; halt -f";
		# split-brain "/usr/lib/drbd/notify-split-brain.sh root";
		# out-of-sync "/usr/lib/drbd/notify-out-of-sync.sh root";
		# before-resync-target "/usr/lib/drbd/snapshot-resync-target-lvm.sh -p 15 -- -c 16k";
		# after-resync-target /usr/lib/drbd/unsnapshot-resync-target-lvm.sh;
		
		# Hook into Pacemaker's fencing.
		fence-peer "/usr/lib/drbd/crm-fence-peer.sh";
	}
	startup {
		# wfc-timeout degr-wfc-timeout outdated-wfc-timeout wait-after-sb
	}
	options {
		# cpu-mask on-no-data-accessible
	}
	disk {
		# size max-bio-bvecs on-io-error fencing disk-barrier disk-flushes
		# disk-drain md-flushes resync-rate resync-after al-extents
                # c-plan-ahead c-delay-target c-fill-target c-max-rate
                # c-min-rate disk-timeout
                fencing resource-and-stonith;
	}
	net {
		# protocol timeout max-epoch-size max-buffers unplug-watermark
		# connect-int ping-int sndbuf-size rcvbuf-size ko-count
		# allow-two-primaries cram-hmac-alg shared-secret after-sb-0pri
		# after-sb-1pri after-sb-2pri always-asbp rr-conflict
		# ping-timeout data-integrity-alg tcp-cork on-congestion
		# congestion-fill congestion-extents csums-alg verify-alg
		# use-rle
		# Protocol "C" tells DRBD not to tell the operating system that
		# the write is complete until the data has reach persistent
		# storage on both nodes. This is the slowest option, but it is
		# also the only one that guarantees consistency between the
		# nodes. It is also required for dual-primary, which we will 
		# be using.
		protocol C;
		# Tell DRBD to allow dual-primary. This is needed to enable 
		# live-migration of our servers.
		allow-two-primaries yes;
		# This tells DRBD what to do in the case of a split-brain when
		# neither node was primary, when one node was primary and when
		# both nodes are primary. In our case, we'll be running
		# dual-primary, so we can not safely recover automatically. The
		# only safe option is for the nodes to disconnect from one
		# another and let a human decide which node to invalidate. Of 
		after-sb-0pri discard-zero-changes;
		after-sb-1pri discard-secondary;
		after-sb-2pri disconnect;
	}
}And now configure the first resource;
vim /etc/drbd.d/r0.res# This is the first DRBD resource. If will store the shared file systems and
# the servers designed to run on node 01.
resource r0 {
	# These options here are common to both nodes. If for some reason you
	# need to set unique values per node, you can move these to the
	# 'on <name> { ... }' section.
	
	# This sets the device name of this DRBD resouce.
	device /dev/drbd0;
	# This tells DRBD what the backing device is for this resource.
	disk /dev/sda5;
	# This controls the location of the metadata. When "internal" is used,
	# as we use here, a little space at the end of the backing devices is
	# set aside (roughly 32 MB per 1 TB of raw storage). External metadata
	# can be used to put the metadata on another partition when converting
	# existing file systems to be DRBD backed, when there is no extra space
	# available for the metadata.
	meta-disk internal;
	# NOTE: this is not required or even recommended with pacemaker. remove
	# 	this options as soon as pacemaker is setup.
	startup {
		# This tells DRBD to promote both nodes to 'primary' when this
		# resource starts. However, we will let pacemaker control this
		# so we comment it out, which tells DRBD to leave both nodes
		# as secondary when drbd starts.
		#become-primary-on both;
	}
	# NOTE: Later, make it an option in the dashboard to trigger a manual
	# 	verify and/or schedule periodic automatic runs
	net {
		# TODO: Test performance differences between sha1 and md5
		# This tells DRBD how to do a block-by-block verification of
		# the data stored on the backing devices. Any verification
		# failures will result in the effected block being marked
		# out-of-sync.
		verify-alg md5;
		# TODO: Test the performance hit of this being enabled.
		# This tells DRBD to generate a checksum for each transmitted
		# packet. If the data received data doesn't generate the same
		# sum, a retransmit request is generated. This protects against
		# otherwise-undetected errors in transmission, like 
		# bit-flipping. See:
		# http://www.drbd.org/users-guide/s-integrity-check.html
		data-integrity-alg md5;
	}
	# WARNING: Confirm that these are safe when the controller's BBU is
	#          depleted/failed and the controller enters write-through 
	#          mode.
	disk {
		# TODO: Test the real-world performance differences gained with
		#       these options.
		# This tells DRBD not to bypass the write-back caching on the
		# RAID controller. Normally, DRBD forces the data to be flushed
		# to disk, rather than allowing the write-back cachine to 
		# handle it. Normally this is dangerous, but with BBU-backed
		# caching, it is safe. The first option disables disk flushing
		# and the second disabled metadata flushes.
		disk-flushes no;
		md-flushes no;
	}
	# This sets up the resource on node 01. The name used below must be the
	# named returned by "uname -n".
	on an-a03n01.alteeve.ca {
		# This is the address and port to use for DRBD traffic on this
		# node. Multiple resources can use the same IP but the ports
		# must differ. By convention, the first resource uses 7788, the
		# second uses 7789 and so on, incrementing by one for each
		# additional resource. 
		address 10.10.30.1:7788;
	}
	on an-a03n02.alteeve.ca {
		address 10.10.30.2:7788;
	}
}Disable drbd from starting on boot.
systemctl disable drbd.servicedrbd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig drbd offLoad the config;
modprobe drbdNow check the config;
drbdadm dump  --==  Thank you for participating in the global usage survey  ==--
The server's response is:
you are the 69th user to install this version
/etc/drbd.d/r0.res:3: in resource r0:
become-primary-on is set to both, but allow-two-primaries is not set.Ignore that error. It has been reported and does not effect operation.
Create the metadisk;
drbdadm create-md r0Writing meta data...
initializing activity log
NOT initializing bitmap
New drbd meta data block successfully created.
successStart the DRBD resource on both nodes;
drbdadm up r0Once /proc/drbd shows both nodes connected, force one to primary and it will sync over the second.
drbdadm primary --force r0You should see the resource syncing now. Push both nodes to primary;
drbdadm primary r0DLM, Clustered LVM and GFS2
| an-a03n01 | sed -i.anvil 's^filter = \[ "a/\.\*/" \]^filter = \[ "a|/dev/drbd*|", "r/.*/" \]^' /etc/lvm/lvm.conf
sed -i 's/locking_type = 1$/locking_type = 3/' /etc/lvm/lvm.conf
sed -i 's/fallback_to_local_locking = 1$/fallback_to_local_locking = 0/' /etc/lvm/lvm.conf 
sed -i 's/use_lvmetad = 1$/use_lvmetad = 0/' /etc/lvm/lvm.conf--- /etc/lvm/lvm.conf.anvil	2013-11-27 03:28:08.000000000 -0500
+++ /etc/lvm/lvm.conf	2014-01-26 18:57:41.026928464 -0500
@@ -84,7 +84,7 @@
     # lvmetad is used" comment that is attached to global/use_lvmetad setting.
 
     # By default we accept every block device:
-    filter = [ "a/.*/" ]
+    filter = [ "a|/dev/drbd*|", "r/.*/" ]
 
     # Exclude the cdrom drive
     # filter = [ "r|/dev/cdrom|" ]
@@ -451,7 +451,7 @@
     # supported in clustered environment. If use_lvmetad=1 and locking_type=3
     # is set at the same time, LVM always issues a warning message about this
     # and then it automatically disables lvmetad use.
-    locking_type = 1
+    locking_type = 3
 
     # Set to 0 to fail when a lock request cannot be satisfied immediately.
     wait_for_locks = 1
@@ -467,7 +467,7 @@
     # to 1 an attempt will be made to use local file-based locking (type 1).
     # If this succeeds, only commands against local volume groups will proceed.
     # Volume Groups marked as clustered will be ignored.
-    fallback_to_local_locking = 1
+    fallback_to_local_locking = 0
 
     # Local non-LV directory that holds file-based locks while commands are
     # in progress.  A directory like /tmp that may get wiped on reboot is OK.
@@ -594,7 +594,7 @@
     # supported in clustered environment. If use_lvmetad=1 and locking_type=3
     # is set at the same time, LVM always issues a warning message about this
     # and then it automatically disables lvmetad use.
-    use_lvmetad = 1
+    use_lvmetad = 0
 
     # Full path of the utility called to check that a thin metadata device
     # is in a state that allows it to be used.rsync -av /etc/lvm/lvm.conf* root@an-a03n02:/etc/lvm/sending incremental file list
lvm.conf
lvm.conf.anvil
sent 48536 bytes  received 440 bytes  97952.00 bytes/sec
total size is 90673  speedup is 1.85 | 
|---|---|
| an-a03n02 | diff -u /etc/lvm/lvm.conf.anvil /etc/lvm/lvm.conf--- /etc/lvm/lvm.conf.anvil	2013-11-27 03:28:08.000000000 -0500
+++ /etc/lvm/lvm.conf	2014-01-26 18:57:41.000000000 -0500
@@ -84,7 +84,7 @@
     # lvmetad is used" comment that is attached to global/use_lvmetad setting.
 
     # By default we accept every block device:
-    filter = [ "a/.*/" ]
+    filter = [ "a|/dev/drbd*|", "r/.*/" ]
 
     # Exclude the cdrom drive
     # filter = [ "r|/dev/cdrom|" ]
@@ -451,7 +451,7 @@
     # supported in clustered environment. If use_lvmetad=1 and locking_type=3
     # is set at the same time, LVM always issues a warning message about this
     # and then it automatically disables lvmetad use.
-    locking_type = 1
+    locking_type = 3
 
     # Set to 0 to fail when a lock request cannot be satisfied immediately.
     wait_for_locks = 1
@@ -467,7 +467,7 @@
     # to 1 an attempt will be made to use local file-based locking (type 1).
     # If this succeeds, only commands against local volume groups will proceed.
     # Volume Groups marked as clustered will be ignored.
-    fallback_to_local_locking = 1
+    fallback_to_local_locking = 0
 
     # Local non-LV directory that holds file-based locks while commands are
     # in progress.  A directory like /tmp that may get wiped on reboot is OK.
@@ -594,7 +594,7 @@
     # supported in clustered environment. If use_lvmetad=1 and locking_type=3
     # is set at the same time, LVM always issues a warning message about this
     # and then it automatically disables lvmetad use.
-    use_lvmetad = 1
+    use_lvmetad = 0
 
     # Full path of the utility called to check that a thin metadata device
     # is in a state that allows it to be used. | 
Disable lvmetad as it's not cluster-aware.
| an-a03n01 | systemctl disable lvm2-lvmetad.service
systemctl disable lvm2-lvmetad.socket
systemctl stop lvm2-lvmetad.servicerm '/etc/systemd/system/sockets.target.wants/lvm2-lvmetad.socket' | 
|---|---|
| an-a03n02 | systemctl disable lvm2-lvmetad.service
systemctl disable lvm2-lvmetad.socket
systemctl stop lvm2-lvmetad.servicerm '/etc/systemd/system/sockets.target.wants/lvm2-lvmetad.socket' | 
|  | Note: This will be moved to pacemaker shortly. We're enabling it here just long enough to configure pacemaker. | 
Start DLM and clvmd;
| an-a03n01 | systemctl start dlm.service
systemctl start clvmd.service | 
|---|---|
| an-a03n02 | systemctl start dlm.service
systemctl start clvmd.service | 
Create the PV, VG and the /shared LV;
| an-a03n01 | pvcreate /dev/drbd0  Physical volume "/dev/drbd0" successfully createdvgcreate an-a03n01_vg0 /dev/drbd0  /proc/devices: No entry for device-mapper found
  Clustered volume group "an-a03n01_vg0" successfully createdlvcreate -L 10G -n shared an-a03n01_vg0  Logical volume "shared" created | 
|---|---|
| an-a03n02 | pvscan  PV /dev/drbd0   VG an-a03n01_vg0   lvm2 [20.00 GiB / 20.00 GiB free]
  Total: 1 [20.00 GiB] / in use: 1 [20.00 GiB] / in no VG: 0 [0   ]vgscan  Reading all physical volumes.  This may take a while...
  Found volume group "an-a03n01_vg0" using metadata type lvm2lvscan  ACTIVE            '/dev/an-a03n01_vg0/shared' [10.00 GiB] inherit | 
Format the /dev/an-a03n01_vg0/shared;
| an-a03n01 | mkfs.gfs2 -j 2 -p lock_dlm -t an-cluster-03:shared /dev/an-a03n01_vg0/shared/dev/an-a03n01_vg0/shared is a symbolic link to /dev/dm-0
This will destroy any data on /dev/dm-0Are you sure you want to proceed? [y/n]yDevice:                    /dev/an-a03n01_vg0/shared
Block size:                4096
Device size:               10.00 GB (2621440 blocks)
Filesystem size:           10.00 GB (2621438 blocks)
Journals:                  2
Resource groups:           40
Locking protocol:          "lock_dlm"
Lock table:                "an-cluster-03:shared"
UUID:                      20bafdb0-1f86-f424-405b-9bf608c0c486mkdir /shared
mount /dev/an-a03n01_vg0/shared /shared
df -hFilesystem                         Size  Used Avail Use% Mounted on
/dev/vda3                           18G  5.6G   12G  32% /
devtmpfs                           932M     0  932M   0% /dev
tmpfs                              937M   61M  877M   7% /dev/shm
tmpfs                              937M  1.9M  935M   1% /run
tmpfs                              937M     0  937M   0% /sys/fs/cgroup
/dev/loop0                         4.4G  4.4G     0 100% /mnt/dvd
/dev/vda1                          484M   83M  401M  18% /boot
/dev/mapper/an--a03n01_vg0-shared   10G  259M  9.8G   3% /shared | 
|---|---|
| an-a03n02 | Filesystem                         Size  Used Avail Use% Mounted on
/dev/vda3                           18G  5.6G   12G  32% /
devtmpfs                           932M     0  932M   0% /dev
tmpfs                              937M   76M  862M   9% /dev/shm
tmpfs                              937M  2.0M  935M   1% /run
tmpfs                              937M     0  937M   0% /sys/fs/cgroup
/dev/loop0                         4.4G  4.4G     0 100% /mnt/dvd
/dev/vda1                          484M   83M  401M  18% /boot
/dev/mapper/an--a03n01_vg0-shared   10G  259M  9.8G   3% /shared | 
Shut down gfs2, clvmd and drbd now.
| an-a03n01 | umount /shared/
systemctl stop clvmd.service
drbdadm down r0 | 
|---|---|
| an-a03n02 | umount /shared/
systemctl stop clvmd.service
drbdadm down r0 | 
Done.
Add Storage to Pacemaker
Configure Dual-Primary DRBD
Setup DRBD as a dual-primary resource.
| an-a03n01 | pcs cluster cib drbd_cfg
pcs -f drbd_cfg resource create drbd_r0 ocf:linbit:drbd drbd_resource=r0 op monitor interval=60s
pcs -f drbd_cfg resource master drbd_r0_Clone drbd_r0 master-max=2 master-node-max=1 clone-max=2 clone-node-max=1 notify=true
pcs cluster cib-push drbd_cfgCIB updated | 
|---|
Give it a couple minutes to promote both nodes to Master on both nodes. Initially, it will appear as Master on one node only.
Once updated, you should see this:
| an-a03n01 | pcs statusCluster name: an-cluster-03
Last updated: Sun Jan 26 20:26:33 2014
Last change: Sun Jan 26 20:23:23 2014 via cibadmin on an-a03n01.alteeve.ca
Stack: corosync
Current DC: an-a03n02.alteeve.ca (2) - partition with quorum
Version: 1.1.10-19.el7-368c726
2 Nodes configured
4 Resources configured
Online: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
Full list of resources:
 fence_n01_virsh	(stonith:fence_virsh):	Started an-a03n01.alteeve.ca 
 fence_n02_virsh	(stonith:fence_virsh):	Started an-a03n02.alteeve.ca 
 Master/Slave Set: drbd_r0_Clone [drbd_r0]
     Masters: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
PCSD Status:
an-a03n01.alteeve.ca: 
  an-a03n01.alteeve.ca: Online
an-a03n02.alteeve.ca: 
  an-a03n02.alteeve.ca: Online
Daemon Status:
  corosync: active/disabled
  pacemaker: active/disabled
  pcsd: active/enabled | 
|---|---|
| an-a03n02 | pcs statusCluster name: an-cluster-03
Last updated: Sun Jan 26 20:26:58 2014
Last change: Sun Jan 26 20:23:23 2014 via cibadmin on an-a03n01.alteeve.ca
Stack: corosync
Current DC: an-a03n02.alteeve.ca (2) - partition with quorum
Version: 1.1.10-19.el7-368c726
2 Nodes configured
4 Resources configured
Online: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
Full list of resources:
 fence_n01_virsh	(stonith:fence_virsh):	Started an-a03n01.alteeve.ca 
 fence_n02_virsh	(stonith:fence_virsh):	Started an-a03n02.alteeve.ca 
 Master/Slave Set: drbd_r0_Clone [drbd_r0]
     Masters: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
PCSD Status:
an-a03n01.alteeve.ca: 
  an-a03n01.alteeve.ca: Online
an-a03n02.alteeve.ca: 
  an-a03n02.alteeve.ca: Online
Daemon Status:
  corosync: active/disabled
  pacemaker: active/disabled
  pcsd: active/enabled | 
Configure DLM
| an-a03n01 | pcs cluster cib dlm_cfg
pcs -f dlm_cfg resource create dlm ocf:pacemaker:controld op monitor interval=60s
pcs -f dlm_cfg resource clone dlm clone-max=2 clone-node-max=1
pcs cluster cib-push dlm_cfgCIB updated | 
|---|---|
| an-a03n02 | pcs statusCluster name: an-cluster-03
Last updated: Sun Jan 26 20:34:36 2014
Last change: Sun Jan 26 20:33:31 2014 via cibadmin on an-a03n01.alteeve.ca
Stack: corosync
Current DC: an-a03n02.alteeve.ca (2) - partition with quorum
Version: 1.1.10-19.el7-368c726
2 Nodes configured
6 Resources configured
Online: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
Full list of resources:
 fence_n01_virsh	(stonith:fence_virsh):	Started an-a03n01.alteeve.ca 
 fence_n02_virsh	(stonith:fence_virsh):	Started an-a03n02.alteeve.ca 
 Master/Slave Set: drbd_r0_Clone [drbd_r0]
     Masters: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
 Clone Set: dlm-clone [dlm]
     Started: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
PCSD Status:
an-a03n01.alteeve.ca: 
  an-a03n01.alteeve.ca: Online
an-a03n02.alteeve.ca: 
  an-a03n02.alteeve.ca: Online
Daemon Status:
  corosync: active/disabled
  pacemaker: active/disabled
  pcsd: active/enabled | 
Configure Cluster LVM
| an-a03n01 | pcs cluster cib clvmd_cfg
pcs -f clvmd_cfg resource create clvmd lsb:clvmd params daemon_timeout=30s op monitor interval=60s
pcs -f clvmd_cfg resource clone clvmd clone-max=2 clone-node-max=1
pcs -f clvmd_cfg constraint colocation add dlm-clone clvmd-clone INFINITY
pcs -f clvmd_cfg constraint order start dlm then start clvmd-clone
pcs cluster cib-push clvmd_cfgCIB updated | 
|---|---|
| an-a03n02 | pcs statusCluster name: an-cluster-03
Last updated: Mon Jan 27 19:00:33 2014
Last change: Mon Jan 27 19:00:19 2014 via crm_resource on an-a03n01.alteeve.ca
Stack: corosync
Current DC: an-a03n01.alteeve.ca (1) - partition with quorum
Version: 1.1.10-19.el7-368c726
2 Nodes configured
8 Resources configured
Online: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
Full list of resources:
 fence_n01_virsh        (stonith:fence_virsh):  Started an-a03n01.alteeve.ca
 fence_n02_virsh        (stonith:fence_virsh):  Started an-a03n02.alteeve.ca
 Master/Slave Set: drbd_r0_Clone [drbd_r0]
     Masters: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
 Clone Set: dlm-clone [dlm]
     Started: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
 Clone Set: clvmd-clone [clvmd]
     Started: [ an-a03n01.alteeve.ca an-a03n02.alteeve.ca ]
PCSD Status:
an-a03n01.alteeve.ca:
  an-a03n01.alteeve.ca: Online
an-a03n02.alteeve.ca:
  an-a03n02.alteeve.ca: Online
Daemon Status:
  corosync: active/disabled
  pacemaker: active/disabled
  pcsd: active/enabled | 
| an-a03n01 | pcs cluster cib fs_cfg
pcs -f fs_cfg resource create sharedFS Filesystem device="/dev/an-a03n01_vg0/shared" directory="/shared" fstype="gfs2"
pcs -f fs_cfg resource clone sharedFS
pcs cluster cib-push fs_cfgCIB updateddf -hFilesystem                         Size  Used Avail Use% Mounted on
/dev/vda3                           18G  5.6G   12G  32% /
devtmpfs                           932M     0  932M   0% /dev
tmpfs                              937M   61M  877M   7% /dev/shm
tmpfs                              937M  2.2M  935M   1% /run
tmpfs                              937M     0  937M   0% /sys/fs/cgroup
/dev/loop0                         4.4G  4.4G     0 100% /mnt/dvd
/dev/vda1                          484M   83M  401M  18% /boot
/dev/mapper/an--a03n01_vg0-shared   10G  259M  9.8G   3% /shared | 
|---|---|
| an-a03n02 | df -hFilesystem                         Size  Used Avail Use% Mounted on
/dev/vda3                           18G  5.6G   12G  32% /
devtmpfs                           932M     0  932M   0% /dev
tmpfs                              937M   76M  862M   9% /dev/shm
tmpfs                              937M  2.6M  935M   1% /run
tmpfs                              937M     0  937M   0% /sys/fs/cgroup
/dev/loop0                         4.4G  4.4G     0 100% /mnt/dvd
/dev/vda1                          484M   83M  401M  18% /boot
/dev/mapper/an--a03n01_vg0-shared   10G  259M  9.8G   3% /shared | 
Configuring Constraints
| an-a03n01 | pcs cluster cib cst_cfg
pcs -f cst_cfg constraint order start dlm then promote drbd_r0_Clone
pcs -f cst_cfg constraint order promote drbd_r0_Clone then start clvmd-clone
pcs -f cst_cfg constraint order promote clvmd-clone then start sharedFS-clone
pcs cluster cib-push cst_cfgCIB updatedpcs constraint showLocation Constraints:
Ordering Constraints:
  start dlm then promote drbd_r0_Clone
  promote drbd_r0_Clone then start clvmd-clone
  start clvmd-clone then start sharedFS-clone
Colocation Constraints: | 
|---|---|
| an-a03n02 | pcs constraint showLocation Constraints:
Ordering Constraints:
  start dlm then promote drbd_r0_Clone
  promote drbd_r0_Clone then start clvmd-clone
  start clvmd-clone then start sharedFS-clone
Colocation Constraints: | 
Odds and Sods
This is a section for random notes. The stuff here will be integrated into the finished tutorial or removed.
Determine multicast Address
Useful if you need to ensure that your switch has persistent multicast addresses set.
corosync-cmapctl | grep mcastaddrtotem.interface.0.mcastaddr (str) = 239.192.122.199
Notes
Thanks
This list will certainly grow as this tutorial progresses;
- Olivier Allart, RCHE for doing a lot of the heavy lifting on the fencing_topology configuration.
| Any questions, feedback, advice, complaints or meanderings are welcome. | |||
| Alteeve's Niche! | Alteeve Enterprise Support | Community Support | |
| © 2025 Alteeve. Intelligent Availability® is a registered trademark of Alteeve's Niche! Inc. 1997-2025 | |||
| legal stuff: All info is provided "As-Is". Do not use anything here unless you are willing and able to take responsibility for your own actions. | |||