Fix Pack 8

Pacemaker Cluster sensor

The Pacemaker Cluster sensor discovers a Pacemaker Cluster. The sensor discovers the nodes, resources, resource groups, resource clones, multi-state resources, their meta attributes, resource attributes, and cluster properties of the cluster. This sensor is script-based and also supports asynchronous discovery.

Sensor name that is used in the GUI and logs

PacemakerClusterSensor

Prerequisites

The Pacemaker Cluster sensor requires:

  • The successful discovery of Linux computer systems
  • The cluster must be in started mode on the node used as a discovery target.
  • The nodes used as a target can be either a Cluster Node or Remote Node.
  • The pcs command must be available to run on the cluster node to fetch information about the cluster.
  • The cluster name must be unique in the customer environment, because it is used as a Naming Rule attribute to uniquely identify a Pacemaker Cluster.
  • The sensor uses the IP addresses of the node names of the cluster to link the discovered cluster nodes with the respective computer systems. The IP addresses of the computer systems that are part of the Pacemaker cluster must be unique in the customer environment.
  • The IP address of each cluster node name is determined either by running the nslookup command on the node name or by looking up the node name in the /etc/hosts file on the target. At least one of these mechanisms must be available to translate node names to IP addresses.
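The last two prerequisites describe a translation step (node name to IP address, via /etc/hosts or DNS) and a uniqueness requirement on the resulting addresses. The following Python script is an added illustration of that check, written for this page; it is not the sensor's own code. The /etc/hosts content is a constructed sample, and the `dns` callable is an assumed hook that defaults to `socket.gethostbyname` (the nslookup equivalent) but can be replaced with an offline stub, which is what `dns_unavailable` is for.

```python
"""Resolve Pacemaker node names to IP addresses and check that the addresses
are unique, mirroring the two prerequisites above.  Added example, not the
sensor's implementation."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample of an /etc/hosts file (not taken from the page).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6
# cluster nodes
192.0.2.11  node1.example.com node1
192.0.2.12  node2.example.com node2
192.0.2.11  node3            # same address as node1: nodes cannot be told apart
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname and alias in /etc/hosts-style text to its address.
    Comments (#) and blank lines are ignored; the first mapping for a name
    wins, which matches how the resolver library reads /etc/hosts."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def dns_unavailable(name: str) -> str:
    """Stand-in resolver for offline runs: behaves like a failed nslookup."""
    raise socket.gaierror(f"no DNS available for {name}")


def resolve_node(name: str, hosts: Dict[str, str],
                 dns: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Translate one node name: /etc/hosts first, then DNS.
    Returns None when neither mechanism can translate the name."""
    addr = hosts.get(name.lower())
    if addr:
        return addr
    try:
        return dns(name) or None
    except (socket.gaierror, OSError):
        return None


@dataclass
class NodeCheck:
    resolved: Dict[str, str] = field(default_factory=dict)      # node -> IP
    unresolved: List[str] = field(default_factory=list)         # no translation found
    duplicate_ips: Dict[str, List[str]] = field(default_factory=dict)  # IP -> nodes sharing it


def check_nodes(node_names: List[str], hosts_text: str,
                dns: Callable[[str], str] = socket.gethostbyname) -> NodeCheck:
    """Resolve each node and report the two conditions that break the link
    between cluster nodes and computer systems: names that cannot be
    translated, and IP addresses shared by more than one node."""
    hosts = parse_hosts(hosts_text)
    result = NodeCheck()
    for name in node_names:
        ip = resolve_node(name, hosts, dns)
        if ip is None:
            result.unresolved.append(name)
        else:
            result.resolved[name] = ip
    by_ip: Dict[str, List[str]] = {}
    for name, ip in result.resolved.items():
        by_ip.setdefault(ip, []).append(name)
    result.duplicate_ips = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return result


if __name__ == "__main__":
    # Offline demonstration: node4 is in neither /etc/hosts nor (stubbed) DNS.
    report = check_nodes(["node1", "node2", "node3", "node4"], SAMPLE_HOSTS, dns=dns_unavailable)
    for node, ip in report.resolved.items():
        print(f"{node:8s} -> {ip}")
    for node in report.unresolved:
        print(f"{node:8s} -> UNRESOLVED (prerequisite not met)")
    for ip, nodes in report.duplicate_ips.items():
        print(f"duplicate IP {ip} shared by {', '.join(nodes)} (prerequisite not met)")
```

Run it on a real target by replacing `SAMPLE_HOSTS` with the contents of /etc/hosts and dropping the `dns=` argument so that names missing from the file fall through to the system resolver; an unresolved node or a duplicate address means the sensor will not be able to link that node to its computer system.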

Security issues

A Computer System user is used to discover the Pacemaker Cluster.

This discovery user must have privileges to execute the pcs command and access the cluster information in at least read-only mode.

On Red Hat Enterprise Linux 7, the following steps give read-only permission to a local user. For more details, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-accesscontrol-haar.
  1. Add discovery user to the haclient group by running the following command:

    usermod -a -G haclient <discoveryUser>

  2. Enable Pacemaker ACLs by setting the enable-acl cluster property:

    pcs property set enable-acl=true --force

  3. Create a role with read-only permissions for the cib:

    pcs acl role create <ROLE-NAME> description="Readonly access to cluster" read xpath /cib

  4. Create the user <discoveryUser> in the pcs ACL system and assign that user the read-only role:

    pcs acl user create <discoveryUser> <ROLE-NAME>

Limitations

  1. The scope of discovery must contain the IP address of at least one of the Pacemaker Cluster nodes. A node is any computer that is part of the cluster.
  2. Guest nodes may not be discovered.
  3. Resource operations, Location/Ordering/Colocation/Ticket constraints, Stonith, Fencing, Quorum, Alerts and Multi-Site Cluster using a Booth cluster ticket manager will not be discovered.