On Thu, Nov 12, 2009 at 4:46 PM, Colin <colin....@gmail.com> wrote:
> On Thu, Nov 12, 2009 at 3:36 PM, Andrew Beekhof <and...@beekhof.net> wrote:
>> I used it the other day.
>>
>> http://www.clusterlabs.org/doc/pacemaker-explained/ch-advanced-options.html#s-remote-connection
>>
>> Try setting CIB_encrypted to false.
>
> Thanks, that got me a step further...
>
> ...but there are still various issues:
>
> 1) In cib/remote.c, the function check_group_membership() only checks
> whether the user is explicitly listed as member of the group in
> /etc/group, but does not accept the user if only the users's primary
> group in /etc/passwd is set to the correct group (and the explicit,
> then redundant, membership in /etc/group is missing).
Agreed. Seems to be a PAM thing that I can't do much about though.
>
> 2) "Configuration Explained" does not mention CIB_encryped, that's why
> my first attempts didn't work in the first place.
I know, the docs I pointed you to are the new location for
"configuration explained", they'll be announced shortly.
>
> 3) "Configuration Explained" says "remote-open-port" instead of
> "remote-clear-port" in one place.
the new docs are correct
>
> 4) "Configuration Explained" says that CIB_user must be in the
> "hacluster" group, rather then the "haclient" group.
the new docs are correct
> 5) The log message "cib: [2941]: debug: cib_remote_listen: New
> clear-text connection" should include from where the connection came.
why and how?
> 6) The log message "cib: [2941]: ERROR: cib_remote_listen: User is not
> a member of the required group" might mention which user and which
> group...
it doesn't do so for security reasons
> 7) "Configuration Explained" and the page you just sent me both state
> that CIB_user must be part of the hacluster group; apart from the
> mistake that the group is haclient, the commend in cib/remote.c and my
> observations shows that CIB_user actually must be the user as which
> the cib process is running.
correct
> 8) Just tried with crm_resource: The password prompt when not setting
> CIB_password is sent to stdout, rather than stderr [which makes it
> near impossible to send the output someplace].
we can probably change that
> 9) I am getting completely bogus results via the remote connection,
> e.g. "crm_resource --list" shows only 2 of 8 resources, and shows the
> as stopped, whereas on the cluster nodes I see the -- correct -- list
> with 8 resources which are all started. With "cibadmin -Q" I get:
>
> # cibadmin -Q | wc # on a cluster node
> 379 1895 50474
>
> # cibadmin -Q | wc # via the remote connection
> cibadmin: Opened connection to 192.168.80.10:6900
> 66 193 4731
someone else mentioned that, i've not been able to reproduce it yet.
> 10) It's very easy to trash the cib process, e.g. by connecting via
> telnet and sending a few bytes of garbage; result is an endless loop
> of "cib: [7846]: ERROR: cib_recv_remote_msg: Empty reply" messages,
> one per second, and that I need to "killall -9 cib" in order to get
> everything working again.
ok, thats not good.
I think this patch should fix it though:
diff -r 828b3329a64c cib/remote.c
--- a/cib/remote.c Fri Nov 06 16:28:21 2009 +0100
+++ b/cib/remote.c Mon Nov 16 15:18:41 2009 +0100
@@ -220,7 +220,7 @@ cib_remote_listen(int ssock, gpointer da
}
do {
- crm_debug_2("Iter: %d", lpc++);
+ crm_debug_2("Iter: %d", lpc);
if(ssock == remote_tls_fd) {
#ifdef HAVE_GNUTLS_GNUTLS_H
login = cib_recv_remote_msg(session, TRUE);
@@ -230,7 +230,7 @@ cib_remote_listen(int ssock, gpointer da
}
sleep(1);
- } while(login == NULL && lpc < 10);
+ } while(login == NULL && ++lpc < 10);
crm_log_xml_info(login, "Login: ");
if(login == NULL) {
>
> Only once, out of a couple dozen attempts, did the remote access
> actually yield the correct output, other times it completely fails
> without any apparent reason ... at this point I'm not quite sure what
> to make of all this.
>
> Regards, Colin
>
> _______________________________________________
> Pacemaker mailing list
> Pacemaker@oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
_______________________________________________
Pacemaker mailing list
Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
