Guest Fencing
From Cluster Labs
This HowTo applies to versions of Pacemaker >= 1.1.0
Installation
Repeat for all hosts and the guests that will make up the cluster.
Fedora-12 and later
yum install fence-virt fence-virtd
From source
git clone git://fence-virt.git.sourceforge.net/gitroot/fence-virt/fence-virt
cd fence-virt
./build
sudo make install
Configure the Host
For Guests Running on a Single Host
Run the configuration tool:
fence_virtd -c
Accept all the defaults except for exceptions listed below:
Setting a preferred interface causes fence_virtd to listen only on that interface. Normally, it listens on all interfaces. In environments where the virtual machines are using the host machine as a gateway, this *must* be set (typically to virbr0). Set to 'none' for no interface.
Interface [none]: virbr0
For now, you should accept the default unless the guests are NATed. My guests do not have an address on the real network, so I need to indicate the interface the host talks to the guests on.
Key File [none]: /etc/cluster/fence_xvm.key
This ensures that only machines with the same key file can initiate fencing requests.
At the end, it will ask whether to replace the existing configuration file; say yes:
Replace /etc/fence_virt.conf with the above [y/N]? y
Now populate the security key:
dd if=/dev/random bs=512 count=1 of=/etc/cluster/fence_xvm.key
You should end up with a configuration like the one below:
backends {
    libvirt {
        uri = "qemu:///system";
    }
}
listeners {
    multicast {
        key_file = "/etc/cluster/fence_xvm.key";
        interface = "virbr0";
        port = "1229";
        address = "225.0.0.12";
        family = "ipv4";
    }
}
fence_virtd {
    backend = "libvirt";
    listener = "multicast";
    module_path = "/usr/lib64/fence-virt";
}
For Guests Running on Multiple Hosts
Not yet supported, check back soon.
Rough commands:
yum install -y libvirt-qpid qpidd
chkconfig --level 2345 qpidd on
chkconfig --level 2345 libvirt-qpid on
service qpidd start
service libvirt-qpid start
sed -i.sed s/libvirt/libvirt-qpid/g /etc/fence_virt.conf
Testing the Host
Start the daemon:
fence_virtd
Then run:
fence_xvm -o hostlist
You should see output like the following:
[03:37 PM] root@f12 ~ # fence_xvm -o hostlist
pcmk-1    17bd6b6a-928f-2820-64ac-7c8d536df65f on
pcmk-2    f0062842-0196-7ec1-7623-e5bbe3a6632c on
pcmk-3    33e954b8-39ae-fb4b-e6e8-ecc443516b92 on
pcmk-4    98cda6de-74c4-97bf-0cfb-3954ff76a5c3 on
Remote: Operation was successful
Configure the Guest
Just install the key:
scp /etc/cluster/fence_xvm.key pcmk-1:/etc/cluster/fence_xvm.key
scp /etc/cluster/fence_xvm.key pcmk-2:/etc/cluster/fence_xvm.key
scp /etc/cluster/fence_xvm.key pcmk-3:/etc/cluster/fence_xvm.key
scp /etc/cluster/fence_xvm.key pcmk-4:/etc/cluster/fence_xvm.key
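Because every machine holding this key can request fencing, it is worth confirming on the host and on each guest that the copy is complete, closed to other users, and identical everywhere. The check below is an added example, not part of the original HowTo; the function name check_fence_key is hypothetical, and it assumes sha256sum from GNU coreutils and a 512-byte key as produced by the dd command above.

```shell
#!/bin/sh
# Added example, not from the original HowTo. check_fence_key is a
# hypothetical helper; sha256sum (GNU coreutils) is assumed to be installed.

# check_fence_key PATH [MIN_BYTES]
# Prints "OK <sha256>" and returns 0 when PATH is a regular file (not a
# symlink), at least MIN_BYTES long (default 512, matching bs=512 count=1),
# owned by the calling user, and closed to group and other.
# Otherwise prints "FAIL <reason>" and returns 1.
check_fence_key() {
    key=$1
    min=${2:-512}

    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL $key: not a regular file"
        return 1
    fi

    # A short file means dd got a partial read or the copy was truncated.
    size=$(wc -c < "$key" | tr -d ' ')
    if [ "$size" -lt "$min" ]; then
        echo "FAIL $key: $size bytes, expected at least $min"
        return 1
    fi

    # Field 1 of "ls -ldn" is the mode string, field 3 the numeric owner.
    perms=$(ls -ldn "$key" | cut -c5-10)
    owner=$(ls -ldn "$key" | awk '{print $3}')
    if [ "$perms" != "------" ]; then
        echo "FAIL $key: group or other can access the key (chmod 600)"
        return 1
    fi
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL $key: owned by uid $owner, not the calling user"
        return 1
    fi

    # Compare this digest across the host and every guest: it must match.
    echo "OK $(sha256sum "$key" | cut -d' ' -f1)"
}

# Run as root on the host and on each guest:
#   check_fence_key /etc/cluster/fence_xvm.key
```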
Testing the Guest
Run:
fence_xvm -o hostlist
You should see the same output as you saw on the host, e.g.:
[03:47 PM] root@pcmk-12 ~ # fence_xvm -o hostlist
pcmk-1    17bd6b6a-928f-2820-64ac-7c8d536df65f on
pcmk-2    f0062842-0196-7ec1-7623-e5bbe3a6632c on
pcmk-3    33e954b8-39ae-fb4b-e6e8-ecc443516b92 on
pcmk-4    98cda6de-74c4-97bf-0cfb-3954ff76a5c3 on
Remote: Operation was successful
Configure Fencing Resource in Pacemaker
Now create the resource in Pacemaker:
crm configure primitive st-virt stonith:fence_xvm
Done!

