Hawk (HA Web Konsole) is a web-based GUI for Pacemaker HA clusters.
So, why another management tool, given that we already have the crm shell, the Python GUI, and DRBD MC? In order:
- We have the usual rationale for a GUI over (or in addition to) a CLI tool: it is (or should be) easier to use for a wider audience.
- The Python GUI is not always easily installable/runnable (think: sysadmins with Windows desktops and/or people who don't want to, or can't, forward X).
- There are a number of cases where site policy prohibits SSH access to servers (which is what DRBD MC uses internally).
There are also some differing goals; Hawk is not intended to expose absolutely everything. There will be a point somewhere where you have to say "and now you must learn to use a shell". Likewise, Hawk is not intended to install the base cluster stack for you (whereas DRBD MC does a good job of this).
As of 2010-05-19 (version 0.4.1), we have:
- Reasonable feature parity with crm_mon (displays node and resource status, failed ops)
- The ability to perform basic operator tasks:
  - Node: standby, online, fence
  - Resource: start, stop, migrate, unmigrate, clean up
- The ability to create, edit and delete primitives, groups, clones and m/s resources.
- The ability to create, edit and delete location, colocation and ordering constraints.
- The ability to edit crm_config properties.
Hawk will show you the nodes and resources in your cluster, and some general summary information (Pacemaker version, stack, DC, etc.). Errors and failed ops appear in a red bar at the top of the display. The display of nodes and resources is collapsible (collapsed by default), but if something breaks while you're looking at it, the display will expand to show the broken nodes and/or resources.
Note that because it's possible to manipulate the cluster, you will first be presented with a login screen. The same rules apply as for the Python GUI; you need to log in as a user in the "haclient" group (the easiest thing to do is assign a password to the existing "hacluster" user, then log in using that account).
No descriptive page such as this is complete without screenshots. Here they are:
- Login Screen
- Main Status Screen
- Node Popup Menu
- Node Standby Confirmation
- Node on Standby
- Pending Resources (requires op_defaults record-pending=true)
- Create Primitive Resource Screen
- Create Clone Screen
- Resource Popup Menu
- Cluster Configuration Screen
- Constraint List Screen
- Order Constraint Editor (colocation constraint editor works the same way)
- Location Constraint Editor (simple)
- Location Constraint Editor (rules/expressions)
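Incidentally, the "pending resources" display mentioned above requires record-pending to be enabled in op_defaults. A sketch of how this might be set with the crm shell on a cluster node (assuming the crm shell is installed):

```
crm configure op_defaults record-pending=true
```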
Implementation is proceeding in a staged fashion, so that we generally have something useful most of the time, rather than nothing functional for several months. Version numbers for the 0.n.n series correspond roughly to major areas of functionality:
|0.1.x|Initial cluster status display & scaffolding|
|0.2.x|Status display comparable to crm_mon (includes failed ops)|
|0.3.x|Login screen, basic management operations (node online/offline/fence, resource start/stop/migrate/cleanup)|
|0.4.x|Cluster configuration (create/delete resources, configure cluster properties)|
Areas of functionality coming in future versions are:
- Explore failure scenarios (shadow CIB magic to see what would happen if a node/resource failed).
For further details see Hawk/Design.
Hawk is intended to run on each node in your cluster. You can then access it by pointing your web browser at the IP address of any cluster node, or the address of any IPaddr(2) resource you may have configured.
Hawk is a Ruby on Rails app which runs from a standalone instance of lighttpd. All required Ruby gems are frozen into the Hawk package at build time. Its runtime dependencies are thus:
When building Hawk from source, you will also need:
- rubygem-rails >= 2.3
- ruby-fcgi (openSUSE/SLES only)
- fdupes (openSUSE/SLES only)
- libpacemaker-devel (openSUSE/SLES)
- pacemaker-libs-devel (Fedora)
Installing The Easy Way
Hawk 0.3 is included with SLE HAE 11 SP1 and openSUSE 11.4. Hawk 0.4 packages for various SUSE distros are available in the network:ha-clustering and network:ha-clustering:Factory repositories on OBS, or you can just search for Hawk on software.opensuse.org.
In any case, install the RPM, then run:
# chkconfig hawk on
# rchawk start
Then, go to:
Installing The Other Easy Way
If you have a recent SUSE- or Fedora-based system, you can build an RPM easily from the source tree:
# hg clone http://hg.clusterlabs.org/pacemaker/hawk
# cd hawk
# hg update tip
# make rpm
Then install the RPM on your cluster nodes and:
# chkconfig hawk on
# /etc/init.d/hawk start
Then, go to:
The Hard Way
If the above RPM build doesn't work for you, you can build and install straight from the source tree, but read the makefile first to ensure you'll be happy with the outcome:
# hg clone http://hg.clusterlabs.org/pacemaker/hawk
# cd hawk
# hg update tip
# make
# sudo make install
The above will install in /srv/www/hawk and run from a SUSE-style init script. To install somewhere else (e.g.: /var/www/hawk) and/or to use a Red Hat-style init script, try:
# make WWW_BASE=/var/www INIT_STYLE=redhat
# sudo make WWW_BASE=/var/www INIT_STYLE=redhat install
Finally, go to:
A Note on SSL Certificates
The Hawk init script will automatically generate a self-signed SSL certificate in /etc/lighttpd/certs/hawk-combined.pem. If you want to use your own certificate, simply replace this file with one of your own creation. Note that this is a combined key and certificate, i.e. you'll need to cat key cert > hawk-combined.pem.
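For example, the combined file can be assembled like this (a sketch using a throwaway self-signed pair; the hawk.key/hawk.crt filenames and the subject are placeholders for your real key and certificate):

```shell
# Generate a throwaway self-signed key and certificate (filenames and
# subject are examples; substitute your real key/cert here).
openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout hawk.key -out hawk.crt -days 365 -subj "/CN=hawk.example.com"

# lighttpd expects the key and certificate concatenated into one file:
cat hawk.key hawk.crt > hawk-combined.pem
```

Copy the resulting hawk-combined.pem over /etc/lighttpd/certs/hawk-combined.pem and restart Hawk to pick it up.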
Hacking an instance of Hawk that was installed from an RPM is annoying, not least because you have to keep restarting it to have changed files reloaded. Instead, it's easiest to just run it under WEBrick from within the source tree. First, though, you need to run make to build the hawk_chkpwd and hawk_invoke helper binaries, then install them setuid-root, group=haclient, in /usr/sbin. You should end up with something like:
# ls -l /usr/sbin/hawk_*
-rwsr-x--- 1 root haclient 9884 2011-04-14 22:56 /usr/sbin/hawk_chkpwd
-rwsr-x--- 1 root haclient 9928 2011-04-14 22:56 /usr/sbin/hawk_invoke
-rwxr-xr-x 1 root root     9992 2011-04-14 22:56 /usr/sbin/hawk_monitor
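A minimal sketch of that installation step (run as root from the directory containing the freshly built helpers; assumes the haclient group already exists on the node):

```shell
# Install the helper binaries setuid-root, executable only by root and
# members of the haclient group (mode 4750, matching the listing above).
install -o root -g haclient -m 4750 hawk_chkpwd /usr/sbin/hawk_chkpwd
install -o root -g haclient -m 4750 hawk_invoke /usr/sbin/hawk_invoke
```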
hawk_chkpwd is almost identical to unix2_chkpwd, except it restricts access to users in the haclient group, and doesn't inject any delay when invoked by the hacluster user (which is the user Hawk's lighttpd instance runs as).
hawk_invoke allows the hacluster user to run a small assortment of Pacemaker CLI tools as another user in order to support Pacemaker's ACL feature. It is used by Hawk when performing various management tasks.
hawk_monitor is not installed setuid-root. It exists to be polled by the web browser, to facilitate near-realtime updates of the cluster status display. It is not used when running Hawk via WEBrick.
Once you've got the above built and installed, run:
# sudo -u hacluster hawk/script/server
This will give you Hawk running via HTTP (not HTTPS), on port 3000, e.g.:
Note that automatic status updates won't work in this mode, because requests for /monitor aren't routed to /usr/sbin/hawk_monitor. To force a status update every few seconds, try:
Finally, as an alternative to running WEBrick as hacluster (which may require fiddling with file permissions in your source directory, depending on how restrictive your defaults are), you can just rsync the source tree to a development cluster node and run it as root there.
Comments, Feedback, Questions, Bug Reports
Please direct comments, feedback, questions, etc. to the Pacemaker mailing list. Bug reports can be entered in the Linux Foundation bug tracker, but you might be better off hassling tserong in #linux-cluster or #linux-ha on irc://irc.freenode.org first.