Chapter 5. Remote Node Walk-through

Table of Contents

5.1. Configure Remote Node
5.1.1. Configure Firewall on Remote Node
5.1.2. Configure pacemaker_remote on Remote Node
5.2. Verify Connection to Remote Node
5.3. Configure Cluster Nodes
5.3.1. Configure Firewall on Cluster Nodes
5.3.2. Install Pacemaker on Cluster Nodes
5.3.3. Copy Authentication Key to Cluster Nodes
5.3.4. Configure Corosync on Cluster Nodes
5.3.5. Start Pacemaker on Cluster Nodes
5.4. Integrate Remote Node into Cluster
5.5. Starting Resources on Remote Node
5.6. Fencing Remote Nodes
5.7. Accessing Cluster Tools from a Remote Node

What this tutorial is: An in-depth walk-through of how to get Pacemaker to integrate a remote node into the cluster as a node capable of running cluster resources.
What this tutorial is not: A realistic deployment scenario. The steps shown here are meant to get users familiar with the concept of remote nodes as quickly as possible.
This tutorial requires three machines: two to act as cluster nodes, and a third to act as the remote node.

5.1. Configure Remote Node

5.1.1. Configure Firewall on Remote Node

Allow cluster-related services through the local firewall:
# firewall-cmd --permanent --add-service=high-availability
success
# firewall-cmd --reload
success

Note

If you are using iptables directly, or some other firewall solution besides firewalld, simply open the following ports, which can be used by various clustering components: TCP ports 2224, 3121, and 21064, and UDP port 5405.
If you run into any problems during testing, you might want to disable the firewall and SELinux entirely until you have everything working. This may create significant security issues and should not be performed on machines that will be exposed to the outside world, but may be appropriate during development and testing on a protected host.
To disable security measures:
# setenforce 0
# sed -i.bak "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config
# systemctl mask firewalld.service
# systemctl stop firewalld.service
# iptables --flush

5.1.2. Configure pacemaker_remote on Remote Node

Install the pacemaker_remote daemon on the remote node.
# yum install -y pacemaker-remote resource-agents pcs
Create a location for the shared authentication key:
# mkdir -p --mode=0750 /etc/pacemaker
# chgrp haclient /etc/pacemaker
All nodes (both cluster nodes and remote nodes) must have the same authentication key installed for the communication to work correctly. If you already have a key on an existing node, copy it to the new remote node. Otherwise, create a new key, for example:
# dd if=/dev/urandom of=/etc/pacemaker/authkey bs=4096 count=1
Now start and enable the pacemaker_remote daemon on the remote node.
# systemctl enable pacemaker_remote.service
# systemctl start pacemaker_remote.service
Verify the start is successful.
# systemctl status pacemaker_remote
pacemaker_remote.service - Pacemaker Remote Service
   Loaded: loaded (/usr/lib/systemd/system/pacemaker_remote.service; enabled)
   Active: active (running) since Fri 2015-08-21 15:21:20 CDT; 20s ago
 Main PID: 21273 (pacemaker_remot)
   CGroup: /system.slice/pacemaker_remote.service
           └─21273 /usr/sbin/pacemaker_remoted

Aug 21 15:21:20 remote1 systemd[1]: Starting Pacemaker Remote Service...
Aug 21 15:21:20 remote1 systemd[1]: Started Pacemaker Remote Service.
Aug 21 15:21:20 remote1 pacemaker_remoted[21273]: notice: crm_add_logfile: Additional logging available in /var/log/pacemaker.log
Aug 21 15:21:20 remote1 pacemaker_remoted[21273]: notice: lrmd_init_remote_tls_server: Starting a tls listener on port 3121.
Aug 21 15:21:20 remote1 pacemaker_remoted[21273]: notice: bind_and_listen: Listening on address ::
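
The authentication key steps above can be checked before moving on to the cluster nodes. The following is an added example, not part of the Pacemaker documentation: it audits the key directory created above and compares key fingerprints between nodes without displaying the key. The function names are hypothetical, and GNU coreutils (stat -c, sha256sum) is assumed.

```shell
# Added example (not from the Pacemaker documentation); function names are hypothetical.
# Assumes GNU coreutils (stat -c, sha256sum), as on the yum-based hosts used here.

# Print the SHA-256 of the key so nodes can be compared without exposing the key.
authkey_fingerprint() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# audit_authkey [KEYFILE] [GROUP] [EXPECTED_FINGERPRINT]
# Returns 0 when the key exists and is non-empty, its directory matches the
# steps above (group GROUP, no permissions for "other"), and the fingerprint
# equals the expected one when given. Prints one line per problem found.
audit_authkey() {
    local key="${1:-/etc/pacemaker/authkey}"
    local group="${2:-haclient}"
    local want="${3:-}"
    local dir dmode dgroup rc=0
    dir=$(dirname -- "$key")

    if [ ! -f "$key" ] || [ ! -s "$key" ]; then
        echo "FAIL: $key is missing or empty"
        return 1
    fi
    dmode=$(stat -c '%a' -- "$dir")
    dgroup=$(stat -c '%G' -- "$dir")

    # The last octal digit holds the permissions for "other"; 0750 leaves it at 0.
    case "$dmode" in
        *0) ;;
        *)  echo "FAIL: $dir has mode $dmode, expected no permissions for other (0750)"
            rc=1 ;;
    esac
    if [ "$dgroup" != "$group" ]; then
        echo "FAIL: $dir has group $dgroup, expected $group"
        rc=1
    fi
    if [ -n "$want" ] && [ "$(authkey_fingerprint "$key")" != "$want" ]; then
        echo "FAIL: $key differs from the key on the reference node"
        rc=1
    fi
    return "$rc"
}
```

Run authkey_fingerprint /etc/pacemaker/authkey on a node that already holds the key, then pass the result as the third argument to audit_authkey on the node being added.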