corosync-qnetd - QNet daemon
corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls]
               [-c client_cert_required] [-m max_clients]
               [-S option=value[,option2=value2,...]]
corosync-qnetd is a daemon running outside of the cluster with the
purpose of providing a vote to the corosync-qdevice model net. It is
designed to support multiple clusters and to be almost configuration and
state free: new clusters are handled dynamically and no configuration file
exists. It is also able to run as a non-root user, which is recommended.
The connection between corosync-qnetd and the corosync-qdevice model net
client can optionally be protected with TLS, including client certificate
checking. The communication protocol between server and client is designed
to be very simple and to allow backward compatibility.
- -4
- and its counterpart -6 are used to force IPv4 or
IPv6 communication. The default is to listen on both address
families.
- -d
- Turn on debug logging. By default the messages sent to
syslog are purely operational; this option sends additional debug
messages. To raise the priority of the syslog messages to info, pass -d
twice.
- -f
- Do not daemonize, run in the foreground.
- -h
- Show short help text
- -v
- Show version and supported communication protocol
messages/options.
- -l
- IP address to listen on. By default the daemon listens on
all addresses (wildcard).
- -p
- TCP port to listen on. Default port is 5403.
- -s
- Determines whether TLS is used; one of on/off/required (the default is
on). on means TLS is enabled but a client is not required to start it, so
a client that never starts TLS is still served in plaintext; off means
TLS is completely disabled; required means TLS is required, so clients
that do not start TLS are rejected. Use required when votes must come
only from authenticated clients. Both on and required need the NSS
database to be properly initialized by running the
corosync-qnetd-certutil command.
- -c
- Can be set to on/off. This option only makes sense
if TLS is enabled. When -c is on (the default), a client is required to
send its client certificate.
- -m
- Maximum simultaneous clients. The default is 0 which means
no limit.
- -S
- Set advanced settings described in their own section below.
This option should generally not be used, because most of the settings are
not safe to change.
It is generally recommended to run corosync-qnetd as a non-root user. If
you get a package from a distribution it is likely that the packager has
done all the hard work for you. If the installation is performed from
source code, a few steps have to be taken.
First it's necessary to create an unprivileged user/group. The following
commands can be used (executed as root):
# groupadd -r coroqnetd
# useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd
The next step is to set the correct owner and group on /etc/corosync/qnetd and
/var/run/corosync-qnetd directories.
# chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd
Some systems have the /var/run directory on a tmpfs file system which gets
discarded after a reboot. The solution is to use an initscript or a systemd
unit, because both of them take care of creating /var/run/corosync-qnetd
and set the correct owner and permissions.
The last step is to make sure
corosync-qnetd is really executed as an
unprivileged user. For initscript systems it's enough to set the line
COROSYNC_QNETD_RUNAS in /etc/(sysconfig|default)/corosync-qnetd file. If the
file is not already installed then use the one provided in the corosync source
code (init/corosync-qnetd.sysconfig.example). For systemd, overwrite/copy the
corosync-qnetd.service unit file and uncomment/change the "User="
directive.
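The steps above, as an added example script (not part of corosync or its packaging): it creates the user, fixes ownership, writes the RUNAS line for initscript systems and a systemd drop-in for systemd systems, and checks which uid the daemon actually runs under. It assumes the unit is named corosync-qnetd.service, that RuntimeDirectory= in a drop-in is an acceptable way to recreate /run/corosync-qnetd on each start, and that the sysconfig file also carries a COROSYNC_QNETD_OPTIONS variable (that variable name is an assumption; COROSYNC_QNETD_RUNAS is documented above). The PREFIX variable is only there so the file generation can be dry-run into a scratch directory.

```sh
#!/bin/sh
# Added example (not part of corosync): set up corosync-qnetd to run as an
# unprivileged user. Assumptions: systemd unit corosync-qnetd.service; a
# sysconfig file sourced by the initscript with COROSYNC_QNETD_RUNAS (documented)
# and COROSYNC_QNETD_OPTIONS (assumed name). Usage: sh harden-qnetd.sh install|verify
set -eu

QNETD_USER=${QNETD_USER:-coroqnetd}
QNETD_OPTIONS=${QNETD_OPTIONS:-"-s required -c on"}  # refuse plaintext clients, demand client certs
PREFIX=${PREFIX:-}   # set to a scratch directory to generate files without touching /etc

# Step 1: unprivileged system user and group, idempotent.
create_qnetd_user() {
  getent group "$QNETD_USER" >/dev/null || groupadd -r "$QNETD_USER"
  getent passwd "$QNETD_USER" >/dev/null ||
    useradd -r -g "$QNETD_USER" -d / -s /sbin/nologin -c "User for corosync-qnetd" "$QNETD_USER"
}

# Step 2: ownership of the config and runtime directories (0750: the NSS db
# under /etc/corosync/qnetd holds the server's private key).
fix_ownership() {
  for d in /etc/corosync/qnetd /var/run/corosync-qnetd; do
    install -d -o "$QNETD_USER" -g "$QNETD_USER" -m 0750 "$PREFIX$d"
  done
  chown -R "$QNETD_USER:$QNETD_USER" "$PREFIX/etc/corosync/qnetd"
}

# Step 3a (initscript systems): RUNAS line in /etc/sysconfig/corosync-qnetd.
write_sysconfig() {
  f="$PREFIX/etc/sysconfig/corosync-qnetd"
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<EOF
COROSYNC_QNETD_RUNAS="$QNETD_USER"
COROSYNC_QNETD_OPTIONS="$QNETD_OPTIONS"
EOF
  echo "$f"
}

# Step 3b (systemd): a drop-in instead of editing the packaged unit, so package
# upgrades keep it. RuntimeDirectory= (assumption: acceptable alongside whatever
# the unit already does) makes systemd recreate /run/corosync-qnetd with the
# right owner on every start, which covers the tmpfs /var/run case.
write_systemd_dropin() {
  f="$PREFIX/etc/systemd/system/corosync-qnetd.service.d/10-unprivileged.conf"
  mkdir -p "$(dirname "$f")"
  cat > "$f" <<EOF
[Service]
User=$QNETD_USER
Group=$QNETD_USER
RuntimeDirectory=corosync-qnetd
RuntimeDirectoryMode=0750
EOF
  echo "$f"
}

# Check: is the running daemon actually unprivileged? Compares numeric uids so
# the 9-character user name is not mangled by ps column truncation.
qnetd_runs_unprivileged() {
  pid=$(pgrep -x -o corosync-qnetd) || return 1
  [ "$(ps -o uid= -p "$pid" | tr -d ' ')" = "$(id -u "$QNETD_USER")" ]
}

case "${1:-}" in
  install)
    create_qnetd_user; fix_ownership; write_sysconfig; write_systemd_dropin
    systemctl daemon-reload ;;
  verify)
    if qnetd_runs_unprivileged; then
      echo "corosync-qnetd runs as $QNETD_USER"
    else
      echo "corosync-qnetd is not running as $QNETD_USER" >&2; exit 1
    fi ;;
esac
```

Run `sh harden-qnetd.sh install` as root, restart the service, then `sh harden-qnetd.sh verify`; `PREFIX=/tmp/dryrun sh harden-qnetd.sh install` shows the generated files without touching the system (the user creation and chown steps still need root).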
For TLS to work it is necessary to create the NSS database. If pcs is used
then the following steps are not needed because pcs does them automatically.
corosync-qnetd-certutil is the tool that performs the required actions. Just
run:
# corosync-qnetd-certutil -i
If TLS is not wanted at all, edit /etc/(sysconfig|default)/corosync-qnetd
or the systemd unit file and add the parameter -s off in the proper place.
Note that this also disables client certificate checking, so any host that
can reach the listening port can act as a qdevice client.
Depending on the NSS configuration (stored in the nss.config file, usually
in the /etc/crypto-policies/back-ends/ directory), certificates using
disabled ciphers or too-short keys may be rejected. The proper solution is
to regenerate the NSS databases for both the corosync-qnetd and the
corosync-qdevice daemons. As a quick workaround it is also possible to set
the environment variable NSS_IGNORE_SYSTEM_POLICY=1 before running the
corosync-qnetd daemon; this bypasses the system-wide crypto policy for the
daemon and should not be left in place permanently.
When NSS is updated it may also be necessary to upgrade the database to the
new format. There is no consensus on the recommended way, but the following
command seems to work just fine (if the qnetd sysconfdir is set to /etc):
# certutil -N -d /etc/corosync/qnetd/nssdb -f /etc/corosync/qnetd/nssdb/pwdfile.txt
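A preflight check for the NSS side of the TLS setup, added here as an example script that is not part of corosync: it tells apart a missing database, a legacy dbm one (the case the certutil -N upgrade above addresses) and a current sql one, refuses world-readable database or password files, and compares the server key size with the RSA-MIN value from the crypto-policies nss.config so a policy rejection is caught before the daemon starts. It assumes the default nss_db_dir and cert_nickname from the advanced settings, a pwdfile.txt created by corosync-qnetd-certutil in that directory, the Fedora/RHEL nss.config layout with an RSA-MIN=<bits> token inside config="...", and certutil plus openssl on PATH for the key-size step.

```sh
#!/bin/sh
# Added example (not part of corosync): preflight checks for the corosync-qnetd
# NSS database before starting the daemon with -s on or -s required.
# Assumptions: default nss_db_dir and cert_nickname, pwdfile.txt in that
# directory, nss.config with an RSA-MIN=<bits> token. Usage: sh qnetd-tls-check.sh check
set -eu

NSSDB=${NSSDB:-/etc/corosync/qnetd/nssdb}
NSS_POLICY=${NSS_POLICY:-/etc/crypto-policies/back-ends/nss.config}
CERT_NICK=${CERT_NICK:-QNetd Cert}

# Prints "sql" (cert9.db present), "dbm" (only the legacy cert8.db) or "none".
nssdb_format() {
  if [ -f "$1/cert9.db" ]; then echo sql
  elif [ -f "$1/cert8.db" ]; then echo dbm
  else echo none
  fi
}

# Reads "openssl x509 -noout -text" output on stdin, prints the RSA modulus size
# (matches both the "RSA Public-Key:" and the newer "Public-Key:" spelling).
key_bits_from_x509_text() {
  sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Minimum RSA size the system NSS policy accepts; 0 if unknown or unrestricted.
policy_rsa_min() {
  [ -r "$1" ] || { echo 0; return 0; }
  sed -n 's/.*RSA-MIN=\([0-9]*\).*/\1/p' "$1" | head -n 1 | grep . || echo 0
}

# Files in the database directory that any user can read. The database files
# and pwdfile.txt protect the server's private key and must not be among them.
world_readable_files() {
  find "$1" -type f -perm -004
}

# Overall check; exit status 0 means TLS can be enabled with this database.
qnetd_tls_preflight() {
  fmt=$(nssdb_format "$NSSDB")
  case $fmt in
    none) echo "no NSS database in $NSSDB: run corosync-qnetd-certutil -i" >&2; return 1 ;;
    dbm)  echo "legacy dbm database in $NSSDB: upgrade first with" \
               "certutil -N -d $NSSDB -f $NSSDB/pwdfile.txt" >&2; return 1 ;;
  esac
  leaky=$(world_readable_files "$NSSDB")
  if [ -n "$leaky" ]; then
    echo "world-readable files in $NSSDB (chmod 0600 them):" >&2
    echo "$leaky" >&2
    return 1
  fi
  # certutil -L -a exports the certificate as PEM; reading it needs no db password.
  bits=$(certutil -L -d "$NSSDB" -n "$CERT_NICK" -a | openssl x509 -noout -text | key_bits_from_x509_text)
  if [ -z "$bits" ]; then
    echo "certificate '$CERT_NICK' not found in $NSSDB" >&2; return 1
  fi
  min=$(policy_rsa_min "$NSS_POLICY")
  if [ "$bits" -lt "$min" ]; then
    echo "key is $bits bits but the policy requires RSA-MIN=$min: regenerate the" \
         "databases (NSS_IGNORE_SYSTEM_POLICY=1 only as a temporary workaround)" >&2
    return 1
  fi
  echo "ok: $fmt database, $bits-bit key, policy minimum $min"
}

if [ "${1:-}" = check ]; then
  qnetd_tls_preflight
fi
```

Run it as the qnetd user (or root) after corosync-qnetd-certutil -i and again after any NSS or crypto-policy update; a non-zero exit names the fix. The key-size comparison is deliberately done against the policy file rather than by trusting the daemon to fail loudly, because a rejected certificate surfaces only as clients being unable to complete TLS.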
The following advanced settings are set with the -S option. The default
value of each is shown in parentheses.
- listen_backlog
- Parameter passed to the listen syscall on the network
socket. (10)
- max_client_send_buffers
- Maximum number of send buffers for one client. (32)
- max_client_send_size
- Maximum size of one send buffer (message) to be sent to a
client. (32768)
- max_client_receive_size
- Maximum size of the receive buffer for a client message
(maximum allowed message size received by client). (32768)
- nss_db_dir
- NSS database directory. (/etc/corosync/qnetd/nssdb)
- cert_nickname
- NSS nickname of qnetd server certificate. (QNetd Cert)
- heartbeat_interval_min
- Minimum heartbeat timeout accepted by server in ms.
(1000)
- heartbeat_interval_max
- Maximum heartbeat timeout accepted by server in ms.
(120000)
- dpd_enabled
- Dead peer detection enabled. (on)
- dpd_interval_coefficient
- The value is multiplied by the heartbeat interval sent by the qdevice
client and used as the timeout for dead peer detection. (1.5)
- lock_file
- Lock file location.
(/var/run/corosync-qnetd/corosync-qnetd.pid)
- local_socket_file
- Internal IPC socket file location.
(/var/run/corosync-qnetd/corosync-qnetd.sock)
- local_socket_backlog
- Parameter passed to listen syscall on the local socket.
(10)
- ipc_max_clients
- Maximum allowed simultaneous IPC clients. (10)
- ipc_max_receive_size
- Maximum size of a message received by IPC client.
(4096)
- ipc_max_send_size
- Maximum size of a message sent to an IPC client.
(10485760)
- keep_active_partition_tie_breaker
- When a tie happens, prefer the partition with members of the
previously active (quorate) partition. This is the hard-coded behavior of
the LMS algorithm, so this setting affects only the FFSplit algorithm. (off)
corosync-qnetd-tool(8) corosync-qnetd-certutil(8)
corosync-qdevice(8)
Jan Friesse