Bug 1505540
Summary: | fence_vmware_soap requires --force when configuring STONITH | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ryan <rblough> |
Component: | fence-agents | Assignee: | Oyvind Albrigtsen <oalbrigt> |
Status: | CLOSED DUPLICATE | QA Contact: | cluster-qe <cluster-qe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.4 | CC: | cluster-maint, tojeline |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-10-24 15:04:22 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ryan
2017-10-23 20:13:11 UTC
Matching the packages shown in the customer's sosreport, here is the output from pcs for the fence_vmware_soap agent:

```
[root@rhel73_generic ~]# pcs stonith describe fence_vmware_soap
fence_vmware_soap - Fence agent for VMWare over SOAP API

fence_vmware_soap is an I/O Fencing agent which can be used with the virtual machines managed by VMWare products that have SOAP API v4.1+.
.P
Name of virtual machine (-n / port) has to be used in inventory path format (e.g. /datacenter/vm/Discovered virtual machine/myMachine). In the cases when name of yours VM is unique you can use it instead. Alternatively you can always use UUID to access virtual machine.

Resource options:
  ipport: TCP/UDP port to use for connection with device
  notls: Disable TLS negotiation, force SSL 3.0
  ssl_secure: SSL connection with verifying fence device's certificate
  port (required): Physical plug number, name of virtual machine or UUID
  inet6_only: Forces agent to use IPv6 addresses only
  ipaddr (required): IP Address or Hostname
  inet4_only: Forces agent to use IPv4 addresses only
  passwd_script: Script to retrieve password
  passwd: Login password or passphrase
  ssl: SSL connection
  ssl_insecure: SSL connection without verifying fence device's certificate
  action: Fencing Action WARNING: specifying 'action' is deprecated and not necessary with current Pacemaker versions
  login (required): Login Name
  plug (required): Physical plug number, name of virtual machine or UUID
  username (required): Login Name
  ip (required): IP Address or Hostname
  password: Login password or passphrase
  password_script: Script to retrieve password
  debug_file: Write debug information to given file
  separator: Separator for CSV created by operation list
  power_wait: Wait X seconds after issuing ON/OFF
  login_timeout: Wait X seconds for cmd prompt after login
  power_timeout: Test X seconds for status change after ON/OFF
  delay: Wait X seconds before fencing is started
  shell_timeout: Wait X seconds for cmd prompt after issuing command
  retry_on: Count of attempts to retry power on
  priority: The priority of the stonith resource. Devices are tried in order of highest priority to lowest.
  pcmk_host_map: A mapping of host names to ports numbers for devices that do not support host names. Eg. node1:1;node2:2,3 would tell the cluster to use port 1 for node1 and ports 2 and 3 for node2
  pcmk_host_list: A list of machines controlled by this device (Optional unless pcmk_host_check=static-list).
  pcmk_host_check: How to determine which machines are controlled by the device. Allowed values: dynamic-list (query the device), static-list (check the pcmk_host_list attribute), none (assume every device can fence every machine)
  pcmk_delay_max: Enable random delay for stonith actions and specify the maximum of random delay This prevents double fencing when using slow devices such as sbd. Use this to enable random delay for stonith actions and specify the maximum of random delay.
  pcmk_action_limit: The maximum number of actions can be performed in parallel on this device Pengine property concurrent-fencing=true needs to be configured first. Then use this to specify the maximum number of actions can be performed in parallel on this device. -1 is unlimited.
```

Comparing to the parameters listed as required in the fence_vmware_soap metadata:

```
[root@rhel73_generic ~]# fence_vmware_soap -o metadata | grep 'required="1"'
<parameter name="port" unique="0" required="1" deprecated="1">
<parameter name="ipaddr" unique="0" required="1" deprecated="1">
<parameter name="action" unique="0" required="1">
<parameter name="login" unique="0" required="1" deprecated="1">
<parameter name="plug" unique="0" required="1" obsoletes="port">
<parameter name="username" unique="0" required="1" obsoletes="login">
<parameter name="ip" unique="0" required="1" obsoletes="ipaddr">
```

So port, ipaddr, and login have been deprecated by plug, ip, and username respectively, but the parameter validation appears to be requiring all six entries.

Naively I would expect an either/or logic, like so:

port/plug
ipaddr/ip
login/username

Or I would expect a rejection of the deprecated parameters with a message that they have been replaced by the new ones. However, when troubleshooting with the customer we saw that if we switched to the new parameter it would still throw an error requiring the old one.

I am trying to replicate the problem on my test machine.

I think this has been fixed in pcs-0.9.157-1.el7, see bz1434972 for details.

```
[root@rh74-node1:~]# rpm -q pcs
pcs-0.9.158-6.el7.x86_64
[root@rh74-node1:~]# pcs stonith create vmfence fence_vmware_soap pcmk_host_map="node1:EAWVORSOAAP003S-d93885c3-c679-4326-a887-2e9d085a761c;node2:EAWVORSOAAP004S-354828c2-ca43-4148-b206-55f00a63db6c" ipaddr=172.22.124.104 ssl_insecure=1 login=login passwd_script="/etc/corosync/fence/decrypt-fence-key" action=reboot delay=10
[root@rh74-node1:~]# echo $?
0
[root@rh74-node1:~]# pcs stonith show vmfence
 Resource: vmfence (class=stonith type=fence_vmware_soap)
  Attributes: action=reboot delay=10 ipaddr=172.22.124.104 login=login passwd_script=/etc/corosync/fence/decrypt-fence-key pcmk_host_map=node1:EAWVORSOAAP003S-d93885c3-c679-4326-a887-2e9d085a761c;node2:EAWVORSOAAP004S-354828c2-ca43-4148-b206-55f00a63db6c ssl_insecure=1
  Operations: monitor interval=60s (vmfence-monitor-interval-60s)
[root@rh74-node1:~]# pcs stonith describe fence_vmware_soap
fence_vmware_soap - Fence agent for VMWare over SOAP API

fence_vmware_soap is an I/O Fencing agent which can be used with the virtual machines managed by VMWare products that have SOAP API v4.1+.
.P
Name of virtual machine (-n / port) has to be used in inventory path format (e.g. /datacenter/vm/Discovered virtual machine/myMachine). In the cases when name of yours VM is unique you can use it instead. Alternatively you can always use UUID to access virtual machine.

Stonith options:
  ipport: TCP/UDP port to use for connection with device
  notls: Disable TLS negotiation, force SSL 3.0
  ssl_secure: SSL connection with verifying fence device's certificate
  port: Physical plug number, name of virtual machine or UUID
  inet6_only: Forces agent to use IPv6 addresses only
  ipaddr (required): IP Address or Hostname
  inet4_only: Forces agent to use IPv4 addresses only
  passwd_script: Script to retrieve password
  passwd: Login password or passphrase
  ssl: SSL connection
  ssl_insecure: SSL connection without verifying fence device's certificate
  action: Fencing Action WARNING: specifying 'action' is deprecated and not necessary with current Pacemaker versions.
  login (required): Login Name
  separator: Separator for CSV created by operation list
  power_wait: Wait X seconds after issuing ON/OFF
  login_timeout: Wait X seconds for cmd prompt after login
  power_timeout: Test X seconds for status change after ON/OFF
  delay: Wait X seconds before fencing is started
  shell_timeout: Wait X seconds for cmd prompt after issuing command
  retry_on: Count of attempts to retry power on
  priority: The priority of the stonith resource. Devices are tried in order of highest priority to lowest.
  pcmk_host_map: A mapping of host names to ports numbers for devices that do not support host names. Eg. node1:1;node2:2,3 would tell the cluster to use port 1 for node1 and ports 2 and 3 for node2
  pcmk_host_list: A list of machines controlled by this device (Optional unless pcmk_host_check=static-list).
  pcmk_host_check: How to determine which machines are controlled by the device. Allowed values: dynamic-list (query the device), static-list (check the pcmk_host_list attribute), none (assume every device can fence every machine)
  pcmk_delay_max: Enable a random delay for stonith actions and specify the maximum of random delay. This prevents double fencing when using slow devices such as sbd. Use this to enable a random delay for stonith actions. The overall delay is derived from this random delay value adding a static delay so that the sum is kept below the maximum delay.
  pcmk_delay_base: Enable a base delay for stonith actions and specify base delay value. This prevents double fencing when different delays are configured on the nodes. Use this to enable a static delay for stonith actions. The overall delay is derived from a random delay value adding this static delay so that the sum is kept below the maximum delay.
  pcmk_action_limit: The maximum number of actions can be performed in parallel on this device Pengine property concurrent-fencing=true needs to be configured first. Then use this to specify the maximum number of actions can be performed in parallel on this device. -1 is unlimited.

Default operations:
  monitor: interval=60s

[root@rh74-node1:~]# fence_vmware_soap -o metadata | grep 'required="1"'
<parameter name="port" unique="0" required="1" deprecated="1">
<parameter name="ipaddr" unique="0" required="1" deprecated="1">
<parameter name="action" unique="0" required="1">
<parameter name="login" unique="0" required="1" deprecated="1">
<parameter name="plug" unique="0" required="1" obsoletes="port">
<parameter name="username" unique="0" required="1" obsoletes="login">
<parameter name="ip" unique="0" required="1" obsoletes="ipaddr">
```

Testing:

```
[root@cs-rh7-7 ~]# rpm -q pcs fence-agents-common fence-agents-vmware-soap
pcs-0.9.152-10.el7_3.3.x86_64
fence-agents-common-4.0.11-66.el7_4.3.x86_64
fence-agents-vmware-soap-4.0.11-66.el7_4.3.x86_64
[root@cs-rh7-7 ~]# pcs stonith create test fence_vmware_soap
Error: missing required option(s): 'ipaddr, login, plug, username, ip' for resource type: stonith:fence_vmware_soap (use --force to override)
[root@cs-rh7-7 ~]# pcs stonith create test fence_vmware_soap ipaddr=test login=test plug=test
Error: missing required option(s): 'username, ip' for resource type: stonith:fence_vmware_soap (use --force to override)
[root@cs-rh7-7 ~]# pcs stonith create test fence_vmware_soap ip=test username=test plug=test
Error: missing required option(s): 'ipaddr, login' for resource type: stonith:fence_vmware_soap (use --force to override)
```

Then applying the fix from the other bug:

```
[root@cs-rh7-7 ~]# rpm -q pcs
pcs-0.9.158-6.el7.x86_64
[root@cs-rh7-7 ~]# pcs stonith create test fence_vmware_soap ip=test username=test plug=test
Error: invalid resource options: 'ip', 'plug', 'username', allowed options are: action, delay, inet4_only, inet6_only, ipaddr, ipport, login, login_timeout, notls, passwd, passwd_script, pcmk_action_limit, pcmk_delay_max, pcmk_host_argument, pcmk_host_check, pcmk_host_list, pcmk_host_map, pcmk_list_action, pcmk_list_retries, pcmk_list_timeout, pcmk_monitor_action, pcmk_monitor_retries, pcmk_monitor_timeout, pcmk_off_action, pcmk_off_retries, pcmk_off_timeout, pcmk_reboot_action, pcmk_reboot_retries, pcmk_reboot_timeout, pcmk_status_action, pcmk_status_retries, pcmk_status_timeout, port, power_timeout, power_wait, priority, retry_on, separator, shell_timeout, ssl, ssl_insecure, ssl_secure, use --force to override
Error: required resource options 'ipaddr', 'login' are missing, use --force to override
[root@cs-rh7-7 ~]# pcs stonith create test fence_vmware_soap ipaddr=test login=test
[root@cs-rh7-7 ~]# echo $?
0
[root@cs-rh7-7 ~]# pcs stonith show test
 Resource: test (class=stonith type=fence_vmware_soap)
  Attributes: ipaddr=test login=test
  Operations: monitor interval=60s (test-monitor-interval-60s)
```

Fix confirmed! I will mark this as a duplicate.

*** This bug has been marked as a duplicate of bug 1434972 ***
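The either/or requirement logic described in the report (port/plug, ipaddr/ip, login/username), as an added example that is not part of the original report and is not the pcs implementation. The names `load_required`, `check` and the `implicit` parameter are hypothetical; treating `action` as supplied by the cluster is an assumption based on the deprecation warning in the `pcs stonith describe` output.

```python
import xml.etree.ElementTree as ET

# Constructed input: the seven required="1" lines from the grep output above,
# self-closed and wrapped in a root element so they parse as XML.
METADATA = """<parameters>
<parameter name="port" unique="0" required="1" deprecated="1"/>
<parameter name="ipaddr" unique="0" required="1" deprecated="1"/>
<parameter name="action" unique="0" required="1"/>
<parameter name="login" unique="0" required="1" deprecated="1"/>
<parameter name="plug" unique="0" required="1" obsoletes="port"/>
<parameter name="username" unique="0" required="1" obsoletes="login"/>
<parameter name="ip" unique="0" required="1" obsoletes="ipaddr"/>
</parameters>"""


def load_required(metadata_xml, implicit=("action",)):
    """Return (groups, replaced_by) for the required="1" parameters.

    groups: list of sets; any one name in a set satisfies that requirement.
    replaced_by: deprecated name -> the name that obsoletes it.
    implicit: names assumed to be supplied by the cluster itself (assumption).
    """
    groups, replaced_by = {}, {}
    for p in ET.fromstring(metadata_xml).iter("parameter"):
        name, old = p.get("name"), p.get("obsoletes")
        if p.get("required") != "1" or name in implicit:
            continue
        if old:
            replaced_by[old] = name
            # Fold the deprecated name's group, if already seen, into this one.
            groups[name] = groups.pop(old, {old}) | {name}
        elif not any(name in g for g in groups.values()):
            groups[name] = {name}
    return list(groups.values()), replaced_by


def check(supplied, groups, replaced_by):
    """Return (missing groups, deprecated name -> replacement) for option names."""
    given = set(supplied)
    missing = [sorted(g) for g in groups if not g & given]
    deprecated = {n: replaced_by[n] for n in sorted(given) if n in replaced_by}
    return missing, deprecated


GROUPS, REPLACED_BY = load_required(METADATA)

if __name__ == "__main__":
    # Option sets taken from the three "pcs stonith create test" attempts above.
    for opts in ([], ["ipaddr", "login", "plug"], ["ip", "username", "plug"]):
        print(opts, "->", check(opts, GROUPS, REPLACED_BY))
```

With this grouping, both the old-name and new-name invocations from the testing section pass, and the old names are reported with their replacements instead of being demanded alongside them.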