Description of problem: fence_compute currently claims to be able to fence control nodes. This is quite dangerous. Version-Release number of selected component (if applicable): fence-agents-all-4.0.11-27.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1. Deploy openstack 2. Deploy instance HA using the instructions at https://access.redhat.com/articles/1544823 3. Run: fence_compute -l admin -p ${pass} -t admin --record-only -k http://${ip}:5000/v2.0/ -o status -n overcloud-controller-0; echo $? Results without patch: 0 Results with patch: 1 Additional info: --- /sbin/fence_compute.orig 2015-11-26 20:09:12.165071987 -0500 +++ /sbin/fence_compute 2015-11-26 21:53:20.724927251 -0500 @@ -7,6 +7,7 @@ import requests.exceptions sys.path.append("/usr/share/fence") +from subprocess import * from fencing import * from fencing import fail_usage, is_executable, run_command, run_delay @@ -222,9 +223,15 @@ set_attrd_status(options["--plug"], "yes", options) sys.exit(0) - elif options["--action"] in ["status", "monitor"]: + elif options["--action"] == "monitor": sys.exit(0) + elif options["--action"] == "status": + role=Popen(['crm_attribute', '-N', options["--plug"], '-n', 'osprole', '-d', 'unknown', '-q'], stdout=PIPE).communicate()[0].strip() + if role == "compute": + sys.exit(0) + sys.exit(1) + # The first argument is the Nova client version nova = nova_client.Client('2', options["--username"],
Not an issue if the fencing device points at the overcloud instead of the undercloud. Control nodes wont even be in the list.