Bug 1552666 - clufter does not filter out some corosync qdevice options (votes,tls) when it generates 'pcs quorum device add...' command
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: clufter
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-03-07 13:52 UTC by Miroslav Lisik
Modified: 2020-05-15 09:11 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-15 09:11:45 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1476862 0 medium CLOSED pcs quorum help: Improve 'device add' syntax guidance 2021-02-22 00:41:40 UTC

Internal Links: 1476862

Description Miroslav Lisik 2018-03-07 13:52:42 UTC
Description of problem:

If there are options in corosync.conf that pcs does not allow to be set, clufter
does not filter them out and adds them to the generated 'pcs quorum device...' command.

Version-Release number of selected component (if applicable):

clufter-cli-0.77.0-2.el7

How reproducible:

always


Steps to Reproduce:

1. Create cluster with configured quorum device.

# pcs cluster auth virt-005 virt-006
# pcs cluster setup --name HAcluster virt-005 virt-006 --enable --start
# pcs quorum device add model net algorithm=ffsplit host=virt-007

NOTE: Arbitrator node 'virt-007' should be configured with command:

# pcs qdevice setup model net --enable --start

2. Add option 'tls: on' to the corosync.conf

[root@virt-005 c]# cat /etc/corosync/corosync.conf
totem {
    version: 2
    cluster_name: HAcluster
    secauth: off
    transport: udpu
}

nodelist {
    node {
        ring0_addr: virt-005
        nodeid: 1
    }

    node {
        ring0_addr: virt-006
        nodeid: 2
    }
}

quorum {
    provider: corosync_votequorum

    device {
        model: net
        votes: 1

        net {
            algorithm: ffsplit
            host: virt-007
            tls: on
        }
    }
}

logging {
    to_logfile: yes
    logfile: /var/log/cluster/corosync.log
    to_syslog: yes
}


3. Generate pcs command using clufter:

[root@virt-005 c]# clufter pcs2pcscmd --silent --noguidance --quiet --text-width=-1
#!/usr/bin/sh
# sequence generated on 2018-03-07 06:41:54 with: clufter 0.77.0
# invoked as: ['/usr/bin/clufter', 'pcs2pcscmd', '--silent', '--noguidance', '--quiet', '--text-width=-1']
# targeting system: ('linux', 'redhat', '7.5', 'Maipo')
# using interpreter: CPython 2.7.5
pcs cluster auth virt-005 virt-006 <> /dev/tty
pcs cluster setup --name HAcluster virt-005 virt-006 --transport udpu
pcs cluster start --all --wait=60
pcs quorum device add votes=1 model net algorithm=ffsplit host=virt-007 tls=on
pcs cluster cib tmp-cib.xml
cp tmp-cib.xml tmp-cib.xml.deltasrc
pcs cluster cib-push tmp-cib.xml diff-against=tmp-cib.xml.deltasrc

4. Remove quorum device from cluster and try generated command

[root@virt-005 c]# pcs quorum device remove
Disabling corosync-qdevice...
virt-006: corosync-qdevice disabled
virt-005: corosync-qdevice disabled
Stopping corosync-qdevice...
virt-005: corosync-qdevice stopped
virt-006: corosync-qdevice stopped
Removing qdevice certificates from nodes...
virt-005: Succeeded
virt-006: Succeeded
Sending updated corosync.conf to nodes...
virt-005: Succeeded
virt-006: Succeeded
Corosync configuration reloaded

[root@virt-005 c]# pcs quorum device add votes=1 model net algorithm=ffsplit host=virt-007 tls=on
Error: invalid quorum device model option 'tls', allowed options are: algorithm, connect_timeout, force_ip_version, host, port, tie_breaker, use --force to override
Error: invalid quorum device option 'votes', allowed options are: sync_timeout, timeout, use --force to override


Actual results:

Clufter does not filter out forbidden options when it generates 'pcs quorum...'
command.

Expected results:

Clufter filters out forbidden options when it generates 'pcs quorum...'
command.  Also, clufter could add the --force option, but it looks like a less
appropriate solution.

Comment 2 Jan Pokorný [poki] 2018-03-07 14:57:32 UTC
Thanks for the report.

Tomáš pointed out that "tls" in particular is enabled by default
([bug 1476862 comment 5]) and the ability to disable it is planned.

Comment 3 Jan Pokorný [poki] 2018-03-09 18:46:36 UTC
Fixed upstream and going to hit the planned v0.77.1:

https://pagure.io/clufter/c/b1abb872edbf373d5d49c275cf4ea0cc7e2194fb?branch=next

Comment 4 Jan Pokorný [poki] 2018-03-09 18:51:49 UTC
To test, add for instance "tls: required" under quorum.device.net.tls
section in corosync.conf, then rerun that "clufter pcs2pcscmd" and
observe:

- no 'tls=required' within any of the resulting pcs commands

- on stderr:

> [needleqdevicexml2pcscmd] xslt: WARNING: non-default
>                           `quorum.device.net.tls` value `required`
>                           specified, but current pcs not capable
>                           to set it

Comment 5 Jan Pokorný [poki] 2018-03-13 18:50:34 UTC
re [comment 3]:

actually, forgot to reference this bug, hence the new valid "next" commit
https://pagure.io/clufter/c/28a954072365dff33d2498bdd2bb115b7aa82350?branch=next

Comment 8 Tomas Jelinek 2020-05-15 09:11:45 UTC
Fixed in clufter-0.77.1-1.el7

# clufter pcs2pcscmd --silent --noguidance --quiet --text-width=-1
#!/usr/bin/sh
# sequence generated on 2020-05-15 11:08:26 with: clufter 0.77.1
# invoked as: ['/usr/bin/clufter', 'pcs2pcscmd', '--silent', '--noguidance', '--quiet', '--text-width=-1']
# targeting system: ('linux', 'redhat', '7.8', 'Maipo')
# using interpreter: CPython 2.7.5
pcs cluster auth virt-005 virt-006 <> /dev/tty
pcs cluster setup --name HAcluster virt-005 virt-006 --transport udpu
pcs cluster start --all --wait=60
pcs quorum device add model net algorithm=ffsplit host=virt-007
...{snipped}

# cat /etc/corosync/corosync.conf
totem {
    version: 2
    cluster_name: HAcluster
    secauth: off
    transport: udpu
}

nodelist {
    node {
        ring0_addr: virt-005
        nodeid: 1
    }

    node {
        ring0_addr: virt-006
        nodeid: 2
    }
}

quorum {
    provider: corosync_votequorum

    device {
        model: net
        votes: 1

        net {
            algorithm: ffsplit
            host: virt-007
            tls: on
        }
    }
}

logging {
    to_logfile: yes
    logfile: /var/log/cluster/corosync.log
    to_syslog: yes
}
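
Added example (not part of the bug report and not clufter's own code): the filtering described in the report and in comment 4, written in Python. The allowed option names come from the pcs error messages above and the tls default from comment 2; `flatten`, `qdevice_add_command` and the constants are hypothetical names, no default is assumed for `votes`, and values are shell-quoted because they end up in a generated script.

```python
import shlex

PCS_GENERIC = {"sync_timeout", "timeout"}  # both sets: from the pcs errors in the report
PCS_MODEL = {"algorithm", "connect_timeout", "force_ip_version", "host", "port", "tie_breaker"}
KNOWN_DEFAULTS = {"quorum.device.net.tls": "on"}  # comment 2: tls is on by default
SAMPLE = """
quorum {
    device {
        model: net
        votes: 1
        net {
            algorithm: ffsplit
            host: virt-007
            tls: required
        }
    }
}
"""  # constructed sample: the report's quorum section with tls changed to "required"

def flatten(text):
    """Flatten corosync.conf text into {'quorum.device.net.tls': 'on', ...}."""
    flat, path = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            flat[".".join(path + [key.strip()])] = value.strip()
    return flat

def qdevice_add_command(conf_text):
    """Return (pcs command or None, warnings about options left out)."""
    flat = flatten(conf_text)
    model = flat.pop("quorum.device.model", None)
    if model is None:
        return None, []
    allowed = {"quorum.device": PCS_GENERIC, "quorum.device." + model: PCS_MODEL}
    args, warnings = {section: [] for section in allowed}, []
    for path, value in flat.items():
        section, _, key = path.rpartition(".")
        if key in allowed.get(section, ()):
            args[section].append(shlex.quote(f"{key}={value}"))
        elif section in allowed and KNOWN_DEFAULTS.get(path) != value:
            warnings.append(f"{path}={value} left out: pcs cannot set it")
    generic, specific = args.values()
    cmd = ["pcs quorum device add", *generic, "model", shlex.quote(model), *specific]
    return " ".join(cmd), warnings
```

Calling `qdevice_add_command(SAMPLE)` returns the command without `votes` or `tls`, plus one warning for each option that was left out with a value not known to be the default.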

