Bug 1720221 - [RFE] Add support for corosync option totem.block_unlisted_ips
Summary: [RFE] Add support for corosync option totem.block_unlisted_ips
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcs
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.5
Assignee: kmalyjur
QA Contact: cluster-qe@redhat.com
Docs Contact: Steven J. Levine
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-06-13 12:28 UTC by Tomas Jelinek
Modified: 2021-11-09 19:04 UTC (History)

Fixed In Version: pcs-0.10.8-2.el8
Doc Type: Enhancement
Doc Text:
Feature: Add support for corosync option totem.block_unlisted_ips. Reason: User cannot set the totem.block_unlisted_ips option via pcs. Result: It is possible to set totem.block_unlisted_ips via pcs in commands `pcs cluster config update` and `pcs cluster setup`.
Clone Of:
Environment:
Last Closed: 2021-11-09 17:33:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments:
proposed fix (14.58 KB, patch), 2021-05-07 09:42 UTC, kmalyjur


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1667061 0 high CLOSED [RFE] provide commands for changing corosync configuration of an existing cluster 2023-02-18 04:31:53 UTC
Red Hat Product Errata RHSA-2021:4142 0 None None None 2021-11-09 17:33:37 UTC

Internal Links: 1667061

Description Tomas Jelinek 2019-06-13 12:28:46 UTC
New option, totem.block_unlisted_ips, has been added in corosync-3.0.2.

From man corosync.conf:
block_unlisted_ips
Allow UDPU and KNET to drop packets from IP addresses that are not known (nodes which don't exist in the nodelist) to corosync.  Value is yes or no.
This feature is mainly to protect against the joining of nodes with outdated configurations after a cluster split.  Another use case is to allow the atomic merge of two independent clusters.
Changing the default value is not recommended, the overhead is tiny and an existing cluster may fail if corosync is started on an unlisted node with an old configuration.
The default value is yes.

Comment 11 RHEL Program Management 2021-02-01 07:41:26 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 15 kmalyjur 2021-05-07 09:42:19 UTC
Created attachment 1780644 [details]
proposed fix

test:

(pcs) a83-1 ~  $ pcs cluster config | grep block_unlisted_ips
  block_unlisted_ips: yes

(pcs) a83-1 ~  $ pcs cluster config update totem block_unlisted_ips=no                                 
Sending updated corosync.conf to nodes...
a83-1: Succeeded
...

(pcs) a83-1 ~  $ pcs cluster config | grep block_unlisted_ips                                          
  block_unlisted_ips: no

The block_unlisted_ips option can be used with the commands `pcs cluster setup` and `pcs cluster config update`.

Comment 18 Miroslav Lisik 2021-06-14 13:39:58 UTC
Test:

[root@r8-node-01 ~]# rpm -q pcs
pcs-0.10.8-2.el8.x86_64

[root@r8-node-01 ~]# pcs cluster config | grep block_unlisted_ips
[root@r8-node-01 ~]# pcs cluster config update totem block_unlisted_ips=1
Error: '1' is not a valid block_unlisted_ips value, use 'no', 'yes'
Error: Errors have occurred, therefore pcs is unable to continue
[root@r8-node-01 ~]# pcs cluster config update totem block_unlisted_ips=yes
Sending updated corosync.conf to nodes...
r8-node-03: Succeeded
r8-node-01: Succeeded
r8-node-02: Succeeded
r8-node-01: Corosync configuration reloaded
[root@r8-node-01 ~]# pcs cluster config | grep block_unlisted_ips
  block_unlisted_ips: yes

Comment 22 Michal Mazourek 2021-06-21 11:34:59 UTC
BEFORE:
=======

[root@virt-525 ~]# rpm -q pcs corosync
pcs-0.10.8-1.el8.x86_64
corosync-3.1.0-5.el8.x86_64


[root@virt-525 ~]# pcs cluster config update totem block_unlisted_ips=yes
Error: invalid totem option 'block_unlisted_ips', allowed options are: 'consensus', 'downcheck', 'fail_recv_const', 'heartbeat_failures_allowed', 'hold', 'join', 'max_messages', 'max_network_delay', 'merge', 'miss_count_const', 'send_join', 'seqno_unchanged_const', 'token', 'token_coefficient', 'token_retransmit', 'token_retransmits_before_loss_const', 'window_size'
Error: Errors have occurred, therefore pcs is unable to continue

> not supported yet


AFTER:
======

[root@virt-249 ~]# rpm -q pcs corosync
pcs-0.10.8-2.el8.x86_64
corosync-3.1.0-5.el8.x86_64


[root@virt-249 ~]# pcs cluster config update --help

Usage: pcs cluster config update...
    config update [transport <transport options>]
            [compression <compression options>] [crypto <crypto options>]
            [totem <totem options>] [--corosync_conf <path>]
        Update cluster configuration. If --corosync_conf is specified, update
        cluster configuration in file specified by <path>. All options are
        documented in corosync.conf(5) man page. There are different transport
        options for transport types. Compression and crypto options are only
        available for knet transport. Totem options can be set regardless of
        the transport type.

        Transport options for knet transport are:
            ip_version, knet_pmtud_interval, link_mode
        Transport options for udp and updu transports are:
            ip_version, netmtu
        Compression options are:
            level, model, threshold
        Crypto options are:
            cipher, hash, model
        Totem options are:
            block_unlisted_ips, consensus, downcheck, fail_recv_const,
            heartbeat_failures_allowed, hold, join, max_messages,
            max_network_delay, merge, miss_count_const, send_join,
            seqno_unchanged_const, token, token_coefficient, token_retransmit,
            token_retransmits_before_loss_const, window_size

> OK: 'block_unlisted_ips option' is present in help output for pcs cluster config, as well as in man pcs


## Checking the value before updating it

[root@virt-249 ~]# pcs cluster config | grep block_unlisted_ips
[root@virt-249 ~]# echo $?
1
[root@virt-249 ~]# cat /etc/corosync/corosync.conf | grep block_unlisted_ips
[root@virt-249 ~]# echo $?
1

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 1

> OK: The option is not present in corosync.conf, but is in runtime configuration with default value 1


## Updating and checking the value

[root@virt-249 ~]# man corosync.conf | grep block_unlisted_ips -A 2
       block_unlisted_ips
              Allow UDPU and KNET to drop packets from IP addresses that are not known (nodes which don't  exist  in  the  nodelist)  to
              corosync.  Value is yes or no.

> Valid values are yes/no, according to corosync.conf man page

[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=yes
Sending updated corosync.conf to nodes...
virt-249: Succeeded
virt-250: Succeeded
virt-249: Corosync configuration reloaded
[root@virt-249 ~]# echo $?
0

[root@virt-249 ~]# pcs cluster config | grep block_unlisted_ips -B 1
Totem Options:
  block_unlisted_ips: yes

[root@virt-249 ~]# cat /etc/corosync/corosync.conf | grep block_unlisted_ips -B 6
totem {
    version: 2
    cluster_name: STSRHTS13666
    transport: knet
    crypto_cipher: aes256
    crypto_hash: sha256
    block_unlisted_ips: yes

> OK: the option is present in the config

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 1
totem.block_unlisted_ips (str) = yes

> OK: 'yes' value is translated to 1 for 'runtime.config.totem.block_unlisted_ips'


## Switching and checking the value

[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=no
Sending updated corosync.conf to nodes...
virt-249: Succeeded
virt-250: Succeeded
virt-249: Corosync configuration reloaded
[root@virt-249 ~]# echo $?
0

[root@virt-249 ~]# pcs cluster config | grep block_unlisted_ips -B 1
Totem Options:
  block_unlisted_ips: no

[root@virt-249 ~]# cat /etc/corosync/corosync.conf | grep block_unlisted_ips -B 6
totem {
    version: 2
    cluster_name: STSRHTS13666
    transport: knet
    crypto_cipher: aes256
    crypto_hash: sha256
    block_unlisted_ips: no

> OK: the option switched the value correctly in the config

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 0
totem.block_unlisted_ips (str) = no

> OK: 'no' value in the option switched the 'runtime.config.totem.block_unlisted_ips' to 0


## Changing the option in stopped cluster

[root@virt-249 ~]# pcs cluster stop --all
virt-249: Stopping Cluster (pacemaker)...
virt-250: Stopping Cluster (pacemaker)...
virt-249: Stopping Cluster (corosync)...
virt-250: Stopping Cluster (corosync)...

[root@virt-249 ~]#  pcs cluster config | grep block_unlisted_ips -B 1
Totem Options:
  block_unlisted_ips: no

[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=yes
Sending updated corosync.conf to nodes...
virt-249: Succeeded
virt-250: Succeeded
Warning: virt-249: Corosync is not running, therefore reload of the corosync configuration is not possible
Warning: virt-250: Corosync is not running, therefore reload of the corosync configuration is not possible

[root@virt-249 ~]# pcs cluster config | grep block_unlisted_ips -B 1
Totem Options:
  block_unlisted_ips: yes

[root@virt-249 ~]# cat /etc/corosync/corosync.conf | grep block_unlisted_ips -B 6
totem {
    version: 2
    cluster_name: STSRHTS13666
    transport: knet
    crypto_cipher: aes256
    crypto_hash: sha256
    block_unlisted_ips: yes

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
Failed to initialize the cmap API. Error CS_ERR_LIBRARY

[root@virt-249 ~]# pcs cluster start --all
virt-250: Starting Cluster...
virt-249: Starting Cluster...

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 1
totem.block_unlisted_ips (str) = yes

> OK


## Checking the option from other node

[root@virt-250 ~]# pcs cluster config | grep block_unlisted_ips -B 1
Totem Options:
  block_unlisted_ips: yes
[root@virt-250 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 1
totem.block_unlisted_ips (str) = yes

> OK


## Checking that the possibility of changing other totem options is preserved

[root@virt-249 ~]# pcs cluster config update totem consensus=3000 downcheck=1200 fail_recv_const=3000 heartbeat_failures_allowed=1 hold=200 join=80 max_messages=15 max_network_delay=70 merge=150 miss_count_const=0 send_join=1 seqno_unchanged_const=20 token=3000 token_coefficient=800 token_retransmit=250 token_retransmits_before_loss_const=5 window_size=25
Sending updated corosync.conf to nodes...
virt-249: Succeeded
virt-250: Succeeded
virt-249: Corosync configuration reloaded

[root@virt-249 ~]# pcs cluster config
Cluster Name: STSRHTS13666
Transport: knet
Nodes:
  virt-249:
    Link 0 address: virt-249
    nodeid: 1
  virt-250:
    Link 0 address: virt-250
    nodeid: 2
Crypto Options:
  cipher: aes256
  hash: sha256
Totem Options:
  block_unlisted_ips: yes
  consensus: 3000
  downcheck: 1200
  fail_recv_const: 3000
  heartbeat_failures_allowed: 1
  hold: 200
  join: 80
  max_messages: 15
  max_network_delay: 70
  merge: 150
  miss_count_const: 0
  send_join: 1
  seqno_unchanged_const: 20
  token: 3000
  token_coefficient: 800
  token_retransmit: 250
  token_retransmits_before_loss_const: 5
  window_size: 25

> OK


## Changing the 'block_unlisted_ips' option to default

[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=
Sending updated corosync.conf to nodes...
virt-249: Succeeded
virt-250: Succeeded
virt-249: Corosync configuration reloaded

[root@virt-249 ~]# pcs cluster config | grep block_unlisted_ips -B 1
[root@virt-249 ~]# echo $?
1

[root@virt-249 ~]# cat /etc/corosync/corosync.conf | grep block_unlisted_ips
[root@virt-249 ~]# echo $?
1

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 1

> OK


## Setting the 'block_unlisted_ips' option in cluster setup

[root@virt-249 ~]# pcs cluster destroy --all
virt-250: Stopping Cluster (pacemaker)...
virt-249: Stopping Cluster (pacemaker)...
virt-249: Successfully destroyed cluster
virt-250: Successfully destroyed cluster

[root@virt-249 ~]# pcs cluster setup hacluster virt-2{49,50} totem block_unlisted_ips=no --start --wait
{..setup output..}
virt-249: Cluster started
virt-250: Cluster started

[root@virt-249 ~]# pcs cluster config | grep block_unlisted_ips -B 1
Totem Options:
  block_unlisted_ips: no

[root@virt-249 ~]# cat /etc/corosync/corosync.conf | grep block_unlisted_ips
    block_unlisted_ips: no

[root@virt-249 ~]# corosync-cmapctl | grep block_unlisted_ips
runtime.config.totem.block_unlisted_ips (u32) = 0
totem.block_unlisted_ips (str) = no

> OK


## Invalid inputs

# wrong values
[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=1
Error: '1' is not a valid block_unlisted_ips value, use 'no', 'yes'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1

> OK

[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=false
Error: 'false' is not a valid block_unlisted_ips value, use 'no', 'yes'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1

> OK

# Non-ASCII character
[root@virt-249 ~]# pcs cluster config update totem block_unlisted_ips=ř
Error: 'ř' is not a valid block_unlisted_ips value, use 'no', 'yes'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1

> OK

# omitting key word
[root@virt-249 ~]# pcs cluster config update block_unlisted_ips=no

Usage: pcs cluster config update...
{..usage output..}
[root@virt-249 ~]# echo $?
1

> OK

# wrong key words
[root@virt-249 ~]# pcs cluster config update transport block_unlisted_ips=no
Error: invalid knet transport option 'block_unlisted_ips', allowed options are: 'ip_version', 'knet_pmtud_interval', 'link_mode'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1
[root@virt-249 ~]# pcs cluster config update crypto block_unlisted_ips=no
Error: invalid crypto option 'block_unlisted_ips', allowed options are: 'cipher', 'hash', 'model'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1
[root@virt-249 ~]# pcs cluster config update compression block_unlisted_ips=no
Error: invalid compression option 'block_unlisted_ips', allowed options are: 'level', 'model', 'threshold'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1

> OK

# wrong value in setup
[root@virt-249 ~]# pcs cluster setup hacluster virt-2{49,50} totem block_unlisted_ips=1 --start --wait
No addresses specified for host 'virt-249', using 'virt-249'
No addresses specified for host 'virt-250', using 'virt-250'
Error: '1' is not a valid block_unlisted_ips value, use 'no', 'yes'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1

> OK

# wrong key word in setup

[root@virt-249 ~]# pcs cluster setup hacluster virt-2{49,50} transport knet crypto block_unlisted_ips=no --start --wait
No addresses specified for host 'virt-249', using 'virt-249'
No addresses specified for host 'virt-250', using 'virt-250'
Error: invalid crypto option 'block_unlisted_ips', allowed options are: 'cipher', 'hash', 'model'
Error: Errors have occurred, therefore pcs is unable to continue
[root@virt-249 ~]# echo $?
1

> OK


## Functional check of the option itself - tested in bz1153818 comment 21



Marking as VERIFIED for pcs-0.10.8-2.el8
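
An added example, not part of the bug report or of pcs: a shell audit that combines the two views the verification above relies on, the `block_unlisted_ips` key in corosync.conf and `runtime.config.totem.block_unlisted_ips` in `corosync-cmapctl` output, treating an absent key as the documented default of yes. The function names, status labels and sample inputs are constructed for illustration; MISMATCH (file and running daemon disagree) is this example's own label.

```shell
#!/bin/sh
# Read corosync.conf on stdin; print the totem-level value, or "unset" when
# the key is absent (corosync then applies its documented default, yes).
conf_value() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /\{[ \t]*$/ {                                # a section opens
            if (depth == 0) { name = $1; sub(/\{.*/, "", name) }
            depth++; next
        }
        /^[ \t]*\}/ { depth--; next }                # a section closes
        depth == 1 && name == "totem" {
            key = $0; sub(/:.*/, "", key); gsub(/[ \t]/, "", key)
            if (key == "block_unlisted_ips") {
                val = $0; sub(/^[^:]*:/, "", val); gsub(/[ \t]/, "", val)
            }
        }
        END { print (val == "" ? "unset" : val) }'
}

# Read corosync-cmapctl output on stdin; print the runtime u32, or "unknown".
runtime_value() {
    awk '$1 == "runtime.config.totem.block_unlisted_ips" { v = $NF }
         END { print (v == "" ? "unknown" : v) }'
}

# audit CONF_TEXT CMAP_TEXT: print one status line (labels are this example's).
audit() {
    conf=$(printf '%s\n' "$1" | conf_value)
    run=$(printf '%s\n' "$2" | runtime_value)
    case "$conf" in
        yes|unset) want=1 ;;
        no)        want=0 ;;
        *)         echo "INVALID conf=$conf"; return 0 ;;
    esac
    if   [ "$run" = unknown ];  then echo "NO_RUNTIME conf=$conf"
    elif [ "$run" != "$want" ]; then echo "MISMATCH conf=$conf runtime=$run"
    elif [ "$run" = 0 ];        then echo "DISABLED conf=$conf runtime=$run"
    else                             echo "ENABLED conf=$conf runtime=$run"
    fi
}

# Constructed sample inputs, modelled on the output quoted in the comments.
CONF_NO='totem {
    version: 2
    transport: knet
    block_unlisted_ips: no
}'
CONF_YES=$(printf '%s\n' "$CONF_NO" | sed 's/ips: no/ips: yes/')
CONF_UNSET=$(printf '%s\n' "$CONF_NO" | grep -v block_unlisted_ips)
CMAP_0='runtime.config.totem.block_unlisted_ips (u32) = 0'
CMAP_1='runtime.config.totem.block_unlisted_ips (u32) = 1'
CMAP_DOWN='Failed to initialize the cmap API. Error CS_ERR_LIBRARY'
audit "$CONF_NO" "$CMAP_0"        # DISABLED conf=no runtime=0
audit "$CONF_UNSET" "$CMAP_1"     # ENABLED conf=unset runtime=1
```

On a cluster node the same check would be `audit "$(cat /etc/corosync/corosync.conf)" "$(corosync-cmapctl 2>&1)"`.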

Comment 26 errata-xmlrpc 2021-11-09 17:33:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: pcs security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4142

