What is Fencing? Configuring fencing for a RHEL/CentOS 8 KVM cluster

Date: 2020-02-23 14:40:42  Source: igfitidea

In this article I give an overview of what fencing is, then walk step by step through configuring cluster fencing (Pacemaker fencing) with fence_xvm on a KVM HA cluster running RHEL and CentOS 8.

This assumes you are familiar with the basics of high-availability cluster architecture.

What is Fencing?

  • As the number of nodes in a cluster grows, its availability increases, but so does the probability that one of those nodes fails at some point.

  • If communication with a single node in the cluster is lost, the other cluster nodes must be able to restrict or release access to the resources the failed node may still hold.

  • This cannot be done by contacting the failed node itself, because that node may no longer be responding.

  • Instead an external method is required: fencing, carried out by a fence agent.

  • By definition, cluster fencing is the process of cutting a node off from the resources it must not access and from the services it must not start, and of isolating it from the other nodes.

  • Without a fence device there is no way to know that the resources held by a disconnected node have been released, which can prevent the services from being started on any other cluster node.

  • Without a fence device, data integrity cannot be guaranteed, and such a cluster configuration is unsupported.

  • While fencing is in progress, no other cluster operations are allowed to run.

  • Fencing is performed through a mechanism called STONITH.

  • STONITH stands for "Shoot The Other Node In The Head"; it protects data from corruption by a rogue node or by concurrent access.

Setting up the KVM HA cluster

In a previous article I configured a KVM high-availability cluster with the Pacemaker GUI, and I will use that same Pacemaker cluster to configure fencing with fence_xvm.

Installing the STONITH device on the KVM host

Now that we understand fencing, we configure cluster fencing for the KVM virtual machines. First install the fence-related packages on the KVM host:

[root@rhel-8 ~]# yum install fence-virt fence-virtd fence-virtd-libvirt fence-virtd-multicast fence-virtd-serial

Installing fence_xvm on the KVM virtual machines

Install the fence-virt package on every cluster node:

[root@centos8-2 ~]# dnf -y install fence-virt
[root@centos8-3 ~]# dnf -y install fence-virt
[root@centos8-4 ~]# dnf -y install fence-virt

To list the available fence agents, run the following on any cluster node:

# pcs stonith list
fence_amt_ws - Fence agent for AMT (WS)
fence_apc - Fence agent for APC over telnet/ssh
fence_apc_snmp - Fence agent for APC, Tripplite PDU over SNMP
fence_bladecenter - Fence agent for IBM BladeCen
<Output trimmed>

This gives the full set of fence agents that can be used to configure cluster fencing.

To get more details about an individual fence agent, use pcs stonith describe:

[root@centos8-3 ~]# pcs stonith describe fence_xvm
fence_xvm - Fence agent for virtual machines
fence_xvm is an I/O Fencing agent which can be used with virtual machines.
Stonith options:
  debug: Specify (stdin) or increment (command line) debug level
  ip_family: IP Family ([auto], ipv4, ipv6)
  multicast_address: Multicast address (default=225.0.0.12/ff05::3:1)
  ipport: TCP, Multicast, or VMChannel IP port (default=1229)
  retrans: Multicast retransmit time (in 1/10sec; default=20)
 <Output trimmed>

Creating the fence key

To set up Pacemaker fencing we must create a fence key on the KVM host under /etc/cluster.
By default the /etc/cluster directory does not exist on the KVM host,
so create it manually:

[root@rhel-8 ~]# mkdir -p /etc/cluster

Next create the fence key with dd; the key is named fence_xvm.key.
This key is the shared secret that authenticates every fencing request between the cluster nodes and fence_virtd, so treat it as a credential: anyone who can read it can fence (power off) the guests on this host.

[root@rhel-8 ~]# dd if=/dev/urandom of=/etc/cluster/fence_xvm.key bs=4k count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.000187547 s, 21.8 MB/s

Next copy this key to /etc/cluster on all KVM HA cluster nodes (create the directory on each node first, otherwise scp fails):

[root@rhel-8 ~]# scp /etc/cluster/fence_xvm.key centos8-2:/etc/cluster/
[root@rhel-8 ~]# scp /etc/cluster/fence_xvm.key centos8-3:/etc/cluster/
[root@rhel-8 ~]# scp /etc/cluster/fence_xvm.key centos8-4:/etc/cluster/
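The dd command above creates the key with the caller's default umask, which normally leaves it readable by every local user on the host and, after scp, on every node. Since this key is the only thing authenticating fence requests, that is a privilege-escalation path from "local user on one guest" to "power off any VM on the host". The following helper is an added example, not code from the original article: it generates the key with mode 0600 from the start and provides a pre-flight check you can run on each node. It assumes a Linux system with coreutils; the key path is the article's default.

```shell
#!/bin/sh
# Added example (not from the original article): create the fence_xvm key
# without ever leaving it world-readable, and audit an existing key file.
# fence_virtd authenticates every fence request with this shared key, so any
# local user on any guest who can read it can power off every VM on the host.
# Assumes a Linux system with coreutils.

KEY_SIZE=4096

# make_fence_key PATH: write a fresh 4096-byte random key with mode 0600.
# umask is changed inside a subshell so the caller's umask stays untouched.
make_fence_key() {
    key=$1
    mkdir -p "$(dirname "$key")" || return 1
    (
        umask 077
        dd if=/dev/urandom of="$key" bs=4k count=1 2>/dev/null
    ) || return 1
    chmod 0600 "$key"
}

# check_fence_key PATH: return 0 only if the key exists, is exactly 4096
# bytes long and has no group/other permission bits. Each finding is printed,
# so the function doubles as a pre-flight check before enabling fencing.
check_fence_key() {
    key=$1
    rc=0
    if [ ! -f "$key" ]; then
        echo "$key: missing"
        return 1
    fi
    size=$(wc -c < "$key" | tr -d ' ')
    if [ "$size" -ne "$KEY_SIZE" ]; then
        echo "$key: size is $size bytes, expected $KEY_SIZE"
        rc=1
    fi
    # columns 5-10 of "ls -l" are the group and other permission bits
    gop=$(ls -ld "$key" | cut -c5-10)
    if [ "$gop" != "------" ]; then
        echo "$key: group/other permissions are '$gop', expected none"
        rc=1
    fi
    return $rc
}

# Live usage on the KVM host (commented out so the file can be sourced):
# make_fence_key /etc/cluster/fence_xvm.key && check_fence_key /etc/cluster/fence_xvm.key
```

Copy the key to the nodes with scp -p so the 0600 mode survives the transfer, then run check_fence_key on every node; fence_virtd runs as root, so nothing needs the key to be readable by anyone else.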

Configuring cluster fencing

To configure cluster fencing on the KVM host we use fence_virtd -c.
The tool writes the /etc/fence_virt.conf configuration file.
It prompts for a number of values; most can be left at their defaults or changed to suit your environment.

[root@rhel-8 ~]# fence_virtd -c
Module search path [/usr/lib64/fence-virt]:
Available backends:
    libvirt 0.3
Available listeners:
    multicast 1.2
Listener modules are responsible for accepting requests
from fencing clients.
Listener module [multicast]:
The multicast listener module is designed for use environments
where the guests and hosts may communicate over a network using
multicast.
The multicast address is the address that a client will use to
send fencing requests to fence_virtd.
Multicast IP Address [225.0.0.12]:  <-- Leave at the default
Using ipv4 as family.
Multicast IP Port [1229]:  <-- If you change this, remember to allow the new port in the firewall
Setting a preferred interface causes fence_virtd to listen only
on that interface.  Normally, it listens on all interfaces.
In environments where the virtual machines are using the host
machine as a gateway, this *must* be set (typically to virbr0).
Set to 'none' for no interface.
Interface [virbr0]:  <-- I am using virbr0; change this to the interface your cluster nodes are attached to
The key file is the shared key information which is used to
authenticate fencing requests.  The contents of this file must
be distributed to each physical host and virtual machine within
a cluster.
Key File [/etc/cluster/fence_xvm.key]:  <-- Leave at the default
Backend modules are responsible for routing requests to
the appropriate hypervisor or management layer.
Backend module [libvirt]:  <-- Leave at the default
The libvirt backend module is designed for single desktops or
servers.  Do not use in environments where virtual machines
may be migrated between hosts.
Libvirt URI [qemu:///system]:    <-- Leave at the default
Configuration complete.
=== Begin Configuration ===
backends {
        libvirt {
                uri = "qemu:///system";
        }
}
listeners {
        multicast {
                port = "1229";
                family = "ipv4";
                interface = "virbr0";
                address = "225.0.0.12";
                key_file = "/etc/cluster/fence_xvm.key";
        }
}
fence_virtd {
        module_path = "/usr/lib64/fence-virt";
        backend = "libvirt";
        listener = "multicast";
}
=== End Configuration ===
Replace /etc/fence_virt.conf with the above [y/N]? y  <-- Give confirmation

Starting the fence_virtd service

Next enable and start the fence_virtd service to activate cluster fencing:

[root@rhel-8 ~]# systemctl enable fence_virtd --now
Created symlink /etc/systemd/system/multi-user.target.wants/fence_virtd.service → /usr/lib/systemd/system/fence_virtd.service.

Check the status of fence_virtd to make sure it is running:

[root@rhel-8 ~]# systemctl status fence_virtd
● fence_virtd.service - Fence-Virt system host daemon
   Loaded: loaded (/usr/lib/systemd/system/fence_virtd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-05-01 12:00:35 IST; 6s ago
  Process: 24945 ExecStart=/usr/sbin/fence_virtd $FENCE_VIRTD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 24946 (fence_virtd)
    Tasks: 1 (limit: 26213)
   Memory: 2.8M
   CGroup: /system.slice/fence_virtd.service
           └─24946 /usr/sbin/fence_virtd -w
Jan 01 12:00:35 rhel-8.example.com systemd[1]: Starting Fence-Virt system host daemon...
Jan 01 12:00:35 rhel-8.example.com fence_virtd[24946]: fence_virtd starting.  Listener: libvirt  Backend: multicast
Jan 01 12:00:35 rhel-8.example.com systemd[1]: Started Fence-Virt system host daemon.

Fencing must be enabled on the cluster: make sure the stonith-enabled property is true. This is Pacemaker's default, and while it is true Pacemaker refuses to start any resource until a working fence device has been configured, which is exactly what this article sets up.

[root@centos8-2 ~]# pcs property
Cluster Properties:
 stonith-enabled: true
<Output trimmed>

If stonith-enabled is false, set it to true. It is a cluster-wide property, so run the command once on any node; it does not need to be repeated on every node.

[root@centos8-2 ~]# pcs property set stonith-enabled=true

Configuring the firewall

fence_virtd uses the default port 1229, so that port must be allowed through the firewall.
A fence_xvm client sends its request as multicast UDP to port 1229 on the host, and fence_virtd then connects back to the requesting node over TCP port 1229 to complete the key-authenticated exchange. So the KVM host must accept 1229/udp on the interface facing the guests, and each cluster node must accept inbound 1229/tcp; opening both protocols on the host, as below, does no harm. Since firewalld is in use, the port is added to the relevant firewall zone.

Get the list of active zones with their interfaces:

[root@rhel-8 ~]# firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: eno49 eno50 nm-bridge

Explanation:

Since I use the virbr0 interface, the firewall rule must go into the zone that manages virbr0.
By default all rules are applied to the public zone, which did not work for me; I was getting:

[root@centos8-2 ~]# fence_xvm -o list
Timed out waiting for response
Operation failed

If your cluster nodes are reached through an interface that belongs to the default zone, apply these rules to that zone instead.
I will use the libvirt firewall zone.
Adjust the firewall commands to match your active zone:

[root@rhel-8 ~]# firewall-cmd --add-port=1229/udp --permanent --zone=libvirt
[root@rhel-8 ~]# firewall-cmd --add-port=1229/tcp --permanent --zone=libvirt

Reload the firewall rules to activate the change:

[root@rhel-8 ~]# firewall-cmd --reload
success

List the ports currently allowed in the zone:

[root@rhel-8 ~]# firewall-cmd --list-ports --zone=libvirt
1229/udp 1229/tcp

List all services and ports allowed in the libvirt zone:

[root@rhel-8 ~]# firewall-cmd --list-all --zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports: 1229/udp 1229/tcp
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

Verifying Pacemaker fencing from the cluster nodes

To check fencing from the cluster side, run fence_xvm -o list on any cluster node.
It should print the list of virtual machines managed by the KVM host:

[root@centos8-2 ~]# fence_xvm -o list
centos8-2                        a0c0680a-5655-48ae-9752-fda306e015ed on
centos8-3                        3ee94484-bf3b-4636-8d64-f4e59a8c5a6d on
centos8-4                        638841fe-82c6-4fbb-a79a-780c4675b4e6 on
rhel-iscsi                       e0a7fd5f-3b53-4a7c-9a5c-3d2ca4b9c4f6 on

This means the KVM host is prepared to fence every one of these VMs, including rhel-iscsi, which is not a member of the three-node cluster: anything holding the key can power off any guest on this host, which is why the key must stay confidential.

The names in this list are the libvirt domain names, the same names virsh list shows on the host:

[root@rhel-8 ~]# virsh list
 Id    Name                           State
---------------------------------------------------
 75    rhel-iscsi                     running
 80    centos8-3                      running
 81    centos8-2                      running
 83    centos8-4                      running
 91    centos8-5                      running

Creating the STONITH resources

Create one stonith resource per cluster node. port is the libvirt domain name of the VM and pcmk_host_list is the node name as Pacemaker knows it (the two happen to be identical here):

[root@centos8-2 ~]# pcs stonith create fence-centos8-4 fence_xvm port=centos8-4 pcmk_host_list=centos8-4
[root@centos8-2 ~]# pcs stonith create fence-centos8-3 fence_xvm port=centos8-3 pcmk_host_list=centos8-3
[root@centos8-2 ~]# pcs stonith create fence-centos8-2 fence_xvm port=centos8-2 pcmk_host_list=centos8-2

pcmk_host_list format

This attribute takes a list of nodes separated by spaces, commas or semicolons.
The names must match exactly the names Pacemaker uses for the nodes, which come from the base configuration in /etc/corosync/corosync.conf and are the names shown in the pcs status output (centos8-2, centos8-3 and centos8-4 here, not their fully qualified hostnames).

Important note:

The port value must be the virtual machine name exactly as shown by virsh list on the host (and by fence_xvm -o list); if it differs, Pacemaker fencing will fail.
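Both mismatches described above (a port that is not a libvirt domain name, a pcmk_host_list entry that is not a Pacemaker node name) only surface when Pacemaker actually tries to fence, which is the worst possible moment. The script below is an added example, not part of the original article: it cross-checks a planned set of stonith resources against the output of fence_xvm -o list and the node names from crm_node -l before any pcs stonith create is run, then prints the commands. The "plan" line format (resource name, port, pcmk_host_list) is this script's own convention, and the sample data in the test is constructed from the outputs shown on this page.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the
# "pcs stonith create ... fence_xvm" commands. It catches the two mismatches
# the article warns about before they become a fencing failure:
#   port=           must be a libvirt domain name that fence_virtd reports
#   pcmk_host_list= must be the node name Pacemaker itself uses
# Assumes POSIX sh plus awk; the plan line format is this script's own.

# has_word LIST WORD: 0 if WORD is one of the whitespace-separated items in LIST.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# vm_names_from_list TEXT: domain-name column of "fence_xvm -o list" output,
# whose lines look like "<domain>  <uuid>  <on|off>".
vm_names_from_list() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $1 }'
}

# validate_stonith_plan VM_LIST NODE_NAMES PLAN
#   VM_LIST    raw output of "fence_xvm -o list" run on a cluster node
#   NODE_NAMES Pacemaker node names, one per line (crm_node -l | awk '{print $2}')
#   PLAN       one resource per line: "<resource-name> <port> <pcmk_host_list>"
# Prints a diagnostic per mismatch; the return value is the number of mismatches.
validate_stonith_plan() {
    vms=$(vm_names_from_list "$1")
    nodes=$2
    bad=0
    while read -r res port host; do
        [ -z "$res" ] && continue
        if ! has_word "$vms" "$port"; then
            echo "$res: port=$port is not a domain known to fence_virtd"
            bad=$((bad + 1))
        fi
        if ! has_word "$nodes" "$host"; then
            echo "$res: pcmk_host_list=$host is not a Pacemaker node name"
            bad=$((bad + 1))
        fi
    done <<EOF
$3
EOF
    return $bad
}

# pcs_commands_for PLAN: print the "pcs stonith create" command for each line.
# Only meant to be run after validate_stonith_plan returned 0.
pcs_commands_for() {
    printf '%s\n' "$1" | awk 'NF == 3 {
        printf "pcs stonith create %s fence_xvm port=%s pcmk_host_list=%s\n", $1, $2, $3
    }'
}

# Live usage on a cluster node (commented out so the file can be sourced):
# PLAN="fence-centos8-2 centos8-2 centos8-2
# fence-centos8-3 centos8-3 centos8-3
# fence-centos8-4 centos8-4 centos8-4"
# validate_stonith_plan "$(fence_xvm -o list)" "$(crm_node -l | awk '{print $2}')" "$PLAN" \
#     && pcs_commands_for "$PLAN" | sh
```

Once the resources exist, the test that exercises Pacemaker's own fencing path is pcs stonith fence <node>; calling fence_xvm -o off by hand, as the verification section below does, talks to fence_virtd directly and therefore proves the host side but not the resource definitions.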

Verifying the health of the STONITH resources

After creating the stonith resources on the KVM HA cluster nodes, verify their state with crm_mon:

[root@centos8-2 ~]# crm_mon
Stack: corosync
Current DC: centos8-2 (version 2.0.2-3.el8_1.2-744a30d655) - partition with quorum
Last updated: Fri Jan  1 13:08:25 2017
Last change: Fri Jan  1 13:08:14 2017 by root via cibadmin on centos8-2
3 nodes configured
3 resources configured
Online: [ centos8-2 centos8-3 centos8-4 ]
Active resources:
fence-centos8-4 (stonith:fence_xvm):    Started centos8-2
fence-centos8-3 (stonith:fence_xvm):    Started centos8-3
fence-centos8-2 (stonith:fence_xvm):    Started centos8-4

So all of our stonith resources have started successfully.
The stonith resource state can also be checked with pcs:

[root@centos8-2 ~]# pcs stonith status
 fence-centos8-4        (stonith:fence_xvm):    Started centos8-2
 fence-centos8-3        (stonith:fence_xvm):    Started centos8-3
 fence-centos8-2        (stonith:fence_xvm):    Started centos8-4

Verifying cluster fencing

To actually fence a node, run fence_xvm -o off with -H. The -H argument names the domain to fence, either by domain name or by the UUID shown in the list output; in this example I trigger fencing of centos8-4 by UUID.
Note that this calls fence_virtd directly and bypasses the Pacemaker stonith resources, so it proves the host side is working, not the resource configuration.

[root@centos8-2 ~]# fence_xvm -o off -H 638841fe-82c6-4fbb-a79a-780c4675b4e6

Next check the status of the KVM cluster:

[root@centos8-2 ~]# pcs cluster status
Cluster Status:
 Stack: corosync
 Current DC: centos8-2 (version 2.0.2-3.el8_1.2-744a30d655) - partition with quorum
 Last updated: Fri Jan  1 13:29:15 2017
 Last change: Fri Jan  1 13:08:14 2017 by root via cibadmin on centos8-2
 3 nodes configured
 3 resources configured
PCSD Status:
  centos8-2: Online
  centos8-3: Online
  centos8-4: Offline

As expected, the centos8-4 cluster node is now offline.
The fencing event is also visible in the system log on the KVM host:

Jan  1 13:29:34 rhel-8 systemd-machined[1877]: Machine qemu-74-centos8-4 terminated.

So our cluster fencing is working as expected.