.\"/*
.\" * Copyright (C) 2016-2020 Red Hat, Inc.
.\" *
.\" * All rights reserved.
.\" *
.\" * Author: Jan Friesse <jfriesse@redhat.com>
.\" *
.\" * This software licensed under BSD license, the text of which follows:
.\" *
.\" * Redistribution and use in source and binary forms, with or without
.\" * modification, are permitted provided that the following conditions are met:
.\" *
.\" * - Redistributions of source code must retain the above copyright notice,
.\" *   this list of conditions and the following disclaimer.
.\" * - Redistributions in binary form must reproduce the above copyright notice,
.\" *   this list of conditions and the following disclaimer in the documentation
.\" *   and/or other materials provided with the distribution.
.\" * - Neither the name of Red Hat, Inc. nor the names of its
.\" *   contributors may be used to endorse or promote products derived from this
.\" *   software without specific prior written permission.
.\" *
.\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
.\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
.\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
.\" * THE POSSIBILITY OF SUCH DAMAGE.
.\" */
.TH COROSYNC-QNETD 8 2020-11-18
.SH NAME
corosync-qnetd \- QNet daemon
.SH SYNOPSIS
.B "corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls]
.B [-c client_cert_required] [-m max_clients] [-S option=value[,option2=value2,...]]"

.SH DESCRIPTION
.B corosync-qnetd
is a daemon running outside of the cluster with the purpose of providing a vote to the
.B corosync-qdevice
model net. It's designed to support multiple clusters and to be almost configuration
and state free. New clusters are handled dynamically and no configuration file exists.
It can also run as a non-root user, which is recommended. The connection with the
.B corosync-qdevice
model net client can optionally be configured to require TLS client certificate checking.
The communication protocol between server and client is designed to be very simple
and to allow backwards compatibility.
.SH OPTIONS
.TP
.B -4
and its counterpart
.B -6
are used to force IPv4 or IPv6 communication. The default is to listen on both address families.
.TP
.B -d
Turn on debug logging. By default the messages sent to syslog are purely operational;
this option sends additional debug messages. To bump the syslog message priority to info, pass the
.B -d
parameter twice.
.TP
.B -f
Do not daemonize, run in the foreground.
.TP
.B -h
Show short help text.
.TP
.B -v
Show version and supported communication protocol messages/options.
.TP
.B -l
IP address to listen on. By default the daemon listens on all addresses (wildcard).
.TP
.B -p
TCP port to listen on. The default port is 5403.
.TP
.B -s
Determines if TLS should be used and can be one of
.I on/off/required
(the default is
.IR on ).
.I on
means TLS is enabled but the client is not required to start TLS,
.I off
means TLS is completely disabled, and
.I required
means TLS is required.
.I on
and
.I required
require the NSS database to be properly initialized by running the
.B corosync-qnetd-certutil
command.
.TP
.B -c
can be set to
.IR on/off .
This option only makes sense if TLS is enabled. When
.B -c
is
.IR on ,
a client is required to send its client certificate (default).
.TP
.B -m
Maximum number of simultaneous clients. The default is 0, which means no limit.
.TP
.B -S
Set advanced settings described in their own section below. This option
generally shouldn't be used because most of the options are
not safe to change.
.SH UNPRIVILEGED USER CONFIGURATION
It's generally recommended to run
.B corosync-qnetd
as a non-root user. If you get a package from a distribution it's highly
likely that the packager has done all the hard work for you. If the installation
is performed from source code, a few steps have to be taken.

First it's necessary to create an unprivileged user/group. The following commands
can be used (executed as root):

.nf
# groupadd -r coroqnetd
# useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd
.fi

The next step is to set the correct owner and group on the /etc/corosync/qnetd and /var/run/corosync-qnetd
directories.

.nf
# chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd
.fi

Some systems have the /var/run directory on a tmpfs file system which gets discarded after
a reboot. The solution is to use an initscript or systemd unit, because both of them take
care of creating /var/run/corosync-qnetd and set the correct owner and permissions.

The last step is to make sure
.B corosync-qnetd
is really executed as an unprivileged user. For initscript systems it's enough to set the
COROSYNC_QNETD_RUNAS line in the /etc/(sysconfig|default)/corosync-qnetd file. If the file
is not already installed then use the one provided in the corosync source code
(init/corosync-qnetd.sysconfig.example). For systemd, overwrite/copy the
corosync-qnetd.service unit file and uncomment/change the "User=" directive.

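Added example (not from the corosync-qnetd man page or the corosync project): a POSIX sh audit of the setup described above. It checks that the coroqnetd account has a nologin shell, that /etc/corosync/qnetd and /var/run/corosync-qnetd are owned by that user, and that COROSYNC_QNETD_RUNAS in the sysconfig file names it. The function names and the script file name qnetd-runas-audit.sh are this example's own; the passwd and sysconfig lines used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the corosync-qnetd man page or of the corosync
# project: verify that the unprivileged-user setup from the man page was done.
# The user/group name coroqnetd, the two directories and the
# COROSYNC_QNETD_RUNAS variable come from the man page; every function name
# below is this example's own.

# Owner of a path, using ls so it works on both GNU and BSD userlands.
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Succeed only if every DIR exists and is owned by USER.
# Usage: dirs_owned_by USER DIR...
dirs_owned_by() {
    want=$1; shift
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2
            rc=1
        elif [ "$(path_owner "$d")" != "$want" ]; then
            echo "$d is owned by $(path_owner "$d"), expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Login shell (7th field) of a passwd(5) line such as the one getent prints.
shell_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Succeed if SHELL is one that refuses interactive logins.
is_nologin_shell() {
    case $1 in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Value of COROSYNC_QNETD_RUNAS in an /etc/(sysconfig|default)/corosync-qnetd
# style file: the last non-comment assignment wins, surrounding quotes dropped.
runas_from_sysconfig() {
    sed -n 's/^[[:space:]]*COROSYNC_QNETD_RUNAS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Run all checks against the live system. Exit status is non-zero if any fails.
# Usage: qnetd_runas_audit [USER] [SYSCONFIG_FILE]
qnetd_runas_audit() {
    user=${1:-coroqnetd}
    cfg=${2:-/etc/sysconfig/corosync-qnetd}
    ok=0
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; ok=1; }
    if [ -n "$entry" ] && ! is_nologin_shell "$(shell_from_passwd_line "$entry")"; then
        echo "$user has an interactive login shell" >&2
        ok=1
    fi
    dirs_owned_by "$user" /etc/corosync/qnetd /var/run/corosync-qnetd || ok=1
    if [ -r "$cfg" ] && [ "$(runas_from_sysconfig "$cfg")" != "$user" ]; then
        echo "COROSYNC_QNETD_RUNAS in $cfg is not $user" >&2
        ok=1
    fi
    return $ok
}

# Run the audit only when executed as a script, not when sourced.
case ${0##*/} in
    qnetd-runas-audit.sh) qnetd_runas_audit "$@" ;;
esac
```

Run it as root after the steps above with `sh qnetd-runas-audit.sh`, or with `sh qnetd-runas-audit.sh coroqnetd /etc/default/corosync-qnetd` where the Debian-style path is used; a non-zero exit means one of the steps was skipped. The /var/run check is the one most likely to fail after a reboot on a tmpfs /var/run, which is exactly the case the initscript or systemd unit is meant to cover.
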
.SH TLS CONFIGURATION
For TLS to work it's necessary to create the NSS database. If pcs is used then the following
steps are not needed because pcs does them automatically.

.B corosync-qnetd-certutil
is the tool to perform the required actions. Just run:

.nf
# corosync-qnetd-certutil -i
.fi

If TLS is not required then simply edit /etc/(sysconfig|default)/corosync-qnetd or the
systemd unit file and add the parameter
.B -s
.I off
in the proper place.

Depending on the configuration of NSS (stored in the nss.config file, usually in the
/etc/crypto-policies/back-ends/ directory), disabled ciphers or too-short keys
may be rejected. The proper solution is to regenerate the NSS databases for both the
.B corosync-qnetd
and
.B corosync-qdevice
daemons. As a quick workaround it's also possible to set the environment variable
.I NSS_IGNORE_SYSTEM_POLICY=1
before running the
.B corosync-qnetd
daemon.

When NSS is updated it may also be necessary to upgrade the database to the new format. There is no
consensus on the recommended way, but the following command seems to work just fine (if the qnetd
sysconfdir is set to /etc):

.nf
# certutil -N -d /etc/corosync/qnetd/nssdb -f /etc/corosync/qnetd/nssdb/pwdfile.txt
.fi

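Added example (not from the man page or the corosync project): a POSIX sh helper that reads a corosync-qnetd argument list the way the SYNOPSIS defines it and reports the resulting TLS posture, so that an -s off added as described above, or an -s on that still admits clients which never start TLS, is visible at a glance. The getopts option string mirrors the SYNOPSIS and the defaults come from the OPTIONS section; the function names, the script name qnetd-tls-audit.sh and the assumption that the daemon's extra arguments live in a COROSYNC_QNETD_OPTIONS variable in the sysconfig file are this example's own.

```shell
#!/bin/sh
# Added example, not part of the corosync-qnetd man page or of the corosync
# project: work out which TLS posture a corosync-qnetd command line gives you,
# using the -s/-c semantics and defaults from the OPTIONS section of the man page.
# The getopts string mirrors the SYNOPSIS; function names are this example's own,
# and COROSYNC_QNETD_OPTIONS is assumed (not stated in the man page) to be the
# sysconfig variable holding the daemon's extra arguments.

# Print the effective posture for the given corosync-qnetd arguments:
#   off                               TLS disabled
#   on / on+client-cert               TLS offered, cleartext clients still accepted
#   required / required+client-cert   every client must start TLS
# Returns 1 on an unknown option or an invalid -s/-c value.
tls_posture() {
    tls=on      # default for -s
    ccert=on    # default for -c
    OPTIND=1
    while getopts '46dfhvl:p:s:c:m:S:' opt "$@"; do
        case $opt in
            s) tls=$OPTARG ;;
            c) ccert=$OPTARG ;;
            \?) return 1 ;;
            *) ;;           # -4 -6 -d -f -h -v -l -p -m -S do not affect TLS
        esac
    done
    case $tls in on|off|required) ;; *) echo "invalid -s value: $tls" >&2; return 1 ;; esac
    case $ccert in on|off) ;; *) echo "invalid -c value: $ccert" >&2; return 1 ;; esac
    if [ "$tls" = off ]; then
        printf 'off\n'                    # -c is irrelevant without TLS
    elif [ "$ccert" = on ]; then
        printf '%s+client-cert\n' "$tls"
    else
        printf '%s\n' "$tls"
    fi
}

# Succeed if a client that never starts TLS would still be served: the man page
# says -s on only offers TLS, so only -s required closes that door.
accepts_cleartext_clients() {
    p=$(tls_posture "$@") || return 2
    case $p in
        required*) return 1 ;;
        *) return 0 ;;
    esac
}

# Extra daemon arguments from a sysconfig-style file (assumed variable name).
qnetd_options_from_sysconfig() {
    sed -n 's/^[[:space:]]*COROSYNC_QNETD_OPTIONS=//p' "$1" | tail -n 1 | tr -d '"'
}

# Posture implied by a sysconfig file; the option string is word-split on purpose.
tls_posture_from_sysconfig() {
    opts=$(qnetd_options_from_sysconfig "$1")
    # shellcheck disable=SC2086
    tls_posture $opts
}

# When run as a script, report on the given arguments, e.g.
#   sh qnetd-tls-audit.sh -s on -c off
case ${0##*/} in
    qnetd-tls-audit.sh)
        posture=$(tls_posture "$@") || exit 1
        echo "posture: $posture"
        if accepts_cleartext_clients "$@"; then
            echo "warning: clients may connect without TLS"
        fi
        ;;
esac
```

The point the helper makes explicit is that the default, -s on with -c on, verifies a client certificate only for clients that choose to start TLS; a client that never does is still served, so only -s required makes the certificate check mandatory for every connection.
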
.SH ADVANCED SETTINGS
Set by the
.B -S
option. The default value is shown in parentheses.
.TP
.B listen_backlog
Parameter passed to the listen syscall on the network socket. (10)
.TP
.B max_client_send_buffers
Maximum number of send buffers for one client. (32)
.TP
.B max_client_send_size
Maximum size of one send buffer (message) to be sent to a client. (32768)
.TP
.B max_client_receive_size
Maximum size of the receive buffer for a client message (maximum
allowed message size received from a client). (32768)
.TP
.B nss_db_dir
NSS database directory. (/etc/corosync/qnetd/nssdb)
.TP
.B cert_nickname
NSS nickname of the qnetd server certificate. (QNetd Cert)
.TP
.B heartbeat_interval_min
Minimum heartbeat timeout accepted by the server in ms. (1000)
.TP
.B heartbeat_interval_max
Maximum heartbeat timeout accepted by the server in ms. (120000)
.TP
.B dpd_enabled
Dead peer detection enabled. (on)
.TP
.B dpd_interval_coefficient
The value is multiplied by the heartbeat interval sent by the qdevice client and used as the timeout
for dead peer detection. (1.5)
.TP
.B lock_file
Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)
.TP
.B local_socket_file
Internal IPC socket file location. (/var/run/corosync-qnetd/corosync-qnetd.sock)
.TP
.B local_socket_backlog
Parameter passed to the listen syscall on the local socket. (10)
.TP
.B ipc_max_clients
Maximum allowed simultaneous IPC clients. (10)
.TP
.B ipc_max_receive_size
Maximum size of a message received from an IPC client. (4096)
.TP
.B ipc_max_send_size
Maximum size of a message sent to an IPC client. (10485760)
.TP
.B keep_active_partition_tie_breaker
When a tie happens, prefer the partition with members of the previously active (quorate) partition.
This is the hard-coded behavior of the LMS algorithm, so this setting affects only the FFSplit algorithm. (off)
.SH SEE ALSO
.BR corosync-qnetd-tool (8)
.BR corosync-qnetd-certutil (8)
.BR corosync-qdevice (8)
.SH AUTHOR
Jan Friesse
.PP