Libvirtd Fencing for Pacemaker Clusters

This article will describe how to use libvirtd as a fencing mechanism for virtualized HA clusters.

In order to use libvirtd based fencing, your hypervisor should have its libvirtd daemon listen on a network socket. This can be either an unencrypted TCP port or an encrypted TLS socket. For production use, it's best to use TLS whenever possible for improved security.

For libvirtd to listen on an unauthenticated and therefore insecure network socket, add the following lines to your libvirtd configuration file (often /etc/libvirt/libvirtd.conf):

listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
listen_addr = "192.168.0.123"

Leaving the listen_addr empty or commented will result in libvirtd listening on all interfaces.

Finally, the libvirtd daemon must be told to listen on the network. This is done by passing it the "--listen" or "-l" flag. You can set the options passed to the daemon by setting the following option in /etc/default/libvirt-bin on Debian based systems, or /etc/sysconfig/libvirtd on RedHat based systems:

LIBVIRTD_ARGS="--listen"

Once the above options are set and the libvirtd daemon is restarted, you should see a listener on the configured port in the output of "netstat -tulpn" or "ss -tuna".
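As an added check (not part of the original article), the following Python script parses a libvirtd.conf and flags the settings discussed above that widen exposure: an unauthenticated TCP listener, TLS disabled, and an empty or commented listen_addr. The embedded configuration is a constructed sample, and the function names are my own.

```python
import re

# Constructed libvirtd.conf excerpt mirroring the article's settings, with
# listen_addr commented out (so libvirtd binds every interface). Not a real host's file.
SAMPLE_CONF = """\
# Master libvirt daemon configuration file
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
#listen_addr = "192.168.0.123"
"""

def parse_libvirtd_conf(text):
    """Parse 'key = value' lines; comments and blank lines are skipped, quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop full-line and trailing comments
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit_fencing_listener(settings):
    """Return (severity, message) findings for the network listener used by fencing.
    Absent keys are treated as unset, not as libvirt's built-in defaults."""
    findings = []
    tcp_on = settings.get("listen_tcp") == "1"
    if tcp_on and settings.get("auth_tcp") == "none":
        findings.append(("HIGH", "listen_tcp=1 with auth_tcp=none: anyone who can reach "
                         "tcp_port can manage, stop or fence every VM on this hypervisor"))
    if tcp_on and settings.get("listen_tls") == "0":
        findings.append(("MEDIUM", "listen_tls=0: plaintext TCP only; enable TLS and use "
                         "qemu+tls:// in hypervisor_uri so fencing traffic is authenticated"))
    if not settings.get("listen_addr"):
        findings.append(("MEDIUM", "listen_addr empty or commented: libvirtd listens on all "
                         "interfaces; pin it to the cluster network address"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_fencing_listener(parse_libvirtd_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```

Run it against /etc/libvirt/libvirtd.conf on the hypervisor by reading the file into parse_libvirtd_conf instead of SAMPLE_CONF.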

At this point, you should be able to list all the VMs running on the hypervisor from a Virtual Machine (with the libvirt-client package installed) using the following command:

virsh --connect=qemu+tcp://<hypervisor-IP>/system list --all

Find the correct domains (the VMs that make up your cluster) in the list and add the appropriate configuration to Pacemaker; the location constraints keep each STONITH resource from running on the node it is meant to fence:

primitive st_alice stonith:external/libvirt \
params hostlist="alice" hypervisor_uri="qemu+tcp://192.168.0.123/system" \
op monitor interval="60"
primitive st_bob stonith:external/libvirt \
params hostlist="bob" hypervisor_uri="qemu+tcp://192.168.0.123/system" \
op monitor interval="60"
location l_st_alice st_alice -inf: alice
location l_st_bob st_bob -inf: bob
property stonith-enabled=true

Now, you can begin to test and tune STONITH in your cluster.


Reviewed 2020/12/01 - DGT