This article describes how to use the libvirt daemon, libvirtd, as a fencing (STONITH) mechanism for virtualized high-availability (HA) clusters.
To use libvirt based fencing, the hypervisor's libvirt daemon must listen on a network socket. This can be either an unencrypted, unauthenticated TCP port or an encrypted TLS socket authenticated by client certificates. Use TLS for production: a fencing agent needs the power to stop and destroy VMs, and on an unauthenticated TCP socket that power is available to anyone who can reach the port.
For libvirtd to listen on an unauthenticated, and therefore insecure, TCP socket, add the following lines to your libvirtd configuration file (often /etc/libvirt/libvirtd.conf). Integer options are bare; string values must be quoted:
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
listen_addr = "192.168.0.123"
Leaving listen_addr empty or commenting the line out makes libvirtd listen on all interfaces (0.0.0.0). Combined with auth_tcp = "none", that hands unauthenticated control of every VM on the hypervisor to any host that can reach port 16509, so bind to the cluster's private interface and restrict the port to the cluster nodes with a firewall.
The libvirt daemon must also be told to listen on the network, which is done by passing it the --listen (or -l) flag. Set the options passed to the daemon in /etc/default/libvirt-bin on Debian based systems, or /etc/sysconfig/libvirtd on Red Hat based systems:
LIBVIRTD_ARGS=--listen
On distributions where libvirtd is started through systemd socket activation (libvirt 5.6 and later), the daemon refuses to start with --listen; enable the libvirtd-tcp.socket (or libvirtd-tls.socket) unit instead and leave LIBVIRTD_ARGS unchanged.
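Before restarting the daemon, it is worth checking that libvirtd.conf has not ended up with the combination of listen_tcp = 1, auth_tcp = "none" and an unset listen_addr. The audit script below is an added example, not part of the original article or of libvirt. It reads libvirtd.conf the way libvirt does (a leading # marks a comment, string values are quoted, the last assignment wins), fills in libvirt's documented defaults for missing keys (listen_addr 0.0.0.0, tcp_port 16509, auth_tcp sasl) and flags an unauthenticated TCP listener. The two configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article or libvirt): audit a
# libvirtd.conf for an unauthenticated TCP listener. Sample files are constructed.

# Print the effective value of one libvirtd.conf key: comment lines and
# trailing "# ..." are ignored, surrounding quotes are stripped, and the last
# assignment wins. Prints nothing if the key is not set.
libvirtd_conf_get() {
    # $1 = path to libvirtd.conf, $2 = key name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            sub(/[ \t]*#.*$/, "")
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Report whether the file configures an unauthenticated TCP listener.
# Returns 0 (true) when listen_tcp = 1 and auth_tcp = "none"; 1 otherwise.
# Missing keys take libvirt's defaults as documented in libvirtd.conf.
libvirtd_conf_audit() {
    conf="$1"
    listen_tcp=$(libvirtd_conf_get "$conf" listen_tcp)
    auth_tcp=$(libvirtd_conf_get "$conf" auth_tcp)
    listen_addr=$(libvirtd_conf_get "$conf" listen_addr)
    tcp_port=$(libvirtd_conf_get "$conf" tcp_port)
    : "${listen_tcp:=0}" "${auth_tcp:=sasl}" "${listen_addr:=0.0.0.0}" "${tcp_port:=16509}"

    if [ "$listen_tcp" = "1" ] && [ "$auth_tcp" = "none" ]; then
        echo "INSECURE: unauthenticated TCP listener on ${listen_addr}:${tcp_port}"
        case "$listen_addr" in
            0.0.0.0|::) echo "INSECURE: bound to every interface; set listen_addr" ;;
        esac
        return 0
    fi
    echo "OK: no unauthenticated TCP listener (listen_tcp=${listen_tcp}, auth_tcp=${auth_tcp})"
    return 1
}

# Constructed sample configurations for the demonstration.
SAMPLE_DIR=$(mktemp -d)
INSECURE_CONF="$SAMPLE_DIR/libvirtd-tcp.conf"
HARDENED_CONF="$SAMPLE_DIR/libvirtd-tls.conf"

cat > "$INSECURE_CONF" <<'EOF'
# The article's TCP setup with listen_addr commented out: binds everywhere.
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
auth_tcp = "none"
#listen_addr = "192.168.0.123"
EOF

cat > "$HARDENED_CONF" <<'EOF'
# TLS only; the client certificate is the credential (auth_tls = "none" is
# libvirt's default and means no extra SASL step on top of the certificate).
listen_tls = 1
listen_tcp = 0
tls_port = "16514"
auth_tls = "none"   # trailing comment, stripped by the parser
listen_addr = "192.168.0.123"
EOF

for f in "$INSECURE_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    if libvirtd_conf_audit "$f"; then
        echo "   fix this before passing --listen to libvirtd"
    fi
done
```

Run it against the real file with libvirtd_conf_audit /etc/libvirt/libvirtd.conf; a zero exit status means the daemon would accept unauthenticated TCP connections once it is restarted with --listen.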
Once the above options are set and the libvirt daemon has been restarted, verify that it is listening on the configured port by examining the output of netstat -tulpn or ss -tuna. Filter for the port (16509 by default) and confirm that the bound address is the one you set rather than 0.0.0.0.
You should then be able to list all the virtual machines (VMs) running on the hypervisor from a cluster node VM (with the libvirt-client package installed) by entering the following command:
virsh --connect=qemu+tcp://<hypervisor-IP>/system list --all
If this works from a node without any credentials, it also works for anyone else who can reach the port, which is why the TLS variant is preferred for production.
Find the correct libvirt domains (the VMs that make up your cluster) in the list and add the appropriate configurations to Pacemaker. The example below assumes each Pacemaker node name is also its libvirt domain name; if they differ, give hostlist as node:domain pairs (for example hostlist="alice:alice-vm"). With a TLS listener, use qemu+tls:// in hypervisor_uri instead of qemu+tcp://.
primitive st_alice stonith:external/libvirt \
    params hostlist=alice hypervisor_uri=qemu+tcp://192.168.0.123/system \
    op monitor interval=60
primitive st_bob stonith:external/libvirt \
    params hostlist=bob hypervisor_uri=qemu+tcp://192.168.0.123/system \
    op monitor interval=60
location l_st_alice st_alice -inf: alice
location l_st_bob st_bob -inf: bob
property stonith-enabled=true
The location constraints keep each fencing resource off the node it is meant to fence, so a node never has to fence itself.
Now, you can begin to test and tune STONITH in your cluster.
Reviewed 2020/12/01 - DGT