STONITH
      Back to home
      1. Knowledge Base
      2. Pacemaker Stack
      3. STONITH

      Using the Libvirt Daemon For Fencing Pacemaker Clusters

      This article will describe how to use the libvirt daemon, libvirtd, as a fencing mechanism for virtualized high-availability (HA) clusters.

      To use libvirt based fencing, your hypervisor should have its libvirt daemon listen on a network socket. This can be either an unencrypted TCP port, or an encrypted TLS socket. For production use, it's best to use TLS when possible for improved security.

      For libvirtd to listen on an unauthenticated and therefore insecure network socket, add the following lines to your libvirtd configuration file (often /etc/libvirt/libvirtd.conf):

      listen_tls = 0
listen_tcp = 1
tcp_port = 16509base
auth_tcp = none
listen_addr = 192.168.0.123

      Leaving the listen_addr empty or commenting the line out will result in libvirtd listening on all interfaces.

      Finally, the libvirt daemon must be told to listen on the network. This is done by passing it the --listen or -l flag. You can set the options passed to the daemon by setting the following option in /etc/default/libvirt-bin on Debian based systems, or /etc/sysconfig/libvirtd on Red Hat based systems:

      LIBVIRTD_ARGS=--listen

      Once the above options are set, and the libvirt daemon is restarted, you can verify that you have a listening port on the specified port in your configuration by examining the output of netstat -tulpn or ss -tuna.

      Finally, you should be able to list all the virtual machines (VMs) running on the hypervisor from a VM (with the libvirt-client package installed) by entering the following command:

      virsh --connect=qemu+tcp://<hypervisor-IP>/system list --all

      Find the correct libvirt domains (VMs that make up your cluster) in the list and add the appropriate configurations to Pacemaker:

      primitive st_alice stonith:external/libvirt \
  params hostlist=alice hypervisor_uri=qemu+tcp://192.168.0.123/system \
  op monitor interval=60
primitive st_bob stonith:external/libvirt \
  params hostlist=bob hypervisor_uri=qemu+tcp://192.168.0.123/system \
  op monitor interval=60
location l_st_alice st_alice -inf: alice
location l_st_bob st_bob -inf: bob
property stonith-enabled=true

      Now, you can begin to test and tune STONITH in your cluster.

      Reviewed 2020/12/01 - DGT