HPE Community
Operating System - HP-UX
1840008 Members
3600 Online
110158 Solutions
New Discussion

Re: problem making cluster changes on SG 11.16 (itanium)

 
SOLVED
Go to solution
Douglas D. Denney
Frequent Advisor

‎08-03-2005 02:43 PM

‎08-03-2005 02:43 PM

problem making cluster changes on SG 11.16 (itanium)

Okay. Here's the situation. I have a running cluster. I decided to add these lines to my cmclconf.ascii file:

USER_NAME rz86118
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE FULL_ADMIN

When I do:

cmcheckconf -v -C cmclconf.ascii

I get:
cmcheckconf : Configuration check failed.

When I check /var/adm/syslog/syslog.log I see:
Aug 3 21:39:16 icmfg20 cmcld: ERROR: User root on node icmfg20-hb2 does not hav
e root privileges on this cluster. Denying Access.

icmfg20-hb2 is one of the private heartbeat interfaces, connected to the other node via a crossover cable.

Okay, so now I do:
cmhaltcl
cmdeleteconf

and remove my cluster definition.

Now, when I do:

cmapply -v -C cmclconf.ascii

It works!

Why do I need to delete my cluster configuration before a change to the configuration will take place. My only thought now is that without a valid cluster config in place, it falls back to the cmclnodelist file and THAT is what allows it to work.

Anyone have any thoughts? I can provide additional details if this isn't clear enough.
Thanks,
Doug

0 Kudos
9 REPLIES 9
Geoff Wild
Honored Contributor

‎08-03-2005 03:06 PM

‎08-03-2005 03:06 PM

Re: problem making cluster changes on SG 11.16 (itanium)

You are right - you shouldn't have to delete the cluster config.

I know this sounds strange - as I prefer the command line myself - do you have the Service Guard Maneger GUI installed?

It would be interesting to see if that works or not (re-config the cluster with SG Manager that is).

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
0 Kudos
Douglas D. Denney
Frequent Advisor

‎08-03-2005 03:34 PM

‎08-03-2005 03:34 PM

Re: problem making cluster changes on SG 11.16 (itanium)

I do have the SG GUI running. I also prefer the command line. But, I'm using the windows version and connecting to my "primary" node, icmfg20. I attempted to add the role for user rz86118 with "ANY SG HOST", etc., - Just point and click. Anyway, it did not work. It also failed in the "check" phase. The /var/adm/syslog/syslog.log file on icmfg20 had this in it:

Aug 3 22:30:21 icmfg20 cmcld: ERROR: User root on node icmfg20-hb2 does not hav
e root privileges on this cluster. Denying Access.

Doug
0 Kudos
Warren_9
Honored Contributor

‎08-03-2005 06:59 PM

‎08-03-2005 06:59 PM

Re: problem making cluster changes on SG 11.16 (itanium)

hi,

base on the SG security guide,
http://docs.hp.com/en/6283/SGsecurityfiles.pdf

Is your /etc/hosts include all the node interfaces?
also need to configure the /etc/nsswitch.conf if you are using the DNS/NIS.

GOOD LUCK!!
0 Kudos
Warren_9
Honored Contributor

‎08-03-2005 07:10 PM

‎08-03-2005 07:10 PM

Re: problem making cluster changes on SG 11.16 (itanium)

From the doc example, all the interfaces have the SAME hostname and alias.



0 Kudos
melvyn burnard
Honored Contributor

‎08-03-2005 07:11 PM

‎08-03-2005 07:11 PM

Re: problem making cluster changes on SG 11.16 (itanium)

With SG 11.16 and above, there have been some security changes that mean cmclnodelist is only used and referenced when there is no cluster binary, i.e. it is used to "bootstrap" the initial configuration.
Once there is a binary, there is now a new Access Control Policy, built into the binary itself.
I would suspect from your symptoms that you do not have all of the network interfaces configured correctly in /etc/hosts or DNS.

I woul drecommend you review the following documents for further information on this:

Release Notes
http://docs.hp.com/en/B3935-90078/B3935-90078.pdf

Security File Editing
http://docs.hp.com/en/6283/SGsecurityfiles.pdf

Securing Serviceguard
http://docs.hp.com/en/5874/securingserviceguard.pdf

My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
0 Kudos
Douglas D. Denney
Frequent Advisor

‎08-04-2005 01:02 AM

‎08-04-2005 01:02 AM

Re: problem making cluster changes on SG 11.16 (itanium)

Perhaps I'm missing something...

Here's node1, icmfg20:

# cat /etc/hosts
40.1.129.224 dns1a.d51.lilly.com dns1a
40.1.129.225 dns1b.d51.lilly.com dns1b
40.1.240.29 icmfg20.am.lilly.com icmfg20
40.1.240.30 icmfg21.am.lilly.com icmfg21
192.168.100.1 icmfg20-hb1.am.lilly.com icmfg20-hb1
192.168.100.2 icmfg21-hb1.am.lilly.com icmfg21-hb1
192.168.101.1 icmfg20-hb2.am.lilly.com icmfg20-hb2
192.168.101.2 icmfg21-hb2.am.lilly.com icmfg21-hb2
127.0.0.1 localhost loopback
# ifconfig lan5
lan5: flags=843
inet 192.168.100.1 netmask ffffff00 broadcast 192.168.100.255
# ifconfig lan9
lan9: flags=843
inet 192.168.101.1 netmask ffffff00 broadcast 192.168.101.255
# ifconfig lan0
lan0: flags=1843
inet 40.1.240.29 netmask ffffff00 broadcast 40.1.240.255


Here's node 2, icmfg21:

# cat /etc/hosts
40.1.129.224 dns1a.d51.lilly.com dns1a
40.1.129.225 dns1b.d51.lilly.com dns1b
40.1.240.30 icmfg21.am.lilly.com icmfg21
40.1.240.29 icmfg20.am.lilly.com icmfg20
192.168.100.1 icmfg20-hb1.am.lilly.com icmfg20-hb1
192.168.100.2 icmfg21-hb1.am.lilly.com icmfg21-hb1
192.168.101.1 icmfg20-hb2.am.lilly.com icmfg20-hb2
192.168.101.2 icmfg21-hb2.am.lilly.com icmfg21-hb2
127.0.0.1 localhost loopback
# ifconfig lan5
lan5: flags=843
inet 192.168.100.2 netmask ffffff00 broadcast 192.168.100.255
# ifconfig lan9
lan9: flags=843
inet 192.168.101.2 netmask ffffff00 broadcast 192.168.101.255
# ifconfig lan0
lan0: flags=1843
inet 40.1.240.30 netmask ffffff00 broadcast 40.1.240.255


/etc/nsswitch.conf on both servers is identical:

# cat /etc/nsswitch.conf
hosts: files[NOTFOUND=continue UNAVAIL=continue] dns [NOTFOUND=return UNAVAIL=co
ntinue TRYAGAIN=return]
protocols: files[NOTFOUND=return UNAVAIL=continue]
services: files[NOTFOUND=return UNAVAIL=return]
networks: files[NOTFOUND=return UNAVAIL=return]
netgroup: files[NOTFOUND=return UNAVAIL=return]
rpc: files[NOTFOUND=return UNAVAIL=return]

I think I'll try a reboot, just to clear everything up, and try again.

Thanks,
Doug
0 Kudos
Devender Khatana
Honored Contributor

‎08-04-2005 01:20 AM

‎08-04-2005 01:20 AM

Re: problem making cluster changes on SG 11.16 (itanium)

Hi Doug,

How does your cmclnodelist file looks ?


HTH,
Devender
Impossible itself mentions "I m possible"
0 Kudos
melvyn burnard
Honored Contributor

‎08-04-2005 01:31 AM

‎08-04-2005 01:31 AM

Solution

Re: problem making cluster changes on SG 11.16 (itanium)

as per the manual http://docs.hp.com/en/6283/SGsecurityfiles.pdf

try the following:

40.1.240.30 icmfg21.am.lilly.com icmfg21
40.1.240.29 icmfg20.am.lilly.com icmfg20
192.168.100.1 icmfg20-hb1.am.lilly.com icmfg20-hb1 icmfg20
192.168.100.2 icmfg21-hb1.am.lilly.com icmfg21-hb1 icmfg21
192.168.101.1 icmfg20-hb2.am.lilly.com icmfg20-hb2 icmfg20
192.168.101.2 icmfg21-hb2.am.lilly.com icmfg21-hb2 icmfg21
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
0 Kudos
Douglas D. Denney
Frequent Advisor

‎08-04-2005 01:59 AM

‎08-04-2005 01:59 AM

Re: problem making cluster changes on SG 11.16 (itanium)

That did the trick. I looked at that segment of the host file for many minutes before noticing what you included on the end of the lines. I verified that the cmcheckconf and cmapplyconf are able to correctly work now. I read and re-read the security guides, but never made the connection that ALL the IP addresses needed to have some "alias" back to the cluster host name.

Thanks for all your help.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.