Re: SG cmquerycl error

Sp4admin · ‎11-23-2009

Hello

I'm trying to setup a cluster between two nones. I havve check all the networking and it seem to be correct, however please the the error below.

HPUX 11.31
Blade BL870
SG A.11.18.00

error:
Node hostname is refusing Serviceguard communication.
Please make sure that the proper security access is configured on node
hostname through either file-based access (pre-A.11.16 version) or role-based
access (version A.11.16 or higher) and/or that the host name lookup
on node hostnameresolves the IP address correctly.
cmcheckconf: Failed to gather configuration information

Thanks,
SP

melvyn burnard · ‎11-23-2009

so have you set up the /etc/cmclnodelist files one both nodes correctly?

My house is the bank's, my money the wife's, But my opinions belong to me, not HP!

Sp4admin · ‎11-23-2009

yes, the cmclnodelist contain both servers and root.

hostname1 root
hostname2 root

sp,

Sp4admin · ‎11-23-2009

Also i have verified all the networking config files. I'm using lan900 for the server and lan2 as the heartbeat using 10. address. I verified DNS and check gateway IP. when I do a netstat -rn the routing looks correct. I just don't understand the the file-base accesses or the role-base.

--sp

melvyn burnard · ‎11-23-2009

take a read of:
http://docs.hp.com/en/6283/SGsecurityfiles0903.pdf
and
http://docs.hp.com/en/5874/securingserviceguard0903.pdf

My house is the bank's, my money the wife's, But my opinions belong to me, not HP!

Sp4admin · ‎11-24-2009

I tried to delete the cluster to start over and the error message is listed below. I just don't get it.

cmdeleteconf: Unable to get cluster configuration information: Permission denied.

sp,

melvyn burnard · ‎11-24-2009

ok, silly question, but is identd enabled on the servers, and allowed across th enewtork?

My house is the bank's, my money the wife's, But my opinions belong to me, not HP!

Aneesh Mohan · ‎11-24-2009

Hi,

>>Unable to get cluster configuration information

"auth" line commented out in /etc/inetd.conf
#auth stream tcp6 wait bin /usr/lbin/identd identd

Serviceguard uses identd to validate Serviceguard commands are being performed by nodes in the cluster. If this line is disabled, Serviceguard commands will fail in various ways; one being the "security token exchange' error.

Aneesh

Sp4admin · ‎11-25-2009

I have tried uncommenting the auth in the inied.conf and I get the same error. I have another SG cluster running and that server doen't have the auth uncommented. I confused on where this message is comming from. I have listed the output below.

Command:

cmquerycl -v -C cmclconfig.ascii -n nodename1 -n nodename2

output:

Permission denied to 127.0.0.1
Looking for other clusters ... Done
Node nodename1 is refusing Serviceguard communication.
Please make sure that the proper security access is configured on node
nodename1 through either file-based access (pre-A.11.16 version) or role-based
access (version A.11.16 or higher) and/or that the host name lookup
on node nodename1 resolves the IP address correctly.
Failed to gather configuration information.

Thanks in advance,
sp

Stephen Doud · ‎11-25-2009

Serviceguard uses identd to do a caller-ID-like lookup, attempting to match the IP of the SG command message to the hostname of one of the cluster nodes. If you are building the cluster for the first time, it looks to the cmclnodelist file and /etc/hosts file for hostname resolution.
If you read the documents that Melvyn prescribed, you will know that /etc/hosts must list every fixed IP on each node, and alias them to the simple hostname of the hosting node (yeah - this sounds freaky but it works)

After uncommenting the auth line, or after any modification to /etc/inetd.conf, you must either stop and restart inetd (inetd -k; inetd) or at least have it re-read the inetd.conf file (inetd -c). (Repeat on the other node!)

As for the "Permission denied to 127.0.0.1"
error, insure the cmclnodelist format looks like this:

node1 root
node2 root
(note simple hostnames, and no IPs)
Put a "+" at the bottom for diagnostic purposes. Remove if after resolving the condition.

Verify the permissions an ownership of identd are correct.

At hpux 11.31, you should see these:
-r-xr--r-- 1 bin bin 82192 Nov 6 2007 /usr/lbin/identd

/etc/hosts must have this untouched line:
127.0.0.1 localhost loopback

If 'ps -ef' shows hanging 'cmclconfd -p' processes (they should terminate after 60 seconds of running a SG command, kill them and retry the command.

Servers 'ignited' from a "golden" Ignite/UX backup may get the golden server's /etc/cmcluster/cmclconfig file. If this is a new cluster build and that file exists already, delete it.

Michael Steele_2 · ‎11-25-2009

Hi

Can we verify the physical layer ?

nwmgr --diagnose

Please paste in the results. Also, what does

cmscancl

...report under the lan section.

Support Fatherhood - Stop Family Law

melvyn burnard · ‎11-25-2009

if you read through those manuals, you should be able to see a section where you can disable the authentication, and test if it works then. If all then works fine, you have an issue with hostname/ip address lookup resolution
1. Change the cmclconfd entry in /etc/inetd.conf to appear as:
hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd \
cmclconfd -c -i
2. Change the cmomd entry in /etc/inetd.conf to appear as:
hacl-probe stream tcp nowait root \
/opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i -f \
/var/opt/cmom/cmomd.log -r /var/opt/cmom
3. Restart inetd: “/etc/init.d/inetd restart”

My house is the bank's, my money the wife's, But my opinions belong to me, not HP!

Sp4admin · ‎11-30-2009

Part of the problem has been resolved. I called HP about the permissions thing and they said it was a bug and provieded a fix.

Here is the fix:

1) Move out the /dev/urandom file and check # mv /dev/urandom /tmp If this works then move the urandom file back to /dev and go to next step 2) Check 'rng' module status # kcmodule -v rng If state & state at next boot is as unused, then goto step 3

3) Load the module in kernel
# kcmodule rng=loaded
# kcmodule rng=best

After this try swinstall & swacl commands.
If the above method fails, then try restarting swagentd daemon

Thanks for all the help!
Sp,

sc_dodc_be · ‎12-08-2009

Dude, thanks a lot!

I've also had this problem and I suspect all 4 nodes in my metro cluster went down because of this because my Quorum server was also unreachable...

An indication that there's something wrong in the syslog might be this: cmclconfd[]: Failed to generate 64 from prng.

I've ran kcmodule -v rng and it was scheduled to be loaded next boot but it does not get loaded after I reboot the machine so I'll have to keep this in mind. Or is there a fix for this?

Thanks again for the tip!

Wimmy

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: SG cmquerycl error

SG cmquerycl error