[Linux-HA] STONITH error using apcmaster on heartbeat 2.0.7
Dave Blaschke
debltc at us.ibm.com
Wed Jan 17 09:50:40 MST 2007
George H wrote:
> OK this is worrisome.
>
> I upgraded the APC 7920's firmware to the newest one available from
> APC. It still comes with SNMP v1/2 which generally sucks for security.
> Not only that, because SNMP uses UDP it is unreliable in the first
> place. When we want to send a message to the APC to STONITH it should
> at least give us back a response saying that it received our message.
>
> If not, then a situation could occur that the SNMP packet never
> arrives and the other node cannot acquire the resources of the failed
> node because it hasn't been killed yet. So even with SNMP v3 which has
> authentication built in, the fact that it uses UDP is worthless for
> me.
>
> SSHv2 or HTTP/SSL is the only good way to do it. Using telnet may work
> (but the apcmaster plugin is not functioning correctly right now) but
> this leaves the username and password in clear text for any attacker
> on the network sniffing packets; the nodes will get DOSed. So even if
> telnet does work we'd need encrypted communications and setting up a
> VPN just for the link between the nodes and the STONITH is not
> recommended since the overhead is big and the cisco routers/switches
> cost a lot of money.
>
> The only "proper" option is to go SSHv2 or HTTP/SSL, as apcmaster is
> insecure because it uses telnet, and apcmastersnmp is insecure because
> it uses SNMP and is unreliable because SNMP is UDP and not TCP.
>
> This brings me to my last question: if I wrote my own little script to
> log in to the APC device and turn stuff on/off, how would I integrate
> it into heartbeat?
http://www.linux-ha.org/ExternalStonithPlugins
Also, if you have the Linux-HA source code, there are working samples in:
lib/plugins/stonith/external
>
> On 1/17/07, George H <george.dma at gmail.com> wrote:
>> Hmm, I did some investigating of my own, I think that the apcmaster
>> plugin isn't receiving the responses from the telnet screen properly. I
>> tried writing a java program to connect to the APC via telnet and I
>> realize how difficult it is to tell when to send the next command.
>>
>> I've never really touched SNMP before, I hear that it is somewhat
>> insecure, that it doesn't use passwords. Have you gotten a way to have
>> a secure setup with SNMP? I don't want unsuspected sniffers on our
>> network to start sending SNMPs and killing nodes. Though if I use a
>> VPN it'd solve it.
>>
>> On 1/17/07, Jim Wong <jwong at sharpcast.com> wrote:
>> > Hi,
>> >
>> > Coincidentally, I was trying to get STONITH working with an APC AP7930
>> > PDU last week and ran into similar problems. I suspect a couple
>> > different things may be going on there, but haven't looked into them in
>> > depth. Instead, I switched to the apcmastersnmp module, which actually
>> > worked fine out-of-the-box for me, despite the fact that it put up a
>> > couple warnings about the fact that my particular model hadn't been
>> > tested.
>> >
>> > Good luck!
>> >
>> > -----Original Message-----
>> > From: linux-ha-bounces at lists.linux-ha.org
>> > [mailto:linux-ha-bounces at lists.linux-ha.org] On Behalf Of George H
>> > Sent: Wednesday, January 17, 2007 1:29 AM
>> > To: General Linux-HA mailing list
>> > Subject: [Linux-HA] STONITH error using apcmaster on heartbeat 2.0.7
>> >
>> > Hi, I'm having some odd problems trying to get the stonith device
>> > working.
>> >
>> > I'm using APC AP7920 and I made sure the devices themselves are set up
>> > correctly. It has the telnet server open and I added an outlet username +
>> > password.
>> >
>> > For a simple test I ran /usr/lib/heartbeat/stonithd -a to start the
>> > daemon. Then /usr/lib/heartbeat/stonithd -s tells me that it's running.
>> > I run the /usr/lib/heartbeat/stonithdtest/STONITHBasicSanityTest and it
>> > passes all tests.
>> >
>> > Then I went to kill my second node manually as the final test.
>> > I ran this command in the console
>> >
>> > stonith -v -t apcmaster ipaddr=7.200.200.11 login=gentoo2
>> > password=secret -T off gentoo2
>> >
>> >
>> > This was the output:
>> > ** (process:14047): CRITICAL **: Did not find string Escape character is '^]'. from APC MasterSwitch.
>> > ** (process:14047): CRITICAL **: Received [\xff\xfb\u0001\u000dUser Name: ]
>> > ** (process:14047): CRITICAL **: Did not find string Escape character is '^]'. from APC MasterSwitch.
>> > ** (process:14047): CRITICAL **: Received []
>> > ** (process:14047): CRITICAL **: Did not find string Escape character is '^]'. from APC MasterSwitch.
>> > ** (process:14047): CRITICAL **: Received []
>> > ** (process:14047): CRITICAL **: Did not find string Escape character is '^]'. from APC MasterSwitch.
>> > ** (process:14047): CRITICAL **: Received []
>> > ** (process:14047): CRITICAL **: Did not find string Escape character is '^]'. from APC MasterSwitch.
>> > ** (process:14047): CRITICAL **: Received []
>> > ** (process:14047): CRITICAL **: Did not find string Escape character is '^]'. from APC MasterSwitch.
>> > ** (process:14047): CRITICAL **: Received []
>> > -----
>> > Anyone got any idea what is happening? Or why? And perhaps how to fix
>> > this?
>> >
>> > Thanks in advance!
>> >
>> > --
>> > "Nothing is impossible for the person that doesn't have to do it"
>> > "The probability of anything happening is in inverse ratio to its
>> > desirability"
>> > "If I were a roman statue, I'd be made alabastard"
>> > --
>> > George H
>> > george.dma at gmail.com
>> > _______________________________________________
>> > Linux-HA mailing list
>> > Linux-HA at lists.linux-ha.org
>> > http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> > See also: http://linux-ha.org/ReportingProblems
>> >
>
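For the integration question that closes the thread, here is an added example (not from the list or from the Linux-HA project) of what a minimal external STONITH plugin can look like when it reaches the PDU over SSH rather than telnet, the transport George was asking for. It assumes the external-plugin calling convention (one subcommand as the first argument, parameters handed over as environment variables), the parameter names hostlist/ipaddr/login, and the APC CLI commands olOn/olOff/olReboot/olStatus; none of these come from the page, so check them against the linked ExternalStonithPlugins documentation and your firmware.

```shell
#!/bin/sh
# Added example, not from the thread: skeleton of an external STONITH plugin
# that fences via the PDU's SSH CLI instead of telnet. Interface assumed per
# the ExternalStonithPlugins convention: one subcommand in $1, parameters from
# getconfignames arrive as environment variables. The parameter names and the
# PDU commands (olOn/olOff/olReboot/olStatus) are assumptions; check your CLI.

# hostlist is "node:outlet node:outlet"; print the outlet for a node name.
outlet_for() {
    for pair in $hostlist; do
        [ "${pair%%:*}" = "$1" ] && { echo "${pair##*:}"; return 0; }
    done
    return 1
}

# One command over SSH. BatchMode refuses interactive prompts so a fence never
# hangs; StrictHostKeyChecking refuses an unknown or changed PDU host key.
# SSH_CMD exists only so a test can substitute a fake transport.
pdu_cmd() {
    ${SSH_CMD:-ssh} -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 "$login@$ipaddr" "$1"
}

stonith_plugin() {
    case "$1" in
        gethosts) for pair in $hostlist; do echo "${pair%%:*}"; done ;;
        on|off|reset)
            outlet=$(outlet_for "$2") || { echo "unknown host: $2" >&2; return 1; }
            case "$1" in
                on)    pdu_cmd "olOn $outlet" ;;
                off)   pdu_cmd "olOff $outlet" ;;
                reset) pdu_cmd "olReboot $outlet" ;;
            esac ;;
        status) pdu_cmd "olStatus all" >/dev/null ;;
        getconfignames) echo "hostlist ipaddr login" ;;
        getinfo-devid) echo "APC PDU via SSH" ;;
        getinfo-devname) echo "apc_ssh" ;;
        getinfo-devdescr) echo "Fences nodes by switching APC PDU outlets over SSHv2" ;;
        getinfo-devurl) echo "http://www.linux-ha.org/ExternalStonithPlugins" ;;
        *) echo "usage: $0 {gethosts|on|off|reset|status|getconfignames|getinfo-*} [node]" >&2
           return 1 ;;
    esac
}

# heartbeat runs the script with the subcommand as $1; no-op when sourced.
if [ $# -gt 0 ]; then stonith_plugin "$@"; fi
```

The on/off/reset paths exit non-zero when the node is not in hostlist or when ssh refuses the host key or a password prompt, so a misconfiguration fails loudly instead of reporting a fence that never happened.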