COROSYNC-QNETD(8)           System Manager's Manual          COROSYNC-QNETD(8)

NAME

       corosync-qnetd - QNet daemon


SYNOPSIS

       corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls]
       [-c client_cert_required] [-m max_clients]
       [-S option=value[,option2=value2,...]]


DESCRIPTION

       corosync-qnetd is a daemon running outside of the cluster with the
       purpose of providing a vote to the corosync-qdevice model net. It's
       designed to support multiple clusters and to be almost configuration
       and state free. New clusters are handled dynamically and no
       configuration file exists. It's also able to run as a non-root user,
       which is recommended. The connection with the corosync-qdevice model
       net client can optionally be configured with TLS client certificate
       checking. The communication protocol between server and client is
       designed to be very simple and to allow backwards compatibility.


OPTIONS

       -4     and its counterpart -6 are used to force IPv4 or IPv6
              communication. The default is to listen on both address
              families.

       -d     Turn on debug logging. By default the messages sent to syslog
              are purely operational; this option sends additional debug
              messages. For even more detail use the -d parameter twice.

       -f     Do not daemonize, run in the foreground.

       -h     Show short help text.

       -v     Show version and supported communication protocol
              messages/options.

       -l     IP address to listen on. By default the daemon listens on all
              addresses (wildcard).

       -p     TCP port to listen on. Default port is 5403.

       -s     Determines if TLS should be used and can be one of
              on/off/required (the default is on). on means TLS is enabled
              but the client is not required to start TLS, off means TLS is
              completely disabled, and required means TLS is required. on
              and required require the NSS database to be properly
              initialized by running the corosync-qnetd-certutil command.

       -c     can be set to on/off. This option only makes sense if TLS is
              enabled. When -c is on (the default) a client is required to
              send its client certificate.

       -m     Maximum simultaneous clients. The default is 0 which means no
              limit.

       -S     Set advanced settings described in its own section below. This
              option shouldn't generally be used because most of the options
              are not safe to change.


UNPRIVILEGED USER CONFIGURATION

       It's generally recommended to run corosync-qnetd as a non-root user.
       If you get a package from a distribution it's highly possible that
       the packager has done all the hard work for you. If the installation
       is performed from source code, a few steps have to be taken.

       First it's necessary to create an unprivileged user/group. The
       following commands can be used (executed as root):

       # groupadd -r coroqnetd
       # useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd

       The next step is to set the correct owner and group on the
       /etc/corosync/qnetd and /var/run/corosync-qnetd directories.

       # chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd

       Some systems have the /var/run directory on a tmpfs file system which
       gets discarded after a reboot. The solution is to use an initscript
       which takes care of the /var/run/corosync-qnetd creation and sets the
       correct owner and permissions. For systems with systemd it's possible
       to use a tmpfiles.d configuration file (installed by default if
       systemd is enabled during corosync compilation).

       The last step is to make sure corosync-qnetd is really executed as an
       unprivileged user. For initscript systems it's enough to set the
       COROSYNC_QNETD_RUNAS line in the /etc/(sysconfig|default)/corosync-qnetd
       file. If the file is not already installed then use the one provided
       in the corosync source code (init/corosync-qnetd.sysconfig.example).
       For systemd, overwrite/copy the corosync-qnetd.service unit file and
       uncomment/change the "User=" directive.

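       The steps above are easy to get half right (a chown that was never
       re-applied after a reboot, a "User=" line still commented out), so a
       post-install check is useful. The script below is an added example
       and not part of corosync: it re-checks directory ownership and mode,
       that a sysconfig/default or unit file sets the run-as user, and that a
       running daemon actually has that user's uid. It assumes Linux with GNU
       or busybox coreutils (stat -c) and procps (ps -C); the account name
       coroqnetd matches the useradd command above, and the unit file paths
       it probes are assumptions about where a distribution installs it.

```shell
#!/bin/sh
# Added example, not part of corosync: post-install check that corosync-qnetd
# really runs unprivileged, as the steps in UNPRIVILEGED USER CONFIGURATION
# intend. Assumes Linux (stat -c, ps -C). The account name can be overridden
# through the environment; the default matches the useradd command above.

QNETD_USER="${QNETD_USER:-coroqnetd}"
QNETD_GROUP="${QNETD_GROUP:-coroqnetd}"

# Return 0 if DIR exists and is owned by USER:GROUP (what the chown above set).
qnetd_dir_owner_ok() {
    dir=$1 user=$2 group=$3
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%U:%G' "$dir")" = "$user:$group" ]
}

# Return 0 if DIR is not world-writable. The pid and IPC socket files live
# there; a world-writable directory would let any local user replace them.
qnetd_dir_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#"${mode%?}"}            # last octal digit = "other" bits
    case $other in 2|3|6|7) return 1 ;; esac
    return 0
}

# Return 0 if FILE sets the run-as user: the systemd "User=" directive or the
# initscript COROSYNC_QNETD_RUNAS line. Commented-out lines do not count.
qnetd_runas_configured() {
    file=$1 user=$2
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*(User|COROSYNC_QNETD_RUNAS)=\"?$user\"?[[:space:]]*\$" "$file"
}

# Return 0 if a running corosync-qnetd process has the uid of USER.
# Compares uids, not names, so long user names truncated by ps do not matter.
qnetd_process_runas() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    ps -o uid= -C corosync-qnetd 2>/dev/null | tr -d ' ' | grep -qx "$uid"
}

# Run every check against the default locations and print one line per check.
# Returns 1 if a directory or run-as configuration check failed.
qnetd_check_all() {
    rc=0
    for d in /etc/corosync/qnetd /var/run/corosync-qnetd; do
        if qnetd_dir_owner_ok "$d" "$QNETD_USER" "$QNETD_GROUP" && qnetd_dir_mode_ok "$d"; then
            echo "ok   $d is owned by $QNETD_USER:$QNETD_GROUP and not world-writable"
        else
            echo "FAIL $d is missing, has the wrong owner or is world-writable"; rc=1
        fi
    done
    found=0
    # Unit file locations are assumptions; adjust to the distribution in use.
    for f in /etc/sysconfig/corosync-qnetd /etc/default/corosync-qnetd \
             /etc/systemd/system/corosync-qnetd.service \
             /usr/lib/systemd/system/corosync-qnetd.service; do
        if qnetd_runas_configured "$f" "$QNETD_USER"; then
            echo "ok   $f sets the run-as user $QNETD_USER"; found=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL no sysconfig/default or unit file sets the run-as user"; rc=1; }
    if qnetd_process_runas "$QNETD_USER"; then
        echo "ok   corosync-qnetd is running as $QNETD_USER"
    else
        echo "WARN corosync-qnetd is not running, or not running as $QNETD_USER"
    fi
    return $rc
}

# Usage: sh check-qnetd-privs.sh --check   (reading the default paths needs root)
if [ "${1:-}" = "--check" ]; then
    qnetd_check_all
fi
```

       The process check is reported as a warning rather than a failure
       because it is legitimately false while the daemon is stopped; the
       ownership, mode and run-as checks must pass before the service is
       started.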

TLS CONFIGURATION

       For TLS to work it's necessary to create the NSS database. If pcs is
       used then the following steps are not needed because pcs does them
       automatically.

       corosync-qnetd-certutil is the tool to perform the required actions.
       Just run:

       # corosync-qnetd-certutil -i

       If TLS is not required then simply edit
       /etc/(sysconfig|default)/corosync-qnetd or the systemd unit file and
       add the parameter -s off in the proper place.


ADVANCED SETTINGS

       Set by the -S option. The default value is shown in parentheses.

       listen_backlog
              Parameter passed to the listen syscall on the network socket.
              (10)

       max_client_send_buffers
              Maximum number of send buffers for one client. (32)

       max_client_send_size
              Maximum size of one send buffer (message) to be sent to a
              client. (32768)

       max_client_receive_size
              Maximum size of the receive buffer for a client message
              (maximum allowed message size received from a client). (32768)

       nss_db_dir
              NSS database directory. (/etc/corosync/qnetd/nssdb)

       cert_nickname
              NSS nickname of the qnetd server certificate. (QNetd Cert)

       heartbeat_interval_min
              Minimum heartbeat timeout accepted by the server in ms. (1000)

       heartbeat_interval_max
              Maximum heartbeat timeout accepted by the server in ms.
              (120000)

       dpd_enabled
              Dead peer detection enabled. (on)

       dpd_interval
              How often the DPD algorithm detects dead peers in ms. (10000)

       lock_file
              Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)

       local_socket_file
              Internal IPC socket file location.
              (/var/run/corosync-qnetd/corosync-qnetd.sock)

       local_socket_backlog
              Parameter passed to the listen syscall on the local socket. (10)

       ipc_max_clients
              Maximum allowed simultaneous IPC clients. (10)

       ipc_max_receive_size
              Maximum size of a message received from an IPC client. (4096)

       ipc_max_send_size
              Maximum size of a message sent to an IPC client. (10485760)

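       Since most of these settings are not safe to change, a mistyped name
       or an out-of-range value in a -S argument is best caught before the
       daemon is started with it. The validator below is an added example
       and not corosync's own code: the setting names and defaults are the
       ones listed above, while the rules it enforces (numeric settings must
       be positive integers, dpd_enabled must be on/off, path and nickname
       settings must not be empty, and heartbeat_interval_min may not exceed
       heartbeat_interval_max) are this example's own assumptions. Values
       containing a comma cannot be expressed in the option=value,... syntax
       and are not handled.

```shell
#!/bin/sh
# Added example, not part of corosync: sanity-checks a "-S option=value,..."
# argument against the settings listed under ADVANCED SETTINGS. Names and
# defaults come from the man page; the range rules are assumptions.

# Print the default for a known setting name, or return 1 if unknown.
qnetd_setting_default() {
    case $1 in
        listen_backlog)           echo 10 ;;
        max_client_send_buffers)  echo 32 ;;
        max_client_send_size)     echo 32768 ;;
        max_client_receive_size)  echo 32768 ;;
        nss_db_dir)               echo /etc/corosync/qnetd/nssdb ;;
        cert_nickname)            echo "QNetd Cert" ;;
        heartbeat_interval_min)   echo 1000 ;;
        heartbeat_interval_max)   echo 120000 ;;
        dpd_enabled)              echo on ;;
        dpd_interval)             echo 10000 ;;
        lock_file)                echo /var/run/corosync-qnetd/corosync-qnetd.pid ;;
        local_socket_file)        echo /var/run/corosync-qnetd/corosync-qnetd.sock ;;
        local_socket_backlog)     echo 10 ;;
        ipc_max_clients)          echo 10 ;;
        ipc_max_receive_size)     echo 4096 ;;
        ipc_max_send_size)        echo 10485760 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the argument is an unsigned decimal integer.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Validate a single option=value pair. Reports the reason on stderr and
# returns 1 on failure.
qnetd_validate_setting() {
    name=${1%%=*}; value=${1#*=}
    [ "$name" != "$1" ] || { echo "missing '=' in '$1'" >&2; return 1; }
    qnetd_setting_default "$name" >/dev/null || { echo "unknown setting '$name'" >&2; return 1; }
    case $name in
        dpd_enabled)
            case $value in
                on|off) ;;
                *) echo "$name must be on or off" >&2; return 1 ;;
            esac ;;
        nss_db_dir|cert_nickname|lock_file|local_socket_file)
            [ -n "$value" ] || { echo "$name must not be empty" >&2; return 1; } ;;
        *)
            # Every remaining setting is a count, size or interval (assumption:
            # zero is never a sensible value for them).
            is_uint "$value" && [ "$value" -gt 0 ] ||
                { echo "$name must be a positive integer" >&2; return 1; } ;;
    esac
}

# Validate a whole -S argument. Also rejects heartbeat_interval_min greater
# than heartbeat_interval_max, taking the defaults for whichever is not given.
qnetd_validate_settings() {
    settings=$1 hb_min=1000 hb_max=120000 rc=0
    [ -n "$settings" ] || { echo "empty settings string" >&2; return 1; }
    old_ifs=$IFS; IFS=,
    set -- $settings                      # split on commas
    IFS=$old_ifs
    for pair in "$@"; do
        qnetd_validate_setting "$pair" || rc=1
        case ${pair%%=*} in
            heartbeat_interval_min) hb_min=${pair#*=} ;;
            heartbeat_interval_max) hb_max=${pair#*=} ;;
        esac
    done
    if [ "$rc" -eq 0 ] && [ "$hb_min" -gt "$hb_max" ]; then
        echo "heartbeat_interval_min ($hb_min) exceeds heartbeat_interval_max ($hb_max)" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh check-qnetd-settings.sh -S 'dpd_interval=5000,listen_backlog=64'
if [ $# -eq 2 ] && [ "$1" = "-S" ]; then
    qnetd_validate_settings "$2" && echo "settings look sane"
fi
```

       The check deliberately stops at syntax and plausibility: it cannot
       tell whether a value is a good idea for a given cluster, which is the
       reason the man page advises against using -S at all.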

SEE ALSO

       corosync-qnetd-tool(8) corosync-qnetd-certutil(8) corosync-qdevice(8)


AUTHOR

       Jan Friesse

                                  2016-06-29                 COROSYNC-QNETD(8)