1COROSYNC-QNETD(8) System Manager's Manual COROSYNC-QNETD(8)
2
6 corosync-qnetd - QNet daemon
7
9 corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls] [-c
10 client_cert_required] [-m max_clients] [-S
11 option=value[,option2=value2,...]]"
12
15 corosync-qnetd is a daemon running outside of the cluster with the pur‐
16 pose of providing a vote to the corosync-qdevice model net. It's
17 designed to support multiple clusters and be almost configuration and
18 state free. New clusters are handled dynamically and no configuration
19 file exists. It's also able to run as non-root user - which is recom‐
20 mended. Connection between the corosync-qdevice model net client can be
21 optionally configured with TLS client certificate checking. The commu‐
22 nication protocol between server and client is designed to be very sim‐
23 ple and allow backwards compatibility.
24
26 -4 and its counterpart -6 are used to force IPv4 or IPv6 communica‐
27 tion. The default is to listen on both address families.
28 -d Turn on debug logging. By default the messages sent to syslog
30 are purely operational, this option sends additional debug mes‐
31 sages. For even more detail use the -d parameter twice.
32 -f Do not daemonize, run in the foreground.
34 -h Show short help text
36 -v Show version and supported communication protocol mes‐
38 sages/options.
39 -l IP address to listen on. By default the daemon listens on all
41 addresses (wildcard).
42 -p TCP port to listen on. Default port is 5403.
44 -s Determines if TLS should be used and can be one of
46 on/off/required (the default is on ). on means TLS is enabled
47 but the client is not required to start TLS, off means TLS is
48 completely disabled, and required means TLS is required. on and
49 required require the NSS database to be properly initialized by
50 running the corosync-qnetd-certutil command.
51 -c can be set to on/off. This option only makes sense if TLS is
53 enabled. When -c is on a client is required to send its client
54 certificate (default).
55 -m Maximum simultaneous clients. The default is 0 which means no
57 limit.
58 -S Set advanced settings described in its own section below. This
60 option shouldn't be generally used because most of the options
61 are not safe to change.
62
64 It's generally recommended to run corosync-qnetd as a non root user. If
65 you get a package from a distribution its highly possible that the
66 packager has done all the hard work for you. If the installation is
67 performed from source code, a few steps have to be taken.
68 First it's necessary to create an unprivileged user/group. The follow‐
70 ing commands can be used (executed as root):
71 # groupadd -r coroqnetd
73 # useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd
74 The next step is to set the correct owner and group on
76 /etc/corosync/qnetd and /var/run/corosync-qnetd directories.
77 # chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd
79 Some systems have the /var/run directory on a tmpfs file system which
81 gets discarded after a reboot. The solution is to use an initscript
82 which takes care of the /var/run/corosync-qnetd creation and sets the
83 correct owner and permissions. For systems with systemd it's possible
84 to use a tmpfile.d configuration file (installed by default if systemd
85 is enabled during corosync compilation).
86 The last step is to make sure corosync-qnetd is really executed as an
88 unprivileged user. For initscript systems it's enough to set the line
89 COROSYNC_QNETD_RUNAS in /etc/(sysconfig|default)/corosync-qnetd file.
90 If the file is not already installed then use the one provided in the
91 corosync source code (init/corosync-qnetd.sysconfig.example). For sys‐
92 temd, overwrite/copy the corosync-qnetd.service unit file and uncom‐
93 ment/change the "User=" directive.
94
97 For TLS to work its necessary to create the NSS database. If pcs is
98 used then the following steps are not needed because pcs does them
99 automatically.
100 corosync-qnetd-certutil is the tool to perform required actions. Just
102 run:
103 # corosync-qnetd-certutil -i
105 If TLS is not required then simply edit /etc/(syscon‐
107 fig|default)/corosync-qnetd or systemd unit file and add the parameter
108 -s off in the proper place.
109
112 Set by the -S option. The default value is shown in parantheses.
113 listen_backlog
115 Parameter passed to the listen syscall on the network socket.
116 (10)
117 max_client_send_buffers
119 Maximum number of send buffers for one client. (32)
120 max_client_send_size
122 Maximum size of one send buffer (message) to be sent to a
123 client. (32768)
124 max_client_receive_size
126 Maximum size of the receive buffer for a client message (maximum
127 allowed message size received by client). (32768)
128 nss_db_dir
130 NSS database directory. (/etc/corosync/qnetd/nssdb)
131 cert_nickname
133 NSS nickname of qnetd server certificate. (QNetd Cert)
134 heartbeat_interval_min
136 Minimum heartbeat timeout accepted by server in ms. (1000)
137 heartbeat_interval_max
139 Maximum heartbeat timeout accepted by server in ms. (120000)
140 dpd_enabled
142 Dead peer detection enabled. (on)
143 dpd_interval
145 How often the DPD algorithm detects dead peers in ms. (10000)
146 lock_file
148 Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)
149 local_socket_file
151 Internal IPC socket file location. (/var/run/corosync-
152 qnetd/corosync-qnetd.sock)
153 local_socket_backlog
155 Parameter passed to listen syscall on the local socket. (10)
156 ipc_max_clients
158 Maximum allowed simultaneous IPC clients. (10)
159 ipc_max_receive_size
161 Maximum size of a message received by IPC client. (4096)
162 ipc_max_send_size
164 Maximum size of a message sent to an IPC client. (10485760)
165
167 corosync-qnetd-tool(8) corosync-qnetd-certutil(8) corosync-qdevice(8)
168
170 Jan Friesse
171 2016-06-29 COROSYNC-QNETD(8)