COROSYNC-QNETD(8)           System Manager's Manual          COROSYNC-QNETD(8)

NAME

       corosync-qnetd - QNet daemon

SYNOPSIS

       corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls]
                      [-c client_cert_required] [-m max_clients]
                      [-S option=value[,option2=value2,...]]

DESCRIPTION

       corosync-qnetd is a daemon running outside of the cluster with the
       purpose of providing a vote to the corosync-qdevice model net. It's
       designed to support multiple clusters and be almost configuration and
       state free. New clusters are handled dynamically and no configuration
       file exists. It's also able to run as a non-root user, which is
       recommended. The connection from the corosync-qdevice model net client
       can optionally be configured with TLS client certificate checking. The
       communication protocol between server and client is designed to be
       very simple and allow backwards compatibility.

OPTIONS

       -4     and its counterpart -6 are used to force IPv4 or IPv6
              communication. The default is to listen on both address
              families.

       -d     Turn on debug logging. By default the messages sent to syslog
              are purely operational; this option sends additional debug
              messages. For even more detail use the -d parameter twice.

       -f     Do not daemonize, run in the foreground.

       -h     Show short help text.

       -v     Show version and supported communication protocol
              messages/options.

       -l     IP address to listen on. By default the daemon listens on all
              addresses (wildcard).

       -p     TCP port to listen on. Default port is 5403.

       -s     Determines if TLS should be used and can be one of
              on/off/required (the default is on). on means TLS is enabled
              but the client is not required to start TLS, off means TLS is
              completely disabled, and required means TLS is required. on
              and required require the NSS database to be properly
              initialized by running the corosync-qnetd-certutil command.

       -c     can be set to on/off. This option only makes sense if TLS is
              enabled. When -c is on a client is required to send its client
              certificate (default).

       -m     Maximum simultaneous clients. The default is 0 which means no
              limit.

       -S     Set advanced settings described in its own section below. This
              option shouldn't generally be used because most of the options
              are not safe to change.

UNPRIVILEGED USER CONFIGURATION

       It's generally recommended to run corosync-qnetd as a non-root user.
       If you get a package from a distribution it's quite likely that the
       packager has done all the hard work for you. If the installation is
       performed from source code, a few steps have to be taken.

       First it's necessary to create an unprivileged user/group. The
       following commands can be used (executed as root):

       # groupadd -r coroqnetd
       # useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd

       The next step is to set the correct owner and group on the
       /etc/corosync/qnetd and /var/run/corosync-qnetd directories.

       # chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd

       Some systems have the /var/run directory on a tmpfs file system which
       gets discarded after a reboot. The solution is to use an initscript or
       systemd unit, because both of them take care of creating
       /var/run/corosync-qnetd and set the correct owner and permissions.

       The last step is to make sure corosync-qnetd is really executed as an
       unprivileged user. For initscript systems it's enough to set the
       COROSYNC_QNETD_RUNAS line in the /etc/(sysconfig|default)/corosync-qnetd
       file. If the file is not already installed then use the one provided
       in the corosync source code (init/corosync-qnetd.sysconfig.example).
       For systemd, overwrite/copy the corosync-qnetd.service unit file and
       uncomment/change the "User=" directive.
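       The steps above collected into one script, with checks that the
       directories and the running daemon really belong to the unprivileged
       user. This is an added example, not corosync's own code; it assumes
       GNU stat -c and procps ps -C, mode 750 on the two directories, and a
       systemd drop-in (user.conf) instead of editing the unit file.

```shell
#!/bin/sh
# Added example, not part of corosync: the unprivileged-user steps from this
# page plus checks. Assumes stat -c and ps -C (GNU coreutils/procps), mode
# 750 on the directories, and a systemd drop-in instead of editing the unit.
set -u
QNETD_USER=coroqnetd
QNETD_DIRS="/etc/corosync/qnetd /var/run/corosync-qnetd"

# qnetd_dir_owned_by DIR USER: 0 if DIR exists, is owned by USER and is not
# writable by group or others (the NSS database and pid file live there).
qnetd_dir_owned_by() {
    [ -d "$1" ] || { echo "$1: missing" >&2; return 1; }
    owner=$(stat -c %U "$1") && mode=$(stat -c %a "$1") || return 1
    [ "$owner" = "$2" ] || { echo "$1: owned by $owner, expected $2" >&2; return 1; }
    case "$mode" in
        *[2367]?|*[2367]) echo "$1: mode $mode is group/world writable" >&2; return 1 ;;
    esac
    return 0
}

# qnetd_systemd_override USER: drop-in content that runs the unit as USER.
qnetd_systemd_override() {
    printf '[Service]\nUser=%s\nGroup=%s\n' "$1" "$1"
}

# qnetd_setup_user: create the user/group, fix ownership, install the
# drop-in; idempotent, must run as root.
qnetd_setup_user() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    getent group "$QNETD_USER" >/dev/null || groupadd -r "$QNETD_USER"
    getent passwd "$QNETD_USER" >/dev/null || useradd -r -g "$QNETD_USER" \
        -d / -s /sbin/nologin -c "User for corosync-qnetd" "$QNETD_USER"
    for d in $QNETD_DIRS; do
        mkdir -p "$d" && chown -R "$QNETD_USER:$QNETD_USER" "$d" && chmod 750 "$d"
        qnetd_dir_owned_by "$d" "$QNETD_USER" || return 1
    done
    mkdir -p /etc/systemd/system/corosync-qnetd.service.d
    qnetd_systemd_override "$QNETD_USER" \
        > /etc/systemd/system/corosync-qnetd.service.d/user.conf
}

# qnetd_running_as USER: 0 if every running corosync-qnetd process has USER's
# uid. Numeric uids are compared because ps truncates long user names.
qnetd_running_as() {
    want=$(id -u "$1") || return 1
    uids=$(ps -o uid= -C corosync-qnetd) || { echo "not running" >&2; return 1; }
    for u in $uids; do
        [ "$u" = "$want" ] || { echo "running as uid $u, expected $want" >&2; return 1; }
    done
}
```

       After a reboot, qnetd_dir_owned_by on /var/run/corosync-qnetd and
       qnetd_running_as coroqnetd together confirm the tmpfs and RUNAS/User=
       settings took effect.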

TLS CONFIGURATION

       For TLS to work it's necessary to create the NSS database. If pcs is
       used then the following steps are not needed because pcs does them
       automatically.

       corosync-qnetd-certutil is the tool to perform the required actions.
       Just run:

       # corosync-qnetd-certutil -i

       If TLS is not required then simply edit
       /etc/(sysconfig|default)/corosync-qnetd or the systemd unit file and
       add the parameter -s off in the proper place.

       Depending on the configuration of NSS (stored in the nss.config file,
       usually in the /etc/crypto-policies/back-ends/ directory), disabled
       ciphers or too short keys may be rejected. The proper solution is to
       regenerate the NSS databases for both the corosync-qnetd and
       corosync-qdevice daemons. As a quick workaround it's also possible to
       set the environment variable NSS_IGNORE_SYSTEM_POLICY=1 before running
       the corosync-qnetd daemon.

       When NSS is updated it may also be needed to upgrade the database into
       the new format. There is no consensus on the recommended way, but the
       following command seems to work just fine (if the qnetd sysconfdir is
       set to /etc):

       # certutil -N -d /etc/corosync/qnetd/nssdb -f /etc/corosync/qnetd/nssdb/pwdfile.txt
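       An added example (not corosync's own code) that reads the -s, -c and
       -S options from OPTIONS and this section off a corosync-qnetd command
       line and reports whether the daemon would accept unauthenticated
       clients. The defaults it applies (-s on, -c on, nss_db_dir
       /etc/corosync/qnetd/nssdb) are the ones documented on this page; the
       posture wording and the hypothetical function name are mine.

```shell
#!/bin/sh
# Added example, not part of corosync: classify the TLS posture of a
# corosync-qnetd command line from the -s, -c and -S options documented
# on this page. Defaults (on, on, /etc/corosync/qnetd/nssdb) are the page's.

# qnetd_tls_posture ARGS...: prints the posture; returns 0 only when TLS is
# required and the client certificate is checked, 1 when weaker, 2 on error.
qnetd_tls_posture() {
    tls=on; cert=on; db=/etc/corosync/qnetd/nssdb
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|-c|-S)
                [ $# -ge 2 ] || { echo "missing value for $1"; return 2; }
                case "$1" in
                    -s) tls=$2 ;;
                    -c) cert=$2 ;;
                    -S) # advanced settings: option=value[,option2=value2,...]
                        for kv in $(printf '%s' "$2" | tr ',' ' '); do
                            case "$kv" in nss_db_dir=*) db=${kv#nss_db_dir=} ;; esac
                        done ;;
                esac
                shift ;;
            -l|-p|-m) shift ;;    # other options that take a value
        esac
        shift
    done
    case "$tls" in
        off) echo "weak: TLS disabled, clients are not authenticated"; return 1 ;;
        on)  echo "weak: TLS optional, a client may connect without starting TLS"
             return 1 ;;
        required) ;;
        *)   echo "invalid -s value: $tls"; return 2 ;;
    esac
    [ -d "$db" ] || echo "note: NSS database $db not found; run corosync-qnetd-certutil -i" >&2
    case "$cert" in
        on)  echo "ok: TLS required and client certificate required (NSS db $db)" ;;
        off) echo "weak: TLS required but no client certificate check (-c off)"; return 1 ;;
        *)   echo "invalid -c value: $cert"; return 2 ;;
    esac
}
```

       Run it on the argument list from the sysconfig file or the unit's
       ExecStart, e.g. qnetd_tls_posture -s required -c on -S nss_db_dir=/path.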

ADVANCED SETTINGS

       Set by the -S option. The default value is shown in parentheses.

       listen_backlog
              Parameter passed to the listen syscall on the network socket.
              (10)

       max_client_send_buffers
              Maximum number of send buffers for one client. (32)

       max_client_send_size
              Maximum size of one send buffer (message) to be sent to a
              client. (32768)

       max_client_receive_size
              Maximum size of the receive buffer for a client message (maximum
              allowed message size received by client). (32768)

       nss_db_dir
              NSS database directory. (/etc/corosync/qnetd/nssdb)

       cert_nickname
              NSS nickname of qnetd server certificate. (QNetd Cert)

       heartbeat_interval_min
              Minimum heartbeat timeout accepted by server in ms. (1000)

       heartbeat_interval_max
              Maximum heartbeat timeout accepted by server in ms. (120000)

       dpd_enabled
              Dead peer detection enabled. (on)

       dpd_interval
              How often the DPD algorithm detects dead peers in ms. (10000)

       lock_file
              Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)

       local_socket_file
              Internal IPC socket file location.
              (/var/run/corosync-qnetd/corosync-qnetd.sock)

       local_socket_backlog
              Parameter passed to listen syscall on the local socket. (10)

       ipc_max_clients
              Maximum allowed simultaneous IPC clients. (10)

       ipc_max_receive_size
              Maximum size of a message received by IPC client. (4096)

       ipc_max_send_size
              Maximum size of a message sent to an IPC client. (10485760)

SEE ALSO

       corosync-qnetd-tool(8) corosync-qnetd-certutil(8) corosync-qdevice(8)

AUTHOR

       Jan Friesse

                                  2018-08-09                 COROSYNC-QNETD(8)