COROSYNC-QNETD(8)           System Manager's Manual          COROSYNC-QNETD(8)

NAME
       corosync-qnetd - QNet daemon

SYNOPSIS
       corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls]
       [-c client_cert_required] [-m max_clients]
       [-S option=value[,option2=value2,...]]

DESCRIPTION
       corosync-qnetd is a daemon running outside of the cluster with the
       purpose of providing a vote to the corosync-qdevice model net. It is
       designed to support multiple clusters and to be almost configuration
       and state free. New clusters are handled dynamically and no
       configuration file exists. It can also run as a non-root user, which
       is recommended. The connection from a corosync-qdevice model net
       client can optionally be protected with TLS, including client
       certificate checking. The communication protocol between server and
       client is designed to be very simple and to allow backwards
       compatibility.

OPTIONS
       -4, -6 Force IPv4 or IPv6 communication, respectively. The default is
              to listen on both address families.

       -d     Turn on debug logging. By default the messages sent to syslog
              are purely operational; this option sends additional debug
              messages. To bump the syslog message priority to info, give
              the -d parameter twice.

       -f     Do not daemonize, run in the foreground.

       -h     Show short help text.

       -v     Show version and supported communication protocol
              messages/options.

       -l     IP address to listen on. By default the daemon listens on all
              addresses (wildcard).

       -p     TCP port to listen on. The default port is 5403.

       -s     Determines whether TLS is used and can be one of
              on/off/required (the default is on). on means TLS is enabled
              but the client is not required to start TLS, so a client that
              never starts TLS is accepted in plaintext and no certificate
              is ever checked for it; off means TLS is completely disabled;
              required means every client must use TLS. If clients must be
              authenticated, use required; on alone does not enforce it.
              on and required need the NSS database to be properly
              initialized by running the corosync-qnetd-certutil command.

       -c     Can be set to on/off (the default is on). This option only
              makes sense if TLS is enabled. When -c is on, a client that
              uses TLS is required to send its client certificate.

       -m     Maximum number of simultaneous clients. The default is 0,
              which means no limit.

       -S     Set advanced settings described in their own section below.
              This option should generally not be used because most of the
              settings are not safe to change.

RUNNING AS NON ROOT USER
       It is generally recommended to run corosync-qnetd as a non-root user.
       If you get a package from a distribution, it is likely that the
       packager has already done all the hard work for you. If the
       installation is performed from source code, a few steps have to be
       taken.

       First it is necessary to create an unprivileged user and group. The
       following commands can be used (executed as root):

              # groupadd -r coroqnetd
              # useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd

       The next step is to set the correct owner and group on the
       /etc/corosync/qnetd and /var/run/corosync-qnetd directories:

              # chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd

       Some systems have the /var/run directory on a tmpfs file system which
       is discarded after a reboot. The solution is to use an initscript or
       a systemd unit, because both take care of creating
       /var/run/corosync-qnetd and set the correct owner and permissions.

       The last step is to make sure corosync-qnetd is really executed as
       the unprivileged user. For initscript systems it is enough to set
       the COROSYNC_QNETD_RUNAS line in the
       /etc/(sysconfig|default)/corosync-qnetd file. If the file is not
       already installed, use the one provided in the corosync source code
       (init/corosync-qnetd.sysconfig.example). For systemd, copy or
       override the corosync-qnetd.service unit file and uncomment/change
       the "User=" directive.

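       The following script, added here as an example and not part of
       corosync, performs the three steps above in one go on a systemd host:
       it creates the account with the commands shown, fixes the ownership
       of the two directories, and installs a drop-in for
       corosync-qnetd.service so the daemon starts as coroqnetd. The script
       and drop-in names, the 0750 mode on the NSS directory and the
       RuntimeDirectory= and NoNewPrivileges= lines are this example's own
       assumptions, not settings taken from the project's shipped unit. Run
       it as root with the argument apply; without an argument it only
       defines its functions.

```shell
#!/bin/sh
# setup-qnetd-nonroot.sh: added example, not part of corosync.
# Performs the three steps from this section on a systemd host: create the
# coroqnetd account, fix ownership of the two directories, and install a
# drop-in so corosync-qnetd.service runs as that account. The drop-in name,
# the 0750 mode on the NSS directory and the RuntimeDirectory= and
# NoNewPrivileges= lines are this example's assumptions, not the project's
# shipped unit. Usage (as root): sh setup-qnetd-nonroot.sh apply
set -eu

QNETD_USER=coroqnetd
QNETD_GROUP=coroqnetd

# Same groupadd/useradd as the man page, made idempotent.
ensure_account() {
    getent group "$QNETD_GROUP" >/dev/null 2>&1 || groupadd -r "$QNETD_GROUP"
    id -u "$QNETD_USER" >/dev/null 2>&1 ||
        useradd -r -g "$QNETD_GROUP" -d / -s /sbin/nologin \
            -c "User for corosync-qnetd" "$QNETD_USER"
}

# The same chown as the man page; /etc/corosync/qnetd also holds the NSS
# database with the server key, so it is additionally closed to others
# (assumption: 0750, which may be stricter than a package chose).
fix_ownership() {
    root=${1%/}
    mkdir -p "$root/etc/corosync/qnetd" "$root/var/run/corosync-qnetd"
    chown -R "$QNETD_USER:$QNETD_GROUP" \
        "$root/etc/corosync/qnetd" "$root/var/run/corosync-qnetd"
    chmod 0750 "$root/etc/corosync/qnetd"
}

# A drop-in for the packaged unit rather than a copy, so it survives package
# upgrades. RuntimeDirectory= recreates /run/corosync-qnetd with the right
# owner on every start, which covers the tmpfs /var/run case above.
write_dropin() {
    root=${1%/}
    dir="$root/etc/systemd/system/corosync-qnetd.service.d"
    mkdir -p "$dir"
    cat >"$dir/nonroot.conf" <<EOF
[Service]
User=$QNETD_USER
Group=$QNETD_GROUP
RuntimeDirectory=corosync-qnetd
RuntimeDirectoryMode=0750
NoNewPrivileges=yes
EOF
    printf '%s\n' "$dir/nonroot.conf"
}

# Print the User= the drop-in sets, so the result can be verified.
dropin_user() {
    sed -n 's/^User=//p' \
        "${1%/}/etc/systemd/system/corosync-qnetd.service.d/nonroot.conf"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    ensure_account
    fix_ownership "$1"
    write_dropin "$1"
    echo "now run: systemctl daemon-reload && systemctl restart corosync-qnetd"
}

case "${1:-}" in
    apply) main "${2:-/}" ;;
esac
```

       After applying, systemctl show -p User corosync-qnetd should report
       coroqnetd, and ps -o user= -C corosync-qnetd should agree once the
       service has been restarted.
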
TLS CONFIGURATION
       For TLS to work it is necessary to create the NSS database. If pcs is
       used then the following steps are not needed, because pcs does them
       automatically.

       corosync-qnetd-certutil is the tool to perform the required actions.
       Just run:

              # corosync-qnetd-certutil -i

       If TLS is not required, simply edit
       /etc/(sysconfig|default)/corosync-qnetd or the systemd unit file and
       add the parameter -s off in the proper place. With TLS disabled
       nothing authenticates the clients, so the listening port must then
       be reachable only from the cluster nodes.

       Depending on the configuration of NSS (stored in the nss.config file,
       usually in the /etc/crypto-policies/back-ends/ directory), disabled
       ciphers or too short keys may be rejected. The proper solution is to
       regenerate the NSS databases for both the corosync-qnetd and
       corosync-qdevice daemons. As a quick workaround it is also possible to
       set the environment variable NSS_IGNORE_SYSTEM_POLICY=1 before running
       the corosync-qnetd daemon; this turns off the system-wide crypto
       policy for the daemon and keeps the weak keys or ciphers in use, so it
       should not be left in place.

       When NSS is updated it may also be necessary to upgrade the database
       into the new format. There is no consensus on the recommended way, but
       the following command seems to work just fine (if the qnetd
       sysconfdir is set to /etc):

              # certutil -N -d /etc/corosync/qnetd/nssdb -f /etc/corosync/qnetd/nssdb/pwdfile.txt

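       The script below, added here as an example and not part of corosync,
       checks the resulting TLS posture of a running daemon. It parses the
       output of corosync-qnetd-tool -s, whose TLS: line is assumed here to
       read Unsupported, Supported or Required with "(client certificate
       required)" appended when -c on is in effect (verify this against your
       version), and accepts nothing weaker than -s required -c on; it also
       rejects an NSS database directory with world-readable entries, since
       the key database and pwdfile.txt live there. The NSSDB variable and
       the function names are this example's own.

```shell
#!/bin/sh
# check-qnetd-tls.sh: added example, not part of corosync.
# Verifies that a running corosync-qnetd enforces TLS with client
# certificates and that its NSS database is not readable by other users.
# The status line format is this example's assumption about what
# "corosync-qnetd-tool -s" prints; check it against your version.
set -eu

NSSDB=${NSSDB:-/etc/corosync/qnetd/nssdb}

# tls_mode: read status output on stdin, print the first word after "TLS:"
# in lower case: unsupported (-s off), supported (-s on) or required
# (-s required). Prints nothing if no TLS line is present.
tls_mode() {
    sed -n 's/^TLS:[[:space:]]*\([A-Za-z]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# client_cert_required: succeed if the status shows -c on in effect.
client_cert_required() {
    grep -q '^TLS:.*(client certificate required)'
}

# tls_policy_ok: succeed only for "-s required -c on". With "-s on" a client
# may skip TLS entirely and then no certificate is ever checked, so
# "Supported (client certificate required)" is still rejected here.
tls_policy_ok() {
    status=$(cat)
    [ "$(printf '%s\n' "$status" | tls_mode)" = required ] &&
        printf '%s\n' "$status" | client_cert_required
}

# nssdb_ok DIR: the directory holds cert9.db/key4.db (or the older
# cert8.db/key3.db) and pwdfile.txt; any world-readable entry exposes the
# server key or the password protecting it.
nssdb_ok() {
    dir=${1:-$NSSDB}
    if [ ! -d "$dir" ]; then
        echo "$dir missing: run corosync-qnetd-certutil -i" >&2
        return 1
    fi
    if [ -n "$(find "$dir" -perm -004 -print)" ]; then
        echo "world-readable entries under $dir" >&2
        return 1
    fi
    return 0
}

case "${1:-}" in
    check)
        if corosync-qnetd-tool -s | tls_policy_ok && nssdb_ok "$NSSDB"; then
            echo "qnetd TLS posture OK"
        else
            echo "qnetd TLS posture NOT OK: want -s required -c on and a private nssdb" >&2
            exit 1
        fi ;;
esac
```

       Run it on the qnetd host as sh check-qnetd-tls.sh check, as root or
       as the coroqnetd user so that it can read the NSS directory; a
       non-zero exit means either the daemon still accepts plaintext clients
       or the database files are readable by other local users.
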
ADVANCED SETTINGS
       Set by the -S option. The default value is shown in parentheses.

       listen_backlog
              Parameter passed to the listen syscall on the network socket.
              (10)

       max_client_send_buffers
              Maximum number of send buffers for one client. (32)

       max_client_send_size
              Maximum size of one send buffer (message) to be sent to a
              client. (32768)

       max_client_receive_size
              Maximum size of the receive buffer for a client message
              (maximum allowed size of a message received from a client).
              (32768)

       nss_db_dir
              NSS database directory. (/etc/corosync/qnetd/nssdb)

       cert_nickname
              NSS nickname of the qnetd server certificate. (QNetd Cert)

       heartbeat_interval_min
              Minimum heartbeat timeout accepted by the server, in ms. (1000)

       heartbeat_interval_max
              Maximum heartbeat timeout accepted by the server, in ms.
              (120000)

       dpd_enabled
              Dead peer detection enabled. (on)

       dpd_interval_coefficient
              The value is multiplied by the heartbeat interval sent by the
              qdevice client and the result is used as the timeout for dead
              peer detection. (1.5)

       lock_file
              Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)

       local_socket_file
              Internal IPC socket file location.
              (/var/run/corosync-qnetd/corosync-qnetd.sock)

       local_socket_backlog
              Parameter passed to the listen syscall on the local socket.
              (10)

       ipc_max_clients
              Maximum allowed number of simultaneous IPC clients. (10)

       ipc_max_receive_size
              Maximum size of a message received from an IPC client. (4096)

       ipc_max_send_size
              Maximum size of a message sent to an IPC client. (10485760)

       keep_active_partition_tie_breaker
              When a tie happens, prefer the partition with members of the
              previously active (quorate) partition. This is the hard-coded
              behavior of the LMS algorithm, so this setting affects only
              the FFSplit algorithm. (off)

SEE ALSO
       corosync-qnetd-tool(8) corosync-qnetd-certutil(8) corosync-qdevice(8)

AUTHOR
       Jan Friesse

                                  2020-11-18                 COROSYNC-QNETD(8)