jammy (5) fence_virt.conf.5.gz
NAME
fence_virt.conf - configuration file for fence_virtd
DESCRIPTION
The fence_virt.conf file contains configuration information for fence_virtd, a fencing request routing daemon for clusters of virtual machines. The file is tree-structured. There are parent/child relationships and sibling relationships between the nodes. foo { bar { baz = "1"; } } There are three primary sections of fence_virt.conf.
SECTIONS
fence_virtd This section contains global information about how fence_virtd is to operate. The most important pieces of information are as follows: listener the listener plugin for receiving fencing requests from clients backend the plugin to be used to carry out fencing requests foreground do not fork into the background. wait_for_init wait for the frontend and backends to become available rather than giving up immediately. This replaces wait_for_backend in 0.2.x. module_path the module path to search for plugins listeners This section contains listener-specific configuration information; see the section about listeners below. backends This section contains listener-specific configuration information; see the section about listeners below. groups This section contains static maps of which virtual machines may fence which other virtual machines; see the section about groups below.
LISTENERS
There are various listeners available for fence_virtd, each one handles decoding and authentication of a given fencing request. The following configuration blocks belong in the listeners section of fence_virt.conf multicast key_file the shared key file to use (default: /etc/cluster/fence_xvm.key). hash the weakest hashing algorithm allowed for client requests. Clients may send packets with stronger hashes than the one specified, but not weaker ones. (default: sha256, but could be sha1, sha512, or none) auth the hashing algorithm to use for the simplistic challenge-response authentication (default: sha256, but could be sha1, sha512, or none) family the IP family to use (default: ipv4, but may be ipv6) address the multicast address to listen on (default: 225.0.0.12) port the multicast port to listen on (default: 1229) interface interface to listen on. By default, fence_virtd listens on all interfaces. However, this causes problems in some environments where the host computer is used as a gateway. serial The serial listener plugin utilizes libvirt's serial (or VMChannel) mapping to listen for requests. When using the serial listener, it is necessary to add a serial port (preferably pointing to /dev/ttyS1) or a channel (preferably pointing to 10.0.2.179:1229) to the libvirt domain description. Note that only type unix , mode bind serial ports and channels are supported. Example libvirt XML: <serial type='unix'> <source mode='bind' path='/sandbox/guests/fence_socket_molly'/> <target port='1'/> </serial> <channel type='unix'> <source mode='bind' path='/sandbox/guests/fence_molly_vmchannel'/> <target type='guestfwd' address='10.0.2.179' port='1229'/> </channel> uri the URI to use when connecting to libvirt by the serial plugin. path The same directory that is defined for the domain serial port path (From example above: /sandbox/guests). Sockets must reside in this directory in order to be considered valid. This can be used to prevent fence_virtd from using the wrong sockets. mode This selects the type of sockets to register. Valid values are "serial" (default) and "vmchannel". tcp The tcp listener operates similarly to the multicast listener but uses TCP sockets for communication instead of using multicast packets. key_file the shared key file to use (default: /etc/cluster/fence_xvm.key). hash the hashing algorithm to use for packet signing (default: sha256, but could be sha1, sha512, or none) auth the hashing algorithm to use for the simplistic challenge-response authentication (default: sha256, but could be sha1, sha512, or none) family the IP family to use (default: ipv4, but may be ipv6) address the IP address to listen on (default: 127.0.0.1 for IPv4, ::1 for IPv6) port the TCP port to listen on (default: 1229) vsock The vsock listener operates similarly to the multicast listener but uses virtual machine sockets (AF_VSOCK) for communication instead of using multicast packets. key_file the shared key file to use (default: /etc/cluster/fence_xvm.key). hash the hashing algorithm to use for packet signing (default: sha256, but could be sha1, sha512, or none) auth the hashing algorithm to use for the simplistic challenge-response authentication (default: sha256, but could be sha1, sha512, or none) port the vsock port to listen on (default: 1229)
BACKENDS
There are various backends available for fence_virtd, each one handles routing a fencing request to a hypervisor or management tool. The following configuration blocks belong in the backends section of fence_virt.conf libvirt The libvirt plugin is the simplest plugin. It is used in environments where routing fencing requests between multiple hosts is not required, for example by a user running a cluster of virtual machines on a single desktop computer. uri the URI to use when connecting to libvirt. libvirt-qmf The libvirt-qmf plugin acts as a QMFv2 Console to the libvirt-qmf daemon in order to route fencing requests over AMQP to the appropriate computer. host host or IP address of qpid broker. Defaults to 127.0.0.1. port IP port of qpid broker. Defaults to 5672. username Username for GSSAPI, if configured. service Qpid service to connect to. gssapi If set to 1, have fence_virtd use GSSAPI for authentication when communicating with the Qpid broker. Default is 0 (off). cpg The cpg plugin uses corosync CPG and libvirt to track virtual machines and route fencing requests to the appropriate computer. uri the URI to use when connecting to libvirt by the cpg plugin. name_mode The cpg plugin, in order to retain compatibility with fence_xvm, stores virtual machines in a certain way. The default was to use 'name' when using fence_xvm and fence_xvmd, and so this is still the default. However, it is strongly recommended to use 'uuid' instead of 'name' in all cluster environments involving more than one physical host in order to avoid the potential for name collisions.
GROUPS
Fence_virtd supports static maps which allow grouping of VMs. The groups are arbitrary and are checked at fence time. Any member of a group may fence any other member. Hosts may be assigned to multiple groups if desired. group This defines a group. uuid defines UUID as a member of a group. ip defines an IP which is allowed to send fencing requests for members of this group (e.g. for multicast). It is highly recommended that this be used in conjunction with a key file.
EXAMPLE
fence_virtd { listener = "multicast"; backend = "cpg"; } # this is the listeners section listeners { multicast { key_file = "/etc/cluster/fence_xvm.key"; } } backends { libvirt { uri = "qemu:///system"; } } groups { group { ip = "192.168.1.1"; uuid = "44179d3f-6c63-474f-a212-20c8b4b25b16"; uuid = "1ce02c4b-dfa1-42cb-b5b1-f0b1091ece60"; } }
SEE ALSO
fence_virtd(8), fence_virt(8), fence_xvm(8), fence(8) fence_virtd.conf(5)