Provided by: corosync-qnetd_3.0.1-1_amd64 bug


       corosync-qnetd - QNet daemon


       corosync-qnetd    [-46dfhv]    [-l    listen_addr]   [-p   listen_port]   [-s   tls]   [-c
       client_cert_required] [-m max_clients] [-S option=value[,option2=value2,...]]"


       corosync-qnetd is a daemon running outside of the cluster with the purpose of providing  a
       vote  to the corosync-qdevice model net. It's designed to support multiple clusters and be
       almost configuration  and  state  free.  New  clusters  are  handled  dynamically  and  no
       configuration file exists.  It's also able to run as non-root user - which is recommended.
       Connection between the corosync-qdevice model net client can be optionally configured with
       TLS  client certificate checking.  The communication protocol between server and client is
       designed to be very simple and allow backwards compatibility.


       -4     and its counterpart -6 are used to force IPv4 or IPv6 communication. The default is
              to listen on both address families.

       -d     Turn  on  debug  logging.  By  default  the  messages  sent  to  syslog  are purely
              operational, this option  sends  additional  debug  messages.  For  bumping  syslog
              messages priority to info, use the -d parameter twice.

       -f     Do not daemonize, run in the foreground.

       -h     Show short help text

       -v     Show version and supported communication protocol messages/options.

       -l     IP address to listen on. By default the daemon listens on all addresses (wildcard).

       -p     TCP port to listen on. Default port is 5403.

       -s     Determines  if TLS should be used and can be one of on/off/required (the default is
              on ).  on means TLS is enabled but the client is not required  to  start  TLS,  off
              means  TLS  is  completely  disabled,  and  required means TLS is required.  on and
              required require the NSS  database  to  be  properly  initialized  by  running  the
              corosync-qnetd-certutil command.

       -c     can  be  set to on/off.  This option only makes sense if TLS is enabled. When -c is
              on a client is required to send its client certificate (default).

       -m     Maximum simultaneous clients. The default is 0 which means no limit.

       -S     Set advanced settings described in its own section below. This option shouldn't  be
              generally used because most of the options are not safe to change.


       It's  generally recommended to run corosync-qnetd as a non root user. If you get a package
       from a distribution its highly possible that the packager has done all the hard  work  for
       you. If the installation is performed from source code, a few steps have to be taken.

       First  it's  necessary to create an unprivileged user/group. The following commands can be
       used (executed as root):

       # groupadd -r coroqnetd
       # useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd

       The next  step  is  to  set  the  correct  owner  and  group  on  /etc/corosync/qnetd  and
       /var/run/corosync-qnetd directories.

       # chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd

       Some systems have the /var/run directory on a tmpfs file system which gets discarded after
       a reboot. The solution is to use an initscript or systemd unit, because both of them takes
       care of the /var/run/corosync-qnetd creation and sets the correct owner and permissions.

       The  last  step is to make sure corosync-qnetd is really executed as an unprivileged user.
       For  initscript  systems  it's  enough   to   set   the   line   COROSYNC_QNETD_RUNAS   in
       /etc/(sysconfig|default)/corosync-qnetd  file.  If  the file is not already installed then
       use the one provided in the corosync source code  (init/corosync-qnetd.sysconfig.example).
       For  systemd, overwrite/copy the corosync-qnetd.service unit file and uncomment/change the
       "User=" directive.


       For TLS to work its necessary to create  the  NSS  database.  If  pcs  is  used  then  the
       following steps are not needed because pcs does them automatically.

       corosync-qnetd-certutil is the tool to perform required actions. Just run:

       # corosync-qnetd-certutil -i

       If TLS is not required then simply edit /etc/(sysconfig|default)/corosync-qnetd or systemd
       unit file and add the parameter -s off in the proper place.

       Depending on configuration of NSS (stored  in  nss.config  file  usually  in  /etc/crypto-
       policies/back-ends/  directory) disabled ciphers or too short keys may be rejected. Proper
       solution is to regenerate NSS  databases  for  both  corosync-qnetd  and  corosync-qdevice
       daemons.   As   a  quick  workaround  it's  also  possible  to  set  environment  variable
       NSS_IGNORE_SYSTEM_POLICY=1 before running corosync-qnetd daemon.

       When NSS is updated it may also be needed to upgrade database into new format. There is no
       consensus  on  recommended  way,  but  following command seems to work just fine (if qnetd
       sysconfdir is set to /etc)

       # certutil -N -d /etc/corosync/qnetd/nssdb -f /etc/corosync/qnetd/nssdb/pwdfile.txt


       Set by the -S option. The default value is shown in parentheses.

              Parameter passed to the listen syscall on the network socket. (10)

              Maximum number of send buffers for one client. (32)

              Maximum size of one send buffer (message) to be sent to a client. (32768)

              Maximum size of the receive buffer for a client message  (maximum  allowed  message
              size received by client). (32768)

              NSS database directory. (/etc/corosync/qnetd/nssdb)

              NSS nickname of qnetd server certificate. (QNetd Cert)

              Minimum heartbeat timeout accepted by server in ms. (1000)

              Maximum heartbeat timeout accepted by server in ms. (120000)

              Dead peer detection enabled. (on)

              Value  is  multiplied  with heartbeat interval sent by qdevice client and used as a
              timeout for dead peer detection. (1.5)

              Lock file location. (/var/run/corosync-qnetd/

              Internal IPC socket file location. (/var/run/corosync-qnetd/corosync-qnetd.sock)

              Parameter passed to listen syscall on the local socket. (10)

              Maximum allowed simultaneous IPC clients. (10)

              Maximum size of a message received by IPC client. (4096)

              Maximum size of a message sent to an IPC client. (10485760)

              When tie happens prefer partition  with  members  of  previously  active  (quorate)
              partition.   This  is  hard-coded behavior of LMS algorithm so this setting affects
              only FFSplit algorithm. (off)


       corosync-qnetd-tool(8) corosync-qnetd-certutil(8) corosync-qdevice(8)


       Jan Friesse

                                            2020-11-18                          COROSYNC-QNETD(8)