Provided by: corosync-qnetd_3.0.3-1_amd64

NAME

       corosync-qnetd - QNet daemon

SYNOPSIS

       corosync-qnetd [-46dfhv] [-l listen_addr] [-p listen_port] [-s tls] [-c client_cert_required]
       [-m max_clients] [-S option=value[,option2=value2,...]]

DESCRIPTION

       corosync-qnetd is a daemon running outside of the cluster with the purpose of providing a vote to the
       corosync-qdevice model net. It's designed to support multiple clusters and to be almost configuration
       and state free. New clusters are handled dynamically and no configuration file exists. It's also able
       to run as a non-root user, which is recommended. The connection between the corosync-qdevice model net
       client and the server can optionally be configured with TLS client certificate checking. The
       communication protocol between server and client is designed to be very simple and to allow backwards
       compatibility.

OPTIONS

       -4     and  its  counterpart -6 are used to force IPv4 or IPv6 communication. The default is to listen on
              both address families.

       -d     Turn on debug logging. By default the messages sent to syslog are purely operational; this option
              sends additional debug messages. To bump the priority of the syslog messages to info, use the -d
              parameter twice.

       -f     Do not daemonize, run in the foreground.

       -h     Show short help text.

       -v     Show version and supported communication protocol messages/options.

       -l     IP address to listen on. By default the daemon listens on all addresses (wildcard).

       -p     TCP port to listen on. Default port is 5403.

       -s     Determines if TLS should be used and can be one of on/off/required (the default is on). on means
              TLS is enabled but the client is not required to start TLS, off means TLS is completely disabled,
              and required means TLS is required. on and required require the NSS database to be properly
              initialized by running the corosync-qnetd-certutil command.

       -c     Can be set to on/off. This option only makes sense if TLS is enabled. When -c is on (the
              default), a client is required to send its client certificate.

       -m     Maximum simultaneous clients. The default is 0 which means no limit.

       -S     Set advanced settings described in its own section below. This option shouldn't be generally  used
              because most of the options are not safe to change.

UNPRIVILEGED USER CONFIGURATION

       It's generally recommended to run corosync-qnetd as a non-root user. If you get a package from a
       distribution it's highly likely that the packager has done all the hard work for you. If the
       installation is performed from source code, a few steps have to be taken.

       First  it's  necessary to create an unprivileged user/group. The following commands can be used (executed
       as root):

       # groupadd -r coroqnetd
       # useradd -r -g coroqnetd -d / -s /sbin/nologin -c "User for corosync-qnetd" coroqnetd

       The next step is to set the correct owner and group on  /etc/corosync/qnetd  and  /var/run/corosync-qnetd
       directories.

       # chown -R coroqnetd:coroqnetd /etc/corosync/qnetd /var/run/corosync-qnetd

       Some systems have the /var/run directory on a tmpfs file system which gets discarded after a reboot. The
       solution is to use an initscript or systemd unit, because both of them take care of creating
       /var/run/corosync-qnetd and setting the correct owner and permissions.

       The  last  step is to make sure corosync-qnetd is really executed as an unprivileged user. For initscript
       systems it's enough to set the line COROSYNC_QNETD_RUNAS in /etc/(sysconfig|default)/corosync-qnetd file.
       If  the  file  is  not  already  installed  then  use  the  one  provided  in  the  corosync  source code
       (init/corosync-qnetd.sysconfig.example). For systemd, overwrite/copy the corosync-qnetd.service unit file
       and uncomment/change the "User=" directive.
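       The steps above, collected into one re-runnable script. This is an added example and not part of the
       corosync project: the user/group name and the two directories are the ones this page uses; the
       systemd drop-in path (/etc/systemd/system/corosync-qnetd.service.d/) assumes the standard override
       location, the 0750 modes are this example's choice, and the RuntimeDirectory= directive is how the
       drop-in addresses the tmpfs /var/run case described above. Privileged steps run only when invoked with
       the argument apply; the drop-in writer accepts a scratch root so the file can be previewed as a
       normal user.

```shell
#!/bin/sh
# Added example, not part of corosync-qnetd: an idempotent form of the
# unprivileged-user setup, plus a systemd drop-in that pins the service to
# that user and has systemd recreate the runtime directory on every boot
# (the tmpfs /var/run case). The drop-in location assumes the standard
# systemd override directory; the 0750 modes are this example's choice.

QNETD_USER=coroqnetd
QNETD_CONF_DIR=/etc/corosync/qnetd
QNETD_RUN_DIR=/var/run/corosync-qnetd

# Create the group and user only when they do not exist yet.
ensure_qnetd_user() {
    if ! getent group "$QNETD_USER" >/dev/null; then
        groupadd -r "$QNETD_USER"
    fi
    if ! getent passwd "$QNETD_USER" >/dev/null; then
        useradd -r -g "$QNETD_USER" -d / -s /sbin/nologin \
            -c "User for corosync-qnetd" "$QNETD_USER"
    fi
}

# Hand the configuration and runtime directories to the service user. The
# NSS database (server key plus its password file) lives under the config
# directory, so keep it unreadable for unrelated users.
fix_qnetd_dirs() {
    mkdir -p "$QNETD_CONF_DIR" "$QNETD_RUN_DIR"
    chown -R "$QNETD_USER:$QNETD_USER" "$QNETD_CONF_DIR" "$QNETD_RUN_DIR"
    chmod 0750 "$QNETD_CONF_DIR" "$QNETD_RUN_DIR"
}

# write_qnetd_dropin [ROOT]
# Writes the drop-in below ROOT (default: the real filesystem) and prints
# its path. Pass a scratch directory as ROOT to preview the file.
write_qnetd_dropin() {
    dir="${1:-}/etc/systemd/system/corosync-qnetd.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-unprivileged.conf" <<EOF
# Drop-in written by the qnetd setup example (assumed layout).
[Service]
User=$QNETD_USER
Group=$QNETD_USER
# systemd creates /run/corosync-qnetd owned by User/Group before start,
# so a tmpfs /var/run no longer loses the directory across reboots.
RuntimeDirectory=corosync-qnetd
RuntimeDirectoryMode=0750
EOF
    printf '%s\n' "$dir/10-unprivileged.conf"
}

# Privileged steps run only on explicit request:  sh qnetd-setup.sh apply
case ${1:-} in
    apply)
        if [ "$(id -u)" -ne 0 ]; then
            echo "run as root" >&2
            exit 1
        fi
        ensure_qnetd_user
        fix_qnetd_dirs
        write_qnetd_dropin
        systemctl daemon-reload
        ;;
esac
```

       Preview the drop-in without touching the system with write_qnetd_dropin /tmp/preview; after apply,
       systemctl show corosync-qnetd -p User confirms the unit picked up the new user.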

TLS CONFIGURATION

       For TLS to work it's necessary to create the NSS database. If pcs is used then the following steps are
       not needed because pcs does them automatically.

       corosync-qnetd-certutil is the tool to perform required actions. Just run:

       # corosync-qnetd-certutil -i

       If TLS is not required then simply edit /etc/(sysconfig|default)/corosync-qnetd or the systemd unit file
       and add the parameter -s off in the proper place.

       Depending on the configuration of NSS (stored in the nss.config file, usually in the
       /etc/crypto-policies/back-ends/ directory) disabled ciphers or too short keys may be rejected. The
       proper solution is to regenerate the NSS databases for both the corosync-qnetd and corosync-qdevice
       daemons. As a quick workaround it's also possible to set the environment variable
       NSS_IGNORE_SYSTEM_POLICY=1 before running the corosync-qnetd daemon.

       When NSS is updated it may also be necessary to upgrade the database to the new format. There is no
       consensus on the recommended way, but the following command seems to work just fine (if the qnetd
       sysconfdir is set to /etc):

       # certutil -N -d /etc/corosync/qnetd/nssdb -f /etc/corosync/qnetd/nssdb/pwdfile.txt

ADVANCED SETTINGS

       Set by the -S option. The default value is shown in parentheses.

       listen_backlog
              Parameter passed to the listen syscall on the network socket. (10)

       max_client_send_buffers
              Maximum number of send buffers for one client. (32)

       max_client_send_size
              Maximum size of one send buffer (message) to be sent to a client. (32768)

       max_client_receive_size
              Maximum size of the receive buffer for a client message (the maximum allowed size of a message
              received from a client). (32768)

       nss_db_dir
              NSS database directory. (/etc/corosync/qnetd/nssdb)

       cert_nickname
              NSS nickname of qnetd server certificate. (QNetd Cert)

       heartbeat_interval_min
              Minimum heartbeat timeout accepted by server in ms. (1000)

       heartbeat_interval_max
              Maximum heartbeat timeout accepted by server in ms. (120000)

       dpd_enabled
              Dead peer detection enabled. (on)

       dpd_interval_coefficient
              The value is multiplied by the heartbeat interval sent by the qdevice client and used as the
              timeout for dead peer detection. (1.5)

       lock_file
              Lock file location. (/var/run/corosync-qnetd/corosync-qnetd.pid)

       local_socket_file
              Internal IPC socket file location. (/var/run/corosync-qnetd/corosync-qnetd.sock)

       local_socket_backlog
              Parameter passed to listen syscall on the local socket. (10)

       ipc_max_clients
              Maximum allowed simultaneous IPC clients. (10)

       ipc_max_receive_size
              Maximum size of a message received by IPC client. (4096)

       ipc_max_send_size
              Maximum size of a message sent to an IPC client. (10485760)

       keep_active_partition_tie_breaker
              When a tie happens, prefer the partition with members of the previously active (quorate)
              partition. This is hard-coded behavior of the LMS algorithm, so this setting affects only the
              FFSplit algorithm. (off)
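       A pre-flight check for a corosync-qnetd command line, covering the -s, -c and -S options from OPTIONS,
       the -s off shortcut from TLS CONFIGURATION and the keys listed in this section. This is an added
       example and not part of the corosync project: the function names and the option strings tried at the
       bottom are constructed for it. It parses the comma-separated -S string, accepts only the documented
       keys, checks that on/off switches and the heartbeat bounds carry sane values, and rejects command
       lines that leave TLS optional or disable the client certificate check, since either lets a client
       connect without presenting a certificate.

```shell
#!/bin/sh
# Added example, not part of corosync-qnetd: a pre-flight check for a
# corosync-qnetd command line. Function names and the sample option strings
# at the bottom are constructed for this example.

# Keys accepted by -S, as listed in ADVANCED SETTINGS.
QNETD_ADVANCED_KEYS="listen_backlog max_client_send_buffers max_client_send_size
max_client_receive_size nss_db_dir cert_nickname heartbeat_interval_min
heartbeat_interval_max dpd_enabled dpd_interval_coefficient lock_file
local_socket_file local_socket_backlog ipc_max_clients ipc_max_receive_size
ipc_max_send_size keep_active_partition_tie_breaker"

# validate_advanced_settings "key=value[,key2=value2,...]"
# Returns 0 when every entry is key=value with a documented key, on/off
# switches carry on or off, heartbeat bounds are integers (ms) and
# heartbeat_interval_min does not exceed heartbeat_interval_max.
validate_advanced_settings() {
    hb_min="" hb_max=""
    old_ifs=$IFS
    IFS=,
    set -- $1        # split on commas only, so values may contain spaces
    IFS=$old_ifs
    for entry in "$@"; do
        key=${entry%%=*}
        value=${entry#*=}
        if [ "$key" = "$entry" ] || [ -z "$value" ]; then
            echo "malformed -S entry: '$entry'" >&2
            return 1
        fi
        known=0
        for k in $QNETD_ADVANCED_KEYS; do
            [ "$k" = "$key" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            echo "unknown -S key: '$key'" >&2
            return 1
        fi
        case $key in
            dpd_enabled|keep_active_partition_tie_breaker)
                case $value in
                    on|off) ;;
                    *) echo "$key must be on or off" >&2; return 1 ;;
                esac ;;
            heartbeat_interval_min|heartbeat_interval_max)
                case $value in
                    *[!0-9]*) echo "$key must be an integer (ms)" >&2; return 1 ;;
                esac
                if [ "$key" = heartbeat_interval_min ]; then hb_min=$value; else hb_max=$value; fi ;;
        esac
    done
    if [ -n "$hb_min" ] && [ -n "$hb_max" ] && [ "$hb_min" -gt "$hb_max" ]; then
        echo "heartbeat_interval_min ($hb_min) exceeds heartbeat_interval_max ($hb_max)" >&2
        return 1
    fi
    return 0
}

# check_option_hardening "<corosync-qnetd options>"
# Returns 0 when TLS is forced (-s required), the client certificate check
# stays on (-c on, the documented default) and any -S string validates.
# The option string is word-split, so -S values with spaces (such as
# cert_nickname) should be checked with validate_advanced_settings directly.
check_option_hardening() {
    tls=on           # documented default of -s
    client_cert=on   # documented default of -c
    status=0
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -s|-c|-S)
                if [ $# -lt 2 ]; then
                    echo "option $1 needs an argument" >&2
                    return 1
                fi
                case $1 in
                    -s) tls=$2 ;;
                    -c) client_cert=$2 ;;
                    -S) validate_advanced_settings "$2" || status=1 ;;
                esac
                shift ;;
        esac
        shift
    done
    if [ "$tls" != "required" ]; then
        echo "TLS is '$tls'; use -s required so a client cannot skip TLS" >&2
        status=1
    fi
    if [ "$tls" != "off" ] && [ "$client_cert" != "on" ]; then
        echo "client certificate check is '$client_cert'; use -c on" >&2
        status=1
    fi
    return $status
}

# Stand-alone demonstration with constructed option strings.
if check_option_hardening "-f -s required -c on -S heartbeat_interval_min=2000,heartbeat_interval_max=60000"; then
    echo "hardened command line accepted"
fi
check_option_hardening "-s on -c off -S heartbeat_interval_min=5000,heartbeat_interval_max=2000" \
    || echo "weak command line rejected"
```

       Feed it the option string from /etc/(sysconfig|default)/corosync-qnetd or the unit's ExecStart= line
       before restarting the daemon; a non-zero exit with the diagnostics on stderr tells you what to fix.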

SEE ALSO

       corosync-qnetd-tool(8) corosync-qnetd-certutil(8) corosync-qdevice(8)

AUTHOR

       Jan Friesse

                                                   2020-11-18                                  COROSYNC-QNETD(8)