ha_cluster
An Ansible role for managing High Availability Clustering.
Limitations
-
Supported OS: RHEL 8.3+, Fedora 31+
-
Systems running RHEL are expected to be registered and have High-Availability repositories accessible.
-
The role replaces the configuration of HA Cluster on specified nodes. Any settings not specified in the role variables will be lost.
-
For now, the role is only capable of configuring a basic corosync cluster.
Role Variables
Defined in +defaults/main.yml+
+ha_cluster_enable_repos+
boolean, default: +yes+
RHEL and CentOS only, enable repositories contaning needed packages
+ha_cluster_cluster_present+
boolean, default: +yes+
If set to +yes+
, HA cluster will be configured on the hosts according
to other variables. If set to +no+
, all HA Cluster configuration will
be purged from target hosts.
+ha_cluster_start_on_boot+
boolean, default: +yes+
If set to +yes+
, cluster services will be configured to start on boot.
If set to +no+
, cluster services will be configured not to start on
boot.
+ha_cluster_fence_agent_packages+
list of fence agent packages to install, default: fence-agents-all, fence-virt
+ha_cluster_hacluster_password+
string, no default - must be specified
Password of the +hacluster+
user. This user has full access to a
cluster. It is recommended to vault encrypt the value, see
https://docs.ansible.com/ansible/latest/user_guide/vault.html for
details.
+ha_cluster_corosync_key_src+
path to corosync authkey file, default: +null+
Authentication and encryption key for Corosync communication. It is highly recommended to have a unique value for each cluster. The key should be 256 bytes of random data.
If value is provided, it is recommended to vault encrypt it. See https://docs.ansible.com/ansible/latest/user_guide/vault.html for details.
If no key is specified, a key already present on the nodes will be used. If nodes don’t have the same key, a key from one node will be distributed to other nodes so that all nodes have the same key. If no node has a key, a new key will be generated and distributed to the nodes.
If this variable is set, +ha_cluster_regenerate_keys+
is ignored for
this key.
+ha_cluster_pacemaker_key_src+
path to pacemaker authkey file, default: +null+
Authentication and encryption key for Pacemaker communication. It is highly recommended to have a unique value for each cluster. The key should be 256 bytes of random data.
If value is provided, it is recommended to vault encrypt it. See https://docs.ansible.com/ansible/latest/user_guide/vault.html for details.
If no key is specified, a key already present on the nodes will be used. If nodes don’t have the same key, a key from one node will be distributed to other nodes so that all nodes have the same key. If no node has a key, a new key will be generated and distributed to the nodes.
If this variable is set, +ha_cluster_regenerate_keys+
is ignored for
this key.
+ha_cluster_fence_virt_key_src+
path to fence-virt or fence-xvm pre-shared key file, default: +null+
Authentication key for fence-virt or fence-xvm fence agent.
If value is provided, it is recommended to vault encrypt it. See https://docs.ansible.com/ansible/latest/user_guide/vault.html for details.
If no key is specified, a key already present on the nodes will be used. If nodes don’t have the same key, a key from one node will be distributed to other nodes so that all nodes have the same key. If no node has a key, a new key will be generated and distributed to the nodes.
If this variable is set, +ha_cluster_regenerate_keys+
is ignored for
this key.
If you let the role to generate new key, you are supposed to copy the key to your nodes' hypervisor to ensure that fencing works.
+ha_cluster_pcsd_public_key_src+
, +ha_cluster_pcsd_private_key_src+
path to pcsd TLS certificate and key, default: +null+
TLS certificate and private key for pcsd. If this is not specified, a certificate - key pair already present on the nodes will be used. If certificate - key pair is not present, a random new one will be generated.
If private key value is provided, it is recommended to vault encrypt it. See https://docs.ansible.com/ansible/latest/user_guide/vault.html for details.
If these variables are set, +ha_cluster_regenerate_keys+
is ignored
for this certificate - key pair.
+ha_cluster_regenerate_keys+
boolean, default: +no+
If this is set to +yes+
, pre-shared keys and TLS certificates will be
regenerated. See also:
+ha_cluster_corosync_key_src+
,
+ha_cluster_pacemaker_key_src+
,
+ha_cluster_fence_virt_key_src+
,
+ha_cluster_pcsd_public_key_src+
,
+ha_cluster_pcsd_private_key_src+
+ha_cluster_pcs_permission_list+
Structure and default value:
ha_cluster_pcs_permission_list:
- type: "group"
name: "hacluster"
allow_list:
- "grant"
- "read"
- "write"
This configures permissions to manage a cluster using pcsd. The items are as follows:
-
+type+
-+user+
or+group+
-
+name+
- user or group name -
+allow_list+
- Allowed actions for the specified user or group:+read+
- allows to view cluster status and settings,+write+
- allows to modify cluster settings except permissions and ACLs,+grant+
-
allows to modify cluster permissions and ACLs,
+full+
- allows unrestricted access to a cluster including adding and removing nodes and access to keys and certificates
-
+ha_cluster_cluster_name+
string, default: +my-cluster+
Name of the cluster.
Inventory
Nodes' names and addresses can be configured in inventory. This is optional. If no names or addresses are configured, play’s targets will be used.
Example inventory with targets +node1+
and +node2+
:
all:
hosts:
node1:
ha_cluster:
node_name: node-A
pcs_address: node1-address
corosync_addresses:
- 192.168.1.11
- 192.168.2.11
node2:
ha_cluster:
node_name: node-B
pcs_address: node2-address:2224
corosync_addresses:
- 192.168.1.12
- 192.168.2.12
-
+node_name+
- the name of a node in a cluster -
+pcs_address+
- an address used by pcs to communicate with the node, it can be a name, FQDN or an IP address and it can contain port -
+corosync_addresses+
- list of addresses used by Corosync, all nodes must have the same number of addresses and the order of the addresses matters
Example Playbook
Minimalistic example to create a cluster running no resources:
- hosts: node1 node2
vars:
ha_cluster_cluster_name: "my-new-cluster"
ha_cluster_hacluster_password: "password"
roles:
- linux-system-roles.ha_cluster
To purge all cluster configuration, run this:
- hosts: node1 node2
vars:
ha_cluster_cluster_present: no
roles:
- linux-system-roles.ha_cluster
License
MIT
Author Information
Tomas Jelinek