fence_virtd

This section contains global information about how fence_virtd is to operate. The most important pieces of information are as follows:

listener

the listener plugin for receiving fencing requests from clients

backend

the plugin to be used to carry out fencing requests

foreground

do not fork into the background.

wait_for_init

wait for the frontend and backends to become available rather than giving up immediately. This replaces wait_for_backend in 0.2.x.

module_path

the module path to search for plugins

listeners

This section contains listener-specific configuration information; see the section about listeners below.

backends

This section contains listener-specific configuration information; see the section about listeners below.

groups

This section contains static maps of which virtual machines may fence which other virtual machines; see the section about groups below.

multicast

key_file

the shared key file to use (default: /etc/cluster/fence_xvm.key).

hash

the weakest hashing algorithm allowed for client requests. Clients may send packets with stronger hashes than the one specified, but not weaker ones. (default: sha256, but could be sha1, sha512, or none)

auth

the hashing algorithm to use for the simplistic challenge-response authentication (default: sha256, but could be sha1, sha512, or none)

family

the IP family to use (default: ipv4, but may be ipv6)

address

the multicast address to listen on (default: 225.0.0.12)

port

the multicast port to listen on (default: 1229)

interface

interface to listen on. By default, fence_virtd listens on all interfaces. However, this causes problems in some environments where the host computer is used as a gateway.

serial

The serial listener plugin utilizes libvirt's serial (or VMChannel) mapping to listen for requests. When using the serial listener, it is necessary to add a serial port (preferably pointing to /dev/ttyS1) or a channel (preferably pointing to 10.0.2.179:1229) to the libvirt domain description. Note that only type unix , mode bind serial ports and channels are supported and each VM should have a separate unique socket. Example libvirt XML:

<serial type='unix'>
<source mode='bind' path='/sandbox/guests/fence_socket_molly'/>
<target port='1'/>
</serial>
<channel type='unix'>
<source mode='bind' path='/sandbox/guests/fence_molly_vmchannel'/>
<target type='guestfwd' address='10.0.2.179' port='1229'/>
</channel>

uri

the URI to use when connecting to libvirt by the serial plugin (optional).

path

The same directory that is defined for the domain serial port path (From example above: /sandbox/guests). Sockets must reside in this directory in order to be considered valid. This can be used to prevent fence_virtd from using the wrong sockets.

mode

This selects the type of sockets to register. Valid values are "serial" (default) and "vmchannel".

tcp

The tcp listener operates similarly to the multicast listener but uses TCP sockets for communication instead of using multicast packets.

key_file

the shared key file to use (default: /etc/cluster/fence_xvm.key).

hash

the hashing algorithm to use for packet signing (default: sha256, but could be sha1, sha512, or none)

auth

the hashing algorithm to use for the simplistic challenge-response authentication (default: sha256, but could be sha1, sha512, or none)

family

the IP family to use (default: ipv4, but may be ipv6)

address

the IP address to listen on (default: 127.0.0.1 for IPv4, ::1 for IPv6)

port

the TCP port to listen on (default: 1229)

vsock

The vsock listener operates similarly to the multicast listener but uses virtual machine sockets (AF_VSOCK) for communication instead of using multicast packets.

key_file

the shared key file to use (default: /etc/cluster/fence_xvm.key).

hash

the hashing algorithm to use for packet signing (default: sha256, but could be sha1, sha512, or none)

auth

the hashing algorithm to use for the simplistic challenge-response authentication (default: sha256, but could be sha1, sha512, or none)

port

the vsock port to listen on (default: 1229)

libvirt

The libvirt plugin is the simplest plugin. It is used in environments where routing fencing requests between multiple hosts is not required, for example by a user running a cluster of virtual machines on a single desktop computer.

uri

the URI to use when connecting to libvirt.

All libvirt URIs are accepted and passed as-is.

See https://libvirt.org/uri.html#remote-uris for examples.

NOTE: When VMs are run as non-root user the socket path must be set as part of the URI.

Example: qemu:///session?socket=/run/user/<UID>/libvirt/virtqemud-sock

cpg

The cpg plugin uses corosync CPG and libvirt to track virtual machines and route fencing requests to the appropriate computer.

uri

the URI to use when connecting to libvirt by the cpg plugin.

name_mode

The cpg plugin, in order to retain compatibility with fence_xvm, stores virtual machines in a certain way. The default was to use 'name' when using fence_xvm and fence_xvmd, and so this is still the default. However, it is strongly recommended to use 'uuid' instead of 'name' in all cluster environments involving more than one physical host in order to avoid the potential for name collisions.

group

This defines a group.

name

Optionally define the name of the group. Useful only for configuration readability and debugging of configuration parsing.

uuid

Defines UUID as a member of a group. It can be used multiple times to specify both node name and UUID values that can be fenced. When using the serial listener, the vm uuid is required and it is recommended to add also the vm name.

ip

Defines an IP which is allowed to send fencing requests for members of this group (e.g. for multicast). It can be used multiple times to allow more than 1 IP to send fencing requests to the group. It is highly recommended that this be used in conjunction with a key file. When using the vsock listener, ip should contain the CID value assigned by libvirt to the vm. When using the serial listener, ip value is not used and can be omitted.