Managing HP Serviceguard A.11.20.00 for Linux, June 2012

# Serviceguard will not consult this file.
###########################################################
The format for entries in cmclnodelist is as follows:
[hostname] [user] [#Comment]
For example:
gryf root #cluster1, node1
sly root #cluster1, node2
bit root #cluster1, node3
This example grants the root users on the nodes gryf, sly, and bit root access to the node on
which this cmclnodelist file resides.
Serviceguard also accepts the use of a “+” in the cmclnodelist file; this indicates that the root
user on any Serviceguard node can configure Serviceguard on this node.
IMPORTANT: If $SGCONF/cmclnodelist does not exist, Serviceguard will look at ~/.rhosts.
HP strongly recommends that you use cmclnodelist.
NOTE: When you upgrade a cluster from Version A.11.15 or earlier, entries in
$SGCONF/cmclnodelist are automatically updated to Access Control Policies in the cluster
configuration file. All non-root user-hostname pairs are assigned the role of Monitor.
Ensuring that the Root User on Another Node Is Recognized
The Linux root user on any cluster node can configure the cluster. This requires that Serviceguard
on one node be able to recognize the root user on another.
Serviceguard uses the identd daemon to verify user names, and, in the case of a root user,
verification succeeds only if identd returns the username root. Because identd may return the
username for the first match on UID 0, you must check /etc/passwd on each node you intend
to configure into the cluster, and ensure that the entry for the root user comes before any other
entry with a UID of 0.
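
The /etc/passwd ordering check described above, together with a scan of cmclnodelist for the "+" entry, as an added example that is not part of the HP guide. The function names are hypothetical, the sample file contents are constructed, and treating "+" as a stand-alone field is an assumption, since the guide does not show where it is placed.

```shell
#!/bin/sh
# Added example, not HP code. All file contents below are constructed samples.

# uid0_names FILE: every account with UID 0, in file order. identd may return
# the first of these for a UID-0 process, so the first one must be "root".
uid0_names() {
    awk -F: '$1 !~ /^[ \t]*#/ && $3 ~ /^0+$/ { print $1 }' "$1"
}

# check_root_first FILE: 0 = root is the first UID-0 entry,
# 1 = another UID-0 account precedes root, 2 = no UID-0 entry found.
check_root_first() {
    first=$(uid0_names "$1" | head -n 1)
    if [ -z "$first" ]; then return 2; fi
    if [ "$first" = "root" ]; then return 0; fi
    return 1
}

# wildcard_lines FILE: line numbers of cmclnodelist entries containing "+".
# Assumption: "+" stands alone as a field; the guide does not show its position.
wildcard_lines() {
    awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) if ($i == "+") { print NR; break } }' "$1"
}

# root_hosts FILE: hostnames whose root user is granted access by
# "[hostname] [user] [#Comment]" entries.
root_hosts() {
    awk '{ sub(/#.*/, ""); if (NF >= 2 && $2 == "root" && $1 != "+") print $1 }' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'toor:x:0:0:alt admin:/root:/bin/sh' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin' > "$d/passwd"
    printf '%s\n' '# constructed cmclnodelist' 'gryf root #cluster1, node1' \
        'sly root #cluster1, node2' '+' > "$d/cmclnodelist"
    rc=0; check_root_first "$d/passwd" || rc=$?
    echo "passwd check status: $rc (UID-0 order: $(uid0_names "$d/passwd" | tr '\n' ' '))"
    echo "wildcard on line(s): $(wildcard_lines "$d/cmclnodelist" | tr '\n' ' ')"
    echo "root trusted from: $(root_hosts "$d/cmclnodelist" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

On a real node, point check_root_first at /etc/passwd and the other two functions at $SGCONF/cmclnodelist; a status of 1 means the passwd entries must be reordered before the node is configured into the cluster.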
About identd
HP strongly recommends that you use identd for user verification, so you should make sure that
each prospective cluster node is configured to run it. identd is usually started from
/etc/init.d/xinetd.
(It is possible to disable identd, though HP recommends against doing so. If for some reason
you have to disable identd, see “Disabling identd” (page 151).)
For more information about identd, see the white paper Securing Serviceguard at
http://www.hp.com/go/hpux-serviceguard-docs -> HP Serviceguard -> White Papers,
and the identd manpage.
Configuring Name Resolution
Serviceguard uses the name resolution services built into Linux.
Serviceguard nodes can communicate over any of the cluster’s shared networks, so the network
resolution service you are using (such as DNS, NIS, or LDAP) must be able to resolve each of their
primary addresses on each of those networks to the primary hostname of the node in question.
In addition, HP recommends that you define name resolution in each node’s /etc/hosts file,
rather than rely solely on a service such as DNS. Configure the name service switch to consult the
/etc/hosts file before other services. See “Safeguarding against Loss of Name Resolution
Services” (page 125) for instructions.