Managing Serviceguard 12th Edition, March 2006

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5
# Policy 3:
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
In the above example, the configuration would fail because user john is assigned
two roles. Policy 2 is redundant because PACKAGE_ADMIN already
includes the role of MONITOR.
Policy 3 does not conflict with any other policies, even though the
wildcard ANY_USER includes the individual user john.
Plan the cluster’s roles and validate them as soon as possible. Depending
on the organization’s security policy, it may be easiest to create group
logins. For example, you could create a MONITOR role for user operator1
from ANY_CLUSTER_NODE. Then you could give this login name and
password to everyone who will need to monitor your clusters.
Use caution when defining access to ANY_SERVICEGUARD_NODE. This will
allow access from any node on the subnet.
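
The two checks described above (a named user given more than one role, and access granted from ANY_SERVICEGUARD_NODE) can be run over a draft policy list before it is applied. The following Python sketch is an added example, not code from this manual or from Serviceguard; the host name node1, the first two sample entries, and keying the conflict on the user-and-host pair are assumptions, and Serviceguard's own configuration check remains authoritative.

```python
from collections import defaultdict

# Constructed sample in the USER_NAME / USER_HOST / USER_ROLE layout shown above.
# Host "node1" and the first two entries are assumptions, not from the manual.
SAMPLE = """\
# Policy 1:
USER_NAME john
USER_HOST node1
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME john
USER_HOST node1
USER_ROLE MONITOR
# Policy 3:
USER_NAME ANY_USER
USER_HOST ANY_SERVICEGUARD_NODE
USER_ROLE MONITOR
"""

KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Group access-control lines into dicts; each USER_NAME starts a new policy."""
    policies = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) != 2 or parts[0] not in KEYS:
            continue
        if parts[0] == "USER_NAME":
            policies.append({})
        if policies:
            policies[-1][parts[0]] = parts[1].strip()
    return policies

def lint(policies):
    """Return (errors, warnings): role conflicts and subnet-wide host grants."""
    roles, errors, warnings = defaultdict(set), [], []
    for p in policies:
        user, host, role = (p.get(k) for k in KEYS)
        if None in (user, host, role):
            errors.append(f"incomplete policy: {p}")
            continue
        if host == "ANY_SERVICEGUARD_NODE":  # reachable from any node on the subnet
            warnings.append(f"{user}: {role} from ANY_SERVICEGUARD_NODE")
        if user != "ANY_USER":  # the wildcard does not conflict with a named user
            roles[(user, host)].add(role)
    for key, assigned in sorted(roles.items()):
        if len(assigned) > 1:
            errors.append(f"{key[0]}@{key[1]}: multiple roles {sorted(assigned)}")
    return errors, warnings
```

Running `lint(parse_policies(SAMPLE))` reports john's two roles as an error and the ANY_SERVICEGUARD_NODE grant as a warning; deleting the constructed Policy 2 clears the error.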
Defining Name Resolution Services
It is important to understand how Serviceguard uses name resolution
services. When you employ any user-level Serviceguard command
(including cmviewcl), the command uses name lookup to obtain the
addresses of all the cluster nodes. If name services are not available, the
command could hang or return an unexpected networking error
message. In Serviceguard Manager, cluster or package operations will
also return an error if name services are not available.
NOTE: If such a hang or error occurs, Serviceguard and all protected
applications will continue working even though the command you issued
does not. That is, only the Serviceguard configuration commands and
Serviceguard Manager functions are impacted, not the cluster daemon or
package services.
To avoid this problem, you can use the /etc/hosts file on all cluster
nodes in addition to DNS or NIS. It is also recommended to make DNS
highly available either by using multiple DNS servers or by configuring
DNS into a Serviceguard package.