Managing Serviceguard 14th Edition, June 2007

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5 205
NOTE When you upgrade a cluster from Version A.11.15 or earlier, entries in
$SGCONF/cmclnodelist are automatically updated into Access Control
Policies in the cluster configuration file. All non-root user-hostname
pairs are assigned the role of Monitor (view only).
Package versus Cluster Roles
Package configuration will fail if there is any conflict in roles between
the package configuration and the cluster configuration, so it is a good
idea to have the cluster configuration file in front of you when you create
roles for a package. Use cmgetconf to get a listing of the cluster
configuration file.
If a role is configured for a username/hostname in the cluster
configuration file, do not specify a role for the same username/hostname
in the package configuration file. Note also that there is no point in
assigning a package administration role to a cluster root user, who
already has complete control over the administration of the cluster and
its packages.
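The following pre-check for the rule above is an added example, not part of the HP manual or of Serviceguard. It assumes policies appear as USER_NAME / USER_HOST / USER_ROLE keyword triplets, treats only an exact username/hostname match as a conflict, and runs on constructed sample excerpts standing in for cmgetconf output and a package configuration file.

```python
# Constructed sample excerpts. Keyword names (USER_NAME, USER_HOST, USER_ROLE)
# are an assumption about the file layout, not taken from this page.
CLUSTER_CONF = """\
CLUSTER_NAME  cluster1
USER_NAME  alice
USER_HOST  node1
USER_ROLE  MONITOR
USER_NAME  bob        # trailing comments are ignored
USER_HOST  node2
USER_ROLE  FULL_ADMIN
"""
PACKAGE_CONF = """\
PACKAGE_NAME  pkg1
USER_NAME  alice
USER_HOST  node1
USER_ROLE  PACKAGE_ADMIN
USER_NAME  carol
USER_HOST  node2
USER_ROLE  PACKAGE_ADMIN
"""
KEYS = ("USER_NAME", "USER_HOST", "USER_ROLE")

def parse_policies(text):
    """Return {(user, host): role} built from complete keyword triplets."""
    policies, current = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if not parts or parts[0].upper() not in KEYS:
            continue  # blank line, comment, or an unrelated parameter
        key = parts[0].upper()
        if len(parts) != 2 or key in current:
            raise ValueError(f"line {lineno}: malformed or repeated {key}")
        current[key] = parts[1]
        if len(current) == 3:  # triplet complete: record it and start over
            policies[(current["USER_NAME"], current["USER_HOST"])] = current["USER_ROLE"]
            current = {}
    if current:
        raise ValueError("incomplete policy triplet at end of file")
    return policies

def find_conflicts(cluster_text, package_text):
    """List (user, host, cluster_role, package_role) for pairs defined in both files."""
    cluster, package = parse_policies(cluster_text), parse_policies(package_text)
    return sorted((u, h, cluster[(u, h)], role)
                  for (u, h), role in package.items() if (u, h) in cluster)

if __name__ == "__main__":
    for user, host, c_role, p_role in find_conflicts(CLUSTER_CONF, PACKAGE_CONF):
        print(f"{user}@{host}: cluster role {c_role}, package role {p_role}")
```

Any pair it reports should have its entry removed from the package configuration file before the package is configured.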
Serviceguard uses different mechanisms for access control depending on
whether the node is configured into a cluster or not. The following two
subsections discuss how to configure access control policies in these two
cases.
Setting Controls for an Unconfigured Node
When Serviceguard is first installed on a system, no access control
policies are defined. To enable this system to be included in a cluster, you
must allow root access to the node for the root user of every other
potential cluster node. The mechanism for doing this is
$SGCONF/cmclnodelist. This file does not exist by default, but you
should create it, as described in the following subsection.
Using the cmclnodelist File
The cmclnodelist file is not created by default in new installations.
When you create it, you may want to add a comment such as the
following at the top of the file: