ClusterLabs / fence-agents

Fence agents

Fence_aws: Proxy configurations not picked when used with STONITH #528

Open samsat22 opened 1 year ago

samsat22 commented 1 year ago

Hi,

The fence_aws agent is able to fence the EC2 instances when run with “fence_aws -o off ”, but when STONITH tries to fence an instance, the proxies set in environment variables are not picked up and it ends in a timeout.

oalbrigt commented 1 year ago

The agent doesn't currently support proxies.

samsat22 commented 1 year ago

Thanks for the information, will that be enabled anytime soon? Or is there any other workaround?

gguifelixamz commented 1 year ago

@samsat22 can you explain how you set the proxy configuration?

samsat22 commented 1 year ago

Set as Environment variable HTTP_PROXY, HTTPS_PROXY and also under /etc/profile.d/proxy.sh

gguifelixamz commented 1 year ago

@samsat22 I recommend you set the env vars inside /etc/sysconfig/pacemaker, which is the right place to set them for any pacemaker resource agent. After adding the entries you will need to restart your cluster.

For AWS, you will also include the EC2 instance metadata (169.254.169.254) in the no_proxy env var.

gguifelixamz commented 1 year ago

@samsat22 updates?

samsat22 commented 1 year ago

@gguifelixamz Not sure what is the variable value to be set in pacemaker config file like pcmk_host. I was able to resolve this timeout error by creating a VPC endpoint.

The EC2 instance uses an IAM role and ~/.aws/credentials is created with the below content, but I still get the error “Failed: Incorrect Access Key or Secret Key”

[default]
region=us-east-1

Fencing status is success if the below command:

“fence_aws -o status -n -v”

gguifelixamz commented 1 year ago

Example - the /etc/sysconfig/pacemaker file will look like this:

http_proxy=http://<proxy>:<proxy_port>
https_proxy=http://<proxy>:<proxy_port>
no_proxy="localhost,169.254.169.254"

Do you have an IAM Role attached to your EC2 instance? You either need an IAM role or IAM Access Keys configured in your fencing agent for it to work.
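
A check for the file layout shown above, as an added example that is not part of the original comment or of fence-agents: the hypothetical helpers get_var, get_either and check_proxy_env read a sysconfig-style file and report whether both proxy variables are set and whether no_proxy exempts the metadata address 169.254.169.254. Accepting upper-case variable names is an assumption of this example.

```shell
#!/bin/sh
# Added example (not fence-agents code). get_var, get_either and
# check_proxy_env are hypothetical helper names.
METADATA_IP="169.254.169.254"   # EC2 instance metadata address from the thread

# Print KEY's value from FILE: last assignment wins, optional "export "
# prefix and surrounding quotes are stripped. Prints nothing when unset.
get_var() {
    sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}$2=//p" "$1" |
        tail -n 1 | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Look KEY up in lower case first, then upper case (HTTP_PROXY style).
get_either() {
    v=$(get_var "$1" "$2")
    [ -n "$v" ] || v=$(get_var "$1" "$(printf '%s' "$2" | tr 'a-z' 'A-Z')")
    printf '%s' "$v"
}

# Return 0 when FILE sets both proxies and exempts the metadata address,
# 1 when a setting is missing or malformed, 2 when FILE is unreadable.
check_proxy_env() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    for key in http_proxy https_proxy; do
        val=$(get_either "$file" "$key")
        case $val in
            "") echo "$key is not set in $file"; rc=1 ;;
            http://*|https://*) ;;
            *) echo "$key has no http:// or https:// scheme: $val"; rc=1 ;;
        esac
    done
    # no_proxy is a comma-separated list; require an exact entry, so that
    # an address merely containing the metadata IP does not pass.
    exempt=$(get_either "$file" no_proxy)
    case ",$exempt," in
        *",$METADATA_IP,"*) ;;
        *) echo "no_proxy does not list $METADATA_IP"; rc=1 ;;
    esac
    return $rc
}
```

Call it as check_proxy_env /etc/sysconfig/pacemaker on each cluster node; it prints one line per problem found and returns non-zero if any exist.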

samsat22 commented 1 year ago

Thanks! I will try the proxy modification.

Yes, I’ve the IAM role attached to EC2.

This is successful - fence_aws -o status -n -v

but stonith auto fencing fails with invalid access key and secret key.

gguifelixamz commented 1 year ago

What RHEL version are you using?

samsat22 commented 1 year ago

RHEL8 @gguifelixamz