Documentation says: "Csync2 automatically ignores all groups which do not contain the local hostname in the host list. This way you can use one big Csync2 configuration file for the entire cluster.", but in fact csync2 reads all the groups and requires all the keys on all hosts.
This makes the stated use case insecure: if all the hosts know all the keys, then what's the point of having different keys for different groups?
It's even impossible to make zero-sized stubs for the missing keys: they are not accepted either.
Detailed setup:
Shared config file for all hosts:
group somegroup01
{
    host srv01 (srv02);
    key /etc/csync2/somegroup01.key;
    ...
}
group somegroup02
{
    host srv01 (srv03);
    key /etc/csync2/somegroup02.key;
    ...
}
Syncing from srv01 to srv03:
$ csync2 -xv -G somegroup02
Connecting to host srv03 (SSL) ...
Connect to 10.0.0.3:30865 (srv03).
Config command failed.
ERROR: Connection to remote host `srv03' failed.
Host stays in dirty state. Try again later...
Logs on srv03 are the following:
So host srv03 requires the key for group somegroup01, despite not being listed there.
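As an added check, not part of this report and not code from the csync2 project: the POSIX shell script below parses a copy of the shared config above and computes, for a given host, the key files the documented behaviour would require (groups whose host list names it) versus the key files every host is in fact asked for (every key line in the file), so the two can be compared on any node. The config text is a constructed copy of the one above with the elided lines left out; the function names, the optional root prefix and the non-empty-file check (zero-sized stubs are reported as missing, matching what is observed above) are assumptions of this example.

```sh
#!/bin/sh
# Constructed stand-in for the shared /etc/csync2/csync2.cfg shown in the report.
CFG_TEXT='group somegroup01
{
    host srv01 (srv02);
    key /etc/csync2/somegroup01.key;
}
group somegroup02
{
    host srv01 (srv03);
    key /etc/csync2/somegroup02.key;
}
'

# expected_keys HOST
# Prints the key file of every group whose "host" line names HOST, i.e. the
# set of keys the documentation says HOST should need. Parentheses and the
# trailing ";" are stripped so "srv01 (srv02);" yields both names.
expected_keys() {
    printf '%s' "$CFG_TEXT" | awk -v h="$1" '
        /^[ \t]*group[ \t]/ { listed = 0; key = "" }
        /^[ \t]*host[ \t]/  {
            line = $0
            gsub(/[();]/, " ", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == h) listed = 1
        }
        /^[ \t]*key[ \t]/   { key = $2; sub(/;$/, "", key) }
        /^[ \t]*}/          { if (listed && key != "") print key }
    '
}

# all_keys
# Prints every key file named anywhere in the config: the set each host is
# observed to require in practice.
all_keys() {
    printf '%s' "$CFG_TEXT" | awk '
        /^[ \t]*key[ \t]/ { k = $2; sub(/;$/, "", k); print k }
    '
}

# extra_keys HOST
# Keys HOST would be asked for although it is not listed in their group.
extra_keys() {
    all_keys | awk -v want="$(expected_keys "$1")" '
        BEGIN { n = split(want, w, "\n"); for (i = 1; i <= n; i++) seen[w[i]] = 1 }
        !($0 in seen)
    '
}

# missing_keys HOST [ROOT]
# Expected keys that are absent or empty under ROOT (default: the real
# filesystem). Empty files count as missing, since zero-sized stubs are
# not accepted.
missing_keys() {
    root=${2:-}
    expected_keys "$1" | while IFS= read -r k; do
        [ -s "$root$k" ] || printf '%s\n' "$k"
    done
}

# Usage: compare documented versus observed requirements for srv03.
printf 'keys srv03 should need:\n'; expected_keys srv03
printf 'keys srv03 is asked for although not listed:\n'; extra_keys srv03
```

Running this on each node and comparing `expected_keys "$(hostname)"` with the keys csync2 actually demands is a quick way to confirm the discrepancy the report describes before distributing any key more widely than intended.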