articles/virtual-machines/workloads/sap/high-availability-guide-rhel-pacemaker.md
Lines changed: 58 additions & 11 deletions
@@ -13,7 +13,7 @@ ms.topic: article
13
13
ms.tgt_pltfrm: vm-windows
14
14
ms.workload: infrastructure-services
15
15
ms.custom: subject-rbac-steps
16
-
ms.date: 08/16/2022
16
+
ms.date: 08/29/2022
17
17
ms.author: radeltch
18
18
19
19
---
@@ -115,6 +115,13 @@ The following items are prefixed with either **[A]** - applicable to all nodes,
115
115
> RHEL 7.4: fence-agents-4.0.11-66.el7_4.12
116
116
> For more information, see [Azure VM running as a RHEL High Availability cluster member take a very long time to be fenced, or fencing fails / times-out before the VM shuts down](https://access.redhat.com/solutions/3408711).
117
117
118
+
> [!IMPORTANT]
119
+
> We recommend the following versions of Azure Fence agent (or later) for customers wishing to use Managed Identities for Azure resources instead of service principal names for the fence agent.
120
+
> RHEL 8.4: fence-agents-4.2.1-54.el8
121
+
> RHEL 8.2: fence-agents-4.2.1-41.el8_2.4
122
+
> RHEL 8.1: fence-agents-4.2.1-30.el8_1.4
123
+
> RHEL 7.9: fence-agents-4.2.1-41.el7_9.4.
124
+
118
125
Check the version of the Azure fence agent. If necessary, update it to a version equal to or later than the stated above.
119
126
120
127
<pre><code># Check the version of the Azure Fence Agent
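Review bot: the new line `> RHEL 7.9: fence-agents-4.2.1-41.el7_9.4.` ends with a period while the other three version lines do not; drop it so the package version is not misread as ending in `.4.`. The four `> RHEL ...` lines are consecutive blockquote lines with no separator, so Markdown will merge them into one paragraph; end each with a hard line break or put a bare `>` line between them. Also, the unchanged sentence `Check the version of the Azure fence agent. If necessary, update it to a version equal to or later than the stated above.` now follows two different version lists; say explicitly that the second list is the minimum for the managed-identity path, so a reader on RHEL 7.9 who wants managed identities knows the earlier 7.x minimum is not sufficient.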
@@ -222,7 +229,13 @@ The following items are prefixed with either **[A]** - applicable to all nodes,
222
229
223
230
## Create STONITH device
224
231
225
-
The STONITH device uses a Service Principal to authorize against Microsoft Azure. Follow these steps to create a Service Principal.
232
+
The STONITH device uses either a managed identity for Azure resource or service principal to authorize against Microsoft Azure.
233
+
234
+
### Using Managed Identity
235
+
To create a managed identity (MSI), [create a system-assigned](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time.
236
+
237
+
### Using Service Principal
238
+
Follow these steps to create a service principal, if not using managed identity.
226
239
227
240
1. Go to the [Azure portal](https://portal.azure.com).
228
241
1. Open the Azure Active Directory blade
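Review bot: `The STONITH device uses either a managed identity for Azure resource or service principal to authorize against Microsoft Azure.` should read `either a managed identity for Azure resources or a service principal`. In the new `### Using Managed Identity` paragraph, hyphenate `User-assigned managed identities`, and consider saying why they must not be used, since a reader whose VM already carries a user-assigned identity will otherwise assume the fence agent can use it. The managed-identity link is an absolute `/azure/active-directory/...` path while the rest of this article links relatively (`../../../role-based-access-control/...`); check which convention the repo expects.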
@@ -234,12 +247,12 @@ The STONITH device uses a Service Principal to authorize against Microsoft Azure
234
247
The sign-on URL is not used and can be any valid URL
235
248
1. Select Certificates and Secrets, then click New client secret
236
249
1. Enter a description for a new key, select "Never expires" and click Add
237
-
1. Make a node the Value. It is used as the **password** for the Service Principal
238
-
1. Select Overview. Make a note the Application ID. It is used as the username (**login ID** in the steps below) of the Service Principal
250
+
1. Make a node the Value. It is used as the **password** for the service principal
251
+
1. Select Overview. Make a note the Application ID. It is used as the username (**login ID** in the steps below) of the service principal
239
252
240
253
### **[1]** Create a custom role for the fence agent
241
254
242
-
The Service Principal does not have permissions to access your Azure resources by default. You need to give the Service Principal permissions to start and stop (power-off) all virtual machines of the cluster. If you did not already create the custom role, you can create it using [PowerShell](../../../role-based-access-control/custom-roles-powershell.md) or [Azure CLI](../../../role-based-access-control/custom-roles-cli.md)
255
+
Neither managed identity nor service principal have permissions to access your Azure resources by default. You need to give the managed identity or service principal permissions to start and stop (power-off) all virtual machines of the cluster. If you did not already create the custom role, you can create it using [PowerShell](../../../role-based-access-control/custom-roles-powershell.md) or [Azure CLI](../../../role-based-access-control/custom-roles-cli.md)
243
256
244
257
Use the following content for the input file. You need to adapt the content to your subscriptions that is, replace *xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx* and *yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy* with the Ids of your subscription. If you only have one subscription, remove the second entry in AssignableScopes.
245
258
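Review bot: the two rewritten `+` lines carry over typos from the lines they replace: `Make a node the Value` should be `Make a note of the Value`, and `Make a note the Application ID` should be `Make a note of the Application ID`; since these lines are already being touched, fix both. In the custom-role paragraph, `Neither managed identity nor service principal have permissions` should read `has permissions`. The unchanged step `Enter a description for a new key, select "Never expires" and click Add` still leaves the reader with a non-expiring secret; now that the managed-identity path exists, it is worth adding a sentence here pointing readers to it as the option that avoids a long-lived credential on the cluster nodes.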
@@ -262,11 +275,20 @@ Use the following content for the input file. You need to adapt the content to y
262
275
}
263
276
```
264
277
265
-
### **[A]** Assign the custom role to the Service Principal
278
+
### **[A]** Assign the custom role
279
+
280
+
#### Using Managed Identity
281
+
282
+
Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to each managed identity of the cluster VMs. Each VM system-assigned managed identity needs the role assigned for every cluster VM's resource. For detailed steps, see [Assign a managed identity access to a resource by using the Azure portal](/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal). Verify each VM's managed identity role assignment contains all cluster VMs.
283
+
284
+
> [!IMPORTANT]
285
+
> Be aware assignment and removal of authorization with managed identities [can be delayed](/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization) until effective.
286
+
287
+
#### Using Service Principal
288
+
289
+
Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to the service principal. Do not use the Owner role anymore! For detailed steps, see [Assign Azure roles using the Azure portal](../../../role-based-access-control/role-assignments-portal.md).
290
+
Make sure to assign the role for both cluster nodes.
266
291
267
-
Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to the Service Principal. Do not use the Owner role anymore! For detailed steps, see [Assign Azure roles using the Azure portal](../../../role-based-access-control/role-assignments-portal.md).
268
-
Make sure to assign the custom role to the service principal at all VM (cluster node) scopes.
269
-
270
292
### **[1]** Create the STONITH devices
271
293
272
294
After you edited the permissions for the virtual machines, you can configure the STONITH devices in the cluster.
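Review bot: the new service-principal subsection closes with `Make sure to assign the role for both cluster nodes.` in place of the removed `Make sure to assign the custom role to the service principal at all VM (cluster node) scopes.`; the original sentence is more precise (it names the scope of the assignment) and does not assume a two-node cluster, which conflicts with the managed-identity paragraph just above that says `for every cluster VM's resource`. Keep the original wording; the SUSE article in this same commit still uses it, so the two guides now diverge. In the `[!IMPORTANT]` note, `Be aware assignment and removal of authorization with managed identities can be delayed until effective` is hard to parse; suggest `Be aware that role assignments and removals for managed identities can take time to become effective`, and tell readers to test fencing only after the assignment has become effective.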
@@ -279,18 +301,43 @@ sudo pcs property set stonith-timeout=900
279
301
> Option 'pcmk_host_map' is ONLY required in the command, if the RHEL host names and the Azure VM names are NOT identical. Specify the mapping in the format **hostname:vm-name**.
280
302
> Refer to the bold section in the command. For more information, see [What format should I use to specify node mappings to stonith devices in pcmk_host_map](https://access.redhat.com/solutions/2619961)
281
303
304
+
305
+
#### [Managed Identity](#tab/msi)
306
+
282
307
For RHEL **7.X**, use the following command to configure the fence device:
> Only configure the `pcmk_delay_max` attribute in two node Pacemaker clusters. For more information on preventing fence races in a two node Pacemaker cluster, see [Delaying fencing in a two node cluster to prevent fence races of "fence death" scenarios](https://access.redhat.com/solutions/54829).
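Review bot: the visible part of this hunk opens a tab group with `#### [Managed Identity](#tab/msi)` but the excerpt ends before a second tab or the `---` line that terminates a Docs tab group; confirm the remainder of the hunk adds the service-principal tab and the terminator, otherwise everything that follows is rendered inside the managed-identity tab. The `pcmk_delay_max` note now sits under the first tab; make sure it also appears in the service-principal tab, or move it above the tab group together with the `pcmk_host_map` note, so it is not lost when the reader switches tabs.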
articles/virtual-machines/workloads/sap/high-availability-guide-suse-pacemaker.md
Lines changed: 40 additions & 9 deletions
@@ -13,7 +13,7 @@ ms.topic: article
13
13
ms.tgt_pltfrm: vm-windows
14
14
ms.workload: infrastructure-services
15
15
ms.custom: subject-rbac-steps
16
-
ms.date: 08/16/2022
16
+
ms.date: 08/30/2022
17
17
ms.author: radeltch
18
18
19
19
---
@@ -74,7 +74,7 @@ You can configure the SBD device by using either of two options:
74
74
- For more information about limitations for Azure shared disks, carefully review the "Limitations" section of [Azure shared disk documentation](../../disks-shared.md#limitations).
75
75
76
76
### Use an Azure fence agent
77
-
You can set up STONITH by using an Azure fence agent. Azure fence agents require a service principal that manages restarting failed nodes via Azure APIs. Azure fence agents don't require the deployment of additional virtual machines.
77
+
You can set up STONITH by using an Azure fence agent. Azure fence agent require managed identities for the cluster VMs or a service principal, that manages restarting failed nodes via Azure APIs. Azure fence agent doesn't require the deployment of additional virtual machines.
78
78
79
79
## SBD with an iSCSI target server
80
80
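Review bot: the rewritten sentence `Azure fence agent require managed identities for the cluster VMs or a service principal, that manages restarting failed nodes via Azure APIs. Azure fence agent doesn't require ...` has subject-verb disagreement, and the comma before `that` turns a restrictive clause into a non-restrictive one. Suggest `The Azure fence agent requires either managed identities for the cluster VMs or a service principal that manages restarting failed nodes via Azure APIs. The Azure fence agent doesn't require the deployment of additional virtual machines.`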
@@ -468,7 +468,14 @@ This section applies only if you want to use a STONITH device with an Azure fenc
468
468
469
469
### Create an Azure fence agent STONITH device
470
470
471
-
This section applies only if you're using a STONITH device that's based on an Azure fence agent. The STONITH device uses a service principal to authorize against Microsoft Azure. To create a service principal, do the following:
471
+
This section applies only if you're using a STONITH device that's based on an Azure fence agent. The STONITH device uses either a managed identity or a service principal to authorize against Microsoft Azure.
472
+
473
+
#### Using managed identity
474
+
To create a managed identity (MSI), [create a system-assigned](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time.
475
+
476
+
#### Using service principal
477
+
478
+
To create a service principal, do the following:
472
479
473
480
1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** > **Properties**, and then write down the Directory ID. This is the **tenant ID**.
474
481
1. Select **App registrations**.
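Review bot: the new subsections are `#### Using managed identity` / `#### Using service principal` here, but the RHEL article in the same commit uses `### Using Managed Identity` / `### Using Service Principal`, and a later hunk in this file uses `#### Using Managed Identity` with capitals; pick one heading level and one capitalization for both guides. As in the RHEL file, hyphenate `User-assigned managed identities` and give the reason they are not supported with Pacemaker, since the sentence currently reads as a bare prohibition.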
@@ -483,7 +490,7 @@ This section applies only if you're using a STONITH device that's based on an Az
483
490
484
491
### **[1]** Create a custom role for the fence agent
485
492
486
-
By default, the service principal doesn't have permissions to access your Azure resources. You need to give the service principal permissions to start and stop (deallocate) all virtual machines in the cluster. If you didn't already create the custom role, you can do so by using [PowerShell](../../../role-based-access-control/custom-roles-powershell.md#create-a-custom-role) or the [Azure CLI](../../../role-based-access-control/custom-roles-cli.md).
493
+
By default, neither managed identity norservice principal have permissions to access your Azure resources. You need to give the managed identity or service principal permissions to start and stop (deallocate) all virtual machines in the cluster. If you didn't already create the custom role, you can do so by using [PowerShell](../../../role-based-access-control/custom-roles-powershell.md#create-a-custom-role) or the [Azure CLI](../../../role-based-access-control/custom-roles-cli.md).
487
494
488
495
Use the following content for the input file. You need to adapt the content to your subscriptions. That is, replace *xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx* and *yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy* with your own subscription IDs. If you have only one subscription, remove the second entry under AssignableScopes.
489
496
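Review bot: the rewritten paragraph has `neither managed identity norservice principal have permissions`; `norservice` is missing a space, and the verb should be `has`. Suggest `By default, neither the managed identity nor the service principal has permissions to access your Azure resources.`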
@@ -506,7 +513,16 @@ Use the following content for the input file. You need to adapt the content to y
506
513
}
507
514
```
508
515
509
-
### **[A]** Assign the custom role to the service principal
516
+
### **[A]** Assign the custom role
517
+
518
+
#### Using Managed Identity
519
+
520
+
Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to each managed identity of the cluster VMs. Each VM system-assigned managed identity needs the role assigned for every cluster VM's resource. For detailed steps, see [Assign a managed identity access to a resource by using the Azure portal](/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal). Verify each VM's managed identity role assignment contains all cluster VMs.
521
+
522
+
> [!IMPORTANT]
523
+
> Be aware assignment and removal of authorization with managed identities [can be delayed](/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization) until effective.
524
+
525
+
#### Using Service Principal
510
526
511
527
Assign the custom role *Linux fence agent Role* that you already created to the service principal. Do *not* use the *Owner* role anymore. For more information, see [Assign Azure roles by using the Azure portal](../../../role-based-access-control/role-assignments-portal.md).
512
528
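Review bot: `#### Using Managed Identity` and `#### Using Service Principal` here use title case, while the subsections added earlier in this same file use `#### Using managed identity` / `#### Using service principal`; make them consistent. The `[!IMPORTANT]` note is copied verbatim from the RHEL article and has the same awkward `Be aware assignment and removal of authorization ... can be delayed until effective` wording; suggest `Be aware that role assignments and removals for managed identities can take time to become effective`. The new managed-identity paragraph names the role `"Linux Fence Agent Role"` while the unchanged service-principal paragraph below it uses `*Linux fence agent Role*`; use one spelling and one quoting style so readers search for the right role name in the portal.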
@@ -768,15 +784,30 @@ Make sure to assign the custom role to the service principal at all VM (cluster
768
784
</code></pre>
769
785
770
786
1.**[1]** If you're using an Azure fence agent as STONITH, run the following commands. After you've assigned roles to both cluster nodes, you can configure the STONITH devices in the cluster.
> The 'pcmk_host_map' option is required in the command only if the hostnames and the Azure VM names are *not* identical. Specify the mapping in the format *hostname:vm-name*.
774
794
> Refer to the bold section in the following command.
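Review bot: `1.**[1]** If you're using an Azure fence agent as STONITH, ...` needs a space after `1.` (`1. **[1]** ...`) or Markdown will not render it as a list item. The hunk header context shows this file still says `Make sure to assign the custom role to the service principal at all VM (cluster node) scopes`, whereas the RHEL article in this commit changes that sentence to `both cluster nodes`; keep this wording in both guides. The `pcmk_host_map` note says `Refer to the bold section in the following command`; verify after the restructuring that the mapping in the command that follows is still bolded.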