Merge pull request #263876 from dennispadia/dp-slespacemakerupdate

prmerger-automator[bot] · web-flow · commit 63612f73ca41 · 2024-01-22T22:40:06.000Z
SLES pacemaker document formatting
diff --git a/articles/sap/workloads/high-availability-guide-suse-pacemaker.md b/articles/sap/workloads/high-availability-guide-suse-pacemaker.md
@@ -10,7 +10,7 @@ ms.subservice: sap-vm-workloads
 ms.topic: article
 ms.workload: infrastructure-services
 ms.custom: devx-track-azurepowershell
-ms.date: 10/09/2023
+ms.date: 01/22/2024
 ms.author: radeltch
 ---
 
@@ -596,18 +596,22 @@ Use the following content for the input file. You need to adapt the content to y
 
 ### **[A]** Assign the custom role
 
-#### Using Managed Identity
+Use managed identity or service principal.
+
+#### [Managed identity](#tab/msi)
 
 Assign the custom role "Linux Fence Agent Role" that was created in the last chapter to each managed identity of the cluster VMs. Each VM system-assigned managed identity needs the role assigned for every cluster VM's resource. For detailed steps, see [Assign a managed identity access to a resource by using the Azure portal](../../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Verify each VM's managed identity role assignment contains all cluster VMs.
 
 > [!IMPORTANT]
 > Be aware assignment and removal of authorization with managed identities [can be delayed](../../active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization) until effective.
 
-#### Using Service Principal
+#### [Service principal](#tab/spn)
 
 Assign the custom role *Linux fence agent Role* that you already created to the service principal. Do *not* use the *Owner* role anymore. For more information, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
 
-Make sure to assign the custom role to the service principal at all VM (cluster node) scopes.  
+Make sure to assign the custom role to the service principal at all VM (cluster node) scopes.
+
+---
 
 ## Install the cluster
 
@@ -929,39 +933,41 @@ Make sure to assign the custom role to the service principal at all VM (cluster
    > The 'pcmk_host_map' option is required in the command only if the hostnames and the Azure VM names are *not* identical. Specify the mapping in the format *hostname:vm-name*.
    > Refer to the bold section in the following command.
 
-   If using **managed identity** for your fence agent, run the following command
+    #### [Managed identity](#tab/msi)
 
-   ```bash
-   # replace the bold strings with your subscription ID and resource group of the VM
+    ```bash
+    # replace the bold strings with your subscription ID and resource group of the VM
    
-   sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \
-   params msi=true subscriptionId="subscription ID" resourceGroup="resource group" \
-   pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name" \
-   op monitor interval=3600 timeout=120
+    sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \
+    params msi=true subscriptionId="subscription ID" resourceGroup="resource group" \
+    pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name" \
+    op monitor interval=3600 timeout=120
    
-   sudo crm configure property stonith-timeout=900
-   ```
+    sudo crm configure property stonith-timeout=900
+    ```
 
-   If using **service principal** for your fence agent, run the following command
+    #### [Service principal](#tab/spn)
 
-   ```bash
-   # replace the bold strings with your subscription ID, resource group of the VM, tenant ID, service principal application ID and password
+    ```bash
+    # replace the bold strings with your subscription ID, resource group of the VM, tenant ID, service principal application ID and password
    
-   sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \
-   params subscriptionId="subscription ID" resourceGroup="resource group" tenantId="tenant ID" login="application ID" passwd="password" \
-   pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name" \
-   op monitor interval=3600 timeout=120
+    sudo crm configure primitive rsc_st_azure stonith:fence_azure_arm \
+    params subscriptionId="subscription ID" resourceGroup="resource group" tenantId="tenant ID" login="application ID" passwd="password" \
+    pcmk_monitor_retries=4 pcmk_action_limit=3 power_timeout=240 pcmk_reboot_timeout=900 pcmk_delay_max=15 pcmk_host_map="prod-cl1-0:prod-cl1-0-vm-name;prod-cl1-1:prod-cl1-1-vm-name" \
+    op monitor interval=3600 timeout=120
    
-   sudo crm configure property stonith-timeout=900
-   ```
+    sudo crm configure property stonith-timeout=900
+    ```
+   
+    ---
 
-   If you're using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration.
+    If you're using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration.
 
-   > [!IMPORTANT]
-   > The monitoring and fencing operations are deserialized. As a result, if there's a longer-running monitoring operation and simultaneous fencing event, there's no delay to the cluster failover because the monitoring operation is already running.
+    > [!IMPORTANT]
+    > The monitoring and fencing operations are deserialized. As a result, if there's a longer-running monitoring operation and simultaneous fencing event, there's no delay to the cluster failover because the monitoring operation is already running.
 
-   > [!TIP]
-   >The Azure fence agent requires outbound connectivity to the public endpoints, as documented, along with possible solutions, in [Public endpoint connectivity for VMs using standard ILB](./high-availability-guide-standard-load-balancer-outbound-connections.md).  
+    > [!TIP]
+    >The Azure fence agent requires outbound connectivity to the public endpoints, as documented, along with possible solutions, in [Public endpoint connectivity for VMs using standard ILB](./high-availability-guide-standard-load-balancer-outbound-connections.md).  
 
 ## Configure Pacemaker for Azure scheduled events
 
