Managing HP Serviceguard for Linux, Seventh Edition, July 2007
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5146
— Full Admin: These users can administer the cluster. They users
can issue these commands in their cluster: cmruncl, cmhaltcl,
cmrunnode, and cmhaltnode. Full Admins can not configure or
create a cluster. Full Admin includes the privileges of the
Package Admin role.
NOTE When you upgrade a cluster from Version A.11.15 or earlier, entries in
$SGCONF/cmclnodelist are automatically updated into Access Control
Policies in the cluster configuration file. All non-root user-hostname
pairs are assigned the role of Monitor (view only).
Package versus Cluster Roles
Package configuration will fail if there is any conflict in roles between
the package configuration and the cluster configuration, so it is a good
idea to have the cluster configuration file in front of you when you create
roles for a package; use cmgetconf to get a listing of the cluster
configuration file.
If a role is configured for a username/hostname in the cluster
configuration file, do not specify a role for the same username/hostname
in the package configuration file; and note that there is no point in
assigning a package administration role to a cluster root user, who
already has complete control over the administration of the cluster and
its packages.
Serviceguard uses different mechanisms for access control depending on
whether the node is configured into a cluster or not. The following two
subsections discuss how to configure access control policies in these two
cases.
Setting Controls for an Unconfigured Node
When Serviceguard is first installed on a system, no access control
policies are defined. To enable this system to be included in a cluster, you
must allow root access to the node for the root user of every other
potential cluster node. The mechanism for doing this is
$SGCONF/cmclnodelist. This file does not exist by default, but you
should create it, as described in the following subsection.