Managing HP Serviceguard for Linux, Sixth Edition, August 2006

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5
Editing Security Files
Serviceguard daemons grant access to commands by matching the incoming
hostname and username against defined access control policies. To
configure these policies properly, administrators need to understand how
Serviceguard handles hostnames, IP addresses, usernames and the relevant
configuration files.
For redundancy, Serviceguard uses all available IPv4 networks for
communication. If a Serviceguard node is able to communicate with
another node over an interface, the access control policy needs to include
the primary IP address for that interface.
IP Address Resolution
Access control policies for Serviceguard are name-based. IP addresses for
incoming connections must be resolved into hostnames to match against
access control policies.
Communication between two Serviceguard nodes could be received over
any of their shared networks. Therefore, all of their primary addresses
on each of those networks need to be identified.
Serviceguard supports using aliases. An IP address may resolve into
multiple hostnames; one of those should match the name defined in the
policy.
Configuring IP Address Resolution
Serviceguard uses the operating system's built-in name resolution
services. It is recommended that name resolutions be defined in each
node's /etc/hosts file first, rather than relying on DNS or NIS services,
for the proper functioning of the cluster.
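One way to audit a hosts file against the rule above, as an added example that is not part of the original manual or of Serviceguard: it reports every primary address that has no hosts entry, or whose entry carries no name equal to the name used in the access control policy. The node names, addresses and hosts content are constructed samples, and the check reads hosts-file text only, not the live resolver.

```python
import ipaddress

def parse_hosts(text):
    """Map each IP address to the set of names (canonical and aliases) listed for it."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank line or address with no name
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first field is not an IP address
        # The same address may appear on several lines; merge all of its names.
        table.setdefault(ip, set()).update(fields[1:])
    return table

def unresolved(hosts_text, node_addrs):
    """Return (policy_name, address, names_found) for each primary address that
    would not resolve to the policy name through this hosts file."""
    table = parse_hosts(hosts_text)
    problems = []
    for policy_name, addrs in node_addrs.items():
        for addr in addrs:
            names = table.get(str(ipaddress.ip_address(addr)), set())
            if policy_name not in names:        # any alias may match, but one must
                problems.append((policy_name, addr, sorted(names)))
    return problems

# Constructed sample: two nodes, one public and two private subnets.
SAMPLE_HOSTS = """\
192.0.2.11  node1.example.com node1     # public
10.8.0.11   node1.example.com node1     # private subnet 1
10.8.1.11   node1-hb.example.com        # private subnet 2, policy name missing
192.0.2.12  node2.example.com node2
10.8.0.12   node2.example.com node2
"""                                     # 10.8.1.12 has no entry at all

# Hypothetical inventory: policy name -> primary address on every shared network.
NODE_ADDRS = {
    "node1": ["192.0.2.11", "10.8.0.11", "10.8.1.11"],
    "node2": ["192.0.2.12", "10.8.0.12", "10.8.1.12"],
}

if __name__ == "__main__":
    for name, addr, names in unresolved(SAMPLE_HOSTS, NODE_ADDRS):
        print(f"{addr}: policy expects {name!r}, hosts file gives {names or 'no entry'}")
```

Run it against the same hosts content on every cluster node; a connection arriving over a flagged address would resolve to a name the policy does not list.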
For example, consider a two-node cluster (gryf and sly) with two private
subnets and a public subnet. The cluster nodes will be granting permission
to a non-cluster node (bit) that does not share the private subnets. The
/etc/hosts file on both cluster nodes should contain:
15.145.162.131 gryf.uksr.hp.com gryf
10.8.0.131 gryf.uksr.hp.com gryf
10.8.1.131 gryf.uksr.hp.com gryf
15.145.162.132 sly.uksr.hp.com sly
10.8.0.132 sly.uksr.hp.com sly