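I checked how fence_vmware_soap, which is included in fence_agent, handles connections to ESXi5.
The ESX version is the 5.5 series, a slightly older release.
Unlike external/libvirt, fence_vmware_soap does not require you to specify the connection type (the esx/vpx setting that distinguishes a direct ESXi connection from a vCenter connection), which is convenient. However, the SOAP processing seems to take some time, so it appears to run slower than external/libvirt.
There is also no need to edit /etc/libvirt/auth.conf.
Environment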
- vCenter : xxx.xxx.xx.62
- ESXi5 : xxx.xxx.xx.33
- In practice, two more ESXi5 servers exist under vCenter, in an HA configuration.
- RHEL7.3 : rh73-01 - a guest on the target ESXi5 host
- fence_agent 4.0.25
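Details
For now, it appears that the insecure option is required when using this on RHEL7.
In the examples below the user name and password are written out in plain text because this is only a check from the command line; when actually configuring this as a STONITH resource in Pacemaker, I think masking them with cibsecret is necessary.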
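An added example, not part of the original post: fence agents also read their options as name=value lines on standard input, so the password can come from a protected file instead of appearing in the process argument list as it does with -p. The fence_params helper, the password file and the host name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): build the name=value option
# block for a fence agent's standard input from a protected password file.

# fence_params PWFILE HOST USER ACTION PLUG [secure|insecure]
# Returns 1: not a regular file, 2: accessible to group/other, 3: empty,
# 4: unknown TLS mode. Option names are those in the metadata on this page.
fence_params() {
    fp_file=$1
    if [ ! -f "$fp_file" ] || [ -L "$fp_file" ]; then
        echo "fence_params: $fp_file is not a regular file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    fp_bits=$(ls -ld "$fp_file" | cut -c5-10)
    if [ "$fp_bits" != "------" ]; then
        echo "fence_params: $fp_file is accessible to group or other" >&2
        return 2
    fi
    fp_pass=
    IFS= read -r fp_pass < "$fp_file" || :
    if [ -z "$fp_pass" ]; then
        echo "fence_params: $fp_file is empty" >&2
        return 3
    fi
    case ${6:-secure} in
        secure)   fp_tls=ssl_secure ;;    # verify the server certificate
        insecure) fp_tls=ssl_insecure ;;  # what the commands on this page use
        *) echo "fence_params: TLS mode must be secure or insecure" >&2
           return 4 ;;
    esac
    printf 'ipaddr=%s\nlogin=%s\npasswd=%s\nssl=1\n%s=1\naction=%s\nport=%s\n' \
        "$2" "$3" "$fp_pass" "$fp_tls" "$4" "$5"
}

# Demo with a constructed password file; the secret is masked for display.
# Real use would pipe the output straight into fence_vmware_soap.
demo_dir=$(mktemp -d)
( umask 077; printf 'constructed-secret\n' > "$demo_dir/pw" )
fence_params "$demo_dir/pw" vcenter.example.test userid status web-srv |
    sed 's/^passwd=.*/passwd=<masked>/'
rm -rf "$demo_dir"
```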
Getting the list
Get the list of guests on the ESXi5 host.
[rh73-01]# fence_vmware_soap -o list -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure
(snip)
web-srv,564dac69-59b8-7967-7617-c29a6cfbfd2c
rh73-01,564d7267-8fad-56e9-609d-ae8f13c3d44f
db01-srv,564d550f-2fa4-7227-2377-f2a64076caaa
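Next, specify vCenter as the connection target and get the list of guests on the ESXi hosts under vCenter.
With libvirt the vpx setting was required, but if the user name and password are the same on vCenter, you can get the list just by changing the IP address to that of vCenter.
The list covers the guests placed on all ESXi hosts.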
[rh73-01]# fence_vmware_soap -o list -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure
(snip)
web-srv,564dac69-59b8-7967-7617-c29a6cfbfd2c
rh73-01,564d7267-8fad-56e9-609d-ae8f13c3d44f
db01-srv,564d550f-2fa4-7227-2377-f2a64076caaa
(snip)
ap02-srv,564d7267-8fad-56e9-609d-1e8f13c3d44f
db02-srv,564d550f-2fa4-7227-2377-32a64076caaa
Getting guest status
The -n option specifies the target guest; it accepts either the guest name or the UUID.
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: OFF
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n 564dac69-59b8-7967-7617-c29a6cfbfd2c
Status: OFF
Status can be retrieved the same way when the vCenter server is specified as the connection target.
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: OFF
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n 564dac69-59b8-7967-7617-c29a6cfbfd2c
Status: OFF
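An added example, not part of the original post: since -n accepts a name or a UUID, and the agent's own description (in the metadata further down) says a plain name is only usable when it is unique, this helper resolves a name against the list output and refuses missing or ambiguous names before any power action is issued. resolve_plug, is_uuid and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): map a guest name to its UUID
# from "-o list" output and refuse names that are missing or ambiguous.

# Constructed sample in the "name,UUID" format shown above. The last line,
# a second db01-srv with a different UUID, is invented to model a collision.
SAMPLE_LIST='(snip)
web-srv,564dac69-59b8-7967-7617-c29a6cfbfd2c
rh73-01,564d7267-8fad-56e9-609d-ae8f13c3d44f
db01-srv,564d550f-2fa4-7227-2377-f2a64076caaa
web-srv,564dac69-59b8-7967-7617-c29a6cfbfd2c
db01-srv,00000000-0000-0000-0000-000000000001'

# is_uuid STRING: succeeds only for the 8-4-4-4-12 hexadecimal form.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# resolve_plug NAME: reads list output on stdin, prints the matching UUID.
# Returns 0 for exactly one UUID, 1 if the name is absent, 2 if ambiguous.
resolve_plug() {
    rp_matches=$(
        while IFS= read -r rp_line || [ -n "$rp_line" ]; do
            case $rp_line in *,*) ;; *) continue ;; esac  # skip "(snip)" etc.
            rp_uuid=${rp_line##*,}   # UUID is the last comma-separated field
            rp_name=${rp_line%,*}    # the name is everything before it
            is_uuid "$rp_uuid" || continue
            if [ "$rp_name" = "$1" ]; then printf '%s\n' "$rp_uuid"; fi
        done | sort -u               # the same guest listed twice counts once
    )
    if [ -z "$rp_matches" ]; then
        echo "resolve_plug: no guest named '$1'" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$rp_matches" | grep -c '')" -gt 1 ]; then
        echo "resolve_plug: '$1' maps to several UUIDs, use the UUID" >&2
        return 2
    fi
    printf '%s\n' "$rp_matches"
}

# Demo on the constructed sample: prints the UUID of web-srv.
printf '%s\n' "$SAMPLE_LIST" | resolve_plug web-srv
```

Against a live system the function would read the output of the list command shown above, and the resulting UUID is what gets passed to -n.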
Powering off a guest
With STONITH in mind, power off the guest.
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: ON
[rh73-01]# fence_vmware_soap -o off -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Success: Powered OFF
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: OFF
Power-off works the same way when the vCenter server is specified as the connection target.
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: ON
[rh73-01]# fence_vmware_soap -o off -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Success: Powered OFF
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: OFF
Powering on a guest
With STONITH in mind, power on the guest.
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: OFF
[rh73-01]# fence_vmware_soap -o on -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Success: Powered ON
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.33" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: ON
Power-on works the same way when the vCenter server is specified as the connection target.
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: OFF
[rh73-01]# fence_vmware_soap -o on -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Success: Powered ON
[rh73-01]# fence_vmware_soap -o status -a "xxx.xxx.xx.62" -l "userid" -p "password" -z --ssl-insecure -n web-srv
Status: ON
Other
Help
[rh73-01]# fence_vmware_soap --help
Usage:
fence_vmware_soap [options]
Options:
-a, --ip=[ip] IP address or hostname of fencing device
-l, --username=[name] Login name
-p, --password=[password] Login password or passphrase
-z, --ssl Use SSL connection with verifying certificate
-t, --notls Disable TLS negotiation and force SSL3.0. This
should only be used for devices that do not
support TLS1.0 and up.
-n, --plug=[id] Physical plug number on device, UUID or
identification of machine
-u, --ipport=[port] TCP/UDP port to use
(default 80, 443 if --ssl option is used)
-4, --inet4-only Forces agent to use IPv4 addresses only
-6, --inet6-only Forces agent to use IPv6 addresses only
-S, --password-script=[script] Script to run to retrieve password
--ssl-secure Use SSL connection with verifying certificate
--ssl-insecure Use SSL connection without verifying certificate
-o, --action=[action] Action: on, off, reboot (default), status, list,
list-status, monitor, metadata or
validate-all
-q, --quiet Disable logging to stderr. Does not affect
--verbose or --debug logging to syslog.
-v, --verbose Verbose mode
-D, --debug-file=[debugfile] Debugging to output file
-V, --version Display version information and exit
-h, --help Display this help and exit
-C, --separator=[char] Separator for CSV created by 'list' operation
--power-timeout=[seconds] Test X seconds for status change after ON/OFF
--shell-timeout=[seconds] Wait X seconds for cmd prompt after issuing command
--login-timeout=[seconds] Wait X seconds for cmd prompt after login
--power-wait=[seconds] Wait X seconds after issuing ON/OFF
--delay=[seconds] Wait X seconds before fencing is started
--retry-on=[attempts] Count of attempts to retry power on
--gnutlscli-path=[path] Path to gnutls-cli binary
Getting the metadata
This shows the parameters and other settings to configure when actually using the agent with Pacemaker.
[rh73-01]# stonith_admin -M -a fence_vmware_soap
<resource-agent name="fence_vmware_soap" shortdesc="Fence agent for VMWare over SOAP API">
<longdesc>
fence_vmware_soap is an I/O Fencing agent which can be used with the virtual machines managed by VMWare products that have SOAP API v4.1+.
.P
Name of virtual machine (-n / port) has to be used in inventory path format (e.g. /datacenter/vm/Discovered virtual machine/myMachine). In the cases when name of yours VM is unique you can use it instead. Alternatively you can always use UUID to access virtual machine.
</longdesc>
<vendor-url>
http://www.vmware.com
</vendor-url>
<parameters>
<parameter name="action" unique="0" required="1">
<getopt mixed="-o, --action=[action]"/>
<content type="string" default="reboot"/>
<shortdesc lang="en">
Fencing action
</shortdesc>
</parameter>
<parameter name="inet4_only" unique="0" required="0">
<getopt mixed="-4, --inet4-only"/>
<content type="boolean"/>
<shortdesc lang="en">
Forces agent to use IPv4 addresses only
</shortdesc>
</parameter>
<parameter name="inet6_only" unique="0" required="0">
<getopt mixed="-6, --inet6-only"/>
<content type="boolean"/>
<shortdesc lang="en">
Forces agent to use IPv6 addresses only
</shortdesc>
</parameter>
<parameter name="ipaddr" unique="0" required="1">
<getopt mixed="-a, --ip=[ip]"/>
<content type="string"/>
<shortdesc lang="en">
IP address or hostname of fencing device
</shortdesc>
</parameter>
<parameter name="ipport" unique="0" required="0">
<getopt mixed="-u, --ipport=[port]"/>
<content type="integer" default="80"/>
<shortdesc lang="en">
TCP/UDP port to use for connection with device
</shortdesc>
</parameter>
<parameter name="login" unique="0" required="1">
<getopt mixed="-l, --username=[name]"/>
<content type="string"/>
<shortdesc lang="en">
Login name
</shortdesc>
</parameter>
<parameter name="notls" unique="0" required="0">
<getopt mixed="-t, --notls"/>
<content type="boolean"/>
<shortdesc lang="en">
Disable TLS negotiation and force SSL3.0. This should only be used for devices that do not support TLS1.0 and up.
</shortdesc>
</parameter>
<parameter name="passwd" unique="0" required="0">
<getopt mixed="-p, --password=[password]"/>
<content type="string"/>
<shortdesc lang="en">
Login password or passphrase
</shortdesc>
</parameter>
<parameter name="passwd_script" unique="0" required="0">
<getopt mixed="-S, --password-script=[script]"/>
<content type="string"/>
<shortdesc lang="en">
Script to run to retrieve password
</shortdesc>
</parameter>
<parameter name="port" unique="0" required="0">
<getopt mixed="-n, --plug=[id]"/>
<content type="string"/>
<shortdesc lang="en">
Physical plug number on device, UUID or identification of machine
</shortdesc>
</parameter>
<parameter name="ssl" unique="0" required="0">
<getopt mixed="-z, --ssl"/>
<content type="boolean"/>
<shortdesc lang="en">
Use SSL connection with verifying certificate
</shortdesc>
</parameter>
<parameter name="ssl_insecure" unique="0" required="0">
<getopt mixed="--ssl-insecure"/>
<content type="boolean"/>
<shortdesc lang="en">
Use SSL connection without verifying certificate
</shortdesc>
</parameter>
<parameter name="ssl_secure" unique="0" required="0">
<getopt mixed="--ssl-secure"/>
<content type="boolean"/>
<shortdesc lang="en">
Use SSL connection with verifying certificate
</shortdesc>
</parameter>
<parameter name="quiet" unique="0" required="0">
<getopt mixed="-q, --quiet"/>
<content type="boolean"/>
<shortdesc lang="en">
Disable logging to stderr. Does not affect --verbose or --debug logging to syslog.
</shortdesc>
</parameter>
<parameter name="verbose" unique="0" required="0">
<getopt mixed="-v, --verbose"/>
<content type="boolean"/>
<shortdesc lang="en">
Verbose mode
</shortdesc>
</parameter>
<parameter name="debug" unique="0" required="0">
<getopt mixed="-D, --debug-file=[debugfile]"/>
<content type="string"/>
<shortdesc lang="en">
Write debug information to given file
</shortdesc>
</parameter>
<parameter name="version" unique="0" required="0">
<getopt mixed="-V, --version"/>
<content type="boolean"/>
<shortdesc lang="en">
Display version information and exit
</shortdesc>
</parameter>
<parameter name="help" unique="0" required="0">
<getopt mixed="-h, --help"/>
<content type="boolean"/>
<shortdesc lang="en">
Display help and exit
</shortdesc>
</parameter>
<parameter name="separator" unique="0" required="0">
<getopt mixed="-C, --separator=[char]"/>
<content type="string" default=","/>
<shortdesc lang="en">
Separator for CSV created by 'list' operation
</shortdesc>
</parameter>
<parameter name="delay" unique="0" required="0">
<getopt mixed="--delay=[seconds]"/>
<content type="second" default="0"/>
<shortdesc lang="en">
Wait X seconds before fencing is started
</shortdesc>
</parameter>
<parameter name="login_timeout" unique="0" required="0">
<getopt mixed="--login-timeout=[seconds]"/>
<content type="second" default="5"/>
<shortdesc lang="en">
Wait X seconds for cmd prompt after login
</shortdesc>
</parameter>
<parameter name="power_timeout" unique="0" required="0">
<getopt mixed="--power-timeout=[seconds]"/>
<content type="second" default="20"/>
<shortdesc lang="en">
Test X seconds for status change after ON/OFF
</shortdesc>
</parameter>
<parameter name="power_wait" unique="0" required="0">
<getopt mixed="--power-wait=[seconds]"/>
<content type="second" default="0"/>
<shortdesc lang="en">
Wait X seconds after issuing ON/OFF
</shortdesc>
</parameter>
<parameter name="shell_timeout" unique="0" required="0">
<getopt mixed="--shell-timeout=[seconds]"/>
<content type="second" default="3"/>
<shortdesc lang="en">
Wait X seconds for cmd prompt after issuing command
</shortdesc>
</parameter>
<parameter name="retry_on" unique="0" required="0">
<getopt mixed="--retry-on=[attempts]"/>
<content type="integer" default="1"/>
<shortdesc lang="en">
Count of attempts to retry power on
</shortdesc>
</parameter>
<parameter name="gnutlscli_path" unique="0" required="0">
<getopt mixed="--gnutlscli-path=[path]"/>
<content type="string" default="/usr/bin/gnutls-cli"/>
<shortdesc lang="en">
Path to gnutls-cli binary
</shortdesc>
</parameter>
</parameters>
<actions>
<action name="on" automatic="0"/>
<action name="off"/>
<action name="reboot"/>
<action name="status"/>
<action name="list"/>
<action name="list-status"/>
<action name="monitor"/>
<action name="metadata"/>
<action name="validate-all"/>
<action name="stop" timeout="20s"/>
<action name="start" timeout="20s"/>
</actions>
</resource-agent>
That's all.