Mailing List Archive

STONITH plugin for VMware vCenter
Hello all,

Please find the attached plugin.

It requires vSphere SDK for Perl:
http://www.vmware.com/support/developer/viperltoolkit/

Parameters:

hostlist (e.g. hostname1=VMNAME;hostname2=VMNAME2), ip (vCenter IP),
username, password

Tested with 4.1

Best regards,
Nhan
Re: STONITH plugin for VMware vCenter
On Sun, Apr 03, 2011 at 10:15:50AM +0200, Nhan Ngo Dinh wrote:
> Hello all,
>
> Please find the attached plugin.
>
> It requires vSphere SDK for Perl:
> http://www.vmware.com/support/developer/viperltoolkit/
>
> Parameters:
>
> hostlist (e.g. hostname1=VMNAME;hostname2=VMNAME2), ip (vCenter IP),
> username, password
>
> Tested with 4.1

I don't know too much about vCenter, I'll assume that the interactions
with it are "correct", whatever that means.

But I know my share of perl and pacemaker.
So here are a few comments.


> #!/usr/bin/perl
> #
> # External STONITH module for VMWare vCenter
> #
> # Author: Nhan Ngo Dinh
> # License: GNU General Public License (GPL)
> #
>
> use strict;
> use warnings;
> use Switch;

I don't like that Switch.pm thingy ;-)
But never mind...

> use VMware::VIRuntime;
>
> my $command = $ARGV[0];
> my $targetHost;
> if ( defined $ARGV[1] ) {
> $targetHost = $ARGV[1];
> }

The end result of this is still the same as just writing
    my $targetHost = $ARGV[1];


> if (defined($ENV{'ip'})) {

If you mean to test for existence of hash elements, please always use
"exists". The above will create an empty but from now on exported 'ip'
variable into the environment.
You likely want to say

    if (exists $ENV{ip}) {

(and yes, you can give it more line noise,
if you feel more comfortable that way)

If you actually want to say "if defined",
then you could also just do away with the if,
and assign directly.

> $ENV{'VI_PORTNUMBER'} = 443;
> $ENV{'VI_PROTOCOL'} = "https";
> $ENV{'VI_SERVER'} = $ENV{'ip'};


Why would you only override VI_PORTNUMBER and VI_PROTOCOL
if the ip is defined?

Why would you want to have your own "ip" environment,
and not expose VI_SERVER directly?


> }
>
> if (defined($ENV{'username'})) {
> $ENV{'VI_USERNAME'} = $ENV{'username'};
> $ENV{'VI_PASSWORD'} = $ENV{'password'};
> Opts::parse();
> Opts::validate();
> } else {
> Opts::parse();

No validate here? Why not?

> }

I suppose the Opts::validate() is supposed to throw an error (aka die()),
if there is insufficient information to contact the management entity?
If so, please document that.

Probably you want to catch that via eval {},
and log the error message with some context information
about where it comes from, before propagating the error.

>
> my $ret = 255;
> my $hosts = {};
> my $realTarget;
>
> if ( defined $ENV{'hostlist'} ) {
> my @lines;
> my $line;
> @lines = split(/;/, $ENV{'hostlist'});
> foreach $line (@lines) {
> my @config = split(/=/, $line);
> $hosts->{$config[0]} = $config[1];
> }
> if (defined $targetHost) { $realTarget = $hosts->{$targetHost}; }
> }

Please add a comment what this is supposed to do, and why.
Not what it does, that's clear ;-)

Also: clearly document that no whitespace is allowed, nowhere,
and hostname=VMNAME; is a hard requirement, even if hostname and VMNAME
should match.
Or change the code to allow that special case to be written as just
"hostname;" in the hostlist.

Since you later do the reverse mapping in nested loops,
how about constructing both forward and backward mapping hashes here?
%host_to_vm = ();
%vm_to_host = ();
...

> sub getvms {
> Util::connect();
> my $regex = "";
> for (keys %$hosts) {
> if (length($regex) > 0) { $regex .= "|"; }
> $regex .= $hosts->{$_};
> }
> my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { 'name' => qr/^($regex)/ });

I'm not sure if you really mean what you wrote there.

My guess would be that you actually meant to say
    my $regex = join "|", map { qr/\Q$_\E/ } values %$hosts;
    my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { 'name' => qr/^($regex)$/i });

What's the difference?
So it is written differently.
So what. You can also write that as a for (keys ...) {} no problem.

Then, it does a case insensitive match (I'm not sure, but I assume
VMNAME is supposed to be matched case insensitive?)

It does not omit the trailing $,
so VMNAM would not match both VMNAM and VMNAME ;-)

Most importantly, it \Q-ot-\E-s the VMNAMEs, so VM.NA.ME won't match
VMxNAyME, but only VM.NA.ME.

> Util::disconnect();
> return $vms;
> }
>
> switch ($command) {
> case "reset" {

Bah. Did I mention that I dislike switch statements in Perl?
Ah, never you mind ;)

> Util::connect();
> my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });

Unless this filter thing has a special mode where it internally does a
"$x eq $y" for scalars and "$x =~ $y" for explicitly designated qr//
Regexp objects, I'd suggest to here also do
filter => { name => qr/^\Q$realTarget\E$/i }

> my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;

What is the hostname used for, now?

> $vm->ResetVM();

Hm. Apparently the filter thingy did something different,
the return value seems to be a reference to some "manageable" VM object,
previously it was supposed to be a reference to an array of such objects?

> Util::disconnect();

Do the Util::connect(), disconnect() once, not within each case.

I suggest doing
    Util::connect();
    eval {
        ...
    };
    if ($@) {
        my $error = $@;

        # log the error in a suitable way

        ...
        $ret = 1; # or 255, or 42 or whatever feels "right".
    } else {
        $ret = 0;
    }
    Util::disconnect();


> $ret = 0;
> }
>
> case "off" {
> Util::connect();
> my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
> my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;

Again, useless (?) use of $hostname.

> $vm->PowerOffVM();
> Util::disconnect();
> $ret = 0;
> }
>
> case "on" {
> Util::connect();
> my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
> my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
> $vm->PowerOnVM();
> Util::disconnect();
> $ret = 0;
> }
>
> case "gethosts" {
> my $vms = getvms();
> foreach my $vm (@$vms) {
> while (my ($k, $v) = each %$hosts) {
> if ($vm->name eq $v) {
> print $k . "\n";
> }
> }
> }

I'd always write "$k\n" instead of $k . "\n";
I'd use the previously created vm_to_host hash.

So that would become
foreach my $vm (@$vms) { print "$vm_to_host{$vm->name}\n" };


> $ret = 0;
> }
>
> case "status" {
> $ret = system("ping -c1 $ENV{'ip'}");
> #Util::connect();
> #Util::disconnect();
> #$ret = 0;

Hm.
I'd like some sort of "no-op" that actually exercises the
connection to the "VM manager" level, instead of pinging some ip,
which may even be misspelled accidentally (10.0.0.23 instead of
10.0.0.32 ;-)

So rather actually do an Util::connect(), do something with the Vim::
blahfoo (e.g. choose a random hostname from the hostlist, and query its
vms "power" status)

> }
>
> case "getconfignames" {
> print "hostlist\nip\nusername\npassword\n";
> $ret = 0;
> }
>
> case "getinfo-devid" {
> print "VMware vCenter STONITH device\n";
> $ret = 0;
> }
>
> case "getinfo-devname" {
> print "VMware vCenter STONITH device\n";
> $ret = 0;
> }
>
> case "getinfo-devdescr" {
> print "VMWare vCenter STONITH device\n";
> $ret = 0;
> }
>
> case "getinfo-devurl" {
> print "http://www.vmware.com/\n";
> $ret = 0;
> }
>
> case "getinfo-xml" {
> print "<parameters>
> <parameter name=\"hostlist\" unique=\"1\">

Did you know:
print q{blafoo <lala/> x="unquoted double quotes" possible here.};
(mind the difference between q{} and qq{};
also, there are "HERE" documents in perl as well...)

If there are two ways to express something,
I tend to use the one with less line noise,
so I'd try to avoid all those \"\"

(btw, I did not validate the xml).

print q{<parameters>
<parameter name="hostlist" unique="1">

Is it unique? Why?
I think it would be legit to be able to stonith the same hosts
from more than one instance of stonith plugins.

<content type="string"/>
<shortdesc lang="en">hostlist</shortdesc>
<longdesc lang="en">
The list of hosts that the VMware vCenter STONITH device controls.
Format is "hostname1=VirtualMachineName1;hostname2=VirtualMachineName2"

No whitespace allowed.
hostname is supposed to be "uname -n", which is what is passed
in as STONITH victim on the command line.

[if I understood correctly]

</longdesc>
</parameter>
<parameter name="ip" unique="1">

Again, why would that be unique?
Same for parameters below.

<content type="string"/>
<shortdesc lang="en">ip</shortdesc>
<longdesc lang="en">
The VMware vCenter IP address
</longdesc>
</parameter>
<parameter name="username" unique="1">
<content type="string"/>
<shortdesc lang="en">username</shortdesc>
<longdesc lang="en">
The username to access VMware vCenter
</longdesc>
</parameter>
<parameter name="password" unique="1">
<content type="string"/>
<shortdesc lang="en">password</shortdesc>
<longdesc lang="en">
The password to access VMware vCenter

You probably want to mention that it would be a good idea to
secure all pacemaker communication paths against the potential
of sniffing, and lock down the permissions on any location that
could end up containing copies of the cib in either xml or plain
text, or risk funny DoS attacks ;-)
Then again, maybe that is obvious.

That's a problem for all STONITH devices, though, unless they
somehow stored their credentials somewhere else.

I think there is some bugzilla on that issue (protecting
sensitive information in the cib from appearing in logs,
or rather keep them out of the cib completely).

Dejan?

</longdesc>
</parameter>
</parameters>
};

> $ret = 0;
> }
>
> else {
> $ret = 1;
> }
>
> }
>
> exit($ret);

Enough for today.

Thank you for this contribution.

If we now can have a few other "Reviewed-by:" or "Tested-by:" signatures,
that would be great.


--
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
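
Added example (not part of the thread or of the posted plugin): the name-matching points from the review above, run in plain Perl against a constructed VM inventory so that no vCenter is needed. It also builds the forward and reverse hostlist maps and accepts the "hostname;" shorthand the review suggests as an option; `parse_hostlist`, `loose_pattern`, `exact_pattern` and all sample names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse "node1=VM1;node2=VM2" into forward and reverse maps. Malformed input
# is fatal: a fencing agent must not guess which VM a cluster node refers to.
sub parse_hostlist {
    my ($hostlist) = @_;
    my (%host_to_vm, %vm_to_host);
    for my $entry (split /;/, $hostlist) {
        next if $entry eq '';                      # tolerate ";;" and a trailing ";"
        die "whitespace in hostlist entry '$entry'\n" if $entry =~ /\s/;
        my ($host, $vm) = $entry =~ /^([^=]+)(?:=(.+))?\z/
            or die "malformed hostlist entry '$entry'\n";
        $vm = $host unless defined $vm;            # "hostname;" shorthand
        die "host '$host' listed twice\n"      if exists $host_to_vm{$host};
        die "VM '$vm' assigned to two hosts\n" if exists $vm_to_host{$vm};
        $host_to_vm{$host} = $vm;
        $vm_to_host{$vm}   = $host;
    }
    return (\%host_to_vm, \%vm_to_host);
}

# Pattern as built in the posted getvms(): names joined unquoted and
# anchored at the start only.
sub loose_pattern {
    my $alt = join '|', @_;
    return qr/^($alt)/;
}

# Pattern as suggested in the review: every name quoted, anchored at both
# ends (\z, so a trailing newline is not accepted either). Case-insensitive
# matching is a switch because the thread did not settle that question.
sub exact_pattern {
    my ($ignore_case, @names) = @_;
    my $alt = join '|', map { quotemeta($_) } @names;
    return $ignore_case ? qr/^(?:$alt)\z/i : qr/^(?:$alt)\z/;
}

# Constructed inventory standing in for the VM names vCenter would return.
my @inventory = qw(web.01 webx01 web.010 db1 db10);

my ($host_to_vm, $vm_to_host) = parse_hostlist('node1=web.01;node2=db1');
my @wanted = sort values %$host_to_vm;

my $loose_re = loose_pattern(@wanted);
my $exact_re = exact_pattern(0, @wanted);
my @loose = grep { $_ =~ $loose_re } @inventory;
my @exact = grep { $_ =~ $exact_re } @inventory;
print "loose pattern selects: @loose\n";
print "exact pattern selects: @exact\n";

# gethosts through the reverse map instead of nested loops.
print "gethosts: $vm_to_host->{$_}\n" for @exact;

# A reset/off/on target resolved the same way: one exact name or nothing.
my $target_re = exact_pattern(0, $host_to_vm->{node2});
my @victims   = grep { $_ =~ $target_re } @inventory;
print "fence node2 -> @victims\n";

# Entries the posted split()-based parser would have accepted silently.
for my $bad ('node1 = web.01', 'node1=web.01;node3=web.01', 'node1=') {
    eval { parse_hostlist($bad); 1 } or print "rejected '$bad': $@";
}
```

With the loose pattern every name in the constructed inventory is selected; with the exact pattern only the two configured VMs are, which is the property a fencing agent needs before it powers anything off.
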
Re: STONITH plugin for VMware vCenter
Hi,

On Mon, Apr 04, 2011 at 09:23:17PM +0200, Lars Ellenberg wrote:
> On Sun, Apr 03, 2011 at 10:15:50AM +0200, Nhan Ngo Dinh wrote:
> > Hello all,
> >
> > Please find the attached plugin.
> >
> > It requires vSphere SDK for Perl:
> > http://www.vmware.com/support/developer/viperltoolkit/
> >
> > Parameters:
> >
> > hostlist (e.g. hostname1=VMNAME;hostname2=VMNAME2), ip (vCenter IP),
> > username, password
> >
> > Tested with 4.1
>
> I don't know too much about vCenter, I'll assume that the interactions
> with it are "correct", whatever that means.
>
> But I know my share of perl and pacemaker.
> So here are a few comments.
>
>
> > #!/usr/bin/perl
> > #
> > # External STONITH module for VMWare vCenter
> > #
> > # Author: Nhan Ngo Dinh
> > # License: GNU General Public License (GPL)
> > #
> >
> > use strict;
> > use warnings;
> > use Switch;
>
> I don't like that Switch.pm thingy ;-)
> But never mind...
>
> > use VMware::VIRuntime;
> >
> > my $command = $ARGV[0];
> > my $targetHost;
> > if ( defined $ARGV[1] ) {
> > $targetHost = $ARGV[1];
> > }
>
> The end result of this is still the same as just writing
> my $targetHost = $ARGV[1];
>
>
> > if (defined($ENV{'ip'})) {
>
> If you mean to test for existence of hash elements, please always use
> "exists". The above will create an empty but from now on exported 'ip'
> variable into the environment.
> You likely want to say
>
> if (exists $ENV{ip}) {
>
> (and yes, you can give it more line noise,
> if you feel more comfortable that way)
>
> If you actually want to say "if defined",
> then you could also just do away with the if,
> and assign directly.
>
> > $ENV{'VI_PORTNUMBER'} = 443;
> > $ENV{'VI_PROTOCOL'} = "https";
> > $ENV{'VI_SERVER'} = $ENV{'ip'};
>
>
> Why would you only override VI_PORTNUMBER and VI_PROTOCOL
> if the ip is defined?
>
> Why would you want to have your own "ip" environment,
> and not expose VI_SERVER directly?
>
>
> > }
> >
> > if (defined($ENV{'username'})) {
> > $ENV{'VI_USERNAME'} = $ENV{'username'};
> > $ENV{'VI_PASSWORD'} = $ENV{'password'};
> > Opts::parse();
> > Opts::validate();
> > } else {
> > Opts::parse();
>
> No validate here? Why not?
>
> > }
>
> I suppose the Opts::validate() is supposed to throw an error (aka die()),
> if there is insufficient information to contact the management entity?
> If so, please document that.
>
> Probably you want to catch that via eval {},
> and log the error message with some context information
> about where it comes from, before propagating the error.
>
> >
> > my $ret = 255;
> > my $hosts = {};
> > my $realTarget;
> >
> > if ( defined $ENV{'hostlist'} ) {
> > my @lines;
> > my $line;
> > @lines = split(/;/, $ENV{'hostlist'});
> > foreach $line (@lines) {
> > my @config = split(/=/, $line);
> > $hosts->{$config[0]} = $config[1];
> > }
> > if (defined $targetHost) { $realTarget = $hosts->{$targetHost}; }
> > }
>
> Please add a comment what this is supposed to do, and why.
> Not what it does, that's clear ;-)
>
> Also: clearly document that no whitespace is allowed, nowhere,
> and hostname=VMNAME; is a hard requirement, even if hostname and VMNAME
> should match.
> Or change the code to allow that special case to be written as just
> "hostname;" in the hostlist.
>
> Since you later do the reverse mapping in nested loops,
> how about constructing both forward and backward mapping hashes here?
> %host_to_vm = ();
> %vm_to_host = ();
> ...
>
> > sub getvms {
> > Util::connect();
> > my $regex = "";
> > for (keys %$hosts) {
> > if (length($regex) > 0) { $regex .= "|"; }
> > $regex .= $hosts->{$_};
> > }
> > my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { 'name' => qr/^($regex)/ });
>
> I'm not sure if you really mean what you wrote there.
>
> My guess would be that you actually meant to say
> my $regex = join "|", map { qr/\Q$_\E/ } values %$hosts;
> my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { 'name' => qr/^($regex)$/i });
>
> What's the difference?
> So it is written differently.
> So what. You can also write that as a for (keys ...) {} no problem.
>
> Then, it does a case insensitive match (I'm not sure, but I assume
> VMNAME is supposed to be matched case insensitive?)
>
> It does not omit the trailing $,
> so VMNAM would not match both VMNAM and VMNAME ;-)
>
> Most importantly, it \Q-ot-\E-s the VMNAMEs, so VM.NA.ME won't match
> VMxNAyME, but only VM.NA.ME.
>
> > Util::disconnect();
> > return $vms;
> > }
> >
> > switch ($command) {
> > case "reset" {
>
> Bah. Did I mention that I dislike switch statements in Perl?
> Ah, never you mind ;)
>
> > Util::connect();
> > my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
>
> Unless this filter thing has a special mode where it internally does a
> "$x eq $y" for scalars and "$x =~ $y" for explicitly designated qr//
> Regexp objects, I'd suggest to here also do
> filter => { name => qr/^\Q$realTarget\E$/i }
>
> > my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
>
> What is the hostname used for, now?
>
> > $vm->ResetVM();
>
> Hm. Apparently the filter thingy did something different,
> the return value seems to be a reference to some "manageable" VM object,
> previously it was supposed to be a reference to an array of such objects?
>
> > Util::disconnect();
>
> Do the Util::connect(), disconnect() once, not within each case.

There's otherwise a lot of code repetition for the on, off, and
reset cases.

Did you check that doing a reset on a VM which is off does the
right thing, i.e. turns the VM on? Also, if doing off on a VM
which is off doesn't exit with error.

> I suggest doing
>     Util::connect();
>     eval {
>         ...
>     };
>     if ($@) {
>         my $error = $@;
>
>         # log the error in a suitable way
>
>         ...
>         $ret = 1; # or 255, or 42 or whatever feels "right".
>     } else {
>         $ret = 0;
>     }
>     Util::disconnect();
>
>
> > $ret = 0;
> > }
> >
> > case "off" {
> > Util::connect();
> > my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
> > my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
>
> Again, useless (?) use of $hostname.
>
> > $vm->PowerOffVM();
> > Util::disconnect();
> > $ret = 0;
> > }
> >
> > case "on" {
> > Util::connect();
> > my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
> > my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
> > $vm->PowerOnVM();
> > Util::disconnect();
> > $ret = 0;
> > }
> >
> > case "gethosts" {
> > my $vms = getvms();
> > foreach my $vm (@$vms) {
> > while (my ($k, $v) = each %$hosts) {
> > if ($vm->name eq $v) {
> > print $k . "\n";
> > }
> > }
> > }
>
> I'd always write "$k\n" instead of $k . "\n";
> I'd use the previously created vm_to_host hash.
>
> So that would become
> foreach my $vm (@$vms) { print "$vm_to_host{$vm->name}\n" };
>
>
> > $ret = 0;
> > }
> >
> > case "status" {
> > $ret = system("ping -c1 $ENV{'ip'}");
> > #Util::connect();
> > #Util::disconnect();
> > #$ret = 0;
>
> Hm.
> I'd like some sort of "no-op" that actually exercises the
> connection to the "VM manager" level, instead of pinging some ip,
> which may even be misspelled accidentally (10.0.0.23 instead of
> 10.0.0.32 ;-)
>
> So rather actually do an Util::connect(), do something with the Vim::
> blahfoo (e.g. choose a random hostname from the hostlist, and query its
> vms "power" status)

A good idea.

> > }
> >
> > case "getconfignames" {
> > print "hostlist\nip\nusername\npassword\n";
> > $ret = 0;
> > }
> >
> > case "getinfo-devid" {
> > print "VMware vCenter STONITH device\n";
> > $ret = 0;
> > }
> >
> > case "getinfo-devname" {
> > print "VMware vCenter STONITH device\n";
> > $ret = 0;
> > }
> >
> > case "getinfo-devdescr" {
> > print "VMWare vCenter STONITH device\n";
> > $ret = 0;
> > }
> >
> > case "getinfo-devurl" {
> > print "http://www.vmware.com/\n";
> > $ret = 0;
> > }
> >
> > case "getinfo-xml" {
> > print "<parameters>
> > <parameter name=\"hostlist\" unique=\"1\">
>
> Did you know:
> print q{blafoo <lala/> x="unquoted double quotes" possible here.};
> (mind the difference between q{} and qq{};
> also, there are "HERE" documents in perl as well...)
>
> If there are two ways to express something,
> I tend to use the one with less line noise,
> so I'd try to avoid all those \"\"
>
> (btw, I did not validate the xml).
>
> print q{<parameters>
> <parameter name="hostlist" unique="1">
>
> Is it unique? Why?
> I think it would be legit to be able to stonith the same hosts
> from more than one instance of stonith plugins.
>
> <content type="string"/>
> <shortdesc lang="en">hostlist</shortdesc>
> <longdesc lang="en">
> The list of hosts that the VMware vCenter STONITH device controls.
> Format is "hostname1=VirtualMachineName1;hostname2=VirtualMachineName2"
>
> No whitespace allowed.
> hostname is supposed to be "uname -n", which is what is passed
> in as STONITH victim on the command line.
>
> [if I understood correctly]
>
> </longdesc>
> </parameter>
> <parameter name="ip" unique="1">
>
> Again, why would that be unique?
> Same for parameters below.
>
> <content type="string"/>
> <shortdesc lang="en">ip</shortdesc>
> <longdesc lang="en">
> The VMware vCenter IP address
> </longdesc>
> </parameter>
> <parameter name="username" unique="1">
> <content type="string"/>
> <shortdesc lang="en">username</shortdesc>
> <longdesc lang="en">
> The username to access VMware vCenter
> </longdesc>
> </parameter>
> <parameter name="password" unique="1">
> <content type="string"/>
> <shortdesc lang="en">password</shortdesc>
> <longdesc lang="en">
> The password to access VMware vCenter
>
> You probably want to mention that it would be a good idea to
> secure all pacemaker communication paths against the potential
> of sniffing, and lock down the permissions on any location that
> could end up containing copies of the cib in either xml or plain
> text, or risk funny DoS attacks ;-)
> Then again, maybe that is obvious.
>
> That's a problem for all STONITH devices, though, unless they
> somehow stored their credentials somewhere else.
>
> I think there is some bugzilla on that issue (protecting
> sensitive information in the cib from appearing in logs,
> or rather keep them out of the cib completely).
>
> Dejan?

Yes, there is going to be a way to move parts of CIB to local
files.

> </longdesc>
> </parameter>
> </parameters>
> };
>
> > $ret = 0;
> > }
> >
> > else {
> > $ret = 1;
> > }
> >
> > }
> >
> > exit($ret);
>
> Enough for today.
>
> Thank you for this contribution.
>
> If we now can have a few other "Reviewed-by:" or "Tested-by:" signatures,
> that would be great.

The latter in particular :)

Cheers,

Dejan


STONITH plugin for VMware vCenter
Hi,

> I don't know too much about vCenter, I'll assume that the interactions
> with it are "correct", whatever that means.
As Dejan stated after, there is still something that has to be fixed: if
a VM is off, the reset won't work. I'll fix this.

As you probably noticed :), the code has not been revised, this is
mainly why there are so unclean and redundant sections. BTW I do not
want to hide my perl ignorance! Many tricky statements (e.g. the use of defined)
are mainly a result of a debugging phase not well cleaned up.

> > use Switch;
>
> I don't like that Switch.pm thingy ;-)
> But never mind...
Yes, it sounded a little bit tricky to me, but... you know... I thought it was
perl-addicted stuff... It seems that I was wrong :)

> > my $command = $ARGV[0];
> > my $targetHost;
> > if ( defined $ARGV[1] ) {
> > $targetHost = $ARGV[1];
> > }
>
> The end result of this is still the same as just writing
> my $targetHost = $ARGV[1];
Absolutely yes.

> > if (defined($ENV{'ip'})) {
>
> If you mean to test for existence of hash elements, please always use
> "exists". The above will create an empty but from now on exported 'ip'
> variable into the environment.
> You likely want to say
>
> if (exists $ENV{ip}) {
>
> (and yes, you can give it more line noise,
> if you feel more comfortable that way)
>
> If you actually want to say "if defined",
> then you could also just do away with the if,
> and assign directly.
>
> > $ENV{'VI_PORTNUMBER'} = 443;
> > $ENV{'VI_PROTOCOL'} = "https";
> > $ENV{'VI_SERVER'} = $ENV{'ip'};
>
>
> Why would you only override VI_PORTNUMBER and VI_PROTOCOL
> if the ip is defined?
VI_PORTNUMBER and VI_PROTOCOL are optional parameters but they're
needed when "ip" is set.

It doesn't make any difference.

> Why would you want to have your own "ip" environment,
> and not expose VI_SERVER directly?
> > if (defined($ENV{'username'})) {
> > $ENV{'VI_USERNAME'} = $ENV{'username'};
> > $ENV{'VI_PASSWORD'} = $ENV{'password'};
> > Opts::parse();
> > Opts::validate();
> > } else {
> > Opts::parse();
>
> No validate here? Why not?

I understand that there are better ways to do it.

validate() triggers interactive authentication if VI_USERNAME/VI_PASSWORD
are not set and this should be avoided (the script should be also callable
without parameters)

I should add remarks on that.

> >
> > my $ret = 255;
> > my $hosts = {};
> > my $realTarget;
> >
> > if ( defined $ENV{'hostlist'} ) {
> > my @lines;
> > my $line;
> > @lines = split(/;/, $ENV{'hostlist'});
> > foreach $line (@lines) {
> > my @config = split(/=/, $line);
> > $hosts->{$config[0]} = $config[1];
> > }
> > if (defined $targetHost) { $realTarget = $hosts->{$targetHost}; }
> > }
>
> Please add a comment what this is supposed to do, and why.
> Not what it does, that's clear ;-)
>
> Also: clearly document that no whitespace is allowed, nowhere,
> and hostname=VMNAME; is a hard requirement, even if hostname and VMNAME
> should match.
> Or change the code to allow that special case to be written as just
> "hostname;" in the hostlist.
>
> Since you later do the reverse mapping in nested loops,
> how about constructing both forward and backward mapping hashes here?
> %host_to_vm = ();
> %vm_to_host = ();
> ...
Yes, those mapping hashes would be better

> > sub getvms {
> > Util::connect();
> > my $regex = "";
> > for (keys %$hosts) {
> > if (length($regex) > 0) { $regex .= "|"; }
> > $regex .= $hosts->{$_};
> > }
> > my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { 'name' => qr/^($regex)/ });
>
> I'm not sure if you really mean what you wrote there.
>
> My guess would be that you actually meant to say
> my $regex = join "|", map { qr/\Q$_\E/ } values %$hosts;
> my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { 'name' => qr/^($regex)$/i });
>
> What's the difference?
> So it is written differently.
> So what. You can also write that as a for (keys ...) {} no problem.
>
> Then, it does a case insensitive match (I'm not sure, but I assume
> VMNAME is supposed to be matched case insensitive?)
>
> It does not omit the trailing $,
> so VMNAM would not match both VMNAM and VMNAME ;-)
>
> Most importantly, it \Q-ot-\E-s the VMNAMEs, so VM.NA.ME won't match
> VMxNAyME, but only VM.NA.ME.
>
Yes, this includes also regex escapes, it should be better. However I'm
not sure about case insensitive matching, I would prefer leaving it so.
The missing trailing $ is something that was left behind during the
evolution of the code (at the beginning my VMs were named with the same
prefix and with a number suffix).

> > Util::disconnect();
> > return $vms;
> > }
> >
> > switch ($command) {
> > case "reset" {
>
> Bah. Did I mention that I dislike switch statements in Perl?
> Ah, never you mind ;)
C'mon I come from C...

> > Util::connect();
> > my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
>
> Unless this filter thing has a special mode where it internally does a
> "$x eq $y" for scalars and "$x =~ $y" for explicitly designated qr//
> Regexp objects, I'd suggest to here also do
> filter => { name => qr/^\Q$realTarget\E$/i }
I agree with you, except that I don't have anything about that from the (poor)
official VMware perl documentation (see regular expression vs plain queries).
I'll test it.

> > my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
>
> What is the hostname used for, now?
>
> > $vm->ResetVM();
>
> Hm. Apparently the filter thingy did something different,
> the return value seems to be a reference to some "manageable" VM object,
> previously it was supposed to be a reference to an array of such objects?
This is something that disagrees with the VMware documentation. The
suggested method is:

$vm->ResetVM(host => $hostname);

Sadly, it doesn't work. However if I call Vim::get_view with the
HostSystem manageable VM object before ResetVM, it works, but I have to strip off
"host" from the parameters. In vCenter, reset/off/on can be issued only if the
HostSystem is made explicit. Here's how.

> > Util::disconnect();
>
> Do the Util::connect(), disconnect() once, not within each case.
Yes, I agree with you. Since there are commands that are executed without environment
variables (e.g. getconfignames), we cannot issue validate, connect and disconnect. It
is better to write two code sections (with and without connection).

> I suggest doing
>     Util::connect();
>     eval {
>         ...
>     };
>     if ($@) {
>         my $error = $@;
>
>         # log the error in a suitable way
>
>         ...
>         $ret = 1; # or 255, or 42 or whatever feels "right".
>     } else {
>         $ret = 0;
>     }
>     Util::disconnect();
I think that this should be done in any case.

> > $ret = 0;
> > }
> >
> > case "off" {
> > Util::connect();
> > my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
> > my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
>
> Again, useless (?) use of $hostname.
>
> > $vm->PowerOffVM();
> > Util::disconnect();
> > $ret = 0;
> > }
> >
> > case "on" {
> > Util::connect();
> > my $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => $realTarget });
> > my $hostname = Vim::get_view(mo_ref => $vm->{"runtime"}->{"host"})->name;
> > $vm->PowerOnVM();
> > Util::disconnect();
> > $ret = 0;
> > }
> >
> > case "gethosts" {
> > my $vms = getvms();
> > foreach my $vm (@$vms) {
> > while (my ($k, $v) = each %$hosts) {
> > if ($vm->name eq $v) {
> > print $k . "\n";
> > }
> > }
> > }
>
> I'd always write "$k\n" instead of $k . "\n";
> I'd use the previously created vm_to_host hash.
>
> So that would become
> foreach my $vm (@$vms) { print "$vm_to_host{$vm->name}\n" };
>
>
> > $ret = 0;
> > }
> >
> > case "status" {
> > $ret = system("ping -c1 $ENV{'ip'}");
> > #Util::connect();
> > #Util::disconnect();
> > #$ret = 0;
>
> Hm.
> I'd like some sort of "no-op" that actually exercises the
> connection to the "VM manager" level, instead of pinging some ip,
> which may even be misspelled accidentally (10.0.0.23 instead of
> 10.0.0.32 ;-)
>
> So rather actually do an Util::connect(), do something with the Vim::
> blahfoo (e.g. choose a random hostname from the hostlist, and query its
> vms "power" status)
Yes, I agree. I came up to use this because I've seen something similar in
external/vmware.

> > case "getinfo-xml" {
> > print "<parameters>
> > <parameter name=\"hostlist\" unique=\"1\">
>
> Did you know:
> print q{blafoo <lala/> x="unquoted double quotes" possible here.};
> (mind the difference between q{} and qq{};
> also, there are "HERE" documents in perl as well...)
I want to continue feeling the pain of backslashes :)

> If there are two ways to express something,
> I tend to use the one with less line noise,
> so I'd try to avoid all those \"\"
>
> (btw, I did not validate the xml).
I did.

> print q{<parameters>
> <parameter name="hostlist" unique="1">
>
> Is it unique? Why?
> I think it would be legit to be able to stonith the same hosts
> from more than one instance of stonith plugins.
I used it with clone, but maybe I didn't catch the meaning of unique.

> <content type="string"/>
> <shortdesc lang="en">hostlist</shortdesc>
> <longdesc lang="en">
> The list of hosts that the VMware vCenter STONITH device controls.
> Format is "hostname1=VirtualMachineName1;hostname2=VirtualMachineName2"
>
> No whitespace allowed.
> hostname is supposed to be "uname -n", which is what is passed
> in as STONITH victim on the command line.
>
> [if I understood correctly]
Yes, no whitespaces.

> </longdesc>
> </parameter>
> <parameter name="ip" unique="1">
>
> Again, why would that be unique?
> Same for parameters below.
>
> <content type="string"/>
> <shortdesc lang="en">ip</shortdesc>
> <longdesc lang="en">
> The VMware vCenter IP address
> </longdesc>
> </parameter>
> <parameter name="username" unique="1">
> <content type="string"/>
> <shortdesc lang="en">username</shortdesc>
> <longdesc lang="en">
> The username to access VMware vCenter
> </longdesc>
> </parameter>
> <parameter name="password" unique="1">
> <content type="string"/>
> <shortdesc lang="en">password</shortdesc>
> <longdesc lang="en">
> The password to access VMware vCenter
>
> You probably want to mention that it would be a good idea to
> secure all pacemaker communication paths against the potential
> of sniffing, and lock down the permissions on any location that
> could end up containing copies of the cib in either xml or plain
> text, or risk funny DoS attacks ;-)
> Then again, maybe that is obvious.
>
> That's a problem for all STONITH devices, though, unless they
> somehow stored their credentials somewhere else.
>
> I think there is some bugzilla on that issue (protecting
> sensitive information in the cib from appearing in logs,
> or rather keep them out of the cib completely).
>
> Dejan?
VMware perl library allows to use a .vimrc file in the user home, I wanted to use that
one but finally I preferred explicit configuration, even if less secure (of course,
I've also assessed the security of the cluster network), because the corosync init
script that launches pacemaker is run as root but doesn't have $HOME set.

Thank you very much for the revision.

Nhan


_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
Re: STONITH plugin for VMware vCenter [ In reply to ]
On Tue, Apr 05, 2011 at 06:27:19PM +0200, Nhan Ngo Dinh wrote:
> VMware perl library allows to use a .vimrc file in the user home,

Ouch.

I guess they all use emacs, then.
Or notepad ;-)

--
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com
Re: STONITH plugin for VMware vCenter [ In reply to ]
Sorry, I was confusing :)
.visdkrc

In the attached external/vcenter I've hopefully merged all the hints.
Dejan, I've also considered your notes.

Just few comments:

1) you proposed:

my $regex = join "|" map { qr/\Q$_\E/ } values %$hosts;
my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter

But I didn't succeed to make it working, instead I had to replace it
with:

my $regex = join "|" map { qr/\Q$_\E/i } values %$hosts;
my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter

Is it right?

2) I've performed an lc on the keys of the virtual machine hash and on
whatever needed to make it working with VMware case insensitive virtual
machine matching

3) I've used VMware credstore to improve security by using the
VI_CREDSTORE parameter.

4) I've managed runtime.powerState to prevent from doing anything when a
cluster node is suspended

5) I've added RESETPOWERON to control whether or not sending a PowerOnVM
when the node is found off on reset. This is also needed because,
differently from what specified on the docs, ResetVM on a closed virtual
machine gives out an exception. However, may be that cluster admins
would like to have the opportunity to shut down nodes and to prevent crm
from making them on again (of course they can rename VMs, but... you
know).

6) To make everyone happier, I did not change to given/when :)

I've tested it again in a 2-node cluster, crm stonith configuration is:

===
primitive vfencing stonith:external/vcenter \
params VI_SERVER="10.1.1.1" VI_CREDSTORE="/etc/vicredentials.xml" \
HOSTLIST="vm1;vm2" RESETPOWERON="1" \
op monitor interval="60s"
clone Fencing vfencing
===

Best regards,

Re: STONITH plugin for VMware vCenter [ In reply to ]
To help people testing it, here is what to do in each cluster node.
You can test it with ESX/ESXi or vCenter: it should work in both cases.

1) install VMware vSphere CLI, which includes Perl SDK and
administrative tools for generating the credentials XML file:
http://www.vmware.com/download/download.do?downloadGroup=VCLI41 ,

2) put vcenter script attached previously
in /usr/lib/stonith/plugins/external/ or wherever the external stonith
plugins are.

3) create the credentials file with credstore_admin.pl:

/usr/lib/vmware-vcli/apps/general/credstore_admin.pl -s 10.1.1.1 \
-u myuser -p mypass

This should create $HOME/.vmware/credstore/vicredentials.xml . I suggest
to copy it at least to /etc

cp -p $HOME/.vmware/credstore/vicredentials.xml /etc

4) do the very first testing:

VI_SERVER=10.1.1.1 VI_CREDSTORE=/etc/vicredentials.xml \
HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
RESETPOWERON=0 /usr/lib/stonith/plugins/external/vcenter gethosts

If everything works correctly you should get:

hostname1
hostname2

You can even test "reset", "off" and "on" commands, to test (carefully!)
the full chain. E.g.

VI_SERVER=10.1.1.1 VI_CREDSTORE=/etc/vicredentials.xml \
HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
RESETPOWERON=0 /usr/lib/stonith/plugins/external/vcenter reset hostname2

5) test if stonith can see the script:

stonith -t external/vcenter -n

6) configure crm. In a 2-node configuration, with no previous stonith
entry and with stonith-enabled set to false:

crm configure primitive vfencing stonith::external/vcenter params \
VI_SERVER="10.1.1.1" VI_CREDSTORE="/etc/vicredentials.xml" \
HOSTLIST="hostname1=vmname1;hostname2=vmname2" RESETPOWERON="0" \
op monitor interval="60s"

crm configure clone Fencing vfencing

crm configure property stonith-enabled="true"

===
I've tested it with VMware vCenter 4.1, the cluster is a 2-node cluster
based on Debian 6.0 "Squeeze" with distribution clustering stack:
CoroSync 1.2.1 / Pacemaker 1.0.9.1 . Cluster nodes are on different ESXi
4.1 servers.

Nhan
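
Step 3 above copies the credential store to /etc with cp -p, and the review earlier in this thread asks for any location holding the vCenter credentials to be locked down. The following check is an added example, not part of the posted plugin; check_credstore and the expectation that root (uid 0) owns the file are assumptions, and the temporary file is constructed so the example runs anywhere.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Inspect the file that VI_CREDSTORE points to.
# Returns a list of problems; an empty list means the file looks acceptable.
# $want_uid is the uid expected to own the file (assumption: 0, because the
# cluster stack, and therefore the plugin, runs as root).
sub check_credstore {
    my ($path, $want_uid) = @_;
    $want_uid = 0 unless defined $want_uid;

    # lstat, not stat: a symbolic link must be reported, not followed.
    my @st = lstat($path) or return ("$path: cannot stat: $!");
    my ($mode, $uid) = @st[2, 4];

    return ("$path: is a symbolic link") if S_ISLNK($mode);

    my @problems;
    push @problems, "$path: not a regular file" unless S_ISREG($mode);
    push @problems, sprintf("%s: owned by uid %d, expected %d",
                            $path, $uid, $want_uid)
        if $uid != $want_uid;
    push @problems, sprintf("%s: mode %04o grants access to group or others",
                            $path, S_IMODE($mode))
        if S_IMODE($mode) & 0077;
    return @problems;
}

# Constructed stand-in for /etc/vicredentials.xml, owned by the current user.
my ($fh, $file) = tempfile('vicredentials-XXXX', TMPDIR => 1, UNLINK => 1);
print {$fh} "<constructed-placeholder/>\n";
close $fh;

for my $mode (0644, 0600) {
    chmod $mode, $file or die "chmod: $!";
    # $> is the effective uid, so the ownership test passes in this demo.
    my @problems = check_credstore($file, $>);
    printf "%04o: %s\n", $mode, @problems ? join('; ', @problems) : 'ok';
}
```

On a cluster node the call would be check_credstore($ENV{VI_CREDSTORE}), run on every node that hosts a clone of the stonith resource.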
Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Thu, Apr 07, 2011 at 10:36:11AM +0200, Nhan Ngo Dinh wrote:
> To help people testing it, here is what to do in each cluster node.
> You can test it with ESX/ESXi or vCenter: it should work in both cases.
>
> 1) install VMware vSphere CLI, which includes Perl SDK and
> administrative tools for generating the credentials XML file:
> http://www.vmware.com/download/download.do?downloadGroup=VCLI41 ,
>
> 2) put vcenter script attached previously
> in /usr/lib/stonith/plugins/external/ or wherever the external stonith
> plugins are.
>
> 3) create the credentials file with credstore_admin.pl:
>
> /usr/lib/vmware-vcli/apps/general/credstore_admin.pl -s 10.1.1.1 -u
> myuser -p mypass
>
> This should create $HOME/.vmware/credstore/vicredentials.xml . I suggest
> to copy it at least to /etc
>
> cp -p $HOME/.vmware/credstore/vicredentials.xml /etc
>
> 4) do the very first testing:
>
> VI_SERVER=10.1.1.1 VI_CREDSTORE=/etc/vicredentials.xml
> HOSTLIST="hostname1=vmname1;hostname2=vmname2"
> RESETPOWERON=0 /usr/lib/stonith/plugins/external/vcenter gethosts
>
> If everything works correctly you should get:
>
> hostname1
> hostname2
>
> You can even test "reset", "off" and "on" commands, to test (carefully!)
> the full chain. E.g.
>
> VI_SERVER=10.1.1.1 VI_CREDSTORE=/etc/vicredentials.xml
> HOSTLIST="hostname1=vmname1;hostname2=vmname2"
> RESETPOWERON=0 /usr/lib/stonith/plugins/external/vcenter reset hostname2
>
> 5) test if stonith can see the script:
>
> stonith -t external/vcenter -n
>
> 6) configure crm. In a 2-node configuration, with no previous stonith
> entry and with stonith-enabled set to false:
>
> crm configure primitive vfencing stonith::external/vcenter params
> VI_SERVER="10.1.1.1" VI_CREDSTORE="/etc/vicredentials.xml"
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" RESETPOWERON="0" op
> monitor interval="60s"
>
> crm configure clone Fencing vfencing
>
> crm configure property stonith-enabled="true"
>
> ===
> I've tested it with VMware vCenter 4.1, the cluster is a 2-node cluster
> based on Debian 6.0 "Squeeze" with distribution clustering stack:
> CoroSync 1.2.1 / Pacemaker 1.0.9.1 . Cluster nodes are on different ESXi
> 4.1 servers.

You could actually reformat this slightly and we add that as
README.vcenter to the repository.

Cheers,

Dejan

> Nhan
>
>

Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

please find it attached.
Best regards,
Nhan

Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Thu, Apr 07, 2011 at 01:54:59PM +0200, Nhan Ngo Dinh wrote:
> Hi,
>
> please find it attached.

Great!

A few notes below.

> Best regards,
> Nhan
>
> VMware vCenter/ESX STONITH Module
> =================================
>
> 1. Intro
> --------
>
> VMware vCenter/ESX STONITH Module is intended to provide STONITH support to
> clusters in VMware Virtual Infrastructures. It is able to deal with virtual
> machines running on physically different HostSystems (e.g. ESX/ESXi) by using
> VMware vSphere Web Services SDK http://www.vmware.com/support/developer/vc-sdk/
> and connecting directly on each HostSystem or through a VMware vCenter: in this
> last case the module locates the specified virtual machine in the Virtual
> Infrastructure and performs actions required by cluster policies.
>
> 2. Software requirements
> ------------------------
>
> VMware vSphere CLI, which includes both CLI tools and Perl SDK
> http://www.vmware.com/support/developer/vcli/ . The plugin has been tested with
> version 4.1 http://www.vmware.com/download/download.do?downloadGroup=VCLI41
>
>
> 3. vCenter/ESX authentication settings
> --------------------------------------
>
> Create the credentials file with credstore_admin.pl:
>
> /usr/lib/vmware-vcli/apps/general/credstore_admin.pl \
> -s 10.1.1.1 -u myuser -p mypass
>
> This should create $HOME/.vmware/credstore/vicredentials.xml
> Copy it to a system folder, e.g. /etc
>
> cp -p $HOME/.vmware/credstore/vicredentials.xml /etc
>
>
> 4. Testing
> ----------
>
> The plugin can be invoked directly to perform a very first connection test
> (replace all the provided sample values):
>
> VI_SERVER=10.1.1.1 \
> VI_CREDSTORE=/etc/vicredentials.xml \
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
> RESETPOWERON=0 \
> /usr/lib/stonith/plugins/external/vcenter gethosts

This is not the right way to test manually. Best to use
stonith(8):

stonith -t external/vcenter VI_SERVER=10.1.1.1 \
VI_CREDSTORE=/etc/vicredentials.xml \
HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
RESETPOWERON=0 -lS

or

# export VI_SERVER=10.1.1.1 \
VI_CREDSTORE=/etc/vicredentials.xml \
HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
RESETPOWERON=0
# stonith -t external/vcenter -E -lS

Another thing, there's an external program ha_log.sh, guaranteed
to be in the path, which can be used for logging. Though I can't
recall seeing any logging in the plugin, perhaps you should do
some. If you use stonith(8) it will print log messages to
stdout/stderr.

> If everything works correctly you should get:
>
> hostname1
> hostname2
>
> When invoked in this way, the plugin connects to VI_SERVER, authenticates with
> credentials stored in VI_CREDSTORE and tries to retrieve the list of virtual
> machines (case insensitive) matching vmname1 and vmname2 (and any other listed).
> When finished, it reports the list back by mapping virtual machine names to
> hostnames as provided in HOSTLIST. If you see the full list of hostnames as a
> result, then everything is going well. If otherwise you are having a partial or
> empty list, you have to check parameters.
>
> You can even test "reset", "off" and "on" commands, to test (carefully!) the
> full chain. E.g.
>
> VI_SERVER=10.1.1.1 \
> VI_CREDSTORE=/etc/vicredentials.xml \
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
> RESETPOWERON=0 \
> /usr/lib/stonith/plugins/external/vcenter reset hostname2

Ditto, use stonith ... -T reset/on/off node

> In the above examples the referring infrastructure is a vCenter with several
> ESXi nodes. Server IP and credentials are referred to vCenter.
>
> 5. CRM configuration
> --------------------
>
> The following is a sample procedure to setup STONITH for an HA 2-node cluster
> (replace all the provided sample values):
>
> crm configure primitive vfencing stonith::external/vcenter params \
> VI_SERVER="10.1.1.1" VI_CREDSTORE="/etc/vicredentials.xml" \
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" RESETPOWERON="0" \
> op monitor interval="60s"
>
> crm configure clone Fencing vfencing
>
> crm configure property stonith-enabled="true"

BTW, didn't notice this earlier, could you make parameters lower
case. All or at least most other stonith plugins use lower case
parameter names.

Cheers,

Dejan

Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Thu, 2011-04-07 at 15:35 +0200, Dejan Muhamedagic wrote:
> > 4. Testing
> > ----------
> >
> > The plugin can be invoked directly to perform a very first connection test
> > (replace all the provided sample values):
> >
> > VI_SERVER=10.1.1.1 \
> > VI_CREDSTORE=/etc/vicredentials.xml \
> > HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
> > RESETPOWERON=0 \
> > /usr/lib/stonith/plugins/external/vcenter gethosts
>
> This is not the right way to test manually. Best to use
> stonith(8):
>
> stonith -t external/vcenter VI_SERVER=10.1.1.1 \
> VI_CREDSTORE=/etc/vicredentials.xml \
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
> RESETPOWERON=0 -lS
>
> or
>
> # export VI_SERVER=10.1.1.1 \
> VI_CREDSTORE=/etc/vicredentials.xml \
> HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
> RESETPOWERON=0
> # stonith -t external/vcenter -E -lS

This is definitely better, I'll update README (see attached).

> Another thing, there's an external program ha_log.sh, guaranteed
> to be in the path, which can be used for logging. Though I can't
> recall seeing any logging in the plugin, perhaps you should do
> some. If you use stonith(8) it will print log messages to
> stdout/stderr.

I saw that any stonith stdout/stderr is logged as well, perhaps this is
because of my corosync settings... I'll take a look to this.

> > VI_SERVER=10.1.1.1 \
> > VI_CREDSTORE=/etc/vicredentials.xml \
> > HOSTLIST="hostname1=vmname1;hostname2=vmname2" \
> > RESETPOWERON=0 \
> > /usr/lib/stonith/plugins/external/vcenter reset hostname2
>
> Ditto, use stonith ... -T reset/on/off node

Updated as well.

> BTW, didn't notice this earlier, could you make parameters lower
> case. All or at least most other stonith plugins use lower case
> parameter names.

I've used some of the vSphere Perl SDK environment variables as
pass-through (as also Lars suggested), that's the reason of using
uppercase parameter names. HOSTLIST and RESETPOWERON are uppercase too
essentially to be similar to VI_* tokens. I can put them lowercase but I
think that mixing cases can be confusing somehow. On the other hand I
can map vi_* to VI_*, but it sounds to me a little bit tricky especially
because I would like to leave the possibility to include more parameters
than the ones listed as far as they'll become available in the vSphere
Perl SDK (may be there are some others right now): I feel that a case
converter may be annoying...

Nhan
Re: STONITH plugin for VMware vCenter [ In reply to ]
Logging added
Regards,
Nhan
Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Fri, Apr 08, 2011 at 11:38:23AM +0200, Nhan Ngo Dinh wrote:
> Logging added

Many thanks. Please see below for a few more comments, mainly
about the meta-data.

Lars, any more comments from you?

Cheers,

Dejan

> Regards,
> Nhan

> #!/usr/bin/perl
> #
> # External STONITH module for VMWare vCenter/ESX
> #
> # Author: Nhan Ngo Dinh
> # License: GNU General Public License (GPL)
> #
>
> require 5.010;
>
> use strict;
> use warnings;
> use VMware::VIRuntime;
>
> sub dielog {
> my $msg = "[";
> $msg .= "$ARGV[0]" if defined($ARGV[0]);
> $msg .= " $ARGV[1]" if defined($ARGV[1]);
> $msg .= "]";
> ( $_ ) = @_;
> $msg .= " $_";
> system("ha_log.sh", "err", "$msg");
> die();
> }
>
> # Define command groups
> my @configCommands = qw{getconfignames getinfo-devid getinfo-devname getinfo-devdescr getinfo-devurl getinfo-xml};
> my @actionCommands = qw{reset on off};
> my @netCommands = (@actionCommands, qw{status gethosts});
>
> # Process command line arguments
> my $command = $ARGV[0] || dielog("No command specified\n");
>
> # Command belongs to the group of commands that do not require any connection to VMware vCenter
> if ($command ~~ @configCommands) {
> if ($command eq "getconfignames") {
> print "VI_SERVER\nVI_PORTNUMBER\nVI_PROTOCOL\nVI_SERVICEPATH\nVI_CREDSTORE\nHOSTLIST\nRESETPOWERON\n";
> }
> elsif ($command eq "getinfo-devid") {
> print "VMware vCenter STONITH device\n";
> }
> elsif ($command eq "getinfo-devname") {
> print "VMware vCenter STONITH device\n";
> }
> elsif ($command eq "getinfo-devdescr") {
> print "VMWare vCenter STONITH device\n";
> }
> elsif ($command eq "getinfo-devurl") {
> print "http://www.vmware.com/\n";
> }
> elsif ($command eq "getinfo-xml") {
> print q{<parameters>
> <parameter name="HOSTLIST" required="1">
> <content type="string"/>
> <shortdesc lang="en">List of hosts and virtual machines (required)</shortdesc>
> <longdesc lang="en">
> The list of hosts that the VMware vCenter STONITH device controls.
> Syntax is:
> hostname1[=VirtualMachineName1];hostname2[=VirtualMachineName2]
>
> NOTE: omit =VirtualMachineName if hostname and virtual machine names are identical
>
> Example:
> cluster1=VMCL1;cluster2=VMCL2
> </longdesc>
> </parameter>
> <parameter name="VI_SERVER">
> <content type="string"/>
> <shortdesc lang="en">VMware vCenter address</shortdesc>
> <longdesc lang="en">
> The VMware vCenter address (default: localhost)

The defaults should go into the content element (see other
stonith plugins, e.g. external/ipmi).

> </longdesc>
> </parameter>
> <parameter name="VI_PROTOCOL">
> <content type="string"/>
> <shortdesc lang="en">VMware vCenter protocol</shortdesc>
> <longdesc lang="en">
> The VMware vCenter protocol (default: https)
> </longdesc>
> </parameter>
> <parameter name="VI_PORTNUMBER">
> <content type="string"/>
> <shortdesc lang="en">VMware vCenter port number</shortdesc>
> <longdesc lang="en">
> The VMware vCenter port number (default: 443)
> </longdesc>
> </parameter>
> <parameter name="VI_SERVICEPATH">
> <content type="string"/>
> <shortdesc lang="en">VMware vCenter service path</shortdesc>
> <longdesc lang="en">
> The VMware vCenter services path (default: /sdk)
> </longdesc>
> </parameter>
> <parameter name="VI_CREDSTORE" required="1">
> <content type="string"/>
> <shortdesc lang="en">VMware vCenter credentials store file</shortdesc>
> <longdesc lang="en">
> VMware vCenter credentials store file
> </longdesc>
> </parameter>
> <parameter name="RESETPOWERON">
> <content type="string"/>
> <shortdesc lang="en">PowerOnVM on reset</shortdesc>
> <longdesc lang="en">
> Enable/disable a PowerOnVM on reset when the target virtual machine is off
> Allowed values: 0, 1

This should default to 1. For better or worse, that's what
stonith prescribes and other plugins adhere to.

> </longdesc>
> </parameter>
> </parameters>} . "\n";
> }
> else { dielog("Invalid command specified: $command\n"); }
> }
>
> # Command belongs to the group of commands that require connecting to VMware vCenter
> elsif ($command ~~ @netCommands) {
>
> # A valid VI_CREDSTORE is required to avoid interactive prompt
> ( exists $ENV{'VI_CREDSTORE'} ) || dielog("VI_CREDSTORE not specified\n");
>
> # HOSTLIST is mandatory
> exists $ENV{'HOSTLIST'} || dielog("HOSTLIST not specified\n");
>
> # Parse HOSTLIST to %host_to_vm and %vm_to_host
> my @hostlist = split(';', $ENV{'HOSTLIST'});
> my %host_to_vm = ();
> my %vm_to_host = ();
> foreach my $host (@hostlist) {
> my @config = split(/=/, $host);
> my $key = $config[0]; my $value = $config[1];
> if (!defined($value)) { $value = $config[0]; }
> $host_to_vm{$key} = $value;
> $vm_to_host{(lc $value)} = $key;
> }
>
> eval {
> # VI API: reads options from the environment variables into appropriate data structures for validation.
> Opts::parse();
> # VI API: ensures that input values from environment variable are complete, consistent and valid.
> Opts::validate();
> # VI API: establishes a session with the VirtualCenter Management Server or ESX Server Web service
> Util::connect();
> };
> if ($@) {
> # This is just a placeholder for any error handling procedure
> dielog($@);
> }
>
> # Command belongs to the group of commands that performs actions on Virtual Machines
> if ($command ~~ @actionCommands) {
>
> my $targetHost = $ARGV[1] || dielog("No target specified\n");
>
> # Require that specified target host exists in the specified HOSTLIST
> if (exists $host_to_vm{$targetHost}) {
>
> my $vm;
> my $esx;
> eval {
> # VI API: searches the inventory tree for a VirtualMachine managed entity whose name matches
> # the name of the virtual machine assigned to the target host in HOSTLIST
> $vm = Vim::find_entity_view(view_type => "VirtualMachine", filter => { name => qr/\Q$host_to_vm{$targetHost}\E/i });
>
> # VI API: retrieves the properties of the managed object reference runtime.host of the VirtualMachine
> # managed entity obtained by the previous command
> # NOTE: This is essentially a workaround to vSphere Perl SDK
> # to allow pointing to the right HostSystem. This is probably
> # done by changing the current HostSystem in the Web Service
> # session context. WARNING: Do not use the same session for any
> # other concurrent operation.
> $esx = Vim::get_view(mo_ref => $vm->{"runtime"}{"host"})->name;
> };
> if ($@) {
> if (ref($@) eq "SoapFault") { dielog("$@->detail\n"); }
> }
>
> my $powerState = $vm->get_property('runtime.powerState')->val;
> if ($powerState eq "suspended") {
> # This implementation assumes that suspending a cluster node can cause
> # severe failures on shared resources, thus any failover operation should
> # be blocked.
> dielog("Machine is in a suspended state\n");
> }
>
> eval {
> if ($command eq "reset") {
> if ($powerState eq "poweredOn") {
> $vm->ResetVM();
> system("ha_log.sh", "info", "Machine $esx:$vm->{'name'} has been reset");
> } else {
> system("ha_log.sh", "warn", "Tried to ResetVM $esx:$vm->{'name'} that was $powerState");
> # Start a virtual machine on reset only if explicitly allowed by RESETPOWERON
> if ($powerState eq "poweredOff" && exists $ENV{'RESETPOWERON'} && $ENV{'RESETPOWERON'} eq 1) {
> $vm->PowerOnVM();
> system("ha_log.sh", "info", "Machine $esx:$vm->{'name'} has been powered on");
> }
> }
> }
> elsif ($command eq "off") {
> if ($powerState eq "poweredOn") {
> $vm->PowerOffVM();
> system("ha_log.sh", "info", "Machine $esx:$vm->{'name'} has been powered off");
> } else {
> system("ha_log.sh", "warn", "Tried to PowerOffVM $esx:$vm->{'name'} that was $powerState");
>
> }
> }
> elsif ($command eq "on") {
> if ($powerState eq "poweredOff") {
> $vm->PowerOnVM();
> system("ha_log.sh", "info", "Machine $esx:$vm->{'name'} has been powered on");
> } else {
> system("ha_log.sh", "warn", "Tried to PowerOnVM $esx:$vm->{'name'} that was $powerState");
> }
> }
> else { dielog("Invalid command specified: $command\n"); }
> };
> if ($@) {
> if (ref($@) eq "SoapFault") { dielog("$@->detail\n"); }
> }
>
> } else { dielog("Invalid target specified\n"); }
> } else {
> # Command belongs to the group of commands that lookup the status of VMware vCenter and/or virtual machines
> if ($command eq "status") {
> eval {
> # VI API: Searches the inventory tree for all VirtualMachine managed objects
> my $vms = Vim::find_entity_views(view_type => "VirtualMachine");
> };
> if ($@) {
> if (ref($@) eq "SoapFault") { dielog("$@->detail\n"); }

Is this the only error which can happen? If not, then no error
will be logged in that case. Ditto for another occurrence below.

> }
> }
> elsif ($command eq "gethosts") {
> # Create a regular expression to make vCenter find all the virtual machine matching
> # mirtual machine names specified in HOSTLIST

# virtual ...

> # NOTE: this implementation make "gethosts" check that entries in HOSTLIST are consistent with VMware vCenter VM directory
> my $regex = join "|", map { qr/\Q$_\E/i } values %host_to_vm;
> eval {
> my $vms = Vim::find_entity_views(view_type => "VirtualMachine", filter => { name => qr/^($regex)$/ });
> foreach my $vm (@$vms) { print "$vm_to_host{(lc $vm->name)}\n" if exists $vm_to_host{(lc $vm->name)}; }
> };
> if ($@) {
> if (ref($@) eq "SoapFault") { dielog("$@->detail\n"); }
> }
> }
> else { dielog("Invalid command specified: $command\n"); }
> }
> eval {
> Util::disconnect();
> };
> if ($@) {
> # This is just a placeholder for any error handling procedure
> dielog($@);
> }
> }
> else { dielog("Invalid command specified: $command\n"); }
>
> exit(0);
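
In the script above, the reset/on/off path filters VM names with qr/\Q...\E/i and no anchors, while gethosts anchors its pattern with ^(...)$, and the reverse map is keyed on the lower-cased VM name. The following added example (not part of the posted plugin) shows what each pattern selects and refuses ambiguous targets; it assumes the SDK applies the filter as an ordinary regex match, and parse_hostlist, select_names, resolve_vm and the inventory are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse HOSTLIST ("host1[=VM1];host2[=VM2]", no whitespace) as the plugin's
# metadata documents it. Returns (\%host_to_vm, \@errors).
sub parse_hostlist {
    my ($hostlist) = @_;
    my (%host_to_vm, %vm_owner, @errors);
    return ({}, ['HOSTLIST is empty'])
        unless defined $hostlist && length $hostlist;
    push @errors, 'HOSTLIST contains whitespace' if $hostlist =~ /\s/;

    for my $entry (split /;/, $hostlist) {
        next unless length $entry;
        my ($host, $vm) = split /=/, $entry, 2;
        $vm = $host unless defined $vm && length $vm;  # "=VM" is optional
        my $folded = lc $vm;
        my $owner  = $vm_owner{$folded};

        if (!length $host) {
            push @errors, "entry '$entry' has no hostname";
        }
        elsif (exists $host_to_vm{$host}) {
            push @errors, "hostname '$host' is listed twice";
        }
        elsif (defined $owner) {
            # The plugin keys its reverse map on lc(VM name), so entries that
            # differ only in case would silently overwrite each other.
            push @errors, "VM '$vm' is already mapped to host '$owner'";
        }
        else {
            $host_to_vm{$host}  = $vm;
            $vm_owner{$folded} = $host;
        }
    }
    return (\%host_to_vm, \@errors);
}

# All inventory names that a filter pattern selects.
sub select_names {
    my ($pattern, @inventory) = @_;
    return grep { $_ =~ $pattern } @inventory;
}

# Resolve a HOSTLIST VM name to exactly one inventory entry.
# Returns ($name, '') or (undef, $reason).
sub resolve_vm {
    my ($vm_name, @inventory) = @_;
    my @hits = select_names(qr/\A\Q$vm_name\E\z/i, @inventory);
    return (undef, "no VM named '$vm_name'")        unless @hits;
    return (undef, "'$vm_name' is ambiguous: @hits") if @hits > 1;
    return ($hits[0], '');
}

# Constructed inventory, for illustration only.
my @inventory = qw(vm1 vm10 vm1-clone VM2 vm2);

my ($map, $errors) = parse_hostlist('hostname1=vm1;hostname2=VM2');
print "HOSTLIST error: $_\n" for @$errors;

# Same target name, with and without anchors.
my $target = $map->{hostname1};
print "unanchored: @{[ select_names(qr/\Q$target\E/i, @inventory) ]}\n";
print "anchored:   @{[ select_names(qr/\A\Q$target\E\z/i, @inventory) ]}\n";

# Fence only when the name resolves to a single VM.
for my $host (sort keys %$map) {
    my ($vm, $why) = resolve_vm($map->{$host}, @inventory);
    print defined $vm ? "$host -> $vm\n" : "$host: refused, $why\n";
}
```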
Re: STONITH plugin for VMware vCenter [ In reply to ]
On Tue, Apr 19, 2011 at 02:21:38PM +0200, Dejan Muhamedagic wrote:
> Hi,
>
> On Fri, Apr 08, 2011 at 11:38:23AM +0200, Nhan Ngo Dinh wrote:
> > Logging added
>
> Many thanks. Please see below for a few more comments, mainly
> about the meta-data.
>
> Lars, any more comments on from you?

No time right now.

I'd say take it and let users complain about whatever they find.

Lars
Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Tue, 2011-04-19 at 14:21 +0200, Dejan Muhamedagic wrote:
> > <longdesc lang="en">
> > The VMware vCenter address (default: localhost)
>
> The defaults should go into the content element (see other
> stonith plugins, e.g. external/ipmi).

These defaults come from the vSphere Perl SDK, they are not handled
inside this code. Does it make any difference? Anyway I've changed as
you said.

> > Enable/disable a PowerOnVM on reset when the target virtual machine is off
> > Allowed values: 0, 1
>
> This should default to 1. For better or worse, that's what
> stonith prescribes and other plugins adhere to.

Ok. I've also added an error if RESETPOWERON is set and machine is
powered off.

> Is this the only error which can happen? If not, then no error
> will be logged in that case. Ditto for another occurrence below.

This is what happens according to SDK, however I've added also a generic
error handling procedure to die() if anything other fails.

Best regards,
Nhan
Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Thu, Apr 21, 2011 at 11:08:08AM +0200, Nhan Ngo Dinh wrote:
> Hi,
>
> On Tue, 2011-04-19 at 14:21 +0200, Dejan Muhamedagic wrote:
> > > <longdesc lang="en">
> > > The VMware vCenter address (default: localhost)
> >
> > The defaults should go into the content element (see other
> > stonith plugins, e.g. external/ipmi).
>
> These defaults come from the vSphere Perl SDK, they are not handled
> inside this code. Does it make any difference? Anyway I've changed as
> you said.
>
> > > Enable/disable a PowerOnVM on reset when the target virtual machine is off
> > > Allowed values: 0, 1
> >
> > This should default to 1. For better or worse, that's what
> > stonith prescribes and other plugins adhere to.
>
> Ok. I've also added an error if RESETPOWERON is set and machine is
> powered off.

OK.

> > Is this the only error which can happen? If not, then no error
> > will be logged in that case. Ditto for another occurrence below.
>
> This is what happens according to SDK, however I've added also a generic
> error handling procedure to die() if anything other fails.

Good. One (probably) never knows the future.

I'll push the plugin now to the public repository.

We just need one more thing to fix. The info commands such as
getinfo-xml have to work without software which would otherwise
be required for the plugin's operation, in this case it's the
VMware::VIRuntime module. I guess that you need to use the eval
command.

Many thanks for the contribution. Not least for the
documentation!

Cheers,

Dejan

> Best regards,
> Nhan
>
>


Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

I just moved the "use" function in the network commands block.
Best regards,
Nhan

Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi,

On Wed, Apr 27, 2011 at 09:01:24AM +0200, Nhan Ngo Dinh wrote:
> Hi,
>
> I just moved the "use" function in the network commands block.

Thanks. Please update from the repository in future and provide
patches instead.

Cheers,

Dejan

> Best regards,
> Nhan
Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi Phuc,

Are you using the latest vcenter script?

Download it from
http://hg.linux-ha.org/glue/archive/glue-1.0.9.tar.bz2

And get the vcenter plugin in lib/plugins/stonith/external

Nhan

On 01/13/2013 05:35 PM, Phuc Hoang Ngo wrote:

Dear Nhan NGO,

Thanks to your guideline at http://lists.community.tummy.com/pipermail/linux-ha-dev/2011-April/018404.html, I could do some tests with the STONITH plugin on a VMware ESX/ESXi that is hosting 2 nodes. But I had to modify the following environment variables to make it run:

export PERL_LWP_SSL_VERIFY_HOSTNAME=0
export PERL_NET_HTTPS_SSL_SOCKET_CLASS="Net::SSL"
unset https_proxy

However, the vcenter command always asks me to input username and password although I think that the credentials should be stored and reused from the file vicredentials.xml when I finished the steps (2) and (3) in the guideline without exceptions.

Moreover, I also cannot test with the stonith command (stonith -t external/vcenter .... -iS) because it hangs too long and when I pressed Ctrl-C, I saw the error message said the username or password is not valid.

Could you please tell me whether it is still OK if I configure the CRM as in step (6) in your guideline?

PS: I've just tested on the VMware cluster inside our intranet network, using IPs with cluster nodes.

Best regards,

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
PHUC NGO
ICT/BA#1 Department
Global CyberSoft (Vietnam) JSC
Helios Building, Quang Trung Software City
Tan Chanh Hiep, District 12th, HCMC, Vietnam
Phone: +84-8-5437-1199 (ext 315)
Email: phucnh@gcs-vn.com
Website: https://www.globalcybersoft.com
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/


-- Nhan
Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi Nhan,

Sorry that I didn't mention it in my last mail. I already used this version in my testing last time.
I used the following commands and configurations when I installed glue-1.0.9,

wget http://hg.linux-ha.org/glue/archive/glue-1.0.9.tar.bz2
tar -xvjf glue-1.0.9.tar.bz2
cd glue-1.0.9
./autogen.sh
./configure --localstatedir=/var
make && make install

And I also got the stonith runs with the command: stonith -t external/vcenter -n
Could you please help me to find out the missing?

Best regards,
Phuc Ngo

Re: STONITH plugin for VMware vCenter [ In reply to ]
There is something that is not working properly. Here is the output from my reference configuration:

stonith -t external/vcenter VI_SERVER=10.1.1.1 VI_CREDSTORE="/etc/vicredentials.xml" HOSTLIST="hostname1;hostname2" RESETPOWERON="0" -S
** INFO: Cannot get parameter VI_PORTNUMBER from StonithNVpair
** INFO: Cannot get parameter VI_PROTOCOL from StonithNVpair
** INFO: Cannot get parameter VI_SERVICEPATH from StonithNVpair
stonith: external/vcenter device OK.

And there is no password prompt: everything is taken from vicredentials.xml.
Did you try to use vicredentials.xml with VMware tools to see if authentication is working properly?

Nhan

Re: STONITH plugin for VMware vCenter [ In reply to ]
Hi Nhan,

Thank you very much for your great support.
I successfully executed the stonith command without reentering password anymore.
I followed some instructions from internet to upgrade the libwww-perl to version 5.837 and unset the https_proxy. Then everything works fine as your instructions.

Best regards,
Phuc Ngo
