Third-Party Server Running SUSE
This section describes how to configure the quorum server software on a third-party quorum server running SUSE.
Context
The quorum server software must be configured by the same user account used to install it.
Procedure
- Prepare for the configuration.
Before the configuration, make sure that service IP addresses and a firewall have been configured for the quorum server.
- Configure service IP addresses for the quorum server.
If the two ports on the quorum server are not bonded, they must use IP addresses on different network segments for arbitration. If they are bonded, you only need to configure a virtual IP address.
- If you deploy the quorum server software on a VM, you must create virtual network adapters and switches for it. Table 9-6 describes the configuration requirements.
Figure 9-1 Virtual network adapter configuration
Table 9-6 Configuration requirements
| Item | Configuration Requirement | Example |
| --- | --- | --- |
| Network adapter 2 | vmnic0 connects to controller A of the local and remote storage systems in the HyperMetro pair. | Virtual switch name: vSwitch 1; physical adapter name: vmnic0; physical adapter IP address and mask: 192.168.6.31 and 255.255.255.0 |
| Network adapter 3 | vmnic1 connects to controller B of the local and remote storage systems in the HyperMetro pair. | Virtual switch name: vSwitch 2; physical adapter name: vmnic1; physical adapter IP address and mask: 192.168.7.31 and 255.255.255.0 |
- If you deploy the quorum server software on a physical machine, it is recommended that you configure two IP addresses on different network segments for the ports on the quorum server. Table 9-7 provides an example.
Table 9-7 Service IP address configuration
| Quorum Port | Service IP Address | Mask |
| --- | --- | --- |
| Quorum port 1 | 192.168.6.31 | 255.255.255.0 |
| Quorum port 2 | 192.168.7.31 | 255.255.255.0 |
Run the vi command to open the configuration file of the network adapters used by the quorum server. The following example uses quorum ports on network adapters eth1 and eth2. Modify IPADDR and then save the file.
The STARTMODE parameter must be set to auto.
    XXX@Linux:~# vi /etc/sysconfig/network/ifcfg-eth1
    BOOTPROTO='static'
    BROADCAST=''
    ETHTOOL_OPTIONS=''
    IPADDR='192.168.6.31/24'
    MTU=''
    NAME='82540EM Gigabit Ethernet Controller'
    NETWORK=''
    REMOTE_IPADDR=''
    STARTMODE='auto'
    USERCONTROL='no'
    XXX@Linux:~# vi /etc/sysconfig/network/ifcfg-eth2
    BOOTPROTO='static'
    BROADCAST=''
    ETHTOOL_OPTIONS=''
    IPADDR='192.168.7.31/24'
    MTU=''
    NAME='82540EM Gigabit Ethernet Controller'
    NETWORK=''
    REMOTE_IPADDR=''
    STARTMODE='auto'
    USERCONTROL='no'
- If you deploy the quorum server software on a physical machine and want to bond the ports, you must configure a virtual IP address. The operations for bonding ports vary with the Linux version and host network adapter. The following is for reference only. For more details, see the documentation of your operating system.
- Check whether the system supports port bonding.
Run the #cat /boot/config-kernel-version |grep -i bonding command.
If CONFIG_BONDING=m is returned, the system supports port bonding. Otherwise, you are advised to configure an IP address for each physical port.
- Create a configuration file for the bond port.
The following provides the configuration file for bond0 as an example.
    # vi /etc/sysconfig/network-scripts/ifcfg-bond0
    DEVICE=bond0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.1.202
    NETMASK=255.255.255.0
    GATEWAY=192.168.1.1
    USERCTL=no
    BONDING_OPTS="mode=0 miimon=100"
In the configuration file, mode indicates the bonding mode and miimon indicates the interval (in milliseconds) for monitoring network links.
- Modify the configuration files for the physical ports that are bonded.
For example, to bond physical ports eth0 and eth1, modify their configuration files as follows:
    # cat /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    BOOTPROTO=none
    ONBOOT=yes
    USERCTL=no
    # bond0 represents the name of the configuration file for the bond port.
    MASTER=bond0
    SLAVE=yes
In the configuration file, set MASTER to the name of the configuration file for the bond port created in 1.a.ii.
- Load the bond port.
    # vi /etc/modprobe.d/dist.conf
    alias bond0 bonding
bond0 represents the name of the configuration file for the bond port created in 1.a.ii.
- Set the startup items.
    # echo "ifenslave bond0 eth0 eth1" >> /etc/rc.d/rc.local
- Restart the network service.
# service network restart
- Verify that the service IP addresses for the quorum server have taken effect.
Enter the CLI of the quorum server and run the service network restart command in any directory for the IP address settings to take effect. Then run the ifconfig command to check whether the configurations for eth1 and eth2 have taken effect. If the IP addresses that you configured are displayed in the command output, the configurations have taken effect.
    XXX@Linux:~#ifconfig
    eth1      Link encap:Ethernet  HWaddr 08:00:27:45:7A:E2
              inet addr: 192.168.6.31  Bcast:192.168.6.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe2e:fba6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:43285954 errors:0 dropped:5051127 overruns:0 frame:0
              TX packets:5819 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2916916679 (2781.7 Mb)  TX bytes:720809 (703.9 Kb)
    eth2      Link encap:Ethernet  HWaddr 08:00:27:45:7A:EB
              inet addr: 192.168.7.31  Bcast:192.168.7.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe2e:fba7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:43285954 errors:0 dropped:5051127 overruns:0 frame:0
              TX packets:5819 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2916916679 (2781.7 Mb)  TX bytes:720809 (703.9 Kb)
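The two rules stated above for unbonded quorum ports (STARTMODE set to auto, IP addresses on different network segments) can be checked directly from the ifcfg files. This is an added example, not part of the vendor procedure; the function names are hypothetical and the sample files are constructed to mirror the eth1/eth2 example.

```shell
#!/bin/sh
# Added example, not vendor code: checks two SUSE ifcfg files for unbonded quorum ports.

ifcfg_get() {   # ifcfg_get FILE KEY -> last value of KEY, quotes stripped
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "'\""
}

ip_to_int() {   # A.B.C.D -> 32-bit integer; fails on malformed input
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_segment() {   # same_segment CIDR1 CIDR2 -> 0 overlap, 1 distinct, 2 malformed
    a=$(ip_to_int "${1%/*}") && b=$(ip_to_int "${2%/*}") || return 2
    p=${1#*/}; q=${2#*/}
    for n in "$p" "$q"; do
        case $n in ''|*[!0-9]*|0?*|???*) return 2 ;; esac
        [ "$n" -le 32 ] || return 2
    done
    [ "$q" -lt "$p" ] && p=$q           # compare under the shorter prefix
    mask=$(( (0xFFFFFFFF << (32 - $p)) & 0xFFFFFFFF ))
    [ $(( $a & $mask )) -eq $(( $b & $mask )) ]
}

check_quorum_ports() {   # check_quorum_ports IFCFG1 IFCFG2 -> 0 if both rules hold
    rc=0; seg=0
    for f in "$1" "$2"; do
        [ "$(ifcfg_get "$f" STARTMODE)" = auto ] ||
            { echo "FAIL: STARTMODE is not auto in $f"; rc=1; }
    done
    same_segment "$(ifcfg_get "$1" IPADDR)" "$(ifcfg_get "$2" IPADDR)" || seg=$?
    case $seg in
        0) echo "FAIL: both ports are on the same network segment"; rc=1 ;;
        2) echo "FAIL: IPADDR is not in a.b.c.d/prefix form"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files that mirror the eth1/eth2 example on this page.
demo=$(mktemp -d)
printf "IPADDR='192.168.6.31/24'\nSTARTMODE='auto'\n" > "$demo/ifcfg-eth1"
printf "IPADDR='192.168.7.31/24'\nSTARTMODE='auto'\n" > "$demo/ifcfg-eth2"
check_quorum_ports "$demo/ifcfg-eth1" "$demo/ifcfg-eth2" && echo "OK: quorum ports pass"
```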
- Configure a port ID for the firewall of the quorum server.
Enter the CLI of the quorum server and run the vi /etc/sysconfig/SuSEfirewall2 command in any directory to open the firewall configuration file. Then, enter FW_SERVICES_EXT_TCP="30002" to enable port 30002.
- If you want to enable other ports for the firewall, add the port IDs to the FW_SERVICES_EXT_TCP configuration item. For example, if you want to enable port 22, type FW_SERVICES_EXT_TCP="30002 22".
- If you deploy the quorum server software on a VM, enable the firewall port of the physical machine where the VM is deployed.
    XXX@Linux:~#
    ## Type: string
    #
    # 9.)
    # Which TCP services _on the firewall_ should be accessible from
    # untrusted networks?
    #
    # Format: space separated list of ports, port ranges or well known
    # service names (see /etc/services)
    #
    # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
    #
    # Note: this setting has precedence over FW_SERVICES_ACCEPT_*
    #
    FW_SERVICES_EXT_TCP="30002"
- Verify that the firewall configuration has taken effect.
Enter the CLI of the quorum server and run the rcSuSEfirewall2 restart command in any directory to restart the firewall. Then run the iptables -L command to check whether the firewall configuration has taken effect. If ACCEPT tcp -- anywhere anywhere tcp dpt:pago-services2 is displayed in the command output, the firewall configuration has taken effect (pago-services2 is the name that /etc/services assigns to TCP port 30002).
    XXX@Linux:~# iptables -L
    . . . . . .
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pago-services2
    . . . . . .
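Every entry in FW_SERVICES_EXT_TCP is reachable from untrusted networks, so it is worth confirming that the quorum port is present and reviewing anything else listed there. The following is an added example, not part of the vendor procedure; the function names are hypothetical and the sample file is constructed. Service names such as ssh are reported for review rather than resolved through /etc/services.

```shell
#!/bin/sh
# Added example, not vendor code: audits FW_SERVICES_EXT_TCP in a SuSEfirewall2 file.

fw_ext_tcp() {   # fw_ext_tcp FILE -> value of the last active FW_SERVICES_EXT_TCP line
    sed -n 's/^[[:space:]]*FW_SERVICES_EXT_TCP=//p' "$1" | tail -n 1 | tr -d "'\""
}

entry_covers() {   # entry_covers ENTRY PORT -> 0 if a port or lo:hi range includes PORT
    case $1 in
        ''|*[!0-9:]*) return 1 ;;        # service name: not resolved here
        *:*) [ "${1%%:*}" -le "$2" ] 2>/dev/null &&
             [ "$2" -le "${1##*:}" ] 2>/dev/null ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

audit_fw() {   # audit_fw FILE PORT -> 0 only if PORT is open; prints everything to review
    found=1
    for e in $(fw_ext_tcp "$1"); do
        if entry_covers "$e" "$2"; then
            found=0
            [ "$e" = "$2" ] || echo "REVIEW: $e opens more than port $2"
        else
            echo "REVIEW: $e is also reachable from untrusted networks"
        fi
    done
    [ "$found" -eq 0 ] || echo "FAIL: port $2 is not in FW_SERVICES_EXT_TCP"
    return "$found"
}

# Constructed sample: the page's "30002 22" setting plus a commented-out line
# that must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_TCP="30002 22"
EOF
audit_fw "$sample" 30002
```

The port passed to audit_fw should be the same one given to add server_ip, since the listening port and the firewall port must match.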
- Open the CLI of the quorum server software.
In any directory of the quorum server's operating system, run the qsadmin command to open the quorum server software. The quorum server software page is displayed.
    XXX@Linux:~# qsadmin
    start main!
    Waiting for connecting to server...
    admin:/>
After you open the quorum server software, run the help command for information and to learn about the commands that are required during the configuration process.
- Add the service IP addresses and port ID of the quorum server to the quorum server software.
In the CLI of the quorum server software, run the add server_ip command to add the service IP addresses and port ID of the quorum server to the quorum server software for management.
    admin:/>add server_ip ip=192.168.6.31 port=30002
    Command executed succesfully.
    admin:/>add server_ip ip=192.168.7.31 port=30002
    Command executed succesfully.
- The quorum server uses these service IP addresses to communicate with the storage systems.
- If the two quorum ports on the quorum server are not bonded, IP addresses on different network segments must be configured for the two quorum ports.
- If the two quorum ports on the quorum server are bonded, you can only configure a virtual IP address for arbitration.
- The ID of the quorum server software's listening port must be the same as that enabled on the firewall.
After configuration is complete, run the show server_ip command. If the command output shows the IP addresses and port ID that you added, the configuration is successful.
    admin:/>show server_ip
    Index    Server IP       Server Port
    -----    ------------    ------------------
    1        192.168.6.31    30002
    2        192.168.7.31    30002

    Index    Local IP        Local Port    Remote IP    Remote Port    State
    -----    ------------    ---------     --------     ---------      -----
- (Optional) Replace the original certificates of the quorum server with new ones.
The storage systems and quorum server have default security certificates and private keys. To enhance security, replace them with your own.
- Export the certificate request file of the quorum server.
In the CLI of the quorum server software, run the export tls_cert command to export the device information. The qs_certreq.csr file is generated in the /opt/quorum_server/export_import directory of the quorum server.
    admin:/>export tls_cert
    Command executed successfully.
- The certificates must be replaced in user mode.
- The certificate request file of the quorum server is used to generate certificates in a third-party Certificate Authority (CA). You can then copy these certificates to the /opt/quorum_server/export_import directory of the quorum server to enhance security.
- After installing the quorum server software, you are advised to grant the Secure File Transfer Protocol (SFTP) permission only to the /opt/quorum_server/export_import/ directory. This allows the security certificates to be imported and exported.
- Use the certificate request file to generate certificates.
Send the qs_certreq.csr file to a third-party CA to generate certificates.
- Copy the certificates to the quorum server.
After the certificates are generated, copy the quorum server certificate (for example, qs_cert.crt) and CA certificate (for example, qs_cacert.crt) to the /opt/quorum_server/export_import directory.
- Change the owning user and user group of the quorum server certificate (for example, qs_cert.crt) and CA certificate (for example, qs_cacert.crt) to the user and user group used to install the quorum server software.
    chown quorumsvr:quorumsvr qs_cacert.crt
    chown quorumsvr:quorumsvr qs_cert.crt
In this example, quorumsvr is the default installation user of the quorum server software. Change it to the actual user and user group you use to install the quorum server software.
- Import the certificates to the quorum server software.
In the CLI of the quorum server software, run the import tls_cert ca=qs_cacert.crt cert=qs_cert.crt command to import the certificates to the quorum server software.
    admin:/>import tls_cert ca=qs_cacert.crt cert=qs_cert.crt
    Command executed successfully.
- After replacing the certificates on the quorum server, replace the certificates on the local and remote storage systems. For details, see Replacing Certificates on Storage Systems.
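Before running import tls_cert, the files returned by the CA can be checked against the exported request: the certificate should carry the same public key as qs_certreq.csr, verify against the CA certificate, and not be about to expire. The following is an added example, not part of the vendor procedure. It assumes the openssl command-line tool is installed and that qs_certreq.csr is still in the directory; the function names are hypothetical, and the demo generates a constructed throwaway CA and request using the example file names.

```shell
#!/bin/sh
# Added example, not vendor code: pre-import checks for the quorum server certificate.

cert_matches_csr() {   # cert_matches_csr CSR CERT -> 0 if both carry the same public key
    k=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$k" ] &&
        [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

cert_chains_to() {     # cert_chains_to CA CERT -> 0 if CERT verifies against CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_valid_for() {     # cert_valid_for CERT SECONDS -> 0 if CERT outlives SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

precheck_import() {    # precheck_import DIR -> 0 if all three checks pass
    rc=0
    cert_matches_csr "$1/qs_certreq.csr" "$1/qs_cert.crt" ||
        { echo "FAIL: qs_cert.crt was not issued for qs_certreq.csr"; rc=1; }
    cert_chains_to "$1/qs_cacert.crt" "$1/qs_cert.crt" ||
        { echo "FAIL: qs_cert.crt does not verify against qs_cacert.crt"; rc=1; }
    cert_valid_for "$1/qs_cert.crt" 86400 ||
        { echo "FAIL: qs_cert.crt expires within 24 hours"; rc=1; }
    return $rc
}

# Constructed throwaway CA, request and certificate (not real quorum server material).
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/qs_cacert.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-quorum-server" \
    -keyout "$d/qs.key" -out "$d/qs_certreq.csr" 2>/dev/null
openssl x509 -req -in "$d/qs_certreq.csr" -days 30 -CA "$d/qs_cacert.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/qs_cert.crt" 2>/dev/null
precheck_import "$d" && echo "OK: certificate files are consistent"
```

On a real quorum server, run precheck_import /opt/quorum_server/export_import after copying the CA's files into place.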
- (Optional) Configure a whitelist.
The first time you replace the certificates, you must configure a whitelist.
The quorum server software allows a storage system to connect to the quorum server only after you have added the SN of the storage system to the whitelist. You do not need to configure a whitelist again when replacing certificates.
- In the CLI of the storage system, run the show system general command to query the storage system SN.
    admin:/>show system general
    System Name         : XXXXXX
    Health Status       : Normal
    Running Status      : Normal
    Total Capacity      : X.XXXTB
    SN                  : XXXXXXXXXXXXXXXXXXXX
    Location            :
    Product Model       : XXXXX
    Product Version     : VX00R00XC00
    High Water Level(%) : XX
    Low Water Level(%)  : XX
    WWN                 : XXXXXXXXXXXXXXX
    Time                : XXXX-XX-XX/15:11:15 UTC+08:00
- In the CLI of the quorum server software, run the add white_list sn=? command to add the storage system SN to the quorum server software for management.
    admin:/>add white_list sn=xxxxxxxxxxxxxxx
    Command executed successfully.
- (Optional) Run the change white_list enable_switch=no command to disable the whitelist if you do not need to configure it.