Chapter 26. Clustering

PCS is able to find a token and connect to a node with upper case characters in its node name

Previously, PCS was unable to find a token for any node name with upper case characters, and it would report an error that the node is not authenticated. This occurred because the pcs cluster auth command would lowercase all node names before storing them to the PCS token file. With this fix, PCS does not lowercase node names before storing them to the PCS token file. (BZ#1590533)

pcs now shows correct value for failcount

Starting with the Red Hat Enterprise Linux 7.5 release, the pcs resource failcount show command always showed a failcount of zero, even when this was not the correct value. This occurred because the format of resource failcounts was changed in Pacemaker. With this fix, the pcs utility is able to parse the new failcount format and it displays the correct value. (BZ#1588667)

At cluster startup, corosync starts on each node with a small delay to reduce the risk of JOIN flood

Starting corosync on all nodes at the same time may cause a JOIN flood, which may result in some nodes not joining the cluster. With this update, each node starts corosync with a small delay to reduce the risk of this happening. (BZ#1572886)

New /etc/sysconfig/pcsd option to reject client-initiated SSL/TLS renegotiation

When TLS renegotiation is enabled on the server, a client is allowed to send a renegotiation request, which initiates a new handshake. A handshake is computationally more expensive for the server than for the client, so a client that keeps requesting renegotiation can consume server resources at little cost to itself. This makes the server vulnerable to DoS attacks. With this fix, a new option has been added to the /etc/sysconfig/pcsd configuration file to reject renegotiations. Note that the client can still open multiple connections to a server, and a handshake is performed for each of those connections. (BZ#1566382)
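
To check from a packet capture whether clients are requesting renegotiation, the following added example (not part of pcs or of these release notes) counts client-initiated renegotiation attempts in one connection by reading only the cleartext TLS record headers. It assumes a reassembled client-to-server byte stream of a single TCP connection using TLS 1.2 or earlier; the function names and the sample stream are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20  # TLS record content types


def tls_records(stream: bytes):
    """Yield (content_type, payload_length) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        yield ctype, length
        pos += 5 + length


def count_client_renegotiations(stream: bytes) -> int:
    """Count handshakes the client starts after the first one has finished.

    After the client's ChangeCipherSpec, the next handshake record is its
    Finished message. Any later handshake record from the client opens a
    new (encrypted) handshake, i.e. a renegotiation attempt.
    """
    state, renegotiations = "handshaking", 0
    for ctype, _length in tls_records(stream):
        if state == "handshaking" and ctype == CHANGE_CIPHER_SPEC:
            state = "await_finished"
        elif state == "await_finished" and ctype == HANDSHAKE:
            state = "established"
        elif state == "established" and ctype == HANDSHAKE:
            renegotiations += 1
            state = "handshaking"
    return renegotiations


def record(ctype: int, length: int) -> bytes:
    """Build a constructed TLS 1.2 record with a zero-filled payload."""
    return struct.pack("!BHH", ctype, 0x0303, length) + bytes(length)


# Constructed sample: ClientHello, ClientKeyExchange, ChangeCipherSpec, Finished
FLIGHT = record(22, 200) + record(22, 70) + record(20, 1) + record(22, 40)
# Initial handshake, application data, then two renegotiations by the client
SAMPLE = FLIGHT + record(23, 120) + FLIGHT + FLIGHT + record(23, 64)

if __name__ == "__main__":
    print("client-initiated renegotiations:", count_client_renegotiations(SAMPLE))
```

The count reflects attempts seen on the wire, so a non-zero value against a server that rejects renegotiation shows which clients are still sending the requests.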