Add info on using --use-ssh-agent

[tahliar]

PR creator: Description

Added a section on logging in, and other bits and pieces.

PR creator: Are there any relevant issues/feature requests?

• jsc#PED-7399

PR creator: Which product versions do the changes apply to?

When opening a PR, check all versions of the documentation that your PR applies to.

• SLE-HA 15
  • 15 next (current main, no backport necessary)
  • 15 SP5
  • 15 SP4
  • 15 SP3
  • 15 SP2
  • 15 SP1
• SLE-HA 12
  • 12 SP5
  • 12 SP4

PR reviewer only: Have all backports been applied?

The doc team member merging your PR will take care of backporting to older documents.
When opening a PR, do not set the following check box.

• all necessary backports are done

[tahliar]

Admin guide: I removed the user privileges note (https://documentation.suse.com/sle-ha/15-SP5/html/SLE-HA-all/cha-ha-config-basics.html#cha-ha-manual-config) and replaced it with this:

[nicholasyang2022]

It is great to group crmsh operations into 2 categories. However, I think

full privileges for SSH operations such as crm cluster init, crm cluster join, crm report.

is not so accuracy. The real privileges needed are read/write access to low-level configurations files, such as corosync.conf, and to control system-wide systemd instance to start/stop cluster components such as corosync and pacemaker.

And SSH operations are needed for crmsh to perform the above actions among different cluster nodes.

On the contrary, cib is owned by hacluster user, and is synchronized across the cluster by pacemaker. So hacluster can operates it and not ssh operations are needed.

Loop in @liangxin1300 and @zzhou1 here. Please review the above description, and see whether it is necessary to include these details in documents.

---

If you initialize the cluster manually instead of using the crm clsuter scripts, to allow SSH agent forwarding you must create the file /root/.config/crm/crm.conf

I think creating crm.conf manually is error-prone, and is not enough when the public key has not been installed to authorized_keys. How about guide to use crm cluster init ssh --use-ssh-agent and crm cluster join ssh --use-ssh-agent here?

And similarly in Section 4.8 Bring the cluster online, crm cluster start --all is used. However, this requires SSH operations, which is not available if the cluster is configured using yast2-cluster.

[zzhou1]

It is great to group crmsh operations into 2 categories. However, I think

full privileges for SSH operations such as crm cluster init, crm cluster join, crm report.

is not so accuracy. The real privileges needed are read/write access to low-level configurations files, such as corosync.conf, and to control system-wide systemd instance to start/stop cluster components such as corosync and pacemaker.

And SSH operations are needed for crmsh to perform the above actions among different cluster nodes.

On the contrary, cib is owned by hacluster user, and is synchronized across the cluster by pacemaker. So hacluster can operates it and not ssh operations are needed.

Loop in @liangxin1300 and @zzhou1 here. Please review the above description, and see whether it is necessary to include these details in documents.

Yeah. Could be something like as below in my language,

"""
These users has full privileges on all cluster nodes by leveraging SSH for crmsh operations such as crm cluster init, crm cluster join, crm report
"""

If you initialize the cluster manually instead of using the crm clsuter scripts, to allow SSH agent forwarding you must create the file /root/.config/crm/crm.conf

I think creating crm.conf manually is error-prone, and is not enough when the public key has not been installed to authorized_keys. How about guide to use crm cluster init ssh --use-ssh-agent and crm cluster join ssh --use-ssh-agent here?

And similarly in Section 4.8 Bring the cluster online, crm cluster start --all is used. However, this requires SSH operations, which is not available if the cluster is configured using yast2-cluster.

Yes, use the "ssh" stage is a better and safer approach.

[tahliar]

Thanks @zzhou1 and @nicholasyang2022! I've made some changes that hopefully address all your feedback.
(I'm still working on changing Appendix D, so that's still to come.)

1. Added some detail about the crm cluster start command in 4.8 Bringing the cluster online

I think it's fine to leave in --all as long as that clarification is there, because the requirements in chapter 2 already mention that passwordless SSH is required. On that topic:

2. Added some detail to the SSH requirement in 2.4 Other requirements and recommendations

3. Updated the new section 5.5.1 Logging in based on your feedback. It now looks like this:

[tahliar]

I've now also updated Appendix D. Here's what I did:

1. Removed D.1 Creating a local user account and D.2 Configuring a passwordless SSH account, as they weren't HA-specific and/or are covered elsewhere

2. Removed D.4 Generating a cluster report as the content is already included elsewhere, and moved the custom SSH port procedure to the crm report section in the Troubleshooting chapter:

3. Consolidated Appendix D down to just the sudo privileges part (PDF because it's a whole section):

• app-crmreport-nonroot_en.pdf

4. Updated the regulatory requirements note (again) to (re)include a link to the Appendix:

[nicholasyang2022]

LGTM 👍

[zzhou1]

Great effort! Only one minor change request.

3. Consolidated Appendix D down to just the sudo privileges part (PDF because it's a whole section):

Only one comment:

It's better to remove the space before the asterisk as below.
Cmnd_Alias HA_ALLOWED = /bin/su, /usr/sbin/crm report*

Otherwise, I get the following confusing error message and spend a couple of hours to figure it out

hareport@15sp6-1:~> sudo crm report                                                                          
[sudo] password for hareport: 
Sorry, user hareport is not allowed to execute '/usr/sbin/crm report' as root on 15sp6-1.

[tahliar]

Thanks @nicholasyang2022 and @zzhou1! I've fixed the extra space and will move this on to editorial review now 👍

[dariavladykina]

LGTM, just one minor nit. Thanks!