The fencing agent fence_ilo2 fails to fence a cluster node on RHEL7

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux Server 7 (with the High Availability Add Ons)

Issue

  • The fencing agent fence_ilo2 fails to fence a cluster node on RHEL7.

Resolution

Add the following options to your fencing agent's configuration. See the fence_ilo2 man page for more information about these options:

  • --ssl-insecure
  • --notls

For example, the following command gets the status of an iLO2 fence device:

# fence_ilo2 --ssl-insecure --notls -a <hostname> -l <username> -p <password> -o status
Status: ON

Root Cause

In RHEL 6, we used the NSS library to create the SSL connection, and we ignored the validity of the SSL certificate on the fence device.

In RHEL 7, TLS 1.x, provided by the gnutls package, is used by default instead of SSL 3.0. If you want to use SSL 3.0 instead (for example with HP iLO2, which does not properly support TLS), use --notls (or notls on STDIN).

The second problem is that RHEL 7 checks the validity of SSL certificates, and they are usually invalid, which causes the fence agent to fail. If the SSL certificate is invalid, use the option --ssl-insecure instead of --ssl so that the validity of the certificate is not checked.

Note that in RHEL 7 there should be no difference between the options --ssl-secure and --ssl, because --ssl-secure enables SSL and --ssl assumes secure.
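
The same status check with the options passed on STDIN (the form mentioned above for notls), so the password does not appear on the command line. This is an added example, not part of the original solution; it assumes the STDIN option names ipaddr, login, passwd, action, ssl_insecure and notls, and uses a hypothetical environment variable ILO_PASSWD.

```shell
#!/bin/bash
# Added example (not Red Hat's code). Builds the key=value option block that
# fence agents read from STDIN when started without command-line options.
# ILO_PASSWD is a hypothetical environment variable chosen for this example;
# the STDIN option names other than notls are assumptions (not on the page).

# ilo2_stdin_opts HOST LOGIN [ACTION] -> prints the STDIN option block
ilo2_stdin_opts() {
    local host=$1 login=$2 action=${3:-status}
    if [ -z "$host" ] || [ -z "$login" ]; then
        echo "usage: ilo2_stdin_opts HOST LOGIN [ACTION]" >&2
        return 2
    fi
    if [ -z "$ILO_PASSWD" ]; then
        echo "ILO_PASSWD is not set" >&2
        return 2
    fi
    # Only accept the actions this example is meant to drive.
    case $action in
        status|on|off|reboot) ;;
        *) echo "unsupported action: $action" >&2; return 2 ;;
    esac
    # ssl_insecure=1 : use SSL without checking the certificate (--ssl-insecure)
    # notls=1        : use SSL 3.0 instead of TLS 1.x (--notls)
    printf '%s\n' \
        "ipaddr=$host" \
        "login=$login" \
        "passwd=$ILO_PASSWD" \
        "action=$action" \
        "ssl_insecure=1" \
        "notls=1"
}

# ilo2_fence HOST LOGIN [ACTION] -> runs fence_ilo2 with the options on STDIN
ilo2_fence() {
    local opts
    opts=$(ilo2_stdin_opts "$@") || return
    printf '%s\n' "$opts" | fence_ilo2
}
```

With ILO_PASSWD set in the shell, `ilo2_fence <hostname> <username> status` performs the same check as the command shown in the Resolution section.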


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.