Fencing agent "fence_idrac" fails to work with iDRAC7

Solution Verified - Updated 6 Aug 2024

Environment

Red Hat Enterprise Linux Server 6 (with the High Availability or Resilient Storage Add Ons)

Issue

On Dell server with iDRAC7 interface the fence_idrac fails. In the file /etc/cluster.cong the devices are configured with drac5 agents:

<fencedevice agent="fence_drac5" cmd_prompt="\/-&gt;" secure="1" ipaddr="AAA.BBB.CCC.DDD" login="<login>" name="<name>" passwd="***"/>
<fencedevice agent="fence_drac5" cmd_prompt="\/-&gt;" secure="1" ipaddr="AAA.BBB.CCC.DDD" login="<login>" name="<name>" passwd="***"/>
<fencedevice agent="fence_drac5" cmd_prompt="\/-&gt;" secure="1" ipaddr="AAA.BBB.CCC.DDD" login="<login>" name="<name>" passwd="***"/>

Resolution

Use fence_device type "ipmilan" in your /etc/cluster/cluster.conf and IPMI priviledge level "operator" instead of "user". The fence_ipmilan agent has been updated to support the -L option of the ipmilan daemon, thus supporting fencing with user session privileges level. Without the -L option the Privilege Level is set to ADMINISTRATOR. As the ipmifence account does not have this privilege, the command fails. When using the '-L operator' fencing works on a server with iDRAC7 interface.
Please be aware that there is issue when using Dell OpenManage repository. Dell repository will overwrite IPMItool with a version that does not support the LanPlus protocol. This will lead to fencing failing if the fence_agent is configured to use encryption.
As a workaround please remove the systems from the Dell OM channel after installing the OM tools.

Root Cause

Wrong IPMI privileges for fencing device.
From ipmitool documentation:

-L <privlvl>
              Force session privilege level.  Can be CALLBACK, USER, OPERATOR,
              ADMINISTRATOR. Default is ADMINISTRATOR.

Diagnostic Steps

The report reveals following error:

Jul 30 14:13:44 node1 dlm_controld[28315]: dlm_join_lockspace no fence domain
Jul 30 14:26:20 node1 dlm_controld[28315]: dlm_join_lockspace no fence domain
Jul 30 14:27:38 node1 fence_node[30206]: unfence node1 failed
Jul 30 14:36:01 node1 fenced[31404]: fenced 3.0.12.1 started
Jul 30 14:36:10 node1 fence_node[31489]: unfence node1 failed
Jul 30 14:36:53 node1 fence_node[31576]: unfence node1 failed

Fencing devices are configured with drac5 agents:

<fencedevice agent="fence_drac5" cmd_prompt="\/-&gt;" secure="1" ipaddr="AAA.BBB.CCC.DDD" login="<login>" name="<name>" passwd="***"/>
<fencedevice agent="fence_drac5" cmd_prompt="\/-&gt;" secure="1" ipaddr="AAA.BBB.CCC.DDD" login="<login>" name="<name>" passwd="***"/>
<fencedevice agent="fence_drac5" cmd_prompt="\/-&gt;" secure="1" ipaddr="AAA.BBB.CCC.DDD" login="<login>" name="<name>" passwd="***"/>

When using the ipmilan with privlvl=user:

# fence_node -vv node1
fence node1 dev 0.0 agent fence_ipmilan result: error from agent
agent args: action=off nodename=node1 agent=fence_ipmilan ipaddr=AAA.BBB.CCC.DDD lanplus=1 login=<login> passwd=######## privlvl=user 
fence node1 failed

SBR

Clusterha

Product(s)

Red Hat Enterprise Linux

Components

Category

Troubleshoot

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.