How do I hide the fence device password specified in the cluster configuration?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux Server 5, 6, 7, 8, 9 (with the High Availability or Resilient Storage Add Ons)
  • Red Hat Cluster Suite

Issue

  • How to hide the fence device password
    • specified in the cluster configuration file, /etc/cluster/cluster.conf?
    • in the pcs cluster cib or pcs stonith show --full outputs?
  • Can I use an external file for fence device passwords?

Resolution

If using RHEL 8.3 or later, then there is a feature to allow for storing attribute values as secrets (instead of plaintext) with the pacemaker cib file: Is there a way to store secrets in pacemaker?


To hide the fence device password specified in /etc/cluster/cluster.conf or visible in the output of pcs cluster cib or pcs stonith show --full, use the passwd_script attribute of the fence agent instead of the passwd attribute. Most fence agents accept the passwd_script attribute: the agent runs the script and reads the password from its standard output.

Below is an example configuration for one fence agent, using the script /usr/local/bin/hide-pw.sh to supply the password for the fence device.

  1. Create the file /usr/local/bin/hide-pw.sh with the following contents and place it on each cluster node:

    #!/bin/bash
    # Print the fence device password on stdout; replace PASSWORD with the real value.
    echo 'PASSWORD'
    exit 0
    
  2. Set the file permissions to limit access to the password script. For example:

    # chmod 700 /usr/local/bin/hide-pw.sh
    
  3. Update the cluster configuration
    RHEL 5, RHEL 6 - rgmanager
    Update /etc/cluster/cluster.conf to use the passwd_script attribute pointing to the script that outputs the password, and synchronize /etc/cluster/cluster.conf to the other nodes in the cluster.

    ### /etc/cluster/cluster.conf
    ...
    <fencedevice agent="fence_apc" ipaddr="1.2.3.4" login="xxx" name="apc" passwd_script="/usr/local/bin/hide-pw.sh"/>
    ...
    

    RHEL 6, RHEL 7 - pacemaker
    Update the stonith device definition by adding the passwd_script attribute and removing the passwd attribute (setting passwd to an empty value removes it):

    # pcs stonith update apc passwd_script=/usr/local/bin/hide-pw.sh passwd=
    

For information on encrypting the password instead, refer to: How to use the encrypted password for fence devices in the cluster configuration file?
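As an added example that is not part of the Red Hat solution, the shell helpers below audit the setup described above: they check that the password script is locked down and emits exactly one line, and scan a cluster.conf, a CIB dump, or pcs stonith show output for any fence definition still carrying a plaintext passwd. Function names are my own and GNU coreutils (stat -c) is assumed.

```shell
#!/bin/bash
# Added example, not part of the Red Hat solution: audit helpers for the
# passwd_script setup described above. Assumes GNU coreutils (stat -c).

# Verify a password script: regular file, no group/other permission bits
# (e.g. 700 as in the article), and exactly one line on stdout, which is
# what the fence agent reads as the password. Returns 1 on any failure.
check_passwd_script() {
    local script="$1" mode lines
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    mode=$(stat -c '%a' "$script")
    case "$mode" in
        ?00) ;;
        *) echo "too permissive (mode $mode): $script"; return 1 ;;
    esac
    lines=$("$script" | wc -l | tr -d ' ')
    [ "$lines" = 1 ] || { echo "expected 1 line of output, got $lines: $script"; return 1; }
    return 0
}

# Report fence definitions that still carry a plaintext password, in any of
# the three forms shown in the article: a cluster.conf <fencedevice passwd=...>,
# a CIB <nvpair name="passwd">, or an 'Attributes:' line from pcs stonith show.
# Prints the matching lines; returns 1 if any were found, 0 if the file is clean.
report_plaintext_fence_passwords() {
    local file="$1"
    [ -r "$file" ] || { echo "cannot read: $file"; return 2; }
    if grep -En -e '<fencedevice[^>]*[[:space:]]passw(d|ord)="' \
                -e '<nvpair[^>]*name="passw(d|ord)"' \
                -e 'Attributes:.*[[:space:]]passw(d|ord)=' "$file"; then
        return 1
    fi
    return 0
}

# Combined audit: the script is locked down and the configuration dump no
# longer exposes the password. Usage: audit_fence_password_setup SCRIPT DUMP
audit_fence_password_setup() {
    check_passwd_script "$1" && report_plaintext_fence_passwords "$2"
}
```

Run the audit on every node after step 3, since the script must exist with the same permissions on each of them.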

Diagnostic Steps

  • In rgmanager-style clusters (RHEL 5, RHEL 6) the password for fencing devices is visible in the /etc/cluster/cluster.conf file:

    ### /etc/cluster/cluster.conf
    ...
    <fencedevice agent="fence_apc" ipaddr="1.2.3.4" login="xxx" name="apc" passwd="PASSWORD"/>
    ...

  • In pacemaker-style clusters (RHEL 6, RHEL 7) the password for fencing devices is visible in the output of the following commands:

    # pcs cluster cib
    ...
     <primitive class="stonith" id="apc" type="fence_apc">
       <instance_attributes id="apc_attributes">
         <nvpair id="apc-instance_attributes-ipaddr" name="ipaddr" value="1.2.3.4"/>
         <nvpair id="apc-instance_attributes-login" name="login" value="xxx"/>
         <nvpair id="apc-instance_attributes-passwd" name="passwd" value="PASSWORD"/>
       </instance_attributes>
     </primitive>
    ...

    # pcs stonith show --full
     Resource: apc (class=stonith type=fence_apc)
      Attributes: ipaddr=1.2.3.4 login=xxx passwd=PASSWORD
    ...

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.