How to set up fencing for Cisco UCS blades with the fence agent fence_cisco_ucs?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux Server 5 (with the High Availability or Resilient Storage Add On)
  • Red Hat Enterprise Linux Server 6 (with the High Availability or Resilient Storage Add On)
  • Red Hat Enterprise Linux Server 7 (with the High Availability or Resilient Storage Add On)
  • Red Hat Enterprise Linux Server 8 (with the High Availability or Resilient Storage Add On)
  • Cisco UCS blades

Issue

  • How to set up fencing for Cisco UCS blades with the fence agent fence_cisco_ucs?
  • Need a UCS-specific fencing agent for Cisco UCS systems. We can use ipmilan to do UCS fencing today, but there is currently no way to tie the BMC IP address to a UCS Service Profile. Therefore, there is no way to permanently guarantee that we know the IPMI address of a UCS blade for fencing.

Resolution

The fencing agent for Cisco UCS, fence_cisco_ucs, is included in the package cman-2.0.115-68.el5 for RHEL 5 and is included in RHEL 6 and RHEL 7.

Test that the fencing agent can log in to the fencing device and correctly get the status of the specific port used by a specific cluster node.

# fence_cisco_ucs --ip="a.b.c.d" --username="admin" --password="XXXXX" --plug="UCSPROFILE2" --suborg="/org-RHEL/" --ssl-insecure -o status -v

  • --ip: The UCS Manager IP address

  • --username: The login name for the fencing user in UCS

  • --password: The password for the fencing user in UCS

  • --plug (--port in older releases): The UCS service profile name, as found in the service profile listing

  • --suborg [optional]: The sub-organization for the UCS service profile

    • You can find the suborg for a node by running fence_cisco_ucs with the list action, searching for the service profile name, and removing org-root. In the below example, suborg could be /org-RHEL_DEV, /org-RHEL_UAT, or /org-RHEL_PRD.
      NOTE: If there is nothing between org-root and ls-<service_profile>, then you do not need to specify a suborg.

# fence_cisco_ucs --ip='1.2.3.4' --username='fence_user' --password='S3cr3t_p4ss' -o list
org-root/org-RHEL_DEV/ls-dev-node-01,
org-root/org-RHEL_DEV/ls-dev-node-02,
org-root/org-RHEL_UAT/ls-uat-node-01,
org-root/org-RHEL_UAT/ls-uat-node-02,
org-root/org-RHEL_PRD/ls-prd-node-01,
org-root/org-RHEL_PRD/ls-prd-node-02

  • -z [optional]: Use SSL connection

  • --ssl-insecure [optional]: Use SSL connection without verifying certificate

    • In many cases when using SSL, it will be necessary to set the --ssl-insecure flag in order to avoid an "Unable to connect/login to fencing device" error.
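
The suborg lookup described above, as an added shell example that is not part of the original article: it reads `-o list` output and derives the --plug and --suborg values for one service profile, matching the ls-<service_profile> component exactly so that a similar name cannot select another node's profile. The function names and the lab-node-01 entry are assumptions made for illustration, as is joining nested orgs the same way.

```shell
#!/bin/sh
# Added example (not from the original article): derive the --plug/--suborg
# values for one service profile from `fence_cisco_ucs ... -o list` output.

# ucs_suborg PROFILE   (list output on stdin)
# Prints the suborg of PROFILE, or an empty line if the profile sits directly
# under org-root. Exit status: 0 = one match, 1 = not listed, 2 = ambiguous.
ucs_suborg() {
    awk -v want="ls-$1" '
        {
            gsub(/^[ \t]+|\r$/, "")   # leading blanks, CR from CRLF output
            sub(/,.*$/, "")           # trailing comma (and anything after it)
            n = split($0, part, "/")
            # The ls-<service_profile> component must match exactly, so
            # "dev-node-0" never selects "dev-node-01".
            if (n < 2 || part[1] != "org-root" || part[n] != want) next
            path = ""
            for (i = 2; i < n; i++) path = path "/" part[i]
            print path
            found++
        }
        END { exit (found == 1 ? 0 : (found ? 2 : 1)) }
    '
}

# ucs_plug_args PROFILE   (list output on stdin)
# Prints the options to append to the status command; --suborg is left out
# when nothing lies between org-root and ls-<service_profile>.
ucs_plug_args() {
    suborg=$(ucs_suborg "$1") || return
    if [ -n "$suborg" ]; then
        printf '%s\n' "--plug=$1 --suborg=$suborg"
    else
        printf '%s\n' "--plug=$1"
    fi
}

# Listing from the article, plus one constructed profile directly under org-root.
sample_list() {
    cat <<'EOF'
org-root/org-RHEL_DEV/ls-dev-node-01,
org-root/org-RHEL_DEV/ls-dev-node-02,
org-root/org-RHEL_UAT/ls-uat-node-01,
org-root/org-RHEL_PRD/ls-prd-node-02
org-root/ls-lab-node-01,
EOF
}

sample_list | ucs_plug_args prd-node-02   # --plug=prd-node-02 --suborg=/org-RHEL_PRD
```

In live use, pipe the real listing into ucs_plug_args in place of sample_list. A non-zero exit status means the profile was not listed or appears under more than one org, and the fence device should not be configured from that result.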

RHEL 5 and RHEL 6


This fencing agent `fence_cisco_ucs` can be configured from the `luci` interface or by editing `/etc/cluster/cluster.conf` with a text editor such as `vim` on RHEL 5 and RHEL 6. All the options for the fence device are listed in our [Cluster Administration Guide fencing section](https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Cluster_Administration/index.html#tb-software-fence-ciscoucs-CA).

Below is a sample fence device section for fence_cisco_ucs for cman based clusters:

<fencedevices>
   <fencedevice agent="fence_cisco_ucs" ipaddr="x.x.x.x" login="admin" name="ucs" passwd="some_password" suborg="/org-RHEL/" ssl="1"/>
</fencedevices>

RHEL 7


Consult the following documentation for RHEL 7: [High Availability Add-On Reference - Fencing](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/High_Availability_Add-On_Reference/index.html#ch-fencing-HAAR). See the command line example above for more information on what the options mean. Here is an example:
# pcs stonith create <resource-id> fence_cisco_ucs pcmk_host_map="<host1:port1>;<host2:port2>;<host3:port3>" ipaddr="<ucs_ip>" login="<login name>" passwd="<password>" suborg="<suborg>" ssl="1" ssl_insecure="1"

In the fence_cisco_ucs configuration, the "port" identifies the host as it is seen from UCS. In other words, it is the name used for the node in the stdout of the following command:

# fence_cisco_ucs --ip="<ip address>" --username="<username>" --password="<password>" -o list --ssl-insecure

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.