Do I need to escape special characters in my fence device username or password in a RHEL high availability cluster?
Environment
- Red Hat Enterprise Linux (RHEL) 5, 6, or 7 with the High Availability Add On
- `cman`, `cman`+`pacemaker`, or `pacemaker` clusters
- A fence device whose username or password contains special characters (like '#', '\', ';', '<', '>', etc.)
Issue
- My fence device password has special characters. Do I need to use an escape sequence?
- We use Active Directory authentication on our fence device, and so the username also includes the domain, which requires a '\'. Do I need to escape this in the configuration?
- How should I handle special characters in the fence device options?
Resolution
In each of the different cluster types listed above, the only characters that need special consideration are those that may be interpreted by the shell, such as bash (the default), and only when executing commands from the command line.
cman-based clusters
Running the fence agent from the command line
If the fence device username or password contains a special character that will be interpreted by the shell, then simply specify the string in single quotes (`'
# ### username: user\domain password: myPassword;
# fence_ipmilan -a 10.10.10.10 -l 'user\domain' -p 'myPassword;' -P -o reboot
# ### username: user\domain password: sT2z#x!;7
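# ### the backslash-escaped password is left unquoted: inside double quotes bash keeps the backslash before '#', '!' and ';'
# fence_vmware_soap -a 10.10.10.11 -l "user\\domain" -p sT2z\#x\!\;7 -z -U 4223927c-5bb1-a968-5aa6-990384437b05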
Configuring fence devices with the ccs command (RHEL 6 only)
Special characters for the shell in use need to be enclosed in single quotes or escaped when configuring devices through `ccs`, to ensure it passes them through to the configuration correctly. Examples, using the `bash` shell:
# ### username: user\domain password: myPassword;
# ccs -h node1.example.com --addfencedev myIPMI agent='fence_ipmilan' ipaddr='10.10.10.10' login='user\domain' passwd='myPassword;' lanplus='1'
# ### username: user\domain password: sT2z#x!;7
# ### backslash-escaped value left unquoted (double quotes would keep the backslashes)
# ccs -h node1.example.com --addfencedev myVmware agent="fence_vmware_soap" ipaddr="10.10.10.11" login="user\\domain" passwd=sT2z\#x\!\;7 ssl="1"
Configuring fence devices with Conga or directly in /etc/cluster/cluster.conf
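Because there is no shell involved, there is nothing that can misinterpret shell special characters. Simply enter the username and password exactly as the device accepts them. The only syntax left to respect is XML's own: when editing the file by hand, a literal `&`, `<` or `"` inside an attribute value must be written as `&amp;`, `&lt;` or `&quot;`. Examples of the end result: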
<!-- username: user\domain password: myPassword; -->
<fencedevice name="myIPMI" agent="fence_ipmilan" ipaddr="10.10.10.10" login="user\domain" passwd="myPassword;" lanplus="1"/>
<!-- username: user\domain password: sT2z#x!;7 -->
<fencedevice name="myVmware" agent="fence_vmware_soap" ipaddr="10.10.10.11" login="user\domain" passwd="sT2z#x!;7" ssl="1"/>
pacemaker-based clusters
Configuring stonith devices via pcs stonith
Special characters for the shell in use need to be enclosed in single quotes or escaped when configuring devices through pcs, to ensure it passes them through to the configuration correctly. Examples, using the bash shell:
# ### username: user\domain password: myPassword;
# pcs stonith create myIPMI fence_ipmilan ipaddr='10.10.10.10' login='user\domain' passwd='myPassword;' lanplus="1"
# ### username: user\domain password: sT2z#x!;7
# ### backslash-escaped value left unquoted (double quotes would keep the backslashes)
# pcs stonith create myVmware fence_vmware_soap ipaddr="10.10.10.11" login="user\\domain" passwd=sT2z\#x\!\;7 ssl="1"
Configuring stonith devices via pcs cluster edit or by modifying a CIB file in a text editor
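Because there is no shell involved, there is nothing that can misinterpret shell special characters. Simply enter the username and password exactly as the device accepts them. The only syntax left to respect is XML's own: when editing the CIB by hand, a literal `&`, `<` or `"` inside an attribute value must be written as `&amp;`, `&lt;` or `&quot;`. Examples of the end result: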
<!-- username: user\domain password: myPassword; -->
<primitive class="stonith" id="myIPMI" type="fence_ipmilan">
  <instance_attributes id="myIPMI-instance_attributes">
    <nvpair id="myIPMI-instance_attributes-ipaddr" name="ipaddr" value="10.10.10.10"/>
    <nvpair id="myIPMI-instance_attributes-login" name="login" value="user\domain"/>
    <nvpair id="myIPMI-instance_attributes-passwd" name="passwd" value="myPassword;"/>
    <nvpair id="myIPMI-instance_attributes-lanplus" name="lanplus" value="1"/>
  </instance_attributes>
  <operations>
    <op id="myIPMI-monitor-interval-60s" interval="60s" name="monitor"/>
  </operations>
</primitive>
<!-- username: user\domain password: sT2z#x!;7 -->
<primitive class="stonith" id="myVmware" type="fence_vmware_soap">
  <instance_attributes id="myVmware-instance_attributes">
    <nvpair id="myVmware-instance_attributes-ipaddr" name="ipaddr" value="10.10.10.11"/>
    <nvpair id="myVmware-instance_attributes-login" name="login" value="user\domain"/>
    <nvpair id="myVmware-instance_attributes-passwd" name="passwd" value="sT2z#x!;7"/>
    <nvpair id="myVmware-instance_attributes-ssl" name="ssl" value="1"/>
  </instance_attributes>
  <operations>
    <op id="myVmware-monitor-interval-60s" interval="60s" name="monitor"/>
  </operations>
</primitive>
Root Cause
The escaping of special characters is a common source of confusion, and can easily result in settings that work on the command line but fail when configured directly in the cluster, or vice versa. It is important to remember that the cluster software has no concept of "special characters", so it is only the shell that has to be accounted for. As such, characters only need to be escaped when they could be interpreted by the shell, which would prevent them from being passed to the fence agent properly.
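In bash, special characters can be escaped either by enclosing the string in single quotes ('<string>') or by preceding each special character with \ outside of any quotes. Double quotes are not equivalent: inside them bash removes a backslash only before $, `, ", \ and a newline, so a sequence such as \# or \; is passed to the fence agent with the backslash still in it.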
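The script below is an added example, not part of the original article: it shows what string a fence agent would actually receive for each way of typing the article's sample password, and how to build a safe single-quoted form for a value that itself contains a single quote. The helper names `received`, `sq_quote` and `check` are hypothetical. Run it as a script; history expansion of `!` is only active at an interactive prompt.

```bash
#!/bin/bash
# Added example: what a fence agent would receive for each way of typing
# the article's sample password sT2z#x!;7 on a shell command line.

# received TYPED: parse TYPED as one shell word, the way the shell would
# before starting the agent, and print the resulting argument.
# eval is acceptable here only because every input is a constructed literal.
received() {
    eval "printf '%s' $1" 2>/dev/null || true
}

# sq_quote STRING: wrap STRING in single quotes for pasting into a ccs or
# pcs command; an embedded ' becomes '\'' (close, escaped quote, reopen).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# check TYPED EXPECTED: report whether TYPED arrives as EXPECTED.
check() {
    got=$(received "$1")
    if [ "$got" = "$2" ]; then verdict=OK; else verdict=MISMATCH; fi
    printf '%-22s -> %-16s %s\n' "$1" "$got" "$verdict"
}

pw='sT2z#x!;7'                        # sample password from the article
check "'$pw'"            "$pw"        # single quotes: passed verbatim
check 'sT2z\#x\!\;7'     "$pw"        # unquoted escapes: backslashes removed
check '"sT2z\#x\!\;7"'   "$pw"        # double quotes: backslashes survive
check "$pw"              "$pw"        # bare: ';' ends the command early
check '"user\\domain"'   'user\domain'    # \\ is one of the few escapes
                                          # honoured inside double quotes
tricky="it's;#1"                      # constructed value with a single quote
check "$(sq_quote "$tricky")" "$tricky"
```

The third and fourth rows report MISMATCH: the double-quoted form delivers the backslashes to the agent, and the bare form is cut off at the `;`.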