summaryrefslogtreecommitdiffstats
path: root/doc/sphinx/Pacemaker_Administration/configuring.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/sphinx/Pacemaker_Administration/configuring.rst')
-rw-r--r--doc/sphinx/Pacemaker_Administration/configuring.rst109
1 files changed, 48 insertions, 61 deletions
diff --git a/doc/sphinx/Pacemaker_Administration/configuring.rst b/doc/sphinx/Pacemaker_Administration/configuring.rst
index 415dd81..295c96a 100644
--- a/doc/sphinx/Pacemaker_Administration/configuring.rst
+++ b/doc/sphinx/Pacemaker_Administration/configuring.rst
@@ -189,48 +189,53 @@ cluster even if the machine itself is not in the same cluster. To do this, one
simply sets up a number of environment variables and runs the same commands as
when working on a cluster node.
-.. table:: **Environment Variables Used to Connect to Remote Instances of the CIB**
-
- +----------------------+-----------+------------------------------------------------+
- | Environment Variable | Default | Description |
- +======================+===========+================================================+
- | CIB_user | $USER | .. index:: |
- | | | single: CIB_user |
- | | | single: environment variable; CIB_user |
- | | | |
- | | | The user to connect as. Needs to be |
- | | | part of the ``haclient`` group on |
- | | | the target host. |
- +----------------------+-----------+------------------------------------------------+
- | CIB_passwd | | .. index:: |
- | | | single: CIB_passwd |
- | | | single: environment variable; CIB_passwd |
- | | | |
- | | | The user's password. Read from the |
- | | | command line if unset. |
- +----------------------+-----------+------------------------------------------------+
- | CIB_server | localhost | .. index:: |
- | | | single: CIB_server |
- | | | single: environment variable; CIB_server |
- | | | |
- | | | The host to contact |
- +----------------------+-----------+------------------------------------------------+
- | CIB_port | | .. index:: |
- | | | single: CIB_port |
- | | | single: environment variable; CIB_port |
- | | | |
- | | | The port on which to contact the server; |
- | | | required. |
- +----------------------+-----------+------------------------------------------------+
- | CIB_encrypted | TRUE | .. index:: |
- | | | single: CIB_encrypted |
- | | | single: environment variable; CIB_encrypted |
- | | | |
- | | | Whether to encrypt network traffic |
- +----------------------+-----------+------------------------------------------------+
+.. list-table:: **Environment Variables Used to Connect to Remote Instances of the CIB**
+ :class: longtable
+ :widths: 2 2 5
+ :header-rows: 1
+
+ * - Environment Variable
+ - Default
+ - Description
+ * - .. index::
+ single: CIB_user
+ single: environment variable; CIB_user
+
+ CIB_user
+ - |CRM_DAEMON_USER_RAW|
+ - The user to connect as. Needs to be part of the |CRM_DAEMON_GROUP| group
+ on the target host.
+ * - .. index::
+ single: CIB_passwd
+ single: environment variable; CIB_passwd
+
+ CIB_passwd
+ -
+ - The user's password. Read from the command line if unset.
+ * - .. index::
+ single: CIB_server
+ single: environment variable; CIB_server
+
+ CIB_server
+ - localhost
+ - The host to contact
+ * - .. index::
+ single: CIB_port
+ single: environment variable; CIB_port
+
+ CIB_port
+ -
+ - The port on which to contact the server; required
+ * - .. index::
+ single: CIB_encrypted
+ single: environment variable; CIB_encrypted
+
+ CIB_encrypted
+ - true
+ - Whether to encrypt network traffic
So, if **c001n01** is an active cluster node and is listening on port 1234
-for connections, and **someuser** is a member of the **haclient** group,
+for connections, and **someuser** is a member of the |CRM_DAEMON_GROUP| group,
then the following would prompt for **someuser**'s password and return
the cluster's current configuration:
@@ -243,27 +248,9 @@ For security reasons, the cluster does not listen for remote connections by
default. If you wish to allow remote access, you need to set the
``remote-tls-port`` (encrypted) or ``remote-clear-port`` (unencrypted) CIB
properties (i.e., those kept in the ``cib`` tag, like ``num_updates`` and
-``epoch``).
-
-.. table:: **Extra top-level CIB properties for remote access**
-
- +----------------------+-----------+------------------------------------------------------+
- | CIB Property | Default | Description |
- +======================+===========+======================================================+
- | remote-tls-port | | .. index:: |
- | | | single: remote-tls-port |
- | | | single: CIB property; remote-tls-port |
- | | | |
- | | | Listen for encrypted remote connections |
- | | | on this port. |
- +----------------------+-----------+------------------------------------------------------+
- | remote-clear-port | | .. index:: |
- | | | single: remote-clear-port |
- | | | single: CIB property; remote-clear-port |
- | | | |
- | | | Listen for plaintext remote connections |
- | | | on this port. |
- +----------------------+-----------+------------------------------------------------------+
+``epoch``). Encrypted communication is keyless, which makes it subject to
+man-in-the-middle attacks, and thus either option should be used only on
+protected networks.
.. important::