fence_azure_arm agent requires the powerOff permission
This document (000019730) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server in Microsoft Azure Cloud
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server in Microsoft Azure Cloud
Situation
After updating to fence-agents-4.4.0, the fence_azure_arm agent requires the powerOff permission in Azure Compute instead of the deallocate permission.
This can result in a failed fence operation if the Azure service principal that a fence_azure_arm resource is configured to use does not have a permission to perform the powerOff action.
This can result in a failed fence operation if the Azure service principal that a fence_azure_arm resource is configured to use does not have a permission to perform the powerOff action.
Resolution
The Azure service principal that a fence_azure_arm resource is configured to use
needs to be adjusted to have the following permission:
needs to be adjusted to have the following permission:
``` Microsoft.Compute/virtualMachines/powerOff/action ```The deallocate permission is no longer needed by the fence_azure_arm agent.
Cause
The fence_azure_arm resource agent was improved in fence-agents-4.4.0 to use the forced powerOff operation to fence a node in Azure Compute instead of using the deallocate operation.
Additional Information
SLES12-SP4 first shipped with fence-agents-4.2.1+git.1537269352.7b1fd536-1.7 and the current MU is fence-agents-4.4.0+git.1558595666.5f79f9e9-3.14.1.
The former package implements the off action using the deallocate operation, while the latter uses the powerOff operation. Specifically, the change occurred in package version fence-agents-4.4.0+git.1558595666.5f79f9e9-3.5.1.
This means that when updating from previous SLES 12 versions, to SLES12-SP4 using fence-agents-4.4.0, the user also needs to *manually* update the Linux Fence Agent Role in Azure that they use with the fence_azure_arm agent. As such, the deallocate permission needs to be changed to powerOff.
For more details, see also :
[1] https://github.com/ClusterLabs/fence-agents/commit/5dbf45e6ef73e2e0e2385ada8e82693d5c8c3a64#diff-0ed12d9d0ef3ad74c9cff3663f146f97R55
[2] https://github.com/ClusterLabs/fence-agents/commit/ab0fffafb95dea5b24e756d9e76c7af0510bb4a6#diff-0ed12d9d0ef3ad74c9cff3663f146f97L58
[3] https://github.com/ClusterLabs/fence-agents/commit/1b3e548fcc0bd427dade178fa260567047ff3a0e#diff-2152d0c15318269250a880f328fe5402L117
[4] https://github.com/Azure/azure-sdk-for-python/blob/2f3e214f5c9344d3e0842b1d7435ccd006ceda0b/azure-mgmt-compute/azure/mgmt/compute/v2018_10_01/operations/virtual_machines_operations.py#L1093
[5] https://github.com/Azure/azure-sdk-for-python/blob/2f3e214f5c9344d3e0842b1d7435ccd006ceda0b/azure-mgmt-compute/azure/mgmt/compute/v2019_03_01/operations/virtual_machines_operations.py#L1095
[6] https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/high-availability-guide-suse-pacemaker
The former package implements the off action using the deallocate operation, while the latter uses the powerOff operation. Specifically, the change occurred in package version fence-agents-4.4.0+git.1558595666.5f79f9e9-3.5.1.
This means that when updating from previous SLES 12 versions, to SLES12-SP4 using fence-agents-4.4.0, the user also needs to *manually* update the Linux Fence Agent Role in Azure that they use with the fence_azure_arm agent. As such, the deallocate permission needs to be changed to powerOff.
For more details, see also :
[1] https://github.com/ClusterLabs/fence-agents/commit/5dbf45e6ef73e2e0e2385ada8e82693d5c8c3a64#diff-0ed12d9d0ef3ad74c9cff3663f146f97R55
[2] https://github.com/ClusterLabs/fence-agents/commit/ab0fffafb95dea5b24e756d9e76c7af0510bb4a6#diff-0ed12d9d0ef3ad74c9cff3663f146f97L58
[3] https://github.com/ClusterLabs/fence-agents/commit/1b3e548fcc0bd427dade178fa260567047ff3a0e#diff-2152d0c15318269250a880f328fe5402L117
[4] https://github.com/Azure/azure-sdk-for-python/blob/2f3e214f5c9344d3e0842b1d7435ccd006ceda0b/azure-mgmt-compute/azure/mgmt/compute/v2018_10_01/operations/virtual_machines_operations.py#L1093
[5] https://github.com/Azure/azure-sdk-for-python/blob/2f3e214f5c9344d3e0842b1d7435ccd006ceda0b/azure-mgmt-compute/azure/mgmt/compute/v2019_03_01/operations/virtual_machines_operations.py#L1095
[6] https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/high-availability-guide-suse-pacemaker
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000019730
- Creation Date: 09-Oct-2020
- Modified Date:12-Oct-2020
-
- SUSE Linux Enterprise High Availability Extension
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
