EC2 Instance Configuration
Amazon EC2 instance settings can be applied using Infrastructure as Code or manually using AWS Command Line Interface or AWS Console. We recommend Infrastructure as Code automation to reduce manual steps, and ensure consistency.
Topics
Important
The following configurations must be performed on all cluster nodes. Ensure consistency across nodes to prevent cluster issues.
Assign or Review Pacemaker IAM Role
The two cluster resource IAM policies must be assigned to an IAM role associated with your Amazon EC2 instance. If an IAM role is not associated to your instance, create a new IAM role for cluster operations.
-
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
Select one of your cluster nodes.
-
In the navigation pane, choose Actions → Security → Modify IAM role.
-
Choose the IAM role that contains the policies created in Create IAM Roles and Policies for Pacemaker.
-
Choose Update IAM role.
-
Repeat these steps for all nodes in the cluster.
Assign or Review Security Groups
The security group rules created in the AWS Modify Security Groups for Cluster Communication section must be assigned to your Amazon EC2 instances. If a security group is not associated with your instance, or if the required rules are not present in the assigned security group, add the security group or update the rules.
-
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
. -
Select one of your cluster nodes.
-
In the Security tab, review the security groups, ports, and source of traffic.
-
If required, choose Actions → Security → Change security groups.
-
Under Associated security groups, search for and select the required groups.
-
Choose Save.
-
Repeat these steps for all nodes in the cluster.
You can verify the security group rules on your instances using the AWS CLI:
$ aws ec2 describe-instance-attribute --instance-id <instance_id> --attribute groupSet
Assign Secondary IP Addresses
Secondary IP addresses are used to create a redundant communication channel (secondary ring) in corosync for clusters. The cluster nodes can use the secondary ring to communicate in case of underlying network disruptions.
These IPs are only used in cluster configurations. The secondary IPs provide the same fault tolerance as a secondary Elastic Network Interface (ENI). For more information, see Secondary IP addresses for your EC2 Instance.
You can verify the secondary IP configuration on your instances using the AWS CLI:
$ aws ec2 describe-instances --instance-id <instance_id> \ --query 'Reservations[*].Instances[*].NetworkInterfaces[*].PrivateIpAddresses[*].PrivateIpAddress' \ --output text
Verify that:
-
Each instance returns two IP addresses from the same subnet
-
The primary network interface (eth0) has both IPs assigned
-
The secondary IPs will be used later for ring0_addr and ring1_addr in corosync.conf
Disable Source/Destination Check
Amazon EC2 instances perform source/destination checks by default, requiring that an instance is either the source or the destination of any traffic it sends or receives. In the pacemaker cluster, source/destination check must be disabled on both instances receiving traffic from the Overlay IP.
The following AWS Console or AWS CLI commands can be used to modify the attribute.
To confirm the value of an attribute for a particular instance, use the following command. The value false means source/destination checking is disabled
$ aws ec2 describe-instance-attribute --instance-id <instance_id> --attribute sourceDestCheck
The output
{ "InstanceId": "i-xxxxinstidforhost1", "SourceDestCheck": { "Value": false } }
Review Stop Protection
To ensure that STONITH actions can be executed, you must ensure that stop protection is disabled for Amazon EC2 instances that are part of a pacemaker cluster. If the default settings have been modified, use the following commands for both instances to disable stop protection via AWS CLI.
The following AWS Console or CLI commands can be used to modify the attribute.
To confirm the value of an attribute for a particular instance, use the following command. The value false means it is possible to stop the instance using an AWS CLI.
$ aws ec2 describe-instance-attribute --instance-id <instance_id> --attribute disableApiStop
The output
{ "InstanceId": "i-xxxxinstidforhost1", "DisableApiStop": { "Value": false } }
Review Automatic Recovery
After a failure, cluster-controlled operations must be resumed in a coordinated way. This helps ensure that the cause of failure is known and addressed, and the status of the cluster is as expected. For example, verifying that there are no pending fencing actions.
The following AWS Console or CLI commands can be used to modify the attribute.
To confirm the value of an attribute for a particular instance, use the following command. The value disabled means autorecovery will not be attempted.
$ aws ec2 describe-instances --instance-ids <instance_id> --query 'Reservations[*].Instances[*].MaintenanceOptions.AutoRecovery'
The output:
[ [ "disabled" ] ]
Create Amazon EC2 Resource Tags Used by Amazon EC2 STONITH Agent
Amazon EC2 STONITH agent uses AWS resource tags to identify Amazon EC2 instances. Create tag for the primary and secondary Amazon EC2 instances via AWS Console or AWS CLI. For more information, see Using Tags.
Use the same tag key and the local hostname returned using the command hostname across instances. For example, a configuration with the values defined in Global AWS parameters would require the tags shown in the following table.
| Amazon EC2 | Key example | Value example |
|---|---|---|
|
<instance_id> |
<cluster_tag> |
<hostname> |
|
Instance 1 |
pacemaker |
hanahost1 |
|
Instance 2 |
pacemaker |
hanahost2 |
You can run the following command locally to validate the tag values and IAM permissions to describe the tags. Run this command on all instances in the cluster, for all instances in the cluster.
$ aws ec2 describe-tags --filters "Name=resource-id,Values=<instance_id>" "Name=key,Values=<cluster_tag>" --region=<region> --output=text | cut -f5
