I previously blogged about how to create a STONITH resource for a pacemaker cluster in VMWare virtual machines.
Ok, I have a confession…you need to specify credentials when creating the resource to connect to vSphere, and the credentials I used had admin rights.
Not great…I shouldn’t have done that (yes yes, it’s a lab but still).
So, how can we create a user in vSphere that only has the required permissions that the STONITH resource needs (it needs to be able to power on/off the machines in the pacemaker cluster).
First thing to do is create a user in vSphere: –
Then we create a role that only has permissions to power on/off machines: –
Then we assign that role and user to the VMs in the cluster. Go to the virtual machine > permissions > add > select the user and the role we just created.
Now we can test!
sudo crm node fence <<SERVERNAME>>
We should now see the server reboot in vSphere…all is working!
To make sure that the user can only reboot the machines in the cluster, remove the user from one machine in the cluster and try the test again.
The machine should not reboot in vSphere and we should see a failed fencing action in the cluster: –
N.B. – in order to remove the failed notification run: –
stonith_admin --cleanup --history=<<SERVERNAME>>
Including that as trying to work that out drove me mad! 
OK, so that’s how to configure a user for a STONITH resource so we don’t have to use admin credentials.
Thanks for reading!