fence_azure_arm agent requires the powerOff permission

This document (000019730) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server in Microsoft Azure Cloud

Situation

After updating to fence-agents-4.4.0, the fence_azure_arm agent requires the powerOff permission in Azure Compute instead of the deallocate permission.

This can result in a failed fence operation if the Azure service principal that a fence_azure_arm resource is configured to use does not have a permission to perform the powerOff action.

Resolution

The Azure service principal that a fence_azure_arm resource is configured to use
needs to be adjusted to have the following permission:
```
Microsoft.Compute/virtualMachines/powerOff/action
```
The deallocate permission is no longer needed by the fence_azure_arm agent.

Cause

The fence_azure_arm resource agent was improved in fence-agents-4.4.0 to use the forced powerOff operation to fence a node in Azure Compute instead of using the deallocate operation.

Additional Information

SLES12-SP4 first shipped with fence-agents-4.2.1+git.1537269352.7b1fd536-1.7 and the current MU is fence-agents-4.4.0+git.1558595666.5f79f9e9-3.14.1. 

The former package implements the off action using the deallocate operation, while the latter uses the powerOff operation. Specifically, the change occurred in package version fence-agents-4.4.0+git.1558595666.5f79f9e9-3.5.1.

This means that when updating from previous SLES 12 versions, to SLES12-SP4 using fence-agents-4.4.0, the user also needs to *manually* update the Linux Fence Agent Role in Azure that they use with the fence_azure_arm agent. As such, the deallocate permission needs to be changed to powerOff.

For more details, see also :

[1] https://github.com/ClusterLabs/fence-agents/commit/5dbf45e6ef73e2e0e2385ada8e82693d5c8c3a64#diff-0ed12d9d0ef3ad74c9cff3663f146f97R55
[2] https://github.com/ClusterLabs/fence-agents/commit/ab0fffafb95dea5b24e756d9e76c7af0510bb4a6#diff-0ed12d9d0ef3ad74c9cff3663f146f97L58
[3] https://github.com/ClusterLabs/fence-agents/commit/1b3e548fcc0bd427dade178fa260567047ff3a0e#diff-2152d0c15318269250a880f328fe5402L117
[4] https://github.com/Azure/azure-sdk-for-python/blob/2f3e214f5c9344d3e0842b1d7435ccd006ceda0b/azure-mgmt-compute/azure/mgmt/compute/v2018_10_01/operations/virtual_machines_operations.py#L1093
[5] https://github.com/Azure/azure-sdk-for-python/blob/2f3e214f5c9344d3e0842b1d7435ccd006ceda0b/azure-mgmt-compute/azure/mgmt/compute/v2019_03_01/operations/virtual_machines_operations.py#L1095
[6] https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/high-availability-guide-suse-pacemaker

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000019730
  • Creation Date: 09-Oct-2020
  • Modified Date:12-Oct-2020
    • SUSE Linux Enterprise High Availability Extension
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center