
Oracle® Solaris Cluster Geographic Edition Data Replication Guide for ZFS Snapshots

Updated: February 2017

Use Case: Setting Up Replication User and SSH

The Oracle Solaris ZFS snapshot replication uses SSH authentication to transfer ZFS snapshot streams to the remote replication target host and to execute commands on the remote host. The replication user on each cluster node must be able to log in through SSH to each remote cluster node as the remote cluster's replication user. Therefore, you must set up SSH authentication for the replication users to enable communication between the local and remote clusters. You must use the remote logical hostname as the SSH target.

You must set up the SSH authentication before creating the protection group for Oracle Solaris ZFS snapshot replication. This example uses UNIX users and groups. The UNIX user zfsuser1 is the replication user on the paris cluster. The UNIX user zfsuser2 is the replication user on the newyork cluster. This example describes how to set up the SSH configuration between the two replication users on the partner clusters. The host keys are stored in the .ssh/known_hosts file in the user's home directory. The SSH keys are generated and stored in the .ssh directory in the user's home directory. The authorized public keys are stored in the .ssh/authorized_keys file in the user's home directory. This example uses the default SSH private key file on paris, and a non-default file on newyork.

The replication user and the SSH setup are all created in the global zones of the partner clusters, even if a partner cluster is a zone cluster. All the commands shown below must be executed in the global zone of the partner clusters, as mentioned in the steps.

This procedure describes the steps to set up SSH for replication between the paris and newyork partner clusters. All the commands must be executed in the global zone of the partner clusters.

  1. Assume the root role in the global zone on both the nodes in the primary cluster paris.

  2. Type the following commands in the global zone on both the nodes in the primary cluster paris to create the replication user zfsuser1.

    # groupadd -g 101 user1grp
    # useradd -u 1234 -g 101 -d /export/home/zfsuser1 zfsuser1
    # mkdir /export/home/zfsuser1
    # chown zfsuser1 /export/home/zfsuser1
    # chgrp user1grp /export/home/zfsuser1
    # passwd zfsuser1
  3. Log in as the replication user zfsuser1 in the global zone on both the nodes of the primary cluster.

  4. Create SSH keys in the global zone on both the nodes in the primary cluster paris.

    $ mkdir ~/.ssh
    $ ssh-keygen -t rsa

    Assume that the default file used by ssh-keygen to store the key is ~/.ssh/id_rsa. Ensure that you specify the same passphrase to protect the private key in the global zone on both the nodes.

  5. Assume the root role in the global zone on both the nodes in the secondary cluster newyork.

  6. Create the replication user zfsuser2 in the global zone on both the nodes in the secondary cluster newyork.

    # groupadd -g 102 user2grp
    # useradd -u 5678 -g 102 -d /export/home/zfsuser2 zfsuser2
    # mkdir /export/home/zfsuser2
    # chown zfsuser2 /export/home/zfsuser2
    # chgrp user2grp /export/home/zfsuser2
    # passwd zfsuser2
  7. Log in as the replication user zfsuser2 in the global zone on both the nodes of the secondary cluster.

  8. Create SSH keys in a non-default file ~/.ssh/zfsrep1 on both the nodes in the secondary cluster newyork.

    $ mkdir ~/.ssh
    $ ssh-keygen -t rsa -f ~/.ssh/zfsrep1

    Ensure that you specify the same passphrase to protect the private key in the global zone on both the nodes.

  9. Copy the SSH public key of the replication user from the global zone of each node of the primary cluster to the global zone of each node of the secondary cluster, and vice versa. Use the users' passwords to authenticate when using scp.

    • Copy the SSH public key from the global zone of the primary cluster node paris-node-1 to the global zone of the secondary cluster node newyork-node-1. Type the following command as zfsuser1 in the global zone of paris-node-1:

      $ scp ~/.ssh/id_rsa.pub zfsuser2@global-zone-of-newyork-node-1:~/.ssh/paris-node-1

      Type the following commands as zfsuser2 in the global zone of newyork-node-1:

      $ cat ~/.ssh/paris-node-1 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/paris-node-1
    • Copy the SSH public key from the global zone of the primary cluster node paris-node-2 to the global zone of the secondary cluster node newyork-node-1. Type the following commands as zfsuser1 in the global zone of paris-node-2:

      $ scp ~/.ssh/id_rsa.pub zfsuser2@global-zone-of-newyork-node-1:~/.ssh/paris-node-2

      Type the following commands as zfsuser2 in the global zone of newyork-node-1:

      $ cat ~/.ssh/paris-node-2 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/paris-node-2
    • Copy the SSH public key from the global zone of the primary cluster node paris-node-1 to the global zone of the secondary cluster node newyork-node-2. Type the following command as zfsuser1 in the global zone of paris-node-1:

      $ scp ~/.ssh/id_rsa.pub zfsuser2@global-zone-of-newyork-node-2:~/.ssh/paris-node-1

      Type the following commands as zfsuser2 in the global zone of newyork-node-2:

      $ cat ~/.ssh/paris-node-1 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/paris-node-1
    • Copy the SSH public key from the global zone of the primary cluster node paris-node-2 to the global zone of the secondary cluster node newyork-node-2. Type the following commands as zfsuser1 in the global zone of paris-node-2:

      $ scp ~/.ssh/id_rsa.pub zfsuser2@global-zone-of-newyork-node-2:~/.ssh/paris-node-2

      Type the following commands as zfsuser2 in the global zone of newyork-node-2:

      $ cat ~/.ssh/paris-node-2 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/paris-node-2
    • Copy the SSH public key from the global zone of the secondary cluster node newyork-node-1 to the global zone of the primary cluster node paris-node-1. Type the following commands as zfsuser2 in the global zone of newyork-node-1:

      $ scp ~/.ssh/zfsrep1.pub zfsuser1@global-zone-of-paris-node-1:~/.ssh/newyork-node-1

      Type the following command as zfsuser1 in the global zone of paris-node-1:

      $ cat ~/.ssh/newyork-node-1 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/newyork-node-1
    • Copy the SSH public key from the global zone of the secondary cluster node newyork-node-2 to the global zone of the primary cluster node paris-node-1. Type the following commands as zfsuser2 in the global zone of newyork-node-2:

      $ scp ~/.ssh/zfsrep1.pub zfsuser1@global-zone-of-paris-node-1:~/.ssh/newyork-node-2

      Type the following commands as zfsuser1 in the global zone of paris-node-1:

      $ cat ~/.ssh/newyork-node-2 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/newyork-node-2
    • Copy the SSH public key from the global zone of the secondary cluster node newyork-node-1 to the global zone of the primary cluster node paris-node-2. Type the following commands as zfsuser2 in the global zone of newyork-node-1:

      $ scp ~/.ssh/zfsrep1.pub zfsuser1@global-zone-of-paris-node-2:~/.ssh/newyork-node-1

      Type the following command as zfsuser1 in the global zone of paris-node-2:

      $ cat ~/.ssh/newyork-node-1 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/newyork-node-1
    • Copy the SSH public key from the global zone of the secondary cluster node newyork-node-2 to the global zone of the primary cluster node paris-node-2. Type the following commands as zfsuser2 in the global zone of newyork-node-2:

      $ scp ~/.ssh/zfsrep1.pub zfsuser1@global-zone-of-paris-node-2:~/.ssh/newyork-node-2

      Type the following commands as zfsuser1 in the global zone of paris-node-2:

      $ cat ~/.ssh/newyork-node-2 >>~/.ssh/authorized_keys
      $ rm ~/.ssh/newyork-node-2
  10. Add the entries for paris-lh in the /etc/hosts file in the global zone on all nodes of the primary and secondary cluster. Similarly, add the entries for newyork-lh in the /etc/hosts file in the global zone on all nodes of the primary and secondary cluster.

  11. Each replication user's .ssh/known_hosts file requires multiple entries for the remote cluster's replication logical hostname: one logical hostname entry carrying the host key of each remote cluster node. Because SSH uses the logical hostname as the target, the entries for the remote cluster's logical hostname must be added on each node of the local cluster. Assume that the IP address for the logical hostname paris-lh is 172.16.2.75. Assume that the IP address for the logical hostname newyork-lh is 192.168.15.125. Perform the following steps to add the logical hostname key entries to the known_hosts SSH file:

    1. Log in to the global zone on each node of paris as the zfsuser1 user and edit the ~/.ssh/known_hosts file in the home directory. Duplicate each entry for the global zone of a newyork cluster node, and in each duplicate replace the host field with newyork-lh,192.168.15.125.

      The known_hosts file for the replication user zfsuser1 on each node paris-node-M must contain the following entries:

      $ cat ~/.ssh/known_hosts
      global-zone-of-newyork-node-1,global-zone-IP-of-newyork-node-1 ssh-rsa  big key for global zone of newyork-node-1 
      newyork-lh,192.168.15.125 ssh-rsa same big key for global zone of newyork-node-1 
      global-zone-of-newyork-node-2,global-zone-IP-of-newyork-node-2 ssh-rsa  big key for global zone of newyork-node-2 
      newyork-lh,192.168.15.125 ssh-rsa same big key for global zone of newyork-node-2
    2. Log in to the global zone on each node of newyork as the zfsuser2 user and edit the .ssh/known_hosts file in the home directory. Duplicate each entry for the global zone of a paris cluster node, and in each duplicate replace the host field with paris-lh,172.16.2.75.

      $ cat ~/.ssh/known_hosts
      global-zone-of-paris-node-1,global-zone-IP-of-paris-node-1 ssh-rsa big key for global zone of paris-node-1 
      paris-lh,172.16.2.75 ssh-rsa same big key for global zone of paris-node-1 
      global-zone-of-paris-node-2,global-zone-IP-of-paris-node-2 ssh-rsa big key for global zone of paris-node-2 
      paris-lh,172.16.2.75 ssh-rsa same big key for global zone of paris-node-2

      The replication feature requires that the entries for the replication logical hostname be present in the known_hosts file that SSH uses. Replication does not require the entries for the cluster node names in that file, so you can remove those entries after completing the preceding actions.
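The known_hosts edit in step 11, and the condition that the SSH tests in step 12 depend on, can be scripted. The following POSIX shell script is an added example; it is not part of the Oracle guide or of the Geographic Edition software. It assumes plain (unhashed) known_hosts lines of the form shown above, and the sample known_hosts contents it writes are constructed. add_lh_entries appends, for each named remote node, a copy of that node's host-key line with the host field replaced by the logical hostname and IP address; verify_lh_entries checks that every host key recorded for a remote node is also recorded under the logical hostname, so that ssh accepts whichever node currently hosts it.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): maintain the logical-hostname
# entries that step 11 adds to ~/.ssh/known_hosts, and check them.
# Assumes plain (unhashed) known_hosts lines: "host[,host...] keytype key [comment]".
# Hashed lines (HashKnownHosts yes, starting with "|1|") cannot be matched by
# name and are left untouched.

# add_lh_entries KNOWN_HOSTS LH_NAME LH_IP NODE_HOST...
# For each NODE_HOST, append a copy of every line whose host field names that
# node, with the host field rewritten to "LH_NAME,LH_IP", so the same host key
# is accepted when ssh connects to the logical hostname.
add_lh_entries() {
    kh=$1; lh=$2; ip=$3; shift 3
    tmp="$kh.lh.$$"
    : > "$tmp"
    for node in "$@"; do
        awk -v node="$node" -v lh="$lh" -v ip="$ip" '
            $1 ~ /^[#@|]/ || NF < 3 { next }      # comments, markers, hashed lines
            {
                n = split($1, names, ",")
                for (i = 1; i <= n; i++)
                    if (names[i] == node) { $1 = lh "," ip; print; break }
            }' "$kh" >> "$tmp"
    done
    cat "$tmp" >> "$kh" && rm -f "$tmp"
}

# verify_lh_entries KNOWN_HOSTS LH_NAME NODE_HOST...
# Succeeds only if, for every NODE_HOST, each host key recorded for that node
# is also recorded under LH_NAME. Reports the first node that fails.
verify_lh_entries() {
    kh=$1; lh=$2; shift 2
    for node in "$@"; do
        awk -v node="$node" -v lh="$lh" '
            $1 ~ /^[#@|]/ || NF < 3 { next }
            {
                n = split($1, names, ",")
                for (i = 1; i <= n; i++) {
                    if (names[i] == node) { nodekey[$2 " " $3] = 1; nn++ }
                    if (names[i] == lh)   lhkey[$2 " " $3] = 1
                }
            }
            END {
                if (nn == 0) exit 1                     # node not in the file at all
                for (k in nodekey) if (!(k in lhkey)) exit 1
                exit 0
            }' "$kh" || { echo "known_hosts: no $lh entry carrying the host key of $node" >&2; return 1; }
    done
    return 0
}

# write_sample_known_hosts FILE: constructed sample data for a self-contained run
# (the key strings are placeholders, not real host keys).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample: two newyork nodes and one unrelated host
global-zone-of-newyork-node-1,10.0.0.11 ssh-rsa AAAAB3-constructed-key-node-1
global-zone-of-newyork-node-2,10.0.0.12 ssh-rsa AAAAB3-constructed-key-node-2
backup-host.example,10.0.0.50 ssh-ed25519 AAAAC3-constructed-key-backup
EOF
}

# Stand-alone demonstration on the constructed sample: run as "sh script.sh demo".
demo() {
    f="${TMPDIR:-/tmp}/known_hosts.demo.$$"
    write_sample_known_hosts "$f"
    if verify_lh_entries "$f" newyork-lh global-zone-of-newyork-node-1 \
            global-zone-of-newyork-node-2 2>/dev/null; then
        echo "unexpected: logical hostname entries already present"
    fi
    add_lh_entries "$f" newyork-lh 192.168.15.125 \
        global-zone-of-newyork-node-1 global-zone-of-newyork-node-2
    if verify_lh_entries "$f" newyork-lh global-zone-of-newyork-node-1 \
            global-zone-of-newyork-node-2; then
        echo "ok: $f carries a newyork-lh entry for each node's host key"
    fi
    cat "$f"
    rm -f "$f"
}
if [ "${1:-}" = demo ]; then demo; fi
```

As zfsuser1 on each paris node the real call is `add_lh_entries ~/.ssh/known_hosts newyork-lh 192.168.15.125 global-zone-of-newyork-node-1 global-zone-of-newyork-node-2`, and `ssh-keygen -F newyork-lh -f ~/.ssh/known_hosts` then lists exactly the lines ssh will consult when the step 12 tests connect to newyork-lh. One further point for those tests: on newyork the private key lives in the non-default file ~/.ssh/zfsrep1, so the `ssh zfsuser1@paris-lh` check finds it only if ssh is told where it is (`ssh -i ~/.ssh/zfsrep1`, an IdentityFile directive in ~/.ssh/config, or the key loaded into ssh-agent).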

  12. Verify whether the replication user in the global zone on each cluster node of one partner cluster can connect using SSH to the replication-related logical hostname in the global zone on each node of the other partner cluster as the remote cluster's replication user. You can perform the following actions to verify that the SSH connection from global zone of paris to global zone of newyork is working correctly:

      Perform the following steps to check the SSH connection from paris to newyork.

    1. Create a logical hostname resource group and resource to host newyork-lh in the global zone of the secondary cluster newyork and bring it online. Type the following commands from the global zone of any one node of newyork cluster:

      # /usr/cluster/bin/clrt register SUNW.LogicalHostname
      # /usr/cluster/bin/clrg create repl-lh-rg
      # /usr/cluster/bin/clrslh create -g repl-lh-rg \
      -h newyork-lh repl-lh-rs
      # /usr/cluster/bin/clrg online -eM repl-lh-rg
    2. Verify whether the SSH connection works from the global zone of each node of paris cluster to the logical hostname hosted on the global zone of newyork-node-1.

      1. Type the following command in the global zone of any one node of the newyork cluster to switch the logical hostname to the global zone of newyork-node-1.

        # clrg switch -n global-zone-of-newyork-node-1 repl-lh-rg
      2. Type the following command to check that zfsuser1 in the global zone of paris-node-1 can SSH as zfsuser2 to the global zone of newyork-node-1 where newyork-lh is hosted currently.

        $ ssh zfsuser2@newyork-lh

        When prompted, enter the passphrase to connect to the remote system.

      3. Type the following command to check that zfsuser1 in the global zone of paris-node-2 can SSH as zfsuser2 to the global zone of newyork-node-1 where newyork-lh is hosted currently.

        $ ssh zfsuser2@newyork-lh

        When prompted, enter the passphrase to connect to the remote system.

    3. Verify whether the SSH connection works from the global zone of each node of paris cluster to the logical hostname hosted on the global zone of newyork-node-2.

      1. Type the following command in the global zone of any one node of the newyork cluster to switch the logical hostname to the global zone of newyork-node-2.

        # clrg switch -n global-zone-of-newyork-node-2 repl-lh-rg
      2. Type the following command to check that zfsuser1 in the global zone of paris-node-1 can SSH as zfsuser2 to the global zone of newyork-node-2 where newyork-lh is hosted currently.

        $ ssh zfsuser2@newyork-lh

        When prompted, enter the passphrase to connect to the remote system.

      3. Type the following command to check that zfsuser1 in the global zone of paris-node-2 can SSH as zfsuser2 to the global zone of newyork-node-2 where newyork-lh is hosted currently.

        $ ssh zfsuser2@newyork-lh

        When prompted, enter the passphrase to connect to the remote system.

    4. Remove the logical hostname test setup from the secondary cluster. Type the following commands from the global zone of any one node of newyork cluster.

      # /usr/cluster/bin/clrg offline repl-lh-rg
      # /usr/cluster/bin/clrs disable repl-lh-rs
      # /usr/cluster/bin/clrs delete repl-lh-rs
      # /usr/cluster/bin/clrg delete repl-lh-rg

      Perform the following steps to check the SSH connection from newyork to paris.

    1. Create a logical hostname resource group and resource to host paris-lh in the global zone of the primary cluster paris and bring it online. Type the following commands from the global zone of any one node of the paris cluster.

      # /usr/cluster/bin/clrt register SUNW.LogicalHostname
      # /usr/cluster/bin/clrg create repl-lh-rg
      # /usr/cluster/bin/clrslh create -g repl-lh-rg \
      -h paris-lh repl-lh-rs
      # /usr/cluster/bin/clrg online -eM repl-lh-rg
    2. Verify whether the SSH connection works from the global zone of each node of newyork cluster to the logical hostname hosted on the global zone of paris-node-1.

      1. Type the following command in the global zone of any one node of the paris cluster to switch the logical hostname to the global zone of paris-node-1.

        # clrg switch -n global-zone-of-paris-node-1 repl-lh-rg
      2. Type the following command to check that zfsuser2 in the global zone of newyork-node-1 can SSH as zfsuser1 to the global zone of paris-node-1 where paris-lh is hosted currently.

        $ ssh zfsuser1@paris-lh

        When prompted, enter the passphrase to connect to the remote system.

      3. Type the following command to check that zfsuser2 in the global zone of newyork-node-2 can SSH as zfsuser1 to the global zone of paris-node-1 where paris-lh is hosted currently.

        $ ssh zfsuser1@paris-lh

        When prompted, enter the passphrase to connect to the remote system.

    3. Verify whether the SSH connection works from the global zone of each node of newyork cluster to the logical hostname hosted on the global zone of paris-node-2.

      1. Type the following command in the global zone of any one node of the paris cluster to switch the logical hostname to the global zone of paris-node-2.

        # clrg switch -n global-zone-of-paris-node-2 repl-lh-rg
      2. Type the following command to check that zfsuser2 in the global zone of newyork-node-1 can SSH as zfsuser1 to the global zone of paris-node-2 where paris-lh is hosted currently.

        $ ssh zfsuser1@paris-lh

        When prompted, enter the passphrase to connect to the remote system.

      3. Type the following command to check that zfsuser2 in the global zone of newyork-node-2 can SSH as zfsuser1 to the global zone of paris-node-2 where paris-lh is hosted currently.

        $ ssh zfsuser1@paris-lh

        When prompted, enter the passphrase to connect to the remote system.

    4. Remove the logical hostname test setup from the primary cluster. Type the following commands from the global zone of any one node of paris cluster.

      # /usr/cluster/bin/clrg offline repl-lh-rg
      # /usr/cluster/bin/clrs disable repl-lh-rs
      # /usr/cluster/bin/clrs delete repl-lh-rs
      # /usr/cluster/bin/clrg delete repl-lh-rg