Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
Disable the LDT GuardPoint with Pacemaker setup:
-
Stop the SQL server, type:
# sudo systemctl stop mssql-server
-
Delete the existing resource constraints from LDT and the colocation from the Pacemaker setup.
Example
A. If it exists, get the ID of the PCS constraint co-location. In the example below the, ID is:
co-location_set_msmsmt
# sudo pcs constraint show --full . . . Resource Sets: set mssql_fs mssql_gpfs mssql_gpldt sequential=false (id:co-location_set_msmsmt_set) setoptions score=INFINITY (id:co-location_set_msmsmt)
B. Remove the PCS constraint co-location and PCS resource, type:
# sudo pcs constraint remove co-location_set_msmsmt # sudo pcs resource delete mssql-ldtmgp
Expected Result: Current LDT GuardPoint status should be now be:
unguarded
.Example
# secfsd -status guard
Response
GuardPoint Policy Type ConfigState Status Reason ---------- ------ ---- ----------- ------ ------ /var/opt/mssql/LDT LDT_clear_to_CS1_aes256_onhost manual unguarded not guarded Inactive
-
Disable the LDT GuardPoint from the Cluster Host Group in CipherTrust Manager.
Expected Result: The LDT GuardPoint should no longer be displayed when
secfsd -status guard
is executed.
Perform CTE maintenance
Now you can perform CipherTrust Transparent Encryption maintenance tasks that require stopping secfs such as:
-
Stop CipherTrust Transparent Encryption
-
Upgrade CipherTrust Transparent Encryption
-
Uninstall CipherTrust Transparent Encryption
-
Create a new baseline database for LDT on the same LDT &{gp}
See CTE Agent for Linux Advanced Configuration for more information.
Before creating a new baseline database for CTE-LDT: Ensure that your target LDT GuardPoint path does not have an ldt xattr
value on it so that the directory can trigger the initial rekey at the start of guarding. If it does have an ldt xattr
value from a previous setup, then use the command voradmin ldt xattr delete <LDT GuardPoint>
to remove the old xattr value.
Re-Enable LDT GuardPoint with Pacemaker Setup
-
Re-enable the LDT GuardPoint from the Cluster Host Group in CipherTrust Manager. Wait until the GuardPoint is visible again and in the
unguarded
state before moving to the next step below.Example
# secfsd -status guard
Response
GuardPoint Policy Type ConfigState Status Reason ---------- ------ ---- ----------- ------ ------ /var/opt/mssql/LDT LDT_clear_to_CS1_aes256_onhost manual unguarded not guarded Inactive
-
Add the resource
mssql-ldtmgp
back into the Pacemaker setting and verify that it has started:Example
# sudo pcs resource create mssql-ldtmgp ocf:heartbeat:mgp mgpdir=/var/opt/mssql/LDT --group Apache_Grp-fs
The LDT GuardPoint should now be automatically active again in Pacemaker.
# secfsd -status guard
Response
GuardPoint Policy Type ConfigState Status Reason ---------- ------ ---- ----------- ------ ------ /var/opt/mssql/LDT LDT_clear_to_CS1_aes256_onhost manual guarded guarded N/A
-
Start SQL server, type:
# sudo systemctl start mssql-server
-
Add the LDT resource constraints and co-location back into the Pacemaker setting.
Example
A. Add failover resource constraints back:
# sudo pcs constraint order start mssql_gpldt then start mssql-ldtmgp # sudo pcs constraint order stop mssql-ldtmgp then stop mssql_gpldt
B. If constraint co-location was used, add it back:
# sudo pcs constraint co-location set mssql_fs mssql_gpfs mssql_gpldt sequential=false
-
Restart Pacemaker so that it can pick up the newly created resource configurations.
A. Stop SQL server, type:
# sudo systemctl stop mssql-server
B. Reboot Pacemaker, type:
# sudo systemctl restart pacemaker
C. Re-start SQL server, type:
# sudo systemctl start mssql-server