Blog Post

Running SAP Applications on the Microsoft Platform
10 MIN READ

SAP on Azure high availability – change from SPN to MSI for Pacemaker clusters using Azure fencing

RobertBiro's avatar
RobertBiro
Icon for Microsoft rankMicrosoft
Sep 06, 2022
For high availability architecture of SAP systems in Azure using Pacemaker, options exist on how to implement the fencing mechanism. For SuSE Enterprise Linux (SLES) only, SBD device(s) can be used f...
Updated Sep 23, 2022
Version 2.0
exodus-35's avatar
exodus-35
Copper Contributor
Dec 08, 2023

I added the Linux Fence Agent Role to the VM and fence_azure_arm command works from the command line.

Note that you do not need to add the subscription id or any other info from the command line.  So, when you add the Role to allow fencing in the VM, it simplifies the usage.  This is on a RHEL 9.3 OS image.

 

AZ_GRP_ID=`az group show -n ${MYGRP} --query id --output tsv 2>/dev/null`

VM_MSI_ID=`az vm identity show --name ${VM_HOSTNAME} -g ${MYGRP} --query 'principalId' --output tsv 2>/dev/null`

az role assignment create --role "Linux Fence Agent Role" --assignee-object-id "${VM_MSI_ID}" --scope ${AZ_GRP_ID}

 

[root@r9p2clazpn1 azureuser]# fence_azure_arm --resourceGroup MYGRP -msi -n r9p2clazpn1 -o list
r9p2clazpn1,
r9p2clazpn2,
[root@r9p2clazpn1 azureuser]# fence_azure_arm --resourceGroup MYGRP --msi -n r9p2clazpn2 -o list
r9p2clazpn1,
r9p2clazpn2,

[azureuser@r9p2clazpn1 ~]$ sudo pcs stonith config vmfence1
Resource: vmfence1 (class=stonith type=fence_azure_arm)
Attributes: vmfence1-instance_attributes
msi=true
pcmk_action_limit=3
pcmk_delay_max=15
pcmk_host_list=r9p2clazpn1
pcmk_host_map=r9p2clazpn1:
pcmk_monitor_retries=4
pcmk_monitor_timeout=120
pcmk_reboot_timeout=900
power_timeout=240
resourceGroup=MYGRP
Operations:
monitor: vmfence1-monitor-interval-3600
interval=3600

[azureuser@r9p2clazpn1 ~]$ sudo pcs status
Cluster name: r9p2clazp
Cluster Summary:
* Stack: corosync (Pacemaker is running)
* Current DC: r9p2clazpn1 (version 2.1.6-9.el9-6fdc9deea29) - partition with quorum
* Last updated: Fri Dec 8 07:06:59 2023 on r9p2clazpn1
* Last change: Fri Dec 8 07:04:55 2023 by root via cibadmin on r9p2clazpn1
* 2 nodes configured
* 13 resource instances configured

Node List:
* Online: [ r9p2clazpn1 r9p2clazpn2 ]

Full List of Resources:
* vmfence1 (stonith:fence_azure_arm): Started r9p2clazpn1
* vmfence2 (stonith:fence_azure_arm): Started r9p2clazpn2
* Clone Set: locking-clone [locking]:
* Started: [ r9p2clazpn1 r9p2clazpn2 ]
* Resource Group: mydisk:
* myvolLVM (ocf:heartbeat:LVM-activate): Started r9p2clazpn1
* myvolFS (ocf:heartbeat:Filesystem): Started r9p2clazpn1
* Resource Group: MYGRP:
* myvip (ocf:heartbeat:IPaddr2): Started r9p2clazpn1

Daemon Status:
corosync: active/enabled
pacemaker: active/enabled
pcsd: active/enabled

 

[azureuser@r9p2clazpn1 ~]$ rpm -qa|grep fence|sort
fence-agents-azure-arm-4.10.0-55.el9.x86_64
fence-agents-common-4.10.0-55.el9.noarch