DRBD + TLS on EL9 (9.4)

Simply, is DRBD with TLS supposed to work on EL9.4? Prior to EL9.4, the kernel did not have the support needed for tlshd. Tlshd appears to operate on the EL9.4 kernel however DRBD fails when attempting to bring up a resource.

Yes, it is supposed to work. We even provide backwards-compatibility for the handshake part, so you can use RHEL 9.3 or even 8.9.

Could you share your kernel logs (dmesg) from an attempt to connect with TLS enabled, and perhaps also the tlshd logs?

Logs don’t show much

dmesg:
[153912.621819] drbd data: Starting worker thread (from drbdsetup [717383])
[153912.627427] drbd data tcp:(efault): TLS not supported

tlshd:
DBG<4> lib/object.c:73 nl_object_alloc: Allocated new object 0x55afa9be9ee0
DBG<2> lib/msg.c:285 __nlmsg_alloc: msg 0x55afa9be9f60: Allocated new message, maxlen=4096
DBG<2> lib/msg.c:525 nlmsg_put: msg 0x55afa9be9f60: Added netlink header type=16, flags=0, pid=0, seq=0
DBG<2> lib/msg.c:432 nlmsg_reserve: msg 0x55afa9be9f60: Reserved 4 (4) bytes, pad=4, nlmsg_len=20
DBG<2> lib/genl/genl.c:361 genlmsg_put: msg 0x55afa9be9f60: Added generic netlink header cmd=3 version=1
DBG<2> lib/attr.c:478 nla_reserve: msg 0x55afa9be9f60: attr <0x55afa9be7814> 2: Reserved 16 (10) bytes at offset +4 nlmsg_len=36
DBG<2> lib/attr.c:515 nla_put: msg 0x55afa9be9f60: attr <0x55afa9be7814> 2: Wrote 10 bytes at offset +4
DBG<4> lib/nl.c:348 nl_sendmsg: sent 36 bytes
DBG<3> lib/nl.c:841 recvmsgs: Attempting to read from 0x55afa9be9e90
DBG<3> lib/nl.c:850 recvmsgs: recvmsgs(0x55afa9be9e90): Read 164 bytes
DBG<3> lib/nl.c:854 recvmsgs: recvmsgs(0x55afa9be9e90): Processing valid message…
DBG<2> lib/msg.c:285 __nlmsg_alloc: msg 0x55afa9be8900: Allocated new message, maxlen=164
DBG<4> lib/msg.c:572 nlmsg_free: Returned message reference 0x55afa9be8900, 0 remaining
DBG<2> lib/msg.c:580 nlmsg_free: msg 0x55afa9be8900: Freed
DBG<3> lib/nl.c:841 recvmsgs: Attempting to read from 0x55afa9be9e90
DBG<3> lib/nl.c:850 recvmsgs: recvmsgs(0x55afa9be9e90): Read 36 bytes
DBG<3> lib/nl.c:854 recvmsgs: recvmsgs(0x55afa9be9e90): Processing valid message…
DBG<2> lib/msg.c:285 __nlmsg_alloc: msg 0x55afa9be8b70: Allocated new message, maxlen=36
DBG<3> lib/nl.c:900 recvmsgs: recvmsgs(0x55afa9be9e90): Increased expected sequence number to -1715723819
DBG<4> lib/msg.c:572 nlmsg_free: Returned message reference 0x55afa9be8b70, 0 remaining
DBG<2> lib/msg.c:580 nlmsg_free: msg 0x55afa9be8b70: Freed
DBG<4> lib/msg.c:572 nlmsg_free: Returned message reference 0x55afa9be9f60, 0 remaining
DBG<2> lib/msg.c:580 nlmsg_free: msg 0x55afa9be9f60: Freed
DBG<4> lib/object.c:227 nl_object_put: Returned object reference 0x55afa9be9ee0, 0 remaining
DBG<4> lib/object.c:194 nl_object_free: Freed object 0x55afa9be9ee0
DBG<3> lib/nl.c:841 recvmsgs: Attempting to read from 0x55afa9be9e90

The tlshd log does not change/update during the drbdadm up command

Well, DRBD thinks TLS is not supported. What DRBD version are you using? It needs to be at least 9.2.6.

rpm -qa | grep drbd
selinux-policy-drbd-aux-1.0.0-1.el9.noarch
kmod-drbd9x-9.1.19-2.el9_4.elrepo.x86_64
drbd9x-utils-9.28.0-1.el9.elrepo.x86_64

drbdadm up data
data: Failure: (162) Invalid configuration request
additional info from kernel:
transport net_conf_change failed: -22
Command ‘drbdsetup new-peer data 1 --_name=web-el9-phx.localdomain --rcvbuf-size=2048k --sndbuf-size=1024k --max-buffers=36k --tls=yes --verify-alg=sha256 --fencing=resource-and-stonith --allow-two-primaries=yes --protocol=C’ terminated with exit code 10

I see the issue - I was misreading drbd vs drbd-utils. I need newer kernel modules.

How embarrassing for me.
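Added example (not from the thread, and not LINBIT's code): a small POSIX shell check that reads rpm -qa output and reports whether the installed kmod-drbd package meets the 9.2.6 minimum named above, deliberately ignoring the drbd-utils version that caused the confusion here. Function names, the "ok"/"too-old"/"missing" output, and the x.y.z version assumption are mine; the package names in the usage are the ones pasted above.

```shell
#!/bin/sh
# Minimum DRBD kernel-module version with TLS support, as stated in the thread.
DRBD_TLS_MIN="9.2.6"

# version_ge A B: succeed if dotted version A >= B.
# Assumption: both are numeric x.y.z (DRBD kmod versions are).
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# kmod_drbd_version PKG: print the module version from an rpm -qa style
# name such as kmod-drbd9x-9.1.19-2.el9_4.elrepo.x86_64; print nothing for
# other packages (drbd9x-utils says nothing about what the module supports).
kmod_drbd_version() {
    printf '%s\n' "$1" | sed -n 's/^kmod-drbd[0-9a-z]*-\([0-9][0-9.]*\)-.*/\1/p'
}

# check_drbd_tls_kmod: read rpm -qa output on stdin and print
#   "ok"              kmod-drbd is at least $DRBD_TLS_MIN (exit 0)
#   "too-old <ver>"   kmod-drbd is installed but too old for TLS (exit 1)
#   "missing"         no kmod-drbd package listed at all (exit 2)
check_drbd_tls_kmod() {
    found=""
    while IFS= read -r pkg; do
        v=$(kmod_drbd_version "$pkg")
        [ -n "$v" ] && found="$v"
    done
    if [ -z "$found" ]; then echo "missing"; return 2; fi
    if version_ge "$found" "$DRBD_TLS_MIN"; then echo "ok"; return 0; fi
    echo "too-old $found"; return 1
}

# Typical use on a node: rpm -qa | check_drbd_tls_kmod
```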