How do I configure a stonith device using agent fence_nutanix_ahv in a Red Hat High Availability cluster with pacemaker?

Environment

  • Nutanix VMs running Red Hat Enterprise Linux 8 and newer and a RHEL Pacemaker cluster.

Issue

  • How to configure fencing for the cluster using the fence_nutanix_ahv agent.

Resolution

Verify that your systems meet the software requirements for the setup to be supported.

Check the related support policies in this note from our documentation.

At the Nutanix level, create the user for fencing and verify that it can list and fence VMs.

Verify that there is connectivity between all the cluster nodes and your Nutanix infrastructure:
# ping -c 3 nutanix.example.com
# telnet nutanix.example.com 80
# telnet nutanix.example.com 443

Verify that the fence agent is able to log in to the hypervisor:
[root@node-01 ~]# fence_nutanix_ahv -a nutanix.example.com -l fence_user -p 'password' --ssl-insecure -o list | grep 'myRHEL9-node-0[1-2]'
myRHEL9-node-01,d40ffa4a-64ae-4325-4bd7-2d75c7c8e07f
myRHEL9-node-02,421fc8d1-2b4b-4d51-4e9d-874ad63bc5af

Verify that the hypervisor user has permission to get the status of the VMs:
[root@node-01 ~]# fence_nutanix_ahv -a nutanix.example.com -l fence_user -p 'password' --ssl-insecure -o status -n myRHEL9-node-01
Status: ON
[root@node-01 ~]# fence_nutanix_ahv -a nutanix.example.com -l fence_user -p 'password' --ssl-insecure -o status -n d40ffa4a-64ae-4325-4bd7-2d75c7c8e07f
Status: ON

Create the stonith device:
# pcs stonith create fence_nutanix fence_nutanix_ahv ip=<nutanix-infrastructure> username=<username> password=<password> pcmk_host_map="<node1-name>:<node1-VM-Name>;<node2-name>:<node2-VM-Name>"

Verify that fencing works:
# pcs stonith fence <node_name>

Additional information regarding testing fencing is available on this note from our documentation.
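
The pcmk_host_map value in the create step has to name VMs exactly as the list action reports them. The following added example (not part of the original solution or of Red Hat's tooling) checks each VM name against the "name,uuid" list output before printing the map string, so a mistyped or ambiguous VM name is caught before the device is created. The node names node-01 and node-02, the function names and the third sample list line are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original solution): build a pcmk_host_map value
# and check every VM name against the "name,uuid" lines of `-o list` output.

# vm_count LIST VM: number of list lines whose name field is exactly VM.
vm_count() {
    printf '%s\n' "$1" |
        awk -F, -v vm="$2" '($1 "") == (vm "") { n++ } END { print n + 0 }'
}

# build_host_map LIST NODE:VM [NODE:VM ...]
# Prints "node1:vm1;node2:vm2"; returns 1 if a pair is malformed or its VM
# name is missing from, or appears more than once in, the list output.
build_host_map() {
    local list pair node vm n map
    list=$1; map=""
    shift
    for pair in "$@"; do
        case "$pair" in
            # ';' separates entries in the map, so it cannot appear in a name.
            *\;*|:*|*:) echo "malformed pair (want node:vm): $pair" >&2; return 1 ;;
            *:*) node=${pair%%:*}; vm=${pair#*:} ;;
            *) echo "malformed pair (want node:vm): $pair" >&2; return 1 ;;
        esac
        n=$(vm_count "$list" "$vm")
        if [ "$n" -ne 1 ]; then
            echo "VM '$vm' (node '$node') matched $n list entries" >&2; return 1
        fi
        map="${map:+$map;}$node:$vm"
    done
    printf '%s\n' "$map"
}

# Constructed sample: the two list lines shown above plus one made-up VM.
SAMPLE_LIST='myRHEL9-node-01,d40ffa4a-64ae-4325-4bd7-2d75c7c8e07f
myRHEL9-node-02,421fc8d1-2b4b-4d51-4e9d-874ad63bc5af
other-vm,00000000-0000-0000-0000-000000000000'

# node-01 and node-02 are assumed cluster node names.
build_host_map "$SAMPLE_LIST" node-01:myRHEL9-node-01 node-02:myRHEL9-node-02
```

In real use, pass the captured output of the list command in place of SAMPLE_LIST and use the printed string as the pcmk_host_map value.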

Known errors
  • Using wrong credentials (user/password) will log an error like the following.
2025-11-05 06:15:19,364 ERROR: API call failed: {"message": "Invalid Credentials"}
2025-11-05 06:15:19,364 ERROR: Error message: 401 Client Error: UNAUTHORIZED for url: https://nutanix.example.com:9440/api/vmm/v4.0/ahv/config/vms?$limit=1
2025-11-05 06:15:19,364 ERROR: Unable to retrieve VM info
  • Using the wrong hypervisor endpoint will log an error like the following.
2025-11-05 06:19:46,528 DEBUG: Starting new HTTPS connection (1): wrong-nutanix.example.com:9440
2025-11-05 06:19:46,535 DEBUG: Incremented Retry for (url='/api/vmm/v4.0/ahv/config/vms?$limit=1'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
2025-11-05 06:19:46,535 WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f03bafd0a40>: Failed to establish a new connection: [Errno -2] Name or service not known')': /api/vmm/v4.0/ahv/config/vms?$limit=1

Diagnostic Steps

# fence_nutanix_ahv -h
...
   -a, --ip=[ip]                  IP address or hostname of fencing device
   -l, --username=[name]          Login name
   -p, --password=[password]      Login password or passphrase
   -z, --ssl                      Use SSL connection with verifying certificate
   -t, --notls                    Disable TLS negotiation and force SSL3.0. This
                                        should only be used for devices that do not
                                        support TLS1.0 and up.
   -n, --plug=[id]                Physical plug number on device, UUID or
                                        identification of machine
   -m, --method=[method]          Method to fence (onoff|cycle) (Default: onoff)
   -u, --ipport=[port]            TCP/UDP port to use
                                        (default 80, 443 if --ssl option is used)
...

# pcs stonith describe fence_nutanix_ahv
...
  ip (required)
    Description: IP address or hostname of fencing device
    Type: string
  ipport
    Description: TCP/UDP port to use for connection with device
    Type: integer
    Default: 80
  method
    Description: Method to fence
    Allowed values: 'cycle', 'onoff'
    Default: onoff
  notls
    Description: Disable TLS negotiation and force SSL3.0. This should only be used for devices that do not support TLS1.0 and up.
    Type: boolean
  password
    Description: Login password or passphrase
    Type: string
  password_script
    Description: Script to run to retrieve password
    Type: string
...

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.