= Access =

One of the hurdles of setting up a cluster has up to this point been
_access management_, making sure that `crmsh` and other cluster
management tools can communicate between nodes.

Ensuring that appropriate firewall rules are created and that SSH keys
and agents are configured correctly is complicated and
distribution-specific, and most tutorials or guides to configuring a
cluster tend to skip over this part or, `$DIETY` forbid, recommend
disabling firewalls completely or the use of password-less SSH keys.

One of the goals of `crmsh 2` is to make access management easier.

Here is how it works.

== SSH ==

== Firewalls ==

In general, `crmsh` cannot configure your firewall for you
footnote:[On SUSE Linux Enterprise 12, crmsh can actually configure your firewall for you.].
It can, however, detect that necessary ports are blocked and make
recommendations for which port should be opened to allow the cluster
to function. `crmsh` will also detect certain network configurations
that may prevent the cluster from functioning, such as switches that
do not permit multicast traffic between nodes, or high ping times
between nodes.

Firewall detection is done as part of the `cluster init` script, and
also as part of the `cluster health` script.

