My open-source implementation of a fence agent for Hetzner Cloud has just been accepted into the ClusterLabs project. This brings modern support for integrating with Hetzner Cloud, transmitting power off and power on events via Hetzner’s API. When used with Pacemaker, it allows a high-availability cluster of servers to STONITH a misbehaving server, typically allowing the cluster to heal automatically. The fence agent is written in Python, and utilises the ClusterLabs fencing library. The fence agent should gradually become available within package managers, such as the High Availability repository within AlmaLinux, CentOS, etc., or it can be used directly.
To use the fence agent, first create an API token within Hetzner Cloud. Since Hetzner Cloud unfortunately doesn’t allow for narrow scoping of tokens, this will need to apply to the whole cloud project. Read-write permissions are needed, so the fence agent can cut the power to a server.
For a fresh cluster, create a user and authorise the hosts:
pcs host auth \
xx-prd1-tmp1-data-1 addr=xx-prd1-tmp1-data-1.example.com \
xx-prd1-tmp1-data-2 addr=xx-prd1-tmp1-data-2.example.com \
xx-prd1-tmp1-data-3 addr=xx-prd1-tmp1-data-3.example.com \
-u hacluster
Ensure network connectivity between the nodes, and create the cluster:
pcs cluster setup xx-prd1-tmp1 \
xx-prd1-tmp1-data-1 addr=xx-prd1-tmp1-data-1.example.com \
xx-prd1-tmp1-data-2 addr=xx-prd1-tmp1-data-2.example.com \
xx-prd1-tmp1-data-3 addr=xx-prd1-tmp1-data-3.example.com \
--enable \
--start
Now create the fence agent, specifying the Hetzner API token:
echo -n "Hetzner Cloud API token: "
# -r keeps backslashes literal; -s stops the token being echoed to the terminal
read -rs api_token; echo
pcs stonith create fence_hetzner_cloud \
fence_hetzner_cloud \
api_token="$api_token" \
meta \
failure-timeout=60s \
resource-stickiness=0
Watch the progress using crm_mon. If all goes well, after a minute or so you should see:
Cluster Summary:
* Stack: corosync (Pacemaker is running)
* Current DC: xx-prd1-tmp1-data-1 (version 2.1.9-1.2.el9_6-49aab9983) - partition with quorum
* Last updated: Wed Oct 22 12:44:17 2025 on xx-prd1-tmp1-data-1
* Last change: Tue Oct 14 17:34:08 2025 by root via root on xx-prd1-tmp1-data-1
* 3 nodes configured
* 1 resource instance configured
Node List:
* Online: [ xx-prd1-tmp1-data-1 xx-prd1-tmp1-data-2 xx-prd1-tmp1-data-3 ]
Active Resources:
* fence_hetzner_cloud (stonith:fence_hetzner_cloud): Started xx-prd1-tmp1-data-1
Test fencing each node in the cluster, e.g.:
pcs stonith fence xx-prd1-tmp1-data-3
Check the activities log in the Hetzner console. server.stop and server.start events should be reported, and the server should have rebooted and rejoined the cluster.
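The rejoin check after a fence test can also be scripted. This is an added example, not part of the original post or the fence agent: the function name cluster_healthy is hypothetical, it reads one-shot crm_mon -1 text on stdin, and the sample outputs are constructed from the crm_mon output shown above.

```sh
# Added example: post-fence health check over one-shot crm_mon text output.
# Live usage (on a cluster node):
#   crm_mon -1 | cluster_healthy fence_hetzner_cloud node1 node2 node3
cluster_healthy() {
    resource=$1; shift
    status=$(cat)    # crm_mon text arrives on stdin
    rc=0
    # Node names between the brackets of the "* Online: [ ... ]" line
    online=$(printf '%s\n' "$status" |
        sed -n 's/^[[:space:]]*\* Online: \[ \(.*\) \].*$/\1/p')
    for node in "$@"; do
        case " $online " in
            *" $node "*) ;;
            *) echo "not online: $node" >&2; rc=1 ;;
        esac
    done
    # The stonith resource must be Started on some node
    if ! printf '%s\n' "$status" |
        grep -q "(stonith:$resource):[[:space:]]*Started"; then
        echo "fence resource not started: $resource" >&2; rc=1
    fi
    # Pacemaker prints "partition WITHOUT quorum" when quorum is lost
    if ! printf '%s\n' "$status" | grep -q 'partition with quorum'; then
        echo "no quorum" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample: all three nodes back after the fence test
sample_healthy() {
    cat <<'EOF'
  * Current DC: xx-prd1-tmp1-data-1 (version 2.1.9-1.2.el9_6-49aab9983) - partition with quorum
  * Online: [ xx-prd1-tmp1-data-1 xx-prd1-tmp1-data-2 xx-prd1-tmp1-data-3 ]
  * fence_hetzner_cloud (stonith:fence_hetzner_cloud): Started xx-prd1-tmp1-data-1
EOF
}

# Constructed sample: data-3 has been fenced and has not rejoined yet
sample_rebooting() {
    cat <<'EOF'
  * Current DC: xx-prd1-tmp1-data-1 (version 2.1.9-1.2.el9_6-49aab9983) - partition with quorum
  * Online: [ xx-prd1-tmp1-data-1 xx-prd1-tmp1-data-2 ]
  * OFFLINE: [ xx-prd1-tmp1-data-3 ]
  * fence_hetzner_cloud (stonith:fence_hetzner_cloud): Started xx-prd1-tmp1-data-1
EOF
}
```

Run the live form in a loop with a sleep after pcs stonith fence until it returns 0, so a node that never rejoins is noticed rather than assumed healthy.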
On top of this base configuration, desired resources can now be added, such as controlling network RAID using DRBD, floating IP addresses between instances, or starting and stopping highly-available services.