[Pacemaker] Active/active firewall using pacemaker ... and a helluva lot of IP addresses

Roberto Suarez Soto robe at allenta.com
Wed Jun 23 12:44:44 EDT 2010


Hi,

	we've configured several active/active two-node firewalls using
pacemaker and clusterip (an iptables extension; we use Linux), with good
results. We have several IP addresses on the firewall that we use for NAT,
both inbound and outbound, present on both nodes. They load balance traffic
thanks to clusterip's magic. IPaddr2's OCF support for clusterip makes this
easy.

	But we've hit a wall with a new setup. This is also a two-node
firewall, but the number of addresses it bears is 500+. And this seems to be
a bit too much for pacemaker: the start time is very slow, a cleanup takes
ages, and the cluster spends a lot of CPU time monitoring resources.

	I don't know if there's something that could be done to handle this,
pacemaker-wise. Our configuration right now is 500+ primitives (one for each
IP address), all in one big group, and then this group cloned in both nodes.
We've thought that maybe splitting the IP addresses into small groups would make everything
more manageable, but we haven't tried yet.

	We've also thought about making an LSB script for all the IP/clusterip
stuff, and then using this as a resource. But then we'd lose monitoring of IP
addresses and clusterip related firewall rules. We definitely would like to
use only pacemaker, and not rely on external hacks.

	So, the short question is: should we be using pacemaker for this? We
have used keepalived for scenarios like this, but IIRC, it doesn't support
active-active setups (and if it does, please tell :-)).

	Thanks in advance,

-- 
        Roberto Suarez Soto                             Allenta Consulting
        robe at allenta.com                                   www.allenta.com
                                                           +34 881 922 600
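As an added example (not part of this message, and not Pacemaker's or IPaddr2's own code): a POSIX shell generator for the crm shell configuration the message describes, one ocf:heartbeat:IPaddr2 primitive per address, collected into groups of a chosen size rather than one big group, with each group cloned using the clusterip settings a two-node setup needs (globally-unique="true", clone-max="2", clone-node-max="2"). The group size, the 60s monitor interval, the 192.0.2.0/24 sample addresses, and the resource id scheme are assumptions; the IPaddr2 parameters and crm shell keywords used are real ones.

```shell
#!/bin/sh
# Added example: emit crm-shell configuration for clusterip-balanced addresses
# split into several cloned groups instead of a single 500-member group.
# Assumptions: two cluster nodes, IPv4 addresses, hash on source IP only.

# emit_group GROUP_INDEX " member1 member2 ..."
# Prints one group and the globally-unique clone that spreads it over both nodes.
emit_group() {
    printf 'group grp_ips_%s%s\n' "$1" "$2"
    printf 'clone cl_ips_%s grp_ips_%s meta globally-unique="true" clone-max="2" clone-node-max="2"\n' "$1" "$1"
}

# gen_clusterip_config GROUP_SIZE NETMASK_BITS IP...
# One IPaddr2 primitive per address; every GROUP_SIZE addresses close a group.
gen_clusterip_config() {
    size=$1; shift
    mask=$1; shift
    idx=0
    grp=0
    members=""
    for ip in "$@"; do
        idx=$((idx + 1))
        # resource id derived from the address: 192.0.2.10 -> ip_192_0_2_10
        id="ip_$(printf '%s' "$ip" | tr . _)"
        printf 'primitive %s ocf:heartbeat:IPaddr2 \\\n' "$id"
        printf '    params ip="%s" cidr_netmask="%s" clusterip_hash="sourceip" \\\n' "$ip" "$mask"
        # a generous monitor interval keeps the per-resource monitoring load down (assumed value)
        printf '    op monitor interval="60s" timeout="20s"\n'
        members="$members $id"
        if [ $((idx % size)) -eq 0 ]; then
            emit_group "$grp" "$members"
            grp=$((grp + 1))
            members=""
        fi
    done
    # flush a final, partially filled group
    if [ -n "$members" ]; then
        emit_group "$grp" "$members"
    fi
}

# Constructed sample run: five documentation-range addresses in groups of two.
gen_clusterip_config 2 24 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14
```

Review the generated text before loading it into a live cluster; with a real address list it can be written to a file and loaded through the crm shell's `configure load update`. Because each group is its own clone, a cleanup or failure affects only that group's members rather than all addresses at once, which is the effect the message is looking for.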