[Pacemaker] Active/active firewall using pacemaker ... and a helluva lot of IP addresses
Dejan Muhamedagic
dejanmm at fastmail.fm
Thu Jun 24 14:23:11 UTC 2010
Hi,
On Wed, Jun 23, 2010 at 06:44:44PM +0200, Roberto Suarez Soto wrote:
> Hi,
>
> we've configured several active/active two-node firewalls using
> pacemaker and clusterip (an iptables extension; we use Linux), with good
> results. We have several IP addresses on the firewall that we use for NAT,
> both inbound and outbound, present on both nodes. They load balance traffic
> thanks to clusterip's magic. IPaddr2's OCF support for clusterip makes this
> easy.
>
> But we've hit a wall with a new setup. This is also a two-node
> firewall, but the number of addresses it bears is 500+. And this seems to be
> a bit too much for pacemaker: the start time is very slow, a cleanup takes
> ages, and the cluster spends a lot of CPU time monitoring resources.
>
> I don't know if there's something that could be done to handle this,
> pacemaker-wise. Our configuration right now is 500+ primitives (one for each
> IP address), all in one big group, and then this group cloned in both nodes.
> We've thought that maybe splitting the IP addresses into small groups would make
> everything more manageable, but we haven't tried it yet.
>
> We've also thought about making an LSB script for all the IP/clusterip
> stuff, and then using this as a resource. But then we'd lose monitoring of IP
> addresses and clusterip-related firewall rules. We definitely would like to
> use only pacemaker, and not rely on external hacks.
>
> So, the short question is: should we be using pacemaker for this? We
> have used keepalived for scenarios like this, but IIRC, it doesn't support
> active-active setups (and if it does, please tell :-)).
You should modify IPaddr2 to read the list of addresses to be
managed from a static file, then handle all of them in a loop in
the start, stop, and monitor actions. I suppose that it
shouldn't be too complicated.
Thanks,
Dejan
> Thanks in advance,
>
> --
> Roberto Suarez Soto Allenta Consulting
> robe at allenta.com www.allenta.com
> +34 881 922 600
>
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://developerbugs.linux-foundation.org/enter_bug.cgi?product=Pacemaker
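The suggestion in the reply above, sketched as an added example (this is not the stock IPaddr2 agent from the Linux-HA project, nor code from either poster): a minimal OCF-style agent that reads its address list from a static file and loops over it in start, stop and monitor, so the cluster tracks one primitive per node instead of 500. The agent name `IPaddrList`, the parameters `OCF_RESKEY_addr_file` and `OCF_RESKEY_nic`, the default path `/etc/cluster/ipaddrs.conf` and the `ipl_*` function names are all assumptions. Only plain `ip addr add/del` is shown; the clusterip (iptables CLUSTERIP) rule that IPaddr2 would install per address is a further step in the same loop and is left out here. The monitor treats a partially configured node (some addresses present, some missing) as a failure rather than as "running", so that a lost address is recovered rather than silently tolerated.

```shell
#!/bin/sh
# Hypothetical OCF agent "IPaddrList" (added example, not IPaddr2): one primitive
# manages every address listed in a file. A real agent would source
# ${OCF_FUNCTIONS_DIR:-/usr/lib/ocf/lib/heartbeat}/ocf-shellfuncs for these
# codes and for ocf_log; they are spelled out here so the file runs on its own.
# meta-data and validate-all actions are omitted for brevity.
OCF_SUCCESS=0
OCF_ERR_GENERIC=1
OCF_ERR_CONFIGURED=6
OCF_NOT_RUNNING=7

# Parameters arrive as OCF_RESKEY_*; the defaults below are assumptions.
ADDR_FILE="${OCF_RESKEY_addr_file:-/etc/cluster/ipaddrs.conf}"
NIC="${OCF_RESKEY_nic:-eth0}"
IP_CMD="${IP_CMD:-ip}"   # overridable so the loop logic can be exercised without root

# Emit the "addr/prefix" entries of the list file one per line, dropping
# "#" comments, surrounding whitespace and blank lines. Fails on an
# unreadable or empty file (an empty list is a configuration error).
read_addr_list() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Cheap shape check (dotted quad with a prefix length); not a full validator.
valid_addr() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) echo "IPaddrList: bad entry '$1'" >&2; return 1 ;;
    esac
}

# True when addr/prefix is configured on $NIC ("ip -o addr show" one-line format).
addr_present() {
    "$IP_CMD" -o addr show dev "$NIC" | grep -qF " inet $1 "
}

# start is idempotent: addresses already present are skipped, the rest are added.
ipl_start() {
    list=$(read_addr_list "$ADDR_FILE") || return $OCF_ERR_CONFIGURED
    for a in $list; do
        valid_addr "$a" || return $OCF_ERR_CONFIGURED
        addr_present "$a" && continue
        "$IP_CMD" addr add "$a" dev "$NIC" || return $OCF_ERR_GENERIC
    done
    return $OCF_SUCCESS
}

# stop removes whatever is still present; an address already gone is not an error.
ipl_stop() {
    list=$(read_addr_list "$ADDR_FILE") || return $OCF_ERR_CONFIGURED
    for a in $list; do
        addr_present "$a" || continue
        "$IP_CMD" addr del "$a" dev "$NIC" || return $OCF_ERR_GENERIC
    done
    return $OCF_SUCCESS
}

# monitor: all present -> running; none -> not running; a mix -> generic error,
# so a node that has lost part of its address set is restarted by the cluster.
ipl_monitor() {
    list=$(read_addr_list "$ADDR_FILE") || return $OCF_ERR_CONFIGURED
    up=0; down=0
    for a in $list; do
        if addr_present "$a"; then up=$((up + 1)); else down=$((down + 1)); fi
    done
    [ "$down" -eq 0 ] && return $OCF_SUCCESS
    [ "$up" -eq 0 ] && return $OCF_NOT_RUNNING
    return $OCF_ERR_GENERIC
}

# Pacemaker invokes the agent with the action as its only argument.
case "${1:-}" in
    start)   ipl_start ;;
    stop)    ipl_stop ;;
    monitor) ipl_monitor ;;
    "")      : ;;   # no action given: just define the functions (sourced / tested)
    *)       echo "usage: $0 {start|stop|monitor}" >&2; exit 3 ;;  # OCF_ERR_UNIMPLEMENTED
esac
```

With the list file in place, the resource would be declared once (`primitive natpool ocf:heartbeat:IPaddrList params addr_file=... nic=... op monitor interval=10s`) and cloned to both nodes, which is what turns 500 monitor operations per interval into one; the trade-off is that the cluster can no longer report which individual address failed, so the agent's own log line is the only place that detail survives.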