[Pacemaker] How SuSEfirewall2 affects on openais startup?

Aleksey Zholdak aleksey at zholdak.com
Thu May 13 09:48:15 EDT 2010


>>>>> firewall should let through the UDP multicast traffic on
>>>>> ports mcastport and mcastport+1.
>>>>
>>>> As I wrote above: all interfaces in SuSEfirewall2 are set to "Internal
>>>> zone". So, how can I "open" these ports if they are already open?
>>>
>>> Just to double check, I assume "Internal zone" does not have any
>>> firewall rules applied to it?  If you go to "Allowed Services" in the
>>> YaST2 firewall config app, it should show everything greyed-out or
>>> allowed for Internal Zone.
>>
>> Yes, exactly, everything greyed-out and allowed for "Internal Zone".
>> "Internal zone is unprotected. All ports are open."
>
> OK, that sounds fine.
>
>>> You said earlier that openais starts OK if you have the firewall on,
>>> but resources do not run.  What does the output of "crm_mon -r1" show
>>> in this case?

>> sles2:~ # crm_mon -r1
>> ============
>> Last updated: Thu May 13 12:21:21 2010
>> Stack: openais
>> Current DC: NONE
>> 2 Nodes configured, 2 expected votes
>> 10 Resources configured.
>> ============
>>
>> Node sles2: UNCLEAN (offline)
>> Node sles1: UNCLEAN (offline)
>
> The above is normal for while the cluster is starting up.  This may sound
> a little silly, but I would have expected everything to come online if
> you just wait a few minutes.  You can watch status changes (if any) as
> they occur, with "crm_mon -r".  It's worth checking /var/log/messages etc.
> on each node too, to see if anything is obviously screaming in pain.

The nodes remain unchanged in this state for hours.

Analysis of the logs in this situation does not say anything ...

I must remind you that we are talking about running one node of the two.
The second node is turned off (burned, stolen, etc.)

>>    Clone Set: sbd-clone
>>        Stopped: [ sbd_fense:0 sbd_fense:1 ]
>
> Don't clone the SBD stonith resource, you only need a single primitive
> here (not that this should be causing your startup trouble).

sbd fence must be on each node.

When the firewall is off, or when both nodes are running, there is no problem.

--
Aleksey



