[Pacemaker] How SuSEfirewall2 affects on openais startup?

Tim Serong tserong at novell.com
Thu May 13 21:18:06 EDT 2010


On 5/13/2010 at 11:48 PM, Aleksey Zholdak <aleksey at zholdak.com> wrote: 
> >>>>> firewall should let through the UDP multicast traffic on
> >>>>> ports mcastport and mcastport+1.
> >>>>
> >>>> As I wrote above: all interfaces in SuSEfirewall2 are set to "Internal
> >>>> zone". So, how can I "open" these ports if they are already open?
> >>>
> >>> Just to double check, I assume "Internal zone" does not have any
> >>> firewall rules applied to it?  If you go to "Allowed Services" in the
> >>> YaST2 firewall config app, it should show everything greyed-out or
> >>> allowed for Internal Zone.
> >> 
> >> Yes, exactly, everything greyed-out and allowed for "Internal Zone". 
> >> "Internal zone is unprotected. All ports are open." 
> > 
> > OK, that sounds fine. 
> > 
> >>> You said earlier that openais starts OK if you have the firewall on, 
> >>> but resources do not run.  What does the output of "crm_mon -r1" show 
> >>> in this case? 
>  
> >> sles2:~ # crm_mon -r1 
> >> ============ 
> >> Last updated: Thu May 13 12:21:21 2010 
> >> Stack: openais 
> >> Current DC: NONE 
> >> 2 Nodes configured, 2 expected votes 
> >> 10 Resources configured. 
> >> ============ 
> >> 
> >> Node sles2: UNCLEAN (offline) 
> >> Node sles1: UNCLEAN (offline) 
> > 
> > The above is normal for while the cluster is starting up.  This may sound 
> > a little silly, but I would have expected everything to come online if 
> > you just wait a few minutes.  You can watch status changes (if any) as 
> > they occur, with "crm_mon -r".  It's worth checking /var/log/messages etc. 
> > on each node too, to see if anything is obviously screaming in pain. 
>  
> In such a state the nodes are unchanged for hours.

OK, I had to ask.

> Analysis of logs in this situation does not say anything ... 

If the firewall is blocking anything, it'll be making noise in
/var/log/firewall and/or dmesg.  Another thing to try is to set "debug: on"
in the openais/corosync config file, then look at /var/log/messages.
This should give you more log info...

>
> I must remind you that we are talking about running one node of the two.
> The second node is turned off (burned, stolen, etc.)
>
> >>    Clone Set: sbd-clone 
> >>        Stopped: [ sbd_fense:0 sbd_fense:1 ] 
> > 
> > Don't clone the SBD stonith resource, you only need a single primitive 
> > here (not that this should be causing your startup trouble). 
>  
> sbd fence must be on each node. 

The sbd daemon needs to be running on both nodes (the openais init script
should take care of that on SLES), but there only needs to be one sbd
primitive, it does not need to be cloned.  Pacemaker will make sure it
is running somewhere, which is enough.

> When the firewall is off or both nodes are running - no problem.

So, one node running, with the firewall off, is OK?

Two nodes running, with the firewall on, is OK?

I think I'm becoming confused...

Regards,

Tim


-- 
Tim Serong <tserong at novell.com>
Senior Clustering Engineer, OPS Engineering, Novell Inc.
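As an added example (not part of this thread or of SuSEfirewall2/openais), a small check for the "firewall making noise in /var/log/firewall and/or dmesg" point above: it scans netfilter-style log lines for DROP entries whose UDP destination port is mcastport or mcastport+1. It assumes the corosync default mcastport 5405 (so 5405 and 5406), and the log lines, addresses and MACs below are constructed samples in the SFW2 log format.

```python
import re

# Default corosync/openais mcastport; mcastport and mcastport+1 must both pass.
MCASTPORT = 5405

# Constructed sample log lines (not from the thread) in the netfilter/SuSEfirewall2
# format as they would appear in /var/log/firewall or dmesg. Addresses are made up.
SAMPLE_LOG = """\
May 13 12:20:01 sles2 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=01:00:5e:5e:01:01:00:0c:29:aa:bb:cc:08:00 SRC=192.168.1.11 DST=226.94.1.1 LEN=108 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=5405 DPT=5405 LEN=88
May 13 12:20:01 sles2 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=01:00:5e:5e:01:01:00:0c:29:aa:bb:cc:08:00 SRC=192.168.1.11 DST=226.94.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=5406 DPT=5406 LEN=58
May 13 12:20:02 sles2 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=... SRC=192.168.1.12 DST=192.168.1.11 PROTO=TCP SPT=45000 DPT=22
May 13 12:20:03 sles2 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.11 PROTO=UDP SPT=137 DPT=137
"""

# netfilter log lines are a run of KEY=VALUE fields (VALUE may be empty, e.g. OUT=).
FIELD_RE = re.compile(r"\b(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of a netfilter log line as a dict,
    or None if the line is not a firewall log entry at all."""
    if "SFW2-" not in line and "IN=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def find_blocked_multicast(log_text, mcastport=MCASTPORT):
    """Return (port, src, dst) for every DROP entry whose UDP destination port
    is mcastport or mcastport+1, i.e. openais/corosync totem traffic."""
    wanted = {str(mcastport), str(mcastport + 1)}
    hits = []
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if not fields or "DROP" not in line:
            continue
        if fields.get("PROTO") == "UDP" and fields.get("DPT") in wanted:
            hits.append((int(fields["DPT"]), fields.get("SRC"), fields.get("DST")))
    return hits


if __name__ == "__main__":
    # On a real node, replace SAMPLE_LOG with the contents of /var/log/firewall.
    for port, src, dst in find_blocked_multicast(SAMPLE_LOG):
        print(f"firewall dropped totem traffic: {src} -> {dst} udp/{port}")
```

If this reports hits on a node whose interface is supposedly in the unprotected Internal zone, the zone assignment is not what YaST shows and is worth re-checking against the generated iptables rules.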
