[Pacemaker] How SuSEfirewall2 affects on openais startup?

Aleksey Zholdak aleksey at zholdak.com
Fri May 14 02:40:28 EDT 2010


>>>>>>> firewall should let through the UDP multicast traffic on
>>>>>>> ports mcastport and mcastport+1.
>>>>>>
>>>>>> As I wrote above: all interfaces in SuSEfirewall2 are set to "Internal
>>>>>> zone". So, how can I "open" these ports if they are already open?
>>>>>
>>>>> Just to double check, I assume "Internal zone" does not have any
>>>>> firewall rules applied to it?  If you go to "Allowed Services" in the
>>>>> YaST2 firewall config app, it should show everything greyed-out or
>>>>> allowed for Internal Zone.
>>>>
>>>> Yes, exactly, everything greyed-out and allowed for "Internal Zone".
>>>> "Internal zone is unprotected. All ports are open."
>>>
>>> OK, that sounds fine.
>>>
>>>>> You said earlier that openais starts OK if you have the firewall on,
>>>>> but resources do not run.  What does the output of "crm_mon -r1" show
>>>>> in this case?
>>>>
>>>> sles2:~ # crm_mon -r1
>>>> ============
>>>> Last updated: Thu May 13 12:21:21 2010
>>>> Stack: openais
>>>> Current DC: NONE
>>>> 2 Nodes configured, 2 expected votes
>>>> 10 Resources configured.
>>>> ============
>>>>
>>>> Node sles2: UNCLEAN (offline)
>>>> Node sles1: UNCLEAN (offline)
>>>
>>> The above is normal for while the cluster is starting up.  This may sound
>>> a little silly, but I would have expected everything to come online if
>>> you just wait a few minutes.  You can watch status changes (if any) as
>>> they occur, with "crm_mon -r".  It's worth checking /var/log/messages etc.
>>> on each node too, to see if anything is obviously screaming in pain.
>>
>> In this state the nodes stay unchanged for hours.
>
> OK, I had to ask.
>
>> Analysis of logs in this situation does not say anything ...
>
> If the firewall is blocking anything, it'll be making noise in
> /var/log/firewall and/or dmesg.  Another thing to try is set "debug: on"
> in the openais/corosync config file, then look at /var/log/messages.
> This should give you more log info...

/var/log/firewall is empty.
dmesg contains nothing about the firewall and openais.
In /var/log/messages I see a lot of messages that tell me nothing :(

>> I must remind you that we are talking about running one node of the two.
>> The second node is turned off (burned, stolen, etc.)
>>
>>>>     Clone Set: sbd-clone
>>>>         Stopped: [ sbd_fense:0 sbd_fense:1 ]
>>>
>>> Don't clone the SBD stonith resource, you only need a single primitive
>>> here (not that this should be causing your startup trouble).
>>
>> sbd fence must be on each node.
>
> The sbd daemon needs to be running on both nodes (the openais init script
> should take care of that on SLES), but there only needs to be one sbd
> primitive, it does not need to be cloned.  Pacemaker will make sure it
> is running somewhere, which is enough.

What are you talking about? sbd must be running on _each_ node, not "somewhere"!

>> When the firewall is off, or both nodes are running - no problem.
>
> So, one node running, with the firewall off, is OK?
Yes.

> Two nodes running, with the firewall on, is OK?
Yes again.

> I think I'm becoming confused...
I am too...

--
Aleksey



