[Pacemaker] iptables cluster
Karlis Kisis
karlis.kisis at gmail.com
Mon Feb 13 10:02:23 UTC 2012
I found the descriptions of resource agents here:
http://doc.opensuse.org/products/draft/SLE-HA/SLE-ha-guide_sd_draft/app.agents.details.html
Thanks,
Karlis
2012/2/13 Karlis Kisis <karlis.kisis at gmail.com>:
> Hi,
>
> In most cluster tutorials, for simplicity, iptables is turned off.
> Funny thing is that iptables is what I want to configure in HA cluster
> (as redundant firewalls).
>
> While reading the documentation I did not understand fully how IpAddr2
> resource is configured. Let me explain:
>
> I have 2 cluster nodes with following network config:
> NIC1 - External Internet - 80.80.80.80 (81 for node2)
> NIC2 - Internal LAN - 10.0.0.80 (81 for node2)
> NIC3 - Heartbeat - 192.168.0.80 (81 for node2)
> NIC4 - Storage Net - 172.16.0.80 (81 for node2)
>
> I want 2 addresses to fail over:
> 80.80.80.1 VIP in External segment
> 10.0.0.1 VIP in LAN segment
>
> Question #1:
> When I configure IpAddr2 resource, how does it work? Especially if I
> want to use external address that are public. The network adapter goes
> in PROMISCUOUS mode and listens to all traffic, while filtering its IP
> and VIP? Does it load the routers?
>
> What I need to add another address from a different IP subnet, let's
> say 180.180.180.180, since I don't have any adapters configures in
> this IP subnet, will it work? Can I somehow assign this IpAddr2 to be
> routed through NIC1 (static routes on both nodes?)
>
> Question #2:
> The whole clustering thingy works by stopping the service on one node
> and starting it on the other. In my case, I would not want iptables to
> be stopped but instead restarted with a "passive" config, like block
> all traffic from outside (instead of dropping firewall entirely). How
> would I go about it? Custom scripts?
>
> Is there any extensive documentation on cluster networking somewhere?
> How do the VIPs technically work?
>
> Best regards,
> Karlis
More information about the Pacemaker
mailing list