[Pacemaker] create 2-node Active/Passive firewall cluster
Jeff Weber
jwamsc at gmail.com
Wed Sep 18 21:12:59 UTC 2013
On Wed, Sep 18, 2013 at 3:10 PM, Michael Schwartzkopff <misch at clusterbau.com> wrote:
> > I'm still a bit unclear on how the cluster monitors the VIP resources.
> > Do I have exactly one stanza of totem interface, and set the bindnetaddr to
> > the heartbeat net?
> > How does the cluster monitor for a VIP on a dead interface?
>
> The monitoring operation of an IP address resource issues an "ip a l dev
> (...)" command and looks if the IP address is still bound to the interface.
> Any failure (i.e. interface down, IP address vanished) results in an error
> of the monitoring operation and a reaction of the cluster.
>

That's what I expected, but not quite what I'm seeing. For a test I
brought down the resident interface for a VIP. The monitor noticed a
problem with the VIP, but did not move the VIP to the other node.

Specifically, I created a cluster with ha-node2, ha-node3; each with an
Internal and External interface. I created a VIP "InternalIP" and bound it
to the Internal interfaces. I determined which Interface the VIP was bound
to, and brought the interface down via "ifdown". My cluster now reports
an error:

# pcs status
Last updated: Wed Sep 18 07:35:34 2013
Last change: Wed Sep 18 06:58:19 2013 via cibadmin on ha-node2
Stack: classic openais (with plugin)
Current DC: ha-node3 - partition with quorum
Version: 1.1.8-1.tos2-394e906
2 Nodes configured, 2 expected votes
2 Resources configured.
Online: [ ha-node2 ha-node3 ]
Full list of resources:
InternalIP (ocf::heartbeat:IPaddr2): Started ha-node2
ExternalIP (ocf::heartbeat:IPaddr2): Started ha-node2
Failed actions:
InternalIP_monitor_30000 (node=ha-node2, call=19, rc=7, status=complete): not running
<end of pcs status output>

and ifconfig reveals the interface I brought down is now back up, and the
IP has changed to the VIP IP. I expected the IpAddr monitor to detect the
interface was down, and move the VIP to the other node. The cluster did not
move the VIP.

Any idea what happened? Did I misconfigure?

> Additionally use a ping resource. That resource sends a ping to an IP
> address outside of the cluster. If the node receives the answer it can be
> pretty sure that the attached network works.
>
A ping resource is starting to sound more attractive.
thanks again,
Jeff
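
The monitor check described in the quoted reply, as an added sketch that is not part of the original thread and not the IPaddr2 agent's own code: it models "is the VIP still bound to the interface" over `ip -o addr show` output and returns the OCF codes, where 7 is the "not running" value reported under Failed actions. The function names, interface name, addresses and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Simplified model of a VIP monitor check; NOT the IPaddr2 agent's code.
OCF_SUCCESS=0        # resource is running
OCF_NOT_RUNNING=7    # matches "rc=7 ... not running" in the status output

# Constructed sample: `ip -o addr show dev eth1` with the VIP bound
# (interface name and addresses are made up for this example).
SAMPLE_BOUND='3: eth1    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth1
3: eth1    inet 10.0.0.100/24 brd 10.0.0.255 scope global secondary eth1'

# Constructed sample: the same command after the interface lost its addresses.
SAMPLE_DOWN=''

# vip_monitor VIP  (reads `ip -o addr show dev IFACE` output on stdin)
vip_monitor() {
    vip=$1
    while read -r _idx _dev family addr _rest; do
        case $family in
            inet|inet6) ;;
            *) continue ;;
        esac
        # Compare the whole address: a substring match would wrongly
        # accept 10.0.0.10 because 10.0.0.100 is bound.
        if [ "${addr%/*}" = "$vip" ]; then
            return "$OCF_SUCCESS"
        fi
    done
    return "$OCF_NOT_RUNNING"
}

# check SAMPLE VIP: run the monitor over a captured sample.
check() {
    printf '%s\n' "$1" | vip_monitor "$2"
}

check "$SAMPLE_BOUND" 10.0.0.100; echo "VIP bound:        rc=$?"
check "$SAMPLE_DOWN"  10.0.0.100; echo "interface down:   rc=$?"
check "$SAMPLE_BOUND" 10.0.0.10;  echo "similar address:  rc=$?"
```

On a live node the same function can be fed real output, for example `ip -o addr show dev eth1 | vip_monitor 10.0.0.100`, with the interface and address replaced by the cluster's own.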