[Pacemaker] Active-Passive firewall with conntrackd and ip colocation

Benjamin Kiessling mittagessen at l.unchti.me
Mon Feb 27 07:04:17 EST 2012


Hi,

I've set up a small two node cluster using Debian squeeze to act as an
active-passive firewall using conntrackd and the IPaddr2 resource agent. My
configuration looks like this:

node node1
node node2
primitive conntrackd ocf:heartbeat:conntrackd \
        op monitor interval="20" role="Slave" timeout="20" \
        op monitor interval="10" role="Master" timeout="20"
primitive routerIP ocf:heartbeat:IPaddr2 \
        params ip="172.22.92.84" cidr_netmask="28" \
        op monitor interval="1s" timeout="4s"
ms ms_conntrackd conntrackd \
        meta notify="true" interleave="true"
location prefer-node1 routerIP 50: node1
colocation conntrack-with-routerIP inf: ms_conntrackd:Master routerIP
property $id="cib-bootstrap-options" \
        dc-version="1.0.9-74392a28b7f31d7ddc86689598bd23114f58978b" \
        cluster-infrastructure="openais" \
        expected-quorum-votes="2" \
        stonith-enabled="false" \
        no-quorum-policy="ignore"

The setup I'm trying to achieve is that conntrackd (as Master role) has
to run with routerIP preferentially on node1. This configuration moves
conntrackd and routerIP from node1 to node2 when I simulate a failover,
but after node1 is operational again conntrackd's Master is not moved
back to node1 while routerIP is.
I couldn't find any documentation about multi-state resources apart from
the most basic examples, so I don't know if this configuration is even
remotely sensible. Could you point me in the right direction on this
issue?

Regards,
Ben 
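The constraint pattern usually documented for a master/slave resource paired with a floating address, as an added example that is not part of Ben's post and not a reply from the list: it keeps the primitives and the ms_conntrackd definition exactly as posted, expresses the node preference on the Master role of ms_conntrackd, makes routerIP follow the master (rather than the master following the address, as in the posted colocation), and adds an order constraint so the address is only brought up after promotion. Resource and node names are the ones from the post; the score of 50 is kept from the post. Whether this changes the fail-back behaviour on this 1.0.9 cluster is an assumption to verify with crm_simulate -sL, which prints the allocation and promotion scores the policy engine used.

```crm
# Added example, not from the post: these three constraints would replace
# the posted "location prefer-node1" and "colocation conntrack-with-routerIP".

# Prefer node1 for the Master role itself (score 50, as in the post).
location prefer-node1-master ms_conntrackd \
        rule $role="Master" 50: #uname eq node1

# The address follows wherever conntrackd has been promoted.
colocation routerIP-with-master inf: routerIP ms_conntrackd:Master

# Bring the address up only after promotion has completed.
order conntrackd-before-routerIP inf: ms_conntrackd:promote routerIP:start
```

After loading this with crm configure, crm configure show confirms the constraints and crm_simulate -sL shows, per node, the scores that decide where ms_conntrackd is promoted and where routerIP is placed, which is the first thing to compare against the observed placement after node1 returns.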