[Pacemaker] create 2-node Active/Passive firewall cluster

Michael Schwartzkopff misch at clusterbau.com
Wed Sep 18 15:09:59 EDT 2013


On Wednesday, 18 September 2013, 13:34:55, Jeff Weber wrote:
> I am looking to create a 2-node Active/Passive firewall cluster.  I am an
> experienced Linux user, but new to HA clusters. I have scanned "Clusters
> From Scratch" and "Pacemaker Explained".  I found these docs helpful, but a
> bit overwhelming, being new to HA clusters.
> 
> My goals:
> * create 2-node Active/Passive firewall cluster
> * Each FW node has an external, and internal interface
> * Cluster software presents external, internal VIPs
> * VIPs must be co-located on same node
> * One node is preferred for VIP locations
> * If any interface fails on node currently hosting VIPs, VIPs move to other
> node
> 
> For simplicity sake, I'll start by creating VIPs, and add firewall plumbing
> to the VIPs in the future.
> 
> My config:
> CentOS-6.3 based distro +
> corosync-1.4.1-1
> pacemaker-1.1.8-1
> pcs-0.9.26-1
> resource-agents-3.9.2-12
> and all required dependencies
> 
> My questions:
> 
> This sounds like a common use case, but I could not find an example/HOWTO.
> Did I miss it?

I once wrote a HOWTO. But it is outdated.
Anyway: It should work pretty straightforward. Make a group of the VIPs.

> Do I have the correct HA cluster packages, versions to start work?
Should do.

> Do I also need the cman?, ccs packages?

No. I suggest using fwbuilder as a GUI, if you like.
 
> How many interfaces should each cluster node have?
>     2 interfaces: internal, external
>     or
>     3 interfaces: internal, external, monitor

3: external, internal, heartbeat.

> 
> Do I need to configure corosync.conf/totem/interface/bindnetaddr, and if
> so, bind to what net?

As it says: bindnetaddr. The NETWORK address of the interface. For 
192.168.100.1/24 you configure 192.168.100.0.

> $1M question:
> How to configure cluster to monitor all internal, external cluster
> interfaces, and perform
> failover?  Here's my estimate:

Monitor operations on all resources and some ping resources to check the 
availability of external hosts.

> * create external VIP as IPaddr2 and bind to external interfaces
> * create internal VIP as IPaddr2 and bind to internal interfaces
> * co-locate both VIPs together
> * specify a location constraint for preferred node

You can also add a sync daemon to keep the state tables of iptables in sync on 
the active and passive node. Works like a charm for me.

> Any help would be appreciated,

No problem. That is why the mailing list exists.

And: I earn money with consulting ;-)

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
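Added example, not part of the thread and not the author's configuration: a POSIX sh script that turns the reply's advice into a runnable plan. It (1) derives the corosync bindnetaddr (the network address, not the host address, which is the point made about 192.168.100.1/24 above) from an interface's CIDR address and emits the totem interface stanza for the dedicated heartbeat link, and (2) issues the pcs commands for two IPaddr2 VIPs with monitor operations, grouped so they are colocated, a cloned ping resource watching an external host, a location preference for the first node, and a rule that keeps the VIP group off a node whose ping attribute is missing or zero. Everything specific is an assumption of this example: node names fw1/fw2, interfaces eth0 (external), eth1 (internal), eth2 (heartbeat), the 203.0.113.0/24, 192.168.100.0/24 and 192.168.200.0/24 addresses, the external gateway used by ping, and the pcs command syntax (pcs 0.9-era; the `constraint location ... rule` form in particular should be checked against `pcs constraint --help` on the installed version). The state-sync daemon mentioned in the reply is not named there and is not configured here.

```shell
#!/bin/sh
# Added example for the Pacemaker list thread above; not code from the thread.
# Assumed: nodes fw1/fw2; eth0=external, eth1=internal, eth2=heartbeat;
# addresses 203.0.113.0/24, 192.168.100.0/24, 192.168.200.0/24 (all made up);
# pcs 0.9-era syntax; agents ocf:heartbeat:IPaddr2 and ocf:pacemaker:ping.

# Network address for corosync's totem/interface/bindnetaddr, from a CIDR
# address. 192.168.100.1/24 -> 192.168.100.0; 10.20.33.7/22 -> 10.20.32.0.
cidr_to_bindnetaddr() {
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "cidr_to_bindnetaddr: need a.b.c.d/len, got $1" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then echo "prefix $prefix out of range" >&2; return 1; fi
    oldifs=$IFS; IFS=.
    set -- $ip                       # octets become $1..$4
    IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))   # 'prefix' leading ones
    fi
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
                           $(( (net >> 8) & 255 ))  $(( net & 255 ))
}

# totem { interface { ... } } fragment for corosync.conf, bound to the
# heartbeat network. Takes the heartbeat interface's CIDR address.
corosync_interface_stanza() {
    bindnet=$(cidr_to_bindnetaddr "$1") || return 1
    cat <<EOF
    interface {
        ringnumber: 0
        bindnetaddr: $bindnet
        mcastaddr: 226.94.1.1
        mcastport: 5405
    }
EOF
}

# Execute a command, or only print it when DRY_RUN is set, so the plan can be
# reviewed (and tested) on a machine without pcs.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_firewall_vips() {
    # Two nodes cannot form a majority; without this the surviving node
    # stops everything when its peer dies.
    run pcs property set no-quorum-policy=ignore
    # Fencing is deliberately NOT disabled here: with the default
    # stonith-enabled=true Pacemaker refuses to start resources until a
    # STONITH device is added, which is the safe failure for a firewall
    # (two nodes each claiming a VIP would fight over ARP).
    run pcs resource create ext_vip ocf:heartbeat:IPaddr2 \
        ip=203.0.113.10 cidr_netmask=24 nic=eth0 op monitor interval=10s
    run pcs resource create int_vip ocf:heartbeat:IPaddr2 \
        ip=192.168.100.10 cidr_netmask=24 nic=eth1 op monitor interval=10s
    # A group both colocates the VIPs and orders their start/stop.
    run pcs resource group add fw_vips ext_vip int_vip
    # ping sets the node attribute "pingd" (its default name) to
    # multiplier * reachable hosts; cloned so every node measures it.
    run pcs resource create ping_ext ocf:pacemaker:ping \
        host_list=203.0.113.1 multiplier=1000 dampen=5s op monitor interval=15s
    run pcs resource clone ping_ext
    # Preferred node for the VIPs.
    run pcs constraint location fw_vips prefers fw1=100
    # Never host the VIPs where the external gateway is unreachable.
    run pcs constraint location fw_vips rule score=-INFINITY \
        pingd lt 1 or not_defined pingd
}

# Stand-alone use:  sh fwcluster.sh plan   (print)   |   sh fwcluster.sh apply
case "${1:-}" in
    plan)  corosync_interface_stanza 192.168.200.1/24; DRY_RUN=1; configure_firewall_vips ;;
    apply) configure_firewall_vips ;;
esac
```

Two caveats a practitioner would want: the IPaddr2 monitor only checks that the address is still configured on the interface, so a dead internal link is not detected by the VIP itself; either add a second ping resource probing an internal host (with its own attribute name via the agent's `name` parameter) or use the ethmonitor agent from resource-agents, and remember that the passive node must be allowed, by its own rules, to reach the ping targets or it will never be eligible for failover.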