[Pacemaker] create 2-node Active/Passive firewall cluster

Jeff Weber jwamsc at gmail.com
Wed Sep 18 17:12:59 EDT 2013


On Wed, Sep 18, 2013 at 3:10 PM, Michael Schwartzkopff <misch at clusterbau.com> wrote:

> > I'm still a bit unclear on how the cluster monitors the VIP resources.
> > Do I have exactly one stanza of totem interface, and set the bindnetaddr to
> > the heartbeat net?
> > How does the cluster monitor for a VIP on a dead interface?
>
> The monitoring operation of an IP address resource issues an "ip a l dev
> (...)" command and looks if the IP address is still bound to the interface.
> Any failure (i.e. interface down, IP address vanished) results in an error
> of the monitoring operation and a reaction of the cluster.
>

That's what I expected, but not quite what I'm seeing. For a test I
brought down the resident interface for a VIP. The monitor noticed a
problem with the VIP, but did not move the VIP to the other node.
Specifically, I created a cluster with ha-node2, ha-node3; each with an
Internal and External interface. I created a VIP "InternalIP" and bound it
to the Internal interfaces. I determined which interface the VIP was bound
to, and brought the interface down via "ifdown". My cluster now reports
an error:

# pcs status
Last updated: Wed Sep 18 07:35:34 2013
Last change: Wed Sep 18 06:58:19 2013 via cibadmin on ha-node2
Stack: classic openais (with plugin)
Current DC: ha-node3 - partition with quorum
Version: 1.1.8-1.tos2-394e906
2 Nodes configured, 2 expected votes
2 Resources configured.


Online: [ ha-node2 ha-node3 ]

Full list of resources:

 InternalIP (ocf::heartbeat:IPaddr2): Started ha-node2
 ExternalIP (ocf::heartbeat:IPaddr2): Started ha-node2

Failed actions:
    InternalIP_monitor_30000 (node=ha-node2, call=19, rc=7, status=complete): not running

<end of pcs status output>

and ifconfig reveals the interface I brought down is now back up, and the
IP has changed to the VIP IP. I expected the IpAddr monitor to detect the
interface was down, and move the VIP to the other node. The cluster did not
move the VIP.

Any idea what happened? Did I misconfigure?


> Additionally use a ping resource. That resource sends a ping to an IP
> address outside of the cluster. If the node receives the answer it can be
> pretty sure that the attached network works.
>

A ping resource is starting to sound more attractive.

thanks again,
Jeff
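
The monitor check described in the quoted reply, as an added example that is not part of the original thread and is not the IPaddr2 agent's own code: it parses `ip -o addr show dev` output and maps "is the VIP bound to this interface" to the OCF monitor codes, including the rc=7 "not running" from the status output above. The interface name eth1, all addresses and the sample output are constructed assumptions.

```python
import ipaddress

OCF_SUCCESS = 0      # monitor: resource is running
OCF_NOT_RUNNING = 7  # monitor: the rc=7 "not running" shown by pcs status

# Constructed `ip -o addr show dev eth1` output; eth1 and all addresses are
# assumptions for this example, not values from the thread.
SAMPLE_UP = "\n".join([
    "3: eth1    inet 192.168.10.2/24 brd 192.168.10.255 scope global eth1"
    "\\       valid_lft forever preferred_lft forever",
    "3: eth1    inet 192.168.10.100/24 brd 192.168.10.255 scope global"
    " secondary eth1\\       valid_lft forever preferred_lft forever",
    "3: eth1    inet6 fe80::5054:ff:fe12:3456/64 scope link "
    "\\       valid_lft forever preferred_lft forever",
])
SAMPLE_AFTER_IFDOWN = ""  # constructed: no addresses left on the device


def bound_addresses(ip_output, dev):
    """Return the set of addresses that the `ip -o addr` output lists for dev."""
    found = set()
    for line in ip_output.splitlines():
        fields = line.split()
        # Expected layout: "<index>:", "<dev>", "inet"|"inet6", "<addr>/<prefix>", ...
        if len(fields) < 4 or fields[1] != dev:
            continue
        if fields[2] not in ("inet", "inet6"):
            continue
        try:
            found.add(ipaddress.ip_interface(fields[3]).ip)
        except ValueError:
            continue  # address field did not parse; ignore the line
    return found


def monitor(ip_output, dev, vip):
    """Map 'is the VIP bound to dev?' to an OCF monitor return code."""
    # Compare parsed addresses, not substrings: 192.168.10.10 must not
    # match a line that carries 192.168.10.100.
    if ipaddress.ip_address(vip) in bound_addresses(ip_output, dev):
        return OCF_SUCCESS
    return OCF_NOT_RUNNING


if __name__ == "__main__":
    print("interface up:", monitor(SAMPLE_UP, "eth1", "192.168.10.100"))
    print("after ifdown:", monitor(SAMPLE_AFTER_IFDOWN, "eth1", "192.168.10.100"))
```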