[Pacemaker] Active/active firewall using pacemaker ... and a helluva lot of IP addresses

Dejan Muhamedagic dejanmm at fastmail.fm
Thu Jun 24 10:23:11 EDT 2010


Hi,

On Wed, Jun 23, 2010 at 06:44:44PM +0200, Roberto Suarez Soto wrote:
> Hi,
> 
> 	we've configured several active/active two-node firewalls using
> pacemaker and clusterip (an iptables extension; we use Linux), with good
> results. We have several IP addresses on the firewall that we use for NAT,
> both inbound and outbound, present on both nodes. They load balance traffic
> thanks to clusterip's magic. IPaddr2's OCF support for clusterip makes this
> easy.
> 
> 	But we've hit a wall with a new setup. This is also a two-node
> firewall, but the number of addresses it bears is 500+. And this seems to be
> a bit too much for pacemaker: the start time is very slow, a cleanup takes
> ages, and the cluster spends a lot of CPU time monitoring resources.
> 
> 	I don't know if there's something that could be done to handle this,
> pacemaker-wise. Our configuration right now is 500+ primitives (one for each
> IP address), all in one big group, and then this group cloned in both nodes.
> We've thought that maybe by splitting the IP addresses into small groups
> everything would be more manageable, but we've not tried it yet.
> 
> 	We've also thought about making a LSB script for all the IP/clusterip
> stuff, and then use this as a resource. But then we'd lose monitoring of IP
> addresses and clusterip related firewall rules. We definitely would like to
> use only pacemaker, and not rely on external hacks.
> 
> 	So, the short question is: should we be using pacemaker for this? We
> have used keepalived for scenarios like this, but IIRC, it doesn't support
> active-active setups (and if it does, please tell :-)).

You should modify IPaddr2 to read the list of addresses to be
managed from a static file, then handle all of them in a loop in
the start, stop, and monitor actions. I suppose that it
shouldn't be too complicated.

Thanks,

Dejan


> 	Thanks in advance,
> 
> -- 
>         Roberto Suarez Soto                             Allenta Consulting
>         robe at allenta.com                                   www.allenta.com
>                                                            +34 881 922 600
> 
> _______________________________________________
> Pacemaker mailing list: Pacemaker at oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
> 
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://developerbugs.linux-foundation.org/enter_bug.cgi?product=Pacemaker
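Dejan's suggestion above, as an added example that is not part of the original thread and not the real IPaddr2 agent: a small OCF-style shell agent that reads the address list from a file once and loops over it in start, stop and monitor, so pacemaker sees one primitive (cloned on both nodes) instead of 500. It assumes a list format of one `ADDR/PREFIX DEVICE` per line with `#` comments, a hypothetical `OCF_RESKEY_addr_file` parameter for the file path, and an `IP_BIN` variable so the loop can be exercised against a stub instead of the real `ip`. The CLUSTERIP iptables rule and the OCF meta-data XML are left out.

```shell
#!/bin/sh
# Added example (not IPaddr2): OCF-style agent that manages every address
# listed in one file, looping in start/stop/monitor.
# Assumed list format, one entry per line, '#' starts a comment:
#     ADDR/PREFIX DEVICE
# OCF_RESKEY_addr_file and IP_BIN are assumptions of this example; IP_BIN
# exists so the logic can run against a stub instead of real interfaces.

ADDR_FILE="${OCF_RESKEY_addr_file:-/etc/ha.d/cluster-addrs.list}"
IP_BIN="${IP_BIN:-ip}"

# Standard OCF exit codes
OCF_SUCCESS=0; OCF_ERR_GENERIC=1; OCF_ERR_ARGS=2
OCF_ERR_UNIMPLEMENTED=3; OCF_ERR_CONFIGURED=6; OCF_NOT_RUNNING=7

# valid_addr ADDR/PREFIX: dotted-quad IPv4 with prefix 0-32, or an IPv6
# literal (anything containing ':', checked loosely) with prefix 0-128.
valid_addr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; plen="${1#*/}"
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    case "$ip" in
        *:*) [ "$plen" -le 128 ] ;;
        *)
            old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
            [ $# -eq 4 ] && [ "$plen" -le 32 ] || return 1
            for o in "$@"; do
                case "$o" in ''|*[!0-9]*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
            done ;;
    esac
}

# read_addrs FILE: print "ADDR/PREFIX DEVICE" for every valid entry. A
# malformed line is a configuration error, not something to skip: a typo
# must not silently drop an address from the firewall.
read_addrs() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return $OCF_ERR_CONFIGURED; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line="${line%%#*}"           # strip trailing comment
        set -- $line                 # split entry on whitespace
        [ $# -eq 0 ] && continue     # blank or comment-only line
        if [ $# -ne 2 ] || ! valid_addr "$1"; then
            echo "$file:$n: malformed entry" >&2
            return $OCF_ERR_CONFIGURED
        fi
        printf '%s %s\n' "$1" "$2"
    done < "$file"
}

# addr_present ADDR/PREFIX DEVICE: true if the kernel already has it there
addr_present() {
    $IP_BIN -o addr show dev "$2" 2>/dev/null | grep -qF " $1 "
}

# do_action start|stop|monitor: one pass over the whole list. Failures are
# counted rather than aborting, so the result reflects every address.
do_action() {
    action="$1"
    addrs=$(read_addrs "$ADDR_FILE") || return $?
    total=0; missing=0; failed=0
    while read -r addr dev; do
        [ -n "$addr" ] || continue
        total=$((total + 1))
        case "$action" in
            start)   # idempotent: skip addresses that are already up
                addr_present "$addr" "$dev" && continue
                $IP_BIN addr add "$addr" dev "$dev" || failed=$((failed + 1)) ;;
            stop)
                addr_present "$addr" "$dev" || continue
                $IP_BIN addr del "$addr" dev "$dev" || failed=$((failed + 1)) ;;
            monitor)
                addr_present "$addr" "$dev" || missing=$((missing + 1)) ;;
            *) return $OCF_ERR_ARGS ;;
        esac
    done <<EOF
$addrs
EOF
    [ "$total" -gt 0 ] || return $OCF_ERR_CONFIGURED
    if [ "$action" = monitor ]; then
        [ "$missing" -eq 0 ] && return $OCF_SUCCESS
        [ "$missing" -eq "$total" ] && return $OCF_NOT_RUNNING
        return $OCF_ERR_GENERIC      # partly configured: pacemaker must recover it
    fi
    [ "$failed" -eq 0 ] && return $OCF_SUCCESS
    return $OCF_ERR_GENERIC
}

case "${1:-}" in
    start|stop|monitor) do_action "$1" ;;
    validate-all)       read_addrs "$ADDR_FILE" >/dev/null ;;
    meta-data)          echo "meta-data XML omitted from this example" >&2
                        exit $OCF_ERR_UNIMPLEMENTED ;;
    '')                 ;;           # no action given: only define the functions
    *)                  exit $OCF_ERR_UNIMPLEMENTED ;;
esac
```

Two things worth keeping from this shape when writing the real agent: a malformed line fails validation instead of being skipped, and monitor tells "nothing configured" (OCF_NOT_RUNNING) apart from "some addresses missing" (OCF_ERR_GENERIC), so pacemaker recovers a half-configured node rather than treating it as cleanly stopped. The cost of folding all addresses into one resource is that pacemaker can no longer fail over or clean up a single address on its own; that is the trade against running 500 monitor operations.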