[Pacemaker] two active-active service processes, but only one vIP

Ken Gaillot kjgaillo at gleim.com
Sat Sep 6 12:00:10 EDT 2014


On 9/5/14 11:23 PM, David Magda wrote:
> I have two nodes that I wish to run OpenLDAP slapd on. I want Pacemaker / CRM to check the health of the OpenLDAP daemon, and if it's healthy, I want that node to be a candidate for having a vIP live on it. If OpenLDAP's slapd is not healthy (process is down, incorrect query results, etc.) then I want the vIP to fail over to the other (presumably healthy) node.
>
> (I also want to do something similar with BIND named, but we'll use OpenLDAP as the working case for now.)
>
> The main thing is that I want the daemon to run on each node in active-active configuration (so Nagios can keep tabs on things), and only have the vIP for the LDAP service fail-over.
>
> The vIP is straightforward enough:
>
> 	sudo crm configure primitive vip_ldap2 \
> 		 ocf:heartbeat:IPaddr2 params ip="10.0.0.89" cidr_netmask="32"
>
> The following line creates a resource where slapd only runs on one of the nodes at a time, but I want it running on both:
>
> 	sudo crm configure primitive srv_slapd \
> 		ocf:heartbeat:slapd op monitor interval="30s"
>
> I'm using Debian 7 with default pacemaker 1.1.7-1 package, with the following resource agent:
>
> 	https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/slapd
>
> The slapd process can be either managed or unmanaged, but I think I would prefer unmanaged so that we can fiddle with it using the regular OS-level service commands. We don't use HA / clustering in a lot of places, and so it will probably be easy to forget that CRM is there, and so could lead to frustration if it's doing things behind our backs.
>
> From what I could tell, I want to create a primitive (is-managed=false) and make an anonymous clone, which can then be run on multiple nodes. Somehow? Maybe?

Hi David,

We do something very similar: two nodes running stock wheezy, bind and 
slapd on both, and two virtual IPs (one for DNS and one for LDAP) that 
can bounce back and forth between the nodes. This type of setup allows 
for DNS/LDAP resolution lists of the form virtual-ip, node1-ip, node2-ip.

If you're really set on not having slapd managed, Alex Samad's solution 
of customizing the IPaddr2 resource agent will likely perform better 
than trying to have pacemaker monitor an unmanaged resource.

We have bind and slapd as managed resources. You do have to remember not 
to use the init script for restarts, but other than that, all the usual 
commands work fine. (Even "rndc reload" doesn't bother pacemaker.)

The LDAP portion of our crm config (with additional comments) is:

# ocf:gleim:slapd is the unmodified slapd resource agent,
# from a later version of resource-agents than is available
# with wheezy
primitive ldap-daemon ocf:gleim:slapd \
         params config="/etc/ldap/slapd.d" \
                 user="openldap" group="openldap" \
                 services="ldap:/// ldapi:///" \
         op monitor interval="60" timeout="20" \
         op start interval="0" timeout="20" \
         op stop interval="0" timeout="20"

# This allows slapd to run on both hosts.
clone ldap-daemon-clone ldap-daemon \
         meta globally-unique="false" interleave="true"

# Bring up the virtual IP for LDAP resolution on one node.
# Replace xxx's with your virtual IP and mask.
primitive ldap-ip ocf:heartbeat:IPaddr2 \
         params ip="xxx.xxx.xxx.xxx" cidr_netmask="xxx" \
         op monitor depth="0" timeout="20s" interval="5s" \
         op start interval="0" timeout="20" \
         op stop interval="0" timeout="20"

# Bring up the virtual IP only on a host with a working slapd.
colocation ldap-ip-with-daemon +inf: ldap-ip ldap-daemon-clone

-- Ken Gaillot <kjgaillo at gleim.com>
    Gleim NOC
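
Added example, not part of the message above or of the Pacemaker project: a shell check for the colocation rule in that config, which reads `crm_mon -1` output and confirms that ldap-ip sits on a node where ldap-daemon-clone is started. Node names and the sample output are constructed, and the crm_mon text layout is an assumption that may differ between Pacemaker versions.

```shell
#!/bin/sh
# Added example, not from the original post. Resource names ldap-ip and
# ldap-daemon-clone come from the config above; node names and the sample
# crm_mon text are constructed, and the output layout is assumed.

# Reads `crm_mon -1` text on stdin and prints the node holding the VIP.
# Returns 0 if that node has a started slapd clone instance, 1 if it does
# not, 2 if the VIP is not started anywhere.
vip_placement_ok() {
    awk -v vip="ldap-ip" -v clone="ldap-daemon-clone" '
        # "Clone Set: ldap-daemon-clone [ldap-daemon]" opens a clone section
        $1 == "Clone" && $2 == "Set:" { in_clone = ($3 == clone); next }
        # "Started: [ node1 node2 ]" lists nodes with an active instance
        in_clone && $1 == "Started:" {
            for (i = 3; i < NF; i++) up[$i] = 1
            in_clone = 0; next
        }
        # "ldap-ip (ocf::heartbeat:IPaddr2): Started node1"
        $1 == vip && $(NF-1) == "Started" { vip_node = $NF }
        END {
            if (vip_node == "") exit 2
            print vip_node
            exit ((vip_node in up) ? 0 : 1)
        }'
}

# Constructed sample: slapd up on both nodes, VIP on node1.
sample_healthy() { cat <<'EOF'
Online: [ node1 node2 ]

 Clone Set: ldap-daemon-clone [ldap-daemon]
     Started: [ node1 node2 ]
 ldap-ip  (ocf::heartbeat:IPaddr2):  Started node1
EOF
}

# Constructed sample: slapd failed on node2 but the VIP is still there.
sample_misplaced() { cat <<'EOF'
Online: [ node1 node2 ]

 Clone Set: ldap-daemon-clone [ldap-daemon]
     Started: [ node1 ]
     Stopped: [ ldap-daemon:1 ]
 ldap-ip  (ocf::heartbeat:IPaddr2):  Started node2
EOF
}

sample_healthy   | vip_placement_ok; echo "healthy rc=$?"
sample_misplaced | vip_placement_ok; echo "misplaced rc=$?"
```

On a cluster node the same function can be fed live state with `crm_mon -1 | vip_placement_ok`, for example from a Nagios check.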



