[ClusterLabs] Configuring booth for multi-site cluster
dejanmm at fastmail.fm
Wed Nov 1 05:20:12 EDT 2017
On Tue, Oct 31, 2017 at 09:31:56AM +0100, Nicolas Huillard wrote:
> On Tuesday, 31 October 2017 at 08:25 +0100, Dejan Muhamedagic wrote:
> > > * is it a good idea to route the booth plain UDP/9929 traffic via
> > > Internet ? (the firewalls are configured to accept only traffic
> > > from/to the known public addresses, and the booth shared secret
> > > authentication remains secret)
> > There's nothing particularly interesting in booth traffic.
> Maybe an injection could be bad, but it's apparently taken care of with
> timestamps. I'll try to use this simplest setup without IPsec.
IIRC, there's a description of the authentication process.
> > > * is it possible to use some kind of special syntax in booth.conf
> > > to declare both the NATted local and the public addresses, say
> > > arbitrator="192.168.1.1 at 188.8.131.52"
> > That never occurred as a possible setup/requirement and I'm not
> > sure if it'd be necessary. Shouldn't it be possible that the
> > arbitrator's internal address is also translated into the public
> > one? Or does booth at the arbitrator complain about it?
> Yes, it does (sorry I forgot that info):
> booth: : ERROR: Cannot find myself in the configuration.
> ...when using the external IP (184.108.40.206)
> This internal NATted IP is known to the arbitrator, but not to the other
> sites, whereas the external IP is reachable from the other sites, but
> not the arbitrator itself.
> Thus the above pseudo-syntax, resembling a bit the ipsec.conf details
> in a NATted setup.
Ah, right. Too bad.
> > > * is IPsec mandatory, and if so, what is the best setup ? (both
> > > sites have a DMZ and a cluster private network, both use PPPoE to
> > > reach the internet; each Pacemaker manages a virtual IP in the DMZ
> > > and another in the internal network, and spawns the pppd daemon
> > > which acts as a gateway to the Internet; there is an existing IPsec
> > > tunnel between the 2 sites' internal networks)
> > No, IPsec is not mandatory.
> Great... or so. I don't know any other way to make the
> internal/external IPs match.
> I just tried using DNS names (resolving into different IPs depending on
> location), to no avail:
> booth: : ERROR: Address string "address.at.arbitrator.net" is bad
Only numerical addresses were supported, but in the meantime
one can also use names.
> It just occurred to me that I can also try NOT to have the exact same
> booth.conf in all the instances...
Well, in this case that could hopefully help. Otherwise, could
you please open an issue at github, maybe there is an easy way to
> > > * with IPsec, should the booth.conf site= and arbitrator= IPs be
> > > the internal virtual IPs, or DMZ IPs, or something else entirely ?
> > Well, however the sites address each other ;-)
> Both sites can address each other in a symmetric way (I'll choose the
> exact fashion in time then), but the arbitrator is an outlier with its
> NAT (that I can't change for various other reasons).
> I understand that my setup is not high-end, as I try to take advantage
> of an existing well-managed home server.
The arbitrator is needed only, well, to arbitrate and by
definition cannot be a SPOF. But it should function reliably when
needed; for instance, you better have a not too flaky provider.
booth is being tested also in (simulated) networks of all kinds,
but it won't be of much use if there's no connection at all.
> Nicolas Huillard
> Users mailing list: Users at clusterlabs.org
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
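As an added example, not part of the thread and not booth's own code, a simplified Python model of the start-up check behind the "Cannot find myself in the configuration" error quoted above: one site= or arbitrator= entry must resolve to an address the local host owns, so an arbitrator that only knows its internal address cannot match its public, post-NAT entry. The local address list and the name table are explicit parameters (assumptions standing in for interface enumeration and a location-dependent DNS view); the sample configuration is constructed, reusing only the addresses quoted in the thread.

```python
import ipaddress
import re

# Matches booth.conf lines such as site="10.1.0.10" or arbitrator=188.8.131.52
ENTRY_RE = re.compile(r'^\s*(site|arbitrator)\s*=\s*"?([^"\s]+)"?\s*$')

def parse_booth_conf(text):
    """Return [(role, address)] for each site= / arbitrator= line; other
    keys (transport, port, authfile, ticket) are irrelevant to this check."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.split("#", 1)[0])
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def resolve(addr, name_table):
    """Numeric addresses pass through; names go through the caller-supplied
    table, which models DNS answering differently at each location."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        if addr not in name_table:
            raise ValueError(f'Address string "{addr}" is bad')
        return name_table[addr]

def find_myself(conf_text, local_addrs, name_table=None):
    """Return the (role, address) entry matching one of this host's own
    addresses, or None, the case booth reports as 'Cannot find myself'."""
    local = {str(ipaddress.ip_address(a)) for a in local_addrs}
    for role, addr in parse_booth_conf(conf_text):
        if resolve(addr, name_table or {}) in local:
            return (role, addr)
    return None

# Constructed config in the shape the thread discusses: two sites plus the
# arbitrator listed by the public address its NAT presents to the sites.
SHARED_CONF = """
transport="UDP"
port="9929"
authfile="/etc/booth/authkey"
site="10.1.0.10"
site="10.2.0.10"
arbitrator="188.8.131.52"
ticket="ticketA"
"""

# Same config with the arbitrator given by a (hypothetical) name, so each
# location can resolve it to the address that is reachable from there.
NAMED_CONF = SHARED_CONF.replace('arbitrator="188.8.131.52"',
                                 'arbitrator="arbitrator.example.invalid"')
```

With SHARED_CONF a site host (local 10.1.0.10) finds itself, while the arbitrator (local 192.168.1.1) gets None, mirroring the error in the thread; with NAMED_CONF and a name table that maps the name to 192.168.1.1 at the arbitrator, the check passes there too.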