[ClusterLabs] Configuring booth for multi-site cluster

Nicolas Huillard nicolas at huillard.net
Mon Oct 30 14:03:28 EDT 2017


Hello all,

I have 2 sites, each with an independent configured cluster
(corosync+pacemaker), and an arbitrator server, which is behind a NAT
connection to the Internet.
I see in the booth.conf templates that each site/arbitrator is only
designated by a single IP address, not taking into account the
potential NAT, i.e. the arbitrator identifies itself using its internal
address, but is reached from the outside using the public address of
the NAT device.
IPsec is mentioned in https://www.suse.com/documentation/sle-ha-geo-12
/singlehtml/art-ha-geo-quick-start/art-ha-geo-quick-start.html without
much detail.
I'm using booth 1.0 from Debian/stretch.

Questions:
* is it a good idea to route the booth plain UDP/9929 traffic via the
Internet? (the firewalls are configured to accept only traffic from/to
the known public addresses, and the booth shared secret authentication
remains secret)
* is it possible to use some kind of special syntax in booth.conf to
declare both the NATted local and the public addresses, say
arbitrator="192.168.1.1 at 81.12.34.56"
* is IPsec mandatory, and if so, what is the best setup? (both sites
have a DMZ and a cluster private network, both use PPPoE to reach the
Internet; each Pacemaker manages a virtual IP in the DMZ and another in
the internal network, and spawns the pppd daemon which acts as a
gateway to the Internet; there is an existing IPsec tunnel between the
2 sites' internal networks)
* with IPsec, should the booth.conf site= and arbitrator= IPs be the
internal virtual IPs, or DMZ IPs, or something else entirely?

TIA,

-- 
Nicolas Huillard