[ClusterLabs] Configuring booth for multi-site cluster

Dejan Muhamedagic dejanmm at fastmail.fm
Tue Oct 31 03:25:09 EDT 2017


Hi,

On Mon, Oct 30, 2017 at 07:03:28PM +0100, Nicolas Huillard wrote:
> Hello all,
> 
> I have 2 sites, each with an independent configured cluster
> (corosync+pacemaker), and an arbitrator server, which is behind a NAT
> connection to the Internet.
> I see in the booth.conf templates that each site/arbitrator is only
> designated by a single IP address, not taking into account the
> potential NAT, ie. the arbitrator identifies itself using its internal
> address, but is reached from the outside using the public address of
> the NAT device.
> IPsec is mentioned in https://www.suse.com/documentation/sle-ha-geo-12/singlehtml/art-ha-geo-quick-start/art-ha-geo-quick-start.html
> without much detail.
> I'm using booth 1.0 from Debian/stretch.
> 
> Questions:
> * is it a good idea to route the booth plain UDP/9929 traffic via
> Internet ? (the firewalls are configured to accept only traffic from/to
> the known public addresses, and the booth shared secret authentication
> remains secret)

There's nothing particularly interesting in booth traffic.

> * is it possible to use some kind of special syntax in booth.conf to
> declare both the NATted local and the public addresses, say
> arbitrator="192.168.1.1 at 81.12.34.56"

That never occurred as a possible setup/requirement and I'm not
sure if it'd be necessary. Shouldn't it be possible that the
arbitrator's internal address is also translated into the public
one? Or does booth at the arbitrator complain about it?

> * is IPsec mandatory, and if so, what is the best setup ? (both sites
> have a DMZ and a cluster private network, both use PPPoE to reach the
> internet; each Pacemaker manages a virtual IP in the DMZ and another in
> the internal network, and spawns the pppd daemon which acts as a
> gateway to the Internet; there is an existing IPsec tunnel between the
> 2 sites' internal networks)

No, IPsec is not mandatory.

> * with IPsec, should the booth.conf site= and arbitrator= IPs be the
> internal virtual IPs, or DMZ IPs, or something else entirely ?

Well, however the sites address each other ;-)

Thanks,

Dejan

> TIA,
> 
> -- 
> Nicolas Huillard
> 