[ClusterLabs] Configuring booth for multi-site cluster
Nicolas Huillard
nicolas at huillard.net
Tue Oct 31 04:31:56 EDT 2017
Le mardi 31 octobre 2017 à 08:25 +0100, Dejan Muhamedagic a écrit :
> > * is it a good idea to route the booth plain UDP/9929 traffic via
> > Internet ? (the firewalls are configured to accept only traffic from/to
> > the known public addresses, and the booth shared secret authentication
> > remains secret)
>
> There's nothing particularly interesting in booth traffic.
Maybe an injection could be bad, but it's apparently taken care of with
timestamps. I'll try to use this simplest setup without IPsec.
> > * is it possible to use some kind of special syntax in booth.conf to
> > declare both the NATted local and the public addresses, say
> > arbitrator="192.168.1.1 at 81.12.34.56"
>
> That never occurred as a possible setup/requirement and I'm not
> sure if it'd be necessary. Shouldn't it be possible that the
> arbitrator's internal address is also translated into the public
> one? Or does booth at the arbitrator complain about it?
Yes, it does (sorry I forgot that info):
booth: [536]: ERROR: Cannot find myself in the configuration.
...when using the external IP (81.12.34.56)
This internal NATted IP is known to the arbitrator, but not to the other
sites, whereas the external IP is reachable from the other sites, but
not from the arbitrator itself.
Thus the above pseudo-syntax, resembling a bit the ipsec.conf details
in a NATted setup.
> > * is IPsec mandatory, and if so, what is the best setup ? (both sites
> > have a DMZ and a cluster private network, both use PPPoE to reach the
> > internet; each Pacemaker manages a virtual IP in the DMZ and another in
> > the internal network, and spawns the pppd daemon which acts as a
> > gateway to the Internet; there is an existing IPsec tunnel between the
> > 2 sites' internal networks)
>
> No, IPsec is not mandatory.
Great... or so. I don't know any other way to make the
internal/external IPs match.
I just tried using DNS names (resolving into different IPs depending on
location), to no avail:
booth: [5364]: ERROR: Address string "address.at.arbitrator.net" is bad
It just occurred to me that I can also try NOT to have the exact same
booth.conf in all the instances...
> > * with IPsec, should the booth.conf site= and arbitrator= IPs be the
> > internal virtual IPs, or DMZ IPs, or something else entirely ?
>
> Well, however the sites address each other ;-)
Both sites can address each other in a symmetric way (I'll choose the
exact fashion in time then), but the arbitrator is an outlier with its
NAT (that I can't change for various other reasons).
I understand that my setup is not high-end, as I try to take advantage
of an existing well-managed home server.
--
Nicolas Huillard