[ClusterLabs] Support for xt_cluster

Ken Gaillot kgaillot at redhat.com
Thu Dec 19 11:18:49 EST 2019 

On Thu, 2019-12-19 at 15:01 +0000, Marcus Vinicius wrote:
> Hi, 
> 
> As I know, CLUSTERIP is deprecated for some time. Recent
> distributions doesn't have this module on their repositories at all
> (Red Hat 8)
> 
> It seems Pacemaker still use CLUSTERIP for clone an IP address.
> 
> For this reason, I have the following error on an Active/Active
> cluster VIP: 
> 
> Cenario: 
> 
> CentOS 8
> Pacemaker 2.0.1
> Kernel 4.18.0
> Iptables 1.8.2
> 
> # pcs resource create ClusterIP ocf:heartbeat:IPaddr2
> ip=172.18.14.100 nic=ens160 cidr_netmask=24 op monitor interval=2s
> # pcs resource clone ClusterIP
> # pcs status
> ...
> Failed Resource Actions:
> * ClusterIP_start_0 on pcsnode1 'unknown error' (1): call=40,
> status=complete, exitreason='iptables failed',
>     last-rc-change='Thu Dec 19 12:30:40 2019', queued=0ms, exec=172ms
> 
> Logs: 
> 
> Dec 19 12:32:54 pcsnode1 IPaddr2(ClusterIP)[10245]: ERROR: iptables
> failed
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice:
> ClusterIP_start_0:10245:stderr [ iptables v1.8.2 (nf_tables): chain
> name not allowed to start with `-' ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice:
> ClusterIP_start_0:10245:stderr [  ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice:
> ClusterIP_start_0:10245:stderr [ Try `iptables -h' or 'iptables --
> help' for more information. ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice:
> ClusterIP_start_0:10245:stderr [ ocf-exit-reason:iptables failed ]
> Dec 19 12:32:54 pcsnode1 pacemaker-controld[1439]: notice: Result of
> start operation for ClusterIP on pcsnode1: 1 (unknown error)
> 
> Any one can simulate the module problem, outside Pacemaker, with this
> command: 
> 
> Perfectly good for CentOS 7 installation with ipt_CLUSTERIP.ko: 
> 
> # iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new
> --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --
> total-nodes 2 --local-node 2 --hash-init 0
> 
> No good for a default CentOS 8 installation: 
> 
> # iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new
> --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --
> total-nodes 2 --local-node 2 --hash-init 0
> iptables v1.8.2 (nf_tables): chain name not allowed to start with `-'
> 
> Try `iptables -h' or 'iptables --help' for more information.
> 
> 
> Is there any intention to abandon CLUSTERIP

yes

>  in favor of xt_cluster.ko? 

no

:)

A recent thread about this:
https://lists.clusterlabs.org/pipermail/users/2019-December/026663.html

resulted in a change to allow IPaddr2 clones to continue working on
newer systems if "iptables-legacy" is available:
https://github.com/ClusterLabs/resource-agents/pull/1439

tl;dr Cloned IPaddr2 is supported only on platforms that support
CLUSTERIP, and can be considered deprecated since CLUSTERIP itself is
deprecated. A pull request with an xt_cluster implementation would be
very welcome, as it's a low priority for available developers.

> Thanks a lot!
> 
> 
> Att,
> 
> Marcus Vinícius
-- 
Ken Gaillot <kgaillot at redhat.com>

More information about the Users mailing list