[ClusterLabs] Still Beginner STONITH Problem

stefan.schmitz at farmpartner-tec.com stefan.schmitz at farmpartner-tec.com
Tue Jul 14 04:06:42 EDT 2020 

Hello,


Am 09.07.2020 um 19:10 Strahil Nikolov wrote:
 >Have  you  run 'fence_virtd  -c' ?
Yes I had run that on both Hosts. The current config looks like that and 
is identical on both.

cat fence_virt.conf
fence_virtd {
         listener = "multicast";
         backend = "libvirt";
         module_path = "/usr/lib64/fence-virt";
}

listeners {
         multicast {
                 key_file = "/etc/cluster/fence_xvm.key";
                 address = "225.0.0.12";
                 interface = "bond0";
                 family = "ipv4";
                 port = "1229";
         }

}

backends {
         libvirt {
                 uri = "qemu:///system";
         }

}


The situation is still that no matter on what host I issue the 
"fence_xvm -a 225.0.0.12 -o list" command, both guest systems receive 
the traffic. The local guest, but also the guest on the other host. I 
reckon that means the traffic is not filtered by any network device, 
like switches or firewalls. Since the guest on the other host receives 
the packages, the traffic must reach te physical server and 
networkdevice and is then routed to the VM on that host.
But still, the traffic is not shown on the host itself.

Further the local firewalls on both hosts are set to let each and every 
traffic pass. Accept to any and everything. Well at least as far as I 
can see.


Am 09.07.2020 um 22:34 Klaus Wenninger wrote:
 > makes me believe that
 > the whole setup doesn't lookas I would have
 > expected (bridges on each host where theguest
 > has a connection to and where ethernet interfaces
 > that connect the 2 hosts are part of as well

On each physical server the networkcards are bonded to achieve failure 
safety (bond0). The guest are connected over a bridge(br0) but 
apparently our virtualization softrware creates an own device named 
after the guest (kvm101.0).
There is no direct connection between the servers, but as I said 
earlier, the multicast traffic does reach the VMs so I assume there is 
no problem with that.


Am 09.07.2020 um 20:18 Vladislav Bogdanov wrote:
 > First, you need to ensure that your switch (or all switches in the
 > path) have igmp snooping enabled on host ports (and probably
 > interconnects along the path between your hosts).
 >
 > Second, you need an igmp querier to be enabled somewhere near (better
 > to have it enabled on a switch itself). Please verify that you see its
 > queries on hosts.
 >
 > Next, you probably need to make your hosts to use IGMPv2 (not 3) as
 > many switches still can not understand v3. This is doable by sysctl,
 > find on internet, there are many articles.


I have send an query to our Data center Techs who are analyzing this and 
were already on it analyzing if multicast Traffic is somewhere blocked 
or hindered. So far the answer is, "multicast ist explictly allowed in 
the local network and no packets are filtered or dropped". I am still 
waiting for a final report though.

In the meantime I have switched IGMPv3 to IGMPv2 on every involved 
server, hosts and guests via the mentioned sysctl. The switching itself 
was successful, according to "cat /proc/net/igmp" but sadly did not 
better the behavior. It actually led to that no VM received the 
multicast traffic anymore too.

kind regards
Stefan Schmitz


Am 09.07.2020 um 22:34 schrieb Klaus Wenninger:
> On 7/9/20 5:17 PM, stefan.schmitz at farmpartner-tec.com wrote:
>> Hello,
>>
>>> Well, theory still holds I would say.
>>>
>>> I guess that the multicast-traffic from the other host
>>> or the guestsdoesn't get to the daemon on the host.
>>> Can't you just simply check if there are any firewall
>>> rules configuredon the host kernel?
>>
>> I hope I did understand you corretcly and you are referring to iptables?
> I didn't say iptables because it might have been
> nftables - but yesthat is what I was referring to.
> Guess to understand the config the output is
> lacking verbositybut it makes me believe that
> the whole setup doesn't lookas I would have
> expected (bridges on each host where theguest
> has a connection to and where ethernet interfaces
> that connect the 2 hosts are part of as well -
> everythingconnected via layer 2 basically).
>> Here is the output of the current rules. Besides the IP of the guest
>> the output is identical on both hosts:
>>
>> # iptables -S
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> SOLUSVM_TRAFFIC_IN  all  --  anywhere             anywhere
>> SOLUSVM_TRAFFIC_OUT  all  --  anywhere             anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain SOLUSVM_TRAFFIC_IN (1 references)
>> target     prot opt source               destination
>>             all  --  anywhere             192.168.1.14
>>
>> Chain SOLUSVM_TRAFFIC_OUT (1 references)
>> target     prot opt source               destination
>>             all  --  192.168.1.14         anywhere
>>
>> kind regards
>> Stefan Schmitz
>>
>>
>

More information about the Users mailing list