[ClusterLabs] About RA ocf:heartbeat:portblock
Murat Inal
mrt_nl at hotmail.com
Fri Oct 18 18:45:48 UTC 2024
Hi Oyvind,
Probably the current portblock has a bug. It CREATES a netfilter rule on
start(), however it DOES NOT DELETE the rule on stop().
Here is the configuration of my simple 2-node + 1-qdevice cluster:
node 1: node-a-knet \
attributes standby=off
node 2: node-b-knet \
attributes standby=off
primitive r-porttoggle portblock \
params action=block direction=out ip=172.16.0.1 portno=1234 protocol=udp \
op monitor interval=10s timeout=10s \
op start interval=0s timeout=20s \
op stop interval=0s timeout=20s
primitive r-vip IPaddr2 \
params cidr_netmask=24 ip=10.1.6.253 \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=20s \
op stop interval=0s timeout=20s
colocation c1 inf: r-porttoggle r-vip
order o1 r-vip r-porttoggle
property cib-bootstrap-options: \
have-watchdog=false \
dc-version=2.1.6-6fdc9deea29 \
cluster-infrastructure=corosync \
cluster-name=testcluster \
stonith-enabled=false \
last-lrm-refresh=1729272215
- I checked the switchover and observed the netfilter chain (watch sudo
iptables -L OUTPUT) in real time,
- Tried portblock with parameter direction=out & both.
- Checked if the relevant functions IptablesBLOCK() & IptablesUNBLOCK()
are executing (by inserting syslog mark messages inside). They do run.
However the rule is ONLY created, NEVER deleted.
Any suggestions?
On 10/9/24 11:26, Oyvind Albrigtsen wrote:
> Correct. That should block the port when the resource is stopped on a
> node (e.g. if you have it grouped with the service you're using on the
> port).
>
> I would do some testing to ensure it works exactly as you expect. E.g.
> you can telnet to the port, or you can run nc/socat on the port and
> telnet to it from the node it blocks/unblocks. If it doesn't accept
> the connection you know it's blocked.
>
>
> Oyvind Albrigtsen
>
> On 06/10/24 22:46 GMT, Murat Inal wrote:
>> Hello,
>>
>> I'd like to confirm with you the mechanism of ocf:heartbeat:portblock.
>>
>> Given a resource definition;
>>
>> Resource: r41_LIO (class=ocf provider=heartbeat type=portblock)
>> Attributes: r41_LIO-instance_attributes
>> action=unblock
>> ip=10.1.8.194
>> portno=3260
>> protocol=tcp
>>
>> - If resource starts, TCP:3260 is UNBLOCKED.
>>
>> - If resource is stopped, TCP:3260 is BLOCKED.
>>
>> Is that correct? If action=block, it will run just the opposite,
>> correct?
>>
>> To toggle a port, a single portblock resource is enough, correct?
>>
>> Thanks,
>>
>> _______________________________________________
>> Manage your subscription:
>> https://lists.clusterlabs.org/mailman/listinfo/users
>>
>> ClusterLabs home: https://www.clusterlabs.org/
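A small check that supports the two things discussed in this thread: confirming what the OUTPUT chain looks like after start, and catching a rule that portblock's stop() leaves behind. This is an added example, not code from the thread or from the resource-agents project. The rule shape it looks for (a DROP rule carrying `-d IP`, `-p PROTO` and `--dport(s) PORT`, as printed by `iptables -S`) is an assumption about how portblock writes its rules; compare it with the real `iptables -S OUTPUT` output on your node before relying on it. The sample chain dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the resource-agents project).
# Detects a portblock-style DROP rule that is still present after the
# resource was stopped. Rule layout is an assumption (see lead-in).

# leftover_rules DUMP IP PORT PROTO
#   DUMP is the text of `iptables -S <chain>`. Prints every DROP rule that
#   matches all three selectors; exit status 0 if at least one was found.
#   Each selector is matched separately so the option order iptables-save
#   uses (-d before -p, then -m multiport --dports) does not matter.
leftover_rules() {
    dump=$1; ip=$2; port=$3; proto=$4
    printf '%s\n' "$dump" \
        | grep -F -- "-j DROP" \
        | grep -F -- "-p ${proto}" \
        | grep -E -- "-d ${ip}(/32)?( |$)" \
        | grep -E -- "--dports? (.*,)?${port}(,| |$)"
}

# check_stopped DUMP IP PORT PROTO
#   Returns 0 when the chain is clean, 1 (and a message on stderr) when
#   a rule for that ip/port/protocol is still installed.
check_stopped() {
    if leftover_rules "$@" >/dev/null; then
        echo "LEAK: ${4}/${3} -> ${2} is still blocked after stop" >&2
        return 1
    fi
    return 0
}

# live_check CHAIN IP PORT PROTO
#   Same check against the running kernel; run it on the node right after
#   `crm resource stop <portblock resource>` (needs root for iptables).
live_check() {
    check_stopped "$(iptables -S "$1")" "$2" "$3" "$4"
}

# Constructed `iptables -S OUTPUT` dump: what the chain looks like while the
# resource from the thread (udp/1234 to 172.16.0.1, direction=out) is started...
SAMPLE_AFTER_START='-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.0.1/32 -p udp -m multiport --dports 1234 -j DROP'

# ...and what it should look like after a correct stop().
SAMPLE_AFTER_STOP='-P OUTPUT ACCEPT'

# A rule for a different port must not be mistaken for the leaked one.
SAMPLE_OTHER_PORT='-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.0.1/32 -p udp -m multiport --dports 12345 -j DROP'

# Stand-alone run: exercise both samples offline.
if [ "${1:-}" = "demo" ]; then
    check_stopped "$SAMPLE_AFTER_STOP"  172.16.0.1 1234 udp && echo "after stop: clean"
    check_stopped "$SAMPLE_AFTER_START" 172.16.0.1 1234 udp || echo "after start: rule present (expected)"
fi
```

On a real node, `live_check OUTPUT 172.16.0.1 1234 udp` after stopping the resource should print nothing and return 0; a non-zero return means the rule survived stop(), which is the symptom described above. Because the match is done on `iptables -S` text rather than `iptables -L`, it is not fooled by the hostname or service-name resolution that `-L` applies by default.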