[ClusterLabs] About RA ocf:heartbeat:portblock

Oyvind Albrigtsen oalbrigt at redhat.com
Mon Oct 21 09:25:22 UTC 2024


I would try running "pcs resource debug-stop --full <resource>" to see
what's happening, and try to run the "iptables -D" line manually if it
doesn't show you an error.


Oyvind

On 18/10/24 21:45 +0300, Murat Inal wrote:
>Hi Oyvind,
>
>Probably the current portblock has a bug. It CREATES the netfilter rule on 
>start(), however it DOES NOT DELETE the rule on stop().
>
>Here is the configuration of my simple 2 node + 1 qdevice cluster;
>
>
>node 1: node-a-knet \
>    attributes standby=off
>node 2: node-b-knet \
>    attributes standby=off
>primitive r-porttoggle portblock \
>    params action=block direction=out ip=172.16.0.1 portno=1234 protocol=udp \
>    op monitor interval=10s timeout=10s \
>    op start interval=0s timeout=20s \
>    op stop interval=0s timeout=20s
>primitive r-vip IPaddr2 \
>    params cidr_netmask=24 ip=10.1.6.253 \
>    op monitor interval=10s timeout=20s \
>    op start interval=0s timeout=20s \
>    op stop interval=0s timeout=20s
>colocation c1 inf: r-porttoggle r-vip
>order o1 r-vip r-porttoggle
>property cib-bootstrap-options: \
>    have-watchdog=false \
>    dc-version=2.1.6-6fdc9deea29 \
>    cluster-infrastructure=corosync \
>    cluster-name=testcluster \
>    stonith-enabled=false \
>    last-lrm-refresh=1729272215
>
>
>- I checked the switchover and observed the netfilter chain (watch sudo 
>iptables -L OUTPUT) in real time,
>
>- Tried portblock with parameter direction=out & both.
>
>- Checked if the relevant functions IptablesBLOCK() & 
>IptablesUNBLOCK() are executing (by inserting syslog mark messages 
>inside). They do run.
>
>However, the rule is ONLY created, NEVER deleted.
>
>Any suggestions?
>
>
>On 10/9/24 11:26, Oyvind Albrigtsen wrote:
>
>>Correct. That should block the port when the resource is stopped on a
>>node (e.g. if you have it grouped with the service you're using on the
>>port).
>>
>>I would do some testing to ensure it works exactly as you expect. E.g.
>>you can telnet to the port, or you can run nc/socat on the port and
>>telnet to it from the node it blocks/unblocks. If it doesn't accept
>>the connection you know it's blocked.
>>
>>
>>Oyvind Albrigtsen
>>
>>On 06/10/24 22:46 GMT, Murat Inal wrote:
>>>Hello,
>>>
>>>I'd like to confirm with you the mechanism of ocf:heartbeat:portblock.
>>>
>>>Given a resource definition;
>>>
>>>Resource: r41_LIO (class=ocf provider=heartbeat type=portblock)
>>>  Attributes: r41_LIO-instance_attributes
>>>    action=unblock
>>>    ip=10.1.8.194
>>>    portno=3260
>>>    protocol=tcp
>>>
>>>- If resource starts, TCP:3260 is UNBLOCKED.
>>>
>>>- If resource is stopped, TCP:3260 is BLOCKED.
>>>
>>>Is that correct? If action=block, it will run just the opposite, 
>>>correct?
>>>
>>>To toggle a port, a single portblock resource is enough, correct?
>>>
>>>Thanks,
>>>
>>>_______________________________________________
>>>Manage your subscription:
>>>https://lists.clusterlabs.org/mailman/listinfo/users
>>>
>>>ClusterLabs home: https://www.clusterlabs.org/
>>
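The check suggested above (run debug-stop, then look at the chain) can be made exact by reading the chain back with `iptables -S`. The script below is an added example, not code from this thread or from the ocf:heartbeat:portblock agent: it scans a chain listing for DROP rules matching the resource's protocol, ip and port and prints each one as the `iptables -D` command that removes it. The function names and the sample listing are constructed here, and the rule shape it looks for (a DROP in the watched chain carrying the address as `-s` or `-d`, the port as `--dport` or `--dports`) is an assumption, not taken from the agent's source.

```shell
# portblock_leftovers CHAIN PROTO IP PORT   (reads an `iptables -S CHAIN` listing on stdin)
# Prints one `iptables -D ...` command per DROP rule in CHAIN that matches the
# protocol, address and destination port. Like grep: exit 0 if any was found, 1 if none.
portblock_leftovers() {
  awk -v chain="$1" -v proto="$2" -v ip="$3" -v port="$4" '
    # `iptables -S` prints every appended rule as "-A CHAIN <matches> -j TARGET".
    $1 == "-A" && $2 == chain && $NF == "DROP" {
      okproto = okip = okport = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-p" && $(i + 1) == proto) okproto = 1
        # Assumption: the address may be given as -s or -d, with or without /32.
        if (($i == "-s" || $i == "-d") && ($(i + 1) == ip || $(i + 1) == (ip "/32"))) okip = 1
        # Single-port (--dport) and multiport (--dports) forms both count.
        if (($i == "--dport" || $i == "--dports") && $(i + 1) == port) okport = 1
      }
      if (okproto && okip && okport) { sub(/^-A/, "-D"); print "iptables " $0; found++ }
    }
    END { exit(found ? 0 : 1) }'
}

# Constructed `iptables -S OUTPUT` listing (not captured from a real node): the
# r-porttoggle rule from this thread is still present after the stop, next to a
# DROP for the TCP 3260 case from the earlier mail and an unrelated ACCEPT rule.
SAMPLE_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -s 172.16.0.1/32 -p udp -m multiport --dports 1234 -j DROP
-A OUTPUT -d 10.1.8.194/32 -p tcp -m tcp --dport 3260 -j DROP
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# leftover_count CHAIN PROTO IP PORT: how many matching rules SAMPLE_LISTING holds.
leftover_count() {
  printf '%s\n' "$SAMPLE_LISTING" | portblock_leftovers "$@" | awk 'END { print NR }'
}

# Demo on the constructed listing: prints the exact delete command for the
# thread's resource, then the number of leftovers (1 here).
printf '%s\n' "$SAMPLE_LISTING" | portblock_leftovers OUTPUT udp 172.16.0.1 1234
echo "leftovers: $(leftover_count OUTPUT udp 172.16.0.1 1234)"
# On a node, after the stop: iptables -S OUTPUT | portblock_leftovers OUTPUT udp 172.16.0.1 1234
```

If more than one line comes back, the rule was inserted more than once and a single `iptables -D` removes only one copy, so run the printed commands until the listing is clean.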


