Re: [ClusterLabs] Clustered LVM with iptables issue

[Vladislav Bogdanov]

Hi Digimer,

Be aware that SCTP support in both kernel and DLM _may_ have issues (as 
long as I remember it was not recommended to use at least in cman's 
version of DLM at least because of the leak of testing).

I believe you can force use of TCP via dlm_controld parameters (or 
config options). Of course that could require some kind of bonding to be 
involved. Btw that is the main reason I prefer bonding over multi-ring 
configurations.

Best,
Vladislav

11.09.2015 02:43, Digimer wrote:
For the record;

   Noel helped me on IRC. The problem was that sctp was now allowed in
the firewall. The clue was:

====
[root@node1 ~]# /etc/init.d/clvmd start
Starting clvmd:
Activating VG(s):                                          [  OK  ]
====

====] syslog
Sep 10 23:30:47 node1 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Sep 10 23:30:47 node1 kernel: nf_conntrack version 0.5.0 (16384 buckets,
65536 max)
*** Sep 10 23:31:02 node1 kernel: dlm: Using SCTP for communications
Sep 10 23:31:03 node1 clvmd: Cluster LVM daemon started - connected to CMAN
====

====
[root@node2 ~]# /etc/init.d/clvmd start
Starting clvmd: clvmd startup timed out
====

====] syslog
Sep 10 23:31:03 node2 kernel: dlm: Using SCTP for communications
Sep 10 23:31:05 node2 corosync[3001]:   [TOTEM ] Incrementing problem
counter for seqid 5644 iface 10.20.10.2 to [1 of 3]
Sep 10 23:31:07 node2 corosync[3001]:   [TOTEM ] ring 0 active with no
faults
====

Adding;

iptables -I INPUT -p sctp -j ACCEPT

Got it working. Obviously, that needs to be tightened up.

digimer

On 10/09/15 07:01 PM, Digimer wrote:
On 10/09/15 06:54 PM, Noel Kuntze wrote:

Hello Digimer,

I initially assumed you were familiar with ss or netstat and simply
forgot about them.
Seems I was wrong.

Check the output of this: `ss -tpn` and `ss -upn`.
Those commands give you the current open TCP and UDP connections,
as well as the program that opened the connection.
Check listening sockets with `ss -tpnl` and `ss -upnl`

I'm not so strong on the network side of things, so I am not very
familiar with ss or netstat.

I have clvmd running:

====
[root@node1 ~]# /etc/init.d/clvmd status
clvmd (pid  3495) is running...
Clustered Volume Groups: (none)
Active clustered Logical Volumes: (none)
====

Thought I don't seem to see anything:

====
[root@node1 ~]# ss -tpnl
State      Recv-Q Send-Q                       Local Address:Port
                   Peer Address:Port
LISTEN     0      5                                       :::11111
                             :::*      users:(("ricci",2482,3))
LISTEN     0      128                              127.0.0.1:199
                              *:*      users:(("snmpd",2020,8))
LISTEN     0      128                                     :::111
                             :::*      users:(("rpcbind",1763,11))
LISTEN     0      128                                      *:111
                              *:*      users:(("rpcbind",1763,8))
LISTEN     0      128                                      *:48976
                              *:*      users:(("rpc.statd",1785,8))
LISTEN     0      5                                       :::16851
                             :::*      users:(("modclusterd",2371,5))
LISTEN     0      128                                     :::55476
                             :::*      users:(("rpc.statd",1785,10))
LISTEN     0      128                                     :::22
                             :::*      users:(("sshd",2037,4))
LISTEN     0      128                                      *:22
                              *:*      users:(("sshd",2037,3))
LISTEN     0      100                                    ::1:25
                             :::*      users:(("master",2142,13))
LISTEN     0      100                              127.0.0.1:25
                              *:*      users:(("master",2142,12))
====

====
[root@node1 ~]# ss -tpn
State      Recv-Q Send-Q                       Local Address:Port
                   Peer Address:Port
ESTAB      0      0                           192.168.122.10:22
                  192.168.122.1:53935  users:(("sshd",2636,3))
ESTAB      0      0                           192.168.122.10:22
                  192.168.122.1:53934  users:(("sshd",2613,3))
ESTAB      0      0                               10.10.10.1:48985
                     10.10.10.2:7788
ESTAB      0      0                               10.10.10.1:7788
                     10.10.10.2:51681
ESTAB      0      0                        ::ffff:10.20.10.1:16851
              ::ffff:10.20.10.2:43553  users:(("modclusterd",2371,6))
====

====
[root@node1 ~]# ss -upn
State      Recv-Q Send-Q                       Local Address:Port
                   Peer Address:Port
====

I ran all three again and routed output to a file, stopped clvmd and
re-ran the three calls to a different file. I diff'ed the resulting
files and saw nothing of interest:

====
[root@node1 ~]# /etc/init.d/clvmd status
clvmd (pid  3495) is running...
Clustered Volume Groups: (none)
Active clustered Logical Volumes: (none)
====

====
[root@node1 ~]# ss -tpnl > tpnl.on
[root@node1 ~]# ss -tpn > tpn.on
[root@node1 ~]# ss -upn > upn.on
====

====[root@node1 ~]# /etc/init.d/clvmd stop
Signaling clvmd to exit                                    [  OK  ]
clvmd terminated                                           [  OK  ]
====

====
[root@node1 ~]# ss -tpnl > tpnl.off
[root@node1 ~]# ss -tpn > tpn.off
[root@node1 ~]# ss -upn > upn.off
[root@node1 ~]# diff -U0 tpnl.on tpnl.off
[root@node1 ~]# diff -U0 tpn.on tpn.off
[root@node1 ~]# diff -U0 upn.on upn.off
====

I'm reading up on 'multiport' now and will adjust my iptables. It does
look a lot cleaner.





_______________________________________________
Users mailing list: Users@clusterlabs.org
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org