On 2013-11-13 06:02, Vladislav Bogdanov wrote:
13.11.2013 04:46, Jefferson Ogata wrote:
[snip]
4. "Insufficient privileges" faults in the portblock RA. This was
another race condition that occurred because i was using multiple
targets, meaning that without a mutex, multiple portblock invocations
would be running in parallel during a failover. If you try to run
iptables while another iptables is running, you get "Resource not
available" and this was coming back to pacemaker as "insufficient
privileges". This is simply a bug in the portblock RA; it should have a
mutex to prevent parallel iptables invocations. I fixed this by adding
an ocf_release_lock_on_exit at the top, and adding an ocf_take_lock for
start, stop, monitor, and status operations.
I'm not sure why more people haven't run into these problems before. I
hope it's not that i'm doing things wrong, but rather that few others
haven't earnestly tried to build anything quite like this setup. If
anyone out there has set up a similar cluster and *not* had these
problems, i'd like to know about it. Meanwhile, if others *have* had
these problems, i'd also like to know, especially if they've found
alternate solutions.
Can't say about 1, I use IET, it doesn't seem to have that limitation.
2 - I use alternative home-brew ms RA which blocks (DROP) both input and
output for a specified VIP on demote (targets are configured to be bound
to that VIPs). I also export one big LUN per target and then set up clvm
VG on top of it (all initiators are in the same another cluster).
3 - can't say as well, IET is probably not affected.
4 - That is true, iptables doesn't have atomic rules management, so you
definitely need mutex or dispatcher like firewalld (didn't try it though).
The issue here is not really the lack of atomic rules management (which
you can hack in iptables by defining a new chain for the rules you want
to add and adding a jump to it in the INPUT or OUTPUT chain). The issue
i was encountering is that if the iptables process locks a resource. If
a second iptables process attempts to run concurrently, it can't lock,
and it fails. The RA was feeding this back to pacemaker as a resource
stop/stop failure, when really the RA should have been preventing
concurrent execution of iptables in the first place.
Thanks for the feedback.
_______________________________________________
Linux-HA mailing list
Linux-HA@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
