On 04/06/11 22:46, imnotpc wrote:
> On Thursday, June 02, 2011 22:50:58 Tim Serong wrote:
> > On 03/06/11 06:42, imnotpc wrote:
> > > On Thursday, June 02, 2011 16:30:55 Digimer wrote:
> > > > On 06/02/2011 04:23 PM, imnotpc wrote:
> > > > > On Thursday, June 02, 2011 15:59:41 Digimer wrote:
> > > > > > On 06/02/2011 03:55 PM, imnotpc wrote:
> > > > > > > I'm a new user with a simple question which I could not find an
> > > > > > > answer to in the docs. The Clusters from Scratch document tells you
> > > > > > > to disable iptables and I've inadvertently found out why when I
> > > > > > > loaded my standard firewall script and broke my cluster. My question
> > > > > > > is: Is the corosync/pacemaker stack inherently incompatible with
> > > > > > > iptables or are there just certain iptables modules or
> > > > > > > configurations that cause problems?
> > > > > > >
> > > > > > > Thanks, Jeff
> > > > > >
> > > > > > You just need to know the ports to open. Here is the list of ones I
> > > > > > know of:
> > > > > >
> > > > > > Port                 Protocol  Component
> > > > > > 5404, 5405           UDP       cman
> > > > > > 8084, 5405           TCP       luci
> > > > > > 11111                TCP       ricci
> > > > > > 14567                TCP       gnbd
> > > > > > 16851                TCP       modclusterd
> > > > > > 21064                TCP       dlm
> > > > > > 50006, 50008, 50009  TCP       ccsd
> > > > > > 50007                UDP       ccsd
> > > > > >
> > > > > > Note that this is from a RHCS2 (openais) perspective. I may be missing
> > > > > > pacemaker-specific ones.
> > > > >
> > > > > Appreciate the quick response. It's good to know iptables can work. I
> > > > > can't imagine no firewall even on an internal box. In my configuration
> > > > > everything (nearly) that gets blocked gets logged, so now I need to find
> > > > > out why I'm not seeing any of these ports show up in my firewall log.
> > > >
> > > > On second thought, those are *all* RHCS-specific ports. That would
> > > > explain why you are not seeing them. I need more coffee...
> > > >
> > > > In your openais/corosync config, you will have defined an IP address and
> > > > port for each ring. Check there and make sure those ports are open.
> > >
> > > Don't feel bad, at least you didn't do anything as dumb as I did. When I
> > > set the port in corosync.conf I also created a rule in my firewall
> > > script... a DROP rule... like I use for annoying MS broadcast traffic.
> > > That's why it never reached my logs or its destination. aarrgghh!!
> > >
> > > Thanks again...
> >
> > For corosync, you need to open mcastport and mcastport-1 (which is 5405
> > and 5404 by default, as mentioned in Digimer's list above). That should
> > be all you need in general for corosync+pacemaker, although services you
> > run within the cluster might need other ports open (e.g. if you're using
> > DLM, DRBD, etc.).
> >
> > Regards,
> >
> > Tim
>
> Those are only used if you run cman, correct? I tried to start a basic
> cman instance using the sample file from Clusters from Scratch and it
> failed. I'm still trying to wrap my head around how all these components
> relate, but it appears from the manual that cman replaces part of
> pacemaker, and since what I have seems to work I gave up on it and moved
> on to fencing configuration. Is it worth it for me to go back and get it
> working?

You need those ports open for corosync, but my understanding was that if 
you use cman, it (cman) is responsible for invoking corosync.  So, same 
ports either way.

If you've got corosync+pacemaker running happily, I'd just ignore cman, 
although someone with more cman/RHCS experience might have a different 
opinion here :)

Regards,

Tim
-- 
Tim Serong <tser...@novell.com>
Senior Clustering Engineer, OPS Engineering, Novell Inc.
_______________________________________________
Openais mailing list
Openais@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/openais
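An added example, not part of this thread and not code from the corosync or pacemaker projects: a small POSIX sh script that reads the mcastport, mcastaddr and bindnetaddr values out of a corosync.conf interface block, emits the two iptables rules Tim's advice calls for (UDP mcastport and mcastport-1, for the ring network and for the multicast group), and then checks an iptables-save style ruleset for the mistake Jeff describes, a DROP for the port that sits above the ACCEPT and so swallows the traffic before it can reach either the ACCEPT or a trailing LOG rule. The corosync.conf text and both rulesets are constructed samples; the /24 prefix applied to bindnetaddr is an assumption (corosync takes the netmask from the host interface, which this script cannot see), so pass the real prefix as the second argument.

```shell
#!/bin/sh
# Added example: derive corosync's iptables rules from corosync.conf and
# detect a DROP rule that shadows them. Sample inputs below are constructed.

# Constructed corosync.conf fragment (corosync 1.x "interface" syntax).
SAMPLE_CONF='totem {
    version: 2
    interface {
        ringnumber: 0
        bindnetaddr: 192.168.122.0
        mcastaddr: 226.94.1.1
        mcastport: 5405
    }
}'

# Constructed ruleset in iptables-save format, reproducing the mistake from
# the thread: a bare DROP on 5405 placed above the corosync ACCEPT.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 5405 -j DROP
-A INPUT -s 192.168.122.0/24 -p udp --dport 5404:5405 -j ACCEPT
-A INPUT -d 226.94.1.1 -p udp --dport 5404:5405 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT'

# The same ruleset with the shadowing DROP removed.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | grep -v -e '--dport 5405 -j DROP')

# conf_value KEY CONF_TEXT: print the value of the first "KEY: value" line.
conf_value() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1:[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | head -n 1
}

# corosync_rules CONF_TEXT [PREFIX]: emit iptables-save rules accepting UDP
# mcastport-1..mcastport from the ring network (unicast) and on the multicast
# group address. PREFIX defaults to 24, which is an assumption.
corosync_rules() {
    conf=$1
    prefix=${2:-24}
    net=$(conf_value bindnetaddr "$conf")
    mcast=$(conf_value mcastaddr "$conf")
    port=$(conf_value mcastport "$conf")
    low=$((port - 1))
    printf '%s\n' "-A INPUT -s $net/$prefix -p udp --dport $low:$port -j ACCEPT"
    printf '%s\n' "-A INPUT -d $mcast -p udp --dport $low:$port -j ACCEPT"
}

# shadowing_drop PORT RULES_TEXT: walk the INPUT chain in order, as the kernel
# does, and print the first UDP DROP/REJECT covering PORT that is reached
# before any ACCEPT covering it. Exit 1 if such a rule exists, 0 otherwise.
shadowing_drop() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^-A INPUT / && /-p udp/ {
            dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (dport == "") next
            n = split(dport, r, ":")
            lo = r[1] + 0
            hi = (n == 2 ? r[2] : r[1]) + 0
            if (p + 0 < lo || p + 0 > hi) next
            if (target == "ACCEPT") exit 0
            if (target == "DROP" || target == "REJECT") { print; exit 1 }
        }'
}

echo "# rules for the sample ring:"
corosync_rules "$SAMPLE_CONF"
if shadowing_drop "$(conf_value mcastport "$SAMPLE_CONF")" "$SAMPLE_RULES"; then
    echo "# no DROP shadows the corosync ACCEPT"
else
    echo "# ^ this DROP precedes the ACCEPT; move it below the ACCEPT or delete it"
fi
```

Run it against the real files with `corosync_rules "$(cat /etc/corosync/corosync.conf)" 24` and `shadowing_drop 5405 "$(iptables-save)"`; the ordering check is the part worth keeping in a deployment script, because a rule that matches first wins and a blocked packet never reaches a LOG rule that sits below it.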
