Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
>> Or, put differently: is us tracking the supposed state really necessary, >> or can we inquire it from the service somehow? > > From the submitted RA: > >> # You can't query conntrackd whether it is master or slave. It can >> be both at the same time. >> # This RA creates a statefile during promote and enforces >> master-max=1 and clone-node-max=1 > > Knowing Dominik I think it's safe to assume he's done his homework on > this, and hasn't put in this comment without careful consideration. If I knew a way to query the state, believe me, I would use it. I totally understand this seems "ugly" the way it is and I agree 100%. However, having a master/slave RA is what the cluster needs imho to fully support conntrackd. Encouraging people to start conntrackd by init and then have the RA just execute commands for state-shipping seemed and seems odd to me (that's what the first RA did). > But > I'm sure he won't mind if you manage to convince him otherwise. Sure I won't. Maybe a newer version (if exists) includes this. I'll have another look. Regards Dominik ___ Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev Home Page: http://linux-ha.org/
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
Just now found this thread. I will include the suggested changes and
post the new RA soon-ish.
Dominik
On 01/21/2011 08:26 AM, Florian Haas wrote:
> On 01/18/2011 04:21 PM, Florian Haas wrote:
>>> Our site will shortly be deploying a new HA firewall based on Linux,
>>> iptables, pacemaker and conntrackd.
>>> conntrackd[1] is used to maintain connection state of active
>>> connections
>>> across the two firewalls allowing us to failover from one firewall to
>>> the other without dropping any connections.
>>>
>>> In order to achieve this with pacemaker we needed to find a resource
>>> agent for conntrackd. Looking at the mailing list we found a couple of
>>> options although we only fully evaluated the RA produced by Dominik
>>> Klein as it appears to be more feature complete than the alternative.
>>> For a full description of his RA please see his original thread[2].
>>>
>>> So far throughout testing we have been very pleased with it. We can
>>> successfully fail between our nodes and the RA correctly handles the
>>> synchronisation steps required in the background.
>
> Dominik,
>
> it appears that the RA is good to be merged with just a few changes left
> to be done.
>
> * Please fix the initialization to honor $OCF_FUNCTIONS_DIR and ditch
> the redundant locale initialization.
>
> * Please rename the parameters to follow the precendents set by other
> RAs ("binary" instead of "conntrackd", "config" instead of
> "conntrackdconf").
>
> * Please don't require people to set a full path to the conntrackd
> binary, honoring $PATH is expected.
>
> * Please set defaults the way the other RAs do, rather than with your
> "if [ -z "OCF_RESKEY_whatever" ]" logic.
>
> * Please define the default path to your statefile in relative to
> ${HA_RSCTMP}. Also, put ${OCF_RESOURCE_INSTANCE} in the filename.
>
> * Actually, rather than managing your statefile manually, you might be
> able to just use ha_pseudo_resource().
>
> * Please revise your timeouts. Is a 240-second minimum timeout on start
> not a bit excessive?
>
> * Please revise your metadata, specifically your longdescs. The more
> useful information you provide to users, the better. Recall that that
> information is readily available to users via the man pages and "crm ra
> info".
>
> Thanks!
> Cheers,
> Florian
>
>
--
IN-telegence GmbH
Oskar-Jäger-Str. 125
50825 Köln
Registergericht AG Köln - HRB 34038
USt-ID DE210882245
Geschäftsführende Gesellschafter: Christian Plätke und Holger Jansen
___
Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
Re: [Linux-ha-dev] Report on conntrackd RA
Hi thanks for testing and feedback. On 01/27/2011 01:37 PM, "Marjan, BlatnikČŠŽ" wrote: > Conntrackd RA from Dominik Klein works. We can now successfully > migrate/fail from one node to another one. > > At the begining, we have problems with failing. After reboot/fail, the > slave was not synced with master. After some debuging I found, that the > conntrackd must not be started at boot time, but only by pacemaker. Like any other program managed by the cluster. Regards Dominik > My > mistake. After disabling conntrackd boot script, failing works perfectly. > > If conntrackd on slave is started by init script, then master does not > issue > "conntrackd notify" with > "OCF_RESKEY_CRM_meta_notify_type=post" and > "OCF_RESKEY_CRM_meta_notify_operation=start" > and does not send a bulk update to the slave. > Master does issue "conntrackd notify" with > OCF_RESKEY_CRM_meta_notify_type set to "pre", but since conntrackd on > slave is running, there is no "post" phase, which send a bulk update to > the slave. > > OCF_RESKEY_CRM_meta_notify_type may be ignored and send bulk update two > times, but it's better to control conntrackd only by pacemaker. ___ Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev Home Page: http://linux-ha.org/
