Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
Thanks for inclusion. While looking through the pushed changes, I spotted two meta-data typos. See trivial patch. Regards Dominik Applied and pushed with two minor edits. Thanks a lot! Cheers, Florian --- conntrackd.orig 2011-02-14 11:43:22.0 +0100 +++ conntrackd 2011-02-14 11:43:42.0 +0100 @@ -57,7 +57,7 @@ longdesc lang=enName of the conntrackd executable. If conntrackd is installed and available in the default PATH, it is sufficient to configure the name of the binary For example my-conntrackd-binary-version-0.9.14 -If conntrackd is installed somehwere else, you may also give a full path +If conntrackd is installed somewhere else, you may also give a full path For example /packages/conntrackd-0.9.14/sbin/conntrackd /longdesc shortdesc lang=enName of the conntrackd executable/shortdesc @@ -66,7 +66,7 @@ parameter name=config longdesc lang=enFull path to the conntrackd.conf file. -For example /packages/conntrackd-0.9.4/etc/conntrackd/conntrackd.conf/longdesc +For example /packages/conntrackd-0.9.14/etc/conntrackd/conntrackd.conf/longdesc shortdesc lang=enPath to conntrackd.conf/shortdesc content type=string default=$OCF_RESKEY_config_default/ /parameter ___ Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev Home Page: http://linux-ha.org/
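Review bot: The corrected line in the first hunk, "If conntrackd is installed somewhere else, you may also give a full path", still ends without a full stop, and so does the context line ending "the name of the binary", so the longdesc runs straight into each "For example" line. Ending both sentences and writing "For example:" before each sample value would make the parameter help easier to read.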
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
On 2011-02-14 11:46, Dominik Klein wrote:
> Thanks for inclusion. While looking through the pushed changes, I spotted two meta-data typos. See trivial patch.

Also applied and pushed. Thanks!

Cheers,
Florian
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
Hi Florian

> it appears that the RA is good to be merged with just a few changes left to be done.

Great!

> * Please fix the initialization to honor $OCF_FUNCTIONS_DIR and ditch the redundant locale initialization.

done

> * Please rename the parameters to follow the precedents set by other RAs (binary instead of conntrackd, config instead of conntrackdconf).

done

> * Please don't require people to set a full path to the conntrackd binary, honoring $PATH is expected.

I don't see where I do that. At least code-wise I never did that. Did you mean the meta-data?

> * Please set defaults the way the other RAs do, rather than with your if [ -z OCF_RESKEY_whatever ] logic.

done

> * Please define the default path to your statefile relative to ${HA_RSCTMP}. Also, put ${OCF_RESOURCE_INSTANCE} in the filename.

done

> * Actually, rather than managing your statefile manually, you might be able to just use ha_pseudo_resource().

done

nice function btw :)

> * Please revise your timeouts. Is a 240-second minimum timeout on start not a bit excessive?

Sure is. Copy and paste leftover. Changed to 30.

> * Please revise your metadata, specifically your longdescs. The more useful information you provide to users, the better. Recall that that information is readily available to users via the man pages and crm ra info.

done

Regards
Dominik

--- conntrackd 2011-02-10 12:23:37.054678924 +0100 +++ conntrackd.fghaas 2011-02-11 09:45:39.721300359 +0100 @@ -4,7 +4,7 @@ # An OCF RA for conntrackd # http://conntrack-tools.netfilter.org/ # -# Copyright (c) 2010 Dominik Klein +# Copyright (c) 2011 Dominik Klein # # This program is free software; you can redistribute it and/or modify # it under the terms of version 2 of the GNU General Public License as
@@ -25,11 +25,19 @@ # along with this program; if not, write the Free Software Foundation, # Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA. # + ### # Initialization: -. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs -export LANG=C LANGUAGE=C LC_ALL=C +: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/resource.d/heartbeat} +. ${OCF_FUNCTIONS_DIR}/.ocf-shellfuncs + +### + +OCF_RESKEY_binary_default=/usr/sbin/conntrackd +OCF_RESKEY_config_default=/etc/conntrackd/conntrackd.conf +: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}} +: ${OCF_RESKEY_config=${OCF_RESKEY_config_default}} meta_data() { cat END 
@@ -46,30 +54,30 @@ parameters parameter name=conntrackd -longdesc lang=enFull path to conntrackd executable/longdesc -shortdesc lang=enFull path to conntrackd executable/shortdesc -content type=string default=/usr/sbin/conntrackd/ +longdesc lang=enName of the conntrackd executable. +If conntrackd is installed and available in the default PATH, it is sufficient to configure the name of the binary +For example my-conntrackd-binary-version-0.9.14 +If conntrackd is installed somehwere else, you may also give a full path +For example /packages/conntrackd-0.9.14/sbin/conntrackd +/longdesc +shortdesc lang=enName of the conntrackd executable/shortdesc +content type=string default=$OCF_RESKEY_binary_default/ /parameter -parameter name=conntrackdconf -longdesc lang=enFull path to the conntrackd.conf file./longdesc +parameter name=config +longdesc lang=enFull path to the conntrackd.conf file. +For example /packages/conntrackd-0.9.4/etc/conntrackd/conntrackd.conf/longdesc shortdesc lang=enPath to conntrackd.conf/shortdesc -content type=string default=/etc/conntrackd/conntrackd.conf/ -/parameter - -parameter name=statefile -longdesc lang=enFull path to the state file you wish to use./longdesc -shortdesc lang=enFull path to the state file you wish to use./shortdesc -content type=string default=/var/run/conntrackd.master/ +content type=string default=$OCF_RESKEY_config_default/ /parameter /parameters actions -action name=start timeout=240 / -action name=promote timeout=90 / -action name=demote timeout=90 / -action name=notify timeout=90 / -action name=stoptimeout=100 / +action name=start timeout=30 / +action name=promote timeout=30 / +action name=demote timeout=30 / +action name=notify timeout=30 / +action name=stoptimeout=30 / action name=monitor depth=0 timeout=20 interval=20 role=Slave / action name=monitor depth=0 timeout=20 interval=10 role=Master / action name=meta-data timeout=5 / 
@@ -94,11 +102,7 @@ conntrackd_is_master() { # You can't query conntrackd whether it is master or slave. It can be both at the same time. # This RA creates a statefile during promote and enforces master-max=1 and clone-node-max=1 - if [ -e $STATEFILE ]; then - return $OCF_SUCCESS - else - return $OCF_ERR_GENERIC - fi + ha_pseudo_resource $statefile monitor } conntrackd_set_master_score() { @@ -108,11 +112,11 @@ conntrackd_monitor() { rc=$OCF_NOT_RUNNING # It does not write a PID file, so check
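Review bot: In the hunk at @@ -25,11 +25,19 @@, OCF_RESKEY_binary_default is set to the absolute path /usr/sbin/conntrackd, while the longdesc added in the next hunk says the bare name is sufficient when conntrackd is in the default PATH. Defaulting to the bare name conntrackd would match that description and the review request to honor $PATH.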
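Review bot: In the hunk at @@ -46,30 +54,30 @@, the context line "parameter name=conntrackd" is left unchanged although its default now comes from $OCF_RESKEY_binary_default and the defaults block reads OCF_RESKEY_binary, so the metadata still advertises the old parameter name. A value configured under the advertised name would arrive as OCF_RESKEY_conntrackd, which the new defaults do not consult; rename the parameter to binary here, as was done for config. The added longdesc also contains the typo "somehwere", and the config example uses conntrackd-0.9.4 where the binary example uses 0.9.14.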
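Review bot: In conntrackd_is_master (hunk at @@ -94,11 +102,7 @@) the new call uses the lowercase variable $statefile where the removed test used $STATEFILE, no hunk shown here assigns it, and the statefile parameter is dropped from the metadata in the previous hunk. Please make sure statefile is set before this function runs, for example to a name containing ${OCF_RESOURCE_INSTANCE} as requested in review; with it unset the call reduces to "ha_pseudo_resource monitor" and the role check no longer refers to this resource's tracking file.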
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
On 2011-02-11 09:48, Dominik Klein wrote:
> Hi Florian
>
>> it appears that the RA is good to be merged with just a few changes left to be done.
>
> Great!
>
> [lots of exemplary role-model patch modifications]
>
> Regards
> Dominik

Thanks! For some reason the patch does not apply in my checkout. Can you just send me your version? I'll figure it out then.

Cheers,
Florian
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
Maybe you applied the s/100/$slavescore patch someone sent a couple weeks ago. I used the last version from thread "New stateful RA: conntrackd" dated October 27th 3:29pm.

Anyway, here's my version.

Regards
Dominik

On 02/11/2011 01:36 PM, Florian Haas wrote:
> On 2011-02-11 09:48, Dominik Klein wrote:
>> Hi Florian
>>
>>> it appears that the RA is good to be merged with just a few changes left to be done.
>>
>> Great!
>>
>> [lots of exemplary role-model patch modifications]
>>
>> Regards
>> Dominik
>
> Thanks! For some reason the patch does not apply in my checkout. Can you just send me your version? I'll figure it out then.
>
> Cheers,
> Florian

#!/bin/bash
#
#
# An OCF RA for conntrackd
# http://conntrack-tools.netfilter.org/
#
# Copyright (c) 2011 Dominik Klein
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like. Any license provided herein, whether implied or
# otherwise, applies only to this software file. Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
#

###
# Initialization:

: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/resource.d/heartbeat}
. ${OCF_FUNCTIONS_DIR}/.ocf-shellfuncs

###

OCF_RESKEY_binary_default=/usr/sbin/conntrackd
OCF_RESKEY_config_default=/etc/conntrackd/conntrackd.conf
: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}}
: ${OCF_RESKEY_config=${OCF_RESKEY_config_default}}

meta_data() {
	cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="conntrackd">
<version>1.1</version>

<longdesc lang="en">
Master/Slave OCF Resource Agent for conntrackd
</longdesc>

<shortdesc lang="en">This resource agent manages conntrackd</shortdesc>

<parameters>
<parameter name="conntrackd">
<longdesc lang="en">Name of the conntrackd executable.
If conntrackd is installed and available in the default PATH, it is sufficient to configure the name of the binary
For example my-conntrackd-binary-version-0.9.14
If conntrackd is installed somehwere else, you may also give a full path
For example /packages/conntrackd-0.9.14/sbin/conntrackd
</longdesc>
<shortdesc lang="en">Name of the conntrackd executable</shortdesc>
<content type="string" default="$OCF_RESKEY_binary_default"/>
</parameter>

<parameter name="config">
<longdesc lang="en">Full path to the conntrackd.conf file.
For example /packages/conntrackd-0.9.4/etc/conntrackd/conntrackd.conf</longdesc>
<shortdesc lang="en">Path to conntrackd.conf</shortdesc>
<content type="string" default="$OCF_RESKEY_config_default"/>
</parameter>
</parameters>

<actions>
<action name="start" timeout="30" />
<action name="promote" timeout="30" />
<action name="demote" timeout="30" />
<action name="notify" timeout="30" />
<action name="stop" timeout="30" />
<action name="monitor" depth="0" timeout="20" interval="20" role="Slave" />
<action name="monitor" depth="0" timeout="20" interval="10" role="Master" />
<action name="meta-data" timeout="5" />
<action name="validate-all" timeout="30" />
</actions>
</resource-agent>
END
}

meta_expect()
{
	local what=$1 whatvar=OCF_RESKEY_CRM_meta_${1//-/_} op=$2 expect=$3
	local val=${!whatvar}
	if [[ -n $val ]]; then
		# [, not [[, or it won't work ;)
		[ $val $op $expect ] && return
	fi
	ocf_log err "meta parameter misconfigured, expected $what $op $expect, but found ${val:-unset}."
	exit $OCF_ERR_CONFIGURED
}

conntrackd_is_master() {
	# You can't query conntrackd whether it is master or slave. It can be both at the same time.
	# This RA creates a statefile during promote and enforces master-max=1 and clone-node-max=1
	ha_pseudo_resource $statefile monitor
}

conntrackd_set_master_score() {
	${HA_SBIN_DIR}/crm_master -Q -l reboot -v $1
}

conntrackd_monitor() {
	rc=$OCF_NOT_RUNNING
	# It does not write a PID file, so check with pgrep
	pgrep -f $OCF_RESKEY_binary && rc=$OCF_SUCCESS
	if [ $rc -eq $OCF_SUCCESS ]; then
		# conntrackd is running
		# now see if it accepts queries
		if ! $OCF_RESKEY_binary -C $OCF_RESKEY_config -s > /dev/null 2>&1; then
			rc=$OCF_ERR_GENERIC
			ocf_log err conntrackd is running but not responding
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
On 02/11/2011 01:41 PM, Dominik Klein wrote:
> Maybe you applied the s/100/$slavescore patch someone sent a couple weeks ago. I used the last version from thread "New stateful RA: conntrackd" dated October 27th 3:29pm.
>
> Anyway, here's my version.

Applied and pushed with two minor edits. Thanks a lot!

Cheers,
Florian
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
On 2011-01-31 10:06, Dominik Klein wrote:
> Just now found this thread. I will include the suggested changes and post the new RA soon-ish.
>
> Dominik

Dominik,

any news on this?

Cheers,
Florian
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
Not yet. That's why I wrote soon_-ish_ ;)

Any release coming up you want to include this in?

> any news on this?
>
> Cheers,
> Florian
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
Just now found this thread. I will include the suggested changes and post the new RA soon-ish.

Dominik

On 01/21/2011 08:26 AM, Florian Haas wrote:
> On 01/18/2011 04:21 PM, Florian Haas wrote:
>>> Our site will shortly be deploying a new HA firewall based on Linux, iptables, pacemaker and conntrackd. conntrackd[1] is used to maintain connection state of active connections across the two firewalls allowing us to failover from one firewall to the other without dropping any connections.
>>>
>>> In order to achieve this with pacemaker we needed to find a resource agent for conntrackd. Looking at the mailing list we found a couple of options although we only fully evaluated the RA produced by Dominik Klein as it appears to be more feature complete than the alternative. For a full description of his RA please see his original thread[2].
>>>
>>> So far throughout testing we have been very pleased with it. We can successfully fail between our nodes and the RA correctly handles the synchronisation steps required in the background.
>
> Dominik, it appears that the RA is good to be merged with just a few changes left to be done.
>
> * Please fix the initialization to honor $OCF_FUNCTIONS_DIR and ditch the redundant locale initialization.
> * Please rename the parameters to follow the precedents set by other RAs (binary instead of conntrackd, config instead of conntrackdconf).
> * Please don't require people to set a full path to the conntrackd binary, honoring $PATH is expected.
> * Please set defaults the way the other RAs do, rather than with your if [ -z OCF_RESKEY_whatever ] logic.
> * Please define the default path to your statefile relative to ${HA_RSCTMP}. Also, put ${OCF_RESOURCE_INSTANCE} in the filename.
> * Actually, rather than managing your statefile manually, you might be able to just use ha_pseudo_resource().
> * Please revise your timeouts. Is a 240-second minimum timeout on start not a bit excessive?
> * Please revise your metadata, specifically your longdescs. The more useful information you provide to users, the better. Recall that that information is readily available to users via the man pages and crm ra info.
>
> Thanks!
>
> Cheers,
> Florian

--
IN-telegence GmbH
Oskar-Jäger-Str. 125
50825 Köln
Register court: AG Köln - HRB 34038
VAT ID: DE210882245
Managing partners: Christian Plätke and Holger Jansen
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
>> Or, put differently: is us tracking the supposed state really necessary, or can we inquire it from the service somehow?
>
> From the submitted RA:
>
> # You can't query conntrackd whether it is master or slave. It can be both at the same time.
> # This RA creates a statefile during promote and enforces master-max=1 and clone-node-max=1
>
> Knowing Dominik I think it's safe to assume he's done his homework on this, and hasn't put in this comment without careful consideration.

If I knew a way to query the state, believe me, I would use it. I totally understand this seems ugly the way it is and I agree 100%. However, having a master/slave RA is what the cluster needs imho to fully support conntrackd. Encouraging people to start conntrackd by init and then have the RA just execute commands for state-shipping seemed and seems odd to me (that's what the first RA did).

> But I'm sure he won't mind if you manage to convince him otherwise.

Sure I won't. Maybe a newer version (if exists) includes this. I'll have another look.

Regards
Dominik
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
On 01/21/2011 05:50 PM, Lars Marowsky-Bree wrote:
> On 2011-01-21T08:26:38, Florian Haas florian.h...@linbit.com wrote:
>> * Actually, rather than managing your statefile manually, you might be able to just use ha_pseudo_resource().
>
> Is there really no record in the conntrack state which mode it is currently in?
>
> Or, put differently: is us tracking the supposed state really necessary, or can we inquire it from the service somehow?

From the submitted RA:

# You can't query conntrackd whether it is master or slave. It can be both at the same time.
# This RA creates a statefile during promote and enforces master-max=1 and clone-node-max=1

Knowing Dominik I think it's safe to assume he's done his homework on this, and hasn't put in this comment without careful consideration.

But I'm sure he won't mind if you manage to convince him otherwise.

Cheers,
Florian
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
On 01/18/2011 04:21 PM, Florian Haas wrote:
>> Our site will shortly be deploying a new HA firewall based on Linux, iptables, pacemaker and conntrackd. conntrackd[1] is used to maintain connection state of active connections across the two firewalls allowing us to failover from one firewall to the other without dropping any connections.
>>
>> In order to achieve this with pacemaker we needed to find a resource agent for conntrackd. Looking at the mailing list we found a couple of options although we only fully evaluated the RA produced by Dominik Klein as it appears to be more feature complete than the alternative. For a full description of his RA please see his original thread[2].
>>
>> So far throughout testing we have been very pleased with it. We can successfully fail between our nodes and the RA correctly handles the synchronisation steps required in the background.

Dominik, it appears that the RA is good to be merged with just a few changes left to be done.

* Please fix the initialization to honor $OCF_FUNCTIONS_DIR and ditch the redundant locale initialization.
* Please rename the parameters to follow the precedents set by other RAs (binary instead of conntrackd, config instead of conntrackdconf).
* Please don't require people to set a full path to the conntrackd binary, honoring $PATH is expected.
* Please set defaults the way the other RAs do, rather than with your if [ -z OCF_RESKEY_whatever ] logic.
* Please define the default path to your statefile relative to ${HA_RSCTMP}. Also, put ${OCF_RESOURCE_INSTANCE} in the filename.
* Actually, rather than managing your statefile manually, you might be able to just use ha_pseudo_resource().
* Please revise your timeouts. Is a 240-second minimum timeout on start not a bit excessive?
* Please revise your metadata, specifically your longdescs. The more useful information you provide to users, the better. Recall that that information is readily available to users via the man pages and crm ra info.

Thanks!

Cheers,
Florian
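The statefile requests in the review list above, as an added example that is not part of the thread or of the conntrackd RA: a tracking file named after ${OCF_RESOURCE_INSTANCE} under ${HA_RSCTMP} stands in for the role that conntrackd itself cannot report. Assumptions: pseudo_resource is a simplified stand-in written here for ha_pseudo_resource, conntrackd_role and the demo instance name are hypothetical, and a temporary directory replaces the cluster's ${HA_RSCTMP}.

```shell
#!/bin/bash
# Added example: role bookkeeping for a master/slave RA whose daemon cannot
# be asked which role it has. Not code from the conntrackd RA.

# OCF exit codes used below.
OCF_SUCCESS=0
OCF_ERR_GENERIC=1
OCF_NOT_RUNNING=7
OCF_RUNNING_MASTER=8

# Constructed environment so the example runs outside a cluster. The
# ": ${VAR=default}" form only assigns when the variable is unset, so
# values exported by the cluster manager win.
: ${HA_RSCTMP=$(mktemp -d)}
: ${OCF_RESOURCE_INSTANCE=conntrackd-demo:0}

# Tracking file name: relative to $HA_RSCTMP and unique per instance.
statefile="conntrackd.${OCF_RESOURCE_INSTANCE}.master"

# Simplified stand-in for ha_pseudo_resource (assumption, written here).
# usage: pseudo_resource <name> start|stop|monitor
pseudo_resource() {
    # Refuse an empty name or one that could leave $HA_RSCTMP.
    case "$1" in
        ""|*/*) return $OCF_ERR_GENERIC ;;
    esac
    local file="${HA_RSCTMP}/$1"
    case "$2" in
        start)   : > "$file" || return $OCF_ERR_GENERIC ;;
        stop)    rm -f -- "$file" || return $OCF_ERR_GENERIC ;;
        monitor) [ -f "$file" ] || return $OCF_NOT_RUNNING ;;
        *)       return $OCF_ERR_GENERIC ;;
    esac
    return $OCF_SUCCESS
}

conntrackd_is_master() { pseudo_resource "$statefile" monitor; }

# A real promote/demote would also drive conntrackd's cache handling;
# only the role bookkeeping is shown here.
conntrackd_promote() { pseudo_resource "$statefile" start; }
conntrackd_demote()  { pseudo_resource "$statefile" stop; }

# Combine "does the daemon answer?" with the tracking file.
# $1 is 0 when the daemon answered a query (checked by the caller).
conntrackd_role() {
    [ "$1" -eq 0 ] || return $OCF_NOT_RUNNING
    if conntrackd_is_master; then
        return $OCF_RUNNING_MASTER
    fi
    return $OCF_SUCCESS
}
```

Because the file lives under the temporary resource-state directory, a node that comes back without having been promoted again reports slave as long as that directory starts empty.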
Re: [Linux-ha-dev] Feedback on conntrackd RA by Dominik Klein
> Our site will shortly be deploying a new HA firewall based on Linux, iptables, pacemaker and conntrackd. conntrackd[1] is used to maintain connection state of active connections across the two firewalls allowing us to failover from one firewall to the other without dropping any connections.
>
> In order to achieve this with pacemaker we needed to find a resource agent for conntrackd. Looking at the mailing list we found a couple of options although we only fully evaluated the RA produced by Dominik Klein as it appears to be more feature complete than the alternative. For a full description of his RA please see his original thread[2].
>
> So far throughout testing we have been very pleased with it. We can successfully fail between our nodes and the RA correctly handles the synchronisation steps required in the background.

Hi Paul,

that is excellent feedback to get; did you have to make any changes to Dominik's originally submitted version of the RA? If so, please share them so we can apply them post-merge. Thanks!

Cheers,
Florian