Re: [ClusterLabs] Support for xt_cluster

2019-12-19 Thread Ken Gaillot
On Thu, 2019-12-19 at 15:01 +, Marcus Vinicius wrote:
> Hi, 
> 
> As far as I know, CLUSTERIP has been deprecated for some time. Recent
> distributions don't have this module in their repositories at all
> (Red Hat 8).
> 
> It seems Pacemaker still uses CLUSTERIP to clone an IP address.
> 
> For this reason, I have the following error on an Active/Active
> cluster VIP: 
> 
> Scenario: 
> 
> CentOS 8
> Pacemaker 2.0.1
> Kernel 4.18.0
> Iptables 1.8.2
> 
> # pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=172.18.14.100 nic=ens160 cidr_netmask=24 op monitor interval=2s
> # pcs resource clone ClusterIP
> # pcs status
> ...
> Failed Resource Actions:
> * ClusterIP_start_0 on pcsnode1 'unknown error' (1): call=40,
> status=complete, exitreason='iptables failed',
> last-rc-change='Thu Dec 19 12:30:40 2019', queued=0ms, exec=172ms
> 
> Logs: 
> 
> Dec 19 12:32:54 pcsnode1 IPaddr2(ClusterIP)[10245]: ERROR: iptables failed
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ iptables v1.8.2 (nf_tables): chain name not allowed to start with `-' ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [  ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ Try `iptables -h' or 'iptables --help' for more information. ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ ocf-exit-reason:iptables failed ]
> Dec 19 12:32:54 pcsnode1 pacemaker-controld[1439]: notice: Result of start operation for ClusterIP on pcsnode1: 1 (unknown error)
> 
> Anyone can simulate the module problem, outside Pacemaker, with this
> command: 
> 
> Perfectly good for CentOS 7 installation with ipt_CLUSTERIP.ko: 
> 
> # iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --total-nodes 2 --local-node 2 --hash-init 0
> 
> No good for a default CentOS 8 installation: 
> 
> # iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --total-nodes 2 --local-node 2 --hash-init 0
> iptables v1.8.2 (nf_tables): chain name not allowed to start with `-'
> 
> Try `iptables -h' or 'iptables --help' for more information.
> 
> 
> Is there any intention to abandon CLUSTERIP

yes

>  in favor of xt_cluster.ko? 

no

:)

A recent thread about this:
https://lists.clusterlabs.org/pipermail/users/2019-December/026663.html

resulted in a change to allow IPaddr2 clones to continue working on
newer systems if "iptables-legacy" is available:
https://github.com/ClusterLabs/resource-agents/pull/1439

tl;dr Cloned IPaddr2 is supported only on platforms that support
CLUSTERIP, and can be considered deprecated since CLUSTERIP itself is
deprecated. A pull request with an xt_cluster implementation would be
very welcome, as it's a low priority for available developers.

> Thanks a lot!
> 
> 
> Att,
> 
> Marcus Vinícius
-- 
Ken Gaillot 

___
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
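
A preflight check for the situation discussed above, added here as an example; it is not part of the thread and not the resource agent's code. It classifies the iptables backend from the version line seen in the log and picks the binary that can accept a CLUSTERIP rule. The function names and the --check switch are hypothetical.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from resource-agents.

# Classify the backend from an `iptables --version` line.
# iptables 1.8+ prints "(nf_tables)" or "(legacy)"; older releases print
# no suffix and only have the legacy (xtables) backend.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Decide which binary may be given a "-j CLUSTERIP" rule.
#   $1 = version line of the default iptables
#   $2 = "yes" if an iptables-legacy binary is installed, else "no"
# Prints the binary name and returns 0, or returns 1 if none is usable.
clusterip_iptables() {
    case "$(iptables_backend "$1")" in
        legacy) echo iptables ;;
        nf_tables)
            if [ "$2" = yes ]; then echo iptables-legacy; else return 1; fi ;;
        *) return 1 ;;
    esac
}

# Run the check against the local host. This covers userspace only:
# the kernel must still provide the ipt_CLUSTERIP module.
preflight() {
    ver=$(iptables --version 2>/dev/null) || ver=""
    if command -v iptables-legacy >/dev/null 2>&1; then
        have=yes
    else
        have=no
    fi
    if bin=$(clusterip_iptables "$ver" "$have"); then
        echo "CLUSTERIP rules can be added with: $bin"
    else
        echo "no CLUSTERIP-capable iptables; cloned IPaddr2 will not start" >&2
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```
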

[ClusterLabs] Support for xt_cluster

2019-12-19 Thread Marcus Vinicius
Hi, 

As far as I know, CLUSTERIP has been deprecated for some time. Recent distributions don't
have this module in their repositories at all (Red Hat 8).

It seems Pacemaker still uses CLUSTERIP to clone an IP address.

For this reason, I have the following error on an Active/Active cluster VIP: 

Scenario: 

CentOS 8
Pacemaker 2.0.1
Kernel 4.18.0
Iptables 1.8.2

# pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=172.18.14.100 nic=ens160 cidr_netmask=24 op monitor interval=2s
# pcs resource clone ClusterIP
# pcs status
...
Failed Resource Actions:
* ClusterIP_start_0 on pcsnode1 'unknown error' (1): call=40, status=complete, exitreason='iptables failed',
    last-rc-change='Thu Dec 19 12:30:40 2019', queued=0ms, exec=172ms

Logs: 

Dec 19 12:32:54 pcsnode1 IPaddr2(ClusterIP)[10245]: ERROR: iptables failed
Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ iptables v1.8.2 (nf_tables): chain name not allowed to start with `-' ]
Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [  ]
Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ Try `iptables -h' or 'iptables --help' for more information. ]
Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ ocf-exit-reason:iptables failed ]
Dec 19 12:32:54 pcsnode1 pacemaker-controld[1439]: notice: Result of start operation for ClusterIP on pcsnode1: 1 (unknown error)

Anyone can simulate the module problem, outside Pacemaker, with this command: 

Perfectly good for CentOS 7 installation with ipt_CLUSTERIP.ko: 

# iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --total-nodes 2 --local-node 2 --hash-init 0

No good for a default CentOS 8 installation: 

# iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --total-nodes 2 --local-node 2 --hash-init 0
iptables v1.8.2 (nf_tables): chain name not allowed to start with `-'

Try `iptables -h' or 'iptables --help' for more information.

Is there any intention to abandon CLUSTERIP in favor of xt_cluster.ko? 
Thanks a lot!

Att,
Marcus Vinícius