Hi Oyvind,

Probably the current portblock has a bug. It CREATES a netfilter rule on start(), however it DOES NOT DELETE the rule on stop().

Here is the configuration of my simple 2-node + 1 qdevice cluster:


node 1: node-a-knet \
    attributes standby=off
node 2: node-b-knet \
    attributes standby=off
primitive r-porttoggle portblock \
    params action=block direction=out ip=172.16.0.1 portno=1234 protocol=udp \
    op monitor interval=10s timeout=10s \
    op start interval=0s timeout=20s \
    op stop interval=0s timeout=20s
primitive r-vip IPaddr2 \
    params cidr_netmask=24 ip=10.1.6.253 \
    op monitor interval=10s timeout=20s \
    op start interval=0s timeout=20s \
    op stop interval=0s timeout=20s
colocation c1 inf: r-porttoggle r-vip
order o1 r-vip r-porttoggle
property cib-bootstrap-options: \
    have-watchdog=false \
    dc-version=2.1.6-6fdc9deea29 \
    cluster-infrastructure=corosync \
    cluster-name=testcluster \
    stonith-enabled=false \
    last-lrm-refresh=1729272215


- I checked the switchover and observed the netfilter chain (watch sudo iptables -L OUTPUT) in real time.

- Tried portblock with the parameter direction=out and direction=both.

- Checked whether the relevant functions IptablesBLOCK() & IptablesUNBLOCK() are executing (by inserting syslog mark messages inside). They do run.

However, the rule is ONLY created, NEVER deleted.

Any suggestions?
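The check I would run here, as an added example that is not part of the original thread or of the resource-agents project: a small POSIX sh script that encodes the start/stop semantics confirmed further down in the thread (action=unblock: port open while the resource is started, blocked while stopped; action=block: the opposite) and inspects an `iptables -S CHAIN` listing for the matching DROP rule. The listings below are constructed, modelled on the r-porttoggle resource above, not captured from the reporter's nodes; the assumption that the agent's rule shows the address as `-d`/`-s` (with or without /32), the port as `--dport(s)`/`--sport(s)` and a DROP target is mine, so adjust the patterns to whatever `iptables -S OUTPUT` prints on your nodes.

```shell
#!/bin/sh
# Added example: compares the DROP rule a portblock resource should leave in a
# chain with what `iptables -S CHAIN` actually lists. Not code from the
# resource-agents project; the rule layout matched below is an assumption.

# expected_state ACTION RESOURCE_STATE -> prints "open" or "blocked".
# Semantics as confirmed in the thread: action=unblock opens the port on
# start and blocks it on stop; action=block does the opposite.
expected_state() {
    case "$1/$2" in
        unblock/started|block/stopped) echo open ;;
        unblock/stopped|block/started) echo blocked ;;
        *) echo "unknown action/state: $1/$2" >&2; return 2 ;;
    esac
}

# rule_present CHAIN PROTO IP PORT   (reads an `iptables -S CHAIN` listing on stdin)
# Succeeds when a DROP rule for PROTO to/from IP on PORT exists in CHAIN.
# Assumed layout: IP as -d or -s (optionally /32), port as --dport(s) or
# --sport(s). Each field is matched on its own, so option order does not matter.
rule_present() {
    grep -E -e "^-A $1 " \
    | grep -E -e "-p $2( |\$)" \
    | grep -E -e "-[ds] $3(/32)?( |\$)" \
    | grep -E -e "--[ds]ports? $4( |\$)" \
    | grep -q -e "-j DROP"
}

# check_toggle ACTION RESOURCE_STATE CHAIN PROTO IP PORT   (listing on stdin)
# Prints expected vs. observed state; succeeds only when they agree.
check_toggle() {
    want=$(expected_state "$1" "$2") || return 2
    if rule_present "$3" "$4" "$5" "$6"; then have=blocked; else have=open; fi
    printf '%s/%s: %s %s %s:%s -> expected %s, found %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$want" "$have"
    [ "$want" = "$have" ]
}

# Constructed listings (not captured from a real node), modelled on the
# r-porttoggle resource: action=block direction=out, udp/1234 to 172.16.0.1.
AFTER_START='-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.0.1/32 -p udp -m multiport --dports 1234 -j DROP'
AFTER_STOP_OK='-P OUTPUT ACCEPT'
AFTER_STOP_BUG=$AFTER_START   # the behaviour the report describes: rule survives stop()

demo() {
    printf '%s\n' "$AFTER_START"    | check_toggle block started OUTPUT udp 172.16.0.1 1234
    printf '%s\n' "$AFTER_STOP_OK"  | check_toggle block stopped OUTPUT udp 172.16.0.1 1234
    printf '%s\n' "$AFTER_STOP_BUG" | check_toggle block stopped OUTPUT udp 172.16.0.1 1234 \
        || echo "stop() left the DROP rule in place"
}
demo
```

On a live node the same function reads the real chain, e.g. `sudo iptables -S OUTPUT | check_toggle block stopped OUTPUT udp 172.16.0.1 1234` right after stopping the resource; with direction=both run it once per chain (INPUT and OUTPUT), since the listing is per chain.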


On 10/9/24 11:26, Oyvind Albrigtsen wrote:

Correct. That should block the port when the resource is stopped on a
node (e.g. if you have it grouped with the service you're using on the
port).

I would do some testing to ensure it works exactly as you expect. E.g.
you can telnet to the port, or you can run nc/socat on the port and
telnet to it from the node it blocks/unblocks. If it doesn't accept
the connection you know it's blocked.


Oyvind Albrigtsen

On 06/10/24 22:46 GMT, Murat Inal wrote:
Hello,

I'd like to confirm with you the mechanism of ocf:heartbeat:portblock.

Given a resource definition:

Resource: r41_LIO (class=ocf provider=heartbeat type=portblock)
  Attributes: r41_LIO-instance_attributes
    action=unblock
    ip=10.1.8.194
    portno=3260
    protocol=tcp

- If resource starts, TCP:3260 is UNBLOCKED.

- If resource is stopped, TCP:3260 is BLOCKED.

Is that correct? If action=block, it will run just the opposite, correct?

To toggle a port, a single portblock resource is enough, correct?

Thanks,

_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
