On Thu, Oct 23, 2008 at 11:57:17AM +0200, Lars Marowsky-Bree wrote:
> On 2008-10-13T17:17:44, Lars Ellenberg <[EMAIL PROTECTED]> wrote:
> 
> > > Yes, really a pretty cool idea - one of those where one wonders how we
> > > failed to come up with it in the past ;-)
> > btw, if we replicate the connection state (using conntrackd), we don't
> > need tickle acks, we can send the RST directly using e.g. cutter (minus
> > its sanity check filtering out local addresses). 
> 
> I had a discussion with Harald Welte on this topic on the weekend.
> 
> He recommended to not use conntrackd (unless we really want to fail-over
> complete firewalls), as that is replicating much more state than we
> need, and not as scalable.
> 
> All we really need to track is connections which are successfully
> established and tear-down; not a lot of state.
> 
> With openAIS, that should be really simple, as we have high-performance
> ordered messaging.
> 
> 1. On connection established, track {ips, ports, owner_host}
> 
> 2. On connection tear-down, discard record.
> 
> 3. When owner_host goes down, send tickle-acks for affected connections
> and discard them.
> 
> 4. When owner_host stops serving the IP (cleanly), it can send the
> tickle acks itself and discard the connections. (It would be interesting
> to see how many TCP services don't terminate all connections ;-)

I think this should be combined or integrated with the portblock script,
to avoid "ICMP unreachable" or "Connection refused".

think iSCSI failover.

  HA-IP + target
  *crash*
  fence if applicable.
                        on the takeover node,
                          portblock (drop),
                          get the HA-IP up,
                          get the iSCSI target up,
                          unblock and send out tickle ACKs or tickle FINs.
                        RST should then be done by the normal tcp stack,
                        re-establish will follow.

substitute your favorite tcp based server process for iSCSI target.

does that make sense?

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
_______________________________________________________
Linux-HA-Dev: [email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
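
Added example, not part of the original thread or of any Linux-HA code: a minimal Python model of the connection registry described in steps 1-4 of the quoted message, fed by an ordered event stream. The event names, host names and addresses are constructed assumptions; the openAIS messaging and the actual sending of tickle ACKs are out of scope, so the code only computes which connections the takeover node would tickle after unblocking the port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str      # the HA service IP
    dst_port: int

class ConnRegistry:
    """Replicated table of established connections: 4-tuple -> owner_host."""
    def __init__(self):
        self.owner = {}

    def apply(self, event):
        """Apply one ordered cluster message; return the connections to tickle."""
        kind = event[0]
        if kind == "established":            # step 1: track the connection
            _, conn, host = event
            self.owner[conn] = host
            return []
        if kind == "closed":                 # step 2: discard on tear-down
            self.owner.pop(event[1], None)   # tolerate a duplicate close
            return []
        if kind == "host_down":              # step 3: owner crashed
            hit = [c for c, h in self.owner.items() if h == event[1]]
        elif kind == "ip_released":          # step 4: owner cleanly gave up one IP
            _, host, ip = event
            hit = [c for c, h in self.owner.items() if h == host and c.dst_ip == ip]
        else:
            raise ValueError(f"unknown event: {kind}")
        for c in hit:                        # tickled connections are discarded
            del self.owner[c]
        return sorted(hit, key=lambda c: (c.src_ip, c.src_port))

# Constructed sample events (documentation address ranges, hypothetical hosts).
EVENTS = [
    ("established", Conn("192.0.2.10", 40001, "198.51.100.5", 3260), "node-a"),
    ("established", Conn("192.0.2.11", 40002, "198.51.100.5", 3260), "node-a"),
    ("established", Conn("192.0.2.12", 40003, "198.51.100.6", 80), "node-b"),
    ("closed", Conn("192.0.2.11", 40002, "198.51.100.5", 3260)),
    ("host_down", "node-a"),
]

def replay(events):
    """Run events in order; return (connections to tickle, final registry)."""
    reg, tickle = ConnRegistry(), []
    for ev in events:
        tickle.extend(reg.apply(ev))
    return tickle, reg

if __name__ == "__main__":
    for conn in replay(EVENTS)[0]:
        print("tickle", conn)
```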
