Hi,
I did some work with conntrackd and heartbeat some time ago.
Attached is one conntrackd OCF script I made, but when I finished I
realized that it was not working and would never work.
As you say in your HOWTO, conntrackd works with 2 caches.
In my setup I had two nodes; these two nodes start conntrackd at
machine startup, in passive state. Once heartbeat starts the
conntrackd OCF script it promotes one of them to active, which starts
acting as the main firewall, and the other node continues to work in
passive state, receiving the connection states and committing them to
the external cache.
When I try to migrate the resource to the other node, the migration
happens without problem: the other node that was passive becomes
active and acts as the main firewall, and all the connection states are
ok and committed to the kernel cache. AFTER the passive node becomes
active, I had to promote the other node to passive, and that is what I
don't know how to do with heartbeat. Because I had to run the stop
script on all the other nodes, but only after running the start on the
new passive, and heartbeat does the opposite: it does the stop, and
only after that does the start on the newly promoted node.
How do you do that in your configuration? Do you use that advanced mode
in conntrackd you spoke about in your howto?
Sorry, I don't understand too much about conntrackd; maybe my problem
is stupid and can be solved on the conntrackd side.
Cheers,
Michael Schwartzkopff wrote:
> Hi,
>
> I started to write a HOWTO about setting up a highly available firewall cluster
> with Linux: iptables, conntrackd for state sync, and fwbuilder to manage it.
>
> Please find it on my website:
> http://www.multinet.de/HAFirewall
>
> As you can see from the revision number (0.1.1) I just started to write. So the
> description is not too detailed, but you get a pretty clear picture of the
> whole setup. As I find time I will go further into the details and describe the
> setup with more screenshots. Eventually I will also publish the scripts used
> on the website.
>
> I would like to get feedback from you on whether it is worth the effort, about
> errors, improvements, missing parts, or patches. Thanks.
>
> Greetings,
>
#!/bin/sh
#
# Description: Manages conntrack tables
#
# Author: Igor Neves <igor AT 3gnt DOT net>
# <neves DOT igor AT gmail DOT com>
# License: GNU General Public License (GPL)
#
# Copyright: (C) 2008 3GNTW - Tecnologias de Informacao, Lda
# All Rights Reserved.
#
# OCF parameters:
# * OCF_RESKEY_conntrackdbin
#
#################################################################
# Source ocf shell functions
. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs

#################################################################
# Variable configuration
#################################################################
# Path to the conntrackd binary; falls back to the default advertised
# in the meta-data when the parameter is not set
CONNTRACKDBIN="${OCF_RESKEY_conntrackdbin:-/usr/sbin/conntrackd}"

#################################################################
# Internal functions
#################################################################
# Check if there is any conntrackd running.
# Returns 0 (shell "true") when the daemon answers and non-zero
# otherwise, so it can be used directly as an "if" condition.
conntrackd_running ()
{
    # we run conntrackd from init scripts, it should always be running;
    # "-s" asks the daemon for its statistics and fails if it is not up
    $CONNTRACKDBIN -s > /dev/null 2>&1
}

# Run conntrackd with the given option(s), logging on failure
conntrackd_cmd ()
{
    if ! $CONNTRACKDBIN "$@" > /dev/null 2>&1; then
        ocf_log err "$CONNTRACKDBIN $* failed"
        return $OCF_ERR_GENERIC
    fi
    return $OCF_SUCCESS
}

#################################################################
# Main functions
#################################################################
# show how to use this script
_usage ()
{
    cat <<END
usage: $0 {start|stop|status|monitor|meta-data|validate-all}

Expects to have a fully populated OCF RA-compliant environment set.
END
}

# All the verifications we need to do
_validate()
{
    # the binary must exist and be executable before we try to talk to it
    if [ ! -x "$CONNTRACKDBIN" ]; then
        ocf_log err "conntrackd binary $CONNTRACKDBIN not found or not executable"
        exit $OCF_ERR_INSTALLED
    fi
    # we run conntrackd from init scripts, it should always be running
    if conntrackd_running; then
        # if it gets here, everything is ok
        return $OCF_SUCCESS
    else
        ocf_log warn "conntrackd daemon not running, aborting"
        exit $OCF_ERR_GENERIC
    fi
}

###### start ######
_start()
{
    # let's put the whole external cache into the kernel conntrack table
    conntrackd_cmd -c || return $?
    # flush all the caches
    conntrackd_cmd -f || return $?
    # now let's synchronize the internal cache with the kernel conntrack table
    conntrackd_cmd -R || return $?
    # Everything went fine
    return $OCF_SUCCESS
}

###### stop ######
_stop()
{
    # we reset the kernel timers now
    conntrackd_cmd -t || return $?
    # resync the external cache with all the other node(s)
    conntrackd_cmd -n || return $?
    # Everything went fine
    return $OCF_SUCCESS
}

# Monitor if conntrackd is running
_monitor()
{
    # check if conntrackd is running and we can run this resource
    if conntrackd_running; then
        return $OCF_SUCCESS
    else
        ocf_log warn "conntrackd not running"
        return $OCF_NOT_RUNNING
    fi
}

# Print metadata information
_meta_data()
{
    cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="conntrackd">
<version>0.1</version>
<longdesc lang="en">
OCF script that controls the conntrackd daemon in a primary/backup scenario
</longdesc>
<shortdesc lang="en">conntrackd daemon resource script</shortdesc>
<parameters>
<parameter name="conntrackdbin" unique="0" required="1">
<longdesc lang="en">
conntrackd binary path
</longdesc>
<shortdesc lang="en">conntrackd binary path</shortdesc>
<content type="string" default="/usr/sbin/conntrackd"/>
</parameter>
</parameters>
<actions>
<action name="start" timeout="15" />
<action name="stop" timeout="15" />
<action name="meta-data" timeout="5" />
<action name="monitor" timeout="10" interval="300" depth="0"
start-delay="30"/>
</actions>
</resource-agent>
END
}

#################################################################
# See how we were called
#################################################################
case $1 in
    meta-data)
        _meta_data
        exit $OCF_SUCCESS
        ;;
    start)
        _validate
        _start
        ;;
    stop)
        _stop
        ;;
    status|monitor)
        _monitor
        ;;
    usage|help)
        _usage
        exit $OCF_SUCCESS
        ;;
    validate-all)
        _validate
        ;;
    *)
        _usage
        exit $OCF_ERR_UNIMPLEMENTED
        ;;
esac
exit $?
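The two-node failover the post describes, as an added example that is not part of the post or of its attached agent: a POSIX shell harness with a stub conntrackd (constructed for this demonstration; it only records the options it is called with) runs the agent's start and stop command sequences once in heartbeat's order (stop on the old node, then start on the new one) and once in the order the post says conntrackd needs, and checks whether the demoted node's resync request (-n) is issued only after the new primary has committed its external cache (-c). The node names fw1/fw2, the stub and the log file are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the attached agent):
# replays the two-node failover sequence against a stub conntrackd that
# only records the options it was called with. The stub, the log file
# and the node names fw1/fw2 are constructed for this demonstration.

set -eu

CALL_LOG="${TMPDIR:-/tmp}/conntrackd_calls.$$"

# Stub standing in for /usr/sbin/conntrackd: appends "<node> <option>" to the
# log and reports success, as a healthy daemon would for these commands.
conntrackd_stub() {
    node="$1"; shift
    printf '%s %s\n' "$node" "$*" >>"$CALL_LOG"
    return 0
}

# What the agent's _start runs on the node being promoted to primary:
# -c  commit the external cache into the kernel conntrack table
# -f  flush the internal and external caches
# -R  resync the internal cache from the kernel table
promote_to_primary() {
    conntrackd_stub "$1" -c
    conntrackd_stub "$1" -f
    conntrackd_stub "$1" -R
}

# What the agent's _stop runs on the node becoming backup:
# -t  reset the kernel timers so committed flows time out normally
# -n  request a full resync from the other node
demote_to_backup() {
    conntrackd_stub "$1" -t
    conntrackd_stub "$1" -n
}

# Heartbeat's ordering as the post describes it: stop the old node first,
# then start the new one. The old node's resync request (-n) therefore goes
# out before the new primary has committed its external cache (-c).
failover_heartbeat_order() {
    : >"$CALL_LOG"
    demote_to_backup   fw1
    promote_to_primary fw2
    cat "$CALL_LOG"
}

# Ordering the post says conntrackd needs: bring up the new primary first,
# then have the old primary re-join as backup and pull a resync from it.
failover_required_order() {
    : >"$CALL_LOG"
    promote_to_primary fw2
    demote_to_backup   fw1
    cat "$CALL_LOG"
}

# Check on the recorded log: does the first resync request (-n) come after
# the first commit (-c)? Returns 0 when the order is safe, 1 otherwise.
resync_after_commit() {
    commit_line=$(grep -n ' -c$' "$CALL_LOG" | cut -d: -f1 | head -n 1)
    resync_line=$(grep -n ' -n$' "$CALL_LOG" | cut -d: -f1 | head -n 1)
    [ -n "$commit_line" ] && [ -n "$resync_line" ] &&
        [ "$resync_line" -gt "$commit_line" ]
}

# Stand-alone demo: print both sequences and the verdict for each
for run in failover_heartbeat_order failover_required_order; do
    echo "== $run"
    $run
    if resync_after_commit; then
        echo "resync after commit: ok"
    else
        echo "resync after commit: NOT ok"
    fi
done
rm -f "$CALL_LOG"
```

Swapping the stub for the real binary turns `resync_after_commit` into a cheap post-failover check that the backup's resync request was not sent before the new primary had anything committed, which is the ordering an agent has to guarantee across both nodes before it is wired into heartbeat.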
_______________________________________________
Linux-HA mailing list
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems