On Wed, 04/02/2009 at 16.16 +0100, Michael Schwartzkopff wrote:
> On Wednesday, 4 February 2009 12:27:44, Igor Neves wrote:
> > Hi,
> >
> > I have done some work with conntrackd and heartbeat some time ago.
> >
> > Attached is one conntrackd OCF script I made, but when I finished I
> > realized that it was not working and would never work.
> > As you say in your HOWTO, conntrackd works with 2 caches.
>
> I do start conntrackd outside of heartbeat from init. So setup of sync is
> already working before the cluster starts.
> Inside heartbeat I only dump the connection table from the cache into the
> kernel (firewall starts) or clear the cache (firewall stops).

I also have a 2-node active-standby firewall setup in production.
The problem with conntrackd is that it has only one sync connection with the other node. To solve this SPOF I wrote two RAs:
- the first one starts conntrackd and checks (in the monitor action) whether the other node is alive; otherwise, it restarts conntrackd with another configuration with another communication medium.
- the second simply commits the conntrack tables from the other node when it starts.

Obviously you must co-locate the second resource with an IP resource (or in my case another custom RA that bridges some interfaces).
The two RAs are still in a work-for-me status, but they have proved stable for a while.
Maybe in the next few days I'll post them here to gather some comments.

> If you want to write an OCF resource for that task to be done inside heartbeat
> you need a stateful agent. Your agent below is not stateful, i.e. it does not
> understand promote and demote.
>
> Re-thinking: Perhaps you also could state a conntrackd clone...

In my implementation a clone (one for every node) of the table merging RA is enough.

--
Michele Codutti
Centro Servizi Informatici e Telematici (CSIT)
Universita' degli Studi di Udine
via Delle Scienze, 208 - 33100 UDINE
tel +39 0432 558928
fax +39 0432 558911
e-mail: michele.codutti at uniud.it
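
The commit-on-start agent described in this message, written as an OCF-style shell script with start, stop and monitor actions; this is an added example, not the RA written by the poster. It assumes conntrackd is already running and syncing outside the cluster; the `CONNTRACKD` override, the state-file path and the `ct_*` function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's RA. Assumes conntrackd already runs and syncs.
# Hypothetical names: CONNTRACKD override, STATE_FILE path, ct_* functions.
CONNTRACKD="${CONNTRACKD:-conntrackd}"
STATE_FILE="${STATE_FILE:-/var/run/conntrack-commit.state}"

# OCF exit codes
OCF_SUCCESS=0
OCF_ERR_GENERIC=1
OCF_ERR_UNIMPLEMENTED=3
OCF_NOT_RUNNING=7

ct_monitor() {
    # No daemon belongs to this agent; the state file records a completed commit.
    [ -f "$STATE_FILE" ] && return $OCF_SUCCESS
    return $OCF_NOT_RUNNING
}

ct_start() {
    # Idempotent: a second start must not commit again.
    ct_monitor && return $OCF_SUCCESS
    # -c commits the external cache (states learned from the peer) to the kernel.
    "$CONNTRACKD" -c || return $OCF_ERR_GENERIC
    : > "$STATE_FILE" || return $OCF_ERR_GENERIC
    return $OCF_SUCCESS
}

ct_stop() {
    # Stopping an already stopped resource counts as success in OCF.
    ct_monitor || return $OCF_SUCCESS
    # -f flushes conntrackd's caches (the "clear the cache" step on firewall stop).
    "$CONNTRACKD" -f || return $OCF_ERR_GENERIC
    rm -f "$STATE_FILE"
    return $OCF_SUCCESS
}

ct_main() {
    case "$1" in
        start)   ct_start ;;
        stop)    ct_stop ;;
        monitor) ct_monitor ;;
        *)       return $OCF_ERR_UNIMPLEMENTED ;;
    esac
}

# Dispatch only when called with an action, as the cluster manager does.
if [ $# -gt 0 ]; then
    ct_main "$@"
    exit $?
fi
```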
