On 3/19/2010 at 02:25 AM, Bruce Leggett <[email protected]> wrote: 
> Thanks for all the good stuff.  
>  
> <<<<If you're on SLES 10, I'm guessing you're using heartbeat 2.1.x.  Things
> have moved on somewhat since then (the CRM part of heartbeat became Pacemaker,
> which can run on top of either heartbeat or openais/corosync).  A whole lot
> of useful documentation can be found at:
>  
>   http://www.clusterlabs.org/wiki/Documentation 
>  
> Note that this focuses on Pacemaker, but principles etc. should all still be 
> applicable.  There's also links to documentation for previous releases, 
> including some useful Novell/SUSE guides.>>>> 
>  
> I'm considering moving to SLES 11 and was curious if that uses the new
> version natively, if you happen to know? I'd like to be on the same level as
> everyone else to get easier answers to questions and it seems like people are
> moving up.

Yes, SLES 11 includes Pacemaker on OpenAIS.

> <<<See above.  Another thing you'll need to do is make sure samba's settings  
> for "lock directory" and "private dir" are pointing to your shared  
> filesystem, otherwise your password/user database will/may vary from node to  
> node. Not good >>> 
>  
> I assume this is for Samba login/authentication? What I did is add the nodes
> to AD as clients. My folders are on the shared filesystem and set with AD
> users and groups. When I access samba from a domain Windows box they just get
> access if the user is in the right group etc. Since both nodes are set that
> way when I fail over I reconnect instantly. The only loss I have is during
> the 1 second fail over. Do you see an issue with this? I want to make sure I
> understand.

Because the two nodes have separate configuration for Samba (private dir, etc.),
if you're using samba's automatic UID/GID assignment, it's possible that your
Windows username to UNIX UID/GID mapping may differ on each node, creating file
ownership issues.  This can be resolved by using a different mapping scheme
(UID based on Windows SID, or using MS Services for Unix / RFC 2307 mapping),
but you'll need to consult the Samba docs for more detail (it's been a while
since I looked at this).

> << "ping foo" resolves the correct IP address, but gets no response, whereas 
> "ping IP" does get a response?  Sorry, I don't think I can explain that. >> 
>  
> Exactly. IP works and DNS name to IP does not for whatever reason. Ping
> node-active resolves to the IP, but no reply ping.

Weird...

> <<<< So you're using Samba...  You can join a Samba instance to an Active
> Directory domain ("net ads join" from memory).  If you set the "netbios name"
> you want in smb.conf, make sure your "private dir" is on shared storage as
> mentioned above, then join the AD domain from whichever node samba is active
> on (refer samba docs for specifics), in theory, the named samba instance
> should be added to the AD domain and DNS (assuming your AD server is also
> your DNS server). You'll want to manually remove the fixed IP address of the
> node from DNS, but once you've done that, the Samba instance should be
> visible to Windows/AD by name regardless of which node it's running on. >>>>>
>  
> I'll look into this. I see what you're saying, but to my limited eyes it  
> doesn't feel like a true virtual name. I almost want my name to be  
> independent of the nodes unless the cluster resource is stationed there.  

You mention above that you have added each node separately to the AD domain.
What actually happens when you do this, is that the Samba instance on each
node is separately added to the domain - it looks like two separate machines
to AD.

Try removing the existing nodes from AD, then reconfigure samba to keep its
configuration (private dir etc.) on the shared storage, then when the samba
resource is active on *one* node, add that node to AD.  This should result
in that samba instance (with whatever name is specified as "netbios name"
in smb.conf) being added to AD, with the IP address of both the current node
*and* the virtual IP being put in DNS.  Then, on the AD server, remove the
node IP address from the DNS, leaving only the virtual IP.

Samba, winbind etc. should only ever be running on one node (whichever node
the Samba resource is active on) - so it's effectively the samba instance
moving around, giving you a name that's bound to your resource, and not to
either machine.

(Unfortunately, I can't really give you much more detail - like I said, it's
been a little while since I last did this)

> <<<< That's because the IP address is an OCF resource agent, whereas Samba is
> just a reference to the regular Samba init script.  OCF RAs can have
> parameters, init scripts can't (they're not smart enough). >>>>>>
>
> Ahhhhh - so they're just firing the main service up for me. It's going to use
> whatever settings I've set samba or any other component to in the respective
> setting or start files? Gotcha.

Yep.  Just so long as you've got the regular services chkconfig'd off, the
cluster will start/stop them on whatever node that resource is meant to be
active on.

> <<< Also, someone really needs to publish some 
> documentation on effective use of Samba with Linux-HA/Pacemaker clusters 
> (having written this email, I have a sinking feeling I will be volunteered 
> for the task). >>>>> 
>  
> I know you said Pacemaker was newer and I mention above going to it. Is
> that practical given where documentation is? I'm so happy you've volunteered.
> LOL I kid.
>  
> Thank you so much for getting me moving again. This is a fun technology. 

No problem, hope it all works well for you :)

Regards,

Tim

>  
>  
> Bruce A Leggett 
> Director, IT Systems 
> Amscot Financial 
>  
> -----Original Message----- 
> From: [email protected]  
> [mailto:[email protected]] On Behalf Of Tim Serong 
> Sent: Thursday, March 18, 2010 6:34 AM 
> To: '[email protected]' 
> Subject: Re: [Linux-HA] Virtual Name and Samba clarification. 
>  
> Hi, 
>  
> On 3/18/2010 at 06:59 AM, Bruce Leggett <[email protected]> wrote: 
>  
> > Hi,
> > I recently set up Heartbeat on two SLES 10.2 boxes. Between yast and
> > hb_gui it was simple to get the cluster up and running with a virtual IP
> > in my resource group. I have a couple questions. I've been reading
> > different resources and it's tough to get a grasp on all the parts to
> > better understand them and google has so many links that assume you have
> > X experience.
> >
> > 1)       Does anyone have a guide for beginners? Something that's real
> > whiz bang and helps a person get the components? I've mostly been using
> > linux-ha.org and google.
>  
> If you're on SLES 10, I'm guessing you're using heartbeat 2.1.x.  Things
> have moved on somewhat since then (the CRM part of heartbeat became
> Pacemaker, which can run on top of either heartbeat or openais/corosync).
> A whole lot of useful documentation can be found at:
>  
>   http://www.clusterlabs.org/wiki/Documentation 
>  
> Note that this focuses on Pacemaker, but principles etc. should all still be 
> applicable.  There's also links to documentation for previous releases, 
> including some useful Novell/SUSE guides. 
>  
> > Ok, onto my more technical question. I have a two node cluster. Example   
> > below.  
> >   
> > Node-a 10.0.0.5  
> > Node-b 10.0.0.6  
> >   
> > Node-active 10.0.0.10  
> >   
> > I am setting this lab up to be a HA file server with AD integration. I am
> > using OCFS2 to nix the need for replicating data or moving disk
> > resources. I wasn't sure if Linux-HA could handle seamless failover of
> > Samba.
> >
> > 2)       Can Linux-HA handle a seamless transition without dropping the
> > connections?
>  
> Short answer: No.  This is because, if you create an HA resource for samba 
> using the smb LSB init script, samba physically gets stopped on the failed 
> node (or is killed/dies), then is restarted on the other, so the connections 
> can't remain alive. 
>  
> Long answer: Maybe, but you will need to either use CTDB and/or the tickle
> ACK function in the portblock RA, but these are all relatively recent and
> may not be available on SLES 10.  Some (brief) documentation for this is
> available at
> http://linux-ha.org/wiki/CTDB_%28resource_agent%29
>  
> > Anyhow, I have samba running on both nodes and the nodes are part of my
> > AD domain. I can access either box from my windows client just like it
> > was a windows box etc etc. Today I can access node-a and on a failover
> > node-b picks things up right where the other left off in about 1 or 2
> > seconds tops. \\10.0.0.10\testshare . The only thing is in this setup
> > any data transferring during the failover dropped. Hence the last
> > question about Samba being failed over. I've read all kinds of posts on
> > it and I am not sure the answer is clear to me.
>  
> See above.  Another thing you'll need to do is make sure samba's settings
> for "lock directory" and "private dir" are pointing to your shared
> filesystem, otherwise your password/user database will/may vary from node
> to node.  Not good.
>  
> > I would also like to add a virtual name to my resource group so I can
> > access the resource group by name. I tried adding a DNS record so I could
> > do \\node-active\share. However I can not ping the resource group or
> > access it by name. Pinging from linux or windows resolves the name to the
> > right IP, but I get no replies or connection using my name.
> >
> > 3)       Am I missing something to make that work? I'm shocked the
> > resource group IP responds via number, but not name.
>  
> "ping foo" resolves the correct IP address, but gets no response, whereas 
> "ping IP" does get a response?  Sorry, I don't think I can explain that. 
>  
> > 4)       Is there a proper resource name I can add like they have with
> > MSCS?
>
> So you're using Samba...  You can join a Samba instance to an Active
> Directory domain ("net ads join" from memory).  If you set the "netbios
> name" you want in smb.conf, make sure your "private dir" is on shared
> storage as mentioned above, then join the AD domain from whichever node
> samba is active on (refer samba docs for specifics), in theory, the named
> samba instance should be added to the AD domain and DNS (assuming your AD
> server is also your DNS server).  You'll want to manually remove the fixed
> IP address of the node from DNS, but once you've done that, the Samba
> instance should be visible to Windows/AD by name regardless of which node
> it's running on.
>  
> (Disclaimer: the above should be "about right", but it's been a while since 
> I performed that particular bit of magic, so YMMV.) 
>  
> > Lastly, like I mentioned I am using SLES 10.2 and HB_GUI to drive all
> > this. I notice there are a lot of resource items I can add to my cluster
> > to do all sorts of things. Some have values that need set like ipaddr has
> > ip. A lot of them do not like smb has no parameters in the drop down.
> >
> > 5)       Is that by design or are we expected to know those values and
> > plug them in ourselves? In the gui it's just empty, but I can hand type
> > something in.
>  
> That's because the IP address is an OCF resource agent, whereas Samba is
> just a reference to the regular Samba init script.  OCF RAs can have
> parameters, init scripts can't (they're not smart enough).
>    
> > I really like this as a technology so far, I'd just like to get some of
> > the pieces down a little more. I apologize for the basic questions, but
> > there is a lot of chatter and terms flying around and I am not up to
> > speed enough to search / ask with those terms. Example - I want to add a
> > virtual name to my resource group. In the MSCS world that gets hits, but
> > not much with Linux-HA. I'm not sure if it's there or I have to use Samba
> > in some fashion etc. So it blocks me from hitting the right search.
>  
> This can be a fairly dense topic :) 
>  
> There's a line of responsibility between the various pieces - the HA stack
> does not know or care what type of resource you are running (maybe it's
> Samba, maybe it's a database, a web server, whatever).  What you need to do
> is make Samba play nice with AD, then get the HA stack to make that Samba
> instance highly available.  This is possibly why you haven't found much on
> virtual names and resource groups.  Also, someone really needs to publish
> some documentation on effective use of Samba with Linux-HA/Pacemaker
> clusters (having written this email, I have a sinking feeling I will be
> volunteered for the task).
>  
> Good luck, 
>  
> Tim 
 


_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
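
Added example, not part of the original thread: a small audit of smb.conf for the settings discussed above ("netbios name", "private dir", "lock directory", and a UID/GID mapping that does not depend on per-node allocation). The sample configuration, the /shared mount point and the mapping of the two schemes mentioned in the thread to Samba's rid and ad idmap backends are assumptions; only the parameter spellings used in the thread are checked.

```python
import posixpath

# Constructed sample smb.conf: workgroup, names and paths are assumptions.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   netbios name = NODE-ACTIVE
   private dir = /etc/samba/private
   lock directory = /shared/samba/locks
   ; no idmap backend chosen
[testshare]
   path = /shared/testshare
"""

def parse_global(text):
    """Return [global] parameters, keys lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(text, shared_mount):
    """List settings that would let Samba state diverge between nodes."""
    g, findings = parse_global(text), []
    root = shared_mount.rstrip("/") + "/"
    if "netbiosname" not in g:
        findings.append("netbios name not set: instance takes the node's hostname")
    for name in ("private dir", "lock directory"):
        value = g.get(name.replace(" ", ""))
        if not value or not (posixpath.normpath(value) + "/").startswith(root):
            findings.append(f"{name} = {value or '(built-in default)'} is not under {shared_mount}")
    # Assumption: "rid" (UID derived from the SID) and "ad" (RFC 2307
    # attributes) are the backends that give the same mapping on every node.
    backends = [v.split(":")[0].lower() for k, v in g.items()
                if k.startswith("idmap") and k.endswith("backend")]
    if not any(b in ("rid", "ad") for b in backends):
        findings.append("no rid/ad idmap backend: allocated UID/GID may differ per node")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SMB_CONF, "/shared")))
```
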
