On Tue, Sep 28, 2010 at 11:13 AM, Dejan Muhamedagic <[email protected]> wrote:
> Hi,
>
> On Tue, Sep 28, 2010 at 06:27:17AM +0200, Michael Schwartzkopff wrote:
>> On Thursday 23 September 2010 13:47:43 Dejan Muhamedagic wrote:
>> > Hi,
>> >
>> > On Wed, Sep 08, 2010 at 09:26:40PM +0200, Jonathan Petersson wrote:
>> > > Hi all,
>> > >
>> > > I haven't been active on this list for quite some time but I recall
>> > > conntrack-support for heartbeat/pacemaker has been on the wall a few
>> > > times. As I was in the process of installing a couple of new firewalls
>> > > I figured I would spend some time actually getting some support for it
>> > > now that the resource-based system has been put in place (great work
>> > > btw).
>> > >
>> > > Please notice that the code-set is still work in progress and I'll be
>> > > spending the next few days expanding it.
>> >
>> > Any new developments in the meantime?

There have been some modifications, I'll put it under git during the week.

>> >
>> > > The code is available at: http://pastebin.com/Bv060JvR
>> > >
>> > > Feel free to reply with comments and recommended changes.
>> >
>> > Isn't conntrack supposed to be a master-slave implementation,
>> > i.e. where one instance sends updates to other instances? I don't
>> > know if migrate can be used instead of demote/promote.
>>
>> Hi,
>>
>> A MS RA for conntrackd is not necessary. conntrack publishes its state table
>> via multicast. You start it on all nodes of your firewall cluster as a clone
>> resource. The firewall that has the floating IP address sees new entries in
>> the state table and publishes them. All other nodes get the new entries.
>
> So, you could just as well let conntrack start by the boot
> process, right? I always wondered on the relative merit of
> cloning such resources or starting them via init.

I guess it makes sense to leave out starting the daemon using the OCF
resource since the resource doesn't really maintain service-state of
the daemon, just failover.

>
>> Passive nodes just do not get traffic and thus do not publish new entries.
>
> I wonder why then there is migrate_to/from in the RA.
>
>> Of course, you could write a MS RA. But that would be too much work.
>
> Well, that doesn't seem to be needed.
>
> Thanks,
>
> Dejan
>
>> Greetings,
>>
>> --
>> Dr. Michael Schwartzkopff
>> Guardinistr. 63
>> 81375 München
>>
>> Tel: (0163) 172 50 98
>> _______________________________________________
>> Linux-HA mailing list
>> [email protected]
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> See also: http://linux-ha.org/ReportingProblems
