On 03/06/11 06:42, imnotpc wrote:
> On Thursday, June 02, 2011 16:30:55 Digimer wrote:
>> On 06/02/2011 04:23 PM, imnotpc wrote:
>>> On Thursday, June 02, 2011 15:59:41 Digimer wrote:
>>>> On 06/02/2011 03:55 PM, imnotpc wrote:
>>>>> I'm a new user with a simple question which I could not find an answer
>>>>> to in the docs. The Clusters from Scratch document tells you to
>>>>> disable iptables and I've inadvertently found out why when I loaded my
>>>>> standard firewall script and broke my cluster. My question is: Is the
>>>>> corosync/pacemaker stack inherently incompatible with iptables or are
>>>>> there just certain iptables modules or configurations that cause
>>>>> problems?
>>>>>
>>>>> Thanks,
>>>>> Jeff
>>>>
>>>> You just need to know the ports to open. Here is the list of ones I know
>>>> of:
>>>>
>>>> Port                 Protocol  Component
>>>> 5404, 5405           UDP       cman
>>>> 8084, 5405           TCP       luci
>>>> 11111                TCP       ricci
>>>> 14567                TCP       gnbd
>>>> 16851                TCP       modclusterd
>>>> 21064                TCP       dlm
>>>> 50006, 50008, 50009  TCP       ccsd
>>>> 50007                UDP       ccsd
>>>>
>>>> Note that this is from a RHCS2 (openais) perspective. I may be missing
>>>> pacemaker-specific ones.
>>>
>>> Appreciate the quick response. It's good to know iptables can work. I
>>> can't imagine no firewall even on an internal box. In my configuration
>>> everything (nearly) that gets blocked gets logged so now I need to find
>>> out why I'm not seeing any of these ports show up in my firewall log.
>>
>> On second thought, those are *all* RHCS specific ports. That would
>> explain why you are not seeing them. I need more coffee...
>>
>> In your openais/corosync config, you will have defined an IP address and
>> port for each ring. Check there and make sure those ports are open.
>
> Don't feel bad, at least you didn't do anything as dumb as I did. When I set
> the port in corosync.conf I also created a rule in my firewall script... a
> DROP rule... like I use for annoying MS broadcast traffic. That's why it never
> reached my logs or its destination. aarrgghh!!
>
> Thanks again...

For corosync, you need to open mcastport and mcastport-1 (which is 5405
and 5404 by default, as mentioned in Digimer's list above). That should
be all you need in general for corosync+pacemaker, although services you
run within the cluster might need other ports open (e.g. if you're using
DLM, DRBD, etc.).

Regards,

Tim
--
Tim Serong <[email protected]>
Senior Clustering Engineer, OPS Engineering, Novell Inc.
_______________________________________________
Openais mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/openais
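
Added example, not part of the original thread: a shell sketch that reads the `mcastport` of each ring from corosync.conf, emits ACCEPT rules for mcastport-1 and mcastport, and flags existing DROP/REJECT rules that name those ports (the silent-drop mistake described above). The sample config, the `INPUT` chain and all function names are assumptions.

```shell
#!/bin/sh
# Constructed sample corosync.conf; the addresses and second ring are made up.
sample_conf() {
cat <<'EOF'
totem {
    version: 2
    interface {
        ringnumber: 0
        bindnetaddr: 192.168.122.0
        mcastaddr: 226.94.1.1
        mcastport: 5405
    }
    interface {
        ringnumber: 1
        bindnetaddr: 10.20.0.0
        mcastaddr: 226.94.1.2
        mcastport: 5407
    }
}
EOF
}

# stdin: corosync.conf. Prints "mcastport-1:mcastport" per totem interface block.
corosync_port_ranges() {
    awk '
        $1 == "interface"           { in_if = 1; port = 5405; next }  # 5405 = default
        in_if && $1 == "mcastport:" { port = $2 }
        in_if && $1 == "}"          { printf "%d:%d\n", port - 1, port; in_if = 0 }
    '
}

# stdin: corosync.conf. Prints ACCEPT rules (the INPUT chain is an assumption).
corosync_accept_rules() {
    corosync_port_ranges | while read -r range; do
        echo "iptables -A INPUT -p udp --dport $range -j ACCEPT"
    done
}

# stdin: corosync.conf; $1: file of iptables-save output. Prints DROP/REJECT rules
# that name a corosync port literally (wider ranges covering it are not detected).
shadowing_rules() {
    corosync_port_ranges | tr ':' '\n' | sort -u | while read -r p; do
        grep -E -- "-p udp .*--dports? ([0-9:,]*[:,])?${p}([:,][0-9:,]*)? .*-j (DROP|REJECT)" "$1" || true
    done | sort -u
}
```

Because iptables stops at the first matching rule, any line reported by `shadowing_rules` has to be removed or placed after the ACCEPT rules for them to take effect.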
