On Thursday, June 02, 2011 22:50:58 Tim Serong wrote:
> On 03/06/11 06:42, imnotpc wrote:
> > On Thursday, June 02, 2011 16:30:55 Digimer wrote:
> >> On 06/02/2011 04:23 PM, imnotpc wrote:
> >>> On Thursday, June 02, 2011 15:59:41 Digimer wrote:
> >>>> On 06/02/2011 03:55 PM, imnotpc wrote:
> >>>>> I'm a new user with a simple question which I could not find an
> >>>>> answer to in the docs. The Clusters from Scratch document tells you
> >>>>> to disable iptables and I've inadvertently found out why when I
> >>>>> loaded my standard firewall script and broke my cluster. My question
> >>>>> is: Is the corosync/pacemaker stack inherently incompatible with
> >>>>> iptables or are there just certain iptables modules or
> >>>>> configurations that cause problems?
> >>>>> 
> >>>>> Thanks, Jeff
> >>>> 
> >>>> You just need to know the ports to open. Here is the list of ones I
> >>>> know of:
> >>>> 
> >>>> Port                     Protocol        Component
> >>>> 5404, 5405               UDP             cman
> >>>> 8084, 5405               TCP             luci
> >>>> 11111                    TCP             ricci
> >>>> 14567                    TCP             gnbd
> >>>> 16851                    TCP             modclusterd
> >>>> 21064                    TCP             dlm
> >>>> 50006, 50008, 50009      TCP             ccsd
> >>>> 50007                    UDP             ccsd
> >>>> 
> >>>> Note that this is from a RHCS2 (openais) perspective. I may be missing
> >>>> pacemaker-specific ones.
> >>> 
> >>> Appreciate the quick response. It's good to know iptables can work. I
> >>> can't imagine no firewall even on an internal box. In my configuration
> >>> everything (nearly) that gets blocked gets logged so now I need to find
> >>> out why I'm not seeing any of these ports show up in my firewall log.
> >> 
> >> On second thought, those are *all* RHCS specific ports. That would
> >> explain why you are not seeing them. I need more coffee...
> >> 
> >> In your openais/corosync config, you will have defined an IP address and
> >> port for each ring. Check there and make sure those ports are open.
> > 
> > Don't feel bad, at least you didn't do anything as dumb as I did. When I
> > set the port in corosync.conf I also created a rule in my firewall
> > script... a DROP rule...  like I use for annoying MS broadcast traffic.
> > That's why it never reached my logs or its destination.  aarrgghh!!
> > 
> > Thanks again...
> 
> For corosync, you need to open mcastport and mcastport-1 (which is 5405
> and 5404 by default, as mentioned in Digimer's list above).  That should
> be all you need in general for corosync+pacemaker, although services you
> run within the cluster might need other ports open (e.g. if you're using
> DLM, DRBD, etc.).
> 
> Regards,
> 
> Tim

Those are only used if you run cman, correct? I tried to start a basic cman 
instance using the sample file from Clusters from Scratch and it failed. I'm 
still trying to wrap my head around how all these components relate but it 
appears from the manual that cman replaces part of pacemaker and since what I 
have seems to work I gave up on it and moved on to fencing configuration. Is it 
worth it for me to go back and get it working?

Jeff
_______________________________________________
Openais mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/openais
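
The rule from Tim's reply (open UDP mcastport and mcastport-1 for each ring defined in corosync.conf), as an added example that is not part of the original thread. The function name `corosync_fw_rules` and the sample addresses are made up for illustration; the rules use `-I INPUT` on the assumption that they must sit ahead of an existing DROP rule like the one described above.

```shell
#!/bin/sh
# Added example (not from the thread): derive iptables rules from corosync.conf.
# For each ring's "mcastport: N" it prints one rule accepting UDP N-1 and N.

corosync_fw_rules() {
    # Reads corosync.conf text on stdin; prints the rules on stdout.
    sed -e 's/#.*//' |
    awk -F: '
        $1 ~ /^[ \t]*mcastport[ \t]*$/ {
            p = $2; gsub(/[ \t\r]/, "", p)
            if (p !~ /^[0-9]+$/ || p + 0 < 2 || p + 0 > 65535) {
                printf "invalid mcastport: %s\n", p > "/dev/stderr"
                bad = 1; next
            }
            if (seen[p]++) next          # two rings sharing a port: one rule
            printf "iptables -I INPUT -p udp -m multiport --dports %d,%d -j ACCEPT\n", p - 1, p
            found = 1
        }
        END { if (bad || !found) exit 1 }   # fail if nothing usable was found
    '
}

# Constructed sample configuration with two rings (not Jeff's real config).
corosync_fw_rules <<'EOF'
totem {
    version: 2
    interface {
        ringnumber: 0
        bindnetaddr: 192.168.1.0
        mcastaddr: 226.94.1.1
        mcastport: 5405        # default
    }
    interface {
        ringnumber: 1
        bindnetaddr: 10.0.0.0
        mcastaddr: 226.94.1.2
        mcastport: 5407
    }
}
EOF
```

The function only prints the rules; review them, then paste them into the firewall script above any DROP or LOG rules that match the same traffic.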
