Re: [ClusterLabs] Configuring booth for multi-site cluster

2017-11-04 Thread Nicolas Huillard
Hi,

I was not able to get arbitrator="address.at.arbitrator.net" to work
(differing resolution is OK, but booth didn't accept names), and having
a different booth.conf on the various sites was not a good idea (and
didn't work for other reasons).
All in all, I finally replaced some existing direct routing with IPsec
tunnels passing through the correct links, and booth works great. My
initial idea was to use each site/cluster gateway external IP as the
booth.conf site=, but I stumbled upon the NAT hurdle.
I changed my mind and now use each site/cluster gateway internal IP as
the booth.conf site=, routing the traffic through the external links
using IPsec tunnels. These tunnels also carry other kinds of traffic
(Munin monitoring, etc.) that were not cleanly handled previously.

All in all, booth could be NAT-aware, but it's not such a problem if
one reviews every need.

Thanks all,

-- 
Nicolas Huillard

___
Users mailing list: Users@clusterlabs.org
http://lists.clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org


Re: [ClusterLabs] Configuring booth for multi-site cluster

2017-11-01 Thread Dejan Muhamedagic
On Tue, Oct 31, 2017 at 09:31:56AM +0100, Nicolas Huillard wrote:
> Le mardi 31 octobre 2017 à 08:25 +0100, Dejan Muhamedagic a écrit :
> > > * is it a good idea to route the booth plain UDP/9929 traffic via
> > > Internet ? (the firewalls are configured to accept only traffic
> > > from/to the known public addresses, and the booth shared secret
> > > authentication remains secret)
> > 
> > There's nothing particularly interesting in booth traffic.
> 
> Maybe an injection could be bad, but it's apparently taken care of with
> timestamps. I'll try to use this simplest setup without IPsec.

IIRC, there's a description of the authentication process.

> > > * is it possible to use some kind of special syntax in booth.conf
> > > to declare both the NATted local and the public addresses, say
> > > arbitrator="192.168.1.1@81.12.34.56"
> > 
> > That never occurred as a possible setup/requirement and I'm not
> > sure if it'd be necessary. Shouldn't it be possible that the
> > arbitrator's internal address is also translated into the public
> > one? Or does booth at the arbitrator complain about it?
> 
> Yes, it does (sorry I forgot that info):
> booth: [536]: ERROR: Cannot find myself in the configuration.
> ...when using the external IP (81.12.34.56)
> This internal NATted IP is known to the arbitrator, but not to the other
> sites, whereas the external IP is reachable from the other sites, but
> not the arbitrator itself.
> Thus the above pseudo-syntax, resembling a bit the ipsec.conf details
> in a NATted setup.

Ah, right. Too bad.

> > > * is IPsec mandatory, and if so, what is the best setup ? (both
> > > sites have a DMZ and a cluster private network, both use PPPoE to
> > > reach the internet; each Pacemaker manages a virtual IP in the DMZ
> > > and another in the internal network, and spawns the pppd daemon
> > > which acts as a gateway to the Internet; there is an existing IPsec
> > > tunnel between the 2 sites' internal networks)
> > 
> > No, IPsec is not mandatory.
> 
> Great... or so. I don't know any other way to make the
> internal/external IPs match.
> I just tried using DNS names (resolving into different IPs depending on
> location), to no avail:
> booth: [5364]: ERROR: Address string "address.at.arbitrator.net" is bad

Only numerical addresses were supported, but in the meantime
one can also use names.

> It just occurred to me that I can also try NOT to have the exact same
> booth.conf in all the instances...

Well, in this case that could hopefully help. Otherwise, could
you please open an issue at github, maybe there is an easy way to
fix that.

> > > * with IPsec, should the booth.conf site= and arbitrator= IPs be
> > > the internal virtual IPs, or DMZ IPs, or something else entirely ?
> > 
> > Well, however the sites address each other ;-)
> 
> Both sites can address each other in a symmetric way (I'll choose the
> exact fashion in time then), but the arbitrator is an outlier with its
> NAT (that I can't change for various other reasons).
> I understand that my setup is not high-end, as I try to take advantage
> of an existing well-managed home server.

The arbitrator is needed only, well, to arbitrate and by
definition cannot be a SPOF. But it should function reliably when
needed; for instance, you'd better have a not too flaky provider.
booth is also being tested in (simulated) networks of all kinds,
but it won't be of much use if there's no connection at all.

Cheers,

Dejan


> -- 
> Nicolas Huillard



Re: [ClusterLabs] Configuring booth for multi-site cluster

2017-10-31 Thread Nicolas Huillard
Le mardi 31 octobre 2017 à 08:25 +0100, Dejan Muhamedagic a écrit :
> > * is it a good idea to route the booth plain UDP/9929 traffic via
> > Internet ? (the firewalls are configured to accept only traffic
> > from/to the known public addresses, and the booth shared secret
> > authentication remains secret)
> 
> There's nothing particularly interesting in booth traffic.

Maybe an injection could be bad, but it's apparently taken care of with
timestamps. I'll try to use this simplest setup without IPsec.

> > * is it possible to use some kind of special syntax in booth.conf
> > to declare both the NATted local and the public addresses, say
> > arbitrator="192.168.1.1@81.12.34.56"
> 
> That never occurred as a possible setup/requirement and I'm not
> sure if it'd be necessary. Shouldn't it be possible that the
> arbitrator's internal address is also translated into the public
> one? Or does booth at the arbitrator complain about it?

Yes, it does (sorry I forgot that info):
booth: [536]: ERROR: Cannot find myself in the configuration.
...when using the external IP (81.12.34.56)
This internal NATted IP is known to the arbitrator, but not to the other
sites, whereas the external IP is reachable from the other sites, but
not the arbitrator itself.
Thus the above pseudo-syntax, resembling a bit the ipsec.conf details
in a NATted setup.

> > * is IPsec mandatory, and if so, what is the best setup ? (both
> > sites have a DMZ and a cluster private network, both use PPPoE to
> > reach the internet; each Pacemaker manages a virtual IP in the DMZ
> > and another in the internal network, and spawns the pppd daemon
> > which acts as a gateway to the Internet; there is an existing IPsec
> > tunnel between the 2 sites' internal networks)
> 
> No, IPsec is not mandatory.

Great... or so. I don't know any other way to make the
internal/external IPs match.
I just tried using DNS names (resolving into different IPs depending on
location), to no avail:
booth: [5364]: ERROR: Address string "address.at.arbitrator.net" is bad
It just occurred to me that I can also try NOT to have the exact same
booth.conf in all the instances...

> > * with IPsec, should the booth.conf site= and arbitrator= IPs be
> > the internal virtual IPs, or DMZ IPs, or something else entirely ?
> 
> Well, however the sites address each other ;-)

Both sites can address each other in a symmetric way (I'll choose the
exact fashion in time then), but the arbitrator is an outlier with its
NAT (that I can't change for various other reasons).
I understand that my setup is not high-end, as I try to take advantage
of an existing well-managed home server.

-- 
Nicolas Huillard

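The two errors quoted in this message (a name rejected as a bad address string, and "Cannot find myself in the configuration" on the NATted arbitrator) can both be caught before booth is even started. The following pre-flight check is an added example written for this thread, not code from the booth project: it assumes the key="value" line format of booth.conf with repeated site= and arbitrator= entries, and the addresses and the list of locally bound addresses are constructed sample values.

```python
"""Pre-flight check for a booth.conf: are all peers literal IPs, and is this
host one of them? Added example for the thread above, not booth's own code."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample configuration in the shape discussed in the thread:
# two sites and one arbitrator, each designated by a single address.
SAMPLE_CONF = """\
# constructed example, not a real deployment
transport="UDP"
port="9929"
arbitrator="81.12.34.56"
site="10.1.0.1"
site="10.2.0.1"
ticket="ticketA"
"""

# key = "value" or key = value, optional trailing comment (assumed format)
LINE_RE = re.compile(r'^\s*([A-Za-z_-]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_booth_conf(text: str) -> Dict[str, List[str]]:
    """Collect every key=value pair; repeated keys (site=, ticket=) keep order."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines we do not understand
        key, value = m.group(1), m.group(2).strip()
        entries.setdefault(key, []).append(value)
    return entries


def peers(entries: Dict[str, List[str]]) -> List[str]:
    """All site= and arbitrator= addresses, in configuration order."""
    return entries.get("site", []) + entries.get("arbitrator", [])


def bad_address_strings(entries: Dict[str, List[str]]) -> List[str]:
    """Peers that are not literal IP addresses. booth 1.0, as reported in the
    thread, rejects these with 'Address string "..." is bad'."""
    bad = []
    for addr in peers(entries):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)
    return bad


def find_myself(entries: Dict[str, List[str]], local_addresses: List[str]) -> List[str]:
    """Configured peer addresses that are bound on this host. An empty result
    is the condition behind 'Cannot find myself in the configuration': the
    NATted arbitrator only knows its private address while booth.conf lists
    the public one."""
    local = set(local_addresses)
    return [addr for addr in peers(entries) if addr in local]


def check_config(text: str, local_addresses: List[str]) -> List[str]:
    """Run both checks and return human-readable findings (empty = OK)."""
    entries = parse_booth_conf(text)
    findings = []
    for addr in bad_address_strings(entries):
        findings.append(f'address string "{addr}" is not a literal IP')
    if not find_myself(entries, local_addresses):
        findings.append("no configured site/arbitrator address is bound on this "
                        "host (public address listed, only the private one known here?)")
    return findings


if __name__ == "__main__":
    # Constructed local address list of a NATted arbitrator: only the private IP.
    for finding in check_config(SAMPLE_CONF, ["127.0.0.1", "192.168.1.1"]):
        print("booth.conf:", finding)
```

The check deliberately reads the local address list as an argument rather than probing interfaces, so the same script can be run from a deployment pipeline against each instance's intended address set; the thread's eventual fix (listing each node's internal address and reaching it over IPsec) is exactly the configuration for which find_myself() returns a match on every host.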


Re: [ClusterLabs] Configuring booth for multi-site cluster

2017-10-31 Thread Dejan Muhamedagic
Hi,

On Mon, Oct 30, 2017 at 07:03:28PM +0100, Nicolas Huillard wrote:
> Hello all,
> 
> I have 2 sites, each with an independently configured cluster
> (corosync+pacemaker), and an arbitrator server, which is behind a NAT
> connection to the Internet.
> I see in the booth.conf templates that each site/arbitrator is only
> designated by a single IP address, not taking into account the
> potential NAT, i.e. the arbitrator identifies itself using its internal
> address, but is reached from the outside using the public address of
> the NAT device.
> IPsec is mentioned in https://www.suse.com/documentation/sle-ha-geo-12
> /singlehtml/art-ha-geo-quick-start/art-ha-geo-quick-start.html without
> much detail.
> I'm using booth 1.0 from Debian/stretch.
> 
> Questions:
> * is it a good idea to route the booth plain UDP/9929 traffic via
> Internet ? (the firewalls are configured to accept only traffic from/to
> the known public addresses, and the booth shared secret authentication
> remains secret)

There's nothing particularly interesting in booth traffic.

> * is it possible to use some kind of special syntax in booth.conf to
> declare both the NATted local and the public addresses, say
> arbitrator="192.168.1.1@81.12.34.56"

That never occurred as a possible setup/requirement and I'm not
sure if it'd be necessary. Shouldn't it be possible that the
arbitrator's internal address is also translated into the public
one? Or does booth at the arbitrator complain about it?

> * is IPsec mandatory, and if so, what is the best setup ? (both sites
> have a DMZ and a cluster private network, both use PPPoE to reach the
> internet; each Pacemaker manages a virtual IP in the DMZ and another in
> the internal network, and spawns the pppd daemon which acts as a
> gateway to the Internet; there is an existing IPsec tunnel between the
> 2 sites' internal networks)

No, IPsec is not mandatory.

> * with IPsec, should the booth.conf site= and arbitrator= IPs be the
> internal virtual IPs, or DMZ IPs, or something else entirely ?

Well, however the sites address each other ;-)

Thanks,

Dejan

> TIA,
> 
> -- 
> Nicolas Huillard



[ClusterLabs] Configuring booth for multi-site cluster

2017-10-31 Thread Nicolas Huillard
Hello all,

I have 2 sites, each with an independently configured cluster
(corosync+pacemaker), and an arbitrator server, which is behind a NAT
connection to the Internet.
I see in the booth.conf templates that each site/arbitrator is only
designated by a single IP address, not taking into account the
potential NAT, i.e. the arbitrator identifies itself using its internal
address, but is reached from the outside using the public address of
the NAT device.
IPsec is mentioned in https://www.suse.com/documentation/sle-ha-geo-12
/singlehtml/art-ha-geo-quick-start/art-ha-geo-quick-start.html without
much detail.
I'm using booth 1.0 from Debian/stretch.

Questions:
* is it a good idea to route the booth plain UDP/9929 traffic via
Internet ? (the firewalls are configured to accept only traffic from/to
the known public addresses, and the booth shared secret authentication
remains secret)
* is it possible to use some kind of special syntax in booth.conf to
declare both the NATted local and the public addresses, say
arbitrator="192.168.1.1@81.12.34.56"
* is IPsec mandatory, and if so, what is the best setup ? (both sites
have a DMZ and a cluster private network, both use PPPoE to reach the
internet; each Pacemaker manages a virtual IP in the DMZ and another in
the internal network, and spawns the pppd daemon which acts as a
gateway to the Internet; there is an existing IPsec tunnel between the
2 sites' internal networks)
* with IPsec, should the booth.conf site= and arbitrator= IPs be the
internal virtual IPs, or DMZ IPs, or something else entirely ?

TIA,

-- 
Nicolas Huillard
