Re: Network question - disable access to an IP without running ifdown ?

2014-05-01 Thread Bluejay Adametz
> Is there a way to disable any traffic from getting to the old master via
> commands we can run outside of the master server?

The surest way would be to get access to the network switch and
disable the port going to the master server. Depending on the switch,
a little ssh and expect could do the job (I do that sort of thing with
a lot of Cisco switches to collect information). Or you might be able
to do it through SNMP.

 - Bluejay Adametz

When life gives you lemons, keep them.
Hey, I mean, free lemons, right?


Re: Network question - disable access to an IP without running ifdown ?

2014-05-01 Thread Keith Chadwick
A couple of possibilities to consider:
- use a private network (or perhaps even just an Ethernet crossover cable) 
between the systems to ssh into the unreachable system to perform an ifdown.
- have the surviving system access an external console / pdu to remove power 
from the unreachable system (stonith - shoot the other node in the head).

-Keith.
On May 1, 2014, at 11:31 AM, CS_DBA wrote:

> Hi All;
> 
> we have a failover tool (for a database) that pings the master and if it's not 
> responding runs ifdown over ssh to bring an ip alias down, then runs ifup of 
> the alias on the standby node.
> 
> A possible issue would be if the master was not reachable, thus the ifdown 
> fails and once the master becomes available again then we have 2 nodes with 
> the ip alias and we risk a split brain issue
> 
> Is there a way to disable any traffic from getting to the old master via 
> commands we can run outside of the master server?
> 
> Thanks in advance


Re: Network question - disable access to an IP without running ifdown ?

2014-05-02 Thread Nico Kadel-Garcia
Don't use the main IP address for your traffic. Use a secondary,
virtual IP address on the same port or ports, say "ifcfg-eth0:1", and
tie it to any of the common VIP monitoring packages such as is used by
the master-master-mysql monitoring program. Basically, they
communicate over the available, primary IP address. If it's down, the
secondary VIP is kept down. When the primary address comes back down,
they negotiate over the primary address about which host to enable the
secondary VIP on.

On Thu, May 1, 2014 at 12:31 PM, CS_DBA wrote:
> Hi All;
>
> we have a failover tool (for a database) that pings the master and if it's
> not responding runs ifdown over ssh to bring an ip alias down, then runs
> ifup of the alias on the standby node.
>
> A possible issue would be if the master was not reachable, thus the ifdown
> fails and once the master becomes available again then we have 2 nodes with
> the ip alias and we risk a split brain issue
>
> Is there a way to disable any traffic from getting to the old master via
> commands we can run outside of the master server?
>
> Thanks in advance


Re: Network question - disable access to an IP without running ifdown ?

2014-05-02 Thread John Lauro
Any reason not just using heartbeat on the two nodes?  (yum install heartbeat)
Then set up multiple interfaces between the two servers and let heartbeat bring 
services up/down as needed, and heartbeat can control which node has the 
secondary ip address active, etc.


- Original Message -
> From: "Nico Kadel-Garcia" 
> To: "CS_DBA" 
> Cc: "Scientific Linux Users" 
> Sent: Friday, May 2, 2014 8:02:05 AM
> Subject: Re: Network question - disable access to an IP without running ifdown ?
> 
> Don't use the main IP address for your traffic. Use a secondary,
> virtual IP address on the same port or ports, say "ifcfg-eth0:1", and
> tie it to any of the common VIP monitoring packages such as is used by
> the master-master-mysql monitoring program. Basically, they
> communicate over the available, primary IP address. If it's down, the
> secondary VIP is kept down. When the primary address comes back down,
> they negotiate over the primary address about which host to enable the
> secondary VIP on.


Re: Network question - disable access to an IP without running ifdown ?

2014-05-02 Thread James Rogers
arp could help.

But your best option is to use heartbeat / pacemaker, and deploy hard
fencing such as a networked PDU, or a managed switch.

On Fri, May 2, 2014 at 8:27 AM, John Lauro wrote:
> Any reason not just using heartbeat on the two nodes?  (yum install heartbeat)
> Then set up multiple interfaces between the two servers and let heartbeat 
> bring services up/down as needed, and heartbeat can control which node has 
> the secondary ip address active, etc.
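
The ordering the replies in this thread point to (make sure the old master is off the network, by ifdown or by a hard fence, before the standby claims the alias), as an added example that is not from any poster. MASTER_HOST, VIP_IF and the FENCE_CMD hook are assumed placeholders; FENCE_CMD stands for whatever site-specific switch or PDU command is available.

```sh
#!/bin/sh
# Added example: fence-before-takeover ordering for a two-node VIP failover.
# Assumed placeholders, not from the thread: MASTER_HOST, VIP_IF, FENCE_CMD.
# FENCE_CMD is a site-specific command (switch port shutdown, PDU outlet off)
# that takes the host name and exits 0 only when the fence is confirmed.

MASTER_HOST="${MASTER_HOST:-db-master.example.com}"
VIP_IF="${VIP_IF:-eth0:1}"
FENCE_CMD="${FENCE_CMD:-}"      # empty means no fencing device is configured

# Step 1: ask the master to drop the alias itself (what the tool does today).
release_vip_on_master() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@${MASTER_HOST}" \
        "ifdown ${VIP_IF}"
}

# Step 2: hard fence from outside the master when step 1 fails.
fence_master() {
    [ -n "$FENCE_CMD" ] || return 1
    $FENCE_CMD "$MASTER_HOST"   # unquoted on purpose: command plus its options
}

# Step 3: bring the alias up on this (standby) node.
claim_vip() {
    ifup "$VIP_IF"
}

# Returns 0 once the alias is up here; returns 2 and leaves the alias alone
# when the old master can neither be asked nor fenced, which is the
# split-brain case from the original question.
failover() {
    if release_vip_on_master; then
        echo "master released ${VIP_IF}"
    elif fence_master; then
        echo "master did not release ${VIP_IF}; fenced with: ${FENCE_CMD}"
    else
        echo "master state unknown; not claiming ${VIP_IF}" >&2
        return 2
    fi
    claim_vip
}
```

Call failover from the monitor once the ping check has failed. A master fenced at the switch port or PDU stays cut off until someone re-enables it, so it cannot come back still holding the alias.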