[Linux-cluster] rhcs x iptables
vu pham
vu at sivell.com
Tue Mar 31 15:28:23 UTC 2009
Fernando Lozano wrote:
> Hi,
>
> Four days and no replies... maybe you folks don't like me as the list
> has a healthy traffic on other topics ;-)
>
> Is there anything with my setup that shouldn't work? The problem is not
> with VMs because I tried the same configs with two real Dell servers and
> got the same problems. My iptables rules follow what's in RHCS manuals
> and wiki, and I found nothing new with netstat -a.
>
> Even then rgmanager only works correctly with iptables turned off (that
> is, iptables -F). If I start iptables (service iptables start) and then
> try to start cman and rgmanager, it won't work to flush iptables rules,
> I am forced to power off because rgmanager won't work and won't stop.
>
> My setup is simple: no clvm, no gfs, no gnbd. Just rgmanager and an http
> service configured as a script and an ip resource. But with iptables on,
> rgmanager won't relocate or failover the http service. More strange,
> system-config-cluster shows the service status only on the first node,
> on the second one it shows an empty service list.
>
> What can I do to debug the problem, as my /var/log/messages don't show
> any error messages, just what appears to be a regular two-node cluster
> startup?
Right before the last iptables command which usually blocks all other
connections, add a LOG command to log all denied connections. Clustering
uses many ports and multicast. One time I had a fencing problem using
virtual fence on Xen, it turned out the multicast was blocked on the
Xen host Dom0.
>
>
> []s, Fernando Lozano
>
>> Hi there,
>>
>> I have a Fedora 10 system with two KVM virtual machines, both running RHEL 5.2 and RHCS. The intent
>> is to prototype a cluster configuration for a customer.
>>
>> The problem is, everything is fine unless I start iptables on the VMs. But it's unacceptable to run
>> the cluster without an OS-level firewall. The ports list on rhcs manuals, on the cluster project
>> wiki, and what I observe using netstat do not agree. None of them talks about port 5149 which I
>> observe being opened by aisexec (cman). And I don't see any use of ports 41966 through 41968 which
>> are supposed to be opened by rgmanager or 5404 by cman.
>>
>> But even after I changed my iptables config to open all ports, I still cannot relocate or failover
>> services between nodes.
>>
>> I configured apache as a script service to play with cluster administration. My vms are on the
>> default KVM network, 192.168.122./24.
>>
>> It's very strange system-config-cluster on node 1 shows both nodes (cs1 and cs2) joined the cluster
>> and starts my teste-httpd service, but node 2 doesn't show the status of any cluster service (on
>> system-config-cluster).
>>
>> If I try to use clusvcadm to relocate the service from cs1 to cs2, it hangs. And I can't stop
>> rgmanager with iptables enabled. Flushing iptables doesn't help when cman and rgmanager were started
>> with iptables on.
>>
>> Attached are my cluster.conf, /etc/sysconfig/iptables and netstat -anp
>>
>>
>> []s, Fernando Lozano
>>
>>
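As an added example (not part of the thread), the LOG-before-DROP rule Vu Pham suggests, together with an awk summary of the resulting kernel log lines so that blocked cluster ports and multicast groups stand out. The interface eth0, the 239.192.0.0/16 multicast range, port 5405 (cman's standard companion to 5404, not mentioned in the thread) and the sample log lines are assumptions or constructed data.

```shell
#!/bin/sh
# Added example: iptables ruleset with a LOG rule before the final DROP,
# plus a summary of the logged drops. Not from the original thread.

CLUSTER_IF=eth0                 # assumed cluster interface
CLUSTER_NET=192.168.122.0/24    # default KVM network from the thread

# Print (do not apply) the ruleset so it can be reviewed first.
# Ports: 5149 and 5404 (cman/aisexec, from the thread), 5405 (cman's
# usual companion port, assumed), 41966-41968 tcp (rgmanager, from the thread).
cluster_rules() {
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $CLUSTER_IF -s $CLUSTER_NET -p udp -m multiport --dports 5149,5404,5405 -j ACCEPT
iptables -A INPUT -i $CLUSTER_IF -s $CLUSTER_NET -d 239.192.0.0/16 -p udp -j ACCEPT
iptables -A INPUT -i $CLUSTER_IF -s $CLUSTER_NET -p igmp -j ACCEPT
iptables -A INPUT -i $CLUSTER_IF -s $CLUSTER_NET -p tcp -m multiport --dports 41966:41968 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4
iptables -A INPUT -j DROP
EOF
}

# Summarise LOG lines as "PROTO DST DPT count" (DPT is "-" when absent, e.g. IGMP).
# Usage: grep IPT-DROP /var/log/messages | summarize_drops
summarize_drops() {
  awk '/IPT-DROP:/ {
    proto = ""; dst = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (proto != "") count[proto " " dst " " dpt]++
  }
  END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample of what the LOG rule writes to /var/log/messages.
SAMPLE_LOG='Mar 31 15:28:23 cs2 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.122.11 DST=239.192.122.1 LEN=148 TTL=1 ID=0 DF PROTO=UDP SPT=5404 DPT=5405 LEN=128
Mar 31 15:28:24 cs2 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.122.11 DST=239.192.122.1 LEN=148 TTL=1 ID=0 DF PROTO=UDP SPT=5404 DPT=5405 LEN=128
Mar 31 15:28:25 cs2 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.122.11 DST=192.168.122.12 LEN=60 TTL=64 ID=1234 DF PROTO=TCP SPT=41966 DPT=41966 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 31 15:28:26 cs2 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.168.122.11 DST=192.168.122.12 LEN=32 TTL=1 ID=0 DF PROTO=IGMP'

cluster_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Two multicast drops to 239.192.122.1:5405 and an IGMP drop in the summary point at the multicast problem Vu describes; the TCP 41966 line points at rgmanager.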