Re: [Linux-cluster] rhcs x iptables

Fernando Lozano wrote:

Four days and no replies... maybe you folks don't like me as the list
has a healthy traffic on other topics ;-)

Is there anything with my setup that shouldn't work? The problem is not
with VMs because I tried the same configs with two real Dell servers and
got the same problems. My iptables rules follow what's in RHCS manuals
and wiki, and I found nothing new with netstat -a.

Even then rgmanager only works correctly with iptables turned off (that
is, iptables -F). If I start iptables (service iptables start) and then
try to start cman and rgmanager, flushing the iptables rules won't work;
I am forced to power off because rgmanager won't work and won't stop.

My setup is simple: no clvm, no gfs, no gnbd. Just rgmanager and an http
service configured as a script and an ip resource. But with iptables on,
rgmanager won't relocate or failover the http service. More strange,
system-config-cluster shows the service status only on the first node,
on the second one it shows an empty service list.

What can I do to debug the problem, as my /var/log/messages don't show
any error messages, just what appears to be a regular two-node cluster.

Right before the last iptables command which usually blocks all other connections, add a LOG command to log all denied connections. Clustering uses many ports and multicast. One time I had a fencing problem using virtual fence on Xen, it turned out the multicast was blocked on the Xen host Dom0.

[]s, Fernando Lozano

Hi there,

I have a Fedora 10 system with two KVM virtual machines, both running RHEL 5.2 and RHCS. The intent
is to prototype a cluster configuration for a customer.

The problem is, everything is fine unless I start iptables on the VMs. But it's unacceptable to run
the cluster without an OS-level firewall. The ports list on rhcs manuals, on the cluster project
wiki, and what I observe using netstat do not agree. None of them talks about port 5149 which I
observe being opened by aisexec (cman). And I don't see any use of ports 41966 through 41968 which
are supposed to be opened by rgmanager or 5404 by cman.

But even after I changed my iptables config to open all ports, I still cannot relocate or failover
services between nodes.

I configured apache as a script service to play with cluster administration. My VMs are on the
default KVM network, 192.168.122.0/24.

It's very strange: system-config-cluster on node 1 shows both nodes (cs1 and cs2) joined the cluster
and starts my teste-httpd service, but node 2 doesn't show the status of any cluster service (on

If I try to use clusvcadm to relocate the service from cs1 to cs2, it hangs. And I can't stop
rgmanager with iptables enabled. Flushing iptables doesn't help when cman and rgmanager were started
with iptables on.

Attached are my cluster.conf, /etc/sysconfig/iptables and netstat -anp

[]s, Fernando Lozano
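The LOG-before-DROP suggestion from the reply above, worked through as an added example (not from the thread or the RHCS project): the rule pair to put at the end of INPUT, plus a small summariser that turns the resulting kernel log lines into a per-port count so a blocked cluster port or multicast group stands out. The log lines, the 239.192.0.1 multicast group and the node addresses are constructed samples, and the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: log what the catch-all rule silently rejects, then
# summarise the hits from /var/log/messages.

# Rules to place just before the final REJECT in the INPUT chain.
# The prefix tags the kernel log lines; the limit keeps a chatty
# cluster from flooding syslog. Printed here rather than applied.
cluster_log_rules() {
    cat <<'EOF'
iptables -A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "RHCS-DENY: " --log-level 4
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Read kernel log lines on stdin, keep only the tagged ones and print
# "PROTO DST DPT count" per blocked flow, sorted.
summarize_denied() {
    grep 'RHCS-DENY:' | awk '{
        proto = ""; dst = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (proto != "") count[proto " " dst " " dpt]++;
    } END { for (k in count) print k, count[k] }' | sort
}

# True when the first octet is in 224.0.0.0/4, i.e. a multicast group
# such as the one cman heartbeats over.
is_multicast() {
    first=${1%%.*}
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# Constructed sample of LOG output (not captured from a real node):
# two blocked cman multicast datagrams and one blocked rgmanager SYN.
SAMPLE_LOG='Jun  1 10:00:01 cs2 kernel: RHCS-DENY: IN=eth0 OUT= SRC=192.168.122.11 DST=239.192.0.1 LEN=100 PROTO=UDP SPT=5404 DPT=5404 LEN=80
Jun  1 10:00:02 cs2 kernel: RHCS-DENY: IN=eth0 OUT= SRC=192.168.122.11 DST=192.168.122.12 LEN=60 PROTO=TCP SPT=41967 DPT=41966 WINDOW=5840 SYN
Jun  1 10:00:03 cs2 kernel: RHCS-DENY: IN=eth0 OUT= SRC=192.168.122.11 DST=239.192.0.1 LEN=100 PROTO=UDP SPT=5404 DPT=5404 LEN=80'
```

Run it against a live box with `grep 'RHCS-DENY:' /var/log/messages | summarize_denied`; any line whose DST passes `is_multicast` means the multicast group itself is being rejected, not just a port.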

