
Re: [Linux-cluster] Network Interface Binding



On 27/07/10 17:02, Steven Whitehouse wrote:
> Hi,
> 
> On Tue, 2010-07-27 at 16:30 +0100, Mark Watts wrote:
> I have a working CentOS 5.5/RHCS cluster in order to support a simple
> GFS2 filesystem (on top of DRBD) between 2 nodes.
> 
> Since the two nodes have multiple network interfaces, I'd like to tie
> all cluster communication to ETH2 as ETH0 is my production-facing interface.
> 
> I understand I can partially achieve this by using a hostname mapped
> (via /etc/hosts) to the IP address of ETH2 in cluster.conf.
> This seems to work for OpenAIS; the multicast address it uses is bound
> to eth2 according to "ip maddress show dev eth2", but ccsd is still
> listening on 0.0.0.0 for various ports according to netstat.
> 
> How can I force ccsd to use ETH2?
> 
> Regards,
> 
> Mark.
> 
>> Assuming that you have different subnets on the interfaces, setting the
>> routing table correctly should be enough. Just be careful that any names
>> which are being resolved point to the correct ip addresses.
> 
>> If you don't have a different subnet, you can still do it if you mark
>> the traffic with iptables and route according to the mark.
> 
>> You may need multiple routing tables (again depending on the exact
>> configuration) and a couple of routing rules to ensure that replies are
>> always sent out of the same interfaces on which the queries came in on.
> 
>> Steve.

Well, my interfaces are set up as follows:

ETH0	192.168.1.1/24
ETH2	172.16.1.1/24

cluster.conf references "node1.cluster" which is in /etc/hosts as
172.16.1.1 (node2.cluster follows as .2)

I have no explicit routing on the box, other than a default gateway out
on ETH3's subnet, which is different to the two I've listed.

I suppose my main issue is that I don't want to expose anything other
than TCP/80 on ETH0. Usually I'd do this as a combination of binding
services to specific IPs and doing both inbound and outbound iptables
rules for each interface. These would typically cover every service/port
that I'd use, but multicast makes this a slightly different beast.

Not having done iptables rules for multicast before, I'm a little wary
of doing something without fully understanding how something works
before I firewall it!

Regards,

Mark.

- -- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, IPR Secure Managed Hosting
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
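
One way to express the per-interface policy discussed in this message (only TCP/80 on the public interface, cluster traffic including multicast only on the cluster interface), as an added example that is not part of the original thread. The function name and the port numbers are assumptions: the ports are the Red Hat Cluster Suite defaults for RHEL/CentOS 5 and should be checked against the installed release.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset.
# Assumed ports (RHEL/CentOS 5 cluster defaults, verify locally):
#   openais/cman 5404,5405/udp (multicast and unicast)
#   ccsd         50006,50008,50009/tcp and 50007/udp
#   dlm          21064/tcp
# The DRBD replication port is set in drbd.conf and needs its own rule.
#
# Multicast packets carry the sender's unicast address as source, so they
# can be matched on ingress interface + source subnet + UDP port. They are
# never replies to tracked connections, so the ESTABLISHED rule alone does
# not admit them; the explicit UDP rules do.
gen_cluster_rules() {
    pub_if=$1    # production-facing interface, e.g. eth0
    clu_if=$2    # cluster interconnect, e.g. eth2
    clu_net=$3   # cluster subnet, e.g. 172.16.1.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $pub_if -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $clu_if -p igmp -j ACCEPT
-A INPUT -i $clu_if -s $clu_net -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -i $clu_if -s $clu_net -p udp --dport 50007 -j ACCEPT
-A INPUT -i $clu_if -s $clu_net -p tcp -m multiport --dports 21064,50006,50008,50009 -m state --state NEW -j ACCEPT
-A OUTPUT -o $pub_if -d 224.0.0.0/4 -j DROP
COMMIT
EOF
}

# Syntax-check before loading (run as root on the node):
#   gen_cluster_rules eth0 eth2 172.16.1.0/24 | iptables-restore --test
```

With the INPUT policy set to DROP, ccsd listening on 0.0.0.0 is no longer reachable from the public interface even though the daemon itself is not bound to a single address.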

