From 92c49b6f2847546f3f938b10a2a97021774f0be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Wed, 4 Dec 2019 14:36:59 +0100
Subject: [PATCH] IPaddr2: ipt_CLUSTERIP "iptables" extension not "nft" backend
compatible
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
Reference:
https://lists.clusterlabs.org/pipermail/users/2019-December/026674.html
(thread also sketches a future ambition for a [presumably, to revert
the habit of a functional overloading] separate agent to use
"xt_cluster" extension/cluster match).
|
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
---
heartbeat/IPaddr2 | 29 ++++++++++++++++++++++-------
heartbeat/ocf-binaries.in | 2 ++
2 files changed, 24 insertions(+), 7 deletions(-)
|
diff --git a/heartbeat/IPaddr2 b/heartbeat/IPaddr2
|
|
|
b4b3ce |
index 6f8e8c734..db0b0e547 100755
|
|
|
b4b3ce |
--- a/heartbeat/IPaddr2
|
|
|
b4b3ce |
+++ b/heartbeat/IPaddr2
|
|
|
b4b3ce |
@@ -123,6 +123,8 @@ VLDIR=$HA_RSCTMP
|
|
|
b4b3ce |
SENDARPPIDDIR=$HA_RSCTMP
|
|
|
b4b3ce |
CIP_lockfile=$HA_RSCTMP/IPaddr2-CIP-${OCF_RESKEY_ip}
|
|
|
b4b3ce |
|
|
|
b4b3ce |
+IPADDR2_CIP_IPTABLES=$IPTABLES
|
|
|
b4b3ce |
+
|
|
|
b4b3ce |
#######################################################################
|
|
|
b4b3ce |
|
|
|
b4b3ce |
meta_data() {
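Review bot: `IPADDR2_CIP_IPTABLES=$IPTABLES` is bound once when the agent is sourced, so any action that reaches the CLUSTERIP calls without first passing through ip_validate() (where the later hunk swaps in `$IPTABLES_LEGACY`) will drive the rule through plain `iptables`, which on an nft-backed system is the very case this patch works around; whether every action goes through ip_validate() is not visible in this diff. A comment at the assignment would make the dependency explicit for the next maintainer: `# backend used for CLUSTERIP rules; ip_validate() switches this to $IPTABLES_LEGACY when that binary is present`.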
|
|
|
b4b3ce |
@@ -138,11 +140,21 @@ It can add an IP alias, or remove one.
|
|
|
b4b3ce |
In addition, it can implement Cluster Alias IP functionality
|
|
|
b4b3ce |
if invoked as a clone resource.
|
|
|
b4b3ce |
|
|
|
b4b3ce |
-If used as a clone, you should explicitly set clone-node-max >= 2,
|
|
|
b4b3ce |
+If used as a clone, "shared address with a trivial, stateless
|
|
|
b4b3ce |
+(autonomous) load-balancing/mutual exclusion on ingress" mode gets
|
|
|
b4b3ce |
+applied (as opposed to "assume resource uniqueness" mode otherwise).
|
|
|
b4b3ce |
+For that, Linux firewall (kernel and userspace) is assumed, and since
|
|
|
b4b3ce |
+recent distributions are ambivalent in plain "iptables" command to
|
|
|
b4b3ce |
+particular back-end resolution, "iptables-legacy" (when present) gets
|
|
|
b4b3ce |
+prioritized so as to avoid incompatibilities (note that respective
|
|
|
b4b3ce |
+ipt_CLUSTERIP firewall extension in use here is, at the same time,
|
|
|
b4b3ce |
+marked deprecated, yet said "legacy" layer can make it workable,
|
|
|
b4b3ce |
+literally, to this day) with "netfilter" one (as in "iptables-nft").
|
|
|
b4b3ce |
+In that case, you should explicitly set clone-node-max >= 2,
|
|
|
b4b3ce |
and/or clone-max < number of nodes. In case of node failure,
|
|
|
b4b3ce |
clone instances need to be re-allocated on surviving nodes.
|
|
|
b4b3ce |
-This would not be possible if there is already an instance on those nodes,
|
|
|
b4b3ce |
-and clone-node-max=1 (which is the default).
|
|
|
b4b3ce |
+This would not be possible if there is already an instance
|
|
|
b4b3ce |
+on those nodes, and clone-node-max=1 (which is the default).
|
|
|
b4b3ce |
</longdesc>
|
|
|
b4b3ce |
|
|
|
b4b3ce |
<shortdesc lang="en">Manages virtual IPv4 and IPv6 addresses (Linux specific version)</shortdesc>
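Review bot: With the new paragraph in front of it, `In that case, you should explicitly set clone-node-max >= 2` now reads as conditional on the iptables-legacy discussion rather than on clone usage, which is what the removed `If used as a clone, you should explicitly set clone-node-max >= 2,` tied it to. The longdesc also does not say what happens when `iptables-legacy` is not installed; from the validate hunk the agent falls back to plain `iptables`. Suggest leading the clone-node-max sentence with `If used as a clone, you should explicitly set clone-node-max >= 2,` again and adding `When iptables-legacy is not installed, the plain iptables command is used and the CLUSTERIP rule may fail to load on systems where it resolves to the nft backend.`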
|
|
|
b4b3ce |
@@ -995,7 +1007,7 @@ ip_start() {
|
|
|
b4b3ce |
|
|
|
b4b3ce |
if [ -n "$IP_CIP" ] && ([ $ip_status = "no" ] || [ $ip_status = "partial2" ]); then
|
|
|
b4b3ce |
$MODPROBE ip_conntrack
|
|
|
b4b3ce |
- $IPTABLES -I INPUT -d $OCF_RESKEY_ip -i $NIC -j CLUSTERIP \
|
|
|
b4b3ce |
+ $IPADDR2_CIP_IPTABLES -I INPUT -d $OCF_RESKEY_ip -i $NIC -j CLUSTERIP \
|
|
|
b4b3ce |
--new \
|
|
|
b4b3ce |
--clustermac $IF_MAC \
|
|
|
b4b3ce |
--total-nodes $IP_INC_GLOBAL \
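Review bot: The `-I INPUT ... -j CLUSTERIP` call on the new line is the point where an nft-backed `iptables` (the situation the commit describes) can fail because the CLUSTERIP target is unavailable, so its exit status is what tells start whether shared-address mode is actually in effect; the continuation lines and any status check are outside this hunk, so I cannot tell whether a failure is caught. If it is not, start should fail explicitly instead of leaving the address up with no load-balancing rule, e.g. append `|| { ocf_log err "failed to add CLUSTERIP rule via $IPADDR2_CIP_IPTABLES"; return $OCF_ERR_GENERIC; }` after the last continuation line. ip_start() starts and ends outside the hunk.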
|
|
|
b4b3ce |
@@ -1089,7 +1101,7 @@ ip_stop() {
|
|
|
b4b3ce |
i=1
|
|
|
b4b3ce |
while [ $i -le $IP_INC_GLOBAL ]; do
|
|
|
b4b3ce |
ocf_log info $i
|
|
|
b4b3ce |
- $IPTABLES -D INPUT -d $OCF_RESKEY_ip -i $NIC -j CLUSTERIP \
|
|
|
b4b3ce |
+ $IPADDR2_CIP_IPTABLES -D INPUT -d $OCF_RESKEY_ip -i $NIC -j CLUSTERIP \
|
|
|
b4b3ce |
--new \
|
|
|
b4b3ce |
--clustermac $IF_MAC \
|
|
|
b4b3ce |
--total-nodes $IP_INC_GLOBAL \
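Review bot: The `-D` on the new line must reach the same backend that inserted the rule, but the backend is chosen per invocation from what is installed at that moment: if `iptables-legacy` appears or disappears between start and stop (package changes, or a rule left behind by an older agent version that used plain `iptables`), the deletion targets the other backend, fails, and the CLUSTERIP rule stays in INPUT on a node that no longer owns the address. Consider, when `$IPADDR2_CIP_IPTABLES` differs from `$IPTABLES`, retrying the same `-D` through `$IPTABLES` after a failure, and emitting `ocf_log warn` when neither removal succeeds, so stop does not silently leave a stale rule. ip_stop() starts and ends outside the hunk.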
|
|
|
b4b3ce |
@@ -1186,8 +1198,11 @@ ip_validate() {
|
|
|
b4b3ce |
set_send_arp_program
|
|
|
b4b3ce |
|
|
|
b4b3ce |
if [ -n "$IP_CIP" ]; then
|
|
|
b4b3ce |
- check_binary $IPTABLES
|
|
|
b4b3ce |
- check_binary $MODPROBE
|
|
|
b4b3ce |
+ if have_binary "$IPTABLES_LEGACY"; then
|
|
|
b4b3ce |
+ IPADDR2_CIP_IPTABLES="$IPTABLES_LEGACY"
|
|
|
b4b3ce |
+ fi
|
|
|
b4b3ce |
+ check_binary "$IPADDR2_CIP_IPTABLES"
|
|
|
b4b3ce |
+ check_binary $MODPROBE
|
|
|
b4b3ce |
fi
|
|
|
b4b3ce |
|
|
|
b4b3ce |
# $BASEIP, $NETMASK, $NIC , $IP_INC_GLOBAL, and $BRDCAST have been checked within ip_init,
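Review bot: The fallback on the new lines is silent: when `$IPTABLES_LEGACY` is absent, validation passes with `$IPADDR2_CIP_IPTABLES` still equal to `$IPTABLES`, which on a host where `iptables` resolves to the nft backend is exactly the configuration this patch tries to avoid, and the operator only finds out when the later CLUSTERIP insert fails. Log the decision so it is visible before start: add `else` followed by `ocf_log warn "$IPTABLES_LEGACY not found, using $IPTABLES for CLUSTERIP rules (may fail with the nft backend)"` between the assignment and `fi`. Note that `check_binary` here only confirms the binary exists, not that the CLUSTERIP target can be loaded. ip_validate() starts and ends outside the hunk.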
|
|
|
b4b3ce |
diff --git a/heartbeat/ocf-binaries.in b/heartbeat/ocf-binaries.in
|
|
|
b4b3ce |
index 9439ae170..e9bf95fc2 100644
|
|
|
b4b3ce |
--- a/heartbeat/ocf-binaries.in
|
|
|
b4b3ce |
+++ b/heartbeat/ocf-binaries.in
|
|
|
b4b3ce |
@@ -26,6 +26,8 @@ export PATH
|
|
|
b4b3ce |
: ${GREP:=grep}
|
|
|
b4b3ce |
: ${IFCONFIG:=ifconfig}
|
|
|
b4b3ce |
: ${IPTABLES:=iptables}
|
|
|
b4b3ce |
+## for cases that are known not to be serviceable with iptables-nft impl.
|
|
|
b4b3ce |
+: ${IPTABLES_LEGACY:=iptables-legacy}
|
|
|
b4b3ce |
: ${IP2UTIL:=ip}
|
|
|
b4b3ce |
: ${MDADM:=mdadm}
|
|
|
b4b3ce |
: ${MODPROBE:=modprobe}
|