Re: Keepalived/Vrrp with Shorewall

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Keepalived/Vrrp with Shorewall
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Wed, 23 Aug 2006 09:37:17 +0100
Hi

Quiet as it may be over there, this question really belongs on the keepalived mailing list as this is not LVS related. I'll try to answer it here in any case:

On 23/08/2006 05:37, Noc Phibee wrote:
> I request a small help on my Keepalived config ;=)
>
> 1- For the VRRP protocol, does anyone know what entry I put into Shorewall 3.1.2?

You must allow packets from/to network 224.0.0.0/8

If you want to control this a bit more accurately, define mcast_src_ip in your keepalived.conf for each defined vrrp_instance, and set your filters accordingly.

> 2- I want that when my group changes state, it restarts Shorewall.
>    I have used the notify_*:
>       When my MASTER is dead, the BACKUP changes state and it's good.
>    But when the MASTER is available and gets the virtual IP, it starts
>    the same script (restart of Shorewall) 8/10x.
>
>    Anyone have an idea why it doesn't change the states immediately?

Firstly it looks like the Master is receiving the announcements from the Backup. This is good. The Backup is also receiving packets from the Master, which is also good - this is why the Backup flip-flops from BACKUP to MASTER to BACKUP state continuously.

However - something else is happening here, and I expect it's your Shorewall config.

Ignoring the Master machine for a moment, let me put forward a possible reason:

The Backup machine starts up, brings up keepalived, and goes into BACKUP state. Shorewall is dropping packets at this point, so the Backup machine goes to MASTER state, does things to Shorewall with the notify script, and starts to accept packets. It then receives an advertisement from the Master director, so it switches to BACKUP state, changes the Shorewall config back, misses an advertisement, switches to MASTER, changes the firewall, misses an advertisement, and so on.

Assuming this is correct, there are several things you need to do:

1. Make sure the Shorewall config isn't dropping the packets you want (see the suggestions above).

2. Put your notify* script actions into your vrrp_sync_group block instead of the vrrp_instance. That way it'll only fire once, when the group changes state, rather than one being fired off for every instance state change *and* the group.

Graeme
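As an added illustration, not the poster's or Graeme's own configuration, here is a keepalived.conf excerpt for the Backup director that follows the advice above: the notify hooks sit on the vrrp_sync_group rather than on each vrrp_instance, and mcast_src_ip pins the advertisement source so the Shorewall filter can match a known peer address. Interface names, addresses, router ids and the script path are assumptions.

```conf
# keepalived.conf (excerpt) - constructed example, not the poster's file.
# Interfaces, addresses, virtual_router_ids and the script path are assumed.

vrrp_sync_group VG1 {
    group {
        VI_EXT
        VI_INT
    }
    # Notify hooks belong here, on the GROUP, not inside each vrrp_instance.
    # keepalived then runs the script once per group transition instead of
    # once per instance transition plus once more for the group.
    # The script is called as:  <script> GROUP VG1 <MASTER|BACKUP|FAULT>
    notify_master "/usr/local/sbin/vrrp-notify.sh"
    notify_backup "/usr/local/sbin/vrrp-notify.sh"
    notify_fault  "/usr/local/sbin/vrrp-notify.sh"
}

vrrp_instance VI_EXT {
    # Backup director: lower priority than the Master, same virtual_router_id.
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    # Pin the source address of this node's VRRP advertisements. Shorewall
    # must accept advertisements (IP protocol 112) from the peer's
    # mcast_src_ip to the 224.0.0.0/8 range, or the flip-flop above occurs.
    mcast_src_ip 192.0.2.11
    virtual_ipaddress {
        192.0.2.100/24 dev eth0
    }
}

vrrp_instance VI_INT {
    state BACKUP
    interface eth1
    virtual_router_id 52
    priority 100
    advert_int 1
    mcast_src_ip 10.0.0.11
    virtual_ipaddress {
        10.0.0.100/24 dev eth1
    }
}
```

The Master director uses the same file with a higher priority and its own mcast_src_ip values; only the group-level script is expected to restart Shorewall.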
