Keepalived/Vrrp with Shorewall

Noc Phibee noc at phibee.net
Wed Aug 23 15:32:59 BST 2006 

Thanks for your help ;=)

Yes, but the keepalived list have no asnwer ;=)

for my problems (2-)

his issue happens also when shorewall is desactivated on both machines and
iptables accepts all, this seems to me a keepalive issue no ?




Graeme Fowler a écrit :
> Hi
>
> Quiet as it may be over there, this question really belongs on the 
> keepalived mailing list as this is not LVS related. I'll try to answer 
> it here in any case:
>
> On 23/08/2006 05:37, Noc Phibee wrote:
>> I request a small help on my Keepalived config ;=)
>>
>> 1- For Vrrp protocol, anyone know what entry i pu into shorewall 3.1.2 ?
>
> You must allow packets from/to network 224.0.0.0/8
>
> If you want to control this a bit more accurately, define mcast_src_ip 
> in your keepalived.conf for each defined vrrp_instance, and set your 
> filters accordingly.
>
>> 2- I want that when my group change of state, he restart Shorewall.
>>    I have used the notify_*:
>>       When my MASTER are dead, the BACKUP change state and it's good.
>>    but when the MASTER are available and get the virtual IP, he start 
>> 8/10x
>>    the same script (restart of shorewall).
>>
>>    Anyone have a idea why he don't change immediatly the states ?
>
> Firstly it looks like the Master is receiving the announcements from 
> the Backup. This is good. The Backup is also receiving packets from 
> the Master, which is also good - this is why the Backup flip-flops 
> from BACKUP to MASTER to BACKUP state continuously.
>
> However - something else is happening here, and I expect it's your 
> Shorewall config.
>
> Ignoring the Master machine for a moment, let me put forward a 
> possible reason:
>
> The Backup machine starts up, brings up keepalived, and goes into 
> BACKUP state. Shorewall is dropping packets at this point, so the 
> Backup machine goes to MASTER state, does things to Shorewall with the 
> notify script, and starts to accept packets. It then receives an 
> advertisement from the Master director, so it switches to BACKUP 
> state, changes the Shorewall config back, misses advertisement, 
> switches to MASTER, changes the firewall, misses advertisement, etc etc.
>
> Assuming this is correct, there are several things you need to do:
>
> 1. Make sure the Shorewall config isn't dropping the packets you want 
> (see the suggestions above).
>
> 2. Put your notify* script actions into your vrrp_sync_group block 
> instead of the vrrp_instance. That way it'll only fire once, when the 
> group changes state, rather than one being fired off for every 
> instance state change *and* the group.
>
> Graeme
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
> Send requests to lvs-users-request at LinuxVirtualServer.org
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>
>

More information about the lvs-users mailing list