On Thu, 2019-12-19 at 15:01 +0000, Marcus Vinicius wrote:
> Hi,
>
> As I know, CLUSTERIP has been deprecated for some time. Recent
> distributions don't have this module in their repositories at all
> (Red Hat 8)
>
> It seems Pacemaker still uses CLUSTERIP to clone an IP address.
>
> For this reason, I have the following error on an Active/Active
> cluster VIP:
>
> Scenario:
>
> CentOS 8
> Pacemaker 2.0.1
> Kernel 4.18.0
> Iptables 1.8.2
>
> # pcs resource create ClusterIP ocf:heartbeat:IPaddr2 ip=172.18.14.100 nic=ens160 cidr_netmask=24 op monitor interval=2s
> # pcs resource clone ClusterIP
> # pcs status
> ...
> Failed Resource Actions:
> * ClusterIP_start_0 on pcsnode1 'unknown error' (1): call=40, status=complete, exitreason='iptables failed',
>     last-rc-change='Thu Dec 19 12:30:40 2019', queued=0ms, exec=172ms
>
> Logs:
>
> Dec 19 12:32:54 pcsnode1 IPaddr2(ClusterIP)[10245]: ERROR: iptables failed
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ iptables v1.8.2 (nf_tables): chain name not allowed to start with `-' ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ Try `iptables -h' or 'iptables --help' for more information. ]
> Dec 19 12:32:54 pcsnode1 pacemaker-execd[1436]: notice: ClusterIP_start_0:10245:stderr [ ocf-exit-reason:iptables failed ]
> Dec 19 12:32:54 pcsnode1 pacemaker-controld[1439]: notice: Result of start operation for ClusterIP on pcsnode1: 1 (unknown error)
>
> Anyone can simulate the module problem, outside Pacemaker, with this
> command:
>
> Perfectly good for CentOS 7 installation with ipt_CLUSTERIP.ko:
>
> # iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --total-nodes 2 --local-node 2 --hash-init 0
>
> No good for a default CentOS 8 installation:
>
> # iptables -A INPUT -d 172.18.14.100/32 -i ens192 -j CLUSTERIP --new --hashmode sourceip-sourceport --clustermac 43:0A:1F:80:58:36 --total-nodes 2 --local-node 2 --hash-init 0
> iptables v1.8.2 (nf_tables): chain name not allowed to start with `-'
>
> Try `iptables -h' or 'iptables --help' for more information.
>
>
> Is there any intention to abandon CLUSTERIP

yes

> in favor of xt_cluster.ko?

no :)

A recent thread about this:

https://lists.clusterlabs.org/pipermail/users/2019-December/026663.html

resulted in a change to allow IPaddr2 clones to continue working on
newer systems if "iptables-legacy" is available:

https://github.com/ClusterLabs/resource-agents/pull/1439

tl;dr Cloned IPaddr2 is supported only on platforms that support
CLUSTERIP, and can be considered deprecated since CLUSTERIP itself is
deprecated.

A pull request with an xt_cluster implementation would be very welcome,
as it's a low priority for available developers.

> Thanks a lot!
>
>
> Att,
>
> Marcus Vinícius
--
Ken Gaillot <[email protected]>

_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
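
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original messages and is not the resource-agents code: it reports which iptables binary on a node uses the legacy backend, preferring "iptables-legacy" as mentioned in the reply. The function names are hypothetical, and it assumes a banner with no backend suffix comes from a pre-1.8 iptables.

```shell
#!/bin/sh
# Added example; not taken from resource-agents. Function names are hypothetical.

# Classify the banner printed by `<binary> --version`.
# iptables 1.8.x appends its backend, e.g. "iptables v1.8.2 (nf_tables)".
# Assumption: a banner with no suffix is a pre-1.8 build, which is legacy-only.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Print the first binary on PATH that uses the legacy backend and return 0.
# Return 1 when only the nf_tables front end (or nothing) is installed, which
# is the case that produced "chain name not allowed to start with `-'" above.
# A legacy binary is necessary but not sufficient: the kernel must still
# provide the CLUSTERIP target (ipt_CLUSTERIP.ko in the thread).
pick_clusterip_iptables() {
    for bin in iptables-legacy iptables; do
        command -v "$bin" >/dev/null 2>&1 || continue
        ver=$("$bin" --version 2>/dev/null) || continue
        if [ "$(iptables_backend "$ver")" = legacy ]; then
            echo "$bin"
            return 0
        fi
    done
    return 1
}

# Usage on a cluster node, before cloning an IPaddr2 resource:
#   pick_clusterip_iptables || echo "no legacy iptables: cloned IPaddr2 will fail"
```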
