Ah, and yes, it is for iptables, not for nft or firewalld. Could be easily
fixed though.
And RA expects target chains to be pre-created.
Vladislav Bogdanov <[email protected]> wrote on 5 April 2023 at 14:53:35:
Please find attached.
I use it the following way:
primitive vip-10-5-4-235 ocf:my-org:IPaddr2 \
    params ip="10.5.4.235" cidr_netmask="24" \
    op start interval="0" timeout="20" \
    op stop interval="0" timeout="20" \
    op monitor interval="30" timeout="20"
primitive vip-10-5-4-235-fw ocf:my-org:VIPfirewall \
    params vip="10.5.4.235" allow_action="pass" \
    input_chain="_ISCSI_INPUT" output_chain="_ISCSI_OUTPUT" \
    op start interval="0" timeout="30" \
    op stop interval="0" timeout="60" \
    op monitor interval="30" timeout="10" role="Master" \
    op monitor interval="15" timeout="10" role="Slave"
primitive vip-10-5-4-236 ocf:my-org:IPaddr2 \
    params ip="10.5.4.236" cidr_netmask="24" \
    op start interval="0" timeout="20" \
    op stop interval="0" timeout="20" \
    op monitor interval="30" timeout="20"
primitive vip-10-5-4-236-fw ocf:my-org:VIPfirewall \
    params vip="10.5.4.236" allow_action="pass" \
    input_chain="_ISCSI_INPUT" output_chain="_ISCSI_OUTPUT" \
    op start interval="0" timeout="30" \
    op stop interval="0" timeout="60" \
    op monitor interval="30" timeout="10" role="Master" \
    op monitor interval="15" timeout="10" role="Slave"
group c01-pool-0-iscsi-vips vip-10-5-4-235 vip-10-5-4-236
group c01-pool-0-iscsi-vips-fw vip-10-5-4-235-fw vip-10-5-4-236-fw
ms ms-c01-pool-0-iscsi-vips-fw c01-pool-0-iscsi-vips-fw \
    meta master-max="1" master-node-max="1" clone-max="2" \
    clone-node-max="1" notify="false" interleave="true" \
    target-role="Master"
colocation c01-pool-0-iscsi-vips-fw-with-vips inf: \
    ms-c01-pool-0-iscsi-vips-fw:Master \
    c01-pool-0-iscsi-vips:Started
order c01-pool-0-iscsi-vips-fw-after-target inf: iscsi-export:start \
    ms-c01-pool-0-iscsi-vips-fw:promote
order c01-pool-0-iscsi-vips-fw-after-vips inf: \
    c01-pool-0-iscsi-vips:start \
    ms-c01-pool-0-iscsi-vips-fw:promote
On Wed, 2023-04-05 at 07:17 +0300, Александр via Users wrote:
What is this agent? For iscsitarget, I only found portblock RA, in
the linstor manual. Can you share the agent and setup instructions?
Wednesday, 5 April 2023, 6:09 +10:00, from Vladislav Bogdanov
<[email protected]>:
>
> I know that iSCSI initiators are very sensitive to connection drops.
> That's why in all my setups with iscsi I use a special m/s resource
> agent which in a slave mode drops all packets to/from portals. That
> prevents initiators from receiving FIN packets from the target when
> it migrates, and they usually behave much better. I can share that
> RA and setup instructions if that is interesting to someone.
--
Best regards,
Александр Волков
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/
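
The firewall side of the setup described in this thread, as an added example that is not the VIPfirewall agent attached to the original message: it pre-creates the two chains named in the configuration and adds or removes DROP rules for a portal address. The function names and the RUN switch are hypothetical, and allow_action is not modelled.

```shell
#!/bin/sh
# Added illustration, not the VIPfirewall agent attached to the thread.
# Commands are printed by default; set RUN=1 (as root) to execute them.

run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Append a rule unless it already exists (existence is checked only when RUN=1).
add_once() {
    [ "${RUN:-0}" = 1 ] && iptables -C "$@" 2>/dev/null && return 0
    run iptables -A "$@"
}

# One-time host setup: create the chains and hook them into INPUT/OUTPUT.
# usage: precreate_chains IN_CHAIN OUT_CHAIN
precreate_chains() {
    run iptables -N "$1"
    run iptables -I INPUT -j "$1"
    run iptables -N "$2"
    run iptables -I OUTPUT -j "$2"
}

# Unpromoted node: drop all traffic to and from the portal address, so the
# initiator receives no FIN from this node.
# usage: block_vip VIP IN_CHAIN OUT_CHAIN
block_vip() {
    add_once "$2" -d "$1" -j DROP
    add_once "$3" -s "$1" -j DROP
}

# Promoted node: remove the drop rules so the portal is reachable again.
# usage: unblock_vip VIP IN_CHAIN OUT_CHAIN
unblock_vip() {
    run iptables -D "$2" -d "$1" -j DROP
    run iptables -D "$3" -s "$1" -j DROP
}

# Dry run with the addresses and chain names from the configuration above.
precreate_chains _ISCSI_INPUT _ISCSI_OUTPUT
for vip in 10.5.4.235 10.5.4.236; do
    block_vip "$vip" _ISCSI_INPUT _ISCSI_OUTPUT
done
```

DROP is used rather than REJECT because REJECT would answer the initiator with an error packet, which is the kind of signal the setup is meant to suppress.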