
Author Topic: persistent and service addresses  (Read 15373 times)


nazaki

« on: April 29, 2007, 03:49:23 PM »
Hi,
My 2-node cluster is running HACMP v5.4.
I configured 1 persistent and 1 service address per node.
When clients (users) make requests to the active node using its service address, the clients receive the response with no problem.
When the communication is initiated by the node to other servers behind a firewall, no communication is established.
My interpretation is that when the node initiates communication, it uses the persistent address instead of the service one. On the firewall, only the service IP address is allowed, so the traffic with the persistent address is blocked.

So, how can I force any traffic initiated from the server to use the service IP address?

 
   
« Last Edit: April 29, 2007, 03:51:31 PM by nazaki »

nazaki

« Reply #1 on: April 29, 2007, 09:26:34 PM »
I don't know if my question was clear!

Michael

« Reply #2 on: April 30, 2007, 03:08:21 PM »
A persistent address is a non-service address in most cases. I am trying to think of an exception, perhaps with an "on every node" resource group - but basically, I would not use a persistent address as a "service" address.

What makes an address a "service" address? By including it in a resource group. HACMP is responsible for making that address accessible before starting the application. Normally, service addresses are not bound to a node but move with the resource group via the IPAT mechanism.

I think you may be confusing the purpose and configuration of persistent and service addresses. Note: persistent addresses are node bound, and added by HACMP to the AIX ODM. Service addresses exist only in the HACMP ODM and are activated during resource group activation.

Michael

« Reply #3 on: April 30, 2007, 03:13:39 PM »

> So, how can I force any traffic initiated from the server to use the service IP address?

The simplest way is to make sure that the IP network used by the service addresses is not being used by any of the non-service addresses.

If there are two interfaces in the same IP network AIX (any UNIX, or IP stack actually) may choose which interface it uses. IP does not specify which interface must be used.

In consideration: I think your problem is that your service address and persistent address are in the same IP network (some might say subnet).

Consider using the persistent address by alias feature. HACMP should then generate persistent addresses that will not overlap with any of the other known networks.

nazaki

« Reply #4 on: May 02, 2007, 12:26:23 AM »
In fact, I have no confusion between persistent and service addresses.
My question is clear. I have both persistent and service addresses on the same network, and I have a problem with outgoing traffic which takes the persistent address as its source IP address; the traffic is then denied at the firewall level.
So my question is: how to force the outgoing traffic to use the service IP address instead of the persistent one?
For information: I am using IPAT via IP aliasing with the distribution preference "collocation with persistent", so all boot, persistent and service IP addresses are configured on the same network interface.

 
« Last Edit: May 02, 2007, 12:30:53 AM by nazaki »

Michael

« Reply #5 on: May 02, 2007, 08:08:56 AM »
This is an issue I discuss at great length in my HACMP class - and why I try to convince them that even if technically possible to configure (i.e. HACMP accepts it) there may be surprises.

In your situation (assuming a TCP application now, as UDP behavior is different) when acting as a server the connections should work as expected. However, when the application initiates (as a 'client') communication there may be complications. Please note: in the discussion that follows I will be using "client" for the initiator of communication, and "server" for the target (initiator/target are the terms used in non-IP networks in HACMP).

The difficulty has to do with the way the socket(), bind(), connect(), and listen() calls are used to set up a communication link. In most situations a server uses socket() to create its endpoint, bind() to attach itself to a specific port, and then listen() to await incoming connections on ALL valid IP addresses. However, bind() can also be used to specify a specific address or network that can be connected to.

The client also uses socket() to create the initial endpoint. Most clients are not interested in their own local address or port number and let the system give them an appropriate value. Rather than use bind() to specify anything, defaults are accepted for the local values - only the remote (destination) values are specified in the connect() call.

So, imho, you are going to need to make your application aware of the service address and get itself to bind() itself to that address regardless of whether the communication is incoming (server using listen()) or outgoing (client, or using connect()).

Hope this helps!
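
The bind()-before-connect() approach from the reply above, as an added example that is not part of the original thread: a TCP client that pins its source address and reports the address actually in use. The function names `connect_from` and `demo_listener` are hypothetical, and 127.0.0.1 stands in for the service and destination addresses so the block runs offline.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to dst:port, bind()ing to src first (if non-NULL) so the kernel cannot pick
 * the source. Writes the source used into used[INET_ADDRSTRLEN]; 0 on success, else -1. */
int connect_from(const char *src, const char *dst, unsigned short port, char *used)
{
    struct sockaddr_in local = { .sin_family = AF_INET };  /* port 0 = ephemeral */
    struct sockaddr_in actual, remote = { .sin_family = AF_INET, .sin_port = htons(port) };
    socklen_t len = sizeof(actual);
    int rc = -1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, dst, &remote.sin_addr) != 1) goto out;
    if (src && (inet_pton(AF_INET, src, &local.sin_addr) != 1 ||
                bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0)) goto out;
    if (connect(fd, (struct sockaddr *)&remote, sizeof(remote)) < 0) goto out;
    if (getsockname(fd, (struct sockaddr *)&actual, &len) == 0 &&
        inet_ntop(AF_INET, &actual.sin_addr, used, INET_ADDRSTRLEN)) rc = 0;
out:
    close(fd);
    return rc;
}

/* Constructed peer for the demo: TCP listener on 127.0.0.1 with a kernel-chosen port. */
int demo_listener(unsigned short *port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr = { htonl(INADDR_LOOPBACK) } };
    socklen_t len = sizeof(a);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        listen(fd, 4) < 0 || getsockname(fd, (struct sockaddr *)&a, &len) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    *port = ntohs(a.sin_port);
    return fd;
}

int main(void)
{
    char used[INET_ADDRSTRLEN];
    unsigned short port = 0;
    if (demo_listener(&port) < 0 ||
        connect_from("127.0.0.1", "127.0.0.1", port, used) < 0) return 1;
    printf("source address used: %s\n", used);
    return 0;
}
```

bind() fails when the requested source address is not configured on the node, which on a cluster is the case for a service address whose resource group is not active there, so the caller has to handle the -1 return.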

nazaki

« Reply #6 on: May 02, 2007, 11:52:09 PM »
I understood that there is uncontrollable behavior at the socket level, so the problem is difficult to resolve.
So can network options like ipsendredirects and ipforwarding ... be part of the solution?

Michael

« Reply #7 on: May 06, 2007, 02:56:24 PM »
ipforwarding is simply telling a node/host whether it should forward packets received that do not have itself as a destination.

ipredirects (if I remember correctly) are ICMP packets to tell a host that has sent a packet to a node that it is better to send it to another node.

The control is still nonexistent/minimal.

The structural solution is to have persistent addresses in a different IP network than service addresses.

nazaki

« Reply #8 on: May 08, 2007, 01:18:25 AM »
The fact of having persistent and service address will certainly resolve the problem, but will not in case of takeover with two service addresses on the same .

Michael

« Reply #9 on: May 09, 2007, 06:12:21 PM »
My assumption is that the FW has packets permitting both service addresses to pass. If the filter is IP:port, then you will continue to have a problem.

In the class, we also state (it is one of the foils):

HACMP does not work well where there is too little security (everyone is root, e.g.)

Neither does HACMP work well where there is "too much" security. You will need to incorporate some messaging between your firewall and the application start/stop scripts.

From what you have stated, and replied - I further assume you have done it all correctly in terms of HACMP configuration, but the facilities outside of the HACMP cluster are hampering the accessibility of the services.

Sorry, it is not a more conclusive answer.