Mailing List Archive: Linux-HA: Users

OCF resource for conntrack

Index | Next | Previous | View Threaded

jpetersson at garnser

Sep 8, 2010, 12:26 PM

Post #1 of 11 (803 views)
Permalink

OCF resource for conntrack

Hi all,

I haven't been active on this list for quite some time but I recall
conntrack-support for heartbeat/pacemaker has been on the wall a few
times. As I was in the process of installing a couple of new firewalls
I figured I would spend some time actually getting some support for it
now that the resource-based system has been put in place (great work
btw).

Please notice that the code-set is still work in progress and I'll be
spending the next few days expanding it.

The code is available at: http://pastebin.com/Bv060JvR

Feel free to reply with comments and recommended changes.

/Jonathan
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

dejanmm at fastmail

Sep 23, 2010, 4:47 AM

Post #2 of 11 (747 views)
Permalink

Re: OCF resource for conntrack [In reply to]

Hi,

On Wed, Sep 08, 2010 at 09:26:40PM +0200, Jonathan Petersson wrote:
> Hi all,
>
> I haven't been active on this list for quite some time but I recall
> conntrack-support for heartbeat/pacemaker has been on the wall a few
> times. As I was in the process of installing a couple of new firewalls
> I figured I would spend some time actually getting some support for it
> now that the resource-based system has been put in place (great work
> btw).
>
> Please notice that the code-set is still work in progress and I'll be
> spending the next few days expanding it.

Any new developments in the meantime?

> The code is available at: http://pastebin.com/Bv060JvR
>
> Feel free to reply with comments and recommended changes.

Isn't conntrack supposed to be a master-slave implementation,
i.e. where one instance sends updates to other instances? I don't
know if migrate can be used instead of demote/promote.

A note about the style and comments:

Almost everywhere there's stuff such as

# Check for conntrackd lock-file
if [ -f $OCF_RESKEY_lck ]; then

There's no need to write a comment which echos what the code says
in the next line.

Cheers,

Dejan

> /Jonathan
> _______________________________________________
> Linux-HA mailing list
> Linux-HA [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

misch at clusterbau

Sep 27, 2010, 9:22 PM

Post #3 of 11 (734 views)
Permalink

Re: OCF resource for conntrack [In reply to]

On Wednesday 08 September 2010 21:26:40 Jonathan Petersson wrote:
> Hi all,
>
> I haven't been active on this list for quite some time but I recall
> conntrack-support for heartbeat/pacemaker has been on the wall a few
> times. As I was in the process of installing a couple of new firewalls
> I figured I would spend some time actually getting some support for it
> now that the resource-based system has been put in place (great work
> btw).
>
> Please notice that the code-set is still work in progress and I'll be
> spending the next few days expanding it.
>
> The code is available at: http://pastebin.com/Bv060JvR
>
> Feel free to reply with comments and recommended changes.
>
> /Jonathan
> _______________________________________________
> Linux-HA mailing list
> Linux-HA [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems

Hi,

I just found the time to read your conntrack RA now. Sorry.

The idea of a conntrackd RA is cool. I like it very much.

Some comments:

1) Start and stop is good. All commands included that are recommended by the
author of conntrackd in his init script.

2) monitor needs improvement:
- Just looking for the PID is not sufficient. Please consider running conntrackd
with some option to check the output.
- Why do you start conntrackd in the monitor part, if it is not running? This
is the task of the cluster.

3) I don't think migration scenario is needed in the RA.

Greetings,

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 M�nchen

Tel: (0163) 172 50 98
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

misch at clusterbau

Sep 27, 2010, 9:27 PM

Post #4 of 11 (730 views)
Permalink

Re: OCF resource for conntrack [In reply to]

On Thursday 23 September 2010 13:47:43 Dejan Muhamedagic wrote:
> Hi,
>
> On Wed, Sep 08, 2010 at 09:26:40PM +0200, Jonathan Petersson wrote:
> > Hi all,
> >
> > I haven't been active on this list for quite some time but I recall
> > conntrack-support for heartbeat/pacemaker has been on the wall a few
> > times. As I was in the process of installing a couple of new firewalls
> > I figured I would spend some time actually getting some support for it
> > now that the resource-based system has been put in place (great work
> > btw).
> >
> > Please notice that the code-set is still work in progress and I'll be
> > spending the next few days expanding it.
>
> Any new developments in the meantime?
>
> > The code is available at: http://pastebin.com/Bv060JvR
> >
> > Feel free to reply with comments and recommended changes.
>
> Isn't conntrack supposed to be a master-slave implementation,
> i.e. where one instance sends updates to other instances? I don't
> know if migrate can be used instead of demote/promote.

Hi,

A MS RA for conntrackd is not nescessary. conntrack publishes its state table
via multicast. You start it on all nodes of your firewall cluster as a clone
resource. The firewall that has the floating IP address sees new entries in the
state table and published it. All other nodes get the new entries.

Passive nodes just do not get traffic and thus do not publish new entries.

Of course, you could write a MS RA. But that would be too much work.

Greetings,

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 M�nchen

Tel: (0163) 172 50 98
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

dejanmm at fastmail

Sep 28, 2010, 2:13 AM

Post #5 of 11 (728 views)
Permalink

Re: OCF resource for conntrack [In reply to]

Hi,

On Tue, Sep 28, 2010 at 06:27:17AM +0200, Michael Schhwartzkopff wrote:
> On Thursday 23 September 2010 13:47:43 Dejan Muhamedagic wrote:
> > Hi,
> >
> > On Wed, Sep 08, 2010 at 09:26:40PM +0200, Jonathan Petersson wrote:
> > > Hi all,
> > >
> > > I haven't been active on this list for quite some time but I recall
> > > conntrack-support for heartbeat/pacemaker has been on the wall a few
> > > times. As I was in the process of installing a couple of new firewalls
> > > I figured I would spend some time actually getting some support for it
> > > now that the resource-based system has been put in place (great work
> > > btw).
> > >
> > > Please notice that the code-set is still work in progress and I'll be
> > > spending the next few days expanding it.
> >
> > Any new developments in the meantime?
> >
> > > The code is available at: http://pastebin.com/Bv060JvR
> > >
> > > Feel free to reply with comments and recommended changes.
> >
> > Isn't conntrack supposed to be a master-slave implementation,
> > i.e. where one instance sends updates to other instances? I don't
> > know if migrate can be used instead of demote/promote.
>
> Hi,
>
> A MS RA for conntrackd is not nescessary. conntrack publishes its state table
> via multicast. You start it on all nodes of your firewall cluster as a clone
> resource. The firewall that has the floating IP address sees new entries in the
> state table and published it. All other nodes get the new entries.

So, you could just as well let conntrack start by the boot
process, right? I always wondered on the relative merit of
cloning such resources or starting them via init.

> Passive nodes just do not get traffic and thus do not publish new entries.

I wonder why then there is migrate_to/from in the RA.

> Of course, you could write a MS RA. But that would be too much work.

Well, that doesn't seem to be needed.

Thanks,

Dejan

> Greetings,
>
> --
> Dr. Michael Schwartzkopff
> Guardinistr. 63
> 81375 M�nchen
>
> Tel: (0163) 172 50 98
> _______________________________________________
> Linux-HA mailing list
> Linux-HA [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

jpetersson at garnser

Sep 28, 2010, 2:59 AM

Post #6 of 11 (738 views)
Permalink

Re: OCF resource for conntrack [In reply to]

On Tue, Sep 28, 2010 at 11:13 AM, Dejan Muhamedagic <dejanmm [at] fastmail> wrote:
> Hi,
>
> On Tue, Sep 28, 2010 at 06:27:17AM +0200, Michael Schhwartzkopff wrote:
>> On Thursday 23 September 2010 13:47:43 Dejan Muhamedagic wrote:
>> > Hi,
>> >
>> > On Wed, Sep 08, 2010 at 09:26:40PM +0200, Jonathan Petersson wrote:
>> > > Hi all,
>> > >
>> > > I haven't been active on this list for quite some time but I recall
>> > > conntrack-support for heartbeat/pacemaker has been on the wall a few
>> > > times. As I was in the process of installing a couple of new firewalls
>> > > I figured I would spend some time actually getting some support for it
>> > > now that the resource-based system has been put in place (great work
>> > > btw).
>> > >
>> > > Please notice that the code-set is still work in progress and I'll be
>> > > spending the next few days expanding it.
>> >
>> > Any new developments in the meantime?

There's been some modifications, I'll put it under git during the week.

>> >
>> > > The code is available at: http://pastebin.com/Bv060JvR
>> > >
>> > > Feel free to reply with comments and recommended changes.
>> >
>> > Isn't conntrack supposed to be a master-slave implementation,
>> > i.e. where one instance sends updates to other instances? I don't
>> > know if migrate can be used instead of demote/promote.
>>
>> Hi,
>>
>> A MS RA for conntrackd is not nescessary. conntrack publishes its state table
>> via multicast. You start it on all nodes of your firewall cluster as a clone
>> resource. The firewall that has the floating IP address sees new entries in the
>> state table and published it. All other nodes get the new entries.
>
> So, you could just as well let conntrack start by the boot
> process, right? I always wondered on the relative merit of
> cloning such resources or starting them via init.

I guess it makes sense to leave out starting the daemon using the OCF
resource since the resource doesn't really maintain service-state of
the daemon, just failover.

>
>> Passive nodes just do not get traffic and thus do not publish new entries.
>
> I wonder why then there is migrate_to/from in the RA.
>
>> Of course, you could write a MS RA. But that would be too much work.
>
> Well, that doesn't seem to be needed.
>
> Thanks,
>
> Dejan
>
>> Greetings,
>>
>> --
>> Dr. Michael Schwartzkopff
>> Guardinistr. 63
>> 81375 M�nchen
>>
>> Tel: (0163) 172 50 98
>> _______________________________________________
>> Linux-HA mailing list
>> Linux-HA [at] lists
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> See also: http://linux-ha.org/ReportingProblems
> _______________________________________________
> Linux-HA mailing list
> Linux-HA [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
>
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

jpetersson at garnser

Sep 28, 2010, 3:00 AM

Post #7 of 11 (732 views)
Permalink

Re: OCF resource for conntrack [In reply to]

On Tue, Sep 28, 2010 at 6:22 AM, Michael Schhwartzkopff
<misch [at] clusterbau> wrote:
> On Wednesday 08 September 2010 21:26:40 Jonathan Petersson wrote:
>> Hi all,
>>
>> I haven't been active on this list for quite some time but I recall
>> conntrack-support for heartbeat/pacemaker has been on the wall a few
>> times. As I was in the process of installing a couple of new firewalls
>> I figured I would spend some time actually getting some support for it
>> now that the resource-based system has been put in place (great work
>> btw).
>>
>> Please notice that the code-set is still work in progress and I'll be
>> spending the next few days expanding it.
>>
>> The code is available at: http://pastebin.com/Bv060JvR
>>
>> Feel free to reply with comments and recommended changes.
>>
>> /Jonathan
>> _______________________________________________
>> Linux-HA mailing list
>> Linux-HA [at] lists
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> See also: http://linux-ha.org/ReportingProblems
>
> Hi,
>
> I just found the time to read your conntrack RA now. Sorry.
>
> The idea of a conntrackd RA is cool. I like it very much.
>
> Some comments:
>
> 1) Start and stop is good. All commands included that are recommended by the
> author of conntrackd in his init script.
>
> 2) monitor needs improvement:
> - Just looking for the PID is not sufficient. Please consider running conntrackd
> with some option to check the output.
> - Why do you start conntrackd in the monitor part, if it is not running? This
> is the task of the cluster.

I'll make some mods to accomodate this.

>
> 3) I don't think migration scenario is needed in the RA.

True, I'll have that removed.

>
> Greetings,
>
> --
> Dr. Michael Schwartzkopff
> Guardinistr. 63
> 81375 M�nchen
>
> Tel: (0163) 172 50 98
> _______________________________________________
> Linux-HA mailing list
> Linux-HA [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
>
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

misch at schwartzkopff

Sep 28, 2010, 4:14 AM

Post #8 of 11 (732 views)
Permalink

Re: OCF resource for conntrack [In reply to]

On Tuesday 28 September 2010 11:13:47 Dejan Muhamedagic wrote:
> Hi,
>
> On Tue, Sep 28, 2010 at 06:27:17AM +0200, Michael Schhwartzkopff wrote:
> > On Thursday 23 September 2010 13:47:43 Dejan Muhamedagic wrote:
> > > Hi,
> > >
> > > On Wed, Sep 08, 2010 at 09:26:40PM +0200, Jonathan Petersson wrote:
> > > > Hi all,
> > > >
> > > > I haven't been active on this list for quite some time but I recall
> > > > conntrack-support for heartbeat/pacemaker has been on the wall a few
> > > > times. As I was in the process of installing a couple of new
> > > > firewalls I figured I would spend some time actually getting some
> > > > support for it now that the resource-based system has been put in
> > > > place (great work btw).
> > > >
> > > > Please notice that the code-set is still work in progress and I'll be
> > > > spending the next few days expanding it.
> > >
> > > Any new developments in the meantime?
> > >
> > > > The code is available at: http://pastebin.com/Bv060JvR
> > > >
> > > > Feel free to reply with comments and recommended changes.
> > >
> > > Isn't conntrack supposed to be a master-slave implementation,
> > > i.e. where one instance sends updates to other instances? I don't
> > > know if migrate can be used instead of demote/promote.
> >
> > Hi,
> >
> > A MS RA for conntrackd is not nescessary. conntrack publishes its state
> > table via multicast. You start it on all nodes of your firewall cluster
> > as a clone resource. The firewall that has the floating IP address sees
> > new entries in the state table and published it. All other nodes get the
> > new entries.
>
> So, you could just as well let conntrack start by the boot
> process, right? I always wondered on the relative merit of
> cloning such resources or starting them via init.

Monitoring via the cluster. An reaction when the resource doesn't run any
more.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 M�nchen

Tel: (0163) 172 50 98
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

florian.haas at linbit

Sep 28, 2010, 1:23 PM

Post #9 of 11 (710 views)
Permalink

Re: OCF resource for conntrack [In reply to]

Hi Jonathan,

as this discussion applies to a new RA, let's move it to the -dev list.
Very helpful contribution, thanks a lot. A few comments below.

> # Fill in some defaults if no values are specified
> OCF_RESKEY_bin_default="/usr/sbin/conntrackd"
> OCF_RESKEY_cfg_default="/etc/conntrackd/conntrackd.conf"
> OCF_RESKEY_lck_default="/var/lock/conntrack.lock"

Please use self-explanatory parameter names wherever possible; makes
life a whole lot easier for your users. I'd suggest "binary", "config",
and "lockfile" instead of "bin", "cfg", and "lck".

> CONNTRACKD="${OCF_RESKEY_bin} -C ${OCF_RESKEY_cfg}"

This assignment should come _after_ you initialize those variables with
their defaults.

> : ${OCF_RESKEY_bin=${OCF_RESKEY_bin_default}}
> : ${OCF_RESKEY_cfg=${OCF_RESKEY_cfg_default}}
> : ${OCF_RESKEY_lck=${OCF_RESKEY_lck_default}}

> meta_data() {
> cat <<END

This is a pet peeve, but would you mind using EOF for the here document
marker to make emacs users happy? :)

> <?xml version="1.0"?>
> <!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
> <resource-agent name="Conntrackd" version="0.5">
> <version>1.0</version>

Really minor issue here, but the version numbers should agree.

>
> <longdesc lang="en">
> This is a Conntrackd resource to manage primary and secondary state between two firewalls in a cluster.
> </longdesc>
> <shortdesc lang="en">Manages primary/backup conntrackd state</shortdesc>
>
> <parameters>
> <parameter name="bin" unique="1">

Nope. That one's definitely not unique.

> <longdesc lang="en">
> Location of conntrackd binary.
> </longdesc>
> <shortdesc lang="en">Conntrackd bin</shortdesc>
> <contect type="string" default="/usr/sbin/conntrackd"/>

You have a variable defined for the default; it's wise to use it here.

> </parameter>
>
> <parameter name="cfg" unique="1">

That one isn't unique either, I think.

> <longdesc lang="en">
> Location of conntrackd configuration file.
> </longdesc>
> <shortdesc lang="en">Conntrackd config</shortdesc>
> <contect type="string" default="/etc/conntrackd/conntrackd.conf"/>

As above.

> </parameter>
>
> <parameter name="lck" unique="1">

This one _might_ be unique, though I really don't think so.

> <longdesc lang="en">
> Location of conntrackd lock-file.
> </longdesc>
> <shortdesc lang="en">Conntrackd lock-file</shortdesc>
> <contect type="string" default="/var/lock/conntrackd.lock"/>

Again, as above.

> # Call monitor to verify that conntrackd is running
> conntrackd_monitor
>
> if [ $? = $OCF_SUCCESS ]; then

Use -eq instead of = for numeric comparisons.

>
> # commit the external cache into the kernel table
> $CONNTRACKD -c
> if [ $? -eq 1 ]
> then
> return $OCF_ERR_GENERIC

As a general rule, there is hardly ever any need to _return_ error
codes, you could just exit on them. And, whenever you error out, do so
after logging an error message with ocf_log err. In your case, it's
likely that you want to run the conntrackd command, capture its output,
and log it on error. All of which is easily achieved with ocf_run, like so:

ocf_run $CONNTRACKD -c || exit $OCF_ERR_GENERIC

You can probably apply that to most of your invocations of $CONNTRACKD.

> conntrackd_monitor() {
>
> # Define conntrackd_pid variable
> local conntrackd_pid=`pidof ${OCF_RESKEY_bin}`

Bashism. If you decĺare the resource agent as bourne shell compatible
(#!/bin/sh), this should be:

local conntrackd_pid
conntrackd_pid=`pidof ${OCF_RESKEY_bin}`

... or you force bash with #!/bin/bash.

> # Check for conntrackd lock-file
> if [ -f $OCF_RESKEY_lck ]; then
>
> # Check for conntrackd pid
> if [ $conntrackd_pid ]; then

I think this is another bashism, Bourne shell would expect [ -n
"$conntrackd_pid" ].

> # Successfull if lock and pid exists
> return $OCF_SUCCESS
> else
> # Error if pid exists but pid isn't running
> return $OCF_ERR_GENERIC
> fi
> else
> # False if lock and pid missing
> $OCF_NOT_RUNNING
>
> # Start conntrackd daemon
> $CONNTRACKD -d

No. It's not the monitor action's job to restart anything. If monitor
exits with $OCF_NOT_RUNNING, it's Pacemaker's job to recover that
resource. And it happens to be good at that job. :)

> conntrackd_validate() {
>
> # Check if conntrackd binary exists
> check_binary ${OCF_RESKEY_bin}
>
> if [ $? != 0 ]; then
> return $OCF_ERR_ARGS
> fi

Not necessary, check_binary already exits with $OCF_ERR_INSTALLED (which
is the correct error code here) if the binary isn't found.

>
> # Check if conntrackd config exists
> if [ ! -f ${OCF_RESKEY_cfg} ]; then
> return $OCF_ERR_ARGS

This should be $OCF_ERR_INSTALLED.

> fi
>
> return $OCF_SUCCESS
> }
>
> case $__OCF_ACTION in
> meta-data) meta_data
> exit $OCF_SUCCESS
> ;;
> start) conntrackd_start;;
> stop) conntrackd_stop;;
> monitor) conntrackd_monitor;;
> migrate_to) ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrate_to}."
> conntrackd_stop
> ;;
> migrate_from) ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrated_from}."
> conntrackd_start

Migrate actions are really not needed here.

> ;;
> reload) ocf_log err "Reloading..."
> conntrackd_start
> ;;
> validate-all) conntrackd_validate;;

You might want to invoke conntrackd_validate before start, or even
before any action except metadata, help, and usage.

> usage|help) conntrackd_usage
> exit $OCF_SUCCESS
> ;;
> *) conntrackd_usage
> exit $OCF_ERR_UNIMPLEMENTED
> ;;
> esac
> rc=$?
> ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
> exit $rc
>

Thanks. Keep up the good work!

Cheers,
Florian

Attachments:

signature.asc (0.26 KB)

jpetersson at garnser

Sep 28, 2010, 1:28 PM

Post #10 of 11 (712 views)
Permalink

Re: OCF resource for conntrack [In reply to]

Great feedback, thanks a bunch, I'll get to it making the mods recommended asap.

On Tue, Sep 28, 2010 at 10:23 PM, Florian Haas <florian.haas [at] linbit> wrote:
> Hi Jonathan,
>
> as this discussion applies to a new RA, let's move it to the -dev list.
> Very helpful contribution, thanks a lot. A few comments below.
>
>> # Fill in some defaults if no values are specified
>> OCF_RESKEY_bin_default="/usr/sbin/conntrackd"
>> OCF_RESKEY_cfg_default="/etc/conntrackd/conntrackd.conf"
>> OCF_RESKEY_lck_default="/var/lock/conntrack.lock"
>
> Please use self-explanatory parameter names wherever possible; makes
> life a whole lot easier for your users. I'd suggest "binary", "config",
> and "lockfile" instead of "bin", "cfg", and "lck".
>
>> CONNTRACKD="${OCF_RESKEY_bin} -C ${OCF_RESKEY_cfg}"
>
> This assignment should come _after_ you initialize those variables with
> their defaults.
>
>> : ${OCF_RESKEY_bin=${OCF_RESKEY_bin_default}}
>> : ${OCF_RESKEY_cfg=${OCF_RESKEY_cfg_default}}
>> : ${OCF_RESKEY_lck=${OCF_RESKEY_lck_default}}
>
>
>> meta_data() {
>> cat <<END
>
> This is a pet peeve, but would you mind using EOF for the here document
> marker to make emacs users happy? :)
>
>> <?xml version="1.0"?>
>> <!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
>> <resource-agent name="Conntrackd" version="0.5">
>> <version>1.0</version>
>
> Really minor issue here, but the version numbers should agree.
>
>>
>> <longdesc lang="en">
>> This is a Conntrackd resource to manage primary and secondary state between two firewalls in a cluster.
>> </longdesc>
>> <shortdesc lang="en">Manages primary/backup conntrackd state</shortdesc>
>>
>> <parameters>
>> <parameter name="bin" unique="1">
>
> Nope. That one's definitely not unique.
>
>> <longdesc lang="en">
>> Location of conntrackd binary.
>> </longdesc>
>> <shortdesc lang="en">Conntrackd bin</shortdesc>
>> <contect type="string" default="/usr/sbin/conntrackd"/>
>
> You have a variable defined for the default; it's wise to use it here.
>
>> </parameter>
>>
>> <parameter name="cfg" unique="1">
>
> That one isn't unique either, I think.
>
>> <longdesc lang="en">
>> Location of conntrackd configuration file.
>> </longdesc>
>> <shortdesc lang="en">Conntrackd config</shortdesc>
>> <contect type="string" default="/etc/conntrackd/conntrackd.conf"/>
>
> As above.
>
>> </parameter>
>>
>> <parameter name="lck" unique="1">
>
> This one _might_ be unique, though I really don't think so.
>
>> <longdesc lang="en">
>> Location of conntrackd lock-file.
>> </longdesc>
>> <shortdesc lang="en">Conntrackd lock-file</shortdesc>
>> <contect type="string" default="/var/lock/conntrackd.lock"/>
>
> Again, as above.
>
>> # Call monitor to verify that conntrackd is running
>> conntrackd_monitor
>>
>> if [ $? = $OCF_SUCCESS ]; then
>
> Use -eq instead of = for numeric comparisons.
>
>>
>> # commit the external cache into the kernel table
>> $CONNTRACKD -c
>> if [ $? -eq 1 ]
>> then
>> return $OCF_ERR_GENERIC
>
> As a general rule, there is hardly ever any need to _return_ error
> codes, you could just exit on them. And, whenever you error out, do so
> after logging an error message with ocf_log err. In your case, it's
> likely that you want to run the conntrackd command, capture its output,
> and log it on error. All of which is easily achieved with ocf_run, like so:
>
> ocf_run $CONNTRACKD -c || exit $OCF_ERR_GENERIC
>
> You can probably apply that to most of your invocations of $CONNTRACKD.
>
>> conntrackd_monitor() {
>>
>> # Define conntrackd_pid variable
>> local conntrackd_pid=`pidof ${OCF_RESKEY_bin}`
>
> Bashism. If you decĺare the resource agent as bourne shell compatible
> (#!/bin/sh), this should be:
>
> local conntrackd_pid
> conntrackd_pid=`pidof ${OCF_RESKEY_bin}`
>
> ... or you force bash with #!/bin/bash.
>
>> # Check for conntrackd lock-file
>> if [ -f $OCF_RESKEY_lck ]; then
>>
>> # Check for conntrackd pid
>> if [ $conntrackd_pid ]; then
>
> I think this is another bashism, Bourne shell would expect [ -n
> "$conntrackd_pid" ].
>
>> # Successfull if lock and pid exists
>> return $OCF_SUCCESS
>> else
>> # Error if pid exists but pid isn't running
>> return $OCF_ERR_GENERIC
>> fi
>> else
>> # False if lock and pid missing
>> $OCF_NOT_RUNNING
>>
>> # Start conntrackd daemon
>> $CONNTRACKD -d
>
> No. It's not the monitor action's job to restart anything. If monitor
> exits with $OCF_NOT_RUNNING, it's Pacemaker's job to recover that
> resource. And it happens to be good at that job. :)
>
>> conntrackd_validate() {
>>
>> # Check if conntrackd binary exists
>> check_binary ${OCF_RESKEY_bin}
>>
>> if [ $? != 0 ]; then
>> return $OCF_ERR_ARGS
>> fi
>
> Not necessary, check_binary already exits with $OCF_ERR_INSTALLED (which
> is the correct error code here) if the binary isn't found.
>
>>
>> # Check if conntrackd config exists
>> if [ ! -f ${OCF_RESKEY_cfg} ]; then
>> return $OCF_ERR_ARGS
>
> This should be $OCF_ERR_INSTALLED.
>
>> fi
>>
>> return $OCF_SUCCESS
>> }
>>
>> case $__OCF_ACTION in
>> meta-data) meta_data
>> exit $OCF_SUCCESS
>> ;;
>> start) conntrackd_start;;
>> stop) conntrackd_stop;;
>> monitor) conntrackd_monitor;;
>> migrate_to) ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrate_to}."
>> conntrackd_stop
>> ;;
>> migrate_from) ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrated_from}."
>> conntrackd_start
>
> Migrate actions are really not needed here.
>
>> ;;
>> reload) ocf_log err "Reloading..."
>> conntrackd_start
>> ;;
>> validate-all) conntrackd_validate;;
>
> You might want to invoke conntrackd_validate before start, or even
> before any action except metadata, help, and usage.
>
>> usage|help) conntrackd_usage
>> exit $OCF_SUCCESS
>> ;;
>> *) conntrackd_usage
>> exit $OCF_ERR_UNIMPLEMENTED
>> ;;
>> esac
>> rc=$?
>> ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
>> exit $rc
>>
>
> Thanks. Keep up the good work!
>
> Cheers,
> Florian
>
>
> _______________________________________________
> Linux-HA mailing list
> Linux-HA [at] lists
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
>
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

jpetersson at garnser

Sep 29, 2010, 1:37 AM

Post #11 of 11 (704 views)
Permalink

Re: OCF resource for conntrack [In reply to]

I think I've covered most of the input I've gotten so far, in lack of
git access internally here's another pastebin. Please let me know if
there's any additional changes that should be made.

http://pastebin.com/QMuyTRWB

On Tue, Sep 28, 2010 at 10:28 PM, Jonathan Petersson
<jpetersson [at] garnser> wrote:
> Great feedback, thanks a bunch, I'll get to it making the mods recommended asap.
>
> On Tue, Sep 28, 2010 at 10:23 PM, Florian Haas <florian.haas [at] linbit> wrote:
>> Hi Jonathan,
>>
>> as this discussion applies to a new RA, let's move it to the -dev list.
>> Very helpful contribution, thanks a lot. A few comments below.
>>
>>> # Fill in some defaults if no values are specified
>>> OCF_RESKEY_bin_default="/usr/sbin/conntrackd"
>>> OCF_RESKEY_cfg_default="/etc/conntrackd/conntrackd.conf"
>>> OCF_RESKEY_lck_default="/var/lock/conntrack.lock"
>>
>> Please use self-explanatory parameter names wherever possible; makes
>> life a whole lot easier for your users. I'd suggest "binary", "config",
>> and "lockfile" instead of "bin", "cfg", and "lck".
>>
>>> CONNTRACKD="${OCF_RESKEY_bin} -C ${OCF_RESKEY_cfg}"
>>
>> This assignment should come _after_ you initialize those variables with
>> their defaults.
>>
>>> : ${OCF_RESKEY_bin=${OCF_RESKEY_bin_default}}
>>> : ${OCF_RESKEY_cfg=${OCF_RESKEY_cfg_default}}
>>> : ${OCF_RESKEY_lck=${OCF_RESKEY_lck_default}}
>>
>>
>>> meta_data() {
>>> cat <<END
>>
>> This is a pet peeve, but would you mind using EOF for the here document
>> marker to make emacs users happy? :)
>>
>>> <?xml version="1.0"?>
>>> <!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
>>> <resource-agent name="Conntrackd" version="0.5">
>>> <version>1.0</version>
>>
>> Really minor issue here, but the version numbers should agree.
>>
>>>
>>> <longdesc lang="en">
>>> This is a Conntrackd resource to manage primary and secondary state between two firewalls in a cluster.
>>> </longdesc>
>>> <shortdesc lang="en">Manages primary/backup conntrackd state</shortdesc>
>>>
>>> <parameters>
>>> <parameter name="bin" unique="1">
>>
>> Nope. That one's definitely not unique.
>>
>>> <longdesc lang="en">
>>> Location of conntrackd binary.
>>> </longdesc>
>>> <shortdesc lang="en">Conntrackd bin</shortdesc>
>>> <contect type="string" default="/usr/sbin/conntrackd"/>
>>
>> You have a variable defined for the default; it's wise to use it here.
>>
>>> </parameter>
>>>
>>> <parameter name="cfg" unique="1">
>>
>> That one isn't unique either, I think.
>>
>>> <longdesc lang="en">
>>> Location of conntrackd configuration file.
>>> </longdesc>
>>> <shortdesc lang="en">Conntrackd config</shortdesc>
>>> <contect type="string" default="/etc/conntrackd/conntrackd.conf"/>
>>
>> As above.
>>
>>> </parameter>
>>>
>>> <parameter name="lck" unique="1">
>>
>> This one _might_ be unique, though I really don't think so.
>>
>>> <longdesc lang="en">
>>> Location of conntrackd lock-file.
>>> </longdesc>
>>> <shortdesc lang="en">Conntrackd lock-file</shortdesc>
>>> <contect type="string" default="/var/lock/conntrackd.lock"/>
>>
>> Again, as above.
>>
>>> # Call monitor to verify that conntrackd is running
>>> conntrackd_monitor
>>>
>>> if [ $? = $OCF_SUCCESS ]; then
>>
>> Use -eq instead of = for numeric comparisons.
>>
>>>
>>> # commit the external cache into the kernel table
>>> $CONNTRACKD -c
>>> if [ $? -eq 1 ]
>>> then
>>> return $OCF_ERR_GENERIC
>>
>> As a general rule, there is hardly ever any need to _return_ error
>> codes, you could just exit on them. And, whenever you error out, do so
>> after logging an error message with ocf_log err. In your case, it's
>> likely that you want to run the conntrackd command, capture its output,
>> and log it on error. All of which is easily achieved with ocf_run, like so:
>>
>> ocf_run $CONNTRACKD -c || exit $OCF_ERR_GENERIC
>>
>> You can probably apply that to most of your invocations of $CONNTRACKD.
>>
>>> conntrackd_monitor() {
>>>
>>> # Define conntrackd_pid variable
>>> local conntrackd_pid=`pidof ${OCF_RESKEY_bin}`
>>
>> Bashism. If you decĺare the resource agent as bourne shell compatible
>> (#!/bin/sh), this should be:
>>
>> local conntrackd_pid
>> conntrackd_pid=`pidof ${OCF_RESKEY_bin}`
>>
>> ... or you force bash with #!/bin/bash.
>>
>>> # Check for conntrackd lock-file
>>> if [ -f $OCF_RESKEY_lck ]; then
>>>
>>> # Check for conntrackd pid
>>> if [ $conntrackd_pid ]; then
>>
>> I think this is another bashism, Bourne shell would expect [ -n
>> "$conntrackd_pid" ].
>>
>>> # Successfull if lock and pid exists
>>> return $OCF_SUCCESS
>>> else
>>> # Error if pid exists but pid isn't running
>>> return $OCF_ERR_GENERIC
>>> fi
>>> else
>>> # False if lock and pid missing
>>> $OCF_NOT_RUNNING
>>>
>>> # Start conntrackd daemon
>>> $CONNTRACKD -d
>>
>> No. It's not the monitor action's job to restart anything. If monitor
>> exits with $OCF_NOT_RUNNING, it's Pacemaker's job to recover that
>> resource. And it happens to be good at that job. :)
>>
>>> conntrackd_validate() {
>>>
>>> # Check if conntrackd binary exists
>>> check_binary ${OCF_RESKEY_bin}
>>>
>>> if [ $? != 0 ]; then
>>> return $OCF_ERR_ARGS
>>> fi
>>
>> Not necessary, check_binary already exits with $OCF_ERR_INSTALLED (which
>> is the correct error code here) if the binary isn't found.
>>
>>>
>>> # Check if conntrackd config exists
>>> if [ ! -f ${OCF_RESKEY_cfg} ]; then
>>> return $OCF_ERR_ARGS
>>
>> This should be $OCF_ERR_INSTALLED.
>>
>>> fi
>>>
>>> return $OCF_SUCCESS
>>> }
>>>
>>> case $__OCF_ACTION in
>>> meta-data) meta_data
>>> exit $OCF_SUCCESS
>>> ;;
>>> start) conntrackd_start;;
>>> stop) conntrackd_stop;;
>>> monitor) conntrackd_monitor;;
>>> migrate_to) ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrate_to}."
>>> conntrackd_stop
>>> ;;
>>> migrate_from) ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrated_from}."
>>> conntrackd_start
>>
>> Migrate actions are really not needed here.
>>
>>> ;;
>>> reload) ocf_log err "Reloading..."
>>> conntrackd_start
>>> ;;
>>> validate-all) conntrackd_validate;;
>>
>> You might want to invoke conntrackd_validate before start, or even
>> before any action except metadata, help, and usage.
>>
>>> usage|help) conntrackd_usage
>>> exit $OCF_SUCCESS
>>> ;;
>>> *) conntrackd_usage
>>> exit $OCF_ERR_UNIMPLEMENTED
>>> ;;
>>> esac
>>> rc=$?
>>> ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
>>> exit $rc
>>>
>>
>> Thanks. Keep up the good work!
>>
>> Cheers,
>> Florian
>>
>>
>> _______________________________________________
>> Linux-HA mailing list
>> Linux-HA [at] lists
>> http://lists.linux-ha.org/mailman/listinfo/linux-ha
>> See also: http://linux-ha.org/ReportingProblems
>>
>
_______________________________________________
Linux-HA mailing list
Linux-HA [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads