https://bugzilla.novell.com/show_bug.cgi?id=250580 lnussel@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@novell.com AssignedTo|lnussel@novell.com |lmb@novell.com ------- Comment #1 from lnussel@novell.com 2007-03-05 01:33 MST ------- SuSEfirewall2_init blocks new incoming connections early in the boot process. SuSEfirewall2_setup later applies all rules and opens ports. I don't know the first thing about drbd though so I don't know how it interacts with a firewall. Reassigning to drbd maintainer. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=250580 ------- Comment #3 from eugen@drnet.at 2007-03-05 12:32 MST ------- Ludwig and Lars, IMHO this is a firewall issue, but it needs both of you. Ludwig: SuSEfirewall2_setup doesn't set the rules the moment it is invoked, but queues setting those rules for immediately after the boot process ends. So e.g. S50SuSEfirewall2_setup and S51drbd doesn't work, as the firewall script returns, before the rules are set leaving drbd in a blocking situation again. For me a perfect resolution would be a directive like FW_SET_RULES_SYNCHRONOUS in /etc/sysconfig/SuSEfirewall2, that forces the rules to be set the moment the script is called. I guess this creates trouble not only for drbd, but for all services, that need an incoming connection to boot. I can not understand, why the rules are not set immediately after network comes up - but I guess this is my fault, not the firewall's! Now Lars: You could then add a startup dependency (or whatever mechanism) to make sure, drbd is started only after this is done (if SuSEfirewall2 is enabled) Our first workaround was something like S50network S51drbd S52SuSEfirewall2_init which is a REALLY bad idea if the drbd partner is slow or down. Our final workaround (after discovering this asynchronousity in SuSEfirewall2_setup) was to add a similar asynchronous wrapper to drbd, so that drbd is only started some seconds after the boot process has finished (and the firewall rules are set). This ofcourse needs an asynchronous start of heartbeat, which depends on drbd - a maintenance nightmare (and I haven't yet talked of clean shutdown)! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=250580 ------- Comment #5 from eugen@drnet.at 2007-03-06 06:56 MST ------- I apologize for creating unnecessary work by mixing up an asynchronous boot process with an async firewall script. 1.) changed "Should-Start: $ALL" to "Should-Start: portmap" in SuSEfirewall2_setup 2.) added "Should-Start: SuSEfirewall2_setup" and "Should-Stop: SuSEfirewall2_setup" to drbd Works like a charme now, including shutdown. Heartbeat already contains "Should-Start: drbd" (inter al.), IMHO a "Should-Stop: drbd" would also be a good idea - but I have already proven to understand too little of the boot process as to give advice. Ludwig: Are there other services (apart from portmap) that need to be started before SuSEfirewall2_setup to allow the firewall's auto-magic? I didn't produce a patchset, as I miss this piece of information. AFAIAC this bug is closed. I am not in a position to decide, wether this should go to mainstream, maybe a comment in the firewall docs would be enough - anyone creating heartbeat-clusters with drbd and still using SuSEfirewall2 should be able to solve this! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=250580 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=250580#c7 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX --- Comment #7 from Ludwig Nussel 2008-09-17 03:06:08 MDT --- Having thought about this back and forth I cannot come up with a simple solution that doesn't hurt in general and also automatically works in this corner case. So the workarounds for using SuSEfirewall2 and drbd at the same time are to either - remove 'close' from SuSEfirewall2_init so at least the external zone is set up or - modify the dependencies of SuSEfirewall2_setup. One can do that without actually modifing the file by using /etc/insserv/overrides/, see man insserv. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.