[Bug 250580] New: Init scripts for drbd and Suse-firewall (together) prohibit unattended reboot
https://bugzilla.novell.com/show_bug.cgi?id=250580

Summary: Init scripts for drbd and Suse-firewall (together) prohibit unattended reboot
Product: openSUSE 10.2
Version: Final
Platform: i386
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: eugen@drnet.at
QAContact: qa@suse.de

When creating a 2-node cluster with DRBD and using the suse-firewall, the dependencies of the init scripts work out to prohibit unattended reboot:

1.) suse-firewall-init blocks everything
2.) drbd starts and blocks (cannot communicate with partner)
3.) suse-firewall-setup is never run (as init blocks in step 2)

Since 3.) is never run, ssh to fix the problem is impossible.

Workaround:
(A) Manual intervention on boot console: stop the blocking drbd init; this completes the init and runs suse-firewall-setup. Then start drbd manually.
(B) Rename rc-links so that drbd is started after the firewall.

I didn't know whether to file this under yast, security, maintenance or installation - so I chose "other".

Thanks for an excellent product!

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=250580

chrubis@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |lnussel@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=250580

lnussel@novell.com changed:

           What    |Removed             |Added
----------------------------------------------------------------------------
                 CC|                    |lnussel@novell.com
         AssignedTo|lnussel@novell.com  |lmb@novell.com

------- Comment #1 from lnussel@novell.com 2007-03-05 01:33 MST -------
SuSEfirewall2_init blocks new incoming connections early in the boot process. SuSEfirewall2_setup later applies all rules and opens ports. I don't know the first thing about drbd though, so I don't know how it interacts with a firewall. Reassigning to drbd maintainer.
https://bugzilla.novell.com/show_bug.cgi?id=250580

lmb@novell.com changed:

           What    |Removed             |Added
----------------------------------------------------------------------------
                 CC|                    |lmb@novell.com
         AssignedTo|lmb@novell.com      |lnussel@novell.com

------- Comment #2 from lmb@novell.com 2007-03-05 07:42 MST -------
The firewall must not block allowed ports, as in this case: drbd. drbd is a mechanism to replicate over TCP (networked raid1), so blocking the connection ain't going to work. Not a drbd problem, reassigning back to firewall maintainer ;-)
https://bugzilla.novell.com/show_bug.cgi?id=250580

------- Comment #3 from eugen@drnet.at 2007-03-05 12:32 MST -------
Ludwig and Lars, IMHO this is a firewall issue, but it needs both of you.

Ludwig: SuSEfirewall2_setup doesn't set the rules the moment it is invoked, but queues setting those rules for immediately after the boot process ends. So e.g. S50SuSEfirewall2_setup and S51drbd don't work, as the firewall script returns before the rules are set, leaving drbd in a blocking situation again. For me a perfect resolution would be a directive like FW_SET_RULES_SYNCHRONOUS in /etc/sysconfig/SuSEfirewall2 that forces the rules to be set the moment the script is called. I guess this creates trouble not only for drbd, but for all services that need an incoming connection to boot. I can not understand why the rules are not set immediately after network comes up - but I guess this is my fault, not the firewall's!

Now Lars: You could then add a startup dependency (or whatever mechanism) to make sure drbd is started only after this is done (if SuSEfirewall2 is enabled).

Our first workaround was something like S50network S51drbd S52SuSEfirewall2_init, which is a REALLY bad idea if the drbd partner is slow or down.

Our final workaround (after discovering this asynchronicity in SuSEfirewall2_setup) was to add a similar asynchronous wrapper to drbd, so that drbd is only started some seconds after the boot process has finished (and the firewall rules are set). This of course needs an asynchronous start of heartbeat, which depends on drbd - a maintenance nightmare (and I haven't yet talked of clean shutdown)!
https://bugzilla.novell.com/show_bug.cgi?id=250580

------- Comment #4 from lnussel@novell.com 2007-03-06 01:33 MST -------
SuSEfirewall2 is not asynchronous. When the script exits all rules are set. The boot process is parallelized though, i.e. drbd and SuSEfirewall2 init scripts can run at the same time if dependencies are wrong.

SuSEfirewall2_setup has "Should-Start: $ALL", so it will run as the very last script; you cannot start drbd after it. If you remove that line and add "Should-Start: SuSEfirewall2_setup" to drbd, then drbd will run after SuSEfirewall2_setup. You need to remove and add the script via insserv to actually apply the changes. Manually modifying the symlinks will not have the desired effect.

The reason why SuSEfirewall2_setup runs last is that it needs all services running for e.g. autodetection of RPC ports.
https://bugzilla.novell.com/show_bug.cgi?id=250580

------- Comment #5 from eugen@drnet.at 2007-03-06 06:56 MST -------
I apologize for creating unnecessary work by mixing up an asynchronous boot process with an async firewall script.

1.) changed "Should-Start: $ALL" to "Should-Start: portmap" in SuSEfirewall2_setup
2.) added "Should-Start: SuSEfirewall2_setup" and "Should-Stop: SuSEfirewall2_setup" to drbd

Works like a charm now, including shutdown. Heartbeat already contains "Should-Start: drbd" (inter al.); IMHO a "Should-Stop: drbd" would also be a good idea - but I have already proven to understand too little of the boot process to give advice.

Ludwig: Are there other services (apart from portmap) that need to be started before SuSEfirewall2_setup to allow the firewall's auto-magic? I didn't produce a patchset, as I miss this piece of information.

AFAIAC this bug is closed. I am not in a position to decide whether this should go to mainstream; maybe a comment in the firewall docs would be enough - anyone creating heartbeat-clusters with drbd and still using SuSEfirewall2 should be able to solve this!
https://bugzilla.novell.com/show_bug.cgi?id=250580

------- Comment #6 from lnussel@novell.com 2007-03-06 08:16 MST -------
portmap alone isn't of much use. SuSEfirewall2 needs to run after the services that use portmap, like nfsd, ypbind etc. There used to be a third init script that would run directly after the network script, but that's usually not needed and therefore just wasted boot time. This is the first use case I know of that would require it, so I'm reluctant to make changes specifically for drbd.
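The header changes worked out in comments #4 to #6, as an added shell example that is not from the bug report: it applies them to constructed copies of the two init scripts (the real ones live in /etc/init.d/) and checks that the resulting ordering is satisfiable. It assumes GNU sed; the header contents, the temp directory and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report. Edits the LSB INIT INFO headers the way
# comment #5 describes, on constructed copies of the two scripts (real ones: /etc/init.d/).
# Assumes GNU sed (for -i); the header contents below are constructed, not the real files.
set -eu
WORK=$(mktemp -d)
# Constructed SuSEfirewall2_setup header with the original "Should-Start: $ALL".
cat > "$WORK/SuSEfirewall2_setup" <<'EOF'
### BEGIN INIT INFO
# Provides:       SuSEfirewall2_setup
# Required-Start: $network
# Should-Start:   $ALL
### END INIT INFO
EOF
# Constructed drbd header with no firewall dependency yet.
cat > "$WORK/drbd" <<'EOF'
### BEGIN INIT INFO
# Provides:       drbd
# Required-Start: $network
### END INIT INFO
EOF
# get_lsb_key FILE KEY: print the value of "# KEY:" (empty if absent).
get_lsb_key() { sed -n "s|^# $2:[[:space:]]*||p" "$1"; }
# set_lsb_key FILE KEY VALUE: replace the "# KEY:" line, or insert one before END INIT INFO.
set_lsb_key() {
    if grep -q "^# $2:" "$1"; then
        sed -i "s|^# $2:.*|# $2: $3|" "$1"
    else
        sed -i "/^### END INIT INFO/i\\
# $2: $3" "$1"
    fi
}
# fw_order_consistent: drbd must wait for SuSEfirewall2_setup, which in turn must no
# longer claim "$ALL" (that would place it after drbd, an unsatisfiable order).
fw_order_consistent() {
    case "$(get_lsb_key "$WORK/drbd" Should-Start)" in *SuSEfirewall2_setup*) ;; *) return 1 ;; esac
    case "$(get_lsb_key "$WORK/SuSEfirewall2_setup" Should-Start)" in *'$ALL'*) return 1 ;; esac
}
# Step 1 (comment #5): firewall setup waits for portmap instead of $ALL. Per comment #6 the
# services that use portmap (nfsd, ypbind, ...) belong in this list too, by their script names.
set_lsb_key "$WORK/SuSEfirewall2_setup" Should-Start portmap
# Step 2: drbd starts after the rules are applied and stops before they are torn down.
set_lsb_key "$WORK/drbd" Should-Start SuSEfirewall2_setup
set_lsb_key "$WORK/drbd" Should-Stop  SuSEfirewall2_setup
fw_order_consistent && echo "drbd now ordered after SuSEfirewall2_setup"
# On the real system apply the new headers with: insserv -r drbd && insserv drbd
# (renaming the S??/K?? symlinks by hand does not change the dependency order).
```

Whether portmap alone is enough depends on which RPC services the host runs; comment #6 names the ones SuSEfirewall2_setup must follow.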
https://bugzilla.novell.com/show_bug.cgi?id=250580

------- Comment #7 from lnussel@novell.com (Ludwig Nussel) -------
https://bugzilla.novell.com/show_bug.cgi?id=250580#c7