Hi Chiradeep,

On 21-Aug-2012, at 2:50 AM, Chiradeep Vittal <chiradeep.vit...@citrix.com> wrote:

> On 8/16/12 2:41 AM, "Rohit Yadav" <rohit.ya...@citrix.com> wrote:
>>
>> 1. Async Callback:
>> With bug http://bugs.cloudstack.org/browse/CS-15970 fixed, the
>> management server knows when the router's redundant state changed and CS re-applies
>> iptables rules when state changes from UNKNOWN (possible crash/reboot) to
>> MASTER/BACKUP.
>
> This may fix the issue at hand, but out-of-band operations on the VR is a
> generic problem.

These were related to the bug http://bugs.cloudstack.org/browse/CS-15907, which is resolved by design now, but I want to fix this in later versions. I agree with your comments on push mechanisms, see below.

>> 2. Pull mechanism:
>> On reboot, a script/daemon on the router pulls any updates or iptables
>> rules, but it won't work if management server is down.
>
> Also doesn't account for several other failure scenarios.
>
>> 3. Push mechanism:
>> CS periodically checks/resets/updates iptables rules etc. Cons: it's a
>> bad design.
>
> Not sure why you think this is a bad design.

I prefer event-driven programming, but you're right, it should work well.

> Every update to the virtual
> router gets a transaction id. You can design a background task to push
> updates to the VR whenever the txid is different from the database. This
> is similar to the design of the SecurityGroups feature. It isn't unlike a
> DB master-slave sync or in some respects to eventual consistency. You
> could even checksum the configuration to detect other inconsistencies.

We already have a background thread that periodically checks for redundant router status and gets values (Master, Backup or Unknown) every 30s (which may be reduced to a lower number for frequent polling, by admin). We use state changes to push and reapply iptables rules. This becomes an event-driven polling/push mechanism which can use txids/checksums as you suggest. Will work on it soon.

>> 4. Modifying VRRP [3] [4] such that when one of the routers goes away,
>> the other one will be responsible to re-apply iptables rules. Cons: when
>> both/all go down.
>
> Modifying GPL software is a non-starter in most cases.

Thanks,
Rohit
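As an added illustration of the reconciliation design discussed in this thread (a poller that re-pushes rules on an UNKNOWN to MASTER/BACKUP transition, on txid lag, or on checksum drift), here is example code that is not CloudStack's own; the DesiredConfig, RouterReport and Reconciler names and the rule strings are hypothetical, constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class DesiredConfig:
    """Management server's record of what a router should be running (hypothetical)."""
    txid: int          # incremented on every update to the virtual router
    rules: list        # iptables rule lines, constructed sample data


def checksum(rules):
    """Stable digest of the rule set, so drift is caught even when txid matches."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


@dataclass
class RouterReport:
    """What the router reports on each poll: VRRP state plus what it has applied."""
    state: str               # "MASTER", "BACKUP" or "UNKNOWN"
    applied_txid: int
    applied_checksum: str


class Reconciler:
    """Event-driven push: decide on each poll whether rules must be re-applied."""

    def __init__(self, desired):
        self.desired = desired
        self.last_state = {}   # router id -> last observed VRRP state
        self.pushes = []       # (router id, reason) for every push issued

    def poll(self, router_id, report):
        # An unseen router is treated as coming out of UNKNOWN, so it gets pushed.
        prev = self.last_state.get(router_id, "UNKNOWN")
        self.last_state[router_id] = report.state
        reason = None
        if report.state == "UNKNOWN":
            reason = None                      # unreachable: nothing to push to
        elif prev == "UNKNOWN":
            reason = "state-change"            # possible crash/reboot, re-apply
        elif report.applied_txid != self.desired.txid:
            reason = "txid-mismatch"           # router lags the database
        elif report.applied_checksum != checksum(self.desired.rules):
            reason = "checksum-drift"          # out-of-band edit on the VR
        if reason:
            self.pushes.append((router_id, reason))
        return reason
```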