[OpenAFS] Multihomed issues

Derrick Brashear shadow@gmail.com
Mon, 17 Jan 2011 23:28:59 -0500

On Mon, Jan 17, 2011 at 11:24 PM, Jaap Winius <jwinius@umrk.nl> wrote:
> Quoting Derrick Brashear <shadow@gmail.com>:
>> I kind of follow what you're saying here. However:
>> 1) CellServDB is "where are database servers"
>> 2) what's in the VLDB is "where are the volumes"
>> so just because it appeared in 1, well, that has nothing to do with 2.
>> mantra: "solve the real problem"
> Makes sense. Right now I think the real problem is my DNS configuration:
> externally, each AFS server's host name resolves only to its public IP
> address, internally to both its private and public IP addresses.

are both addresses reachable internally?

>> CellServDB on each host must list the addresses that the database
>> servers are reachable at from *this* host, not what each believes
>> their own addresses are. Make it so.
> That would mean listing both its private IP address and its public IP
> address (which both resolve to the same name).

can't do it, alas. if both are reachable, list only the outside,
everywhere. otherwise, list only the inside, inside.

>> e.g. a db server behind a nat would list its internal address for
>> itself; one outside a nat would list the external address which you
>> are port forwarding from. The internal server would include in NetInfo
>> as its first line:
>> f (external address)
>> e.g.
>> f
>> if its external address was
>> then whatever internal address
> I don't think the "f" option applies in my situation. My servers aren't
> behind a NAT: they each have a public IP address via PPP; their broadband
> CPEs act as modems only. Both route between the Internet and an internal
> network and both run an iptables firewall that includes a NAT.

then you don't (shouldn't) need the f line.

>> NetRestrict could be used to mask unwanted addresses, *but* you
>> probably want both addresses, the local and the external, so if there
>> are these two only, mask none with NetRestrict.
> So, in your opinion no NetRestrict file is necessary?

if the outside addresses can talk to each other, NetRestrict away the
internal addresses.
if they can't, no NetRestrict is needed and in fact one is harmful.

>> Now, as to fileservers, the same tip(s) with NetInfo/NetRestrict
>> apply.
> So far, I currently have a server NetInfo file with the external address
> only (you think that should include the internal address too?) and a
> NetRestrict file containing the address for the internal network (which I
> gather you think it should not).

well, I assumed NAT. apparently your internal addresses can talk to each other.

>> Here, the CellServDB only *needs* to provide an address for at
>> least one server, but ideally you still list, for each server, an
>> address which reaches it.
> Right now it contains only the external IP address for the other server, as
> well as its own external IP address. The plan is to add an external address
> for a third server soon.

again, as long as external-to-external works in all cases, "good enough"

>> vos delentry is for a VLDB entry, not a server, so you didn't remove
>> any server addresses from the VLDB with it. remsite removes a server
>> for a volume. delentry removes a whole volume entry. ...
> Considering what I've seen, that would explain things.
>> ... changeaddr -remove removes an address but probably still isn't
>> what you want. make the fileserver register the addresses you want
>> (using netinfo and netrestrict), start it and let it register. all
>> will be well.
> I'll try again tomorrow.
> Thanks,
> Jaap
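The rules Derrick lays out above (NetInfo lists what a server registers, with an "f" line only behind a NAT; NetRestrict masks the internal address only when external-to-external works everywhere; CellServDB lists, per database server, the one address *this* host can reach) can be written down as a small generator. This is an added example, not code from the thread or from OpenAFS; the server names, the cell name and the addresses are constructed placeholders.

```python
# Added example: derive NetInfo, NetRestrict and CellServDB text for a
# multihomed OpenAFS cell from the rules in the thread above.
# Assumption: the file formats are one address per line (NetInfo/NetRestrict)
# and ">cell" followed by "address #hostname" lines (CellServDB).
from dataclasses import dataclass
from typing import List


@dataclass
class Server:
    name: str      # hostname (constructed placeholder in the tests)
    external: str  # public address
    internal: str  # private address


def net_info(srv: Server, behind_nat: bool = False) -> str:
    """NetInfo: addresses the server registers. Behind a NAT the first line
    is 'f <external>' (the forwarded address); otherwise both addresses are
    listed plainly and nothing is masked."""
    if behind_nat:
        return f"f {srv.external}\n{srv.internal}\n"
    return f"{srv.external}\n{srv.internal}\n"


def net_restrict(srv: Server, ext_reachable_everywhere: bool) -> str:
    """NetRestrict: mask the internal address only when every peer can reach
    the external one. Otherwise the file must not exist (empty string),
    because masking would hide the only address some peers can use."""
    return f"{srv.internal}\n" if ext_reachable_everywhere else ""


def cell_server_db(cell: str, dbservers: List[Server], from_inside: bool,
                   ext_reachable_everywhere: bool) -> str:
    """CellServDB for *this* host: one address per database server, chosen as
    the address this host can actually reach (not the server's own view)."""
    lines = [f">{cell}\t#{cell}"]
    for s in dbservers:
        use_external = ext_reachable_everywhere or not from_inside
        addr = s.external if use_external else s.internal
        lines.append(f"{addr}\t#{s.name}")
    return "\n".join(lines) + "\n"
```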