Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Sun Cluster and IP Filter

19 views
Skip to first unread message

Ceri Davies

unread,
Jan 8, 2007, 9:45:48 AM1/8/07
to
After installing Sun Cluster 3.2 and configuring a single node cluster,
the ipfilter service is failing to start on my system.

This looks to be because Sun Cluster has put this line in /etc/iu.ap:

eri -1 0 clhbsndr

and this is overriding, or otherwise causing to fail, the line in
/etc/ipf/pfil.ap:

eri -1 0 pfil

Is there a way around this?

Ceri

PS On a related note, how does one determine the major and minors to
feed to "autopush -g"? They don't seem to match the device node major
and minors.
--
That must be wonderful! I don't understand it at all.
-- Moliere

Gary Mills

unread,
Jan 8, 2007, 10:08:35 AM1/8/07
to
In <wOsoh.22636$RL5....@newsfe2-gui.ntli.net> Ceri Davies <ceri_...@submonkey.net> writes:

>After installing Sun Cluster 3.2 and configuring a single node cluster,
>the ipfilter service is failing to start on my system.

>This looks to be because Sun Cluster has put this line in /etc/iu.ap:

> eri -1 0 clhbsndr

>and this is overriding, or otherwise causing to fail, the line in
>/etc/ipf/pfil.ap:

> eri -1 0 pfil

The Sun Cluster documentation states that ipfilter is not supported
on a cluster. Now we know why this is so.

--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

Ceri Davies

unread,
Jan 8, 2007, 11:14:14 AM1/8/07
to
On 2007-01-08, Gary Mills <mi...@cc.umanitoba.ca> wrote:
> In <wOsoh.22636$RL5....@newsfe2-gui.ntli.net> Ceri Davies <ceri_...@submonkey.net> writes:
>
>>After installing Sun Cluster 3.2 and configuring a single node cluster,
>>the ipfilter service is failing to start on my system.
>
>>This looks to be because Sun Cluster has put this line in /etc/iu.ap:
>
>> eri -1 0 clhbsndr
>
>>and this is overriding, or otherwise causing to fail, the line in
>>/etc/ipf/pfil.ap:
>
>> eri -1 0 pfil
>
> The Sun Cluster documentation states that ipfilter is not supported
> on a cluster. Now we know why this is so.

Ah, now I see it, in the Installation Guide (819-2970).

Could someone comment on the necessity or functionality of clhbsnr
please, as so far commenting that line out of /etc/iu.ap seems to be
working OK.

Interestingly, the Installation Guide also states that interface groups
are not supported, and yet the installer has created one...

Ceri

Casper H.S. Dik

unread,
Jan 8, 2007, 11:42:40 AM1/8/07
to
Ceri Davies <ceri_...@submonkey.net> writes:

>After installing Sun Cluster 3.2 and configuring a single node cluster,
>the ipfilter service is failing to start on my system.

>This looks to be because Sun Cluster has put this line in /etc/iu.ap:

> eri -1 0 clhbsndr

>and this is overriding, or otherwise causing to fail, the line in
>/etc/ipf/pfil.ap:

> eri -1 0 pfil

>Is there a way around this?

You can list multiple modules on a single iu.ap list.

(Note that this issue will go away in future as pfil is no longer used
in current Solaris build [Solaris Nevada b52 and later])

>PS On a related note, how does one determine the major and minors to
>feed to "autopush -g"? They don't seem to match the device node major
>and minors.

You mean '11'? The clonse devices are all numbered
<clone major [11], device major>

So the minor number is the major number of the device.

The /etc/name_to_major lists the full mapping of names to major numbers.

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Ceri Davies

unread,
Jan 8, 2007, 4:49:21 PM1/8/07
to
On 2007-01-08, Casper H.S Dik <Caspe...@Sun.COM> wrote:
> Ceri Davies <ceri_...@submonkey.net> writes:
>
>>After installing Sun Cluster 3.2 and configuring a single node cluster,
>>the ipfilter service is failing to start on my system.
>
>>This looks to be because Sun Cluster has put this line in /etc/iu.ap:
>
>> eri -1 0 clhbsndr
>
>>and this is overriding, or otherwise causing to fail, the line in
>>/etc/ipf/pfil.ap:
>
>> eri -1 0 pfil
>
>>Is there a way around this?
>
> You can list multiple modules on a single iu.ap list.

Seems to work well with them both in iu.ap, thanks for the hint.

> (Note that this issue will go away in future as pfil is no longer used
> in current Solaris build [Solaris Nevada b52 and later])

I'd seen Darren Reed's packet filter hooks paper on that kind of
subject; is it a different piece of work?

>>PS On a related note, how does one determine the major and minors to
>>feed to "autopush -g"? They don't seem to match the device node major
>>and minors.
>
> You mean '11'? The clonse devices are all numbered
><clone major [11], device major>

Hmm, I was thinking more of examining the stream on a given eri device.
I realise that I can do that with "ifconfig eri0 modlist", but I
couldn't work out what to put for X in "autopush -g -M X -m 0"...

> So the minor number is the major number of the device.
>
> The /etc/name_to_major lists the full mapping of names to major numbers.

... the answer to which lies here. Thanks again.

Ceri

Ceri Davies

unread,
Mar 3, 2007, 9:55:34 AM3/3/07
to
On 2007-01-08, Ceri Davies <ceri_...@submonkey.net> wrote:
> On 2007-01-08, Gary Mills <mi...@cc.umanitoba.ca> wrote:
>> In <wOsoh.22636$RL5....@newsfe2-gui.ntli.net> Ceri Davies <ceri_...@submonkey.net> writes:
>>
>>>After installing Sun Cluster 3.2 and configuring a single node cluster,
>>>the ipfilter service is failing to start on my system.
>>
>>>This looks to be because Sun Cluster has put this line in /etc/iu.ap:
>>
>>> eri -1 0 clhbsndr
>>
>>>and this is overriding, or otherwise causing to fail, the line in
>>>/etc/ipf/pfil.ap:
>>
>>> eri -1 0 pfil
>>
>> The Sun Cluster documentation states that ipfilter is not supported
>> on a cluster. Now we know why this is so.
>
> Ah, now I see it, in the Installation Guide (819-2970).

Good God. Thank you Sun.

http://blogs.sun.com/SC/entry/ip_filter_support_for_failover

0 new messages