[DRBD-user] Restarting IPtables caused split-brain and OCFS2 corruption? <SOLVED, mostly>

Herman herman6x9 at ymail.com
Wed Jun 8 20:56:09 CEST 2011

Sorry, meant to reply to this earlier.

Thanks to Bart for the OCFS2 timeout settings.  They were set to 2000ms;
however, raising it to 10000ms didn't seem to make any difference for
IPTables, but I think I may raise them in production anyways.  Anyone
know if there are any problems with raising this?

From Andreas's suggestion for the unloading modules, I found the problem
with RHEL6's iptables init.d script.  It seems that by default, it
unloads *all* modules when doing a restart.

Thanks Andreas!

There's a line that sets a variable in /etc/init.d/iptables which
controls this:

After changing this to "no", it doesn't have any problems with
split-brain anymore.

Still no luck on the OCFS2 corruption, but I guess I probably should ask
the OCFS2 mailing list about that one.


On Tue, 2011-05-17 at 22:47 +0100, bart at timedout.org wrote:
> Herman wrote:
> > I made a change to IPTables, and did a "service iptables restart", and
> > next thing I knew, I had a split brain.
> Are you sure it was a split-brain on DRBD level, or perhaps OCFS2 
> "freaked" out and nodes started fencing each other?
> Default OCFS2 cluster rules have quite low timeout levels -- I used to 
> have some problems with default settings even in active/standby mode.
> 'service o2cb status' should be able to tell you timeouts etc.  If it's 
> going to be 2000ms, I would raise it to something around 10000ms and try 
> reloading firewall then.
> I have DRBD running on a few nodes and reloading the firewall, although I am
> using filtergen -- so 'fgadm reload' -- never caused any issues with
> either DRBD or OCFS2.

