[Openstack-operators] Pacemaker / Corosync in guests on OpenStack

Hauke Bruno Wollentin Hauke-Bruno.Wollentin at innovo-cloud.de
Thu Aug 17 02:06:39 UTC 2017

+1 to Johns answer.

We also run Pacemaker/Corosync clusters inside OpenStack instances (in project/self service networks). Our clusters are formed by 3 instances each and run in production currently. We didn't see any problems with migrations, handmade or triggered by Pacemaker.

I recommend using unicast for the cluster communication too + using the default ocf:heartbeat:IPaddr2 resource agent to keep things simple.

For the VIP we use a _dummy_ port (neutron port create) and allow its IP address to all cluster members via 'neutron port update'. That port is never attached to any instance, they are just using its IP address on their default ports.

The idea of fencing via the API sounds pretty neat, so I will have a look on that ;)

best regards,


From: John Petrini <jpetrini at coredial.com>
Sent: Wednesday, August 16, 2017 12:55 PM
To: Tim Bell
Cc: openstack-operators
Subject: Re: [Openstack-operators] Pacemaker / Corosync in guests on OpenStack

I just did recently and had no issues. I used a provider network so I don't have experience using it with project networks but I believe the only issue you might run into with project networks is multicast. You can work around this by using unicast instead.

If you do you use multicast you need to enable IGMP in your security groups. You can do this in Horizon by selecting other protocol and setting the IP protocol number to 2.

I hit a minor issue setting up a VIP because port security wouldn't allow traffic to the instance that was destined for that address but all I had to do was add the VIP as an allowed address pair on the port of each instance. Also, I attached an additional interface to one of the instances to allocate the VIP, I just didn't configure the interface within the instance. Since we use DHCP this was a simple way to reserve the IP. I'm sure I could have created a pacemaker resource that would move the port using the OpenStack API but I prefer the simplicity and speed of Pacemakers ocf:ipaddr2 resource.

I setup fencing of the instances via the openstack api to avoid any chance of a duplicate IP when moving the VIP. I borrowed this script https://github.com/beekhof/fence_openstack/blob/master/fence_openstack and made a few minor changes.

Overall there weren't many differences between setting up pacemaker in OpenStack vs Iron but I hope this is helpful.


John Petrini

On Wed, Aug 16, 2017 at 6:06 AM, Tim Bell <Tim.Bell at cern.ch<mailto:Tim.Bell at cern.ch>> wrote:

Has anyone had experience setting up a cluster of VM guests running Pacemaker / Corosync? Any recommendations?


OpenStack-operators mailing list
OpenStack-operators at lists.openstack.org<mailto:OpenStack-operators at lists.openstack.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20170817/5eac1017/attachment.html>

More information about the OpenStack-operators mailing list