CTDB 2.0: how to get rid of these messages?

Martin Schwenke martin at meltin.net
Fri Jun 14 14:55:43 MDT 2013


On Fri, 14 Jun 2013 17:14:50 +0200, Ulrich Sibiller
<u.sibiller at science-computing.de> wrote:

> we have a 6 node GPFS cluster running on RHEL5 and 6 (4 RHEL5, 2xRHEL6) using ctdb-2.0-1.x86_64 and 
> sernet's samba3-3.6.13-45.el6.x86_64 packages. This is running fine most of the time. However, I have
> lots of lines like the following in the syslogs of all nodes. Example from node 5:
> 
> Jun 14 15:01:24 gpfs02s05 ctdbd: Could not add client IP xx.yy.zz.236. This is not a public address.
> 
> This address is the private address of the node's bond0 interface.

> [root@gpfs02s05 samba]# cat /etc/ctdb/nodes
> xx.yy.zz.236
> [...]

This message comes from the code that registers client connections so
that they can be handled efficiently during an IP failover.  This
means that a client (probably Samba) is accepting connections on
private addresses.  That's bad because those connections won't fail over
if a node has a problem.

Your options include:

* If you're using round-robin DNS then ensure that the DNS name for the
  cluster does not map to any private addresses.

* Configuring clients more carefully.  This is like the above but if
  the clients are using IPs (instead of a DNS name) to connect to
  Samba then they should not be configured to use private IPs.

* Configure Samba to only accept connections on public IPs.

* Add firewall rules to block SMB connections to private IPs.

> I am suspecting that ctdb complains because the nodes and the
> private addresses are located in the same subnet [...]

You should also note that CTDB does not have any security on the
private network.  If the private node IPs are exposed via the public
network then it may be possible for users on the public network to do
bad things to CTDB.  You might want to consider securing the private
IPs/CTDB ports in some way.

peace & happiness,
martin
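
Added example, not part of the original message or of CTDB: one way to act on the firewall option and the closing advice about securing the private IPs/CTDB ports is to generate per-node iptables rules from the nodes list. It assumes CTDB's default TCP port 4379, SMB on TCP 139/445, peers connecting from the private addresses listed in the nodes file, and rules placed in the filter table's INPUT chain; `ctdb_private_rules` and the 10.0.0.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for one CTDB node.
# Assumptions: CTDB uses its default TCP port 4379, SMB uses TCP 139/445,
# peers connect from the private addresses in the nodes file, and the
# rules belong in the filter table's INPUT chain.
CTDB_PORT=4379
SMB_PORTS=139,445

# Usage: ctdb_private_rules SELF_PRIVATE_IP < nodes_file
ctdb_private_rules() {
    self=$1
    # Strip trailing whitespace; skip blank lines and '#' comment lines.
    peers=$(sed -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d')
    # Refuse to generate rules for an address that is not a cluster node.
    if ! printf '%s\n' "$peers" | grep -qxF -- "$self"; then
        echo "error: $self is not in the nodes list" >&2
        return 1
    fi
    # Cluster peers may reach CTDB on the private address.
    for peer in $peers; do
        echo "iptables -A INPUT -p tcp -s $peer -d $self --dport $CTDB_PORT -j ACCEPT"
    done
    # Everything else is kept away from the unauthenticated CTDB port.
    echo "iptables -A INPUT -p tcp -d $self --dport $CTDB_PORT -j DROP"
    # SMB to the private address is reset so clients fail fast instead of
    # holding a connection that cannot follow an IP failover.
    echo "iptables -A INPUT -p tcp -d $self -m multiport --dports $SMB_PORTS -j REJECT --reject-with tcp-reset"
}

# Constructed sample standing in for /etc/ctdb/nodes; this node is 10.0.0.2.
ctdb_private_rules 10.0.0.2 <<'EOF'
10.0.0.1
10.0.0.2
# 10.0.0.3
10.0.0.4
EOF
```

The function only prints the commands so they can be reviewed before being applied on each node with that node's own private address.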


More information about the samba-technical mailing list