Create Active/Passive servers for a more resilient service (on OpenBSD)
Posted on 2022-09-09 15:43:00 from Vincent in OpenBSD
I have built a DNS server that filters out ads and other unwanted content. Every device that uses it as resolver benefits from it: phones, laptops, ...
The feature is so addictive that whenever I have to replace its hardware, everyone notices how annoying it is to be without it.
So I decided to run two machines as a cluster, so that the service never stops, not even during maintenance.
This is common practice on professional servers, usually with paid solutions.
This post explains how to do it with OpenBSD.
Introduction
I have one tiny machine that draws little power and runs 24x7; on it I have built a DNS server that filters out unwanted hosts. Explaining that DNS setup is not the goal of this post. The point here is how to keep a 24x7 service available even during a maintenance window.
As we are used to doing in a professional context: how do we build a cluster of 2 machines providing the same service, switching from one to the other without impact on the users?
You will see that OpenBSD comes with everything required.
Setup
I have 2 machines running my DNS application. Each has its own IP address, as shown below:
+----+ +----+
| S1 | | S2 |
+----+ +----+
re1|192.168.3.31 re1|192.168.3.32
| |
---+----VIP: 192.168.3.1----+---
The Virtual IP (VIP) is provided by carp(4).
There is nothing to install: everything needed is part of the OpenBSD base system.
Configuration
The configuration is done with ifconfig.
Make sure carp is enabled on both machines:
sysctl net.inet.carp.allow=1
sysctl net.inet.carp.preempt=1
The first parameter is already 1 by default. The second one is 0 by default: with preempt enabled, a node whose advskew is lower than the current master's takes the VIP over as soon as it is up, and the manual advskew change used as a test further down only switches the master because of it.
To make these settings survive a reboot, add them to /etc/sysctl.conf (or uncomment them if your copy still lists them).
Create a carp interface:
ifconfig carp1 create
Put the following line in a new file called /etc/hostname.carp1 (hostname.<if>, singular, like the hostname.re1 file of the physical interface). Since it holds the shared secret, keep it readable by root only (chmod 640 /etc/hostname.carp1).
inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 100
In a few words, this tells carp that we join a cluster with the virtual host ID (vhid) 1. This vhid:
- must be unique on the network segment; it also sets the virtual MAC address of the VIP (00:00:5e:00:01:01 for vhid 1, the lladdr you will see in the ifconfig output further down).
- is authenticated by the passphrase: every advertisement carries an HMAC keyed with it, and advertisements that fail the check are dropped. Use a real secret here; a host on the same segment that knows it (or that finds no passphrase configured at all) can send advertisements with a lower advskew and take the VIP.
- is bound to the physical interface re1.
- advertises every advbase + advskew/256 seconds. With the default advbase of 1 and advskew 100, this node announces its state to the other members of the vhid every 1.39 seconds.
The node with the shortest advertisement interval (the lowest advskew) becomes MASTER, the other stays BACKUP. A BACKUP that stops hearing the master's advertisements takes over, so a crash or an unplugged cable is handled without any extra tooling.
Then make sure the firewall does not block carp messages (IP protocol 112, sent to the multicast group 224.0.0.18 on re1):
pass on re1 inet proto carp keep state
If these packets are filtered, neither node ever hears the other and both declare themselves MASTER.
And that's it!
Apply the changes with:
sh /etc/netstart
pfctl -vf /etc/pf.conf
Or reboot the machine.
So in summary, the configuration on server S1 is:
ifconfig carp1 create
(make sure that /etc/hostname.re1 already contains) inet 192.168.3.31 255.255.255.0 192.168.3.255
(in /etc/sysctl.conf) net.inet.carp.allow=1
(in /etc/sysctl.conf) net.inet.carp.preempt=1
(in /etc/hostname.carp1) inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 100
(in /etc/pf.conf) pass on re1 inet proto carp keep state
sh /etc/netstart
pfctl -vf /etc/pf.conf
So in summary, the configuration on server S2 is:
ifconfig carp1 create
(make sure that /etc/hostname.re1 already contains) inet 192.168.3.32 255.255.255.0 192.168.3.255
(in /etc/sysctl.conf) net.inet.carp.allow=1
(in /etc/sysctl.conf) net.inet.carp.preempt=1
(in /etc/hostname.carp1) inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 50
(in /etc/pf.conf) pass on re1 inet proto carp keep state
sh /etc/netstart
pfctl -vf /etc/pf.conf
Note the lower advskew value: the node with the lower value becomes MASTER, so S2 is the preferred master and S1 only takes over when S2 is gone.
On both machines the DNS server listens on 192.168.3.1 port 53. The BACKUP node carries the address too (it simply does not answer ARP for it while it is BACKUP), so the same DNS configuration works on both.
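A pre-flight check for the two summaries above, as an added example that is not part of the original post: it parses the hostname.re1 and hostname.carp1 lines of both nodes, recomputes the broadcast address from the netmask, verifies that the VIP shares the subnet of the physical address, confirms that a passphrase is present and identical on both nodes, and predicts which node will be MASTER. The four sample lines are constructed; S1's hostname.re1 line deliberately carries a broadcast address from the wrong subnet (an easy slip when copying lines between hosts) to show the check firing.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the hostname.re1
# and hostname.carp1 lines of both nodes before running "sh /etc/netstart".
# Assumes the file syntax shown above. The S1_*/S2_* lines are constructed
# copies of the configuration, with one deliberate mistake on S1.

# dotted quad <-> integer, POSIX sh arithmetic only
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '%d\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# the broadcast address that belongs to an address/netmask pair
expected_broadcast() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    int2ip $(( (ip | (~mask & 0xFFFFFFFF)) & 0xFFFFFFFF ))
}

# advertisement interval in seconds: advbase + advskew/256, as in carp(4)
carp_interval() {
    awk -v b="$1" -v s="$2" 'BEGIN { printf "%.2f\n", b + s / 256 }'
}

# with net.inet.carp.preempt=1 the node with the lowest advskew becomes MASTER
expected_master() {   # name1 skew1 name2 skew2
    if [ "$2" -lt "$4" ]; then echo "$1"
    elif [ "$4" -lt "$2" ]; then echo "$3"
    else echo "tie"
    fi
}

# split a hostname.carp1 line into: vip mask bcast vhid advskew carpdev pass
parse_carp_line() {
    printf '%s\n' "$1" | awk '{
        vhid = "-"; skew = 0; dev = "-"; pass = "-"
        for (i = 5; i <= NF; i++) {
            if      ($i == "vhid")    vhid = $(i + 1)
            else if ($i == "advskew") skew = $(i + 1)
            else if ($i == "carpdev") dev  = $(i + 1)
            else if ($i == "pass")    pass = $(i + 1)
        }
        print $2, $3, $4, vhid, skew, dev, pass
    }'
}

# check one node; prints every finding, returns 1 if there was any
check_node() {   # name "hostname.re1 line" "hostname.carp1 line"
    name=$1; physline=$2; carpline=$3; rc=0
    set -- $physline
    phys_addr=$2; phys_mask=$3; phys_bcast=$4
    want=$(expected_broadcast "$phys_addr" "$phys_mask")
    [ "$phys_bcast" = "$want" ] ||
        { echo "$name: hostname.re1 broadcast is $phys_bcast, expected $want"; rc=1; }
    set -- $(parse_carp_line "$carpline")
    vip=$1; vmask=$2; vbcast=$3; vhid=$4; skew=$5; dev=$6; pass=$7
    want=$(expected_broadcast "$vip" "$vmask")
    [ "$vbcast" = "$want" ] ||
        { echo "$name: carp broadcast is $vbcast, expected $want"; rc=1; }
    mask=$(ip2int "$vmask")
    [ $(( $(ip2int "$vip") & mask )) -eq $(( $(ip2int "$phys_addr") & mask )) ] ||
        { echo "$name: VIP $vip is not in the subnet of $phys_addr/$vmask"; rc=1; }
    # without a passphrase every host on the segment can forge advertisements
    [ "$pass" != "-" ] ||
        { echo "$name: no 'pass' in the carp line"; rc=1; }
    echo "$name: vhid $vhid on $dev, advskew $skew, advertises every $(carp_interval 1 "$skew") s"
    return $rc
}

# both nodes must agree on vhid and passphrase; otherwise each drops the
# other's advertisements (bad HMAC) and both end up MASTER
check_pair() {   # "carp line of node 1" "carp line of node 2"
    a=$(parse_carp_line "$1" | awk '{ print $4, $7 }')
    b=$(parse_carp_line "$2" | awk '{ print $4, $7 }')
    [ "$a" = "$b" ] && return 0
    echo "nodes disagree on vhid/passphrase: '$a' vs '$b'"
    return 1
}

# constructed sample configuration; S1_RE1 has a broadcast from the wrong subnet
S1_RE1='inet 192.168.3.31 255.255.255.0 192.168.1.255'
S1_CARP='inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 100'
S2_RE1='inet 192.168.3.32 255.255.255.0 192.168.3.255'
S2_CARP='inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 50'

check_node S1 "$S1_RE1" "$S1_CARP" || echo "S1: fix the above before running sh /etc/netstart"
check_node S2 "$S2_RE1" "$S2_CARP" || echo "S2: fix the above before running sh /etc/netstart"
check_pair "$S1_CARP" "$S2_CARP" && echo "expected MASTER: $(expected_master S1 100 S2 50)"
```

On a real node, feed it the actual files (for example `check_node "$(hostname)" "$(grep ^inet /etc/hostname.re1)" "$(cat /etc/hostname.carp1)"`) before running sh /etc/netstart; the broadcast mismatch it catches is exactly the kind of copy-paste error that is invisible until the VIP misbehaves.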
Tests and validations
There are several ways to test this setup:
- shut down one of the servers
- bring down one of the network interfaces
- change the advertisement value
The last one is my preferred method. So I log on to S1 and type:
ifconfig carp1 advskew 30
Since 30 is lower than the 50 of S2 and preempt is enabled, S1 claims the VIP at once; setting the value back above 50 hands it back to S2. I check the status with:
ifconfig carp1
Here is the test procedure:
fw1 # ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
index 5 priority 15 llprio 3
carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
groups: carp
status: backup
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
fw1 # ifconfig carp1 advskew 30
fw1 # ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
index 5 priority 15 llprio 3
carp: MASTER carpdev re1 vhid 1 advbase 1 advskew 30
groups: carp
status: master
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
To make it more visible, I have 2 windows, one connected to S1 and one to S2, each running the following command:
while true; do clear; ifconfig carp1; sleep 1; done
I can switch from S1 to S2 and back while several people are actively surfing the Internet with their devices, and nobody notices anything.
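The same status read by a script rather than by eye, as an added example that is not part of the original post: it extracts the state from the ifconfig output format shown above, prints a line only on transitions instead of redrawing the screen every second, and names the two failure modes you can observe when polling both nodes (two MASTERs, or none). The sample output is a constructed copy of the BACKUP output above; the watch function calls ifconfig(8) and only runs when the script is started with the argument watch.

```shell
#!/bin/sh
# Added example, not part of the original post: read the CARP state from
# "ifconfig carp1" output, log only the transitions, and classify the state
# of the pair. Assumes the ifconfig(8) output format shown above; SAMPLE is a
# constructed copy of the BACKUP output from S1.

# print "STATE vhid advskew" from ifconfig output on stdin, e.g. "BACKUP 1 100"
carp_state() {
    awk '$1 == "carp:" {
        for (i = 2; i <= NF; i++) {
            if ($i == "vhid") vhid = $(i + 1)
            if ($i == "advskew") skew = $(i + 1)
        }
        print $2, vhid, skew; exit
    }'
}

# combine the states of the two nodes: exactly one MASTER is healthy
pair_status() {   # state1 state2
    case "$1/$2" in
        MASTER/BACKUP|BACKUP/MASTER)
            echo "ok" ;;
        MASTER/MASTER)
            echo "split-brain: both MASTER, check the pf rule for proto carp and that vhid and pass match" ;;
        BACKUP/BACKUP)
            echo "no master: nobody answers for the VIP" ;;
        *)
            echo "unexpected: $1/$2" ;;
    esac
}

# poll one interface and print a timestamped line only when the state changes;
# run this in the two windows instead of the clear/sleep loop
watch_carp() {   # ifname [interval]
    last=""
    while :; do
        now=$(ifconfig "$1" | carp_state)
        if [ "$now" != "$last" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') $1: $now"
            last=$now
        fi
        sleep "${2:-1}"
    done
}

# constructed sample, copied from the BACKUP output above
SAMPLE='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        index 5 priority 15 llprio 3
        carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
        groups: carp
        status: backup
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255'

# "sh carpwatch.sh watch carp1" on a real host; without arguments, parse the sample
if [ "${1:-}" = watch ]; then
    watch_carp "${2:-carp1}"
else
    printf '%s\n' "$SAMPLE" | carp_state
    echo "pair S1=MASTER S2=BACKUP: $(pair_status MASTER BACKUP)"
    echo "pair S1=MASTER S2=MASTER: $(pair_status MASTER MASTER)"
fi
```

The two-MASTER case is the one worth alarming on: it is what you get when the pf rule is missing on one node or the passphrases differ, and both nodes then answer ARP for the VIP, so clients see the service flap rather than fail cleanly.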
Conclusion
Once again I am amazed at how simple it is to get this running. With a few ifconfig commands we have an Active/Passive cluster.
With this setup the switch from BACKUP to MASTER is triggered by a problem detected at the network level: a node or its interface going down. A failure of the DNS service itself is not detected (a node whose resolver has died keeps advertising as before). Triggering the switch on such a failure is the next step, and will be the subject of a next post.