
Vincent's Blog

Pleasure in the job puts perfection in the work (Aristote)

Create Active/Passive servers for a more resilient service (on OpenBSD)

Posted on 2022-09-09 15:43:00 from Vincent in OpenBSD

I've built a DNS server that lets me skip ads and all that unwanted noise. Every device that uses it as its DNS server benefits from this filtering: phones, laptops, ...

This feature is so addictive that when I have to replace its hardware, we really feel how annoying it is to be without it.

I've decided to run 2 machines in a cluster so that the service never stops, even during maintenance.

This is really common on professional servers with paid solutions.

This blog post will explain how to do it with OpenBSD.


Introduction

I have one tiny machine that uses little electricity and runs 24x7, on which I've built a DNS server that filters out annoying hosts. Explaining this DNS server is not the goal of this post. The key point is how to make sure a 24x7 service stays available even during a maintenance period.

As we are used to doing in a professional context, how do we build a cluster of 2 machines providing the same service and switch from one to the other without business impact?

You will see that OpenBSD comes with all required elements.

Setup

I have 2 machines running my DNS application. Each has a dedicated IP as described below:

    +----+                  +----+
    | S1 |                  | S2 |
    +----+                  +----+
    re1|192.168.3.31         re1|192.168.3.32
       |                        |
    ---+----VIP: 192.168.3.1----+---

The Virtual IP (VIP) will be created by carp.

There is nothing to install: all the required software is already part of the standard OpenBSD setup.

Configuration

The configuration is done with ifconfig.

Make sure that carp is enabled on both machines:

sysctl net.inet.carp.allow=1
sysctl net.inet.carp.preempt=1

The first parameter is normally set to 1 by default.

To make sure those parameters survive the next reboot, uncomment them in /etc/sysctl.conf.

Create a carp interface:

ifconfig carp1 create

Copy the following line into a new file called /etc/hostname.carp1:

inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 100

In a few words, this tells carp that we create a new cluster with the virtual host ID (vhid) 1.
This vhid is:

  • protected by a password (the carp advertisements are authenticated with it);
  • linked to the hardware interface called re1;
  • advertised every 1+100/256 seconds. This comes from advbase (1 by default) and advskew (100 here). It means this machine will share its status with the other carp hosts having the same vhid and the same password every 1.39 seconds.

The machine with the shortest advertisement interval will be MASTER; the other will be BACKUP.

Then we must make sure that the firewall does not block carp messages:

pass on re1 inet proto carp keep state

And that's it !!!!!

We can apply those changes by running:

sh /etc/netstart
pfctl -vf /etc/pf.conf

Or you can reboot the machine.

So, in summary, the configuration on our server S1 is:

ifconfig carp1 create
(make sure that in /etc/hostname.re1 we already have) inet 192.168.3.31 255.255.255.0 192.168.3.255
(in /etc/sysctl.conf) net.inet.carp.allow=1
(in /etc/sysctl.conf) net.inet.carp.preempt=1
(in /etc/hostname.carp1) inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 100
(in /etc/pf.conf) pass on re1 inet proto carp keep state
sh /etc/netstart
pfctl -vf /etc/pf.conf

So, in summary, the configuration on our server S2 is:

ifconfig carp1 create
(make sure that in /etc/hostname.re1 we already have) inet 192.168.3.32 255.255.255.0 192.168.3.255
(in /etc/sysctl.conf) net.inet.carp.allow=1
(in /etc/sysctl.conf) net.inet.carp.preempt=1
(in /etc/hostname.carp1) inet 192.168.3.1 255.255.255.0 192.168.3.255 vhid 1 pass strongpassword carpdev re1 advskew 50
(in /etc/pf.conf) pass on re1 inet proto carp keep state
sh /etc/netstart
pfctl -vf /etc/pf.conf

Please note the lower advskew value. Lower means this machine will become MASTER.

On both machines our DNS server is listening on 192.168.3.1 port 53.

Tests and validations

To test this setup, there are several approaches:

  • shut down one of the servers;
  • bring down one of the network interfaces;
  • or modify the advertisement value.

This last method is my preferred one. So, I log on to S1 and type the following:

ifconfig carp1 advskew 30

I can check the status with:

ifconfig carp1

Here is the test procedure:

fw1 # ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:5e:00:01:01
       index 5 priority 15 llprio 3
       carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
       groups: carp
       status: backup
       inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255

fw1 # ifconfig carp1 advskew 30

fw1 # ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       lladdr 00:00:5e:00:01:01
       index 5 priority 15 llprio 3
       carp: MASTER carpdev re1 vhid 1 advbase 1 advskew 30
       groups: carp
       status: master
       inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255

To make it more visible, I have 2 dedicated windows, connected to S1 and S2 respectively, where I execute the following command:

while true; do clear; ifconfig carp1; sleep 1; done

I can switch from S1 to S2 and back during a period where several people are intensively using their devices to surf the internet, and no one notices any impact on their activity.
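As an added example (not code from the original post), here is a small sh script that parses the ifconfig carp1 output the way the watch loop above shows it, computes the advertisement interval from advbase and advskew as described in the Configuration section, and predicts which of S1/S2 should be MASTER. The sample output is constructed from the BACKUP state quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse `ifconfig carp1` output and
# reproduce the MASTER election (shortest advbase + advskew/256 interval wins).

# carp_state: ifconfig output on stdin -> prints MASTER, BACKUP or INIT.
carp_state() {
    awk '/^[ \t]*carp:/ { print $2; exit }'
}

# carp_field KEY: ifconfig output on stdin -> value following KEY on the carp
# line (KEY is one of carpdev, vhid, advbase, advskew).
carp_field() {
    awk -v key="$1" '/^[ \t]*carp:/ {
        for (i = 3; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# adv_interval_ms ADVBASE ADVSKEW: advertisement interval in milliseconds, i.e.
# advbase + advskew/256 seconds (1 + 100/256 = 1.39 s in the post), integer math.
adv_interval_ms() {
    echo $(( $1 * 1000 + $2 * 1000 / 256 ))
}

# expected_master NAME1 BASE1 SKEW1 NAME2 BASE2 SKEW2: the node that should be
# MASTER once both see each other's advertisements; "tie" if intervals match.
expected_master() {
    i1=$(adv_interval_ms "$2" "$3")
    i2=$(adv_interval_ms "$5" "$6")
    if [ "$i1" -lt "$i2" ]; then echo "$1"
    elif [ "$i2" -lt "$i1" ]; then echo "$4"
    else echo tie
    fi
}

# summarize: ifconfig output on stdin -> one status line; usable in the post's
# loop as:  while true; do clear; ifconfig carp1 | summarize; sleep 1; done
summarize() {
    out=$(cat)
    skew=$(printf '%s\n' "$out" | carp_field advskew)
    base=$(printf '%s\n' "$out" | carp_field advbase)
    printf '%s vhid=%s advskew=%s interval=%sms\n' \
        "$(printf '%s\n' "$out" | carp_state)" \
        "$(printf '%s\n' "$out" | carp_field vhid)" "$skew" "$(adv_interval_ms "$base" "$skew")"
}

# Constructed sample: the BACKUP state the post shows on S1 before advskew is lowered.
SAMPLE_BACKUP='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev re1 vhid 1 advbase 1 advskew 100
        status: backup'
printf '%s\n' "$SAMPLE_BACKUP" | summarize   # BACKUP vhid=1 advskew=100 interval=1390ms
```

Running expected_master S1 1 100 S2 1 50 gives S2 (the initial setup) and expected_master S1 1 30 S2 1 50 gives S1 (after ifconfig carp1 advskew 30), matching the switch observed in the test.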

Conclusion

Once again I'm amazed at how simple it is to get this running. With a few ifconfig commands we can set up a cluster of Active/Passive machines.

With such a setup, the switch from BACKUP to MASTER is triggered by an issue detected at the network level. The next step will be to trigger such a switch based on issues with the DNS service itself. This will be part of a next blog post.


