Failsafe IP address with ucarp

Task

It is required to ensure the operability of a specific IP address (gateway, important server, etc.) when communication with the device to which this address originally belongs is lost using backup devices.

The article will use Debian Linux, the CARP protocol, and the ucarp utility for this purpose.

Operating principle

• One or more backup (backup) with the same services is added to the main device owner IP (master)
• Each device additionally has a unique service IP address and assigned priority,
• Backup devices are continuously polled by the wizard
• As soon as the master stops responding, the backup device that has the highest priority raises the public IP on its network interface,

Protocols and terms

• Hot standby is a generic term for the mechanism (as well as the name of the obsolete proprietary protocol HSRP from Cisco), in which a reserve is created for a resource that operates in idle mode and is ready to immediately switch to operational mode automatically.
• VRRP , Virtual Router Redundancy Protocol — Developed by the HSRP-based IETF, but incompatible with it. Available as RFC, but contains Cisco patent bookmarks. Supported by many professional-grade hardware routers and has open implementations for Linux / Unix.
• CARP , Common Address Redundancy Protocol - open, developed as part of OpenBSD, ported to FreeBSD. In * BSD, it is supported directly by the kernel and is controlled by the base system.
• High availability (HA) is what the Hot-standby for VRRP and CARP is used for IP addresses.
• Load balancing (LB) - something that is often referred to in conjunction with HA, but in our case is not provided.

Linux / Unix Solutions

• heartbeat is a system for cluster nodes, i.e. able to do more than just add-remove IP-address ( example of application ).
• keepalived is another system for organizing a cluster.
• carp is a module for the Linux kernel by Evgeny Polyakov. The official kernel is not included, with standard CARP, it is either incompletely compatible, or incompatible at all.
• vrrpd , ucarp - User-space daemons implementing VRRP and CARP.

Test system configuration

• Two physical routers R1 and R2 , forming one virtual fault tolerant VR .
• 1.2.3.4 - the external IP address of VR.
• 10.0.0.1/16 - the internal IP address of VR.
• eth0 - LAN interfaces of routers.
• eth1 - WAN interfaces of routers.
• 10.255.0.0/24 - a private subnet for connecting routers via a LAN interface.
• 10.255.1.0/24 - a private subnet for connecting routers via the WAN interface.
• 10.255. *. 11, .12, .13, ... - IP addresses of routers R1, R2, ... in private subnets.
• 10.0.0.2 - test computer with default gateway 10.0.0.1

Installing ucarp on R1 and R2

apt-get install ucarp

Documentation

In Debian, setting up and launching ucarp is not done directly, but with the help of additional parameters in the standard system settings file / etc / network / interfaces , it is recommended that you first read not “man ucarp” (although this is also not superfluous) and /usr/share/doc/ucarp/README.Debian .
')
This approach has both pros and cons. On the one hand, the setting becomes more visual. On the other hand, if on one interface it is required to support several independent virtual IPs, then for all but the first one, ucarp will have to be started manually.

Tuning to R1

auto eth0
iface eth0 inet static
address 10.255.0.11
netmask 255.255.255.0
ucarp-vid 1
ucarp-vip 10.0.0.1
ucarp-password qwerty1
ucarp-advskew 10

iface eth0:ucarp inet static
address 10.0.0.0.1
netmask 255.255.0.0

iface eth1 inet static
address 10.255.1.11
netmask 255.255.255.0
ucarp-vid 2
ucarp-vip 1.2.3.4
ucarp-password qwerty2
ucarp-advskew 10

iface eth1:ucarp inet static
address 1.2.3.4
netmask 255.255.255.248
gateway 1.2.3.1

Setup on R2

auto eth0
iface eth0 inet static
address 10.255.0.12
netmask 255.255.255.0
ucarp-vid 1
ucarp-vip 10.0.0.1
ucarp-password qwerty1
ucarp-advskew 20

iface eth0:ucarp inet static
address 10.0.0.1
netmask 255.255.0.0

iface eth1 inet static
address 10.255.1.12
netmask 255.255.255.0
ucarp-vid 2
ucarp-vip 1.2.3.4
ucarp-password qwerty2
ucarp-advskew 20

iface eth1:ucarp inet static
address 1.2.3.4
netmask 255.255.255.248
gateway 1.2.3.1

Explanations

• vid is the number of the failover group. Must be the same on all servers. From 1 to 255.
• password - network protocol encryption key. Must be the same on all servers participating in this group.
• advskew - allows you to manage the priority of assigning a master from several candidates.

The procedure for electing a master of several candidates

• Elections are made if no master is detected, or if several masters have been discovered (for example, after a split-brain ).
• The “preemptive” flag is compared (the “ucarp-master yes” directive). Flag presence = higher priority.
• Compares the notification interval advbase + advskew / 255, sec. Shorter interval = higher priority.
• IP addresses are compared. Smaller IP = higher priority.

Check

1. On R1 and R2: /etc/init.d/networking restart .
2. After a few seconds, we run on both " ip a " and see that eth0: ucarp = 10.0.0.1 and eth1: ucarp = 1.2.3.4 are added to R2.
3. " ip r " shows the route "default via 1.2.3.1" on R2.
4. Perform "ps axww | grep ucarp "on R1 and R2, see two instances of" / usr / sbin / ucarp -i eth ... "
5. On the test workstation, run "ping 8.8.8.8" (on Windows, with the " -t " key).
6. On R2 (with access to the physical console!): /Etc/init.d/networking stop . Ping at the workstation will miss 3-4 responses and resume.
7. “Ip a” and “ip r” will show that the route and IP addresses disappeared on R2 and appeared on R1.
8. " arp 10.0.0.1 " on the workstation will show that the gateway's MAC address has changed.