Fault tolerant IP with ucarp

Task

It is required to ensure the operability of a certain IP address (gateway, important server, etc.) when communication with the device to which this address originally belongs using backup devices is lost.

The article will use Debian Linux, the CARP protocol, and the ucarp utility for this purpose.

Operating principle

• One or more backups with the same services are added to the main device owner IP (master)
• Each device additionally has a unique service IP address and an assignable priority,
• Redundant devices continuously poll masters,
• As soon as the master stops responding, the backup device with the highest priority raises the public IP on its network interface,

Protocols and Terms

• Hot standby is the general designation of the mechanism (as well as the name of the obsolete proprietary HSRP protocol from Cisco), in which a reserve is created for the resource, working in idle mode and ready to immediately automatically switch to operating mode.
• VRRP , Virtual Router Redundancy Protocol - developed by the IETF based on HSRP, but is not compatible with it. Available as an RFC, but contains Cisco patent bookmarks. It is supported by many professional-grade hardware routers and has open source implementations for Linux / Unix.
• CARP , Common Address Redundancy Protocol - open, developed as part of OpenBSD, ported to FreeBSD. In * BSD, it is directly supported by the kernel and managed by the underlying system.
• High Availibility (HA) - this is what Hot-standby means for VRRP and CARP when applied to IP addresses.
• Load balancing (LB) is what is often mentioned in conjunction with HA, but in our case it is not provided.

Linux / Unix Solutions

• heartbeat - system for cluster nodes, i.e. able to do more than just add-remove IP-addresses ( application example ).
• keepalived is another system for organizing a cluster.
• carp is a module for the Linux kernel by Evgeny Polyakov. It is not included in the official core, with standard CARP it is either incomplete compatible or incompatible at all.
• vrrpd , ucarp - User-space daemons implementing VRRP and CARP.

Test system configuration

• Two physical routers R1 and R2 , forming one virtual fault-tolerant VR .
• 1.2.3.4 is the external IP address of VR.
• 10.0.0.1/16 - The internal IP address of VR.
• eth0 - LAN interfaces of routers.
• eth1 - WAN interfaces of routers.
• 10.255.0.0/24 - a private subnet for connecting routers through a LAN interface.
• 10.255.1.0/24 - a private subnet for connecting routers through a WAN interface.
• 10.255. *. 11, .12, .13, ... - IP addresses of routers R1, R2, ... in private subnets.
• 10.0.0.2 - test computer with a default gateway of 10.0.0.1

Install ucarp on R1 and R2

apt-get install ucarp

Documentation

In Debian, setting up and starting ucarp is not done directly, but with the help of additional parameters in the standard system settings file for network settings / etc / network / interfaces , therefore it is recommended that you do not read “man ucarp” first (although this will not be redundant), and /usr/share/doc/ucarp/README.Debian .

This approach has both pros and cons. On the one hand, the setting becomes more visual. On the other hand, if several independent virtual IPs are required to be supported on one interface, then for all but the first, ucarp will have to be started manually.

Setting to R1

auto eth0
iface eth0 inet static
address 10.255.0.11
netmask 255.255.255.0
ucarp-vid 1
ucarp-vip 10.0.0.1
ucarp-password qwerty1
ucarp-advskew 10

iface eth0:ucarp inet static
address 10.0.0.0.1
netmask 255.255.0.0

iface eth1 inet static
address 10.255.1.11
netmask 255.255.255.0
ucarp-vid 2
ucarp-vip 1.2.3.4
ucarp-password qwerty2
ucarp-advskew 10

iface eth1:ucarp inet static
address 1.2.3.4
netmask 255.255.255.248
gateway 1.2.3.1

Configure on R2

auto eth0
iface eth0 inet static
address 10.255.0.12
netmask 255.255.255.0
ucarp-vid 1
ucarp-vip 10.0.0.1
ucarp-password qwerty1
ucarp-advskew 20

iface eth0:ucarp inet static
address 10.0.0.1
netmask 255.255.0.0

iface eth1 inet static
address 10.255.1.12
netmask 255.255.255.0
ucarp-vid 2
ucarp-vip 1.2.3.4
ucarp-password qwerty2
ucarp-advskew 20

iface eth1:ucarp inet static
address 1.2.3.4
netmask 255.255.255.248
gateway 1.2.3.1

Explanations

• vid is the failover group number. Must be the same on all servers. 1 to 255.
• password - network protocol encryption key. Must be the same on all member servers of this group.
• advskew - allows you to control the priority of appointing a master from several candidates.

The procedure for selecting a master from several candidates

• Elections are made if no masters are found, or if several masters are found (for example, after a split-brain ).
• The preemptive flag is compared (ucarp-master yes directive). Flag presence = higher priority.
• The advbase + advskew / 255 notification distribution interval is compared, sec. Shorter interval = higher priority.
• IP addresses are compared. Lower IP = higher priority.

Check

1. On R1 and R2: /etc/init.d/networking restart .
2. After a few seconds, we execute on both " ip a " and we see that eth0: ucarp = 10.0.0.1 and eth1: ucarp = 1.2.3.4 were added to R2.
3. " ip r " shows on R2 the route "default via 1.2.3.1".
4. We execute "ps axww | grep ucarp "on R1 and R2, we see two instances of" / usr / sbin / ucarp -i eth ... "
5. On the test workstation, run “ping 8.8.8.8” (on Windows, with the “ -t ” switch ).
6. On R2 (with access to the physical console!): /Etc/init.d/networking stop . Ping on the workstation will skip 3-4 responses and resume.
7. “Ip a” and “ip r” will show that the route and IP addresses disappeared on R2 and appeared on R1.
8. " arp 10.0.0.1 " on the workstation will indicate that the MAC address of the gateway has changed.