16hot 的博客 » carp

关注FreeBSD下的新版CARP

16hot — Thu, 18 Aug 2011 01:13:59 +0000

http://lists.freebsd.org/pipermail/freebsd-net/2011-August/029539.html

http://people.freebsd.org/~glebius/newcarp/README

  Hello networkers,

  I'd like to present for review and early testing (for brave ones)
a new CARP implementation. The reason for this rewrite was that CARP
protocol actually doesn't bring a new interface, but is a property of
interface address. Rewriting it in this way helps to remove several
hacks from incoming packet processing[1], simplifies some code, makes
CARP addresses more sane from viewpoint of routing daemons such as
quagga/zebra. It also brings support for a single redundant address
on the subnet, the thing that is called "carpdev feature" in OpenBSD,
long awaited in FreeBSD.

More info and the patch itself is available here:

http://people.freebsd.org/~glebius/newcarp/README

I'm glad to here comments.

FreeBSD: Redundant DNS with CARP

16hot — Sat, 11 Dec 2010 03:41:00 +0000

http://zi0r.com/2010/02/28/freebsd-redundant-dns-with-carp.html

Improve reliability with CARP and redundant DNS on two boxes. Almost everyone already has (at least) two nameservers, so why not add CARP into the mix to make it appear as if they’re always available?

This setup assumes two nameservers. Both nameservers will have a total of 3 IPs assigned to them, two of which are the floating CARP IPs and one of which is a unique management IP for each box. Each nameserver will be the CARP backup for the other nameservers primary nameserver IP. If one goes down, the other will assume responsibility for the IP.

You’ll need to assign your nameservers two new IPs (to be used for management) and take the original pair of IPs and we’ll use those for the carp interfaces.

1. Rebuild/install your kernel with:
device carp

2. Edit /etc/rc.conf to add:
cloned_interfaces=“carp0 carp1”
ifconfig_carp0=“create”
ifconfig_carp1=“create”

3. Setup the CARP interfaces:

I set the vhid’s to be the last octet of the floaty IP, however, you can set them to be whatever you want as long as they match on both boxes.

On ns1:
Create /etc/start_if.carp0 with the following:
#!/bin/sh
ifconfig carp0 vhid XX advbase 1 advskew 10 pass supersecretpasswordhere netmask

Create /etc/start_if.carp1 with the following:
#!/bin/sh
ifconfig carp1 vhid YY advbase 2 advskew 10 pass othersupersecretpasswordhere netmask

Then run:
chmod go-rwx /etc/start_if.carp*;chmod +x /etc/start_if.carp*

On ns2:
Create /etc/start_if.carp0 with the following:
#!/bin/sh
ifconfig carp0 vhid YY advbase 1 advskew 10 pass supersecretpasswordhere netmask

Create /etc/start_if.carp1 with the following:
#!/bin/sh
ifconfig carp1 vhid XX advbase 2 advskew 10 pass othersupersecretpasswordhere netmask

Then run:
chmod go-rwx /etc/start_if.carp*;chmod +x /etc/start_if.carp*

carp0 on both boxes will be its PRIMARY IP whereas carp1 will be the SECONDARY IP on both. In a non-failover scenario, this means that carp0 on both boxes should show up as MASTER and carp1 should show up as BACKUP.

4. Ensure named is configured to bind to the management IP (for zone transfers, etc.), ns1.ip and ns2.ip (on both boxes!) or ensure that it listens on *.

5. Add net.inet.carp.log=2 to /etc/sysctl.conf for some extra logging info.

6. Reboot. Your primary box should come up with ns1.ip as MASTER and ns2.ip as BACKUP. Your secondary box should come up with ns2.ip as MASTER and ns1.ip as BACKUP. Check ifconfig and dmesg to confirm.

Note: CARP traffic is multicast and you may need to alter firewalls as appropriate to allow it. The destination is VRRP.MCAST.NET/224.0.0.18.
For defining masters/slaves, etc. in bind you will want to reference the management IPs of the boxes, not the floating CARP addresses.

Note: You can actually skip using the start_if.* files if you elect to put the ifconfig statements into rc.conf. In order to limit access to your CARP authentication key, you would need to change the permissions on rc.conf which could be bad in certain situations.

ESX Note: If you’re trying to do this with a box in VMware, you’ll need to disable the vSwitch security features (accept: promisc, forged transmits, mac changes). This is not advisable in production as any VM on that switch can sniff traffic from any other VM. For my setup at home, I simply allocated a second NIC and a second vSwitch and made the security changes on the dedicated vSwitch. No other VMs should share this other vSwitch where the security features have been disabled.

实战：用Carp实现故障转移和负载均衡集群(转)

16hot — Wed, 21 Jul 2010 03:14:48 +0000

在服务器b上修改大致相同，只是carp网卡的有一点变动
ee /etc/rc.conf #配置rc.conf文件，分别建立carp虚拟网卡。增加如下内容
cloned_interfaces=”carp0 carp1″
ifconfig_carp0=”vhid 1 advbase 5 advskew 100 pass passwd 192.168.1.100/24″
ifconfig_carp1=”vhid 2 advbase 5 pass passwd 192.168.1.100/24″

ee /etc/sysctl.conf #修改sysctl文件启用carp的arpbalance和carp抢占功能。增加如下内容
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1

重启两台服务器即可生效。
如果不想重启服务器，立即生效则进行下列命令
服务器a
ifconfig carp0 create
ifconfig carp0 vhid 1 advbase 5 pass passwd 192.168.0.100/24
ifconfig carp1 create
ifconfig carp1 vhid 2 advbase 5 advskew 100 passwd 192.168.0.100/24
sysctl net.inet.carp.preempt=1
sysctl net.inet.carp.arpbalance=1

服务器b

ifconfig carp0 create
ifconfig carp0 vhid 1 advbase 5 advskew 100 pass passwd 192.168.0.100/24
ifconfig carp1 create
ifconfig carp1 vhid 2 advbase 5 passwd 192.168.0.100/24
sysctl net.inet.carp.preempt=1
sysctl net.inet.carp.arpbalance=1

ok,现在可以看到效果了。如果两台服务器正常，则客户请求分别由两台服务器均衡的提供服务。当断掉其中一台服务器，则另一台服务器，可立即接管所有服务。当这台服务器恢复服务，则又会自动启用负载均衡。