This procedure was created because I was unable to configure VRRP on OmniOSce/OpenIndiana.
(I am still looking for a way to make VRRP work on those systems, so if anyone knows how to do it, it would be great).
Therefore, I decided to write a simple secured method to transfer a VIP (Virtual IP) from one server to another.
There are two servers running on OmniOSce or OpenIndiana.
One of them is the primary server (n1: 10.10.10.1) and holds a virtual IP address (10.10.10.42), while the other (n2: 10.10.10.2) stays on standby.
If n1 suddenly stops functioning, then n2 must instantly take over the VIP.
The process is simple: n1 sends a message encrypted with OpenSSL to n2 (which requires exchanging public keys between the two servers). n2 decrypts the message and checks that it is the expected one.
As soon as n1 stops sending the message, n2 takes over the VIP.
(Be root for the whole procedure.)
1) On n1 and n2
- Install netcat:
pkg install netcat
- Create a folder for the scripts:
mkdir /HA
- Configure NTP: the clocks of the two servers must be correctly synchronized.
Here is an example using the French NTP pool:
pkg install ntpsec && /usr/bin/ntpdate 0.fr.pool.ntp.org && date && svcadm enable svc:/network/ntp:default
2) On n1
Generate a private key
openssl genpkey -algorithm RSA -out /HA/private_key.pem
Extract the public key
openssl rsa -pubout -in /HA/private_key.pem -out /HA/public_key.pem
Send the public key to n2:
scp /HA/public_key.pem USER@10.10.10.2:/tmp/public_key_n1.pem
Go to n2 (or connect to n2 via SSH: ssh USER@10.10.10.2).
Then, on n2, use sudo or become root and move the key into /HA/:
mv /tmp/public_key_n1.pem /HA/
Then go back to n1.
Create a script to assign the VIP:
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/vip-up.sh
#! /bin/sh
# Usage: vip-up.sh <interface> <VIP>: adds the VIP as a logical interface on <interface>
exec 2> /dev/null
/sbin/ifconfig "$1" addif "$2" netmask 255.255.255.0 up
EOF
chmod +x /HA/vip-up.sh
Create a script to remove the VIP:
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/vip-down.sh
#! /bin/sh
# Usage: vip-down.sh <interface> <VIP>: removes the VIP's logical interface from <interface>
exec 2> /dev/null
/sbin/ifconfig "$1" removeif "$2"
EOF
chmod +x /HA/vip-down.sh
Create a script to send an encrypted "ping" message (:-D) (or whatever you want!):
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/send_encrypted_ping.sh
#!/bin/bash
# Message to send
MESSAGE="ping"
# Create a temporary file for the message to send
echo "$MESSAGE" > /HA/message.txt
# Encrypt the message with the public key of n2
openssl pkeyutl -encrypt -pubin -inkey /HA/public_key_n2.pem -in /HA/message.txt -out /HA/encrypted_ping.bin
# Send the encrypted message to n2
nc 10.10.10.2 12345 < /HA/encrypted_ping.bin
EOF
chmod +x /HA/send_encrypted_ping.sh
Create a script that sends the encrypted message to n2 every second:
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/send_ping_loop.sh
#!/bin/bash
while true; do
/HA/send_encrypted_ping.sh
sleep 1
done
EOF
chmod +x /HA/send_ping_loop.sh
3) On n2
Generate a private key
openssl genpkey -algorithm RSA -out /HA/private_key.pem
Extract the public key
openssl rsa -pubout -in /HA/private_key.pem -out /HA/public_key.pem
Send the public key to n1:
scp /HA/public_key.pem USER@10.10.10.1:/tmp/public_key_n2.pem
Go to n1 (or connect to n1 via SSH: ssh USER@10.10.10.1).
Then, on n1, use sudo or become root and move the key into /HA/:
mv /tmp/public_key_n2.pem /HA/
Then go back to n2.
Create a script to assign the VIP:
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/vip-up.sh
#! /bin/sh
# Usage: vip-up.sh <interface> <VIP>: adds the VIP as a logical interface on <interface>
exec 2> /dev/null
/sbin/ifconfig "$1" addif "$2" netmask 255.255.255.0 up
EOF
chmod +x /HA/vip-up.sh
Create a script to remove the VIP:
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/vip-down.sh
#! /bin/sh
# Usage: vip-down.sh <interface> <VIP>: removes the VIP's logical interface from <interface>
exec 2> /dev/null
/sbin/ifconfig "$1" removeif "$2"
EOF
chmod +x /HA/vip-down.sh
Create a script to receive the encrypted "ping" sent by n1:
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/receive_encrypted_ping.sh
#!/bin/bash
while true; do
# Wait for one connection from n1 and store the ciphertext it sends
nc -l -p 12345 > /HA/encrypted_ping.bin
# Decrypt the message with the private key of n2
DECRYPTED_MESSAGE=$(openssl pkeyutl -decrypt -inkey /HA/private_key.pem -in /HA/encrypted_ping.bin)
# Verify if the message is "ping"
if [ "$DECRYPTED_MESSAGE" == "ping" ]; then
touch /HA/ping_received
fi
done
EOF
chmod +x /HA/receive_encrypted_ping.sh
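A point worth keeping in mind about the scripts above: the "ping" is encrypted with n2's public key, and a public key is, by design, not secret, so decrypting it successfully tells n2 nothing about who sent it. Step 2 already copies n1's public key to n2 as /HA/public_key_n1.pem, but none of the scripts use it. The following is an added example, not part of the original procedure and not the author's scripts: the sender signs "ping <epoch-seconds>" with n1's private key, the receiver verifies the signature with public_key_n1.pem and rejects any heartbeat whose timestamp is more than MAX_SKEW seconds off (which is why step 1's NTP setup matters). The MAX_SKEW value and the demo() function with its temporary keys are assumptions made so the block runs stand-alone; on the real nodes the key paths would be the procedure's /HA/private_key.pem on n1 and /HA/public_key_n1.pem on n2.

```shell
#!/bin/bash
# Added example (not from the original procedure): an authenticated heartbeat.
# n1 signs "ping <epoch>" with its private key; n2 verifies with n1's public key
# (/HA/public_key_n1.pem in the procedure) and rejects stale or replayed messages.
# MAX_SKEW and the demo() paths are assumptions for running this stand-alone.

MAX_SKEW=5   # seconds of clock difference tolerated between n1 and n2 (NTP keeps it small)

# Sender side (n1): write the message and a detached RSA/SHA-256 signature.
#   $1 = sender private key, $2 = message file to write, $3 = signature file to write
make_heartbeat() {
    printf 'ping %s\n' "$(date +%s)" > "$2" || return 1
    openssl dgst -sha256 -sign "$1" -out "$3" "$2" 2>/dev/null
}

# Receiver side (n2): returns 0 only if the signature verifies under the sender's
# public key, the message reads "ping <epoch>", and the timestamp is fresh.
#   $1 = sender public key, $2 = message file, $3 = signature file
verify_heartbeat() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 || return 1
    read -r word ts < "$2" || return 1
    [ "$word" = "ping" ] || return 1
    case "$ts" in ''|*[!0-9]*) return 1 ;; esac      # timestamp must be an integer
    age=$(( $(date +%s) - ts ))
    [ "$age" -lt 0 ] && age=$(( -age ))              # tolerate skew in either direction
    [ "$age" -le "$MAX_SKEW" ]
}

# Stand-alone demonstration with throwaway keys in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -out "$d/priv.pem" 2>/dev/null
    openssl rsa -pubout -in "$d/priv.pem" -out "$d/pub.pem" 2>/dev/null
    make_heartbeat "$d/priv.pem" "$d/msg" "$d/sig"
    verify_heartbeat "$d/pub.pem" "$d/msg" "$d/sig" && echo "fresh signed ping: accepted"
    # Replay of an old heartbeat: the signature is valid but the timestamp is stale.
    printf 'ping 1000000000\n' > "$d/old"
    openssl dgst -sha256 -sign "$d/priv.pem" -out "$d/oldsig" "$d/old"
    verify_heartbeat "$d/pub.pem" "$d/old" "$d/oldsig" || echo "replayed old ping: rejected"
    # A message altered after signing: fresh timestamp, but the signature no longer matches.
    printf 'ping %s\n' "$(( $(date +%s) + 1 ))" > "$d/altered"
    verify_heartbeat "$d/pub.pem" "$d/altered" "$d/sig" || echo "altered ping: rejected"
    rm -rf "$d"
}
demo
```

To fit this into the procedure, send_encrypted_ping.sh would call make_heartbeat and transmit both the message and the signature (for example as one file with a fixed-length signature, or over two connections), and receive_encrypted_ping.sh would call verify_heartbeat before touching /HA/ping_received; the encryption with n2's public key can be kept on top of the signature if confidentiality of the message is also wanted.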
Create the failover script:
This script checks that n2 keeps receiving n1's messages, assigns the VIP to n2 when n1 stops sending them, and releases it again when they resume.
(copy/paste the block to create the script and allow its execution)
cat <<'EOF' > /HA/failover.sh
#!/bin/bash
# Initialize the variable to know if n2 has the VIP.
n2_has_vip=false
# Function to check if the ping_received file exists.
check_ping_received() {
if [ -f /HA/ping_received ]; then
rm /HA/ping_received
return 0
else
return 1
fi
}
# Loop to monitor the connection to n1. e1000g0 is the interface that carries the VIP; adjust it to your NIC.
while true; do
if check_ping_received; then
if $n2_has_vip; then
/HA/vip-down.sh e1000g0 10.10.10.42
n2_has_vip=false
fi
else
if ! $n2_has_vip; then
/HA/vip-up.sh e1000g0 10.10.10.42
n2_has_vip=true
fi
fi
sleep 1 # Adjust the check interval to your needs.
done
EOF
chmod +x /HA/failover.sh
4) On n1 and n2: perform a functionality test of the scripts.
- Test the assignment of the VIP:
/HA/vip-up.sh e1000g0 10.10.10.42 ; ipadm
- Test the removal of the VIP:
/HA/vip-down.sh e1000g0 10.10.10.42 ; ipadm
If both scripts work well on each server, then we're ready!
5) Start the High Availability process.
- On n1, assign the VIP: this designates n1 as the primary server, the one that holds the VIP.
/HA/vip-up.sh e1000g0 10.10.10.42 ; ipadm
- On n1, start sending the encrypted "pings":
nohup /HA/send_ping_loop.sh &
- On n2, start the receiver and the failover scripts:
nohup /HA/failover.sh &
nohup /HA/receive_encrypted_ping.sh &
The system is now in place.
If you stop the n1 server, you will observe that n2 instantly takes over the VIP.
It's basic, but it works very well.
You can reduce the interval to 0.5 seconds, but it increases CPU usage.
However, below 0.5 seconds, the consumption becomes exponential.