Enable CARP high-availability on router-002 and router-003
Open, Normal, Public

Description

CARP is not enabled by default

  • Temporarily load the CARP kernel module

kldload carp

  • Then restart network services

service netif restart
service routing restart

  • Verify CARP election

router-003 should be the master for the Public network and router-002 the backup (this is the case).

  • Analyze the CARP advertisements with tcpdump

Add here: https://agora.nasqueron.org/Protocol_CARP

  • And if everything works, we can add to the file /boot/loader.conf: carp_load="YES"

This way, if we turn off the routers and restart the machines, CARP will be enabled.

  • Verify CARP election

Analysis: router-003 is the master for the Public network and router-002 is the backup

  • Test the failure of the master and its recovery of the master role

Analysis: router-003 does not regain the master role...

  • So we need to enable CARP preemption

Analysis: router-003 does now regain the master role...

  • Automate CARP activation and parameter preemption (D4006)
  • Deploy with Salt and check the CARP system's operation

Commands:

  1. salt 'node' state.apply roles/router test=True
  2. salt 'node' state.apply roles/router
  3. salt 'node' state.apply roles/core/sysctl test=True
  4. salt 'node' state.apply roles/core/sysctl

Final analysis:

  1. CARP is automatically activated.
  2. Router-003 is the Master and router-002 the Backup, even when router-002 is started beforehand, thanks to preemption.
  3. If router-003 becomes unavailable, it becomes the Backup, but if it returns to the network, it resumes its role as Master because preemption is automatically activated.
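
The two "Verify CARP election" steps and the preemption check can be scripted. The following is an added example, not part of the original task or the Nasqueron Salt states: it parses the "carp:" line of ifconfig output and checks the value of the net.inet.carp.preempt sysctl. The vhid number, interface name, addresses and sample output are constructed assumptions.

```sh
#!/bin/sh
# Added example: verify CARP role and preemption (vhid and samples are assumptions).

# carp_state VHID: read `ifconfig` output on stdin and print the CARP state
# (MASTER, BACKUP or INIT) of that vhid; print nothing if it is absent.
carp_state() {
    awk -v vhid="$1" '
        $1 == "carp:" {
            for (i = 2; i < NF; i++)
                if ($i == "vhid" && $(i + 1) == vhid) { print $2; exit }
        }'
}

# check_carp EXPECTED VHID PREEMPT: ifconfig output on stdin; PREEMPT is the
# value of net.inet.carp.preempt. Returns 0 only if the role matches and
# preemption is on, so a restarted master would reclaim its role.
check_carp() {
    expected=$1; vhid=$2; preempt=$3
    state=$(carp_state "$vhid")
    if [ -z "$state" ]; then
        echo "FAIL: no CARP vhid $vhid found (module not loaded?)"; return 1
    elif [ "$state" != "$expected" ]; then
        echo "FAIL: vhid $vhid is $state, expected $expected"; return 1
    elif [ "$preempt" != "1" ]; then
        echo "FAIL: vhid $vhid is $state but net.inet.carp.preempt=$preempt"; return 1
    fi
    echo "OK: vhid $vhid is $state, preemption enabled"
}

# Constructed ifconfig excerpts (interface, addresses and vhid are made up).
SAMPLE_R003='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_R002='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	carp: BACKUP vhid 1 advbase 1 advskew 100'

printf '%s\n' "$SAMPLE_R003" | check_carp MASTER 1 1
printf '%s\n' "$SAMPLE_R002" | check_carp BACKUP 1 1
# Role is right but preemption is off: a failed master would not reclaim its role.
printf '%s\n' "$SAMPLE_R003" | check_carp MASTER 1 0 || true

# On a live router: ifconfig | check_carp MASTER 1 "$(sysctl -n net.inet.carp.preempt)"
```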

Event Timeline

Duranzed renamed this task from Autoriser CARP sur les routeurs to Authorize CARP on all routers. Feb 6 2026, 11:11
Duranzed updated the task description.
Duranzed added a subscriber: yousra.
dereckson triaged this task as Normal priority. Feb 11 2026, 19:53
yousra renamed this task from Authorize CARP on all routers to Authorize CARP on router-002 and router-003. Sun, Mar 8, 15:16
yousra claimed this task.
yousra moved this task from Backlog to Working on on the Secure HA tunnels board.
yousra updated the task description.
yousra renamed this task from Authorize CARP on router-002 and router-003 to Enable CARP high-availability on router-002 and router-003. Thu, Mar 12, 11:46
yousra updated the task description.

This task required the renewal of the Vault certificate:

[yousra@windriver ~]$  openssl s_client -connect 172.27.27.7:8200 </dev/null | openssl x509 -noout -subject -issuer -dates -serial

Connecting to 172.27.27.7
Can't use SSL_get_servername
depth=2 CN=nasqueron.drake
verify return:1
depth=1 CN=nasqueron.drake Intermediate Authority
verify return:1
depth=0 CN=complector.nasqueron.drake
verify return:1
DONE
subject=CN=complector.nasqueron.drake
issuer=CN=nasqueron.drake Intermediate Authority
notBefore=Mar 16 15:39:13 2026 GMT
notAfter=Jun 14 15:39:43 2026 GMT