
CARP : what we need to know
Closed, Resolved · Public

Description

Plan:

  • Document CARP behavior
  • Document the steps required to configure CARP
  • Explain CARP IP addressing model

Wiki link: https://agora.nasqueron.org/Protocol_CARP

Event Timeline

yousra triaged this task as Normal priority. Thu, Feb 12, 10:32
yousra created this task.
yousra renamed this task from "CARP behavior IP addressing model" to "CARP behavior and IP addressing model". Thu, Feb 12, 10:38
yousra renamed this task from "CARP behavior and IP addressing model" to "CARP : what we need to know". Thu, Feb 12, 10:58
yousra updated the task description. (Show Details)
Yousra asked on #nasqueron-ops:

22:24:01 < yousra> Dereckson I was thinking that, in the current configuration, router-004 would only be used in case of failure. In normal operation, one of the two machines would therefore remain almost idle. I thought it would be rather good for both routers to work permanently while keeping the redundancy.
22:24:02 < yousra> But since we don't really have several VLANs or distinct networks, I'm not sure the current topology allows that distribution. Could we still optimize that somehow?

Indeed, even if blue/green deployment is a priority, with CARP it's really interesting to be able to distribute traffic.
Beware that it's not really redundant: as both VMs are on the same host, if there is an incident at host level, both VMs will be down or cut off from traffic.

We have two networks on the hypervisor: one for 172.27.27.0/28 ("IntraNought") and one for public IPs ("Public").

We use the IPFO (fail-over IPs) system from OVH to assign public IPs by VM:

  • on the OVH side, we declare that a given IP must be routed to a VM on the hypervisor; the OVH manager then provides us with a MAC address
  • traffic is routed to that MAC address

Hypervisor configuration

One of the questions is also how to allow the OVH IPFO to work with CARP.

To route traffic from the OVH router to ours, we need to configure a unique MAC address,
probably not for the CARP interface, as CARP aggressively manages it, but for both vmx0 interfaces.

That requires us to be careful and ensure the hypervisor doesn't block a scenario with identical MACs on two machines, for example that it doesn't block incoming traffic or ARP responses.

It seems the following options need to be enabled on the vSwitch:

  • Promiscuous Mode → Accept
  • MAC Address Changes → Accept (that allows CARP to change the MAC address)
  • Forged Transmits → Accept

That allows ESXi to accept two identical MACs.

VM configuration

I think we could try this scenario:

| Interface | Role | IP                 | MAC                                      | CARP? |
|-----------|------|--------------------|------------------------------------------|-------|
| vmx0      | LAN  | 172.27.27.0/28     | we let the default ones                  | YES   |
| vmx1      | WAN  | the SAME public IP | we force the SAME MAC (from OVH manager) | NO    |

More stable configuration for non-routers

I wonder if we shouldn't actually create a more complex network topology with:

  • a switch with the "dangerous" options for routers
  • a switch with more conservative options for IntraNought
  • a switch to route public traffic

But in that case, I don't know how to configure the IntraNought switch to send traffic for .11 and .12 through the new vSwitch, or if that's easily possible.

We can then proceed with the CARP configuration, and if any problems occur, we will document them on the wiki :)
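Added example, not part of the task or of the Nasqueron configuration: an esxcli script for the hypervisor side. On an ESXi standard vSwitch the security policy can be overridden per port group, so the three "dangerous" Accepts can be scoped to a port group that only the two routers use, while the vSwitch-wide policy stays at Reject for the other IntraNought VMs. That gives the separation the "More stable configuration" section asks for without a second vSwitch or re-addressing .11 and .12. The vSwitch name (vSwitch1) and port group name (IntraNought-Routers) are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code): scope the permissive vSwitch
# security settings CARP needs to a dedicated port group for the router pair.
# Run in the ESXi host shell; DRY_RUN=1 prints the esxcli commands instead.
set -eu

VSWITCH="${VSWITCH:-vSwitch1}"                # assumed vSwitch carrying IntraNought
ROUTER_PG="${ROUTER_PG:-IntraNought-Routers}" # assumed port group for the CARP pair
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vSwitch-wide policy: Reject everything. A VM on a port group that inherits
# this cannot sniff its neighbours (promiscuous), change its MAC, or send
# frames from a MAC it does not own (forged transmits).
harden_vswitch() {
    run esxcli network vswitch standard policy security set \
        --vswitch-name="$VSWITCH" \
        --allow-promiscuous=false \
        --allow-mac-change=false \
        --allow-forged-transmits=false
}

# Router port group: override the inherited policy with the three Accepts,
# which is what lets two vNICs share a MAC and lets CARP send from the
# virtual 00:00:5e:00:01:xx address. "portgroup add" fails if the port
# group already exists; drop that line when re-running.
open_router_portgroup() {
    run esxcli network vswitch standard portgroup add \
        --vswitch-name="$VSWITCH" --portgroup-name="$ROUTER_PG"
    run esxcli network vswitch standard portgroup policy security set \
        --portgroup-name="$ROUTER_PG" \
        --allow-promiscuous=true \
        --allow-mac-change=true \
        --allow-forged-transmits=true
}

# Effective policies, to verify and record the change afterwards.
show_policies() {
    run esxcli network vswitch standard policy security get --vswitch-name="$VSWITCH"
    run esxcli network vswitch standard portgroup policy security get --portgroup-name="$ROUTER_PG"
}

case "${1:-}" in
    apply) harden_vswitch; open_router_portgroup; show_policies ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Usage: `DRY_RUN=1 sh vswitch-carp.sh apply` to review the commands, then `sh vswitch-carp.sh apply` on the host; afterwards attach only the two router VMs' vmx0/vmx1 vNICs to the new port group.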
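Added example, not part of the task or of the Nasqueron configuration: a generator for the FreeBSD rc.conf(5) lines of one router in the CARP pair, following the interface table above (vmx0 LAN with CARP and default MAC, vmx1 WAN with the forced OVH MAC and no CARP). It goes one step further than the table to answer Yousra's question: two CARP virtual IPs are declared on vmx0 with mirrored advskew values, so each router is normally master of one VIP and backup of the other, and the survivor picks up both when one fails. Assumptions: the routers are router-003 (172.27.27.11) and router-004 (172.27.27.12), the VIPs are .1 and .2, and the public IP, MAC, gateway and passphrase on the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not the project's own code): emit rc.conf lines for one
# node of a two-router CARP pair on FreeBSD.
set -eu

LAN_IF=vmx0
WAN_IF=vmx1
# One virtual router ID (VHID) per virtual IP. The MAC of a CARP address is
# derived from its VHID (00:00:5e:00:01:<vhid>), which is why the LAN MAC is
# left alone and only the WAN MAC is forced.
VHID_A=1; VIP_A=172.27.27.1
VHID_B=2; VIP_B=172.27.27.2

# advskew decides the election: the node with the lowest advskew advertises
# most often and becomes master. Each node is preferred (0) for one VHID and
# backup (100) for the other, so both routers carry traffic while both are up.
advskew_for() {  # $1 = node, $2 = vhid
    case "$1:$2" in
        "router-003:$VHID_A"|"router-004:$VHID_B") echo 0 ;;
        *) echo 100 ;;
    esac
}

# Virtual MAC CARP uses for a VHID (VRRP range, vhid as two hex digits).
carp_mac() { printf '00:00:5e:00:01:%02x\n' "$1"; }

# $1 node, $2 own LAN address, $3 public IP with prefix, $4 OVH virtual MAC,
# $5 public gateway, $6 CARP passphrase. The passphrase must be identical on
# both nodes: it keys the HMAC on the advertisements, and a node whose
# advertisements fail that check is ignored by its peer.
carp_rc_conf() {
    node=$1 lan_ip=$2 wan_ip=$3 wan_mac=$4 wan_gw=$5 pass=$6
    cat <<EOF
hostname="$node"
kld_list="carp"
gateway_enable="YES"
# LAN: real address, then one CARP alias per VHID
ifconfig_${LAN_IF}="inet $lan_ip/28"
ifconfig_${LAN_IF}_alias0="inet vhid $VHID_A advskew $(advskew_for "$node" "$VHID_A") pass $pass alias $VIP_A/32"
ifconfig_${LAN_IF}_alias1="inet vhid $VHID_B advskew $(advskew_for "$node" "$VHID_B") pass $pass alias $VIP_B/32"
# WAN: OVH failover IP with the virtual MAC from the OVH manager, no CARP
ifconfig_${WAN_IF}="ether $wan_mac"
ifconfig_${WAN_IF}_alias0="inet $wan_ip"
defaultrouter="$wan_gw"
EOF
}

# Usage (all values are placeholders): one call per node, merged into that
# node's /etc/rc.conf, e.g.
#   sh carp-rc.sh router-004 172.27.27.12 203.0.113.10/32 02:00:00:00:00:01 203.0.113.254 changeme
if [ $# -ge 6 ]; then
    carp_rc_conf "$@"
fi
```

Two points worth keeping in mind with this layout: LAN hosts must be told about both VIPs (half of them using .1 as gateway, the other half .2, or a DHCP pool per VIP) for the load to actually split, and `net.inet.carp.preempt=1` in /etc/sysctl.conf makes a recovered node reclaim its preferred VIP, otherwise the survivor keeps both until it is restarted.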

yousra moved this task from Working on to Done on the Secure HA tunnels board.