T2276
Change Details
Old
New
Diff
Implement automatic reassignment of the public VIP to the physical MAC of the router currently in CARP MASTER state.

This is done by reacting to CARP state changes using devd: when a specific event happens, it triggers a script that calls the OVH API to update the physical MAC associated with the VIP.

Why?

This avoids situations where the backup router receives traffic for the VIP while the other node is the actual CARP master.

Steps before writing the script:

[x] 1. Observing the CARP state change through kernel logs.

> command : tail -f /var/log/messages

```
Mar 22 14:49:21 router-002 kernel: carp: 2@vmx1: BACKUP -> MASTER (master timed out)
```

______

[x] 2. Testing a rule to understand how devd works

On the file /usr/local/etc/devd/carp.conf :

```
notify 0 {
    match "system" "IFNET";
    match "subsystem" "vmx1";
    action "logger CARP state change detected";
};
```

> Then : sudo service devd restart
> Then : simulate failover of Master

```
Mar 22 15:11:37 router-002 yousra[8464]: CARP state change detected
Mar 22 15:11:37 router-002 kernel: carp: 2@vmx1: BACKUP -> MASTER (master timed out)
```

The FreeBSD kernel already writes a log when a CARP state change occurs, for example, when switching from BACKUP to MASTER, but this message is purely informational and doesn't trigger any automatic action.

Using devd, we can detect this event and execute a custom action, such as running a script that automatically updates the MAC address associated with the VIP at OVH so that traffic always arrives on the master router.

______

Steps for the script carp-ovh:

[x] 1. Write the secretsmith YAML configuration /usr/local/etc/secretsmith.yaml
[x] 2. Verify the connection to Vault via a test script
[x] 3. Allow role router to access ops/secrets/network/router/vault useful for Salt (D4029).
[] 4. Verify that the script can access the OVH credentials
[] 5. Once we know the exact state using the secret, document it in the [[ https://agora.nasqueron.org/Operations_grimoire/Deploy_with_Terraform#Propagate_secrets_(DRP) | secrets rolling procedure on Agora ]]
Implement automatic reassignment of the public VIP to the physical MAC of the router currently in CARP MASTER state.

This is done by reacting to CARP state changes using devd: when a specific event happens, it triggers a script that calls the OVH API to update the physical MAC associated with the VIP.

Why?

This avoids situations where the backup router receives traffic for the VIP while the other node is the actual CARP master.

Steps before writing the script:

[x] 1. Observing the CARP state change through kernel logs.

> command : tail -f /var/log/messages

```
Mar 22 14:49:21 router-002 kernel: carp: 2@vmx1: BACKUP -> MASTER (master timed out)
```

______

[x] 2. Testing a rule to understand how devd works

On the file /usr/local/etc/devd/carp.conf :

```
notify 0 {
    match "system" "IFNET";
    match "subsystem" "vmx1";
    action "logger CARP state change detected";
};
```

> Then : sudo service devd restart
> Then : simulate failover of Master

```
Mar 22 15:11:37 router-002 yousra[8464]: CARP state change detected
Mar 22 15:11:37 router-002 kernel: carp: 2@vmx1: BACKUP -> MASTER (master timed out)
```

The FreeBSD kernel already writes a log when a CARP state change occurs, for example, when switching from BACKUP to MASTER, but this message is purely informational and doesn't trigger any automatic action.

Using devd, we can detect this event and execute a custom action, such as running a script that automatically updates the MAC address associated with the VIP at OVH so that traffic always arrives on the master router.

______

Steps for the script carp-ovh:

[x] 1. Write the secretsmith YAML configuration /usr/local/etc/secretsmith.yaml
[x] 2. Verify the connection to Vault via a test script
[x] 3. Allow role router to access ops/secrets/network/router/vault useful for Salt (D4029).
[x] 4. Verify that the script can access the OVH credentials
[] 5. Once we know the exact state using the secret, document it in the [[ https://agora.nasqueron.org/Operations_grimoire/Deploy_with_Terraform#Propagate_secrets_(DRP) | secrets rolling procedure on Agora ]]
Implement automatic reassignment of the public VIP to the physical MAC of the router currently in CARP MASTER state.

This is done by reacting to CARP state changes using devd: when a specific event happens, it triggers a script that calls the OVH API to update the physical MAC associated with the VIP.

Why?

This avoids situations where the backup router receives traffic for the VIP while the other node is the actual CARP master.

Steps before writing the script:

[x] 1. Observing the CARP state change through kernel logs.

> command : tail -f /var/log/messages

```
Mar 22 14:49:21 router-002 kernel: carp: 2@vmx1: BACKUP -> MASTER (master timed out)
```

______

[x] 2. Testing a rule to understand how devd works

On the file /usr/local/etc/devd/carp.conf :

```
notify 0 {
    match "system" "IFNET";
    match "subsystem" "vmx1";
    action "logger CARP state change detected";
};
```

> Then : sudo service devd restart
> Then : simulate failover of Master

```
Mar 22 15:11:37 router-002 yousra[8464]: CARP state change detected
Mar 22 15:11:37 router-002 kernel: carp: 2@vmx1: BACKUP -> MASTER (master timed out)
```

The FreeBSD kernel already writes a log when a CARP state change occurs, for example, when switching from BACKUP to MASTER, but this message is purely informational and doesn't trigger any automatic action.

Using devd, we can detect this event and execute a custom action, such as running a script that automatically updates the MAC address associated with the VIP at OVH so that traffic always arrives on the master router.

______

Steps for the script carp-ovh:

[x] 1. Write the secretsmith YAML configuration /usr/local/etc/secretsmith.yaml
[x] 2. Verify the connection to Vault via a test script
[x] 3. Allow role router to access ops/secrets/network/router/vault useful for Salt (D4029).
[x] 4. Verify that the script can access the OVH credentials
[] 5. Once we know the exact state using the secret, document it in the [[ https://agora.nasqueron.org/Operations_grimoire/Deploy_with_Terraform#Propagate_secrets_(DRP) | secrets rolling procedure on Agora ]]
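
Added example, not the task's carp-ovh script: a handler that devd could run on CARP events, which validates what devd passes in (actions run as root) and decides whether this node should update the VIP's MAC. The handler path, function names and the `CARP` devd rule in the comment are assumptions; the vhid `2` and interface `vmx1` come from the log line above.

```sh
#!/bin/sh
# Added example (not the task's carp-ovh script). A devd rule on the CARP
# event system, as documented in devd.conf(5), could call it like this:
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "2@vmx1";
#       match "type"      "MASTER";
#       action "/usr/local/sbin/carp-handler $subsystem $type";  # hypothetical path
#   };

EXPECTED_VHID=2      # from the page's log line "carp: 2@vmx1: ..."
EXPECTED_IF=vmx1

# carp_decide SUBSYSTEM STATE: prints update, skip or reject.
carp_decide() {
    subsystem=$1
    state=$2
    # devd runs actions as root, so accept only the exact expected shapes.
    case $subsystem in
        ''|*[!0-9a-z.@]*|*@*@*|@*|*@) echo reject; return 0 ;;
        *@*) ;;
        *) echo reject; return 0 ;;
    esac
    vhid=${subsystem%%@*}
    ifname=${subsystem#*@}
    case $vhid in *[!0-9]*) echo reject; return 0 ;; esac
    case $state in
        MASTER|BACKUP|INIT) ;;
        *) echo reject; return 0 ;;
    esac
    if [ "$vhid" != "$EXPECTED_VHID" ] || [ "$ifname" != "$EXPECTED_IF" ]; then
        echo skip; return 0
    fi
    # Only the node that just became MASTER should claim the VIP.
    if [ "$state" = MASTER ]; then echo update; else echo skip; fi
}

# carp_from_log LINE: prints "SUBSYSTEM NEWSTATE" for a kernel CARP log line.
carp_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/^.*kernel: carp: \([0-9][0-9]*@[0-9a-z.]*\): [A-Z]* -> \([A-Z]*\) .*$/\1 \2/p'
}

# Run as a devd action only when called with both arguments.
if [ $# -ge 2 ]; then
    decision=$(carp_decide "$1" "$2")
    logger -t carp-handler "CARP $1 -> $2: $decision"
    # On "update", the OVH API call described in the task would run here.
fi
```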