Developers Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


Fencing ClearBOX with Bypass and Heartbeat

This document is just notes and is not as fluid as a howto.

Getting Started

You will need 2 ClearBOX 300 servers installed with the default mode. We'll call them 'firewall1' and 'firewall2'. You will assign the NICs like this:

firewall1
  • eth0: WAN (crossconnected to eth1 on firewall2)
  • eth1: Not assigned (empty)
  • eth2: LAN (crossconnected to eth3 on firewall2)
  • eth3: Not assigned (empty)
  • eth4: Heartbeat NIC (crossconnected to eth4 on firewall2)
  • eth5: Management
firewall2
  • eth0: WAN (connected to Internet)
  • eth1: Not assigned (crossconnected to eth0 on firewall1)
  • eth2: LAN (connected to LAN)
  • eth3: Not assigned (crossconnected to eth2 on firewall1)
  • eth4: Heartbeat NIC (crossconnected to eth4 on firewall1)
  • eth5: Management

Nomenclature for networks

  • 172.16.0.x (WAN)
  • 192.168.1.x (LAN)
  • 10.10.10.x (Heartbeat)

You will need to name the servers correctly.

vi /etc/hosts

In addition, they must know the names of the other host as it pertains to the heartbeat network.

firewall1 /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		firewall1.clearos.lan system localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
10.10.10.2 firewall2.clearos.lan firewall2
firewall2 /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		firewall2.clearos.lan system localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
10.10.10.1 firewall1.clearos.lan firewall1

Test.

Install heartbeat packages

From command line, download the heartbeat rpm packages by running the following commands in the directory of your choosing:

yum --enablerepo=clearos-core,clearos-epel install heartbeat

Then enable heartbeat to start on reboot

chkconfig --add heartbeat && chkconfig --list heartbeat

Configure heartbeat

Configure the following on firewall1

/etc/ha.d/ha.cf
logfile /var/log/ha-log
logfacility local0
keepalive 1
deadtime 4
initdead 5
bcast eth4
udpport 694
auto_failback on
node firewall1.clearos.lan
node firewall2.clearos.lan
/etc/ha.d/haresources
firewall1.clearos.lan bypass

Propagate

Use the ha-propagate command to copy these setting to the partner of the HA cluster. This will also test you config.

/usr/share/heartbeat/ha_propagate

For ha_propagate to work you must have trusted key exchange between your servers. You can do this by adding the public key for each server into the authorized_keys section of the /root/.ssh/ of the other server.

Bypass Service

We are using a service here that doesn't really exist. Here is the code for it:

/etc/init.d/bypass
#!/bin/bash
#
# Init file for bypass
#
# chkconfig: 2345 55 25
# description: Bypass enable daemon
#
# processname: 
# source function library
. /etc/rc.d/init.d/functions
RETVAL=0
prog="bypass"
# Some functions to make the below more readable
BYPASSDISABLE=/usr/sbin/bypassdisable
BYPASSENABLE=/usr/sbin/bypassenable
# not used
PID_FILE=/var/run/bypass.pid
runlevel=$(set -- $(runlevel); eval "echo \$$#" )

start()
{
	echo -n $"Starting $prog: "
	$BYPASSDISABLE $OPTIONS && success || failure
	echo
}

stop()
{
	echo -n $"Starting $prog: "
	$BYPASSENABLE $OPTIONS && success || failure
	echo
}

case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart)
		stop
		start
		;;
esac
exit $RETVAL
/usr/sbin/bypassdisable
#!/bin/sh
echo 0 > /sys/bus/i2c/devices/0-0026/bypass0
echo 0 > /sys/bus/i2c/devices/0-0022/bypass0
/usr/sbin/bypassenable
#!/bin/sh
echo 2 > /sys/bus/i2c/devices/0-0026/bypass0
echo 2 > /sys/bus/i2c/devices/0-0022/bypass0

Setting the BIOS for firewall2

You will want to configure the BIOS for firewall 2 to not activate the NIC but rather to default with the bypass activated.

Go to Advanced » Onboard ByPass Control

  • Set the Set Bypass Group 1 Status to: Next Boot: Non-Normal, BPE: Enable
  • Set the Set Bypass Group 2 Status to: Next Boot: Non-Normal, BPE: Enable
content/en_us/dev_apps_using_heartbeat_to_provide_fenced_clearbox.txt · Last modified: 2015/08/12 14:02 (external edit)

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Adev_apps_using_heartbeat_to_provide_fenced_clearbox&1710827854