ClearBOX Network Bypass/Failover with ClearOS 7.x

This is not a formal document. It has been pulled together from various sources, including an unfinished app.

Note that in this example, SSH is running on port 32323 on gw1 and port 32324 on gw2. Please adjust your configs according to the ports your boxes are using for SSH. The reason for the different ports is that when one box takes over from the other it presents a different host key, and the SSH client will complain. I believe you can sync them to be the same but never had the time to write that up. Essentially, you'd need to make the cryptographic material exactly the same so that the two boxes are indistinguishable to an SSH client. That would allow your ssh client to not balk at the key swap.

Create SSH keypair for server/server trust

On primary:

ssh-keygen -t rsa
cat .ssh/id_rsa.pub >> .ssh/authorized_keys # append the key itself, not the file name
scp -P 32324 -r .ssh* root@gw2:/root/ # you will need gw2's password for this step

Test with:

ssh -p 32323 gw1 yum -y install rsync
ssh -p 32324 gw2 yum -y install rsync

This should work without prompting for passwords
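
The following check is an added example, not part of the original howto or of the app-bypass code. It audits the /root/.ssh material created above on either gateway: file modes that make ssh or sshd ignore the keys, and whether authorized_keys actually contains the public key. The function names are hypothetical, and find -perm /MODE assumes GNU find, as shipped with ClearOS 7.

```bash
#!/bin/bash
# Added example: audit the key material behind the gw1 <-> gw2 root trust.
# check_ssh_trust and perm_any are hypothetical helper names;
# "find -perm /MODE" is GNU find syntax.

# True if any permission bit in mask $2 is set on path $1.
perm_any() { [ -n "$(find "$1" -maxdepth 0 -perm "/$2" 2>/dev/null)" ]; }

# Prints one line per problem; returns 0 only when nothing was found.
check_ssh_trust() {
    local dir="${1:-/root/.ssh}" key="${2:-id_rsa}" rc=0 f blob
    local priv="$dir/$key" pub="$dir/$key.pub" auth="$dir/authorized_keys"

    for f in "$priv" "$pub" "$auth"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The ssh client refuses a private key that group/other can access.
    perm_any "$priv" 077 && { echo "too open: $priv"; rc=1; }
    # sshd with StrictModes ignores authorized_keys when the file or its
    # directory is writable by group/other.
    perm_any "$auth" 022 && { echo "group/other writable: $auth"; rc=1; }
    perm_any "$dir" 022 && { echo "group/other writable: $dir"; rc=1; }

    # authorized_keys must hold the key blob itself (field 2 of the .pub
    # file), not just a line naming the .pub file.
    blob=$(awk 'NR==1 {print $2}' "$pub")
    if [ -z "$blob" ] || ! grep -qF -- "$blob" "$auth"; then
        echo "public key from $pub is not in $auth"; rc=1
    fi
    return "$rc"
}

# With arguments, run the audit directly: ./check_trust.sh /root/.ssh
[ "$#" -eq 0 ] || check_ssh_trust "$@"
```

Run it on gw1 and again on gw2 after the scp step; any output line is a reason the password-less test may still prompt.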

Software Installation

Install app-bypass - see https://gitlab.com/clearos/clearcenter/app-bypass. The app is unfinished but the key files you need are in the deploy folder.

On gw2:

rsync -av -e 'ssh -p 32323' root@gw1:/root/support* .
I am not sure what this step is doing. I think the intention is that common files should be synchronised through here but at this stage of the howto, /root/support* don't exist.

Install HA components

Install the following:

ssh gw1 -p 32323 yum -y install corosync pacemaker pcs
ssh gw2 -p 32324 yum -y install corosync pacemaker pcs
ssh gw1 -p 32323 'systemctl enable pcsd && systemctl enable corosync && systemctl enable pacemaker' # quoted so the whole chain runs on gw1
ssh gw2 -p 32324 'systemctl enable pcsd && systemctl enable corosync && systemctl enable pacemaker' # quoted so the whole chain runs on gw2
ssh gw1 -p 32323 systemctl start pcsd
ssh gw2 -p 32324 systemctl start pcsd

On each server, set the hacluster user’s password:

passwd hacluster

We set the password to ‘**’. Start the cluster from gw1:

pcs cluster auth gw1 gw2
pcs cluster setup --name bypass_cluster gw1 gw2
pcs cluster start --all
pcs cluster enable --all

Test:

ssh gw1 -p 32323 pcs status cluster
ssh gw2 -p 32324 pcs status cluster

Turn off fencing, since the bypass service is its own fencing:

pcs property set stonith-enabled=false
pcs property set no-quorum-policy=ignore
pcs property list

Lastly, add the bypass service.

Cabling

The following cabling is used with ClearBOX:

Primary

Backup

Next steps

After this, you will probably want to set up some rsync job to copy over critical files so the gateway on standby is always kept up to date with the live box. This synchronisation will need to happen in both directions so that whichever is live has the master set of files. Files you may want to consider are:

Remember to restart services either if any of the files change or on failover so the latest data is used.