Note that in this example, ssh is running on port 32323 on gw1 and port 32324 on gw2. Adjust your configs according to the ports your boxes are using for SSH. The reason for the different ports is that when one box takes over the shared address it presents a different host key, and SSH clients will complain. I believe you can sync the keys so they are the same but never had the time to write that up. Essentially, you'd need to make the cryptographic material on both boxes exactly the same so that, as far as SSH is concerned, the two are indistinguishable. That would stop your ssh client from balking at the key swap.
ssh-keygen -t rsa
cat .ssh/id_rsa.pub >> .ssh/authorized_keys
scp -P 32324 -r .ssh root@gw2:/root/   # you will need gw2's password for this step
ssh -p 32323 gw1 yum -y install rsync
ssh -p 32324 gw2 yum -y install rsync

This should work without prompting for passwords.
Install app-bypass - see https://gitlab.com/clearos/clearcenter/app-bypass. The app is unfinished but the key files you need are in the deploy folder.
rsync -av -e 'ssh -p 32323' root@gw1:/root/support* .
Install the following:
ssh gw1 -p 32323 yum -y install corosync pacemaker pcs
ssh gw2 -p 32324 yum -y install corosync pacemaker pcs
# quote the && chain so that all three enables run on the remote box, not locally
ssh gw1 -p 32323 'systemctl enable pcsd && systemctl enable corosync && systemctl enable pacemaker'
ssh gw2 -p 32324 'systemctl enable pcsd && systemctl enable corosync && systemctl enable pacemaker'
ssh gw1 -p 32323 systemctl start pcsd
ssh gw2 -p 32324 systemctl start pcsd
On each server, set the hacluster user's password:
We set the password to ‘**’. Start the cluster from gw1:
pcs cluster auth gw1 gw2
pcs cluster setup --name bypass_cluster gw1 gw2
pcs cluster start --all
pcs cluster enable --all

ssh gw1 -p 32323 pcs status cluster
ssh gw2 -p 32324 pcs status cluster
Turn off fencing; the bypass service acts as its own fencing:

pcs property set stonith-enabled=false
pcs property set no-quorum-policy=ignore
pcs property list
Lastly, add the bypass service.
The following cabling is used with ClearBOX:
After this, you will probably want to set up some rsync job to copy over critical files so the gateway on standby is always kept up to date with the live box. This synchronisation will need to happen in both directions so that whichever is live has the master set of files. Files you may want to consider are:
Remember to restart services either if any of the files change or on failover so the latest data is used.
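As an added example of such a sync job (not from the page or from ClearOS): only the node that pacemaker reports as running the bypass resource pushes to its peer, so the standby can never clobber the live box's files, and rsync's itemized output decides whether the peer's services get restarted. The resource name, the file list and the restart command are assumptions to set per site; the SSH ports are the ones from this page.

```shell
#!/bin/sh
# Added example, not from the page or ClearOS: a cron-driven sync job for the
# gw1/gw2 pair. Only the node that pacemaker reports as running the bypass
# resource pushes, so the standby can never overwrite the live box; the
# rsync itemized output decides whether services get restarted on the peer.
# Assumed (not on the page): resource name, file list and restart command.
BYPASS_RESOURCE="bypass"                           # assumed pcs resource name
SYNC_FILES="/etc/clearos /etc/sysconfig/network"  # assumed: files to mirror
RESTART_CMD="systemctl restart YOUR_SERVICE"      # placeholder, set per site

# peer_of NODE -> "PEERNAME PEERPORT", using the SSH ports from the page.
peer_of() {
    case "$1" in
        gw1) echo "gw2 32324" ;;
        gw2) echo "gw1 32323" ;;
        *)   return 1 ;;
    esac
}

# this_node_is_active: true when pacemaker locates the resource on this host.
this_node_is_active() {
    loc="$(crm_resource --resource "$BYPASS_RESOURCE" --locate 2>/dev/null)"
    [ "${loc##* }" = "$(uname -n)" ]
}

# rsync_changed: read rsync --itemize-changes lines on stdin; true if a file
# was sent (>), received (<), created locally (c) or deleted (*deleting).
# Attribute-only lines such as ".d..t......" do not count.
rsync_changed() {
    grep -Eq '^([<>c]f|\*deleting)'
}

# sync_to_peer PEER PORT: mirror SYNC_FILES with their full paths (-R).
sync_to_peer() {
    rsync -aR --delete --itemize-changes -e "ssh -p $2" $SYNC_FILES "root@$1:/"
}

main() {
    host="$(uname -n)"
    peer="$(peer_of "${host%%.*}")" || { echo "unknown node $host" >&2; exit 1; }
    this_node_is_active || exit 0          # standby: never push
    set -- $peer
    out="$(sync_to_peer "$1" "$2")" || { echo "rsync to $1 failed" >&2; exit 1; }
    if printf '%s\n' "$out" | rsync_changed; then
        ssh -p "$2" "root@$1" "$RESTART_CMD"   # page: restart after changes
    fi
}
case "${1:-}" in run) main ;; esac     # invoke as: sh sync_peer.sh run
```

Install the same script in cron on both boxes; whichever one is live at the time does the pushing, which gives the bidirectional behaviour described above without the two ever syncing at once.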