
ClearBOX Network Bypass/Failover with ClearOS 7.x

This is not a formal document; it has been pulled together from various sources, including an unfinished app.

Note that in this example, ssh is running on port 32323 on gw1 and port 32324 on gw2. Adjust the configs according to the ports your boxes use for SSH. The reason for the different ports is that when one box takes over it presents a different SSH host key, and SSH clients will complain about the changed key. I believe you can sync them to be the same but never had the time to write that up. Essentially, you would need to make the host key material on both boxes identical so that, as far as an SSH client is concerned, the two are indistinguishable; your ssh client would then not balk at the key swap.

Create SSH keypair for server/server trust

On primary:

ssh-keygen -t rsa
cat .ssh/id_rsa.pub >> .ssh/authorized_keys # append the public key itself, not its filename
scp -P 32324 -r .ssh* root@gw2:/root/ # you will need gw2's password for this step

Test with:

ssh -p 32323 gw1 yum -y install rsync
ssh -p 32324 gw2 yum -y install rsync

This should work without prompting for passwords.

Software Installation

Install app-bypass - see https://gitlab.com/clearos/clearcenter/app-bypass. The app is unfinished but the key files you need are in the deploy folder.

On gw2:

rsync -av -e 'ssh -p 32323' root@gw1:/root/support* .
I am not sure what this step is doing. I think the intention is that common files should be synchronised through here, but at this stage of the howto /root/support* don't exist.

Install HA components

Install the following:

ssh gw1 -p 32323 yum -y install corosync pacemaker pcs
ssh gw2 -p 32324 yum -y install corosync pacemaker pcs
ssh gw1 -p 32323 'systemctl enable pcsd && systemctl enable corosync && systemctl enable pacemaker' # quote the chain so every command runs on the remote box, not locally
ssh gw2 -p 32324 'systemctl enable pcsd && systemctl enable corosync && systemctl enable pacemaker'
ssh gw1 -p 32323 systemctl start pcsd
ssh gw2 -p 32324 systemctl start pcsd

On each server create hacluster user’s password:

passwd hacluster

We set the password to ‘**’. Start the cluster from gw1:

pcs cluster auth gw1 gw2
pcs cluster setup --name bypass_cluster gw1 gw2
pcs cluster start --all
pcs cluster enable --all

Test:

ssh gw1 -p 32323 pcs status cluster
ssh gw2 -p 32324 pcs status cluster

Turn off fencing (the bypass service acts as its own fencing) and let the two-node cluster keep running without quorum:

pcs property set stonith-enabled=false
pcs property set no-quorum-policy=ignore
pcs property list

Lastly, add the bypass service.

Cabling

The following cabling is used with ClearBOX:

Primary

  • NIC0:enp2s0 - short cable connected to NIC1:enp3s0 on Backup
  • NIC1:enp3s0 - NOT USED
  • NIC2:enp4s0 - short cable connected to NIC3:enp5s0 on Backup
  • NIC3:enp5s0 - NOT USED
  • NIC4:enp6s0 - short cable connected to NIC4:enp6s0 on Backup
  • NIC5:enp7s0 - Mgmt cable used to initially configure ClearBOX. NOT USED in production.
  • Console:Serial - short serial roll-over connected to Console:Serial on Backup (optional)

Backup

  • NIC0:enp2s0 - Connected to LACP configured switch group (same as NIC2:enp4s0)
  • NIC1:enp3s0 - short cable connected to NIC0:enp2s0 on Primary
  • NIC2:enp4s0 - Connected to LACP configured switch group (same as NIC0:enp2s0)
  • NIC3:enp5s0 - short cable connected to NIC2:enp4s0 on Primary
  • NIC4:enp6s0 - short cable connected to NIC4:enp6s0 on Primary
  • NIC5:enp7s0 - Mgmt cable used to initially configure ClearBOX. NOT USED in production.
  • Console:Serial - short serial roll-over connected to Console:Serial on Primary (optional)

Next steps

After this, you will probably want to set up an rsync job to copy over critical files so the gateway on standby is always kept up to date with the live box. This synchronisation will need to happen in both directions so that whichever box is live holds the master set of files. Files you may want to consider are:

  • Firewall:
    • /etc/clearos/firewall
    • /etc/clearos/firewall.d/custom
    • /etc/clearos/multiwan.conf # if you use multiwan
    • /etc/clearos/qos.conf # if you use the Bandwidth/QoS manager
  • Dnsmasq (for DHCP)
    • /etc/dnsmasq.conf (perhaps not so important as it should not change)
    • /etc/hosts # Your DNS server entries
    • /etc/ethers # for DHCP static leases
    • /etc/dnsmasq.d/dhcp.conf # for your DHCP configuration
    • /var/lib/dnsmasq/dnsmasq.leases # for current DHCP leases
  • There are other files you may want on a case by case basis. Certificates are difficult. OpenVPN is even harder as it requires the directory as well.

Remember to restart the affected services whenever any of these files change, and again on failover, so the latest data is used.
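As an added example (not from this page or the app-bypass project), the following script pushes the files listed above from the live gateway to the standby over the per-box SSH port and restarts on the standby only the services whose files actually changed. It assumes it runs as root on the live box, that the pacemaker resource name passed as RESOURCE is a placeholder you replace with your own, and that uname -n matches the node name pacemaker reports.

```shell
#!/bin/sh
# Added example: one-way push from the live ClearBOX to the standby.
# Assumptions: root on the live box; <resource> is a placeholder for your
# bypass resource name; uname -n equals the pacemaker node name.
set -u

# Files to keep in step, as listed in the "Next steps" section.
SYNC_FILES="/etc/clearos/firewall /etc/clearos/firewall.d/custom
/etc/clearos/multiwan.conf /etc/clearos/qos.conf /etc/dnsmasq.conf /etc/hosts
/etc/ethers /etc/dnsmasq.d/dhcp.conf /var/lib/dnsmasq/dnsmasq.leases"

# Map a synced path to the service that must be restarted to pick it up.
service_for() {
    case "$1" in
        /etc/clearos/firewall*|/etc/clearos/multiwan.conf|/etc/clearos/qos.conf)
            echo firewall ;;
        /etc/dnsmasq*|/etc/hosts|/etc/ethers|/var/lib/dnsmasq/*)
            echo dnsmasq ;;
        *) echo "" ;;
    esac
}

# Read rsync --itemize-changes lines on stdin and print, one per line, the
# distinct services whose files were sent ('<' marks a transfer to the peer).
services_from_itemize() {
    while read -r flags path; do
        case "$flags" in
            '<'*) svc=$(service_for "/$path"); [ -n "$svc" ] && echo "$svc" ;;
        esac
    done | sort -u
}

# Refuse to push unless pacemaker says this host owns the bypass resource,
# so a standby can never overwrite the live box's master copy.
owns_resource() {
    crm_resource --resource "$1" --locate 2>/dev/null |
        grep -q "running on: $(uname -n)\$"
}

sync_to_standby() {   # usage: sync_to_standby <peer> <peer_ssh_port> <resource>
    peer=$1; port=$2; resource=$3
    owns_resource "$resource" || { echo "not the live node; skipping" >&2; return 1; }
    # -R keeps full paths on the standby; -i lists exactly what was transferred;
    # --ignore-missing-args skips optional files (multiwan, qos) that may not exist.
    # shellcheck disable=SC2086  (SYNC_FILES is intentionally word-split)
    rsync -aRi --ignore-missing-args -e "ssh -p $port" $SYNC_FILES "root@$peer:/" |
        services_from_itemize |
        while read -r svc; do
            ssh -p "$port" "$peer" "systemctl restart $svc"
        done
}
```

Run it from cron on both boxes (for example `sync_to_standby gw2 32324 <resource>` on gw1 and `sync_to_standby gw1 32323 <resource>` on gw2); the ownership check means only the live box ever pushes, which gives the bidirectional sync the text asks for without the two copies fighting.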


content/en_us/clearbox_bypass_with_clearos7.txt · Last modified: 2021/06/01 10:37 by 62.30.63.90