This is the 4th blog, (Part 4B) in a series of blogs regarding the ISV Architecture Validated Design. This blog focuses on the Failover Implementation section.
This blog series will contain the following topics
This architecture follows the ISV Architecture but it uses keepalived for the failover implementation to monitor the interfaces of the virtual routers (VR) and it requires scripting tools like Python or OCI CLI to move the Virtual IP (VIP) between the two VRs instead of using Pacemaker & Corosync (Part 4a) as outlined in the ISV Architecture. Protocols like HSRP (Cisco) or VRRP (IETF) are used to monitor the state of a route cluster. These protocols use multicast by default to monitor each other but multicast is not a featured available on the cloud. Keepalive which uses VRRP protocol has an option to use unicast instead of multicast giving us the opportunity to use it in the cloud. Keepalived is an open source code which is packaged with Linux. The purpose of this architecture is to provide an alternate way to deploy the architecture. For production environment you could use this software but keep in mind it is open source. New code releases or patches might cause this setup not to work. For ISVs/MSPs to provide service to their customer, it is recommended to use commercial virtual routing software from routing vendors like Cisco, Juniper, Fortinet, etc. which has additional features to track objects, has logging and visibility capabilities, and technical support in case of problems or bugs with the software as long as they support cloud deployments.
The diagram below is a representation of this lab and it will be use through this blog to guide you on the implementation. All VCNs are in the same region, all subnets are regional.
Please refer to Part 3A - OCI - Routing and Security Lists and Part 3B - OCI vRouter - OCI Shape, OS choices, VNIC and Secondary IP address creation of the ISV architecture before proceeding with the Keepalived configuration.
Now that you have the two VRs configured with the proper VNICs, IP addressing, and routing, the next step is to install keepalived. Keepalived will track the interfaces on each VR and will elect one VR as master and the other as backup using VRRP.
yum install -y keepalived
mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bkp
VR1 | VR2 |
global_defs { enable_script_security script_user root } #VRRP configuration for the VNIC in the transit subnet vrrp_instance ISV { state MASTER interface ens3 track_interface { ens3 ens5 ens6 } virtual_router_id 51 priority 200 unicast_src_ip 172.20.136.130 unicast_peer { 172.20.136.131 } authentication { auth_type PASS auth_pass ISV-test } notify_master /root/claim-vips-notify-master.sh } |
global_defs { enable_script_security script_user root } #VRRP configuration for the VNIC in the transit subnet vrrp_instance ISV { state BACKUP interface ens3 track_interface { ens3 ens5 ens6 } virtual_router_id 51 priority 100 unicast_src_ip 172.20.136.131 unicast_peer { 172.20.136.130 } authentication { auth_type PASS auth_pass ISV-test } notify_master /root/claim-vips-notify-master.sh } |
service keepalived start
chkconfig keepalived on
You can use the commands below to manage keepalived
service keepalived stop service keepalived start service keepalived status
You need to provide access rights to the two VRs in order for the scripts to interact with the cloud and move the VIPs. In the next steps you will create the IAM policy using Instance Principles. Instance Principles is an IAM service feature that enables instances to be authorized actors (or principals) to perform actions on service resources. Each compute instance has its own identity, and it authenticates using the certificates that are added to it. These certificates are automatically created, assigned to instances and rotated, preventing the need for you to distribute credentials to your hosts and rotate them.
Create Dynamic Groups |
Name: oci-vip-DG Matching rules ANY {instance.id = ‘ocid1.instance.oc1…………pruscpq’,instance.id =’ocid1.instance.oc1……….d4ebx24q’} |
Create Policy |
Name: oci-vip-p Matching rules Allow dynamic-group oci-vip-DG to use private-ips in compartment ISV Allow dynamic-group oci-vip-DG to use vnics in compartment ISV |
As stated above keepalived can’t move the VIPs in the cloud as the VIPs are owned by the cloud so you need an external application that can interact with the cloud. This can be accomplished via some scripting tool like Python or the OCI CLI or some other tool. Keepalived will execute claim-vips-notify-master.sh when it detects failures on the VRs. You need to create this file based on the scripting tool you use to perform the task.
You might need to collect the OCIDs for the VNICs and VIPs for each of the VRs depending of the scripting tool used. When a VR becomes the master it will execute the script to claim the VIPs for all the interfaces.
You can reference the links below for examples how Python can interact with the OCI API
You can use OCI CLI to move the VIPs. It should be installed on both VRs as they will execute a command when they are elected masters to move the VIPs. The OCI CLI it is very simple platform to use, if you decide to use it, there is no need to create a config file as stated on the public documentation because on this setup you will use instance principles.
To install OCI CLI your VM needs access to the Internet via an Internet Gateway or NAT gateway. Open a terminal window and run the following command. Accept the default prompts
bash -c "$(curl -L https:// raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"
To test OCI CLI run the command below. Please note the use of –auth instance_principal at the end of the command which allows the use of Intance Principals with the OCI API gateway. If it works you should get the name of your tenancy. OCI CLI uses your primary VNIC (ens3) to interact with the OCI API gateway so make sure it has an Internet gateway or a NAT gateway to reach the API gateway and that DNS is enabled.
oci os ns get --auth instance_principal
You can use the command below to move the VIP for each VNIC on the VR.
oci network vnic assign-private-ip --vnic-id <VNIC OCID> --ip-address <VIP IP address> --unassign-if-already-assigned --auth instance_principal
Create a file on each VR and each file will have the command to claim the VIPs for all the VNICs. The OCIDs in the commands are the VNICs for each VR.
VR1 claim-vips-notify-master.sh |
oci network vnic assign-private-ip --vnic-id ocid1.vnic.oc1………diqtaxjs6yoa --ip-address 172.20.136.132 --unassign-if-already-assigned --auth instance_principal oci network vnic assign-private-ip --vnic-id ocid1.vnic.oc1………ftksweyvhegg --ip-address 10.0.0.4 --unassign-if-already-assigned --auth instance_principal oci network vnic assign-private-ip --vnic-id ocid1.vnic.oc1………5jdgolrn5fhhg --ip-address 10.0.0.36 --unassign-if-already-assigned --auth instance_principal |
VR2 claim-vips-notify-master.sh |
oci network vnic assign-private-ip --vnic-id ocid1.vnic.oc1………kd8fnhrudjhfo --ip-address 172.20.136.132 --unassign-if-already-assigned --auth instance_principal oci network vnic assign-private-ip --vnic-id ocid1.vnic.oc1………jsdnshdi42k94 --ip-address 10.0.0.4 --unassign-if-already-assigned --auth instance_principal oci network vnic assign-private-ip --vnic-id ocid1.vnic.oc1………ks9d8gjdhdekl4 --ip-address 10.0.0.36 --unassign-if-already-assigned --auth instance_principal |
You have successfully create the failover mechanism between the to VRs. Next check future blog about Operations which will be part 5 of this set ob blogs for the ISV Architecture
Next Post