@gsanchietti gsanchietti commented Oct 23, 2024

This pull request includes several changes to the config/ha.conf file to add new packages and configurations for high availability (HA) support. The most important changes include adding packages for network functionality and keepalived configurations.

Added packages:

  • keepalived
  • conntrackd
  • luci-app-keepalived

Current status:

  • IP switch is working
  • configured services are correctly restarted on the secondary machine

Reset command for development:

  cp /root/config/* /etc/config/
  rm -f /etc/keepalived/keys/id_rsa*
  rm -f /etc/conntrackd/conntrackd.conf
  /etc/init.d/conntrackd stop
  /etc/init.d/conntrackd disable
  reload_config

See the README for requirements, usage and limitations.

Companion PRs:

Main issue: #920

See also:

@gsanchietti gsanchietti mentioned this pull request Nov 19, 2024
@gsanchietti gsanchietti force-pushed the keepalived branch 2 times, most recently from 8416cbc to 82be12e Compare December 20, 2024 16:09
@gsanchietti gsanchietti force-pushed the keepalived branch 4 times, most recently from 8d6f00f to f6c45c0 Compare February 12, 2025 13:13
@gsanchietti gsanchietti self-assigned this Feb 13, 2025
@gsanchietti gsanchietti force-pushed the keepalived branch 4 times, most recently from 6d9c963 to 964c74d Compare February 14, 2025 16:27
@gsanchietti gsanchietti requested a review from Tbaile February 14, 2025 16:50
@gsanchietti gsanchietti marked this pull request as ready for review February 14, 2025 16:50
@gsanchietti gsanchietti assigned francio87 and unassigned gsanchietti Feb 14, 2025
@gsanchietti gsanchietti self-assigned this Apr 16, 2025
@gsanchietti gsanchietti force-pushed the keepalived branch 2 times, most recently from fb75a00 to 5d7b9bf Compare April 17, 2025 07:23
@gsanchietti gsanchietti removed the request for review from Tbaile April 17, 2025 07:39
@gsanchietti gsanchietti force-pushed the keepalived branch 4 times, most recently from b250ada to c0673fe Compare April 22, 2025 13:24
Sometimes the sysupgrade command returns an error even
if everything goes well.
When checking the remote, parse the response and report
back errors on the primary node.
Previous implementation was assuming the name of lan and wan device
was fixed: this was preventing adding the HA feature on existing
firewalls.

Now the config script and the API allow a custom interface name for lan
and wan.
Also please note that wan is not checked on backup node, because
the switchover will work as long as the underlying device
of the wan (e.g. eth1) is the same on both nodes.
The check on DHCP must be executed only on the
provided lan interface: all other interfaces must be ignored.
The ipsec interfaces and routes were not started due to the
following issues:
- ns-ha-export was running also on backup node
- the check to execute ns-ha-enable was always returning false
Previously, after a switch back from backup node
to primary node, the ipsec interfaces and routes
were disabled.
Manage UI availability
Non-WAN interfaces must be configured in the same way
as the main LAN interface: 2 static IPs, plus a virtual IP.
Previous configuration was not working with DHCP server.

Also fix an issue with MultiWAN: now each WAN is on a separate
network to avoid problems with routes.
When removing an interface, move its IP address
to the original interface inside the primary node.
If the default certificate is configured to an ACME cert,
nginx was not starting because of the missing certificate.
If mwan3 is running during HA configuration, it can mess
up the routes.
Use a custom ns_macaddr property to set the mac address:
the mac is set when the node is master and cleared when the node
is backup.

Previously, using the macaddr uci option, on a physical machine
the ethernet could take the primary node mac address on reboot:
the backup node was unreachable if the hotspot was configured on a
vlan over the main lan interface.
Read keepalived status from /tmp/keepalived.json:
it is simpler to parse and does not use /var/log/messages to find
the current state.

To obtain the file, use:

  kill -37 $(cat /tmp/run/keepalived.pid)
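
A sketch of reading that status file, added here as an example and not taken from the pull request. It assumes keepalived's JSON dump is an array of instances with `data.iname` and a numeric `data.state` (0 INIT, 1 BACKUP, 2 MASTER, 3 FAULT); the function names and the instance name `lan` are made up. Because the file is only rewritten when keepalived receives the signal, a stale dump is rejected.

```python
import json
import os
import time

# VRRP state codes as written in the "state" field (assumed mapping).
VRRP_STATES = {0: "INIT", 1: "BACKUP", 2: "MASTER", 3: "FAULT"}


def parse_status(text):
    """Return {instance_name: state_name} from the text of a keepalived JSON dump."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, list):
        raise ValueError("expected a JSON array of VRRP instances")
    result = {}
    for entry in doc:
        data = entry.get("data") if isinstance(entry, dict) else None
        if not isinstance(data, dict) or "iname" not in data:
            raise ValueError("instance entry without data.iname")
        code = data.get("state")
        # Report unexpected codes instead of guessing a role for the node.
        result[data["iname"]] = VRRP_STATES.get(code, f"UNKNOWN({code})")
    return result


def read_status(path="/tmp/keepalived.json", max_age=10.0, now=None):
    """Parse the dump at path, refusing one older than max_age seconds."""
    now = time.time() if now is None else now
    age = now - os.stat(path).st_mtime
    if age > max_age:
        raise RuntimeError(f"{path} is {age:.0f}s old; signal keepalived again")
    with open(path, encoding="utf-8") as fh:
        return parse_status(fh.read())


# Constructed sample, trimmed to the two fields used here.
SAMPLE = '[{"data": {"iname": "lan", "state": 2}, "stats": {}}]'

if __name__ == "__main__":
    print(parse_status(SAMPLE))
```
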
@gsanchietti
Member Author

Tested and verified both by @filippocarletti and @cotosso

@gsanchietti gsanchietti merged commit b8915af into main Jun 9, 2025
1 check passed
@gsanchietti gsanchietti deleted the keepalived branch June 9, 2025 12:47
Development

Successfully merging this pull request may close these issues.

High Availability
