$_ BSDHowTo.ch

How to configure VMware to run carp(4)

Last update: 2018-09-06

Introduction

In this post I show you how to configure carp(4) on virtual machines that run on VMware vSphere. The setup will consist of two VMs running OpenBSD -current. Each VM gets one single vNIC.

Preparation

As a preparation for this setup I’ve filled in the required information in the following table:

| Information | Value |
|---|---|
| Shared IP | 192.0.2.10 |
| Hostname VM1 | vmone |
| Mgmt IP VM1 | 192.0.2.11 |
| AdvSkew VM1 | 0 |
| Hostname VM2 | vmtwo |
| Mgmt IP VM2 | 192.0.2.12 |
| AdvSkew VM2 | 100 |
| VHID | 99 |
| Password | SharedSecret |
| Subnetmask | 255.255.255.0 |
| Domain name | example.net |

Configuration of vSphere

The network functionality that VMware vSphere provides for virtual machines comes with a security policy. With this policy you can prevent certain networking practices: promiscuous mode, MAC address changes and forged transmits.

Rejecting all three can slightly improve the security in your network. But all three are required if you want to use carp(4). I recommend that you set all three to Accept for the port group your carp(4) interface will be connected to.

Configuration of carp(4)

VM1 is my designated master and VM2 is the backup. To enforce this policy you need different values for the parameter advskew on each VM and the following sysctl(8) setting:

$ doas sysctl net.inet.carp.preempt=1

To make the setting persistent, also write it to /etc/sysctl.conf. OpenBSD will then set the value automatically during startup.

I will first configure the backup, then the master. On VM2 I create the file /etc/hostname.carp0 with the following content:

vhid 99 pass SharedSecret carpdev vmx0 advskew 100 192.0.2.10/24

To create and configure the interface you can use /etc/netstart:

$ doas /bin/sh /etc/netstart

On VM1 the line in /etc/hostname.carp0 looks slightly different:

vhid 99 pass SharedSecret carpdev vmx0 192.0.2.10/24

Reboot both VMs to test the new configuration and make sure you don’t have any typos in your config files.

Checking the setup

You can look at the carp0 interface using ifconfig(8) to perform a basic check of the configuration. On my VM2 I get the following output:

$ ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:53:67:89:ab
    index 4 priority 15 llprio 3
    carp: BACKUP carpdev vmx0 vhid 99 advbase 1 advskew 100
    groups: carp
    status: backup
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255

On my VM1 the output is slightly different:

$ ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 150
    lladdr 00:00:5e:12:34:56
    index 4 priority 15 llprio 3
    carp: MASTER carpdev vmx0 vhid 81 advbase 1 advskew 0
    groups: carp
    status: master
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255

Your final test should be to ping the carp IP from a third system and shut down the current master while the ping is running. If everything works as expected you should not lose a single echo reply packet.
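
A scripted version of the ifconfig(8) check above, added here as an example and not part of the original post: it compares the carp0 output with the values planned in the preparation table. The function names and the two sample outputs are constructed for illustration, and the parser assumes the single-vhid output format shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): compare `ifconfig carp0`
# output with the values planned in the preparation table.
# Assumes the single-vhid output format shown on this page.

# carp_field OUTPUT KEY: print the word that follows KEY on the "carp:" line.
carp_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "carp:" { for (i = 2; i < NF; i++) if ($i == key) print $(i + 1) }'
}

# carp_check OUTPUT STATE VHID ADVSKEW VIP
# Prints one line per mismatch and returns 0 only if every value matches.
carp_check() {
    rc=0
    state=$(printf '%s\n' "$1" | awk '$1 == "carp:" { print $2 }')
    vip=$(printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }')
    vhid=$(carp_field "$1" vhid)
    skew=$(carp_field "$1" advskew)
    [ "$state" = "$2" ] || { echo "state: want $2, got ${state:-none}"; rc=1; }
    [ "$vhid" = "$3" ] || { echo "vhid: want $3, got ${vhid:-none}"; rc=1; }
    [ "$skew" = "$4" ] || { echo "advskew: want $4, got ${skew:-none}"; rc=1; }
    [ "$vip" = "$5" ] || { echo "inet: want $5, got ${vip:-none}"; rc=1; }
    return "$rc"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OK='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    carp: BACKUP carpdev vmx0 vhid 99 advbase 1 advskew 100
    status: backup
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'
# Constructed failure case: a typo in hostname.carp0 (vhid 98), so this
# node no longer sees the master and has promoted itself to MASTER.
SAMPLE_BAD='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    carp: MASTER carpdev vmx0 vhid 98 advbase 1 advskew 100
    status: master
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# On a real VM, pass "$(ifconfig carp0)" instead of the sample text.
carp_check "$SAMPLE_OK" BACKUP 99 100 192.0.2.10 && echo "vmtwo: ok"
carp_check "$SAMPLE_BAD" BACKUP 99 100 192.0.2.10 || echo "vmtwo: mismatch"
```

If VM2 reports MASTER while VM1 is up, the advertisements are not being accepted between the two VMs, so recheck the port group security policy, the vhid and the password on both sides.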