Last update: 2018-09-06
In this post I show you how to configure carp(4) on virtual machines that run on VMware vSphere. The setup will consist of two VMs running OpenBSD -current. Each VM gets one single vNIC.
As a preparation for this setup I’ve filled in the required information in the following table:
| Mgmt IP VM1 | 192.0.2.11 |
| Mgmt IP VM2 | 192.0.2.12 |
The network functionality that VMware vSphere provides for virtual machines comes along with a security policy. Using this policy you can prevent certain networking practices:
Rejecting all three can slightly improve the security in your network. But all three are required if you want to use carp(4). I recommend that you set all three to Accept for the port group your carp(4) interface will be connected to.
VM1 is my designated master and VM2 is the backup. To enforce this policy you need different values for the parameter advskew on each VM and the following sysctl(8) setting:
$ doas sysctl net.inet.carp.preempt=1
Write this setting to /etc/sysctl.conf. OpenBSD will set the value automatically during startup.
I will first configure the backup, then the master. On VM2 I create the file /etc/hostname.carp0 with the following content:
vhid 99 pass SharedSecret carpdev vmx0 advskew 100 192.0.2.10/24
To create and configure the interface you can use:
$ doas /bin/sh /etc/netstart
On VM1 the line in /etc/hostname.carp0 looks slightly different:
vhid 99 pass SharedSecret carpdev vmx0 192.0.2.10/24
Reboot both VMs to test the new configuration and make sure you don’t have any typos in your config files.
You can look at the carp0 interface using ifconfig(8) to perform a basic check of the configuration. On my VM2 I get the following output:
$ ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:53:67:89:ab
        index 4 priority 15 llprio 3
        carp: BACKUP carpdev vmx0 vhid 99 advbase 1 advskew 100
        groups: carp
        status: backup
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
On my VM1 the output is slightly different:
$ ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 150
        lladdr 00:00:5e:12:34:56
        index 4 priority 15 llprio 3
        carp: MASTER carpdev vmx0 vhid 81 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
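The basic check can also be scripted, so that a typo in vhid, carpdev or advskew shows up as a mismatch between /etc/hostname.carp0 and the running interface. This is an added example, not part of the original post: the function names kv and carp_verify and the sample lines are constructed here, and it assumes a single-line hostname.carp0 like the ones shown above.

```sh
#!/bin/sh
# Added example: compare the running carp(4) parameters with hostname.carp0.

# kv KEY WORD...: print the word that follows KEY, fail if KEY is absent.
kv() {
    key=$1; shift
    while [ $# -gt 1 ]; do
        [ "$1" = "$key" ] && { echo "$2"; return 0; }
        shift
    done
    return 1
}

# carp_verify CONFIG_LINE EXPECTED_STATE  (ifconfig output on stdin)
# Prints one line per mismatch, never the "pass" secret; returns 0 if all agree.
carp_verify() {
    cfg=$1 want_state=$2 rc=0
    live=$(grep -E '^[[:space:]]+carp: ') || { echo "no carp: line found"; return 2; }
    set -f                      # split into words without glob expansion
    state=$(kv carp: $live) || state=unknown
    [ "$state" = "$want_state" ] || { echo "state: expected $want_state, running $state"; rc=1; }
    for k in carpdev vhid advskew; do
        want=$(kv "$k" $cfg) || want=missing
        # Assumption: an omitted advskew means 0, as on VM1 above.
        [ "$k" = advskew ] && [ "$want" = missing ] && want=0
        got=$(kv "$k" $live) || got=missing
        [ "$want" = "$got" ] || { echo "$k: configured $want, running $got"; rc=1; }
    done
    set +f
    return $rc
}

# Constructed sample: VM2's config line and a carp: line with a mistyped vhid.
SAMPLE_CFG='vhid 99 pass SharedSecret carpdev vmx0 advskew 100 192.0.2.10/24'
SAMPLE_BAD='        carp: MASTER carpdev vmx0 vhid 98 advbase 1 advskew 100'
printf '%s\n' "$SAMPLE_BAD" | carp_verify "$SAMPLE_CFG" BACKUP || echo "carp0 check failed"

# On a real host (reading hostname.carp0 may require doas):
#   ifconfig carp0 | carp_verify "$(cat /etc/hostname.carp0)" BACKUP
```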
Your final test should be to ping the carp IP from a third system and shut down the current master while the ping is running. If everything works as expected you should not lose a single echo reply packet.