Re: CARP health check ?

2012-01-13 Thread rik
Just an idea, but you might consider giving private ip to the phydev and
using nrpe plugin for nagios so you'll be able to ping them from the inside
and report everything to your external nagios monitor

Alex

On Fri, Jan 13, 2012 at 5:12 AM, Илья Шипицин chipits...@gmail.com wrote:

 sounds nice.

 I came to something similar: just ssh to the external address and ping both
 carp peers (via internal addresses); if there are fewer than 2 answers, we
 are in trouble.

 your idea is also good.

 2012/1/13 Nick Holland n...@holland-consulting.net

  ok, let's try this idea...
 
  Your systems have ONE external address, but they can have as many
  internal addresses as desired, right?
 
  SO...let's say you have two CARP'd firewalls, FW1 and FW2.  They share
  external address of x.x.x.x.
 
                  FW1:       FW2:
  External        x.x.x.x    x.x.x.x   (same)
  Internal real   10.0.0.2   10.0.0.3
  internal CARP   10.0.0.1   10.0.0.1  (same)
 
  port 22 gets you ssh on the active firewall...but which is that?
 
  How about a PF ruleset that redirects port 2202 to 10.0.0.2 port 22 and
  port 2203 to 10.0.0.3?  Now you can find out anything you wish about
  either box ON DEMAND by selecting the port you ssh to?  If 2202 doesn't
  answer, you've lost fw1, if 2203 doesn't answer, you have lost fw2
 
  In addition to checking to see that the box is up, it's good to check
  for a sane CARP status -- i.e., all MASTER on one box, SLAVE on the
  other, plus other overall health issues.
 
  Nick.
 
  On 01/12/12 13:48, Илья Шипицин wrote:
   well, it's usually not possible.
   we use OpenBSD, because it supports carpdev option (FreeBSD does not
   support it)
  
   most of our carp clusters run on single address. no spare IP space.
  
   we could do ssh and ping carp peer (some trouble with preemption), but we
   do not want to stick with certain IP addresses. we would like to monitor
   in general
  
   1) define new carp cluster for monitoring
   2) ssh to it and monitor carp peer in general without specifying its
   address
  
   2012/1/13 Simon Perreault simon.perrea...@viagenie.ca
  
   On 01/12/2012 01:18 PM, Илья Шипицин wrote:
  
   we are using nagios for monitoring and it is running on separate server.
   we do not want to monitor server from inside.
   we want to run something via ssh and see whether carp peer is dead or
   not.
  
  
   Give each server its unique IP address.
   Use a third IP address for carp.
   Monitor all three addresses.
  
   Simon
   --
   DTN made easy, lean, and smart -- http://postellation.viagenie.ca
   NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
   STUN/TURN server               -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Justin Jereza
I think ifstated is what you want to use.

--
Composed on a phone.
On Jan 13, 2012 2:07 AM, Илья Шипицин chipits...@gmail.com wrote:

 Hello!


 I'm running OpenBSD with CARP (and because of CARP), 10 servers in total.
 Some of them preempt=1, some with preempt=0
 I'd like to know that the spare CARP server is up and running (and will play
 its part when the master server dies).

 questions are

 1) how to detect that server is master? any other way except parsing
 ifconfig output?

 2) how to detect whether carp peer is alive ?

 Cheers,
 Ilya Shipitsin



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
well, I need to make the question more certain.

we are using nagios for monitoring and it is running on separate server. we
do not want to monitor server from inside.
we want to run something via ssh and see whether carp peer is dead or
not.

probably we do not want to determine that we are carp master, because we
will always connect to master via ssh.

2012/1/13 Justin Jereza justinjer...@gmail.com

 I think ifstated is what you want to use.

 --
 Composed on a phone.
 On Jan 13, 2012 2:07 AM, Илья Шипицин chipits...@gmail.com wrote:

 Hello!


 I'm running OpenBSD with CARP (and because of CARP), 10 servers in total.
 Some of them preempt=1, some with preempt=0
 I'd like to know that the spare CARP server is up and running (and will play
 its part when the master server dies).

 questions are

 1) how to detect that server is master? any other way except parsing
 ifconfig output?

 2) how to detect whether carp peer is alive ?

 Cheers,
 Ilya Shipitsin



Re: CARP health check ?

2012-01-12 Thread Justin Jereza
I would still consider using ifstated to signal to the network monitor the
state of the interface.

An alternative that may be better though is to use SNMP.

--
Composed on a phone.



Re: CARP health check ?

2012-01-12 Thread Simon Perreault

On 01/12/2012 01:18 PM, Илья Шипицин wrote:

we are using nagios for monitoring and it is running on separate server. we
do not want to monitor server from inside.
we want to run something via ssh and see whether carp peer is dead or
not.


Give each server its unique IP address.
Use a third IP address for carp.
Monitor all three addresses.

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
STUN/TURN server               -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
well, it's usually not possible.
we use OpenBSD, because it supports carpdev option (FreeBSD does not
support it)

most of our carp clusters run on single address. no spare IP space.

we could do ssh and ping carp peer (some trouble with preemption), but we
do not want to stick with certain IP addresses. we would like to monitor
in general

1) define new carp cluster for monitoring
2) ssh to it and monitor carp peer in general without specifying its address

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

 On 01/12/2012 01:18 PM, Илья Шипицин wrote:

 we are using nagios for monitoring and it is running on separate server.
 we do not want to monitor server from inside.
 we want to run something via ssh and see whether carp peer is dead or
 not.


 Give each server its unique IP address.
 Use a third IP address for carp.
 Monitor all three addresses.

 Simon
 --
 DTN made easy, lean, and smart -- http://postellation.viagenie.ca
 NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
 STUN/TURN server               -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Simon Perreault

On 01/12/2012 01:49 PM, Илья Шипицин wrote:

most of our carp clusters run on single address. no spare IP space.


That's the root of the problem.

Use IPv6 for the non-carp addresses? RFC 1918? rdr on some ports?

Otherwise, you'll have to invent a hackish and fragile solution...

Simon
--
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
STUN/TURN server               -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
RFC1918 addresses are not routable.
there's no problem for carp peers to ping each other, I just cannot ping
both of them from Internet (where nagios is located)

the problem is to specify each peer's address in nagios config, I do not
want to depend on 10.0.0.2 for cluster1 peer and so on.
especially from preemption point of view.

I want to keep things simple.

1) there's another carp cluster at x.y.z.t
2) whether it is running in preemption mode or not, I connect to carp master
from Internet
3) there should be alive carp backup (at some rfc1918 address, which I do
not want to specify in nagios)
4) if backup is unreachable, we are in trouble

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

 On 01/12/2012 01:49 PM, Илья Шипицин wrote:

 most of our carp clusters run on single address. no spare IP space.


 That's the root of the problem.

 Use IPv6 for the non-carp addresses? RFC 1918? rdr on some ports?

 Otherwise, you'll have to invent a hackish and fragile solution...


 Simon
 --
 DTN made easy, lean, and smart -- http://postellation.viagenie.ca
 NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
 STUN/TURN server               -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Nick Holland
ok, let's try this idea...

Your systems have ONE external address, but they can have as many
internal addresses as desired, right?

SO...let's say you have two CARP'd firewalls, FW1 and FW2.  They share
external address of x.x.x.x.

                FW1:       FW2:
External        x.x.x.x    x.x.x.x   (same)
Internal real   10.0.0.2   10.0.0.3
internal CARP   10.0.0.1   10.0.0.1  (same)

port 22 gets you ssh on the active firewall...but which is that?

How about a PF ruleset that redirects port 2202 to 10.0.0.2 port 22 and
port 2203 to 10.0.0.3?  Now you can find out anything you wish about
either box ON DEMAND by selecting the port you ssh to?  If 2202 doesn't
answer, you've lost fw1, if 2203 doesn't answer, you have lost fw2

In addition to checking to see that the box is up, it's good to check
for a sane CARP status -- i.e., all MASTER on one box, SLAVE on the
other, plus other overall health issues.

Nick.

On 01/12/12 13:48, Илья Шипицин wrote:
 well, it's usually not possible.
 we use OpenBSD, because it supports carpdev option (FreeBSD does not
 support it)
 
 most of our carp clusters run on single address. no spare IP space.
 
 we could do ssh and ping carp peer (some trouble with preemption), but we
 do not want to stick with certain IP addresses. we would like to monitor
 in general
 
 1) define new carp cluster for monitoring
 2) ssh to it and monitor carp peer in general without specifying its address
 
 2012/1/13 Simon Perreault simon.perrea...@viagenie.ca
 
 On 01/12/2012 01:18 PM, Илья Шипицин wrote:

 we are using nagios for monitoring and it is running on separate server.
 we do not want to monitor server from inside.
 we want to run something via ssh and see whether carp peer is dead or
 not.


 Give each server its unique IP address.
 Use a third IP address for carp.
 Monitor all three addresses.

 Simon
 --
 DTN made easy, lean, and smart -- http://postellation.viagenie.ca
 NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
 STUN/TURN server               -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
sounds nice.

I came to something similar: just ssh to the external address and ping both
carp peers (via internal addresses); if there are fewer than 2 answers, we
are in trouble.

your idea is also good.

2012/1/13 Nick Holland n...@holland-consulting.net

 ok, let's try this idea...

 Your systems have ONE external address, but they can have as many
 internal addresses as desired, right?

 SO...let's say you have two CARP'd firewalls, FW1 and FW2.  They share
 external address of x.x.x.x.

                 FW1:       FW2:
 External        x.x.x.x    x.x.x.x   (same)
 Internal real   10.0.0.2   10.0.0.3
 internal CARP   10.0.0.1   10.0.0.1  (same)

 port 22 gets you ssh on the active firewall...but which is that?

 How about a PF ruleset that redirects port 2202 to 10.0.0.2 port 22 and
 port 2203 to 10.0.0.3?  Now you can find out anything you wish about
 either box ON DEMAND by selecting the port you ssh to?  If 2202 doesn't
 answer, you've lost fw1, if 2203 doesn't answer, you have lost fw2

 In addition to checking to see that the box is up, it's good to check
 for a sane CARP status -- i.e., all MASTER on one box, SLAVE on the
 other, plus other overall health issues.

 Nick.

 On 01/12/12 13:48, Илья Шипицин wrote:
  well, it's usually not possible.
  we use OpenBSD, because it supports carpdev option (FreeBSD does not
  support it)
 
  most of our carp clusters run on single address. no spare IP space.
 
  we could do ssh and ping carp peer (some trouble with preemption), but we
  do not want to stick with certain IP addresses. we would like to monitor
  in general
 
  1) define new carp cluster for monitoring
  2) ssh to it and monitor carp peer in general without specifying its
  address
 
  2012/1/13 Simon Perreault simon.perrea...@viagenie.ca
 
  On 01/12/2012 01:18 PM, Илья Шипицин wrote:
 
  we are using nagios for monitoring and it is running on separate server.
  we do not want to monitor server from inside.
  we want to run something via ssh and see whether carp peer is dead or
  not.
 
 
  Give each server its unique IP address.
  Use a third IP address for carp.
  Monitor all three addresses.
 
  Simon
  --
  DTN made easy, lean, and smart -- http://postellation.viagenie.ca
  NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
  STUN/TURN server               -- http://numb.viagenie.ca
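A check combining Nick's "sane CARP status" point with Ilya's ssh-and-ping approach, written here as an added example rather than code from the thread: run on the CARP master over ssh, it parses the state of every carp interface from ifconfig output and pings each peer's internal address passed as an argument. The sample ifconfig text is constructed, the port 2202 in the usage comment is Nick's hypothetical redirect, and the 2 s ping wait is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: a Nagios-style plugin run on the CARP master
# over ssh. It checks what Nick and Ilya describe: every carp interface on this box
# is in one sane state (all MASTER or all BACKUP), and each peer internal address
# given as an argument answers a ping. Exit codes: 0 OK, 2 CRITICAL (Nagios convention).
# Constructed sample of OpenBSD `ifconfig carp` output for offline testing.
# carp1 is BACKUP while carp0 is MASTER: a split state that Nick's check should flag.
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# carp_states: read ifconfig output on stdin, print "ifname STATE" per carp interface
carp_states() {
    awk '$1 ~ /^carp[0-9]+:$/ { ifn = substr($1, 1, length($1) - 1) }
         $1 == "carp:"        { print ifn, $2 }'
}

# classify_states: read "ifname STATE" lines, print OK when every interface is in
# the first interface's state and that state is MASTER or BACKUP; CRITICAL otherwise
# (INIT, a box that is MASTER on one vhid and BACKUP on another, or no carp at all)
classify_states() {
    awk 'NR == 1 { first = $2 }
         $2 != first || ($2 != "MASTER" && $2 != "BACKUP") { bad = 1 }
         END { if (NR == 0 || bad) print "CRITICAL"; else print "OK" }'
}

# count_alive: ping each address once, waiting up to 2 s, print how many answered
count_alive() {
    n=0
    for peer in "$@"; do
        ping -c 1 -w 2 "$peer" >/dev/null 2>&1 && n=$((n + 1))
    done
    echo "$n"
}

# Usage on the master, via a per-box ssh port as in Nick's PF redirect idea:
#   ssh -p 2202 x.x.x.x 'sh carp_check.sh 10.0.0.2 10.0.0.3'
if [ $# -gt 0 ]; then
    state=$(ifconfig carp | carp_states | classify_states)
    alive=$(count_alive "$@")
    echo "CARP $state, $alive/$# peers answered"
    [ "$state" = OK ] && [ "$alive" -eq $# ] && exit 0
    exit 2
fi
```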