12.5.3.1. Procedure – Configure Keepalived

  1. Create a cluster configuration with its network interfaces configured.

  2. Add the Virtual IP addresses to the Networking component by setting the interface type to keepalived.

    The type-specific parameters are 'Address' and 'Netmask'; they are the same as for the 'static' interface type.

    Figure 12.11. Setting interface type to 'Keepalived' in the Networking component

    Note

    If the type of the interface is keepalived, it must be an alias interface of an existing interface.

    If the type of the interface is keepalived in the Networking component, it cannot be disabled there. To disable a Virtual IP Address, do so in the configuration of the Keepalived component.

    When the Networking component is restarted, the Virtual IPs are dropped from the existing interfaces. To avoid this, add the keep-configuration interface option with the static value to those physical interfaces that carry keepalived alias interfaces.

    Note that once the static value is set, a restart of the Networking component no longer removes the old values of these interfaces after a change; the new values (for example IP address or subnet) are added alongside them. Temporarily setting keep-configuration to no and restarting the node is not advised, because the networking restart also removes every setting added by other sources. Instead, reboot the node after these values have been changed, or apply the changes manually and skip the restart. For details on configuring interface options, see Procedure 5.1.6.3.1, Configuring interface parameters.

  3. Add the keepalived component to the cluster configuration.

  4. Select the cluster in the configuration tree and click the New button below the Components in use subwindow on the Cluster tab to add the Keepalived component.

  5. Choose the Keepalived default template and change the component name, if needed.

    The Keepalived component appears in the configuration tree.

  6. Set the configuration options for the Keepalived component under the Configuration tab.

    Figure 12.12. The configuration options for Keepalived component under Configuration tab

    The configuration options are as follows:

    • Binding interface:

      The name of the interface Keepalived binds to.

    • Node IP address:

      This option must be a linked cluster property holding an IPv4 or IPv6 address; it is used as the source address of VRRP packets and also as the unicast peer IP address of this node on the other nodes.

      Example:

      A firewall cluster with three nodes and with their Node IP address cluster properties' value:

      • node-1: 10.0.0.1

      • node-2: 10.0.0.2

      • node-3: 10.0.0.3

      In this case, for node-2, the unicast source IP for Keepalived is 10.0.0.2, and the unicast peer IP addresses are 10.0.0.1 and 10.0.0.3.

    • Node priority:

      Defines the VRRP priority of the cluster nodes.

      Note

      It can be set to the same value for all nodes, or linked via cluster property to be different on all nodes.

    • Default state:

      The start-up default state of the nodes.

      Note

      It can be set to the same value for all nodes, or linked via cluster property to be different on all nodes.

      Note

      In a non-preemptive configuration, the state of all nodes must be BACKUP.

    • Virtual Router ID:

      The value for the VRRP Virtual Router Identifier (VRID).

      Note

      It can be set to the same value for all nodes. If it is linked via cluster property, it can be used for grouping nodes.

    • Debug level:

      Sets the debug level of the Keepalived VRRP module, from 0 to 4.

    • Preemptive:

      Enables or disables RFC-compliant VRRP preemption. When disabled, a lower-priority node keeps the master role even after a higher-priority node comes back online.

    • Do not track primary interface:

      Ignores faults of the VRRP interface. Useful for cross-connect VRRP configurations.

    • Check unicast source IP:

      Checks whether the source address of a received unicast packet belongs to a configured unicast peer.

    • Set shared key:

      The authentication password used in VRRP packets.

      Note

      Keepalived truncates passwords longer than 8 characters.

    • Virtual IP Addresses:

      This table contains the configured Virtual IP Addresses, in order of configuration precedence. It can contain only linked IP addresses that are configured in Networking on interfaces whose type is Keepalived.

      Note

      Because of a limitation of the VRRP protocol, the first VRRP packet can carry at most 20 IP addresses; the remaining Virtual IP Addresses are advertised later in extra packets.

      Note

      When IPv4 and IPv6 Virtual IP Addresses are mixed, there is a further limitation of the VRRP protocol: in the first VRRP packet, all IP addresses must belong to the same address family as the first item. IP addresses of the other address family are advertised later in extra packets.
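    The options above map almost one-to-one onto keepalived.conf directives. The following added example (not the product's own configuration generator) shows that mapping for the three-node unicast example from the Node IP address option: it derives unicast_src_ip and the unicast_peer list for one node, validates the constraints the notes state (VRID range, debug range, BACKUP state everywhere when preemption is off), and flags a shared key longer than 8 characters, which Keepalived would otherwise silently truncate so that the effective password differs from the one the administrator believes is in use. Node names, the interface name eth0, VRID 51, the keys and the virtual IP are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample data mirroring the three-node example in the text.
# Interface name, VRID, keys and virtual IPs are illustrative assumptions.

@dataclass
class Node:
    name: str
    node_ip: str            # "Node IP address" cluster property
    priority: int           # "Node priority"
    state: str = "BACKUP"   # "Default state"

@dataclass
class KeepalivedOptions:
    binding_interface: str
    virtual_router_id: int
    preemptive: bool
    shared_key: str
    virtual_ips: List[str]
    debug_level: int = 0
    dont_track_primary: bool = False
    check_unicast_src: bool = True

AUTH_PASS_MAX = 8  # Keepalived silently truncates auth_pass beyond 8 characters

SAMPLE_NODES = [
    Node("node-1", "10.0.0.1", 150),
    Node("node-2", "10.0.0.2", 100),
    Node("node-3", "10.0.0.3", 50),
]
SAMPLE_OPTS = KeepalivedOptions("eth0", 51, False, "vrrpkey1", ["192.0.2.10/24"])
# Weak variant: the key is longer than 8 characters, so only "vrrpkey1" is
# used on the wire while the operator believes "vrrpkey1-longer" is.
SAMPLE_OPTS_LONG_KEY = KeepalivedOptions("eth0", 51, False, "vrrpkey1-longer", ["192.0.2.10/24"])


def unicast_addresses(nodes, this_node):
    """Derive unicast_src_ip and the unicast_peer list from the Node IP properties."""
    src = this_node.node_ip
    peers = [n.node_ip for n in nodes if n.name != this_node.name]
    families = {ipaddress.ip_address(ip).version for ip in [src] + peers}
    if len(families) != 1:
        raise ValueError("node IP addresses must all be IPv4 or all be IPv6")
    return src, peers


def validate(opts, nodes):
    """Return a list of configuration problems (empty when the settings are consistent)."""
    problems = []
    if not 1 <= opts.virtual_router_id <= 255:
        problems.append("Virtual Router ID must be between 1 and 255")
    if not 0 <= opts.debug_level <= 4:
        problems.append("Debug level must be between 0 and 4")
    if len(opts.shared_key) > AUTH_PASS_MAX:
        problems.append(f"shared key is truncated to its first {AUTH_PASS_MAX} characters")
    if not opts.preemptive and any(n.state != "BACKUP" for n in nodes):
        problems.append("non-preemptive configuration requires Default state BACKUP on every node")
    for vip in opts.virtual_ips:
        ipaddress.ip_interface(vip)  # raises ValueError on a malformed address
    return problems


def render(opts, nodes, this_node):
    """Render the vrrp_instance block for one node (assumed mapping, not the product's output)."""
    src, peers = unicast_addresses(nodes, this_node)
    lines = [
        "vrrp_instance VI_1 {",
        f"    state {this_node.state}",
        f"    interface {opts.binding_interface}",
        f"    virtual_router_id {opts.virtual_router_id}",
        f"    priority {this_node.priority}",
    ]
    if not opts.preemptive:
        lines.append("    nopreempt")
    if opts.dont_track_primary:
        lines.append("    dont_track_primary")
    if opts.check_unicast_src:
        lines.append("    check_unicast_src")
    lines.append(f"    unicast_src_ip {src}")
    lines.append("    unicast_peer {")
    lines += [f"        {p}" for p in peers]
    lines.append("    }")
    lines += [
        "    authentication {",
        "        auth_type PASS",
        f"        auth_pass {opts.shared_key[:AUTH_PASS_MAX]}",  # what actually goes on the wire
        "    }",
        "    virtual_ipaddress {",
    ]
    lines += [f"        {vip}" for vip in opts.virtual_ips]
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in validate(SAMPLE_OPTS_LONG_KEY, SAMPLE_NODES):
        print("warning:", problem)
    print(render(SAMPLE_OPTS, SAMPLE_NODES, SAMPLE_NODES[1]))
```

    Running the block prints the truncation warning for the long key and the vrrp_instance block for node-2, with unicast_src_ip 10.0.0.2 and peers 10.0.0.1 and 10.0.0.3, exactly as the Node IP address example describes.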

  7. Configure the following options of the Keepalived component under the Service failover tab.

    Figure 12.13. Configuring Keepalived component under Service failover tab

    • Service:

      In this table, systemd service actions can be configured that are executed after a state change on the new master or backup nodes.

      Service actions are: start, stop, restart and reload.

      Note

      Consider disabling the listed systemd services to avoid unrequested actions taking place, in some cases even in parallel, for example the service running on both nodes instead of on only one node.

      Note

      Service names are suggested in the drop-down menu according to the modules added to the cluster configuration. Free-text service names can also be entered.

      Note

      It is not necessary to set an action for both the master and the backup node; it can be set for only one of them.

    • External failover notification scripts:

      User scripts can be entered or selected from a list; they are executed on the hosts after a state change has taken place.

      Warning

      There are strict requirements on the permissions of the selected script files; without them, no action is executed. The file must be owned by the root user and group, and no other user may have write permission on it. The same applies to every directory in the file's path: none of them may be writable by anyone except the root user and group.

      Note

      In the drop-down menus, a file that is managed in a Freetext plugin for this cluster can be selected.
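    The permission rule in the warning above is the one that prevents a non-root user from swapping in their own code to run as root on every failover. The following added check (not the product's own validation logic) walks the script and every directory above it and reports each violation of that rule: ownership other than root:root, or a group- or other-writable mode. The stat function is injectable so the example runs offline against a constructed fake filesystem; the paths, uids and modes in FAKE_FS are sample values, and the owner-executable test on the script itself is an added assumption beyond the rules the page lists.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace


def check_notify_script(path, stat_fn=os.stat):
    """Return the permission problems that would make Keepalived skip the script.

    Mirrors the documented rules: the file and every directory above it must be
    owned by uid 0 / gid 0 and must not be writable by group or others.
    stat_fn is injectable so the check can be exercised against constructed data.
    Note that os.stat follows symlinks, so each stat reflects the final target.
    """
    problems = []
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [f"{path}: script path must be absolute"]
    # Check the file itself first, then each parent directory up to "/".
    for entry in [p, *p.parents]:
        try:
            st = stat_fn(str(entry))
        except FileNotFoundError:
            problems.append(f"{entry}: does not exist")
            continue
        if st.st_uid != 0 or st.st_gid != 0:
            problems.append(f"{entry}: not owned by root:root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{entry}: writable by group or others")
        if entry == p:
            if not stat.S_ISREG(st.st_mode):
                problems.append(f"{entry}: not a regular file")
            # Executable bit: an added assumption, not one of the page's listed rules.
            elif not st.st_mode & stat.S_IXUSR:
                problems.append(f"{entry}: not executable by owner")
        elif not stat.S_ISDIR(st.st_mode):
            problems.append(f"{entry}: not a directory")
    return problems


# Constructed fake filesystem: path -> (uid, gid, mode). Sample values only.
FAKE_FS = {
    "/": (0, 0, stat.S_IFDIR | 0o755),
    "/etc": (0, 0, stat.S_IFDIR | 0o755),
    "/etc/keepalived": (0, 0, stat.S_IFDIR | 0o755),
    "/etc/keepalived/notify.sh": (0, 0, stat.S_IFREG | 0o750),
    "/tmp": (0, 0, stat.S_IFDIR | 0o1777),            # world-writable parent
    "/tmp/notify.sh": (0, 0, stat.S_IFREG | 0o755),
    "/home": (0, 0, stat.S_IFDIR | 0o755),
    "/home/ops": (1000, 1000, stat.S_IFDIR | 0o755),  # not root-owned
    "/home/ops/notify.sh": (1000, 1000, stat.S_IFREG | 0o755),
}


def fake_stat(path):
    """Stand-in for os.stat that answers from FAKE_FS."""
    try:
        uid, gid, mode = FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)


if __name__ == "__main__":
    for script in ("/etc/keepalived/notify.sh", "/tmp/notify.sh", "/home/ops/notify.sh"):
        found = check_notify_script(script, stat_fn=fake_stat)
        print(script, "OK" if not found else "; ".join(found))
```

    With the constructed data, only /etc/keepalived/notify.sh passes; /tmp/notify.sh fails because /tmp is world-writable even though the file itself is fine, and /home/ops/notify.sh fails on ownership of both the file and its parent. To run the same check on a real host, call check_notify_script with the default os.stat.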

  8. Configure the following items under the E-mail notification tab of the Keepalived component.

    Figure 12.14. Configuring Keepalived component under E-mail notification tab

    • SMTP server:

      The IP address or domain name of the SMTP server to use.

      Note

      An optional port parameter can be added; the default value is 25.

    • Notification email from:

      The sender address placed in the From header field of the notification e-mail.

    • SMTP connect timeout:

      The SMTP server connection timeout in seconds.

    • E-mail notification recipients:

      The list of e-mail addresses to which notifications on state changes are sent.

    Tip

    Maintenance tip: if the firewall administrator wants to change the state of the cluster nodes manually ("switch over"), it can be done as follows:

    • Restart (or, in a preemptive configuration, stop) the Keepalived service with Control Service on those nodes that are not meant to be master nodes.

    Also consider the Virtual Router IDs: if not all nodes have the same ID, restart (or stop) the Keepalived service only on those nodes that share the same ID.

    Note

    After completing the Keepalived configuration, the Management Access component may become Invalidated if a Keepalived packet filter rule entry has been added or changed. The created rule allows VRRP traffic from all possible node IP addresses to enter the cluster hosts. The Virtual Router ID helps identify the relevant VRRP packets when there are multiple node groups.