From owner-freebsd-stable@FreeBSD.ORG Fri Jul 7 09:17:48 2006
Date: Fri, 7 Jul 2006 13:17:35 +0400
From: Dmitriy Kirhlarov
To: freebsd-stable@freebsd.org
Subject: Re: carp+pfsync+freevrrpd+jail
Message-ID: <20060707091734.GA38936@dimma.mow.oilspace.com>
In-Reply-To: <44AD688A.6050408@nikiforov.ru>
X-Operating-System: FreeBSD 5.4-STABLE
User-Agent: mutt-ng/devel-r581 (FreeBSD)

Hi!

First of all: if you're using carp, you need ports/net/ifstated, not freevrrpd.

On Thu, Jul 06, 2006 at 11:46:18PM +0400, Anton Nikiforov wrote:
> What I have is that when I'm pinging the carp0 (inet) or carp1 (lan)
> interface's IP address of my firewall, I'm receiving DUP responses. One
> from carp and the other from freevrrpd.
> And when host2 is the slave and I'm starting to ping the carp0 address,
> no traffic appears on the master host; that means that the local carp
> interface is responding to my packets.

Yep. Full standby mode (backup doesn't have the shared IP) is not implemented now.

> That means that in case some service (provided by a jail managed by
> freevrrpd) is accessed from outside, I cannot be sure which host will
> answer the request.

I don't understand your idea. Do you want to start/stop the jail when the master node goes down/up?

> I have done some tests. When I'm sshing to the virtual IP, sometimes
> I'm getting an ssh prompt and can log in, sometimes it says that the
> host auth info is bad (yes, because the second server is answering me at
> this time), and sometimes I'm losing the ssh connection while the
> session is active.

Use the 'advbase' and 'advskew' params on both hosts to control the status of the nodes explicitly.

> No balance needed. I want to have some services run in the main OS, some
> services run in a jail, and I want to be sure which host will answer
> the request when both hosts are up and running.

Be careful if you want to use the carp IP inside a jail. Only the master node can get data from the external world.

I tried to make this schema:

           ldap1
          /     \
     ldapn1     ldapn2
       |          |
       |          |
       |          |
    clients    clients

Where ldap1 -- master ldap server. ldapn1, ldapn2 -- jails on different hosts on the carp shared IP. They connect to ldap1 and get fresh data from the master ldap server.

I found that only the master node can start successfully. The jail on the backup node can't start, because the ldap server can't start. It can't start because it can't successfully connect to ldap1: ldapn2 sends SYN, ldap1 returns SYN+ACK, and the switch delivers this packet to ldapn1 -- the active master node.

In order to have this schema working, both nodes must have a personal IP and the shared IP, but it's impossible within the current jail implementation.

WBR
--
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com
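As an added example (not code from this thread), a small Python check that parses the carp status lines of `ifconfig` output from both hosts and flags the two conditions the reply is about: more than one node in MASTER state for a vhid (the DUP-reply case), and identical advbase/advskew on both hosts, which leaves the election undetermined. The hostnames, addresses and ifconfig output are constructed samples; the status-line layout assumed is the FreeBSD 6-era carp(4) one.

```python
import re

# Constructed `ifconfig carp0` output from two hosts sharing vhid 1, in the
# FreeBSD 6-era carp(4) status-line format (addresses made up). Both run
# the default advbase/advskew and both claim MASTER: the DUP!-reply case.
BROKEN = {
    "host1": "carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500\n"
             "\tinet 192.0.2.10 netmask 0xffffff00\n"
             "\tcarp: MASTER vhid 1 advbase 1 advskew 0\n",
    "host2": "carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500\n"
             "\tinet 192.0.2.10 netmask 0xffffff00\n"
             "\tcarp: MASTER vhid 1 advbase 1 advskew 0\n",
}
# The same pair after giving each host an explicit, distinct advskew.
FIXED = {
    "host1": "\tcarp: MASTER vhid 1 advbase 1 advskew 0\n",
    "host2": "\tcarp: BACKUP vhid 1 advbase 1 advskew 100\n",
}

CARP_RE = re.compile(
    r"carp:\s+(\w+)\s+vhid\s+(\d+)\s+advbase\s+(\d+)\s+advskew\s+(\d+)")

def parse_carp(text):
    """Map vhid -> (state, advbase, advskew) from one host's ifconfig output."""
    return {int(v): (st, int(b), int(s)) for st, v, b, s in CARP_RE.findall(text)}

def adv_interval(advbase, advskew):
    """Advertisement interval in seconds (advbase + advskew/256); the node
    that advertises most often, i.e. the smallest interval, wins the election."""
    return advbase + advskew / 256.0

def check_vhid(outputs, vhid):
    """Return (masters, expected_master, findings) for one vhid across hosts.
    expected_master is None when two hosts advertise at the same interval."""
    nodes = {h: parse_carp(t).get(vhid) for h, t in outputs.items()}
    findings = [f"{h}: vhid {vhid} not configured" for h, n in nodes.items() if n is None]
    nodes = {h: n for h, n in nodes.items() if n is not None}
    masters = sorted(h for h, (st, _, _) in nodes.items() if st == "MASTER")
    if len(masters) != 1:
        findings.append(f"vhid {vhid}: {len(masters)} MASTER nodes, expected exactly 1")
    intervals = {h: adv_interval(b, s) for h, (_, b, s) in nodes.items()}
    best = min(intervals.values(), default=None)
    winners = sorted(h for h, i in intervals.items() if i == best)
    if len(winners) > 1:
        findings.append(f"vhid {vhid}: equal advbase/advskew on {', '.join(winners)}; "
                        "give each host a distinct advskew")
    return masters, winners[0] if len(winners) == 1 else None, findings
```

Run `check_vhid(BROKEN, 1)` and `check_vhid(FIXED, 1)` to compare the two states; the second returns a single master and no findings.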