Maniphest T1972

Allow setting interface name for virtual_ipaddress in VRRP VRID
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	_mrplow
	Jan 20 2020, 8:59 AM

Description

keepalived allows to set an interface in the virtual_ipaddress context that differs from the interface set in the VRID settings. This allows for a dedicated VRRP interface to be used and virtual addresses to be set on another interface.

The configuration would look like this for keepalived:

vrrp_instance VRID100 {
	state BACKUP
	preempt_delay 180

        # this interface is used for VRRP multicast traffic
	interface eth0
	virtual_router_id 100
	priority 100
	advert_int 1
	virtual_ipaddress {
                # this address gets bound to eth1 instead of eth0
		192.0.2.1/24 dev eth1
	}
}

As for the Vyos configuration, I imagine something like this:

high-availability {
    vrrp {
        group VRID100 {
            interface eth0
            preempt-delay 180
            priority 100
            virtual-address 192.0.2.1/24 {
                dev eth1
            }
            vrid 100
        }
    }
}

Due to this configuration, no IPv4 address needs to be configured on eth1 for keepalived to be able to bind the address to it. Only the VRRP interface (here: eth0) needs to have an address configured. This adds security to a setup where you do not control every device in your L2 segment that is connected to eth1 because you would keep the multicast traffic in a secure environment (e. g. a direct cable between two Vyos boxes).

But this setup also depends on track_interface to be set for eth1 and dont_track_primary set in the vrrp_instance context. So in conclusion, the keepalived configuration would look like this:

vrrp_instance VRID100 {
	state BACKUP
	preempt_delay 180

        # this interface is used for VRRP multicast traffic
	interface eth0

        # dont track eth0 
        dont_track_primary
	virtual_router_id 100
	priority 100
	advert_int 1

        # track the desired interface for the virtual addresses
        track_interface {
            eth1
        }
	virtual_ipaddress {
                # this address gets bound to eth1 instead of eth0
		192.0.2.1/24 dev eth1
	}
}

Is this something, that can be done?

Details

Difficulty level: Normal (likely a few hours)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Config syntax change (migratable)
Issue type: Feature (new functionality)

Related Objects

Mentioned In: 1.3.3
1.3.1

Event Timeline

_mrplow created this task.Jan 20 2020, 8:59 AM

pasik added a subscriber: pasik.Jan 20 2020, 9:54 PM

erkin set Issue type to Feature (new functionality).Aug 31 2021, 5:52 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM

Viacheslav added a project: VyOS 1.4 Sagitta.Dec 29 2021, 3:55 PM

This sounds like a "peer-link" or "heartbeat-link" between two VyOS boxes. I have yet no idea how the CLI could look like, maybe you have one?

If CLI design is complete it should not be hard to implement this for 1.4

c-po triaged this task as Low priority.Dec 31 2021, 7:59 AM

c-po removed a project: VyOS 1.3 Equuleus (1.3.0).

c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).

How about starting with a simple interface and allowing to set interface for binding address?

set high-availability vrrp group foo address 203.0.113.1 interface ethX      
Possible completions:
 > ethN         Interfcae used to assign virtual address
 > eth0         
 > eth1         
 > eth2

PR https://github.com/vyos/vyos-1x/pull/1143

set high-availability vrrp group WAN address 192.0.2.55/24
set high-availability vrrp group WAN address 192.168.222.222/24 interface 'eth2'
set high-availability vrrp group WAN address 198.51.100.111/24
set high-availability vrrp group WAN interface 'eth0'
set high-availability vrrp group WAN no-preempt
set high-availability vrrp group WAN priority '200'
set high-availability vrrp group WAN track-options notrack-main-interface
set high-availability vrrp group WAN track-options track-interface 'eth2'
set high-availability vrrp group WAN track-options track-interface 'eth1'
set high-availability vrrp group WAN vrid '100'

Keepalived configuration:

vrrp_instance WAN {
    state BACKUP
    interface eth0
    virtual_router_id 100
    priority 200
    advert_int 1
    dont_track_primary
    nopreempt
    virtual_ipaddress {
        192.0.2.55/24
        192.168.222.222/24 dev eth2
        198.51.100.111/24
    }
    track_interface {
        eth2
        eth1
    }
}

Viacheslav closed this task as Resolved.Jan 14 2022, 8:11 PM

Viacheslav claimed this task.

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Is there any chance to backport this to 1.3x ?
It makes migration from cluster way easier.

@Alexey.Kirillov it required more tests and responses from 1.4
Could you test it?

sure, I'll test 1.4 rolling
but if this feature simply adds "dev XXX" to virtual_address in vrrp config that shouldn't break much

works as expected:

vyos@vyos# run sh ver | head -2

Version:          VyOS 1.4-rolling-202202140317

vyos@vyos# run sh conf com | grep high
set high-availability vrrp group test address 192.168.87.200/24 interface 'eth1.100'
set high-availability vrrp group test address 192.168.88.200/24
set high-availability vrrp group test interface 'eth1'
set high-availability vrrp group test priority '200'
set high-availability vrrp group test vrid '100'
[edit]
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth1             192.168.88.201/24                 u/u
                 192.168.88.200/24
eth1.100         192.168.87.200/24                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
[edit]
vyos@vyos# cat /run/keepalived/keepalived.conf
# Autogenerated by VyOS
# Do not edit this file, all your changes will be lost
# on next commit or reboot

global_defs {
    dynamic_interfaces
    script_user root
    notify_fifo /run/keepalived/keepalived_notify_fifo
    notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}

vrrp_instance test {
    state BACKUP
    interface eth1
    virtual_router_id 100
    priority 200
    advert_int 1
    preempt_delay 0
    virtual_ipaddress {
        192.168.87.200/24 dev eth1.100
        192.168.88.200/24
    }
}

also I've tested IP migration - disabled vrrp group on 1st router, and got this on 2nd:

vyos@vyos# run sh vrrp
Name    Interface      VRID  State      Priority  Last Transition
------  -----------  ------  -------  ----------  -----------------
test    eth1            100  MASTER          100  3s
[edit]
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth1             192.168.88.202/24                 u/u
                 192.168.88.200/24
eth1.100         192.168.87.200/24                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128

Viacheslav reopened this task as In progress.Feb 16 2022, 2:57 PM

Viacheslav added a project: VyOS 1.3 Equuleus ( 1.3.1).

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1224

Viacheslav changed the task status from In progress to Needs testing.Feb 17 2022, 3:53 PM

Viacheslav closed this task as Resolved.May 10 2022, 10:37 AM

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.

dmbaturin mentioned this in 1.3.1.Jun 11 2022, 8:40 AM

dmbaturin mentioned this in 1.3.3.Sep 22 2022, 10:56 AM

Allow setting interface name for virtual_ipaddress in VRRP VRIDClosed, ResolvedPublicFEATURE REQUESTActions

Description

Details

Related Objects

Event Timeline

Allow setting interface name for virtual_ipaddress in VRRP VRID
Closed, ResolvedPublicFEATURE REQUEST
Actions