Re: Failover/High Availability, Virtual Server support in OpenBSD

Okay, the whole "High Available" phase encompasses a concept, a way of thinking. Evan Marcus and Hal Stern wrote a book on it.

It can be a couple systems, it can be a whole network. It's a vague term.

In creating levels of uptime (5 9's leads to insane costs and very little down time), you have several choices, depending on what you are doing.

Serving web pages is often easy. You can do it at the app layer and layer 3. Static and database driven apps can do really well with a load balancer. I prefer hardware ones (cisco, bigip, etc). They tend to not eat it so much, they aren't running so much, they offer options I've mentioned before, like "knowing" that machine A is getting a little unresponsive and coping.

DNS does it in the protocol. Put up two servers. Same for SMTP. Firewalls? Well, routing was invented for this. OSPF is a great way to get packets out. But you don't really define "firewall".

For things like VPN servers, I start by stripping machines down to their core. Where are failures likely? Moving parts and cables. For small stuff, a box that boots from CF works great for me. Should it fail, I swap machines (it loses connections, but that's acceptable since it's going to be excessively rare and cost a lot less than a system that takes special training and requires idle machines). A load balancer might also work for you there - all connections maintain a state and go to one of N machines. Should a machine fail, yeah, you lose the VPN state (rare), but you have an automatic switch over. In the meantime, the end machines are stock unix boxes that don't require training.

For traditional failover package events, having an interface (or many) that are part of an HA set is straightforward. You obviously use 2+ public networks, and multiple routers, but on the machines (primary/secondary), you simply toss around an IPaddress/Macaddress pair. Private interfaces are used to do interference free poking to make sure that the other guy is truly down. The program that pokes/listens to the other machine has been written several times. It's not really a complex concept (we initially used a ping-derivative to probe specific interfaces).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek

Service based failovers (take over a shared disk, perhaps then startup a database server) get complex and it out of the scope of free answers on an offtopic question without lots more information.

Quoting Jaimie Livingston (Jaimie.Livingston@HAHT.com):
> Sorry for the delay in replying, but I've been offline for a few days.
Received on Sat Nov 16 13:02:20 2002