Documentation


Viewing posts for the category Omarine User's Manual

Building a fault-tolerant firewall system with virtual machines: Load balancing

Load balancing goes hand in hand with high availability (HA). Two servers, srv-1 and srv-2, are added to the network topology:

The omarine server running keepalived acts as a virtual server that distributes connections equally between the real servers srv-1 and srv-2: every connection to the virtual server is forwarded to one of the real servers. Keepalived health-checks the real servers and takes a failed server out of the pool. A quorum is set, the minimum total weight the live servers in the pool must have. If a real server fails and the total weight of the remaining live servers drops below the quorum, connections go to a sorry server instead. In this example we create a virtual Web service. The home pages of the servers read as follows:

    • Real server srv-1: Hello, I am server 1.
    • Real server srv-2: Hello, I am server 2.
    • The sorry server: Sorry, the quorum was not achieved!

The quorum is set to 2. At startup both real servers are healthy, so the quorum is met. Visiting http://omarine.omarine.co several times from the client, the connections go to srv-1 and srv-2 alternately. Then we stop the service on srv-1. Now the quorum is no longer reached and we are sent to the home page of the sorry server on omarine.


The configuration file is as follows:
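The following is an added example and not the post's configuration file: a keepalived virtual_server section for the setup described above (two real servers, round-robin, HTTP health checks, quorum 2, sorry server), kept in its own file that keepalived.conf pulls in with the include directive. The addresses of srv-1, srv-2 and the sorry page, the port, lb_kind NAT and the file path are assumptions; the page gives none of them. The script also carries a small probe that classifies the home-page text returned by the VIP, so you can watch connections alternate and then fall over to the sorry server.

```shell
#!/bin/sh
# Added example, not the post's keepalived.conf: the virtual_server section
# for the load-balanced Web service described above. Assumed values (the page
# gives none): all addresses, the port, lb_kind NAT and the config path.
VIP=192.168.2.100            # VIP held by whichever firewall is MASTER
VPORT=80
RS1=10.0.0.11                # assumed address of srv-1
RS2=10.0.0.12                # assumed address of srv-2
SORRY=127.0.0.1              # assumed: sorry page served on omarine itself
CONF=/etc/keepalived/lb.conf # pulled in by: include /etc/keepalived/lb.conf

# Render the virtual_server block. Both real servers have weight 1, so
# "quorum 2" means both must pass their health check; losing either one
# drops the live weight to 1 and keepalived switches to the sorry server.
render_lb_conf() {
    cat <<EOF
virtual_server $VIP $VPORT {
    delay_loop 6             # seconds between health-check rounds
    lb_algo rr               # round-robin: srv-1 and srv-2 take turns
    lb_kind NAT              # assumed; DR or TUN are the alternatives
    protocol TCP
    quorum 2                 # minimum live weight before real servers are used
    sorry_server $SORRY $VPORT

    real_server $RS1 $VPORT {
        weight 1
        HTTP_GET {
            url {
                path /
                status_code 200
            }
            connect_timeout 3
        }
    }
    real_server $RS2 $VPORT {
        weight 1
        HTTP_GET {
            url {
                path /
                status_code 200
            }
            connect_timeout 3
        }
    }
}
EOF
}

# Map a home-page body (the three texts from the post) to the server that
# produced it, so the probe below can show where each connection landed.
classify_reply() {
    case "$1" in
        *"I am server 1"*)           echo srv-1 ;;
        *"I am server 2"*)           echo srv-2 ;;
        *"quorum was not achieved"*) echo sorry ;;
        *)                           echo unknown ;;
    esac
}

# The quorum rule keepalived applies: the summed weights of the live real
# servers must reach the quorum. Usage: quorum_met <quorum> <weight>...
quorum_met() {
    q=$1; shift; total=0
    for w in "$@"; do total=$((total + w)); done
    [ "$total" -ge "$q" ]
}

# Connect to the VIP n times and print which server answered each time.
# Both servers up: srv-1, srv-2, srv-1, ...  After stopping srv-1: sorry.
probe_vip() {
    n=${1:-6}; i=0
    while [ "$i" -lt "$n" ]; do
        body=$(curl -s --max-time 3 "http://$VIP:$VPORT/") || body=""
        i=$((i + 1))
        echo "$i: $(classify_reply "$body")"
    done
}

# Write the file and syntax-check the whole configuration before reloading.
apply_lb_conf() {
    render_lb_conf > "$CONF"
    keepalived --config-test && systemctl reload keepalived
}

# Only touch the system when asked:  sh lb.sh apply | sh lb.sh probe 10
case "${1:-}" in
    apply) apply_lb_conf ;;
    probe) probe_vip "${2:-6}" ;;
esac
```

With srv-1 stopped, the HTTP_GET check fails after connect_timeout and keepalived logs the quorum loss before switching the service to the sorry server; run the probe before and after stopping srv-1 to see the change. The health check only tells keepalived that a server answers with 200, not that it is trustworthy, so the real servers still need their own hardening.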

Building a fault-tolerant firewall system with virtual machines: Configuring HA and conntrackd

Once the network topology has been established, configuring the HA and conntrackd becomes simple.

HA Configuration
Keepalived uses the Virtual Router Redundancy Protocol (VRRP) to provide the HA system. We take the sample keepalived.conf from the doc/sync directory of the conntrack-tools package, copy it to /etc/keepalived and adjust the parameters. The resulting configuration file is as follows:
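As an added example, not the post's actual files, here is a VRRP configuration written in the spirit of the conntrack-tools doc/sync sample together with the conntrackd Sync section that goes with it. The notify scripts hand every VRRP state change to primary-backup.sh, which is what makes conntrackd follow the failover. Interface names, router ids, priorities, the outside VIP, the sync-link addresses and the multicast group are assumptions; only the inside VIP 192.168.2.100 comes from the post.

```shell
#!/bin/sh
# Added example, not the post's files: VRRP configuration in the spirit of the
# conntrack-tools doc/sync sample, plus the matching conntrackd Sync section.
# Assumed: interface names, router ids, priorities, the outside VIP, the sync
# link addresses and the multicast group. Run with ROLE=BACKUP PRIO=50 NODE=2
# on fw-2; the inside VIP 192.168.2.100 is the one from the post.
ROLE=${ROLE:-MASTER}; PRIO=${PRIO:-100}; NODE=${NODE:-1}
INT_IF=eth1;  INT_VIP=192.168.2.100
EXT_IF=eth0;  EXT_VIP=203.0.113.100          # assumed outside VIP
SYNC_IF=eth2; SYNC_ADDR=192.168.100.$NODE    # assumed dedicated sync link
NOTIFY=/etc/conntrackd/primary-backup.sh     # script shipped in doc/sync
VRRP_PASS=${VRRP_PASS:-papas8ch}             # at most 8 chars, sent in clear

# One vrrp_instance. auth_type PASS is not a security control (the password
# travels in clear text in every advertisement); keep VRRP on a segment the
# client cannot inject into, or filter protocol 112 to 224.0.0.18 at the edge.
render_instance() {
    cat <<EOF
vrrp_instance $1 {
    state $ROLE
    interface $2
    virtual_router_id $3
    priority $PRIO
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass $VRRP_PASS
    }
    virtual_ipaddress {
        $4/24 dev $2
    }
}
EOF
}

# Both VIPs fail over together, and conntrackd is told about each transition
# so the new MASTER commits the replicated connection table before forwarding.
render_vrrp_conf() {
    cat <<EOF
vrrp_sync_group G1 {
    group {
        VI_INT
        VI_EXT
    }
    notify_master "$NOTIFY primary"
    notify_backup "$NOTIFY backup"
    notify_fault  "$NOTIFY fault"
}
$(render_instance VI_INT "$INT_IF" 61 "$INT_VIP")
$(render_instance VI_EXT "$EXT_IF" 62 "$EXT_VIP")
EOF
}

# Sync traffic is neither authenticated nor encrypted, so the sync link must
# carry nothing else. The Ignore list keeps the firewalls' own connections
# (sync, VRRP, admin sessions to the VIPs) out of the replicated table.
render_conntrackd_conf() {
    cat <<EOF
Sync {
    Mode FTFW {
        DisableExternalCache Off
        CommitTimeout 1800
        PurgeTimeout 5
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface $SYNC_ADDR
        Interface $SYNC_IF
        Checksum on
    }
}
General {
    Nice -20
    Syslog on
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address $SYNC_ADDR
            IPv4_address $INT_VIP
            IPv4_address $EXT_VIP
        }
    }
}
EOF
}

# sh ha.sh apply   (then: systemctl restart conntrackd keepalived)
case "${1:-}" in
    apply) render_vrrp_conf > /etc/keepalived/keepalived.conf
           render_conntrackd_conf > /etc/conntrackd/conntrackd.conf
           keepalived --config-test ;;
esac
```

Use different priorities on fw-1 and fw-2 so the election is deterministic, and keep the VRRP password identical on both nodes; a mismatch silently turns both firewalls into MASTER. The sync traffic and the VRRP advertisements carry no real authentication, so the segments they traverse must be reachable only by the two firewalls.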

Building a fault-tolerant firewall system with virtual machines: Routing

Routing is an interesting and important issue. Besides keeping traffic flowing smoothly, routing determines the path a packet takes, and therefore which firewall gets to filter it.
We start from the client. There are two ways out of the client, so which one should it take?


192.168.2.1 on firewall fw-1 cannot be set as the client's default gateway, because fw-2 would then never be used; likewise fw-2's 192.168.2.2 cannot be used. The solution is the virtual IP address 192.168.2.100 provided by the HA system. From the HA system's point of view all four machines above are real machines; it adds virtual IP addresses to them so that routing follows a failover automatically. If fw-1 is the primary firewall, the address 192.168.2.100 is added to fw-1's eth1 interface:


So the client needs a default route through the gateway 192.168.2.100. Run this command:
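The following is an added example rather than the post's own command: it sets the client's default route to the virtual IP and verifies it, and it includes a check you can run on either firewall to see which one currently holds the VIP. The addresses are the post's; the client's interface name and the sample ip output used for the check are assumptions (the sample is constructed, not captured).

```shell
#!/bin/sh
# Added example, not the post's command: set the client's default route to
# the HA virtual IP and verify it, plus a check that tells which firewall
# currently holds the VIP. Addresses are the post's; the client's interface
# name and the sample `ip` output below are assumed/constructed.
VIP=192.168.2.100
CLIENT_IF=${CLIENT_IF:-eth0}      # assumed name of the client's interface

# Route via the VIP, not via 192.168.2.1 or 192.168.2.2: whichever firewall
# is VRRP MASTER answers ARP for the VIP, so a failover changes nothing here.
set_default_route() {
    ip route replace default via "$VIP" dev "$CLIENT_IF"
    ip route get 192.0.2.1      # expect "... via 192.168.2.100 dev eth0"
}

# Parse `ip route show default` output ($2 is "via", $3 the gateway) and
# succeed only if the default gateway is the VIP.
default_gw_is_vip() {
    awk -v vip="$1" '$1 == "default" && $2 == "via" && $3 == vip { ok = 1 }
                     END { exit ok ? 0 : 1 }'
}

# Parse `ip -o -4 addr show` output ($2 is the interface, $4 the address with
# prefix) and print the interface carrying the VIP, if any. On a firewall,
# output means "this node is MASTER right now".
vip_iface() {
    awk -v vip="$1" '$3 == "inet" && index($4, vip "/") == 1 { print $2; exit }'
}

check_client() {
    ip route show default | default_gw_is_vip "$VIP" \
        && echo "default gateway is the VIP" \
        || { echo "default gateway is NOT $VIP" >&2; return 1; }
}

check_firewall() {
    ifc=$(ip -o -4 addr show | vip_iface "$VIP")
    if [ -n "$ifc" ]; then echo "MASTER: $VIP is on $ifc"; else echo "BACKUP"; fi
}

# Constructed sample (not captured from a real machine) of what
# `ip -o -4 addr show` prints on fw-1 while it is MASTER: the VIP is a /32
# on eth1 next to the interface's own 192.168.2.1.
SAMPLE_ADDR_SHOW='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.2/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.2.100/32 scope global eth1\       valid_lft forever preferred_lft forever'

# sh route.sh route   (on the client)  |  sh route.sh holder   (on a firewall)
case "${1:-}" in
    route)  set_default_route && check_client ;;
    holder) check_firewall ;;
esac
```

If check_client ever reports a gateway other than the VIP, traffic is pinned to one firewall and that firewall's outage takes the client offline; the same check is worth running on srv-1 and srv-2, whose return traffic must also leave through the VIP so that it passes the firewall that holds the connection state.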

Building a fault-tolerant firewall system with virtual machines: Testing spice agent and USB redirection

To see the effect of the spice agent and USB redirection, we perform the following tasks:

     1. Drag and drop the gnome-backgrounds-40.1-1.x86_64.rpm package from the client to the virtual machine
     2. Copy some text on the client and paste it into gedit's editing area on the virtual machine
     3. While working in the virtual machine, plug a USB stick labelled DUMMY into the client machine. The DUMMY label then appears in the virtual machine's file browser as a new drive; click it to open the USB drive

We also see that there is no mouse capture: there is no need to release the mouse when switching between the client and the virtual machine.

Building a fault-tolerant firewall system with virtual machines: Network configuration using systemd

Almost any network configuration can be done using commands in the iproute2 package. For example, you can run the command below to rename the enp0s2 interface to eth0:
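The following is an added example and not the post's command: it renames enp0s2 to eth0 with iproute2, which takes effect immediately but is lost at reboot, and then makes the name persistent with a systemd.link file matched on the interface's MAC address. The path of the .link file is an assumption.

```shell
#!/bin/sh
# Added example, not the post's command: rename enp0s2 to eth0 with iproute2
# (immediate, lost at reboot) and make it persistent with a systemd.link file
# matched on the MAC address. The .link file path is assumed.
OLD=${OLD:-enp0s2}; NEW=${NEW:-eth0}
LINK_FILE=/etc/systemd/network/10-$NEW.link

# A live rename needs the link down, which drops its addresses and routes:
# do this from the console, not over the interface being renamed.
rename_iface() {
    ip link set dev "$1" down
    ip link set dev "$1" name "$2"
    ip link set dev "$2" up
}

mac_of() { cat "/sys/class/net/$1/address"; }

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Match on the MAC, not the kernel name: the kernel name depends on PCI
# enumeration order and can change when another NIC is added to the VM.
render_link_file() {
    cat <<EOF
[Match]
MACAddress=$1

[Link]
Name=$2
EOF
}

# Write the .link file while the interface still has its old name; udev
# applies it at boot, or now with:
#   udevadm control --reload && udevadm trigger --action=add /sys/class/net/$OLD
# (with the link down, exactly as for the live rename above).
persist_rename() {
    mac=$(mac_of "$1")
    valid_mac "$mac" || { echo "unexpected MAC for $1: $mac" >&2; return 1; }
    render_link_file "$mac" "$2" > "$LINK_FILE"
    echo "wrote $LINK_FILE for $mac -> $2"
}

# sh rename.sh persist  (first)   then   sh rename.sh now  (or reboot)
case "${1:-}" in
    now)     rename_iface "$OLD" "$NEW" ;;
    persist) persist_rename "$OLD" "$NEW" ;;
esac
```

Run persist before now: after the live rename, /sys/class/net/enp0s2 no longer exists. Names of the eth0 form can collide with the kernel's own naming of a not yet renamed NIC, so on a machine with more than one interface a name like lan0 or wan0 is safer than eth0; the firewall's nftables rules should then reference that stable name rather than the kernel one.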