cluster — Kernun firewall redundancy cluster support
To reduce the risk of system failure, Kernun firewall allows building hot stand-by clusters. As the name suggests, apart from the main system there is another host, usually equipped with the same features and configuration, ready to step up and start handling the communication automatically if its partner fails. The system that is currently in charge of traffic control is called the master node of the cluster, while its idle peer is the backup node.
One physical cluster of firewalls can provide several logical clusters (called virtual clusters). In such a case, each virtual cluster may have a different master, which handles a certain subset of services. The advantage of such a setup is that while all firewalls are functional, the workload is distributed among them.
The partners in a virtual cluster can be two equivalent peers, or one of them can be dedicated to the master role whenever it is ready. This mode is called preemptive and the dedicated node is called primary. In non-preemptive mode, the current master node keeps the role for as long as it is operational.
The signalling and switching of states between partners is implemented using a special PIKE protocol (a replacement for VRRP and CARP). For this purpose, the pair is interconnected by a dedicated “wire”, ideally a separate Ethernet cable linking the two hosts directly. This interface is called the heart-beat interface. The subprotocol of PIKE responsible for keepalive control is called HELLO and it can be tuned by a set of timeouts.
The monitoring is performed by a special daemon, pikemon (see the pikemon(8) and pikemon.cfg(5) manual pages), which runs as an ordinary Kernun application.
Technically, the traffic is led through a bridge interface that has both a shared IP address and a shared MAC address assigned. The master node sends a gratuitous ARP to inform all network nodes of the current location of that MAC address. A single ordinary interface handling the real traffic is assigned to this bridge interface; it becomes a member of the bridge when the node takes the master role and leaves the bridge when the node drops the master role. The backup node can keep the IP address, or it can unconfigure it whenever it loses the master role (the so-called nomadic mode, configured within the bridge interface section). One virtual cluster can consist of more than one bridge interface.
The operability of a node is periodically monitored by the pikemon daemon using ICMP ECHO messages. For every virtual cluster, there can be several ping groups, i.e. lists of hosts of which at least one has to respond within the given timeout; otherwise the group (and the whole node) is considered “down”.
The node role can also be bound to a set of services: a set of Kernun components can be started only while the node holds the master role, and/or a special command can be executed when the role is taken or dropped.
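The following Python model is an added example and is not pikemon's code or Kernun configuration; it puts the rules described on this page (ping groups, HELLO keepalive, preemptive versus non-preemptive role decision, and the actions taken on a role change) into one runnable piece so the failure semantics can be checked on constructed inputs. The host addresses, timeouts, node ids, the assumption that a HELLO carries the partner's role and operational state, and the lower-node-id tie-break between two idle backups are all assumptions of this model.

```python
"""Illustrative model of the cluster logic described above (added example,
not pikemon's code). It covers:

  * ping groups:     a group is up if at least one of its hosts answers within
                     the group timeout; the node is up only if every group is up;
  * HELLO keepalive: the partner is alive while its last HELLO is younger
                     than the HELLO timeout;
  * role decision:   preemptive mode (the primary reclaims master whenever it
                     is operational) versus non-preemptive mode (the current
                     master keeps the role while it is operational).

Hosts, timeouts and node ids below are constructed sample values.
"""
from dataclasses import dataclass

MASTER, BACKUP = "master", "backup"


@dataclass(frozen=True)
class PingGroup:
    name: str
    hosts: tuple      # hosts to ping; one answering in time is enough
    timeout: float    # seconds; a reply arriving later counts as no reply


def group_up(group, replies):
    """replies maps host -> round-trip time in seconds, or None for no reply."""
    return any(replies.get(h) is not None and replies[h] <= group.timeout
               for h in group.hosts)


def node_operational(groups, replies):
    """A single failed ping group marks the whole node as down."""
    return all(group_up(g, replies) for g in groups)


def peer_alive(now, last_hello, hello_timeout):
    """HELLO keepalive check on the heart-beat interface."""
    return last_hello is not None and now - last_hello <= hello_timeout


def next_role(current, local_ok, peer_ok, peer_role, preemptive, is_primary,
              local_id, peer_id):
    """Decide the role this node should hold for the next interval.

    local_ok  -- this node passes all of its ping groups
    peer_ok   -- the partner's HELLO is fresh and it reports itself operational
                 (assumption: HELLO carries that information)
    peer_role -- role the partner announced in its last HELLO, or None
    The lower-node-id tie-break for two idle backups is an assumption of this
    model, not something the page specifies.
    """
    if not local_ok:
        return BACKUP                       # a failed node never holds master
    if not peer_ok:
        return MASTER                       # partner gone: take over
    if preemptive:
        return MASTER if is_primary else BACKUP
    if current == MASTER:
        return MASTER                       # non-preemptive: keep the role
    if peer_role == MASTER:
        return BACKUP
    return MASTER if local_id < peer_id else BACKUP   # nobody is master yet


def transition_actions(old, new, nomadic):
    """Ordered steps on a role change, as the page describes them: bridge
    membership, gratuitous ARP, nomadic address handling, bound services."""
    if old == new:
        return []
    if new == MASTER:
        return ["add traffic interface to bridge",
                "configure shared IP address" if nomadic else "keep shared IP address",
                "send gratuitous ARP for shared MAC",
                "start master-only components / run take-role command"]
    steps = ["remove traffic interface from bridge",
             "stop master-only components / run drop-role command"]
    if nomadic:
        steps.insert(1, "unconfigure shared IP address")
    return steps


def demo():
    """One monitoring interval on a backup node in non-preemptive mode."""
    groups = (PingGroup("uplink", ("198.51.100.1", "198.51.100.2"), 1.0),
              PingGroup("lan", ("192.0.2.10",), 0.5))
    # constructed ping results: first uplink router silent, second slow but in time
    replies = {"198.51.100.1": None, "198.51.100.2": 0.8, "192.0.2.10": 0.1}
    local_ok = node_operational(groups, replies)
    peer_ok = peer_alive(now=100.0, last_hello=98.5, hello_timeout=2.0)
    role = next_role(BACKUP, local_ok, peer_ok, MASTER, False, False, 1, 2)
    return local_ok, peer_ok, role


if __name__ == "__main__":
    print(demo())
```

Note that a group stays up as long as any one of its hosts answers in time, so a ping group listing two independent upstream routers does not fail when only one of them is unreachable, while a single-host group fails as soon as that host stops answering; the HELLO timeout and the ping-group timeouts should be chosen together so a brief ICMP loss does not trigger a role flap.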