f5devcentral / f5-oci-failover

Failover configuration for BIG-IP VE in Oracle Cloud Infrastructure

OCI Regional Subnets #5

Closed github-lbad closed 5 years ago

github-lbad commented 5 years ago

OCI now has regional subnets supporting the spanning of a single class C across availability domains. If you move the private IP it will also move the associated RESERVED PUBLIC IP. Can we use these scripts to perform that function? I have an HA pair set up across AD1 and AD2, and it works fine. Just need to get the IP to move after failure. For Beeline/OCI. Thanks.

github-lbad commented 5 years ago

I have updated the scripts for my environment. I'm running into another issue now. I can run the oci-curl script locally from my local net as a simple test:

    oci-curl iaas.us-phoenix-1.oraclecloud.com GET /20160918/privateIps/ocid1.privateip.oc1.phx.aaaaaaaawezoncbb4ryxcwhzcoeq6abp4tvdwqzkldzvga3cccxbxk3

This returns fine. I run this same command from the F5 in OCI and it takes about 10 seconds but comes back connection refused (same authUserID, same KeyFingerprint, etc.). IDK why it's doing this. I'm going to open a case with Oracle to see if they can advise.

    Failed to connect to iaas.us-phoenix-1.oraclecloud.com port 443: Connection refused

github-lbad commented 5 years ago

I think I have it figured out. I was able to successfully automate this process using the info you provided. I failed over a private IP, with associated reserved public, from the F5 in AD1 to the F5 in AD2. It works!

github-lbad commented 5 years ago

I reduced tgactive to this. I was getting errors saying unknown traffic group and it was failing to move the IP.

    logger -p local0.notice "$0 ($TRAFFICGROUP): Started."

    # Internal Secondary IP failover
    /config/failover/oci-curl iaas.us-phoenix-1.oraclecloud.com PUT /config/failover/vnicint2.json "/20160918/privateIps/ocid1.privateip.oc1.phx.aaaaaaaawezoncbb4ryxcwhzcoeq6abp4tvdwqzkldzvga3cccxbxk3"

    logger -p local0.notice "$0 ($TRAFFICGROUP): Finished."

snowblind- commented 5 years ago

Yes. I heard they recently went GA with the regional subnets.

For some reason the $TRAFFICGROUP variable isn't getting populated properly. Will look into it.

github-lbad commented 5 years ago

I rebuilt another cluster so I could get HA across ADs. I'm running into a weird issue. On both units the tgactive script runs but it fails to move the IP. I see the log entries hit very quickly as if it did nothing and it does nothing. However I can immediately run tgactive manually logged in as root and it works perfectly. What account does tgactive run as? Are there certain permissions on files that I'm missing? Not sure why this is happening. Thanks.

github-lbad commented 5 years ago

Looks like. Not sure why it works when run manually from CLI as root.

    notice oci-curl: 47453253591528:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:391:
    notice oci-curl: unable to load key file
    notice oci-curl: {
    notice oci-curl: "code" : "NotAuthenticated",
    notice oci-curl: "message" : "The required information to complete authentication was not provided or was incorrect."

github-lbad commented 5 years ago

The issue was in oci-curl. The line defining the path for the private key. Had to put full path /config/failover/private.key
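
Added example, not part of the thread or of the f5-oci-failover scripts: the last comments trace the `unable to load key file` / `NotAuthenticated` failure to the private key path in oci-curl not being a full path. A preflight along these lines, with hypothetical function names, anchors the key path to a fixed directory and checks the file before any request is signed, so the failure is logged by cause rather than as an authentication error.

```bash
#!/bin/bash
# Added example; function names are hypothetical, not from oci-curl or tgactive.

# Turn a configured key path into an absolute one. Relative paths are anchored
# to base_dir (for example the script's own directory), never to the working
# directory, which a hook launched by a daemon does not control.
resolve_key_path() {
    local key="$1" base_dir="$2"
    case "$key" in
        /*) printf '%s\n' "$key" ;;
        *)  printf '%s/%s\n' "${base_dir%/}" "$key" ;;
    esac
}

# 0 = usable; 1 = missing or unreadable; 2 = accessible by group or other.
check_key() {
    local path="$1" perms
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "signing key not readable: $path" >&2
        return 1
    fi
    perms=$(ls -ld -- "$path" | cut -c5-10)   # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "signing key accessible beyond owner: $path" >&2
        return 2
    fi
    return 0
}

# Fail before any API call is signed, and record the reason in the system log.
# Typical call from a hook: preflight_key private.key "$(dirname "$0")" || exit 1
preflight_key() {
    local path rc=0
    path=$(resolve_key_path "$1" "$2")
    check_key "$path" || rc=$?
    if [ "$rc" -ne 0 ] && command -v logger >/dev/null 2>&1; then
        logger -p local0.err "$0: signing key check failed (rc=$rc): $path"
    fi
    return "$rc"
}
```
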