fix(ns-ha): remove ha zone

gsanchietti · gsanchietti · commit 0f6182ee3918 · 2025-04-17T09:13:37.000+02:00
The ha zone makes the configuration harder and requires
an extra interface connected to a switch.
It also raise the possibility to have a split-brain situation
diff --git a/packages/ns-api/files/ns.ha b/packages/ns-api/files/ns.ha
@@ -14,7 +14,7 @@ import os
 import subprocess
 import hashlib
 import time
-from nethsec import firewall
+from nethsec import utils
 from jinja2 import Template
 
 conntrack_ji_template = """
@@ -27,8 +27,8 @@ Sync {
 
     UDP {
         # Dedicated link for connection replication
-        IPv4_address {{ first_ip }}
-        IPv4_Destination_Address {{ second_ip }}
+        IPv4_address {{ main_ip }}
+        IPv4_Destination_Address {{ backup_ip }}
         Port 3780
         Interface {{ ha_interface }}
         SndSocketBuffer 1249280
@@ -70,28 +70,21 @@ General {
 }
 """
 
+def get_device_from_ip(uci, ipaddr):
+    for n in utils.get_all_by_type(uci, 'network', 'interface'):
+        if uci.get('network', n, 'ipaddr', default=None) == ipaddr:
+            return uci.get('network', n, 'device', default=None)
 
-def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_secondary_ipaddress, pubkey = "", password = ""):
+
+def setup(role, main_node_ip, backup_node_ip, virtual_ip, pubkey = "", password = ""):
     ret = {}
     u = EUci()
-
-    firewall.add_template_zone(u, 'ns_ha', link="keepalived/ha_address")
-
-    u.set('network', 'ha', 'interface')
-    u.set('network', 'ha', 'proto', 'static')
-    u.set('network', 'ha', 'netmask', '255.255.255.0')
-    u.set('network', 'ha', 'device', ha_interface)
-    if role == 'main':
-        u.set('network', 'ha', 'ipaddr', ha_main_ipaddress)
+    if role == "main":
+        lan_device = get_device_from_ip(u, main_node_ip)
     else:
-        u.set('network', 'ha', 'ipaddr', ha_secondary_ipaddress)
-    u.save('network')
-
-    # setup UAM rule, if needed
-    (z_name, z_config) = firewall.get_zone_by_name(u, 'ha')
-    if 'ha' not in z_config.get('network', []):
-        u.set('firewall', z_name, 'network', ['ha'])
-        u.save('firewall')
+        lan_device = get_device_from_ip(u, backup_node_ip)
+    if lan_device is None:
+        raise utils.ValidationError('main_node_ip', 'no_device_with_static_ip_found')
 
     u.set('dropbear', 'ha_link', 'dropbear')
     u.set('dropbear', 'ha_link', 'Port', '65022')
@@ -100,9 +93,9 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
     u.save('dropbear')
     
     u.set('keepalived', 'ha_address', 'ipaddress')
-    u.set('keepalived', 'ha_address', 'name', f'{lan_interface}_ha')
+    u.set('keepalived', 'ha_address', 'name', f'{lan_device}_ha')
     u.set('keepalived', 'ha_address', 'address', virtual_ip)
-    u.set('keepalived', 'ha_address', 'device', lan_interface)
+    u.set('keepalived', 'ha_address', 'device', lan_device)
     u.set('keepalived', 'ha_address', 'label_suffix', 'ha')
 
     u.set('keepalived', 'ha_sync', 'vrrp_script')
@@ -112,8 +105,8 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
     u.set('keepalived', 'ha_sync', 'weight', '100')
 
     u.set('keepalived', 'lan_track', 'track_interface')
-    u.set('keepalived', 'lan_track', 'name', f'{lan_interface}_ha')
-    u.set('keepalived', 'lan_track', 'value', lan_interface)
+    u.set('keepalived', 'lan_track', 'name', f'{lan_device}_ha')
+    u.set('keepalived', 'lan_track', 'value', lan_device)
     u.set('keepalived', 'lan_track', 'weight', '100')
 
     if role == 'main':
@@ -124,7 +117,7 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
 
         u.set('keepalived', 'ha_peer', 'peer')
         u.set('keepalived', 'ha_peer', 'name', 'backup')
-        u.set('keepalived', 'ha_peer', 'address', ha_secondary_ipaddress)
+        u.set('keepalived', 'ha_peer', 'address', backup_node_ip)
         u.set('keepalived', 'ha_peer', 'sync', '1')
         u.set('keepalived', 'ha_peer', 'sync_mode', 'send')
         u.set('keepalived', 'ha_peer', 'sync_dir', '/usr/share/keepalived/rsync')
@@ -134,13 +127,13 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
         u.set('keepalived', 'main', 'vrrp_instance')
         u.set('keepalived', 'main', 'name', 'master')
         u.set('keepalived', 'main', 'state', 'MASTER')
-        u.set('keepalived', 'main', 'interface', ha_interface)
+        u.set('keepalived', 'main', 'interface', lan_device)
         u.set('keepalived', 'main', 'virtual_router_id', '100')
         u.set('keepalived', 'main', 'priority', '100')
         u.set('keepalived', 'main', 'advert_int', '1')
         u.set('keepalived', 'main', 'nopreempt', '0')
-        u.set('keepalived', 'main', 'virtual_ipaddress', [f'{lan_interface}_ha'])
-        u.set('keepalived', 'main', 'unicast_src_ip', ha_main_ipaddress)
+        u.set('keepalived', 'main', 'virtual_ipaddress', [f'{lan_device}_ha'])
+        u.set('keepalived', 'main', 'unicast_src_ip', main_node_ip)
         u.set('keepalived', 'main', 'unicast_peer', ['backup'])
         u.set('keepalived', 'main', 'auth_type', 'PASS')
 
@@ -151,13 +144,13 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
             password = hashlib.sha1(current_time).hexdigest()[:8]
         ret['password'] = password
         u.set('keepalived', 'main', 'auth_pass', password)
-        u.set('keepalived', 'main', 'track_interface', [f'{lan_interface}_ha'])
+        u.set('keepalived', 'main', 'track_interface', [f'{lan_device}_ha'])
         u.set('keepalived', 'main', 'track_script', ['sender'])
 
         # Generate the private key if it does not exist
         private_key_path = '/etc/keepalived/keys/id_rsa'
         if not os.path.isfile(private_key_path):
-            subprocess.run(['dropbearkey', '-t', 'rsa', '-f', private_key_path])
+            subprocess.run(['dropbearkey', '-t', 'rsa', '-f', private_key_path], capture_output=True)
 
         # Print the public key
         result = subprocess.run(['dropbearkey', '-y', '-f', private_key_path], capture_output=True, text=True)
@@ -167,7 +160,7 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
 
         # Setup conntrackd configuration
         conntrack_template = Template(conntrack_ji_template)
-        conntrack_conf = conntrack_template.render(first_ip=ha_main_ipaddress, second_ip=ha_secondary_ipaddress, ha_interface=ha_interface)
+        conntrack_conf = conntrack_template.render(main_ip=main_node_ip, backup_ip=backup_node_ip, ha_interface=lan_device)
         with open('/etc/conntrackd/conntrackd.conf', 'w') as file:
             file.write(conntrack_conf)
     else:
@@ -178,7 +171,7 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
 
         u.set('keepalived', 'ha_peer', 'peer')
         u.set('keepalived', 'ha_peer', 'name', 'master')
-        u.set('keepalived', 'ha_peer', 'address', ha_main_ipaddress)
+        u.set('keepalived', 'ha_peer', 'address', main_node_ip)
         u.set('keepalived', 'ha_peer', 'sync', '1')
         u.set('keepalived', 'ha_peer', 'sync_mode', 'receive')
         u.set('keepalived', 'ha_peer', 'sync_dir', '/usr/share/keepalived/rsync')
@@ -187,17 +180,17 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
         u.set('keepalived', 'backup', 'vrrp_instance')
         u.set('keepalived', 'backup', 'name', 'backup')
         u.set('keepalived', 'backup', 'state', 'BACKUP')
-        u.set('keepalived', 'backup', 'interface', ha_interface)
+        u.set('keepalived', 'backup', 'interface', lan_device)
         u.set('keepalived', 'backup', 'virtual_router_id', '100')
         u.set('keepalived', 'backup', 'priority', '50')
         u.set('keepalived', 'backup', 'advert_int', '1')
         u.set('keepalived', 'backup', 'nopreempt', '0')
-        u.set('keepalived', 'backup', 'virtual_ipaddress', [f'{lan_interface}_ha'])
-        u.set('keepalived', 'backup', 'unicast_src_ip', ha_secondary_ipaddress)
+        u.set('keepalived', 'backup', 'virtual_ipaddress', [f'{lan_device}_ha'])
+        u.set('keepalived', 'backup', 'unicast_src_ip', backup_node_ip)
         u.set('keepalived', 'backup', 'unicast_peer', ['master'])
         u.set('keepalived', 'backup', 'auth_type', 'PASS')
         u.set('keepalived', 'backup', 'auth_pass', password)
-        u.set('keepalived', 'backup', 'track_interface', [f'{lan_interface}_ha'])
+        u.set('keepalived', 'backup', 'track_interface', [f'{lan_device}_ha'])
         u.set('keepalived', 'backup', 'track_script', ['receiver'])
 
         # Append publick key to root dropbear authorized_keys
@@ -212,7 +205,7 @@ def setup(role, lan_interface, ha_interface, virtual_ip, ha_main_ipaddress, ha_s
 
         # Setup conntrackd configuration
         conntrack_template = Template(conntrack_ji_template)
-        conntrack_conf = conntrack_template.render(first_ip=ha_secondary_ipaddress, second_ip=ha_main_ipaddress, ha_interface=ha_interface)
+        conntrack_conf = conntrack_template.render(first_ip=main_node_ip, second_ip=backup_node_ip, ha_interface=lan_device)
         with open('/etc/conntrackd/conntrackd.conf', 'w') as file:
             file.write(conntrack_conf)
 
@@ -250,11 +243,9 @@ cmd = sys.argv[1]
 if cmd == 'list':
     print(json.dumps({"setup": {
         "role": "main",
-        "lan_interface": "eth0",
-        "ha_interface": "eth1",
+        "main_node_ip": "100.100.100.1",
+        "backup_node_ip": "100.100.100.2",
         "virtual_ip": "192.168.1.1",
-        "ha_main_ipaddress": "100.100.100.1",
-        "ha_secondary_ipaddress": "100.100.100.2",
         "pubkey": "ssh-rsa AAAAB....",
         "password": "admin"
         },
@@ -265,7 +256,7 @@ else:
     if action == "setup":
         # Paramaters:
         args = json.loads(sys.stdin.read())
-        ret = setup(args.get('role'), args.get('lan_interface'), args.get('ha_interface'), args.get('virtual_ip'), args.get('ha_main_ipaddress'), args.get('ha_secondary_ipaddress'), args.get('pubkey'), args.get('password'))
+        ret = setup(args.get('role'), args.get('main_node_ip'), args.get('backup_node_ip'), args.get('virtual_ip'), args.get('pubkey'), args.get('password'))
     elif action == "status":
         ret = status()
 
diff --git a/packages/ns-api/files/templates b/packages/ns-api/files/templates
@@ -112,15 +112,6 @@ config template_rule 'ns_guest_dhcp'
 	option proto 'udp'
 	option target 'ACCEPT'
 
-# HA zone
-
-config template_zone 'ns_ha'
-	option name 'ha'
-	option input 'ACCEPT'
-	option output 'ACCEPT'
-	option forward 'ACCEPT'
-	option ns_description 'HA zone for cluster traffic'
-
 # IPSec
 
 config template_rule 'ns_ipsec_esp'
diff --git a/packages/ns-ha/README.md b/packages/ns-ha/README.md
@@ -7,7 +7,6 @@ Requirements:
 
 - Two nodes with similar hardware
 - Nodes must be connected to the same LAN
-- Nodes must have a dedicated interface for HA configuration
 - Nodes must have only one WAN interface configured with DHCP
 
 Limitations:
@@ -48,16 +47,15 @@ The following features are supported:
 ## Configuration
 
 The setup process configures the following:
-- Creates a new firewall zone `ha`
-- Configures the HA interface dedicated to HA traffic
+- Configures HA traffic on lan interface
 - Sets up keepalived with the virtual IP, a random password and a public key for the synchronization
 - Configures dropbear to listen on port `65022`: this is used to sync data between the nodes using rsync, only
   key-based authentication is allowed
 - Configures conntrackd to sync the connection tracking table
 
 In this example:
 - `main` is the primary node, with LAN IP `192.168.100.238` and HA IP `10.12.12.1`
-- `secondary` is the secondary node, with LAN IP `192.168.100.237` and HA IP `10.12.12.2`
+- `backup` is the backup node, with LAN IP `192.168.100.237` and HA IP `10.12.12.2`
 - the virtual IP is `192.168.100.240`
 
 1. On the primary node:
@@ -67,13 +65,13 @@ In this example:
   - Reserve `eth2` for HA configuration (it must not configured in the network settings)
   - Setup the configuration that will: create the `ha` zone, configure the IP for the HA interface, setup keepalived:
     ```sh
-    echo '{"role": "main", "lan_interface": "br-lan", "ha_interface": "eth2", "virtual_ip": "192.168.100.240/24", "ha_main_ipaddress": "10.12.12.1", "ha_secondary_ipaddress": "10.12.12.2"}' | /usr/libexec/rpcd/ns.ha call setup
+    echo '{"role": "main", "main_node_ip": "192.168.100.238", "backup_node_ip": "192.168.100.239", "virtual_ip": "192.168.100.240/24"}' | /usr/libexec/rpcd/ns.ha call setup
     ```
     The command will output something like:
     ```json
     {"password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@primary"}
     ```
-    The `password` and `pubkey` fields must be used in the secondary node configuration.
+    The `password` and `pubkey` fields must be used in the backup node configuration.
   - Apply the configuration:
     ```
     uci commit
@@ -82,14 +80,14 @@ In this example:
     /etc/init.d/keepalived restart
     ```
 
-2. On the secondary node:
-  - Name the secondary firewall `secondary`
+2. On the backup node:
+  - Name the backup firewall `backup`
   - Set `eth0` (LAN) to static IP: `192.168.100.237/24`
   - Set `eth1` (WAN) to DHCP (no PPPoE)
   - The `eth2` interface will be used for the HA configuration
   - Setup the configuration that will: create the `ha` zone, configure the IP for the HA interface, setup keepalived. Use the `password` and `pubkey` from the primary node:
     ```sh
-    echo '{"role": "secondary", "lan_interface": "br-lan", "ha_interface": "eth2", "virtual_ip": "192.168.100.240/24", "ha_main_ipaddress": "10.12.12.1", "ha_secondary_ipaddress": "10.12.12.2", "password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@primary"}' | /usr/libexec/rpcd/ns.ha call setup
+    echo '{"role": "backup", "main_node_ip": "192.168.100.238", "backup_node_ip": "192.168.100.239", "virtual_ip": "192.168.100.240/24", "password": "5aeab1d8", "pubkey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF7MYY8vfgE/JgJT8mOejwIhB4UYKS4g/QSA7fwntCbN0LQ3nTA6LO3AzqhUCHd6LBS5P9aefTqDcG+cJQiGbXReqX1z4trQGs7QkBLbjlXb2Vock17UIGbm5ao8jyPsD4ADNdMF8p0S2xDvnfsOh7MXLy5N7QZGp1G3ISB6JVw0mdCn3GXYg1X9XB7Pqu0OJm7+n2SJvA1KXn9fKUDX92U1fGQcid05C3yRBS5QXB7VAAP55KKYp4RmQMCOcJDhDoHGB6Ia/fTxfhnLdXJcAHU2MTtyaEY7NWoPjKZ3769GIu4KLLDPB8aH9emg23Mej+eiMRIg0vFXsaJWVPuZzj root@primary"}' | /usr/libexec/rpcd/ns.ha call setup
     uci commit
     /etc/init.d/network restart
     /etc/init.d/firewall restart
