Adding a deafult route during heartbeat handover on debian

Question

We have a heartbeat handover that goes on between 2 firewalls out of one of our networks, the interface that the handover happens on has no IP set by default and only gets this IP when the handover happens. This also happens to be the default route out of this network (machines being used as firewalls) we don't have the IP space to give these machines another IP address each. This however causes issues when trying to route traffic to anything outside of the WAN port.

How do I go about adding a default route to an interface that has no IP address currently (the interface comes up via a system.d service on boot) or can I add a route on the handover over of the IP?

Which software are you using for the heartbeat? Something like corosync / pacemaker? — gxx, Aug 29 '17 at 16:15
Isn't there a resource agent for dealing with routes? Doesn't this help? — gxx, Aug 29 '17 at 17:20
There is a haresources file but I can't find any documentation on changing routes via this — johnstod, Aug 29 '17 at 18:10
`haresources` is the deprecated, heartbeat v1, cluster configuration. — Matt Kereczman, Aug 29 '17 at 22:04

score 1 · Accepted Answer · answered Aug 29 '17 at 22:22

You can add/remove routes with the ocf:heartbeat:Route resource agent.

The description of the Route resource-agent is:

Manages network routes (ocf:heartbeat:Route)

Enables and disables network routes.

Supports host and net routes, routes via a gateway address, 
and routes using specific source addresses.

This resource agent is useful if a node's routing table
needs to be manipulated based on node role assignment.

Consider the following example use case:

  -  One cluster node serves as an IPsec tunnel endpoint.

  -  All other nodes use the IPsec tunnel to reach hosts
     in a specific remote network.

Then, here is how you would implement this scheme making use
of the Route resource agent:

  -  Configure an ipsec LSB resource.

  -  Configure a cloned Route OCF resource.

  -  Create an order constraint to ensure 
     that ipsec is started before Route.

  -  Create a colocation constraint between the
     ipsec and Route resources, to make sure no instance
     of your cloned Route resource is started on the
     tunnel endpoint itself.

Parameters (*: required, []: default):

destination* (string): Destination network
    The destination network (or host) to be configured for the route. 
    Specify the netmask suffix in CIDR notation (e.g. "/24").
    If no suffix is given, a host route will be created.
    Specify "0.0.0.0/0" or "default" if you want this resource to set 
    the system default route.

device (string): Outgoing network device
    The outgoing network device to use for this route.

gateway (string): Gateway IP address
    The gateway IP address to use for this route.

source (string): Source IP address
    The source IP address to be configured for the route.

table (string): Routing table
    The routing table to be configured for the route.

Operations' defaults (advisory minimum):

    start         timeout=20
    stop          timeout=20
    monitor       timeout=20 interval=10
    reload        timeout=20

Define that in your configuration after your IP, and the route will get added once the IP is there.

Using Heartbeat without Pacemaker is deprecated, so finding any current documentation on that will be difficult. If able, you should probably have a look at adding Pacemaker to your setup.

Adding a deafult route during heartbeat handover on debian

1 Answers1