Tuesday, April 30, 2019

Re: Upgrading a CARP firewall cluster

mabi writes:

> Now I would first like to upgrade the cluster to 6.4 and then to 6.5 and was
> wondering if it is possible to operate that cluster for a short amount of
> time having one node running 6.3 and the other node with 6.4 and then the
> same for going from 6.4 to 6.5.

In general this is not a problem. We run several carp-ed firewall
(and load balancer/proxy) pairs, and upgrade them in this manner.
As was already mentioned, always read the release notes to look for
carp or pfsync changes that might cause trouble.

On our systems, we run the 'a' machine as primary and the 'b' machine
as backup. When upgrading, we do the 'b' machine first, since this
doesn't disrupt the primary. After the 'b' machine is fully configured,
monitor its state table to ensure it's consistent with the 'a'
machine. Once you are convinced pf is staying in sync, demote the
'a' machine and upgrade it.

Make sure you have 'net.inet.carp.preempt=1' in /etc/sysctl.conf, and
set advskew appropriately on each host in the pair.

--lyndon
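An added example to go with the procedure above; this is not lyndon's script nor anything shipped by OpenBSD. It collects the checks a person would do by hand before demoting the 'a' node: both nodes report the expected CARP role, `net.inet.carp.preempt=1` is set on both, 'a' has the lower advskew, and the pf state counts from `pfctl -si` are close enough that pfsync is evidently working. The parsers take command output as strings so the script runs offline against the constructed samples at the bottom; on real hosts you would feed them the output of `ifconfig carp0`, `sysctl net.inet.carp.preempt` and `pfctl -si` from each node. The interface names (carp0, em0), the 10% tolerance and all sample numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenBSD: pre-demotion
# checks for a rolling CARP upgrade. Each parser takes command output as a
# string so the whole thing can be exercised against the constructed samples
# below. On real nodes feed it the output of
#   ifconfig carp0 ; sysctl net.inet.carp.preempt ; pfctl -si
# from both hosts (interface names carp0/em0 are assumptions).

# CARP role ("master", "backup", "init") from the "carp:" line of ifconfig.
carp_state() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*carp:/ { print tolower($2); exit }'
}

# advskew value from the same line; the lower value wins the election.
carp_advskew() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*carp:/ {
        for (i = 1; i <= NF; i++) if ($i == "advskew") print $(i + 1); exit }'
}

# True when the sysctl output says preempt is on. Without it the upgraded
# 'a' node will not take MASTER back once it is healthy again.
preempt_enabled() {
    case "$1" in
        *net.inet.carp.preempt=1*) return 0 ;;
        *) return 1 ;;
    esac
}

# "current entries" count from pfctl -si.
pf_state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Two pf state counts are "in sync" when they differ by at most TOL percent
# of the primary's count (default 10). pfsync is not instantaneous, so a
# handful of short-lived states will always differ.
states_in_sync() {
    a=$1 b=$2 tol=${3:-10}
    [ "$a" -gt 0 ] || return 1
    delta=$(( a > b ? a - b : b - a ))
    [ $(( delta * 100 )) -le $(( a * tol )) ]
}

# ready_to_demote A_IFCONFIG A_SYSCTL A_PFCTL B_IFCONFIG B_SYSCTL B_PFCTL
# Returns 0 when it looks safe to run `ifconfig -g carp carpdemote 50` on 'a'
# (and `ifconfig -g carp -carpdemote 50` afterwards to hand MASTER back).
ready_to_demote() {
    [ "$(carp_state "$1")" = master ] || { echo "a is not MASTER" >&2; return 1; }
    [ "$(carp_state "$4")" = backup ] || { echo "b is not BACKUP" >&2; return 1; }
    { preempt_enabled "$2" && preempt_enabled "$5"; } ||
        { echo "net.inet.carp.preempt is not 1 on both nodes" >&2; return 1; }
    [ "$(carp_advskew "$1")" -lt "$(carp_advskew "$4")" ] ||
        { echo "advskew: a must be lower than b" >&2; return 1; }
    states_in_sync "$(pf_state_count "$3")" "$(pf_state_count "$6")" 10 ||
        { echo "pf state tables differ too much; wait for pfsync" >&2; return 1; }
}

# --- constructed sample output (not captured from a real system) ---
A_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        status: master'
B_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        status: backup'
A_SYSCTL='net.inet.carp.preempt=1'
B_SYSCTL='net.inet.carp.preempt=1'
A_PFCTL='Status: Enabled for 12 days 03:14:07             Debug: err

State Table                          Total             Rate
  current entries                     1043
  searches                        91283411           87.1/s'
B_PFCTL_SYNCED='State Table                          Total             Rate
  current entries                     1017'
B_PFCTL_STALE='State Table                          Total             Rate
  current entries                       12'

if ready_to_demote "$A_IFCONFIG" "$A_SYSCTL" "$A_PFCTL" \
                   "$B_IFCONFIG" "$B_SYSCTL" "$B_PFCTL_SYNCED"; then
    echo "ok: b is a consistent backup, a may be demoted"
fi
```

Run it once with the stale sample in place of B_PFCTL_SYNCED and it refuses, which is the situation you want to catch before touching 'a': the freshly upgraded 'b' looks fine on its own but has not actually received the state table, and demoting 'a' at that point would drop every established connection.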
