CARP across two jails on one host?

Paul Schenkeveld fb-jail at psconsult.nl
Fri Jul 23 12:29:05 UTC 2010


Hi,

On Thu, Jul 22, 2010 at 12:51:23PM -0400, Aaron Weeden wrote:
> My box is running FreeBSD version 8.1-PRERELEASE.  I've created two
> jails and want them to be able to share an IP address via CARP.  As I
> understand it, each host must use the same VHID and IP address on its
> carp interface in order to work as a failover for the other hosts.
> I'm also under the impression that jails cannot create interfaces, as
> my attempt to run 'ifconfig carp0 create' within a jail returned the
> error 'ifconfig: SIOCIFCREATE2: Operation not permitted'.  I'm
> wondering, then, if it's possible to use CARP for two jails on one
> host, since attempting to create two carp interfaces with the same
> vhid on the parent produces the error 'ifconfig: SIOCSVH: File
> exists'.  Does anyone here have experience running CARP in jails?

The CARP protocol involves multicast hello packets among the master
and backup nodes.  Each CARP interface must also be capable of
responding to ARP requests if it is operating in MASTER mode.

With traditional jails, traffic between jails on the same host is sent
over the loopback interface, which does not support multicasting, so
these jails would not be able to see each other's hello packets.

Since FreeBSD 8, jails support virtual networking (a.k.a. vimage).  It
looks like it should be possible to do CARP between jails using vnet
instances.  You'd need to do some network plumbing to get a virtual
bus topology network between the jails (ng_ether probably) but I have
not yet tried this myself.  Also, beware that virtual networking is
still not production quality as far as I know and rc.d/jail doesn't
know how to set it up (yet).

OTOH, is CARP the right solution for your problem?  If you
succeed in building the setup using vnet, CARP would only fail over if
CARP of the master jail stops sending hello packets.  This would
normally only occur when the master jail and vnet instance are torn
down completely (or the CARP interface in the master jail destroyed).
It would not kick in if the application inside the master jail stops
responding.

If you just want to simulate a multi-host network instead of doing
application fail-over then vnet is your best bet.

> Thank you,
> Aaron Weeden

HTH

Paul Schenkeveld

