stardotstar l33t
Joined: 10 Feb 2006 Posts: 887 Location: 2074/SYD/NSW/AU
|
Posted: Mon Jul 06, 2009 7:28 am Post subject: pls help: IP migration via ssh: 2 eths & iLO - apache se |
|
|
hi guys,
I am needing to do a remote controlled ip migration on my server.
Basically I have been running as three nodes on a class c network from my co-lo host
I have two eth NICs - eth0 and eth1 as well as my iLO interface
At the moment I can ssh in on either nic
What has been suggested is that I bind the new IPs to the existing nics and then allow dns propagation to occur before removing the old addresses (which will become inactive at midnight in two days anyway)
Here is my theory (and what i have been trying)
1) ssh in on eth0 legacy addy
2) confirm that I can ssh in on eth1 legacy addy
3) log off from eth1 ssh session
4) edit /etc/ssh/sshd_config to "listen" on the new IP for eth1
5) edit /etc/conf.d/net to bind the new addy,netmask,brd to eth1
6) restart eth1
7) confirm eth1 pings on legacy and new addys
8) restart sshd
9) confirm ssh still works on eth0 and eth1 legacy (as well as having iLO open as a fallback)
10) ssh in on the new addy on eth1
these 10 things I have tried to complete but only manage to get as far as pinging the new addy on eth1.
I followed this guide:
http://www.gentoo-wiki.info/HOWTO_IP_Aliasing
and can now locally ping the interface eth1 on the newly assigned IP but when I ifconfig I don't get the eth1:1 as shown in the guide.
I am pretty sure that exposing my IPs is the same as running an apache server anyway - so I am presenting some of the results here to get help:
Code: |
helios etc # cat /etc/conf.d/net
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d. To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).
dns_domain="sourcepoint.com.au"
dns_domain_lo="sourcepoint.com.au"
dns_domain_eth0="sourcepoint.com.au"
dns_domain_eth1="sourcepoint.com.au"
nameserver_eth0=( "119.63.202.186" )
nameserver_eth0=( "119.63.202.187" )
config_eth0=( "119.63.202.186 netmask 255.255.255.0" )
routes_eth0=( "default via 119.63.202.1" )
#config_eth1=( "119.63.202.187 netmask 255.255.255.0" )
#routes_eth1=( "default via 119.63.202.1" )
config_eth1=(
"119.63.202.187 netmask 255.255.255.0 brd 119.63.202.255"
"202.130.34.115 netmask 255.255.255.248 brd 202.130.34.119"
)
routes_eth1=( "default via 202.130.34.113" )
|
so I restart eth1 and try ping the two addresses I have tried to bind:
Code: | helios etc # ping 119.63.202.187
PING 119.63.202.187 (119.63.202.187) 56(84) bytes of data.
64 bytes from 119.63.202.187: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 119.63.202.187: icmp_seq=2 ttl=64 time=0.057 ms
64 bytes from 119.63.202.187: icmp_seq=3 ttl=64 time=0.067 ms
^C
--- 119.63.202.187 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2022ms
rtt min/avg/max/mdev = 0.057/0.065/0.071/0.005 ms
helios etc # ping 202.130.34.115
PING 202.130.34.115 (202.130.34.115) 56(84) bytes of data.
64 bytes from 202.130.34.115: icmp_seq=1 ttl=64 time=0.075 ms
64 bytes from 202.130.34.115: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 202.130.34.115: icmp_seq=3 ttl=64 time=0.022 ms
^C
--- 202.130.34.115 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.022/0.041/0.075/0.024 ms
|
so far so good...
But no sign of the new interface with ifconfig:
Code: |
helios etc # ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:12:79:90:b0:16
inet addr:119.63.202.186 Bcast:119.63.202.255 Mask:255.255.255.0
inet6 addr: fe80::212:79ff:fe90:b016/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:247773781 errors:0 dropped:7772 overruns:0 frame:0
TX packets:225045199 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1986503949 (1.8 GiB) TX bytes:3735843461 (3.4 GiB)
Interrupt:25
eth1 Link encap:Ethernet HWaddr 00:12:79:90:b0:15
inet addr:119.63.202.187 Bcast:119.63.202.255 Mask:255.255.255.0
inet6 addr: fe80::212:79ff:fe90:b015/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11710 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:774199 (756.0 KiB) TX bytes:576 (576.0 B)
Interrupt:26
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:414256560 errors:0 dropped:0 overruns:0 frame:0
TX packets:414256560 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:683852015 (652.1 MiB) TX bytes:683852015 (652.1 MiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
|
I am in touch with my co-lo host and they are going to try and help but are more windows oriented os wise.
What step have I missed.
I really need help with the complexity of this -= but should be able to stay online with two interfaces and the iLO as backup.
Will _________________ ]8P |
Exil Apprentice
Joined: 10 Oct 2005 Posts: 251 Location: Nibylandia
|
Posted: Mon Jul 06, 2009 7:34 am Post subject: |
|
|
emerge iproute2 and then
ip a s
it will show you all ip addresses assigned to interfaces |
stardotstar l33t
Joined: 10 Feb 2006 Posts: 887 Location: 2074/SYD/NSW/AU
|
Posted: Mon Jul 06, 2009 7:45 am Post subject: |
|
|
OK, thanks for the instruction; I have emerged this tool and provide the following results:
Code: | helios conf.d # /etc/init.d/net.eth1 restart
* Caching service dependencies ... [ ok ]
* WARNING: you are stopping a boot service.
* Stopping eth1
* Bringing down eth1
* Shutting down eth1 ... [ ok ]
* Starting eth1
* Bringing up eth1
* 119.63.202.187 [ ok ]
* 202.130.34.115 [ ok ]
* Adding routes
* default via 202.130.34.113 ... [ ok ]
helios conf.d # ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:12:79:90:b0:16 brd ff:ff:ff:ff:ff:ff
inet 119.63.202.186/24 brd 119.63.202.255 scope global eth0
inet6 fe80::212:79ff:fe90:b016/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:12:79:90:b0:15 brd ff:ff:ff:ff:ff:ff
inet 119.63.202.187/24 brd 119.63.202.255 scope global eth1
inet 202.130.34.115/29 brd 202.130.34.119 scope global eth1
inet6 fe80::212:79ff:fe90:b015/64 scope link
valid_lft forever preferred_lft forever
4: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
|
is this not curious since it will ping to both IP addresses? but does not show as expected in ifconfig -a ...
the fact that I am listening on this address but ssh client times out at my end suggests something wrong - I have tried it with shorewall down too - btw - same behavior when I have only the new address assigned to eth1... _________________ ]8P |
Sysa Apprentice
Joined: 16 Mar 2005 Posts: 161 Location: Europe
|
Posted: Mon Jul 06, 2009 8:08 am Post subject: |
|
|
stardotstar wrote: | OK, thanks for the instruction; I have emerged this tool and provide the following results:
Code: | helios conf.d # /etc/init.d/net.eth1 restart
* Caching service dependencies ... [ ok ]
* WARNING: you are stopping a boot service.
* Stopping eth1
* Bringing down eth1
* Shutting down eth1 ... [ ok ]
* Starting eth1
* Bringing up eth1
* 119.63.202.187 [ ok ]
* 202.130.34.115 [ ok ]
* Adding routes
* default via 202.130.34.113 ... [ ok ]
helios conf.d # ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:12:79:90:b0:16 brd ff:ff:ff:ff:ff:ff
inet 119.63.202.186/24 brd 119.63.202.255 scope global eth0
inet6 fe80::212:79ff:fe90:b016/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:12:79:90:b0:15 brd ff:ff:ff:ff:ff:ff
inet 119.63.202.187/24 brd 119.63.202.255 scope global eth1
inet 202.130.34.115/29 brd 202.130.34.119 scope global eth1
inet6 fe80::212:79ff:fe90:b015/64 scope link
valid_lft forever preferred_lft forever
4: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
|
is this not curious since it will ping to both IP addresses? but does not show as expected in ifconfig -a ...
the fact that I am listening on this address but ssh client times out at my end suggests something wrong - I have tried it with shorewall down too - btw - same behavior when I have only the new address assigned to eth1... |
It's OK. Please keep in mind to change default gateway as well - at the time being it is the 202.130.34.113. You can set both (the old one and the new one) simultaneously with iproute2 also: Code: | ip route add default via <new GW> |
and check the routes: or just
BTW: Usually it is not a good idea to set IP addresses from the same subnet to different NICs. It is better to make a trunk and set only 1 IP address to the join NIC. _________________ RedHat -> SuSE -> Debian -> Gentoo |
stardotstar l33t
Joined: 10 Feb 2006 Posts: 887 Location: 2074/SYD/NSW/AU
|
Posted: Mon Jul 06, 2009 8:54 am Post subject: |
|
|
Thank you Sysa.
This is most helpful.
I am finding still some problems:
Code: | helios conf.d # ip r
202.130.34.112/29 dev eth1 proto kernel scope link src 202.130.34.115
119.63.202.0/24 dev eth0 proto kernel scope link src 119.63.202.186
119.63.202.0/24 dev eth1 proto kernel scope link src 119.63.202.187
127.0.0.0/8 dev lo scope link
default via 119.63.202.1 dev eth0
default via 202.130.34.113 dev eth1 metric 1
|
I can ping the gateway 113 from remote and local but cannot reach 115 from remote...
ie I can ssh to 115 from my ssh connection to eth0 on the legacy (as yet untouched nic) but not from remote.
I have tried all this with the firewall off too.
Unless I misunderstand you I have set the default route to the new GW... Does it need two routes - ie one that allows these two subnets to see each other?
(actually that is making some sense thinking about it ... How am I going to be able to see the new IP from anywhere unless there is a route from my incoming connection on eth0 to the new subnet...)
Quote: | BTW: Usually it is not a good idea to set IP addresses from the same subnet to different NICs. It is better to make a trunk and set only 1 IP address to the join NIC. |
This has me confused unfortunately...
Given that my setup is currently:
eth0 address a subnet 1
eth1 address b subnet 1
and I want to migrate to
eth0 address c subnet 2
eth1 address d subnet 2
what you seem to be saying is that this is not good practice and that two interfaces would be better served with:
eth0 address c,d subnet 2
eth1 address a,b subnet 1
or vice versa.
Then provide a route between subnet 1 and 2...
Now, what in reality I need to do is this:
I have subnet 1 with address a on eth0 - all my daily ssh and apache,ftp and other services are run off this IP and interface...
I have been told that subnet 1 address a,b etc are going away in a few days and that I need to get going on subnet 2 address c,d etc...
I have an apache server running virtual hosts like this:
Code: | <VirtualHost 119.63.202.186:80>
ServerName arcplane.com.au
ServerAlias www.arcplane.com.au
Include /etc/apache2/vhosts.d/arcplane.com.au_vhost.include
</VirtualHost>
<VirtualHost 119.63.202.186:80>
ServerName mdmas.com.au
ServerAlias www.mdmas.com.au
Include /etc/apache2/vhosts.d/mdmas.com.au_vhost.include
</VirtualHost>
|
and therefore all these will need their IP changed and the DNS propagation done before my old range dies...
It has me a bit overwhelmed since I can't even seem to get the interface to respond to ssh from outside the way my existing ones do - even though I can see the gateway IP and ssh is responding from local on the new address at eth1. _________________ ]8P |
Sysa Apprentice
Joined: 16 Mar 2005 Posts: 161 Location: Europe
|
Posted: Mon Jul 06, 2009 7:10 pm Post subject: |
|
|
First of all I have to understand your network topology. Please fix me if I'm wrong.
So, I suggest that current (old) connection is using eth1 (202.130.34.115/24 gw 202.130.34.113) and you plan to migrate to the 119.63.202.[186,187]/24 assigned to different NICs (gw 119.63.202.1).
Also it looks like both your NICs are connected to the same network segment and both (old and new) IP addresses and gateways are available now. Please double check that your firewall settings are correct or it is switched off.
stardotstar wrote: | I am finding still some problems:
Code: | helios conf.d # ip r
202.130.34.112/29 dev eth1 proto kernel scope link src 202.130.34.115
119.63.202.0/24 dev eth0 proto kernel scope link src 119.63.202.186
119.63.202.0/24 dev eth1 proto kernel scope link src 119.63.202.187
127.0.0.0/8 dev lo scope link
default via 119.63.202.1 dev eth0
default via 202.130.34.113 dev eth1 metric 1
|
I can ping the gateway 113 from remote and local but cannot reach 115 from remote...
ie I can ssh to 115 from my ssh connection to eth0 on the legacy (as yet untouched nic) but not from remote.
I have tried all this with the firewall off too.
|
Since it is not a firewall problem but a routing problem, it should be clear from your routing table (I asked you for it to be sure that it is misconfigured). I think it is not worth wasting time explaining the details (just look at the very good docs at http://lartc.org/), so herewith I would like to suggest my migration scenario.
stardotstar wrote: |
Unless I misunderstand you I have set the default route to the new GW... Does it need two routes - ie one that allows these two subnets to see each other?
(actually that is making some sense thinking about it ... How am I going to be able to see the new IP from anywhere unless there is a route from my incoming connection on eth0 to the new subnet...)
Quote: | BTW: Usually it is not a good idea to set IP addresses from the same subnet to different NICs. It is better to make a trunk and set only 1 IP address to the join NIC. |
This has me confused unfortunately...
...I have been told that subnet 1 address a,b etc are going away in a few days and that I need to get going on subnet 2 address c,d etc...
|
BTW: why do you need 2 IP addresses from the same subnet in one box?! Forget it!
I suggest using 1 NIC and 1 old and 1 new IP address only. At least during migration.
So, I suggest the following procedure:
1. Add the new IP address to the same NIC (to share with the old one). You can do it on the run (do not forget to change /etc/conf.d/net accordingly):
Code: | ip address add 119.63.202.186/24 brd 119.63.202.255 dev eth1 |
2. Check that the new gateway is accessible right way (the same subnet == 1 hop):
Code: | traceroute -n 202.12.27.33
arp -n |
You must see a correct MAC address of the gateway.
3. Manually set a new route for any host you know that allows traceroute (but not from the route to your client host), e.g. 202.12.27.33:
Code: | ip route add 202.12.27.33 via 119.63.202.1
traceroute -n 202.12.27.33 |
You must see the correct path to the host (via the new gateway).
4. Restart sshd and double check that it listens and is allowed on all IP addresses.
5. Change your default route (or remove the old one if you have both) and check the new routing table:
Code: | ip route change default via 119.63.202.1
ip route |
You'll lose your SSH session and will have to connect to the new IP address (119.63.202.186).
6. Restart all your services to be sure they listen and are allowed on all IP addresses.
7. Adjust your DNS as soon as possible. BTW: you can do it at the beginning of the procedure and keep both IP addresses configured for a while...
I hope it helps... _________________ RedHat -> SuSE -> Debian -> Gentoo |
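
An added example, not part of Sysa's post or of any tool mentioned in the thread: a small audit of `ip route` text for the two conditions raised above (one subnet on two NICs, more than one default route) plus a check for local addresses whose replies would leave through a gateway outside their own subnet. The function names and finding labels are hypothetical, the sample is the routing table posted earlier in the thread, and only the main table is read (policy routing via `ip rule` is assumed absent).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit `ip route` text from the main table.
# Assumption: no policy routing (`ip rule`) is in use; only this table decides.

# Constructed sample: the routing table posted earlier in the thread.
sample_routes() {
cat <<'EOF'
202.130.34.112/29 dev eth1 proto kernel scope link src 202.130.34.115
119.63.202.0/24 dev eth0 proto kernel scope link src 119.63.202.186
119.63.202.0/24 dev eth1 proto kernel scope link src 119.63.202.187
127.0.0.0/8 dev lo scope link
default via 119.63.202.1 dev eth0
default via 202.130.34.113 dev eth1 metric 1
EOF
}

# audit_routes: read `ip route` output on stdin, print one finding per line.
audit_routes() {
  awk '
    function after(key,   i) {              # value that follows keyword key
      for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
      return ""
    }
    function ip2n(ip,   o) {                # dotted quad to number
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, cidr,   p, size) {  # is ip inside cidr?
      split(cidr, p, "/"); size = 2 ^ (32 - p[2])
      return int(ip2n(ip) / size) == int(ip2n(p[1]) / size)
    }
    $1 == "default" {
      m = after("metric") + 0               # an absent metric means 0
      # the lowest metric wins among routes to the same prefix
      if (++ndef == 1 || m < best_m) { best_m = m; gw = after("via"); gwdev = after("dev") }
      next
    }
    / src / {                               # connected route carrying a local address
      d = after("dev")
      if (($1 in owner) && owner[$1] != d)
        printf "DUP_SUBNET %s on %s and %s\n", $1, owner[$1], d
      else
        owner[$1] = d
      n++; pfx[n] = $1; src[n] = after("src")
    }
    END {
      if (ndef > 1)
        printf "MULTI_DEFAULT %d preferred via %s dev %s\n", ndef, gw, gwdev
      # replies from an address whose subnet does not contain the preferred
      # gateway leave through another network
      for (i = 1; i <= n; i++)
        if (ndef > 0 && !in_net(gw, pfx[i]))
          printf "FOREIGN_GW %s replies leave via %s dev %s\n", src[i], gw, gwdev
    }'
}

# Stand-alone run over the constructed sample.
sample_routes | audit_routes
```

On a live host the same check is `ip route | audit_routes`; an empty result means none of the three conditions was found in the main table.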
stardotstar l33t
Joined: 10 Feb 2006 Posts: 887 Location: 2074/SYD/NSW/AU
|
Posted: Tue Jul 07, 2009 2:02 am Post subject: |
|
|
Thank you sysa for your guidance. It is very very much appreciated.
Due to the time variance we did not manage to stay in sync on this in a very economical way and I have managed to progress to a much more advanced but just as borked state as I could ever have hoped!
This has led to an extended outage that appears to be a DNS issue now.
In case you are able to further assist (and I appreciate the time you have taken so far to "learn" me )
The topology is this;
Original/Legacy/Old state:
iLO 119.63.202.190 snm 255.255.255.0 gw 119.63.202.1 bc 119.63.202.255
eth0 119.63.202.186 snm 255.255.255.0 gw 119.63.202.1 bc 119.63.202.255
eth1 119.63.202.187 snm 255.255.255.0 gw 119.63.202.1 bc 119.63.202.255
I am learning why to only use one nic - this is obscure to me - my original setup was on the basis that I have only one physical server with two NICs and I therefore ran
ns1.sourcepoint.com.au 119.63.202.186
ns2.sourcepoint.com.au 119.63.202.187
the only use for the second NIC in my thinking was to have a separate physical IP for the secondary or slave name server (I know they are supposed to be on different boxes, let alone separate networks etc... I have a second server waiting to be installed and put in another remote colocation and once I do that I will have a more ideal situation - for now this is what I have...)
Now the goal state is to have all the virtual hosts on the server running as before (above) but like this:
iLO (not necessary to publish - it's working on the new node of the new subnet)
eth0 202.130.34.115 snm 255.255.255.248 gw 202.130.34.113 bc 202.130.34.119
eth1 202.130.34.116 snm 255.255.255.248 gw 202.130.34.113 bc 202.130.34.119
So, let's focus on eth0...
We wanted to do a phased transition by binding the old and new IPs to the eth0 but I couldn't get the default routes to work so I figured I'll put up with the DNS outage while propagation takes place overnight and just switch over to the new IPs physically.
I did this by being able to use iLO as a fallback to get ssh access when I stuffed up; and configured the two ethernet adapters as above...
Now I can ssh in to the box via iLO, eth0 on 202.130.34.115 or eth1 on 202.130.34.116
I reconfigured named and apache2 to point to the new IPs everywhere I could see that it needed doing and for a while after complete outage of all the sites, the sites all worked ok on the new IPs! I was able to send mail via roundcube on my https domain, use the database on the primary forums domain on the new IP; I went to bed.
This morning and today none of the sites are working and although name resolution is working locally on the server nothing resolves from outside world. _________________ ]8P |