From 07c56086aa0c4e015c9044e333ae4001debcb28d Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Tue, 30 Apr 2024 13:14:09 +0300 Subject: Update content for html --- .../DRAFT-KISS-high-availability-with-OpenBSD.html | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'gemfeed/DRAFT-KISS-high-availability-with-OpenBSD.html') diff --git a/gemfeed/DRAFT-KISS-high-availability-with-OpenBSD.html b/gemfeed/DRAFT-KISS-high-availability-with-OpenBSD.html index 4f7cddf8..857bcb0f 100644 --- a/gemfeed/DRAFT-KISS-high-availability-with-OpenBSD.html +++ b/gemfeed/DRAFT-KISS-high-availability-with-OpenBSD.html @@ -8,7 +8,7 @@ -

KISS high-availability with OpenBSD

 Art by Michael J. Penick (mod. by Paul B)
@@ -43,7 +43,7 @@ _____|_:_:_|  (o)-(o)  |_:_:_|--'`-.     ,--. ksh under-water (((\'/
 

 PS: ASCII-art reflects the OpenBSD under-water world with all the tools available in the base system.

 

-My auto-failover requirements


+My auto-failover requirements


 

 
 Be OpenBSD-based (I prefer OpenBSD because of the cleanliness and good documentation) and rely on as few external packages as possible. 
@@ -56,9 +56,9 @@ _____|_:_:_|  (o)-(o)  |_:_:_|--'`-.     ,--. ksh under-water (((\'/
 Have good monitoring in place so I know when a failover was performed and when something went wrong with the failover.
 Don't configure everything manually. The configuration should be automated and reproducible.
 


-My HA solution


+My HA solution


 

-Only OpenBSD base installation required


+Only OpenBSD base installation required


 

 My HA solution for Web and Gemini is based on DNS (OpenBSD's nsd) and a simple shell script (OpenBSD's ksh and some little sed and awk and grep). All software used here is part of the OpenBSD base system and no external package needs to be installed - OpenBSD is a complete operating system.

 

@@ -212,7 +212,7 @@ echo "Failover of zone $zone to $MASTER completed"
 

 https://codeberg.org/snonux/rexfiles/src/branch/master/frontends/scripts/dns-failover.ksh

 

-Fairly cheap and geo-redundant


+Fairly cheap and geo-redundant


 

 I am renting two small OpenBSD VMs: One at OpenBSD Amsterdam and the other at Hetzner Cloud. So, both VMs are hosted at another provider, in different IP subnets, and in different countries (the Netherlands and Germany).

 

@@ -223,13 +223,13 @@ echo "Failover of zone $zone to $MASTER completed"
 

 A DNS-based failover is cheap, as there isn't any BGP or fancy load balancer to pay for. Small VMs also cost less than millions.

 

-Failover time and split-brain


+Failover time and split-brain


 

 A DNS failover doesn't happen immediately. I've configured a DNS TTL of 300 seconds, and the failover script checks once per minute whether to perform a failover or not. So, in total, a failover can take six minutes (not including other DNS caching servers somewhere in the interweb, but that's fine - eventually, all requests will resolve to the new master after a failover).

 

 A split-brain scenario between the old master and the new master might happen. That's OK, as my sites are static, and there's no database to synchronise other than HTML, CSS, and images when the site is updated.

 

-Failover support for multiple protocols


+Failover support for multiple protocols


 

 With the DNS failover, HTTP, HTTPS, and Gemini protocols are failovered. This works because all domain virtual hosts are configured on either VM's httpd (OpenBSD's HTTP server) and relayd (it's also part of OpenBSD and I use it to TLS offload the Gemini protocol). So, both VMs accept requests for all the hosts. It's just a matter of the DNS entry, which hosts receive the requests.

 

@@ -240,7 +240,7 @@ echo "Failover of zone $zone to $MASTER completed"
 

 On DNS failover, master and standby swap roles without config changes other than the DNS entries. That's KISS (keep it simple and stupid)!

 

-Let's encrypt TLS certificates


+Let's encrypt TLS certificates


 

 All my hosts use TLS certificates from Let's Encrypt. The ACME automation for requesting and keeping the certificates valid (up to date) requires that the host requesting a certificate from Let's Encrypt is also the host using that certificate.

 

@@ -277,21 +277,21 @@ http://www.gnu.org/software/src-highlite -->
 https://man.openbsd.org/acme-client.1

 Let's Encrypt with OpenBSD and Rex

 

-Monitoring


+Monitoring


 

 CRON is sending me an E-Mail whenever a failover is performed (or whenever a failover failed). Furthermore, I am monitoring my DNS servers and hosts through Gogios, the monitoring system I have developed. 

 

 https://codeberg.org/snonux/gogios

 KISS server monitoring with Gogios

  

-Rex automation


+Rex automation


 

 I use Rexify, a friendly configuration management system that allows automatic deployment and configuration.

 

 https://www.rexify.org

 https://codeberg.org/snonux/rexfiles/src/branch/master/frontends

 

-More HA


+More HA


 

 Other high-available services running on my OpenBSD VMs are my MTAs for mail forwarding (OpenSMTPD) and the authoritative DNS servers (nsd) for all my domains. No particular HA setup is required, though, as the protocols (SMTP and DNS) already take care of the failover to the next available host! 

 

-- 
cgit v1.2.3