Configuring Network High Availability on Alpine Linux
Network high availability ensures your services remain accessible even when failures occur. Learn how to implement robust network redundancy and failover mechanisms on Alpine Linux! 🚀
What is Network High Availability?
Network High Availability (HA) provides:
- Continuous Service: Minimize downtime through redundancy
- Automatic Failover: Seamless switching during failures
- Load Distribution: Balance traffic across multiple paths
- Fault Tolerance: Survive hardware and software failures
- Business Continuity: Maintain operations during incidents
Prerequisites
Before implementing HA:
- Multiple Alpine Linux servers (minimum 2)
- Multiple network interfaces per server
- Basic networking knowledge
- Understanding of routing protocols
- Root access on all systems
Step 1: Network Architecture Planning
HA Design Principles
# Typical HA Network Architecture
#
#              Internet
#                 |
#    [Router 1] --- [Router 2]    (VRRP)
#        |              |
#    [Switch 1] --- [Switch 2]    (Link Aggregation)
#        |              |
#    [Server 1] --- [Server 2]    (Application HA)
Install Required Packages
# Update repositories
sudo apk update
# Install HA networking tools
sudo apk add keepalived conntrack-tools ipvsadm
sudo apk add bird quagga frr
sudo apk add haproxy nginx
sudo apk add iptables iproute2 bridge-utils
Step 2: Configure VRRP with Keepalived
Install Keepalived
# Install keepalived
sudo apk add keepalived
# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.arp_ignore = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.arp_announce = 2" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Configure Master Node
# Edit keepalived configuration on master
sudo nano /etc/keepalived/keepalived.conf
Add master configuration:
! Configuration File for keepalived
global_defs {
    notification_email {
        admin@example.com
    }
    notification_email_from keepalived@example.com
    smtp_server localhost
    smtp_connect_timeout 30
    router_id LVS_MASTER
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass secretpass
    }
    virtual_ipaddress {
        192.168.1.100/24 dev eth0 label eth0:vip
    }
    track_script {
        chk_haproxy
    }
    notify_master "/etc/keepalived/notify.sh MASTER"
    notify_backup "/etc/keepalived/notify.sh BACKUP"
    notify_fault "/etc/keepalived/notify.sh FAULT"
}
Configure Backup Node
# Edit keepalived configuration on backup
sudo nano /etc/keepalived/keepalived.conf
Add backup configuration:
! Configuration File for keepalived
global_defs {
    notification_email {
        admin@example.com
    }
    notification_email_from keepalived@example.com
    smtp_server localhost
    smtp_connect_timeout 30
    router_id LVS_BACKUP
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass secretpass
    }
    virtual_ipaddress {
        192.168.1.100/24 dev eth0 label eth0:vip
    }
    track_script {
        chk_haproxy
    }
    notify_master "/etc/keepalived/notify.sh MASTER"
    notify_backup "/etc/keepalived/notify.sh BACKUP"
    notify_fault "/etc/keepalived/notify.sh FAULT"
}
Create Notification Script
# Create notification script
sudo nano /etc/keepalived/notify.sh
Add notification logic:
#!/bin/sh
# $1 is the state named on the notify_* lines in keepalived.conf.
# As configured above, only $1 is passed, so NAME and STATE stay empty.
TYPE=$1
NAME=$2
STATE=$3
case "$TYPE" in
    MASTER)
        echo "$(date) - Becoming MASTER" >> /var/log/keepalived-state.log
        # Start services or update routes
        /usr/sbin/service haproxy start
        ;;
    BACKUP)
        echo "$(date) - Becoming BACKUP" >> /var/log/keepalived-state.log
        # Stop services or update routes
        /usr/sbin/service haproxy stop
        ;;
    FAULT)
        echo "$(date) - FAULT state" >> /var/log/keepalived-state.log
        # Handle fault condition
        ;;
esac
# Send notification
echo "VRRP transition to $TYPE state" | mail -s "Keepalived State Change" admin@example.com
Make it executable:
sudo chmod +x /etc/keepalived/notify.sh
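How the `weight 2` tracking script interacts with the 150/100 priorities, and with `notify.sh` stopping HAProxy on the backup, worked through as an added example that is not part of the original guide. The `-60` weight is a hypothetical alternative value, and priority ties are ignored.

```shell
#!/bin/sh
# Added example: model keepalived's effective priority for the two nodes above.
# Assumption (keepalived track_script semantics): a positive weight is added
# while the check succeeds, a negative weight is subtracted while it fails.

# effective_priority BASE WEIGHT CHECK_OK(1|0)
effective_priority() {
    if [ "$2" -gt 0 ] && [ "$3" -eq 1 ]; then
        echo $(( $1 + $2 ))
    elif [ "$2" -lt 0 ] && [ "$3" -eq 0 ]; then
        echo $(( $1 + $2 ))
    else
        echo "$1"
    fi
}

# vip_holder WEIGHT MASTER_CHECK_OK BACKUP_CHECK_OK
# Base priorities 150/100 come from the configs above. Ties are ignored:
# the backup takes over only with a strictly higher priority.
vip_holder() {
    m=$(effective_priority 150 "$1" "$2")
    b=$(effective_priority 100 "$1" "$3")
    if [ "$b" -gt "$m" ]; then echo "backup $b>$m"; else echo "master $m>=$b"; fi
}

echo "weight 2,   haproxy dead on master, running on backup: $(vip_holder 2 0 1)"
echo "weight -60, haproxy dead on master, running on backup: $(vip_holder -60 0 1)"
echo "weight -60, haproxy dead on master, stopped on backup: $(vip_holder -60 0 0)"
```

With the guide's values a dead HAProxy on the master never moves the VIP; a negative weight larger than the 50-point priority gap does, but only while HAProxy is left running on the backup.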
Step 3: Configure Load Balancing with HAProxy
Install and Configure HAProxy
# Install HAProxy
sudo apk add haproxy
# Backup default configuration
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak
# Edit HAProxy configuration
sudo nano /etc/haproxy/haproxy.cfg
Add HAProxy configuration:
global
    log 127.0.0.1:514 local0
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Tune for high availability
    maxconn 4096
    spread-checks 5

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option redispatch
    retries 3
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    # Statistics
    stats enable
    stats uri /haproxy?stats
    stats realm HAProxy\ Statistics
    stats auth admin:password

# Frontend configuration
frontend web_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/server.pem
    redirect scheme https if !{ ssl_fc }
    # ACLs
    acl is_api path_beg /api
    acl is_static path_beg /static
    # Use backends based on ACL
    use_backend api_servers if is_api
    use_backend static_servers if is_static
    default_backend web_servers

# Backend configurations
backend web_servers
    balance roundrobin
    option httpchk GET /health
    server web1 192.168.1.10:80 check inter 2000 rise 2 fall 3
    server web2 192.168.1.11:80 check inter 2000 rise 2 fall 3
    server web3 192.168.1.12:80 check backup

backend api_servers
    balance leastconn
    option httpchk GET /api/health
    server api1 192.168.1.20:8080 check
    server api2 192.168.1.21:8080 check

backend static_servers
    balance source
    server static1 192.168.1.30:80 check
    server static2 192.168.1.31:80 check
Step 4: Configure Network Bonding
Create Bond Interface
# Install bonding module
sudo modprobe bonding
# Make it persistent
echo "bonding" | sudo tee -a /etc/modules
# Configure network interfaces
sudo nano /etc/network/interfaces
Add bonding configuration:
# Loopback
auto lo
iface lo inet loopback

# Physical interfaces (slaves)
auto eth0
iface eth0 inet manual
    bond-master bond0

auto eth1
iface eth1 inet manual
    bond-master bond0

# Bond interface
auto bond0
iface bond0 inet static
    address 192.168.1.50
    netmask 255.255.255.0
    gateway 192.168.1.1
    bond-mode active-backup
    bond-miimon 100
    bond-downdelay 200
    bond-updelay 200
    bond-slaves eth0 eth1
    bond-primary eth0
Apply Configuration
# Restart networking
sudo rc-service networking restart
# Verify bonding
cat /proc/net/bonding/bond0
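A bond in active-backup mode keeps working with one dead slave, so the verification step should also confirm that both links are still up. The check below is an added example, not part of the original guide; the function names and the trimmed sample of `/proc/net/bonding/bond0` are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a bond that is up but no longer redundant.

# bond_health [FILE] -> prints "<slave> <mii status> <role>" per slave;
# returns 1 if fewer than two slaves are enslaved or any slave is not "up".
# Reads standard input when no file is given.
bond_health() {
    awk -F': ' '
        /^Currently Active Slave/ { active = $2 }
        /^Slave Interface/        { slave = $2; n++ }
        /^MII Status/ && slave != "" {
            role = (slave == active) ? "active" : "standby"
            print slave, $2, role
            if ($2 != "up") bad++
        }
        END { exit (n < 2 || bad > 0) ? 1 : 0 }
    ' "$@"
}

# Constructed sample of /proc/net/bonding/bond0 (trimmed); $1 = eth1 link state.
sample_bond() {
    cat <<EOF
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect always)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: $1
Link Failure Count: 3
EOF
}

sample_bond down | bond_health || echo "bond0 is degraded: no standby link available"
```

On a live system the same function is called as `bond_health /proc/net/bonding/bond0`.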
Step 5: Configure Redundant Routing
Install FRR (Free Range Routing)
# Install FRR
sudo apk add frr frr-openrc
# Enable required daemons
sudo nano /etc/frr/daemons
Enable daemons:
zebra=yes
bgpd=yes
ospfd=yes
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=yes
Configure OSPF
# Configure FRR
sudo nano /etc/frr/frr.conf
Add OSPF configuration:
hostname alpine-router
password zebra
enable password zebra
router ospf
 ospf router-id 192.168.1.50
 network 192.168.1.0/24 area 0.0.0.0
 area 0.0.0.0 authentication
 passive-interface default
 no passive-interface eth0
 no passive-interface eth1
interface eth0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SECRET
 ip ospf cost 10
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf priority 150
interface eth1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SECRET
 ip ospf cost 20
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf priority 100
log syslog informational
Step 6: Configure Connection Tracking Sync
Set Up Conntrack Sync
# Install conntrack tools
sudo apk add conntrack-tools
# Configure primary node
sudo nano /etc/conntrackd/conntrackd.conf
Add conntrack configuration:
Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
        ACKWindowSize 300
        DisableExternalCache Off
    }
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.1.50
        Interface eth0
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}
General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    SocketBufferSize 262142
    SocketBufferSizeMaxGrown 655355
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 192.168.1.100
        }
    }
}
Start Services
# Start keepalived
sudo rc-update add keepalived
sudo rc-service keepalived start
# Start HAProxy
sudo rc-update add haproxy
sudo rc-service haproxy start
# Start FRR
sudo rc-update add frr
sudo rc-service frr start
# Start conntrackd
sudo rc-update add conntrackd
sudo rc-service conntrackd start
Step 7: Monitoring and Testing
Create Monitoring Script
# Create HA monitoring script
sudo nano /usr/local/bin/ha-monitor.sh
Add monitoring script:
#!/bin/sh
echo "=== Network HA Status Check ==="
echo "Date: $(date)"
echo

# Check VRRP status
echo "=== VRRP Status ==="
if ip addr show | grep -q "192.168.1.100"; then
    echo "✓ This node has the VIP (MASTER)"
else
    echo "• This node is BACKUP"
fi

# Check keepalived
echo -e "\n=== Keepalived Status ==="
if pgrep keepalived > /dev/null; then
    echo "✓ Keepalived is running"
else
    echo "✗ Keepalived is not running"
fi

# Check HAProxy
echo -e "\n=== HAProxy Status ==="
if pgrep haproxy > /dev/null; then
    echo "✓ HAProxy is running"
    echo "Backend status:"
    echo "show stat" | socat /run/haproxy/admin.sock stdio | cut -d',' -f1,2,18 | column -t -s','
else
    echo "✗ HAProxy is not running"
fi

# Check bonding
echo -e "\n=== Network Bonding Status ==="
if [ -f /proc/net/bonding/bond0 ]; then
    grep -E "Bonding Mode|Currently Active Slave|MII Status" /proc/net/bonding/bond0
else
    echo "No bonding configured"
fi

# Check routing
echo -e "\n=== Routing Status ==="
ip route show
echo -e "\nOSPF Neighbors:"
vtysh -c "show ip ospf neighbor"

# Check conntrack sync
echo -e "\n=== Connection Tracking ==="
conntrackd -s
Make executable:
sudo chmod +x /usr/local/bin/ha-monitor.sh
Test Failover
# Simulate primary failure
sudo rc-service keepalived stop
# Check VIP migration
ip addr show | grep 192.168.1.100
# Simulate network failure
sudo ip link set eth0 down
# Check bonding failover
cat /proc/net/bonding/bond0
# Test application availability
curl http://192.168.1.100
Step 8: Advanced HA Features
Configure BFD (Bidirectional Forwarding Detection)
# In FRR configuration
router ospf
 bfd all-interfaces
interface eth0
 ip ospf bfd
 ip ospf bfd detect-multiplier 3
 ip ospf bfd min-rx 300
 ip ospf bfd min-tx 300
Implement Split-Brain Prevention
# Add to keepalived.conf
vrrp_instance VI_1 {
    # ... existing config ...
    # Prevent split-brain
    # (nopreempt only takes effect when the instance's initial state is BACKUP)
    nopreempt
    garp_master_delay 10
    garp_master_repeat 1
    # Use unicast for better reliability
    unicast_src_ip 192.168.1.10
    unicast_peer {
        192.168.1.11
    }
}
Configure Application-Level HA
# Example: PostgreSQL streaming replication
# On primary
echo "host replication replica 192.168.1.0/24 md5" >> /etc/postgresql/pg_hba.conf
# On standby
pg_basebackup -h 192.168.1.10 -D /var/lib/postgresql/data -U replica -v -P -W
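# Create recovery.conf (PostgreSQL 11 and earlier; PostgreSQL 12+ uses standby.signal
# and refuses to start when recovery.conf is present)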
cat > /var/lib/postgresql/data/recovery.conf << EOF
standby_mode = 'on'
primary_conninfo = 'host=192.168.1.10 port=5432 user=replica'
trigger_file = '/tmp/postgresql.trigger'
EOF
Troubleshooting
Common Issues
- VIP Not Migrating
# Check keepalived logs
tail -f /var/log/messages | grep keepalived
# Verify VRRP packets
tcpdump -i eth0 vrrp
- HAProxy Backend Down
# Check health checks
echo "show servers state" | socat /run/haproxy/admin.sock stdio
# Enable/disable server
echo "disable server web_servers/web1" | socat /run/haproxy/admin.sock stdio
- Network Bonding Issues
# Check slave status
cat /sys/class/net/bond0/bonding/slaves
# Force active slave
echo eth1 > /sys/class/net/bond0/bonding/active_slave
Best Practices
- Test Regularly: Schedule failover tests
- Monitor Actively: Use monitoring tools
- Document Procedures: Create runbooks
- Automate Recovery: Script common fixes
- Plan Capacity: Size for peak + failover
- Secure Communications: Use authentication
- Version Control: Track configuration changes
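For the "Secure Communications" item: the sample configurations above carry placeholder credentials (`auth_pass secretpass`, `stats auth admin:password`, `password zebra`) that should not survive into a deployment. The audit below is an added example, not part of the original guide; the function names, the 12-character threshold and the directory layout (all three files in one directory) are assumptions.

```shell
#!/bin/sh
# Added example: flag the weak authentication settings in this guide's sample configs.

# audit_ha_configs DIR -> prints one "<file>: <finding>" line per problem found
audit_ha_configs() {
    # keepalived: PASS auth is sent in cleartext in every VRRP advert, and
    # keepalived uses only the first 8 characters of auth_pass.
    awk '$1 == "auth_type" && $2 == "PASS" { print "keepalived.conf: cleartext VRRP auth" }
         $1 == "auth_pass" && length($2) > 8 { print "keepalived.conf: auth_pass truncated to 8 chars" }
        ' "$1/keepalived.conf"
    # haproxy: "stats" in defaults is inherited by every frontend; the 12-character
    # minimum is this example's own threshold.
    awk '$1 ~ /^(global|defaults|frontend|backend|listen)$/ { sec = $1 }
         $1 == "stats" && $2 == "enable" && sec == "defaults" { print "haproxy.cfg: stats page on every frontend" }
         $1 == "stats" && $2 == "auth" { split($3, c, ":")
             if (length(c[2]) < 12) print "haproxy.cfg: short stats password for " c[1] }
        ' "$1/haproxy.cfg"
    # frr: "zebra" is the well-known sample vty password.
    awk '$NF == "zebra" && ($1 == "password" || ($1 == "enable" && $2 == "password")) {
             print "frr.conf: default vty password: " $0 }' "$1/frr.conf"
    # Files holding these secrets should not be readable by other users.
    for f in keepalived.conf haproxy.cfg frr.conf; do
        if [ -n "$(find "$1/$f" -perm -004)" ]; then echo "$f: world-readable"; fi
    done
}

# Constructed sample: the credential-bearing lines from the configs above.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'authentication {' 'auth_type PASS' 'auth_pass secretpass' '}' > "$d/keepalived.conf"
    printf '%s\n' 'defaults' 'stats enable' 'stats auth admin:password' \
        'frontend web_frontend' 'bind *:80' > "$d/haproxy.cfg"
    printf '%s\n' 'hostname alpine-router' 'password zebra' 'enable password zebra' > "$d/frr.conf"
    chmod 644 "$d/keepalived.conf"
    chmod 640 "$d/haproxy.cfg" "$d/frr.conf"
    echo "$d"
}

sample=$(make_sample)
audit_ha_configs "$sample"
rm -rf "$sample"
```

Against real files, point it at a directory holding copies of `/etc/keepalived/keepalived.conf`, `/etc/haproxy/haproxy.cfg` and `/etc/frr/frr.conf`.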
Conclusion
You’ve successfully configured comprehensive network high availability on Alpine Linux! Your setup now includes:
- ✅ VRRP Failover: Automatic IP failover with keepalived
- ✅ Load Balancing: Traffic distribution with HAProxy
- ✅ Network Bonding: Link redundancy at Layer 2
- ✅ Dynamic Routing: Path redundancy with OSPF
- ✅ Connection Sync: Stateful failover with conntrackd
- ✅ Monitoring: Comprehensive health checks
Your network is now resilient to failures and ready for production workloads! 🌐