Ip

Pacemaker Constraints

Add a location constraint using this command:

$ pcs constraint location VIP-10.11.12.99 prefers 10.11.12.200=50

Display any current constraints with this:

$ pcs constraint --full
Location Constraints:
  Resource: VIP-10.11.12.99
    Enabled on: 10.11.12.200 (score:50) (id:location-VIP-10.11.12.99-10.11.12.200-50)
  Resource: VIP-10.11.12.100
    Enabled on: 10.11.12.220 (score:50) (id:location-VIP-10.11.12.100-10.11.12.220-50)
Ordering Constraints:
Colocation Constraints:

Or this:

$ crm_resource -a -r resource_name
* VIP-10.11.12.99
  : Node 10.11.12.10 (score=-INFINITY, id=cli-ban-VIP-10.11.12.99-on-10.11.12.10)
  : Node 10.11.12.11 (score=50, id=location-VIP-VIP-10.11.12.99-10.11.12.10-50)

Remove a constraint like so:

ICMP Redirect Linux Kernel Settings

ICMP Redirects

You can check the current setting like so:

$ sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 1
$ sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 1
$ sysctl net.ipv4.conf.default.shared_media
net.ipv4.conf.default.shared_media = 1
$ sysctl net.ipv6.conf.default.accept_redirects
net.ipv6.conf.default.accept_redirects = 1

The accept_redirects setting enables acceptance of ICMP redirects. The secure_redirects setting, if enabled, ensures only redirects from a default gateway are accepted (if accept_redirects is itself enabled). The shared_media setting informs the kernel whether the physical network connected to a network interface is a shared medium, or not.

IPv6 Unicast Address Maximum Linux Kernel Setting

Unicast Address Number

This setting defines the maximum number of global unicast IPv6 addresses that can be assigned to a single interface. You can check the current setting like so:

$ sysctl net.ipv6.conf.default.max_addresses
net.ipv6.conf.default.max_addresses = 16

Note: The default keyword changes the interface default setting for any interface that does not have a custom setting specified (even if it matches the default setting). You can replace it with either a specific interface name (so the setting applies only to that interface) or the keyword all to configure all interfaces at once (ignoring interface-specific custom settings).

TCP MSS Linux Kernel Setting

Maximum Segment Size (MSS)

You can check the current setting like so:

$ sysctl net.ipv4.route.min_adv_mss
net.ipv4.route.min_adv_mss = 256

The MSS advertised by the host depends on the first hop route MTU, but will never be lower than this setting.

Dynamic Configuration

To change the running configuration, use this command with your desired value:

$ sysctl -w net.ipv4.route.min_adv_mss=NNN

You can confirm like so:

$ sysctl net.ipv4.route.min_adv_mss

Permanent Configuration

To make this setting persistent across reboots, edit the /etc/sysctl.

TCP SYN Retries Linux Kernel Setting

SYN Retries

Number of times a SYN is retried if no response is received. A lower value means less memory usage and reduces the impact of SYN flood attacks, but on lossy networks a 5+ value is probably worthwhile. Also see the SYN Cookies section. You can check the current setting like so:

$ sysctl net.ipv4.tcp_syn_retries
net.ipv4.tcp_syn_retries = 6

The interval between each resend is doubled every time, starting from 3s.

TCP TTL Linux Kernel Setting

Time to Live (TTL)

Simply the maximum number of hops a packet may travel. The TTL can also be specified on a per-destination-network basis. You can check the current setting like so:

$ sysctl net.ipv4.ip_default_ttl
net.ipv4.ip_default_ttl = 64

Dynamic Configuration

To change the running configuration, use this command with your desired value:

$ sysctl -w net.ipv4.ip_default_ttl=NN

You can confirm like so:

$ sysctl net.ipv4.ip_default_ttl

Permanent Configuration

To make this setting persistent across reboots, edit the /etc/sysctl.

TCP Nonlocal Bind Linux Kernel Setting

TCP Nonlocal Bind

This setting allows binding (by applications etc.) to IP addresses that are not assigned to a network interface on the host (thus nonlocal). This may be required when using VRRP with Keepalived in conjunction with HAProxy, for instance. If it is not enabled, HAProxy cannot bind to a VRRP address unless the local host is the VRRP master for it. You can check the current setting like so:

SYN ACK Retry Linux Kernel Setting

SYN/ACK Retries

The number of times a SYN/ACK response to a SYN is retried. Passive, inbound. A lower value means less memory usage and lower impact of SYN flood attacks, but on lossy networks a 5+ value is probably worthwhile. Also see the SYN Cookies section. You can check the current setting like so:

$ sysctl net.ipv4.tcp_synack_retries
net.ipv4.tcp_synack_retries = 5

The interval between each resend is doubled every time, starting from 3s.

IGMP Linux Kernel Settings

You can check the current settings like so:

$ sysctl net.ipv4.igmp_max_memberships
net.ipv4.igmp_max_memberships = 20
$ sysctl net.ipv4.igmp_max_msf
net.ipv4.igmp_max_msf = 10

net.ipv4.igmp_max_memberships specifies the maximum number of multicast groups the host can subscribe to. net.ipv4.igmp_max_msf specifies the maximum number of multicast source filters the host will support.

Dynamic Configuration

To change the running configuration, use this command with your desired value:

$ sysctl -w net.ipv4.igmp_max_memberships=NN
$ sysctl -w net.ipv4.igmp_max_msf=NN

You can confirm like so:

Linux Capabilities Required By Containerised Contemporary Network Applications

To minimise the privileges you assign to a Linux container, and so increase security and minimise risk, Linux capabilities should be used instead of granting full root privileges. These provide the least privilege necessary. Here are the capabilities required by contemporary network applications:

HAProxy: None
Pacemaker & Corosync: NET_ADMIN and NET_BROADCAST
Keepalived: NET_ADMIN and NET_BROADCAST
Mounting NFS: SYS_ADMIN
Mounting SMB: CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH

Note: You should omit any leading CAP_ when specifying capabilities in a Docker Compose file or with the docker run command.