On 10/13/2012 9:47 AM, Matt Morrow wrote:
After dealing with a number of issues due to an old 3.8 install which have
been resolved in current releases, I think I'm going to do the individual
release upgrades (3.8->3.9->4.0, etc etc)

The 3.9 upgrade guide says:

pfsync(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4> has
changed format, so it can not keep state between a 3.8 and a 3.9 box.
Mismatched systems will lose all connections when you switch which box is
master, as states will not be transferred between systems. You can minimize
the impact of this by upgrading your backup boxes first, so there is only
one loss of active states.


Can anyone explain what that means in terms of my existing pf configuration
working as a simple router with a port forward? Does this simply mean that
during the upgrade, if I had multiple servers running, that boxes would
temporarily lose connectivity during the upgrade as they wouldn't switch
over to a backup server automatically?


I am assuming you are using CARP in a master/backup configuration and that's what you mean when you talk about switching over to a backup server automatically. Please disregard if that is not true.

It seems pretty straightforward from the notes:

1) Upgrade your backup box.

2) Fail over to it, losing all current states -- dropping all established connections, but being immediately available to create new ones. It's not a full loss of connectivity, but any established connections will be dropped.

3a) Optionally change the advskew of the carp interfaces on your primary box so they don't automatically take over as master before you get a chance to verify pfsync is working.

3b) Upgrade your primary box, verify pfsync is working (pfctl -s states), and take over as master in carp (if you haven't already).

4) Keep upgrading!

So, like it said, there would only be one loss of established/active states.

You will hit this issue at least one more time going from 4.4 to 4.5 as well:

http://www.openbsd.org/faq/upgrade45.html#pfsync
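
Added example, not part of the original message: a small sh gate for steps 3a/3b that refuses to fail back until the upgraded primary is still BACKUP, its advskew is raised, and its state table is populated. The interface name carp0, the threshold of 100, the function names, and the sample `ifconfig`/`pfctl -s states` text are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate for step 3b, run on the freshly upgraded primary.
# Sample text is constructed; live input would come from
# `ifconfig carp0` and `pfctl -s states` (carp0 is an assumed name).

SAMPLE_CARP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'
SAMPLE_STATES='all tcp 192.0.2.10:22 <- 198.51.100.7:51515       ESTABLISHED:ESTABLISHED
all udp 192.0.2.1:123 -> 203.0.113.5:123       MULTIPLE:MULTIPLE'

# carp_field TEXT state|advskew: pull one value from the "carp:" line.
carp_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "carp:" {
            if (want == "state") { print $2; exit }
            for (i = 3; i < NF; i++) if ($i == want) { print $(i + 1); exit }
        }'
}

# count_states TEXT: number of non-empty lines of state-table output.
count_states() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# ready_to_failback CARP_TEXT STATES_TEXT MIN_SKEW
ready_to_failback() {
    state=$(carp_field "$1" state)
    skew=$(carp_field "$1" advskew)
    n=$(count_states "$2")
    if [ "$state" != "BACKUP" ]; then
        echo "hold: carp state is '${state:-unknown}', expected BACKUP"; return 1
    fi
    if [ "${skew:-0}" -lt "$3" ]; then
        echo "hold: advskew ${skew:-0} is below $3, box may take over on its own"; return 1
    fi
    if [ "$n" -eq 0 ]; then
        echo "hold: state table is empty, nothing arrived over pfsync"; return 1
    fi
    echo "ok: BACKUP, advskew $skew, $n states present"
}

ready_to_failback "$SAMPLE_CARP" "$SAMPLE_STATES" 100
```

A non-empty state table is a coarse signal, since the box also creates states for its own traffic; comparing a few entries against the current master's table is the stronger check.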
