# pls help: IP migration via ssh: 2 eths & iLO - apache server

## stardotstar

hi guys,

I am needing to do a remote controlled ip migration on my server.

Basically I have been running as three nodes on a class c network from my co-lo host 

I have two eth NICs - eth0 and eth1 as well as my iLO  interface 

At the moment I can ssh in on either nic

What has been suggested is that I bind the new IPs to the existing nics and then allow dns propagation to occur before removing the old addresses (which will become inactive at midnight in two days anyway)

Here is my theory (and what I have been trying)

1) ssh in on eth0 legacy addy

2) confirm that I can ssh in on eth1 legacy addy

3) log off from eth1 ssh session

4) edit /etc/ssh/sshd_config to "listen" on the new IP for eth1

5) edit /etc/conf.d/net to bind the new addy,netmask,brd to eth1

6) restart eth1

7) confirm eth1 pings on legacy and new addys

8) restart sshd

9) confirm ssh still works on eth0 and eth1 legacy (as well as having iLO open as a fallback)

10) ssh in on the new addy on eth1

these 10 things I have tried to complete but only manage to get as far as pinging the new addy on eth1.

I followed this guide:

http://www.gentoo-wiki.info/HOWTO_IP_Aliasing

and can now locally ping the interface eth1 on the newly assigned IP but when I ifconfig I don't get the eth1:1 as shown in the guide.

I am pretty sure that exposing my IPs is the same as running an apache server anyway - so I am presenting some of the results here to get help:

```
helios etc # cat /etc/conf.d/net
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).
dns_domain="sourcepoint.com.au"
dns_domain_lo="sourcepoint.com.au"
dns_domain_eth0="sourcepoint.com.au"
dns_domain_eth1="sourcepoint.com.au"
nameserver_eth0=( "119.63.202.186" )
nameserver_eth0=( "119.63.202.187" )
config_eth0=( "119.63.202.186 netmask 255.255.255.0" )
routes_eth0=( "default via 119.63.202.1" )
#config_eth1=( "119.63.202.187 netmask 255.255.255.0" )
#routes_eth1=( "default via 119.63.202.1" )
config_eth1=(
        "119.63.202.187 netmask 255.255.255.0 brd 119.63.202.255"
        "202.130.34.115 netmask 255.255.255.248 brd 202.130.34.119"
)
routes_eth1=( "default via 202.130.34.113" )
```

so I restart eth1 and try ping the two addresses I have tried to bind:

```
helios etc # ping 119.63.202.187
PING 119.63.202.187 (119.63.202.187) 56(84) bytes of data.
64 bytes from 119.63.202.187: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 119.63.202.187: icmp_seq=2 ttl=64 time=0.057 ms
64 bytes from 119.63.202.187: icmp_seq=3 ttl=64 time=0.067 ms
^C
--- 119.63.202.187 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2022ms
rtt min/avg/max/mdev = 0.057/0.065/0.071/0.005 ms
helios etc # ping 202.130.34.115
PING 202.130.34.115 (202.130.34.115) 56(84) bytes of data.
64 bytes from 202.130.34.115: icmp_seq=1 ttl=64 time=0.075 ms
64 bytes from 202.130.34.115: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from 202.130.34.115: icmp_seq=3 ttl=64 time=0.022 ms
^C
--- 202.130.34.115 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.022/0.041/0.075/0.024 ms
```

so far so good...

But no sign of the new interface with ifconfig:

```
helios etc # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:12:79:90:b0:16
          inet addr:119.63.202.186  Bcast:119.63.202.255  Mask:255.255.255.0
          inet6 addr: fe80::212:79ff:fe90:b016/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:247773781 errors:0 dropped:7772 overruns:0 frame:0
          TX packets:225045199 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1986503949 (1.8 GiB)  TX bytes:3735843461 (3.4 GiB)
          Interrupt:25

eth1      Link encap:Ethernet  HWaddr 00:12:79:90:b0:15
          inet addr:119.63.202.187  Bcast:119.63.202.255  Mask:255.255.255.0
          inet6 addr: fe80::212:79ff:fe90:b015/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11710 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:774199 (756.0 KiB)  TX bytes:576 (576.0 B)
          Interrupt:26

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:414256560 errors:0 dropped:0 overruns:0 frame:0
          TX packets:414256560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:683852015 (652.1 MiB)  TX bytes:683852015 (652.1 MiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tunl0     Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```

I am in touch with my co-lo host and they are going to try and help but are more Windows oriented OS wise.

What step have I missed?

I really need help with the complexity of this - but should be able to stay online with two interfaces and the iLO as backup.

Will

----------

## Exil

emerge iproute2 and then 

ip a s 

it will show you all ip addresses assigned to interfaces

----------

## stardotstar

OK, thanks for the instruction; I have emerged this tool and provide the following results:

```
helios conf.d # /etc/init.d/net.eth1 restart
 * Caching service dependencies ...                                               [ ok ]
 * WARNING:  you are stopping a boot service.
 * Stopping eth1
 *   Bringing down eth1
 *     Shutting down eth1 ...                                                     [ ok ]
 * Starting eth1
 *   Bringing up eth1
 *     119.63.202.187                                                             [ ok ]
 *     202.130.34.115                                                             [ ok ]
 *   Adding routes
 *     default via 202.130.34.113 ...                                             [ ok ]
helios conf.d # ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:12:79:90:b0:16 brd ff:ff:ff:ff:ff:ff
    inet 119.63.202.186/24 brd 119.63.202.255 scope global eth0
    inet6 fe80::212:79ff:fe90:b016/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:12:79:90:b0:15 brd ff:ff:ff:ff:ff:ff
    inet 119.63.202.187/24 brd 119.63.202.255 scope global eth1
    inet 202.130.34.115/29 brd 202.130.34.119 scope global eth1
    inet6 fe80::212:79ff:fe90:b015/64 scope link
       valid_lft forever preferred_lft forever
4: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
```

is this not curious since it will ping to both IP addresses? but does not show as expected in ifconfig -a ...

the fact that I am listening on this address but ssh client times out at my end suggests something wrong - I have tried it with shorewall down too - btw - same behavior when I have only the new address assigned to eth1...

----------

## Sysa

 *stardotstar wrote:*   

> OK, thanks for the instruction; I have emerged this tool and provide the following results:
> 
> ```
> helios conf.d # /etc/init.d/net.eth1 restart
> 
> ...
> ```

 

It's OK. Please keep in mind to change the default gateway as well  :Wink:  - at the moment it is 202.130.34.113. You can set both (the old one and the new one) simultaneously with iproute2 also:

```
ip route add default via <new GW>
```

and check the routes:

```
ip route
```

 or just 

```
ip r
```

BTW: Usually it is not a good idea to set IP addresses from the same subnet to different NICs. It is better to make a trunk and set only 1 IP address to the joined NIC.

----------

## stardotstar

Thank you Sysa.

This is most helpful.

I am finding still some problems:

```
helios conf.d # ip r
202.130.34.112/29 dev eth1  proto kernel  scope link  src 202.130.34.115
119.63.202.0/24 dev eth0  proto kernel  scope link  src 119.63.202.186
119.63.202.0/24 dev eth1  proto kernel  scope link  src 119.63.202.187
127.0.0.0/8 dev lo  scope link
default via 119.63.202.1 dev eth0
default via 202.130.34.113 dev eth1  metric 1
```

 I can ping the gateway 113 from remote and local but cannot reach 115 from remote...

ie I can ssh to 115 from my ssh connection to eth0 on the legacy (as yet untouched nic) but not from remote.

I have tried all this with the firewall off too.

Unless I misunderstand you I have set the default route to the new GW...  Does it need two routes - i.e. one that allows these two subnets to see each other?

(actually that is making some sense thinking about it ... How am I going to be able to see the new IP from anywhere unless there is a route from my incoming connection on eth0 to the new subnet...)

 *Quote:*   

> BTW: Usually it is not a good idea to set IP addresses from the same subnet to different NICs. It is better to make a trunk and set only 1 IP address to the joined NIC.

 

This has me confused unfortunately...

Given that my setup is currently:

eth0 address a subnet 1

eth1 address b subnet 1

and I want to migrate to 

eth0 address c subnet 2

eth1 address d subnet 2

what you seem to be saying is that this is not good practice and that two interfaces would be better served with:

eth0 address c,d subnet 2

eth1 address a,b subnet 1

or vice versa.

Then provide a route between subnet 1 and 2...

Now, what in reality I need to do is this:

I have subnet 1 with address a on eth0 - all my daily ssh and apache,ftp and other services are run off this IP and interface...

I have been told that subnet 1 address a,b etc are going away in a few days and that I need to get going on subnet 2 address c,d etc...

I have an apache server running virtual hosts like this:

```
<VirtualHost 119.63.202.186:80>
  ServerName arcplane.com.au
  ServerAlias www.arcplane.com.au
  Include /etc/apache2/vhosts.d/arcplane.com.au_vhost.include
</VirtualHost>

<VirtualHost 119.63.202.186:80>
  ServerName mdmas.com.au
  ServerAlias www.mdmas.com.au
  Include /etc/apache2/vhosts.d/mdmas.com.au_vhost.include
</VirtualHost>
```

and therefore all these will need their IP changed and the DNS propagation done before my old range dies...

It has me a bit overwhelmed since I can't even seem to get the interface to respond to ssh from outside the way my existing ones do - even though I can see the gateway IP and ssh is responding from local on the new address at eth1.

----------

## Sysa

First of all I have to understand your network topology. Please correct me if I'm wrong.

So, I suggest that current (old) connection is using eth1 (202.130.34.115/24 gw 202.130.34.113) and you plan to migrate to the 119.63.202.[186,187]/24 assigned to different NICs  (gw 119.63.202.1).

Also it looks like both your NICs are connected to the same network segment and both (old and new) IP addresses and gateways are available now. Please double check that your firewall settings are correct or it is switched off.

 *stardotstar wrote:*   

> I am finding still some problems:
> 
> ```
> helios conf.d # ip r
> 
> ...
> ```

 

Since it is not a firewall problem but a routing problem  :Smile:  - it should be clear from your routing table (I asked you for it to be sure that it is misconfigured). I think it is not worth wasting time explaining the details (just look at the very good docs at http://lartc.org/), so herewith I would like to suggest my migration scenario.

 *stardotstar wrote:*   

> 
> 
> Unless I misunderstand you I have set the default route to the new GW...  Does it need two routes - i.e. one that allows these two subnets to see each other?
> 
> (actually that is making some sense thinking about it ... How am I going to be able to see the new IP from anywhere unless there is a route from my incoming connection on eth0 to the new subnet...)
> ...

 

BTW: why do you need 2 IP addresses from the same subnet in one box?! Forget it! 

I suggest to use 1 NIC and 1 old and 1 new IP addresses only. At least during migration.

So, I suggest the following procedure:

1. add new IP address to the same NIC (to share with the old one). You can do it on the run (do not forget to change /etc/conf.d/net accordingly):

```
ip address add 119.63.202.186/24 brd 119.63.202.255 dev eth1
```

2. check that new gateway is accessible right way (the same subnet == 1 hop):

```
traceroute -n 202.12.27.33

arp -n
```

You must see a correct MAC address of the gateway.

3. manually set a new route for any host you know that allows traceroute (but not from the route to your client host), e.g. 202.12.27.33:

```
ip route add 202.12.27.33 via 119.63.202.1

traceroute -n 202.12.27.33
```

You must see the correct path to the host (via new gateway).

4. restart sshd and double check that it listens and is allowed on all IP addresses.

5. change your default route (or remove old one if you have both) and check a new routing table:

```
ip route change default via 119.63.202.1

ip route
```

You'll lose your SSH session and will have to connect to the new IP address (119.63.202.186).

6. Restart all your services to be sure they listen and are allowed on all IP addresses.

7. adjust your DNS as soon as possible. BTW: you can do it at the beginning of the procedure and keep both IP addresses configured for a while...

I hope it helps...
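
An added example, not code from any poster in this thread: it takes the `ip r` output stardotstar posted and checks, for a given local address, whether replies from it would leave through a gateway on that address's own subnet. For 202.130.34.115 the lower-metric default via 119.63.202.1 wins, so replies carry a new-subnet source out through the old gateway; the check then prints the source-based routing commands of the kind the lartc.org docs describe. The function name `reply_path` and routing table number 100 are assumptions made for the example.

```shell
#!/bin/sh
# Added example. ROUTES is the `ip r` output posted in the thread, embedded so
# the check runs offline; on a live host feed `ip -4 route` to awk instead.
ROUTES='202.130.34.112/29 dev eth1  proto kernel  scope link  src 202.130.34.115
119.63.202.0/24 dev eth0  proto kernel  scope link  src 119.63.202.186
119.63.202.0/24 dev eth1  proto kernel  scope link  src 119.63.202.187
127.0.0.0/8 dev lo  scope link
default via 119.63.202.1 dev eth0
default via 202.130.34.113 dev eth1  metric 1'

# reply_path SRC
# "ok ..."       replies from SRC leave through a gateway on SRC's own subnet.
# "mismatch ..." they leave through a gateway on another subnet; the lines
#                after it are the source-based routing commands that pin SRC
#                to its own gateway (table number 100 is an assumption).
reply_path() {
  printf '%s\n' "$ROUTES" | awk -v src="$1" '
    function val(key,   i) {            # word that follows keyword `key`
      for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
      return ""
    }
    function num(ip,   a) {             # dotted quad -> integer
      split(ip, a, ".")
      return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    function inside(ip, cidr,   p, size) {
      split(cidr, p, "/"); size = 2 ^ (32 - p[2])
      return int(num(ip) / size) == int(num(p[1]) / size)
    }
    $1 == "default" {
      n++; gw[n] = val("via"); dev[n] = val("dev"); met[n] = val("metric") + 0
      next
    }
    val("src") == src { net = $1 }      # connected subnet that owns SRC
    END {
      if (net == "" || n == 0) { print "unknown " src; exit 2 }
      win = 1                           # lowest metric wins; no metric means 0
      for (i = 2; i <= n; i++) if (met[i] < met[win]) win = i
      if (inside(gw[win], net)) { print "ok " src " via " gw[win] " dev " dev[win]; exit 0 }
      print "mismatch " src " via " gw[win] " dev " dev[win]
      for (i = 1; i <= n; i++) if (inside(gw[i], net)) {
        print "ip rule add from " src " table 100"
        print "ip route add default via " gw[i] " dev " dev[i] " table 100"
      }
      exit 1
    }'
}

reply_path 202.130.34.115 || true       # the address that timed out remotely
```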

----------

## stardotstar

Thank you sysa for your guidance.  It is very very much appreciated.

Due to the time variance we did not manage to stay in sync on this in a very economical way and I have managed to progress to a much more advanced but just as borked state as I could ever have hoped!  :Laughing: 

This has led to an extended outage that appears to be a DNS issue now.

In case you are able to further assist (and I appreciate the time you have taken so far to "learn" me  :Smile:  ) 

The topology is this;

Original/Legacy/Old state:

iLO 119.63.202.190 snm 255.255.255.0 gw 119.63.202.1 bc 119.63.202.255

eth0 119.63.202.186 snm 255.255.255.0 gw 119.63.202.1 bc 119.63.202.255

eth1 119.63.202.187 snm 255.255.255.0 gw 119.63.202.1 bc 119.63.202.255

I am learning why to only use one nic - this is obscure to me - my original setup was on the basis that I have only one physical server with two NICs and I therefore ran

ns1.sourcepoint.com.au 119.63.202.186

ns2.sourcepoint.com.au 119.63.202.187

the only use for the second NIC in my thinking was to have a separate physical IP for the secondary or slave name server (I know they are supposed to be on different boxes, let alone separate networks etc... I have a second server waiting to be installed and put in another remote colocation and once I do that I will have a more ideal situation - for now this is what I have...)

Now the goal state is to have all the virtual hosts on the server running as before (above) but like this:

iLO (not necessary to publish - its working on the new node of the new subnet)

eth0 202.130.34.115 snm 255.255.255.248 gw 202.130.34.113 bc 202.130.34.119

eth1 202.130.34.116 snm 255.255.255.248 gw 202.130.34.113 bc 202.130.34.119

So, let's focus on eth0...

We wanted to do a phased transition by binding the old and new IPs to the eth0 but I couldn't get the default routes to work so I figured I'll put up with the DNS outage while propagation takes place overnight and just switch over to the new IPs physically.

I did this by being able to use iLO as a fallback to get ssh access when I stuffed up; and configured the two ethernet adapters as above...

Now I can ssh in to the box via iLO, eth0 on 202.130.34.115 or eth1 on 202.130.34.116

I reconfigured named and apache2 to point to the new IPs everywhere I could see that it needed doing and for a while after complete outage of all the sites, the sites all worked ok on the new IPs!  I was able to send mail via roundcube on my https domain, use the database on the primary forums domain on the new IP; I went to bed.

This morning and today none of the sites are working and although name resolution is working locally on the server nothing resolves from outside world.

----------

