Configuration for a LVS-NAT system.
Purpose: load-balanced http services
non-load-balanced other services: https, ftp
firewall services provided by director
                     | VIP=220.127.116.11      (these 3 IP addresses are subject
                     | DEP1=18.104.22.168       to change when we move from testing
                     |eth0 DEP=22.214.171.124   to production)
                +-----------+
                | director/ |   2 NIC, Linux 2.2.19 with ipvs 1.0.7
                | firewall  |   Pentium III 860 Mhz, 768 MB Ram
                +-----------+
        |                |                |
        |                |                |
        |                |                |
        |RIP1=10.0.0.1   |RIP2=10.0.0.2   |RIP3=10.0.0.3   ..... more real servers
   +----------+     +--------+       +---------+            added in future
   | "w1"     |     | "w2"   |       | "w3"    |
   | real ser.|     | real s.|       | real s. |
   | http, ftp|     | http   |       | http    |
   | https,   |     |        |       |         |
   | dbms     |     +--------+       +---------+
The real servers are all dual CPU 1000 Mhz Pentium III with 1 or 2 Gb RAM
and Linux 2.2.19
in director only for http under IP=VIP
We do not need persistent http sessions because all real servers
share data via the joint dbms on 'w1'.
Servers also share static web data via NFS-mounting the docs directory.
Our http services are computation intensive, so our limiting
factor is CPU load and not bandwidth. We hope that we will be far
from saturating our 100 Mhz network connection, as this would become
very expensive, paying per Gb data volume to the provider.
In addition to load balancing, director shall serve as a packet filter
firewall and NAT translator (? terminology).
https: Requests for https IP=VIP should be directly forwarded to 'w1' IP=RIP1.
(we have only about 0.5% https sessions, compared with the many
ftp: Requests for ftp IP=VIP should be directly forwarded to 'w1' IP=RIP1.
(we have only a few public ftp connections).
ssh to IP=DEP should connect to the director
ssh to IP=DEP1 should connect to "w1" IP=RIP1
Other services required:
dns   all real servers need to be able to resolve clients' domain names.
      I propose running a named service on director, which the servers
      use as their name server.
ntp we run an ntp server on director, broadcasting time to the internal
net, and querying time from an internet time server.
smtp  all real servers, and director, need to be able to send mail to
      clients; the cluster does not receive mail.
ping allow ping to director under IP=DEP and IP=VIP,
and to "w1", i.e. ping to IP=DEP2 should be forwarded to "w1"
The cluster will be deployed at a remote location (the ISP's
colocation server room). We will usually not have physical access to
the cluster - except emergency intervention - and will do all further
administration of services and server content via ssh/scp.
I think that using an eth0 alias for VIP will allow me to turn off
the public service in a convenient way, by disabling this alias IP
on director, while maintaining the other two IPs for cluster maintenance.
This should be helpful when the server is flooded with requests
to VIP/http, for example.
This is the first time that I have set up an LVS system, and
the first time that I have set up a Linux firewall/packet filter.
Before that, I had set up packet filters only on Cisco routers; my
main work experience is with HPUX and not Linux.
Is my design prudent, and will it work?
(I chose this so that I do not need a separate firewall box).
I would appreciate detailed help on configuring both the LVS
configuration and the firewall/ipchains configuration.
|| Alois Treindl, Astrodienst AG, mailto:alois@xxxxxxxxx
|| Zollikon/Zurich, Switzerland
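As an added example, not the poster's configuration and not code from the LVS project, here is the ipvsadm and ipchains rule set I would start from for the layout above, written for the Linux 2.2 tools the post names (ipvs 1.0.x ipvsadm, ipchains). The interface names eth0/eth1, the 10.0.0.0/24 mask on the internal side, the wlc scheduler and the APPLY/dry-run switch are my assumptions; the addresses are the post's own test values and are meant to be replaced. By default the script only prints the commands so they can be reviewed before being applied over ssh to a box nobody can walk up to.

```shell
#!/bin/sh
# Added example, not from the original post: ipvsadm + ipchains rule set for
# the LVS-NAT director described above (Linux 2.2 era tools).
# Assumptions (mine): eth0 is the public NIC carrying VIP, DEP and DEP1 as
# aliases, eth1 faces the real servers on 10.0.0.0/24, scheduler wlc.
# Addresses are the post's test values and will change for production.
# With APPLY=1 the commands are executed (root required); by default they are
# printed so the rule set can be reviewed before it is applied remotely.

VIP=220.127.116.11
DEP=22.214.171.124
DEP1=18.104.22.168
RIP1=10.0.0.1
RIP2=10.0.0.2
RIP3=10.0.0.3
INTNET=10.0.0.0/24
PUB_IF=eth0
INT_IF=eth1

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# LVS part. http is balanced over all real servers; https, ftp and ssh-to-w1
# are LVS services with a single real server, which is how the "forward to
# w1" requests are met without ipmasqadm.  -m selects NAT (masquerading) mode.
lvs_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    fi
    run ipvsadm -C
    # weighted least-connection fits a CPU-bound service better than plain rr
    run ipvsadm -A -t "$VIP:80" -s wlc
    for rip in $RIP1 $RIP2 $RIP3; do
        run ipvsadm -a -t "$VIP:80" -r "$rip:80" -m -w 1
    done
    for svc in "$VIP:443" "$VIP:21" "$DEP1:22"; do
        port=${svc##*:}
        run ipvsadm -A -t "$svc" -s wlc
        run ipvsadm -a -t "$svc" -r "$RIP1:$port" -m
    done
}

# Packet filter part. ipchains is stateless: replies are admitted by matching
# non-SYN tcp and the udp source ports of the dns/ntp servers the director asks.
fw_rules() {
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT
    # internal net is trusted: dns/ntp queries to the director, smtp out
    run ipchains -A input -i "$INT_IF" -s "$INTNET" -j ACCEPT
    # public services; the balanced/forwarded ones are the LVS services above,
    # ssh to DEP is the director's own admin access
    for rule in "$VIP 80" "$VIP 443" "$VIP 21" "$DEP1 22" "$DEP 22"; do
        set -- $rule
        run ipchains -A input -i "$PUB_IF" -p tcp -d "$1" "$2" -j ACCEPT
    done
    # ping to the director's own addresses
    run ipchains -A input -i "$PUB_IF" -p icmp --icmp-type echo-request -d "$DEP" -j ACCEPT
    run ipchains -A input -i "$PUB_IF" -p icmp --icmp-type echo-request -d "$VIP" -j ACCEPT
    # replies to connections opened from inside (smtp, dns, ntp to the
    # internet); masqueraded answers come back addressed to the director
    run ipchains -A input -i "$PUB_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$PUB_IF" -p udp --source-port 53 -j ACCEPT
    run ipchains -A input -i "$PUB_IF" -p udp --source-port 123 -j ACCEPT
    # LVS-NAT on 2.2 needs this MASQ rule so real-server replies are rewritten
    # back to VIP; it also masquerades the real servers' own outbound traffic
    # (smtp to clients).  In the forward chain -i names the *outgoing* NIC.
    run ipchains -A forward -i "$PUB_IF" -s "$INTNET" -j MASQ
}

# emit (or, with APPLY=1, apply) everything when run as a script
lvs_rules
fw_rules
```

Two of the requests in the post are deliberately not covered by this script. ICMP echo to DEP1 cannot be handed to w1 this way, because ipvsadm only defines TCP and UDP services, so ping is accepted for the director's own addresses only. FTP through NAT needs the kernel's FTP masquerading helper loaded, otherwise only the control connection on port 21 works. The `! -y` rule is the usual 2.2 compromise for a stateless filter: it admits any non-SYN TCP segment, which is enough for replies but also lets ACK scans through, so do not expect it to hide the director's listening ports.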