Configuration for a LVS-NAT system.
Purpose: load-balanced http services
non-load-balanced other services: https, ftp
firewall services provided by director
                        (clients)
                            |
                        Internet
                            |
                    (provider router)
                            |
                            |
                            |
                            | VIP=192.53.104.4    (these 3 IP addresses are subject
                            | DEP1=192.53.104.3    to change when we move from testing
                            |eth0 DEP=192.53.104.2  to production)
                     +------------+
                     |            |
                     | director/  |   2 NIC, Linux 2.2.19 with ipvs 1.0.7
                     | firewall   |   Pentium III 860 Mhz, 768 MB Ram
                     |            |
                     +------------+
                            |eth1 DIP=10.0.0.254
                            |
                            |
       ----------------------------------------- (switch)
            |                 |                 |
            |                 |                 |
            |                 |                 |
            |RIP1=10.0.0.1    |RIP2=10.0.0.2    |RIP3=10.0.0.3   ..... more real servers
       +----------+       +--------+        +---------+          added in future
       | "w1"     |       | "w2"   |        | "w3"    |
       | real ser.|       | real s.|        | real s. |
       | http, ftp|       | http   |        | http    |
       | https,   |       |        |        |         |
       | dbms     |       +--------+        +---------+
       +----------+
The real servers are all dual CPU 1000 Mhz Pentium III with 1 or 2 Gb RAM
and Linux 2.2.19
Load balancing
--------------
in director only for http under IP=VIP
We do not need persistent http sessions because all real servers
share data via the joint dbms on 'w1'.
Servers also share static web data via NFS-mounting the docs directory.
Our http services are computation intensive, so our limiting
factor is CPU load and not bandwidth. We hope that we will be far
from saturating our 100 Mhz network connection, as this would become
very expensive, paying per Gb data volume to the provider.
Non-Load-balanced services:
---------------------------
In addition to load balancing, director shall serve as a packet filter
firewall and NAT translator (? terminology).
https: Requests for https IP=VIP should be directly forwarded to 'w1' IP=RIP1.
(we have only about 0.5% https sessions, compared with the many
http sessions)
ftp: Requests for ftp IP=VIP should be directly forwarded to 'w1' IP=RIP1.
(we have only a few public ftp connections).
ssh to IP=DEP should connect to the director
ssh to IP=DEP1 should connect to "w1" IP=RIP1
Other services required:
dns all real servers need to be able to resolve clients domain names
I propose running a named service on director, which the servers
use as their name servers
ntp we run an ntp server on director, broadcasting time to the internal
net, and querying time from an internet time server.
smtp all real servers, and director need to be able to sendmail to
clients; the cluster does not receive mail.
ping allow ping to director under IP=DEP and IP=VIP,
and to "w1", i.e. ping to IP=DEP2 should be forwarded to "w1"
Remote operation
----------------
The cluster will be deployed at a remote location (the ISP's
colocation server room). We will usually not have physical access to
the cluster - except for emergency intervention - and will do all further
administration of services and server content via ssh/scp.
I think that using an eth0 alias for VIP will allow me to turn off
the public service in a convenient way, by disabling this alias IP
on director, while maintaining the other two IPs for cluster maintenance.
This should be helpful when the server is flooded with requests
to VIP/http, for example.
Help needed
-----------
This is the first time that I have set up an LVS system, and
the first time that I have set up a Linux firewall/packet filter.
Before that, I had set up packet filters only on Cisco routers; my
main work experience is with HPUX and not Linux.
Is my design prudent, and will it work?
(I chose this so that I do not need a separate firewall box).
I would appreciate detailed help on configuring both
the LVS configuration and the firewall/ipchains configuration.
Alois
|| Alois Treindl, Astrodienst AG, mailto:alois@xxxxxxxxx
|| Zollikon/Zurich, Switzerland
|
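As an added worked example (not from the original post, and not a configuration Alois or the LVS project supplied), below is an ipvsadm + ipchains rule set that implements the design above on a Linux 2.2 director: http on VIP balanced over RIP1-RIP3 in NAT (-m) mode, https/ftp/ssh-to-DEP1 statically forwarded to w1, a default-deny packet filter on eth0, and masquerading of the real servers' own outbound traffic. Assumptions of mine, not stated in the post: the wlc scheduler, ipmasqadm portfw as the tool for the non-balanced forwards (portfw handles TCP/UDP only, so the "ping to DEP1 forwarded to w1" requirement is not covered here), the ip_masq_ftp module for ftp data channels, and that the real servers use DIP=10.0.0.254 as their default gateway (required for LVS-NAT replies to pass back through the director). By default the script only prints the rule set for review; set DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Added example: LVS-NAT director rule set for the design in the post.
# Assumed tools: ipvsadm (ipvs on 2.2.x), ipchains, ipmasqadm (portfw).

VIP=192.53.104.4      # load-balanced http service address
DEP1=192.53.104.3     # ssh to this address is forwarded to w1
DEP=192.53.104.2      # director's own management address
DIP=10.0.0.254        # director inside address; real servers' default gateway
INTERNAL=10.0.0.0/24
W1=10.0.0.1
REALS="10.0.0.1 10.0.0.2 10.0.0.3"

# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# rule set can be reviewed or tested on a box without ipvsadm/ipchains.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

configure_lvs_nat() {
    # The director must route between eth0 and eth1 for NAT to work at all.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # --- Load balancing: http on VIP spread over all real servers, NAT mode (-m) ---
    run ipvsadm -C
    run ipvsadm -A -t $VIP:80 -s wlc
    for rip in $REALS; do
        run ipvsadm -a -t $VIP:80 -r $rip:80 -m -w 1
    done

    # --- Non-balanced services: static port forwards to w1 only (assumed: ipmasqadm) ---
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L $VIP 443 -R $W1 443   # https -> w1
    run ipmasqadm portfw -a -P tcp -L $VIP 21 -R $W1 21     # ftp control channel -> w1
    run ipmasqadm portfw -a -P tcp -L $DEP1 22 -R $W1 22    # ssh to DEP1 -> w1
    run modprobe ip_masq_ftp                                 # ftp data channels through NAT

    # --- Packet filter: deny by default on the public side, open only what is listed ---
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # loopback and the internal network are trusted
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i eth1 -s $INTERNAL -j ACCEPT

    # public services: new connections (SYN only, -y) to the listed ports
    run ipchains -A input -i eth0 -p tcp -y -d $VIP 80 -j ACCEPT
    run ipchains -A input -i eth0 -p tcp -y -d $VIP 443 -j ACCEPT
    run ipchains -A input -i eth0 -p tcp -y -d $VIP 21 -j ACCEPT
    run ipchains -A input -i eth0 -p tcp -y -d $DEP 22 -j ACCEPT
    run ipchains -A input -i eth0 -p tcp -y -d $DEP1 22 -j ACCEPT
    # ping to the director's public addresses
    run ipchains -A input -i eth0 -p icmp -d $DEP -j ACCEPT
    run ipchains -A input -i eth0 -p icmp -d $VIP -j ACCEPT
    # ipchains is stateless: replies to connections the cluster itself opened
    # (dns, ntp, smtp from director or masqueraded real servers) must be let back in.
    run ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
    run ipchains -A input -i eth0 -p udp -s 0/0 53 -j ACCEPT
    run ipchains -A input -i eth0 -p udp -s 0/0 123 -j ACCEPT
    # everything else arriving on eth0 is logged (-l) and dropped
    run ipchains -A input -i eth0 -l -j DENY

    # forwarding: packets heading to the real servers (LVS/portfw rewritten) may pass,
    # and the real servers' own outbound traffic is masqueraded behind the director.
    run ipchains -A forward -i eth1 -d $INTERNAL -j ACCEPT
    run ipchains -A forward -i eth0 -s $INTERNAL -j MASQ
}

configure_lvs_nat
```

The three ipvsadm `-a ... -m` lines are what make this LVS-NAT rather than direct routing: the director rewrites the destination to a RIP on the way in and, because the real servers route their replies via DIP, rewrites the source back to VIP on the way out. The `! -y` rule is the usual ipchains compromise for a stateless filter; it admits any non-SYN TCP segment, so it should be read as "no new inbound connections except the listed ports", not as connection tracking.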