Re: testing iptables filter rules

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: testing iptables filter rules
Cc: Joseph Mack <mack@xxxxxxxxxxx>
From: Roberto Nibali <ratz@xxxxxx>
Date: Tue, 22 May 2001 13:57:05 +0200
Hi Joe,

> > :) Yeah, but it's more a thermo shock. I had 90+ degrees in Florida
> > and 70 in Switzerland. And I found out that Alligators don't like me.
> 
> what, are you too boney? not enough meat on you?

<OT, for interesting stuff, read after this section>

Oh no, I'd have appreciated it if they had eaten away some pounds, but my friend and
I made this bet at a river close to Everglades City. I bet that I'd jump
into the river where there were about a dozen alligators for 100$. He
accepted but declined to take any responsibility. So I jumped into the
river and as usual, the alligators fear big things coming from heaven into
their playground and they swam away. I stayed there for 15 seconds and was
about to get out when that bloody county ranger (you US people are really
too cautious about certain things) showed up and fined me 200 bucks.
I really don't know what this idiot had to do with our bet since obviously
he wasn't aware of the fact that alligators fear people, at least 99% of
them do, and since there were only some dozen in the river I was sure about
being able to get the money with both hands after the experiment. So I
lost 100$. The tourists didn't want to pay for the show and I had to get
my missing 100 bucks from another place. We then entered the Everglades
and were able to find a Florida panther (didn't know that there were panthers
in Florida) and I decided that this would be a good bet to get back my
100$. So we made another bet that I would stay together with this panther.
Unfortunately the panther wasn't afraid of me but instead kept me running
like hell. I still don't have my 100 bucks back but I will get them, some
day ...

</OT>
 
> > there are not many setups with complex firewall settings, and I mean really
> > complex, like merging different advanced routing aspects with QoS and own
> > targets over different networks with all kinds of non-TCP/UDP traffic and
> > maybe an IPv6 connection
> 
> no wonder, there's no iptables -C.

Oh, you're right, I haven't tested it yet, I just did an iptables --help and:

.
.
.
  --zero    -Z [chain]          Zero counters in chain or all chains
  --check   -C chain            Test this packet on chain
  --new     -N chain            Create a new user-defined chain

:) They mention it on the --help output but don't have it. Funny people!

zar:~ # iptables -C
iptables v1.2: Unknown arg `-C'
Try `iptables -h' or 'iptables --help' for more information.
zar:~ # iptables -C INPUT -s 10.10.1.1/32 -d 172.23.1.1/32 -p tcp -i eth0
iptables: Will be implemented real soon.  I promise.
zar:~ # 

Aha! Real soon. Maybe I have an old version of iptables, I'll check it
later. Once again you see here how funny Australians sometimes are. The
best proof is reading Rusty's comments in the netfilter code in the kernel.

> > they simply forgot it and it seems that not a lot of people knew about this
> > nice help before.
> 
> you can't "forget" these things. First time a rule doesn't work you'll
> remember quickly.

Hmm, I'd rather use the --log approach and check the DENYs, because to use the
-C option you also need the final rule set.
 
> it's fixed now (whew)

:) I'll send you some more fixes as soon as I get to work off my 10 lost days.
 
> > You must not zero a counter in the kernel!
> 
> OK, won't wait for a -Z then.

Mhh, I don't know, what do others like e.g. Horms, Wensong and Julian think?
It's affecting 4 lines in the kernel and 14 lines in ipvsadm :)
 
> > feature. It would be ipvsadm -Z as an analogy to ip{chains|tables}. BTW,
> > we are proud of having 64bit counters in the kernel :)
> 
> I'll make a big point of it in the HOWTO :-)

We should maybe write something about cycling counters. This of course is
not handled. I mean when exceeding the 64 bits we start over at 1 IIRC, and
then we should set a flag to 1 to know that we already had 2**64 packets.
Here too, I first have to check the facts, but I remember
having had a discussion with Julian and Wensong weeks ago.
 
> > Storing ... there are different approaches to this (complexity order):
> >
> > 1. Use a script that extracts the info and writes it flat to a file
> > 2. Use mrtg or rrdtool since I reckon you wanted to use the stats to
> >    generate some graphics anyway. These tools handle the problem for
> >    you.
> 
> something like this. I thought mrtg used SNMP only. When I wanted to use
> it, none of my stuff was SNMP'ed so I didn't use it.

Yep, your assumption is correct, but you can have a slightly modified snmpd.conf
and execute a script that parses /proc/net/ip_masq/vs_stats and writes it
into a file. The advantage of this over the first one is that you can write
the current number into one file and mrtg will know how to draw the graph.

I'll give you an example:

We have a customer named plx. Now he has only one service and 2 realservers.
We extended the snmpd.conf with the following lines:

exec lbsessions /bin/sh /opt/tac/snmp/lbsessions
exec lbsessions.plx.total /bin/sh /opt/tac/snmp/lbsessions.plx.total
exec lbsessions.plx.web-web1 /bin/sh /opt/tac/snmp/lbsessions.plx.web-web1
exec lbsessions.plx.web-web2 /bin/sh /opt/tac/snmp/lbsessions.plx.web-web2

The scripts are awk scripts that get the information according to
the service or the realserver. You can then do a table walk of the OID
1.3.6.1.4.1.2021.8 to see what your values are:

snmpwalk $IP $COMMUNITY .1.3.6.1.4.1.2021.8

Example output if everything is ok:

enterprises.ucdavis.extTable.extEntry.extNames.1 = lbsessions
enterprises.ucdavis.extTable.extEntry.extNames.2 = lbsessions.plx.total
enterprises.ucdavis.extTable.extEntry.extNames.3 = lbsessions.plx.web-web1
enterprises.ucdavis.extTable.extEntry.extNames.4 = lbsessions.plx.web-web2
enterprises.ucdavis.extTable.extEntry.extCommand.1 = /bin/sh /opt/tac/snmp/lbsessions
enterprises.ucdavis.extTable.extEntry.extCommand.2 = /bin/sh /opt/tac/snmp/lbsessions.plx.total
enterprises.ucdavis.extTable.extEntry.extCommand.3 = /bin/sh /opt/tac/snmp/lbsessions.plx.web-web1
enterprises.ucdavis.extTable.extEntry.extCommand.4 = /bin/sh /opt/tac/snmp/lbsessions.plx.web-web2
enterprises.ucdavis.extTable.extEntry.extResult.1 = 0
enterprises.ucdavis.extTable.extEntry.extResult.2 = 0
enterprises.ucdavis.extTable.extEntry.extResult.3 = 0
enterprises.ucdavis.extTable.extEntry.extResult.4 = 0
enterprises.ucdavis.extTable.extEntry.extOutput.1 = 292
enterprises.ucdavis.extTable.extEntry.extOutput.2 = -1
enterprises.ucdavis.extTable.extEntry.extOutput.3 = -1
enterprises.ucdavis.extTable.extEntry.extOutput.4 = -1

Here you see that the total number of sessions of the load balancer
serving about 8 customers is currently 292 and that customer plx has
no connections so far.

Do you get the idea and do you see now why I would like to have a MIB?

> > 3. Write a MIB for LVS stats, which is what I would love to see but am
> >    currently unable to write.
> 
> Anyone want to write a MIB for LVS?

Please, anyone with experience writing MIBs should contact me. I have no
time and little to no experience with writing MIBs.

Best regards,
ratz

-- 
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
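An added example of the kind of script the snmpd.conf `exec` lines above can call. It is not one of the /opt/tac/snmp scripts from the mail (those are not shown there); it is written here to illustrate the technique. The script takes the virtual service and optionally one real server as arguments and prints the active-connection count, so one script can back all four entries through lines such as `exec lbsessions.plx.total /bin/sh /path/to/lbsessions 10.10.1.1:80` (path and addresses are assumptions). Because the exact layout of /proc/net/ip_masq/vs_stats is not shown on the page, the embedded table is constructed in the layout of `ipvsadm -L -n`; the convention of printing -1 for an entry that is absent from the table is likewise an assumption, chosen to match the shape of the extOutput values above.

```shell
#!/bin/sh
# Added example, not the scripts from the original mail.
# lbsessions [VIP:PORT [RIP:PORT]]
#   no args        -> ActiveConn summed over every virtual service
#   VIP:PORT       -> ActiveConn summed over that service's real servers
#   VIP:PORT RIP   -> ActiveConn of that one real server
# Prints -1 when the requested service or real server is not in the table
# (assumed convention, see the lead-in).

# Constructed sample in the layout of `ipvsadm -L -n` (assumption: the real
# script would read /proc/net/ip_masq/vs_stats on the director instead).
SAMPLE_TABLE='IP Virtual Server version 0.9.2 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.10.1.1:80 wlc
  -> 172.23.1.1:80                Route   1      120        300
  -> 172.23.1.2:80                Route   1      172        280
TCP  10.10.1.2:443 wrr
  -> 172.23.1.5:443               Masq    2      0          0
'

lbsessions() {
    printf '%s' "$SAMPLE_TABLE" | awk -v vip="$1" -v rip="$2" '
        # A line whose first field is a protocol opens a new service block.
        # With vip empty every block is selected (total over the director).
        $1 == "TCP" || $1 == "UDP" {
            insvc = (vip == "" || $2 == vip)
            if (insvc) found_vip = 1
            next
        }
        # "->" lines are the real servers of the current block; the column
        # header also starts with "->" but insvc is still 0 there.
        $1 == "->" && insvc {
            if (rip == "") {
                sum += $5                     # ActiveConn column
            } else if ($2 == rip) {
                sum += $5
                found_rip = 1
            }
        }
        END {
            if (!found_vip || (rip != "" && !found_rip)) {
                printf "-1\n"                 # assumed "not present" marker
            } else {
                printf "%d\n", sum            # uninitialised sum prints 0
            }
        }'
}

lbsessions "$@"
```

snmpd executes an `exec` entry with its own privileges every time the OID is read, and anyone who holds the read community can trigger it, so keep the community read-only, keep the scripts root-owned and not writable by others, and use absolute paths in both snmpd.conf and the scripts.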

