
Re: Problem solved .. but unable to use VIP for all ports using FW mark

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Problem solved .. but unable to use VIP for all ports using FW mark
From: Ranga Nathan <kairanga@xxxxxxx>
Date: Sun, 20 Nov 2005 00:52:56 -0800
When I set the firewall marks based on the destination like below, everything worked.

ild2:~ # iptables -t mangle -A PREROUTING -d 172.21.113.89/32 -j MARK --set-mark 100

I was going by the examples in http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.fwmark.html which set the mark on the source!

Wasted more than 2 hours trying all the options!
:-(

The

Ranga Nathan wrote:

I traced it down to my ldirectord configuration. I assumed that the VIP is available for all ports. But the configuration opens only port 80 and I was testing with an ssh connection. I changed the port to 22, and it worked fine. Now I really want to cluster for all ports for a given VIP. According to the instructions I should use a firewall mark for this. So I now have:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
all -- 172.21.113.89 anywhere MARK match 0x64

and in ipvsadm.rules:
-A  -f 100 -s rr -p
-a -f 100  -r 172.21.113.87  -g -w 1
-a -f 100  -r 172.21.113.88  -g -w 1

and the ldirectord configuration is:
checktimeout=20
checkinterval=5
autoreload=yes
quiescent=no
logfile="info"
virtual=100
   real=127.0.0.1:0 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.87:0 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.88:0 gate 1 ".healthcheck.html" "OKAY"
   service=http
   checkport=80
   protocol=fwm
   scheduler=wrr
   checktype=negotiate
   fallback=127.0.0.1

But all access to 172.21.113.89 goes to the load director!

Ranga Nathan wrote:

When a real server goes down (I forced a reboot), ldirectord does not remove the entry from the ipvsadm table. As a result a reconnection to the common IP from the same client fails. It tries to go to the same client. I am using roundrobin. I expect ldirectord to remove an entry as soon as it loses the http link. From then on any new connection should use the remaining real servers.

This is a shot of my ipvsadm watch ...
Every 2s: ipvsadm -L -n Fri Nov 18 23:05:32 2005

IP Virtual Server version 1.2.0 (size=4096)
Prot LocalAddress:Port Scheduler Flags
 -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.21.113.89:80 wrr
 -> 172.21.113.88:80             Route   1      0          0
 -> 172.21.113.87:80             Route   1      0          0
TCP  172.21.113.89:0 rr persistent 360
 -> 172.21.113.88:0              Route   1      0          0
 -> 172.21.113.87:0              Route   1      1          0


Here is the config for ldirectord (I created it based on an example)

checktimeout=20
checkinterval=5
autoreload=yes
quiescent=no
logfile="info"
virtual=172.21.113.89:80
   real=127.0.0.1:80 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.87:80 gate 1 ".healthcheck.html" "OKAY"
   real=172.21.113.88:80 gate 1 ".healthcheck.html" "OKAY"
   service=http
   checkport=80
   protocol=tcp
   scheduler=wrr
   checktype=negotiate
   fallback=127.0.0.1

Here is the network config for the load director:
eth0      Link encap:Ethernet  HWaddr 00:08:74:32:4B:73
         inet addr:172.21.112.1 Bcast:172.21.115.255 Mask:255.255.252.0
         inet6 addr: fe80::208:74ff:fe32:4b73/64 Scope:Link
         UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3542 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2250 errors:0 dropped:0 overruns:0 carrier:0
         collisions:2 txqueuelen:1000
         RX bytes:449504 (438.9 Kb)  TX bytes:261717 (255.5 Kb)

eth0:0    Link encap:Ethernet  HWaddr 00:08:74:32:4B:73
         inet addr:172.21.113.89 Bcast:172.21.115.255 Mask:255.255.252.0
         UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://www.in-addr.de/mailman/listinfo/lvs-users
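
Added example, not part of the original messages or of the LVS project: a small Python check that reads saved rule text and reports fwmark virtual services whose mark is never set on traffic destined for the VIP, which is the mismatch this thread ran into. The function names are hypothetical, the rule strings are constructed samples, and the source-keyed rule is an assumed iptables-save form of the listing quoted above.

```python
import shlex

def parse_mark(value):
    """Parse '100', '0x64' or '0x64/0xffffffff' into an integer mark."""
    return int(value.split("/")[0], 0)

def mangle_prerouting(iptables_save):
    """Yield {option: value} for each '-A PREROUTING' line (iptables-save style)."""
    for line in iptables_save.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", "PREROUTING"]:
            yield {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}

def fwmark_services(ipvsadm_rules):
    """Return the marks used by '-A -f <mark>' virtual services."""
    marks = set()
    for line in ipvsadm_rules.splitlines():
        tok = shlex.split(line)
        if "-A" in tok and "-f" in tok:
            marks.add(parse_mark(tok[tok.index("-f") + 1]))
    return marks

def audit(vip, iptables_save, ipvsadm_rules):
    """Return findings for fwmark services whose mark is not set on traffic to vip."""
    rules = list(mangle_prerouting(iptables_save))
    findings = []
    for mark in sorted(fwmark_services(ipvsadm_rules)):
        setters = [r for r in rules if r.get("-j") == "MARK" and
                   parse_mark(r.get("--set-mark") or r.get("--set-xmark") or "-1") == mark]
        if any(r.get("-d", "").split("/")[0] == vip for r in setters):
            continue
        findings.append(f"mark {mark}: no PREROUTING rule sets it for destination {vip}")
        for r in rules:
            if r.get("-s", "").split("/")[0] == vip:
                findings.append(f"mark {mark}: rule keyed on source {vip}")
            if "--mark" in r and parse_mark(r["--mark"]) == mark and r.get("-j") != "MARK":
                findings.append(f"mark {mark}: rule matches the mark but never sets it")
    return findings

# Constructed sample input (rule text only, nothing is applied to the system).
VIP = "172.21.113.89"
IPVS = "-A -f 100 -s rr -p\n-a -f 100 -r 172.21.113.87 -g -w 1\n-a -f 100 -r 172.21.113.88 -g -w 1"
BY_DEST = "-A PREROUTING -d 172.21.113.89/32 -j MARK --set-mark 100"
BY_SOURCE = "-A PREROUTING -s 172.21.113.89/32 -m mark --mark 0x64"  # assumed form of the quoted listing

if __name__ == "__main__":
    print(audit(VIP, BY_DEST, IPVS))
    for finding in audit(VIP, BY_SOURCE, IPVS):
        print(finding)
```

The check also accepts the `--set-xmark value/mask` spelling that newer iptables-save output uses for the same MARK target.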
