On Fri, 2008-01-18 at 12:39 -0800, Joseph Mack NA3T wrote:
> On Fri, 18 Jan 2008, chris barry wrote:
> >> I assume you've read my attempts at xdmcp in the HOWTO. It
> >> looks like you got further than me. If so, can you send me
> >> (off-line) what you did, so I can update the HOWTO.
> > Yes.
> Thanks, got it. I was hoping for a verbal description of how
> to get it going :-)
I'll try to write something up soon.
> Can you run your setup without iptables rules. You shouldn't
> need them to set up any standard LVS, and they'll only
> confuse the picture till you get it running.
Well, originally I didn't. I needed the POSTROUTING rules to get stuff
> >> are you then connecting directly to the realserver by
> >> chance.
> > That's what I'm not sure of. It seems so, however the clients cannot
> > route to the real servers on their own,
> don't trust ping on this. You'll need tcpdump
These nodes are on a private LAN that has no routes to it except through
the director. That and the default gateway on all of the nodes is the
inside VIP of the director.
> > so the packets must be somehow going around the lvs stuff.
> > I think it's a FWM issue too. I'll need to do some more
> > captures to understand what port ranges are being used.
> > From what you say in the howto, basically you hook up on
> > 177, but after that it's not used anymore. the RS and
> > client must negotiate another port to use.
> If X steps in next, there'll be a whole heap of ports at
> 6000 (I think). Look at the writeup for ftp, identd and rsh
> for the problems that LVS gets into when the realserver
> negotiates ports with the client that the director doesn't
> know about.
This is it in a nutshell. I need to sniff, get a handle on the port
ranges used, and bundle them up in a FWM.
> Can you tunnel the X through ssh?
Yes. This works fine. X works fine for that matter, it just falls out of
the connection list and I can't (easily) tell who's connected.
> >> I think you're going to have to be the one to figure it
> >> out. If X is involved as well, there's many ports
> >> involved - you may have to group them with fwmarks.
> > yep. I think you're right. I'll send my ipvsadm and
> > iptables files your way for perusal.
> Can you try a more minimal setup. You have enough lines in
> your ipvsadm output to be an X-server farm
Heh, that's EXACTLY what it is! ;) It's a vnc/xdmcp/nfs/ssh/telnet
farm. Basically the only thing it doesn't do is http... ;) It's called SDS
or Software Development System. a 6 node virtualized gfs development
I wrote a monitoring framework for these protocols that handles
add/remove from the lvs table with email alerting. Trying to do anything
out of the ordinary with nanny segfaults it.
Thanks for your help Joe. I will do a howto on this once it gets
deployed. And I'll let you know when I solve this port range puzzle.
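The "sniff and get a handle on the port ranges" step above, as an added example that is not part of the thread or of the LVS HOWTO: a small shell function that reads tcpdump -n output and reports, per protocol, which host opened each flow and to which port. The addresses (client 198.51.100.7, realserver 10.0.0.11), the capture (constructed here, imagined as taken on the realserver's interface) and the exact tcpdump line layout are assumptions, not data from the thread. What it makes visible is the thing Joe's ftp/identd/rsh comparison points at: the XDMCP exchange on udp/177 is opened by the client and so can be scheduled by the director, but the X display connections to 6000+display are opened by the realserver toward the client, so they are not new inbound connections the director sees.

```shell
#!/bin/sh
# Added example: summarise who opens which flow in a tcpdump -n capture.
# Not from the thread or the HOWTO. Assumed (hypothetical) addresses:
#   client X server  198.51.100.7
#   realserver       10.0.0.11   (capture taken on the realserver)
# Line layout assumed: "<time> IP <src.port> > <dst.port>: UDP, ..."
#                  or: "<time> IP <src.port> > <dst.port>: Flags [S], ..."

# Constructed sample capture (not a real one): one XDMCP query/accept/manage
# exchange on udp/177, then two X client connections opened by the
# realserver back to the client's X display on tcp/6000.
SAMPLE_CAPTURE='12:39:01.000001 IP 198.51.100.7.38111 > 10.0.0.11.177: UDP, length 7
12:39:01.000210 IP 10.0.0.11.177 > 198.51.100.7.38111: UDP, length 27
12:39:01.000400 IP 198.51.100.7.38111 > 10.0.0.11.177: UDP, length 66
12:39:01.000700 IP 10.0.0.11.177 > 198.51.100.7.38111: UDP, length 46
12:39:01.000900 IP 198.51.100.7.38111 > 10.0.0.11.177: UDP, length 36
12:39:02.100000 IP 10.0.0.11.45230 > 198.51.100.7.6000: Flags [S], seq 100, win 5840, length 0
12:39:02.100500 IP 198.51.100.7.6000 > 10.0.0.11.45230: Flags [S.], seq 200, ack 101, win 5840, length 0
12:39:02.101000 IP 10.0.0.11.45230 > 198.51.100.7.6000: Flags [.], ack 1, win 5840, length 0
12:39:02.500000 IP 10.0.0.11.45231 > 198.51.100.7.6000: Flags [S], seq 300, win 5840, length 0'

# Read tcpdump -n lines on stdin, print "count proto initiator -> responder:port".
# UDP: the first packet seen for a 4-tuple (in either direction) is the initiator.
# TCP: a bare SYN (Flags [S]) marks the side that opened the connection.
summarise_flows() {
    awk '
    # "a.b.c.d.port" -> ip part / port part (port is the last dotted field)
    function ip(s,   p, n) { n = split(s, p, "."); return p[1] "." p[2] "." p[3] "." p[4] }
    function port(s, p, n) { n = split(s, p, "."); return p[n] }
    $2 == "IP" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        fwd = src " " dst; rev = dst " " src
        if ($6 == "UDP,") {
            if (!(fwd in seen) && !(rev in seen)) {
                seen[fwd] = 1
                count["udp " ip(src) " -> " ip(dst) ":" port(dst)]++
            }
        } else if ($6 == "Flags" && $7 == "[S],") {
            count["tcp " ip(src) " -> " ip(dst) ":" port(dst)]++
        }
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Stand-alone run over the constructed capture. For a live capture on a
# realserver:  tcpdump -n -l -i eth0 "udp port 177 or tcp" | summarise_flows
printf '%s\n' "$SAMPLE_CAPTURE" | summarise_flows
```

On the sample this prints one udp flow from the client to the realserver's port 177 and two tcp flows from the realserver to the client's port 6000; the latter are the ones to track down when deciding what, if anything, a fwmark on the director can group.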