
Re: [lvs-users] xdmcp question

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] xdmcp question
From: chris barry <Christopher.Barry@xxxxxxxxxx>
Date: Fri, 18 Jan 2008 17:11:11 -0500
On Fri, 2008-01-18 at 12:39 -0800, Joseph Mack NA3T wrote:
> On Fri, 18 Jan 2008, chris barry wrote:
> 
> >> I assume you've read my attempts at xdmcp in the HOWTO. It
> >> looks like you got further than me. If so, can you send me
> >> (off-line) what you did, so I can update the HOWTO.
> >
> > Yes.
> 
> thanks got it. I was hoping for a verbal description of how 
> to get it going :-)

I'll try to write something up soon.

> 
> Can you run your setup without iptables rules. You shouldn't 
> need them to set up any standard LVS, and they'll only 
> confuse the picture till you get it running.

Well, originally I didn't. I needed the POSTROUTING rules to get stuff
to work.

> 
> >> are you then connecting directly to the realserver by
> >> chance.
> >
> > That's what I'm not sure of. It seems so, however the clients cannot
> > route to the real servers on their own,
> 
> don't trust ping on this. You'll need tcpdump

These nodes are on a private LAN that has no routes to it except through
the director. That and the default gateway on all of the nodes is the
inside VIP of the director.

> 
> > so the packets must be somehow going around the lvs stuff. 
> > I think it's a FWM issue too. I'll need to do some more 
> > captures to understand what port ranges are being used. 
> > From what you say in the howto, basically you hook up on 
> > 177, but after that it's not used anymore. the RS and 
> > client must negotiate another port to use.
> 
> If X steps in next, there'll be a whole heap of ports at 
> 6000 (I think). Look at the writeup for ftp, identd and rsh 
> for the problems that LVS gets into when the realserver 
> negotiates ports with the client that the director doesn't 
> know about.

This is it in a nutshell. I need to sniff, get a handle on the port
ranges used, and bundle them up in a FWM.

> 
> Can you tunnel the X through ssh?

Yes. This works fine. X works fine for that matter, it just falls out of
the connection list and I can't (easily) tell who's connected.

> 
> >> I think you're going to have to be the one to figure it 
> >> out. If X is involved as well, there's many ports 
> >> involved - you may have to group them with fwmarks.
> >
> > yep. I think you're right. I'll send my ipvsadm and 
> > iptables files your way for perusal.
> 
> Can you try a more minimal setup. You have enough lines in 
> your ipvsadm output to be an X-server farm

heh. that's EXACTLY what it is! ;) It's a vnc/xdmcp/nfs/ssh/and telnet
farm. Basically the only thing it doesn't do is http... ;) It's called SDS
or Software Development System. a 6 node virtualized gfs development
cluster.

I wrote a monitoring framework for these protocols that handles
add/remove from the lvs table with email alerting. Trying to do anything
out of the ordinary with nanny segfaults it.

Thanks for your help Joe. I will do a howto on this once it gets
deployed. And I'll let you know when I solve this port range puzzle.

> 
> Joe
> 



