|
Hello,
On 2012-08-24 15:54, Graeme Fowler wrote:
> On Fri, 2012-08-24 at 15:33 +0400, Dmitry Akindinov wrote:
>> We are facing a problem with ipvsadm.
> <snip>
>
> This sounds very much like a problem I resolved some years ago with a
> two-node system like yours.
>
> In that case, I put additional rules or logic into the iptables ruleset
> to make sure that packets with a source MAC address of the other node in
> the system didn't get the fwmark applied, thus missed the ipvs rules,
> and got handled by the local application.
>
> For example, in the theoretical 2-node system we have a single VIP, then
> 2 nodes RIP1 + MAC1, RIP2 + MAC2.
>
> iptables rule for port 143:
>
> On Node 1:
>
> -A PREROUTING -d $VIP -p tcp -m tcp --dport 143 \
> -m mac ! --mac-source $MAC2 -j MARK --set-mark 0x6
>
> On node 2:
>
> -A PREROUTING -d $VIP -p tcp -m tcp --dport 143 \
> -m mac ! --mac-source $MAC1 -j MARK --set-mark 0x6
>
> This ensured in my case that the two nodes (which were both live at the
> same time) didn't end up sending traffic round and round in a circle
> between the two nodes.
>
> It *may* help in your case also.
Thank you for the tip. We will definitely try it out, but the thing is
that the "old" balancer has an empty ipvs rule set: it is emptied when
the failover takes place.
It looks like the problem is not in the ipvs rules, but in the ipvs
"connection table" that it gets from the "active" balancer via the
syncing daemon: as soon as we stop the syncing daemon, the problem
disappears.
The connection table looks correct: it does show that this particular
connection is directed to this particular server (the "inactive"
balancer), so it is unclear how a copy of the ipvs connection table from
the active balancer can make the "inactive" balancer drop the packets.
And - it looks like it drops the packets when the connecting client
sends some data first (as with the HTTP protocol). We get teh problem
more often when the server sends its data (a prompt) first.
> Graeme
>
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
--
Best regards,
Dmitry Akindinov
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
|
