Re: News contrib to LVS

To: ratz@xxxxxx
Subject: Re: News contrib to LVS
Cc: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
From: Alexandre Cassen <Alexandre.Cassen@xxxxxxxxxx>
Date: Sat, 23 Dec 2000 20:03:57 +0100
Hi ratz,

As you can see, my code needs to be cleaned :). I have just implemented this from scratch for a quick installation.

o Your signalhandling code looks somewhat fishy in keepalived.c.
What if a signal occurs during the execution of logmessage? Why
don't you use sigaction with that installs the signalhandler back
after exec? This is the code I mean:

if (signal(SIGTERM,sig_handler) == SIG_IGN)
  signal(SIGTERM,SIG_IGN);

signal(SIGINT,sig_handler);
signal(SIGHUP,sig_handler);

void sig_handler(int signum)
{
  keep_going=0;
  ClearLst(lstVS);
  logmessage("Ending keepalived daemon\n",getpid());
  signal(signum,sig_handler);
}

You are right, this is one of the things that I must update. In fact I will probably use the syslog call to log daemon messages.

o What happens if your tcpcheck can't connect? e.g. firewall,
tcpwrapper? IMHO your code will time out for some long time.
How about implementing some kind of timer in tcpcheck.c?
Just think about if this tcpcheck blocks the further checks
until it has timed out? Maybe I've overlooked something in your
code but I can't see how you handle this problem.

In fact, the tcpcheck performs a half-open connection check. Tcpcheck builds a TCP SYN packet and sends it to the remote destination. Then a recvfrom processes incoming packets. If the SYN ACK is not received then the check returns false. I have tested this tcpcheck.c scanning Windows, Solaris, Linux, ... and it seems to work. For me this tcpcheck function is quick and dirty for many reasons, like: I only check the SYN ACK flag for the test; I do not consider the SEQ number, nor the IP/TCP port, to be sure that this packet came from the right server tested. So if you implement a quick program that sends the daemon TCP packets flagged SYN ACK, the tcpcheck will always consider that the server is not corrupt (and it can be).

Tcpcheck is a mission-critical function. I am working on the new version, which will consider all incoming TCP/IP packet fields to return the state of the TCP destination port tested. The main changes must be:

1. Create a timer pool check: I send 3 SYNs until a SYN ACK from the remote destination is received; if not, the check is false.
2. To protect keepalived against abuse attacks, tcpcheck.c must consider the TCP sequence (even the Ethernet MAC) => as you know you can abuse this strategy but I think it must be done at once.

o I suggest you have a look at the http_get attached in this
mail. With it you could even perform simple base64 and ssl
authentication. So SSL healthchecks would be a part of your
daemon too.

Great! :) I have planned to integrate openssl to perform this check, but it will help me if I can start with an existing check.

I hope that too and I hope I haven't insulted you with my
suggestions.

Of course NOT! I am working to learn. So if you have any other suggestions or source code, no problem for me!

regards,

Alexandre
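
The reply validation discussed in this message (source address, ports and acknowledgment number checked instead of the SYN ACK flag alone), as an added example that is not part of the original mail or of keepalived's code. The names `struct probe`, `synack_matches` and `make_reply` are hypothetical, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the checker remembers about the SYN it sent (hypothetical struct). */
struct probe {
    uint32_t dst_ip;   /* address of the real server tested, host byte order */
    uint16_t dst_port; /* TCP port tested */
    uint16_t src_port; /* local port the SYN was sent from */
    uint32_t isn;      /* sequence number placed in the SYN */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Return 1 only if pkt, a raw IPv4 packet as read by recvfrom, answers this probe. */
int synack_matches(const struct probe *pr, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0; /* IPv4 + TCP only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;                    /* truncated headers */
    const uint8_t *tcp = pkt + ihl;
    if (rd32(pkt + 12) != pr->dst_ip) return 0;                  /* wrong sender address */
    if (rd16(tcp) != pr->dst_port || rd16(tcp + 2) != pr->src_port) return 0;
    if ((tcp[13] & 0x3f) != 0x12) return 0;                      /* must be exactly SYN+ACK */
    return rd32(tcp + 8) == (uint32_t)(pr->isn + 1u);            /* must ack our SYN */
}

/* Constructed sample: 40-byte IPv4+TCP reply, no options, checksums left zero. */
size_t make_reply(uint8_t *b, uint32_t sip, uint16_t sport, uint16_t dport,
                  uint32_t ack, uint8_t flags)
{
    memset(b, 0, 40);
    b[0] = 0x45; b[9] = 6; b[32] = 0x50; b[33] = flags;
    wr32(b + 12, sip); wr16(b + 20, sport); wr16(b + 22, dport); wr32(b + 28, ack);
    return 40;
}

int main(void)
{
    struct probe pr = { 0xC0A8010Au, 80, 40000, 0xFFFFFFFFu }; /* 192.168.1.10:80 */
    uint8_t b[40];
    size_t n = make_reply(b, pr.dst_ip, 80, 40000, 0, 0x12);   /* ISN wraps to ack 0 */
    printf("genuine reply:  %d\n", synack_matches(&pr, b, n));
    n = make_reply(b, 0x0A000063u, 80, 40000, 12345, 0x12);    /* forged by another host */
    printf("forged SYN ACK: %d\n", synack_matches(&pr, b, n));
    return 0;
}
```

The retry timer and the Ethernet MAC comparison mentioned in the list above are outside what this block covers.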


