Hi Alexandre,
Alexandre CASSEN wrote:
> >What about SNMP? Do they have now some kind of intelligent snmpd?
>
> SNMP has plenty of security holes. Why not create a simple TCP protocol
> that integrates security? (using SSL to push the info to the director) We can
> use an abstraction similar to ASN.1.
Oh, ok, you like to speak about security? Good, we can have a long and intense
talk about the security of your tools if you like to. The old snmpd (ucd-snmp)
had some big security issues, agreed, but the new one with MD5 and DES encryption
is encrypted. If you still think that the MD5 and DES encryption of the stream
is not enough then you can put a tcp-wrapper entry for the snmpd, and if you still
think this is not secure enough, you ssh-tunnel it and put another tcp-wrapper on
it. So now tell me how your half-open tcpcheck will be secured against Seq-Number
attacks, if it doesn't even check them? ;)
> I can suggest an integration with keepalived. But I think (due to the
> keepalived announce feedback) that we must have the two possibilities:
>
> 1. A simple standalone keepalived working all in the director (all
> checks are performed on the director). This solution can be useful for
> small/medium LVS topologies.
Maybe you even want to have a separate machine to have the checks done. Sometimes
the director is quite busy, and imagine doing all those checks on the same machine.
I've done it in production and I have to say that if you do all the healthchecks
you want to do and interact with LVS, the machine must be extremely powerful. So
I could even imagine having a separate dedicated probe that does the healthchecking
and reporting to the director, which in turn does a setsockopt or uses a netlink
socket to inform the kernel to change the LVS parameters.
> 2. An advanced keepalived daemon working with a listener on the
> director. All the servers push information to this listener. Finally
> the listener sends actions to LVS via setsockopt.
For me this is just another set of healthchecks, but remote healthchecks. You
need them, for example, to monitor CPU and RAM unless you use SNMP.
> Do you agree ?
Basically yes, I think the concrete design is just not yet clear, but let's hear
other opinions on this.
Best regards,
Roberto Nibali, ratz
BTW: do a CC to the lvs-users mailing list.
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`