Julian Anastasov wrote:
>
> Hello,
>
> I just completed (well, in usable form) my healthchecking
> tool.

I'd like (eventually) to be able to check services on the VIP on
VS-DR||VS-Tun real-servers. I assume this will require an agent
running on the real-server.

In production, for security, we don't want the real-servers with
ports exposed unnecessarily. For VS-DR real-servers, there should
be no ports listening on the RIP. On the VIP, only the LVS services
should be listening. (Well you can have a few extra services on the
RIP, eg ssh for connection between the LVS machines,
ntp for time synchronisation).

For the director, the number of ports open should be minimised
on the IPs on the NICs and the VIP should be blocked for all
ports except those LVS'ed.

In the version of my configure script that I am working on now,
for checking, I run multiscan (http://sourceforge.net/multiscan)
to look at ports 1:1024 on all the IPs on machines in the LVS.
I run multiscan on the real-servers from the director by ssh to
look at ports on the real-servers:VIP.

This multiscan info is for information only at the moment. People
will have to change from inetd to tcpserver for a start. Currently
cluster monitoring tools (eg mon, which I'm using),
need services running on the RIP to
infer services being alive on the VIP.

I need such checking in the configure script anyhow. People
on the mailing list set up VS-DR LVS's which don't work
because their http/https setup on the real-server is listening
to the RIP and not the VIP. The configure script needs to
be able to check for services running on the real-server:VIP
during setup.

Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
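
The listener policy described in the message above, as an added example that is not part of the original post or of the configure script: it audits the TCP listeners of one VS-DR real-server, taking `ss -ltnH` output as input. The VIP and RIP addresses, the port sets and the sample lines are constructed assumptions.

```python
# TCP only; ntp (UDP), mentioned in the message, is out of scope here.
VIP = "192.168.1.110"      # assumed virtual IP
RIP = "192.168.1.11"       # assumed real-server IP
LVS_PORTS = {80, 443}      # assumed LVS'ed services
RIP_ALLOWED = {22}         # ssh between the LVS machines
WILDCARD = {"0.0.0.0", "*", "::"}

# Constructed sample of `ss -ltnH` output from one real-server.
SAMPLE = """\
LISTEN 0 128 192.168.1.11:22 0.0.0.0:*
LISTEN 0 511 192.168.1.11:80 0.0.0.0:*
LISTEN 0 511 192.168.1.110:443 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
"""

def parse_listeners(text):
    """Return {(local_address, port)} for every LISTEN line."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            found.add((addr.strip("[]"), int(port)))
    return found

def audit(listeners):
    """Return policy findings; an empty list means the host conforms."""
    findings = []
    for addr, port in sorted(listeners):
        # A wildcard bind is reachable on both the RIP and the VIP.
        reach = {RIP, VIP} if addr in WILDCARD else {addr}
        if RIP in reach and port not in RIP_ALLOWED:
            findings.append(f"port {port} exposed on RIP (bound to {addr})")
        if VIP in reach and port not in LVS_PORTS:
            findings.append(f"non-LVS port {port} exposed on VIP (bound to {addr})")
    for port in sorted(LVS_PORTS):
        # The misconfiguration from the message: service on RIP, not VIP.
        if not any(p == port and a in WILDCARD | {VIP} for a, p in listeners):
            findings.append(f"LVS port {port} not listening on VIP")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE)):
        print(finding)
```
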