Re: [ANNOUNCE] Netparse 0.1 - a network stream parser

To: Joseph Mack <mack.joseph@xxxxxxx>
Subject: Re: [ANNOUNCE] Netparse 0.1 - a network stream parser
Cc: ratz <ratz@xxxxxx>, Wensong Zhang <wensong@xxxxxxxxxxxx>, Horms <horms@xxxxxxxxxxxx>, <Alexandre.Cassen@xxxxxxxxxx>, <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 3 Feb 2001 14:59:26 +0000 (GMT)
        Hello,

On Fri, 2 Feb 2001, Joseph Mack wrote:

> I'd like (eventually) to be able to check services on the VIP on
> VS-DR||VS-Tun real-servers. I assume this will require an agent
> running on the real-server.

        Yep, I don't see other solutions. An agent in the real server
has to run these checks (for L4 they can be bind(), for L7 netparse
or other tools) and to report the status to the director. But the
simpler solution is when these checks can be made to RIP:RPORT
on the director. IMO, the security built on the bind() syscall is
very complex and I prefer my services to listen on 0.0.0.0 if
possible. Then any checks can be performed from the director. But
of course there are some services that use the bind() model.

> In production, for security, we don't want the real-servers with
> ports exposed unnecessarily.

        Yes, but they can listen to private addresses that are not
visible. The users have different setups and they can select from
different ways to run these checks.

> For VS-DR real-servers, there should
> be no ports listening on the RIP. On the VIP, only the LVS services
> should be listening. (Well you can have a few extra services on the
> RIP, eg ssh for connection between the LVS machines,
> ntp for time synchronisation).

        Yes, this is when RIP is visible. We can define HRIP which can
be Hidden RIP in the private network 192.168/16 that can be used only
for internal communications.

> For the director, the number of ports open should be minimised
> on the IPs on the NICs and the VIP should be blocked for all
> ports except those LVS'ed.
>
> In the version of my configure script that I am working on now,
> for checking, I run multiscan (http://sourceforge.net/multiscan)
> to look at ports 1:1024 on all the IPs on machines in the LVS.
> I run multiscan on the real-servers from the director by ssh to
> look at ports on the real-servers:VIP.

        Hm, I will look at this software now.

> This multiscan info
> is for information only at the moment. People will have to
> change from inetd to tcpserver for a start. Currently
> cluster monitoring tools (eg mon, which I'm using),
> need services running on the RIP to
> infer services being alive on the VIP.
>
> I need such checking in the configure script anyhow. People
> on the mailing list set up VS-DR LVS's which don't work
> because their http/https setup on the real-server is listening
> to the RIP and not the VIP. The configure script needs to
> be able to check for services running on the real-server:VIP
> during setup.

        Yes, maybe games with raw sockets can work but this is a
routing problem too. I don't see a way to run such checks in the
director. You already know that I prefer the solution with agents
reporting information.

> Joe


Regards

--
Julian Anastasov <ja@xxxxxx>
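As an added illustration of the agent-side L4 check Julian sketches (not code from the thread or from the LVS project): an agent on a VS-DR real server uses bind() as a probe. If bind() on VIP:port fails with EADDRINUSE, a socket already owns that port on the VIP (or on 0.0.0.0); if it succeeds, nothing is listening there, which is exactly the "listening on the RIP, not the VIP" misconfiguration Joe describes. The function names, status strings and the stand-in listener are my own; the VIP/RIP values are supplied on the command line, none come from the original post.

```python
import errno
import socket
import sys

def bind_probe(addr: str, port: int) -> bool:
    """True if a listener already owns addr:port (bound to addr or to 0.0.0.0),
    False if the port is free on that address. The probe socket is closed
    right away, so the port is held only for the duration of bind()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return False                      # bind() succeeded: nothing listens here
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True                   # a service on addr or 0.0.0.0 holds it
        if e.errno == errno.EACCES:
            raise PermissionError(f"probing port {port} needs root") from e
        if e.errno == errno.EADDRNOTAVAIL:
            raise ValueError(f"{addr} is not configured on this host") from e
        raise
    finally:
        s.close()

def classify(on_vip: bool, on_rip: bool) -> str:
    """Map the two probe results to the status the agent reports to the director."""
    if on_vip:
        return "OK: service listening on VIP"
    if on_rip:
        return "MISCONFIGURED: service listens on RIP only; VS-DR traffic to the VIP is refused"
    return "DOWN: service not listening on VIP or RIP"

def check_service(vip: str, rip: str, port: int) -> str:
    """Probe VIP:port and RIP:port on this real server and return the status line."""
    return classify(bind_probe(vip, port), bind_probe(rip, port))

def open_stand_in_service(addr: str) -> tuple:
    """Listener on an ephemeral port: a stand-in for a real service, used only
    to exercise the probe offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((addr, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # usage: agent.py VIP RIP PORT  (the real server's own addresses; constructed
    # example, no values here are taken from the original post)
    if len(sys.argv) != 4:
        sys.exit("usage: agent.py VIP RIP PORT")
    print(check_service(sys.argv[1], sys.argv[2], int(sys.argv[3])))
```

Probing a privileged port (below 1024) needs root, and a VIP that is not configured on the real server is reported as an error rather than as "free", so a missing VIP on lo is not mistaken for a stopped service.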


