|
Carl wrote:
UltraMonkey (http://ultramonkey.org) has a nice set of tools and sample
configurations. Seems to work pretty well and was easy to set up. They use
heartbeat for HA and provide ldirectord for LVS stuff.
It looks like keepalived (http://keepalived.sourceforge.net/) dispenses with
heartbeat in favor of their own vrrp implementation. Real failover, right? No
backup serial connection that I can tell, but IPSEC for the advertisement
broadcasts (nice). One deamon does both LVS stuff and failover?
I set up both ldirectord and keepalived up to try them out and see which I
liked better. The goal was to have a redundant pair of LVS(-NAT) directors
which would also serve as the primary firewall/gateway for our external
connection and DMZ hosts. My firewall scripts use heavy stateful
inspection, iproute2 'ip' utils to add/remove ip's and routes, and proxy
arp. I did not want to lose any of the features of the firewall setup if at
all possible.
These are my observations, but as others have said, both are being heavily
developed by their authors, and anything I say here could be obsolete in
short time. I think they are both great packages.
LDIRECTORD/HEARTBEAT
Using ldirectord, you need heartbeat to handle the failover/redundancy
capabilities. The modular approach is a good idea, and they have developed
resource monitoring which goes well beyond just checking if a realserver
responds to a connection/request on a certain port/service.
I set up ldirectord first, on a single director, since this would get the
high availability of my real servers working. I used my firewall script to
add the VIP's to the director (with iproute2 'ip' commands), and added a
section to the script to create the virtual services with ipvsadm commands.
(I knew this wouldn't be necessary when/if I got heartbeat set up).
Ldirectord works quite well, and it apparently has the ability to do a basic
UDP check (since stopping named on one of the realservers causes ldirectord
to remove that RS from the 53/udp virtual service until named is started
back up).
I was disappointed to see that heartbeat (particularly the ipfail part) is
still written to use ifconfig and old-way ip "aliases" (ie, eth0:0, eth0:1,
etc.) to have multiple IP's on an interface. 2.2.x and ipchains is a bit
"passe" - 2.4.x and iptables has been stable/production for quite some time
now. iptables does not like interface names with ":" in them, so you are
imposing pretty stiff limits on what kinds of firewall rule sets you can
write if you use old-style ip aliases.
Reading the mailing list archives, it looks like some users have started
submitting patches that will cause heartbeat to use the iproute utils to set
up the interfaces instead, but this had not been incorporated into the
latest-available beta (at that time, 1st half of Apr. '03), and I was not
sure if the modifications were comprehensive in scope, or just addressing
certain aspects. (My programming skills are pretty weak).
This pretty much nixed any further looking into of heartbeat for me, so I
started looking at keepalived.
KEEPALIVED
Keepalived is an all-in-one package, which is written in C.
It uses 2.4-native netlink functions to set up interfaces, IP addresses, and
routes on 2.4 boxes, so it is no big deal to have multiple IP's on one
interface. You can use iptables commands which match a single interface to
cover all the IP's on the interface, or you can add a -d one.of.my.vips to
make that rule match a single VIP, subnet, etc.
Keepalived uses VRRPv2 to handle director failover, it's really nice. When
failover happens, the new master sends gratuitous arps out on the network,
so virtual services experience basically no interruption (especially since
keepalived also supports IPVS connection synchronization between directors).
There is currently an issue with HEAVY syslog activity when a pair of
directors are running (it logs the election process on both directors) but
Alexandre is working on that.
If you're running proxy-arp on the director, you can use keepalived's
ability to run scripts when a machine becomes master to send arping
unsolicited arps for the other hosts in your DMZ and your ISP's gateway, so
that the other hosts in your DMZ with routable IP's on their interfaces
(which only need the director as a router/firewall) are also updated with
the new master's MAC addresses. Keepalived doesn't send gratuitous arp's
out for IP's it didn't take over, so this is needed for your DMZ hosts to
see the ISP's gateway, and also for the ISP's gateway to be apprised of the
new (remember, proxy arp!) MAC address of those other DMZ hosts. (I am
currently working on a HOW-TO for this, which will apparently be added to
the keepalived online documentation, and also our website).
Keepalived currently does not support UDP connection check, but it is on
Alexandre's to-do list.
Also another feature (I haven't looked at yet) of keepalived is the
virtual_server_group capability, which allows you to group virtual services
together and have their health check pass/fail determined by a single
connection check - good for example if you have a stack of IP-based apache
virtual hosts on a realserver. You probably don't really need to check each
virtual host's IP, and you don't want to flood the realserver with health
checks.
I think they're both really great packages. If heartbeat were updated to
use iproute2 utils, instead of ifconfig and interface aliases to have
multiple IP's per interface, it would be much more viable for people running
strong iptables firewall rulesets, such as those who wish to use the
director as a firewall/gateway.
Me personally, I'm going to keep running keepalived. It also has a lower
CPU overhead.
cheers,
vinnie
lvwnet.com
(the linux stuff is pretty non-existent on our website right now, one of
these days I'll get around to editing/posting my documentation).
|
