Quoting Peter Mueller <pmueller@xxxxxxxxxxxx>:
> > I succeeded in patching, compiling, installing and loading the ipvs module.
> > After this I created
> > a VIP 192.168.1.77 on node2 to serve as the cluster IP
>
> Not sure if it will matter in this case, but.. which version of all IPVS
> software, and what kernel/distribution?
Kernel 2.4.18 from www.kernel.org
linux-2.4.18-ipvs-1.0.4.patch
ipvsadm-1.21.tar.gz
Maybe there is a problem here.
> > In order to use ssh I added the following line to node2, so the connection
> > can look as if it comes from node2 directly
> >
> > iptables -t nat -A POSTROUTING -j SNAT 192.168.1.77
>
> Maybe I'm going (am) crazy, but what does this do? SNAT to what target?
Everything that is forwarded by this machine is SNATed, I guess.
> > Then I went to ipvs, I flushed all the iptables entries and issued, on node2,
> > the command
> >
> > /sbin/ipvsadm -A -t 192.168.1.77:22 -s rr
>
> OK, using 192.168.1.77 port 22 as VIP, round-robin scheduler.
Oops, I forgot to say something here: I kept the rule to do SNAT, in order to
use the masquerading option.
>
> > to add the virtual service
> > and the commands
> >
> > /sbin/ipvsadm -a -t 192.168.1.77:22 -r 192.168.1.15:22 -m -w 1
> > /sbin/ipvsadm -a -t 192.168.1.77:22 -r 192.168.1.16:22 -m -w 1
> >
> > to add the real servers.
>
> OK. But is masquerade (-m) what you want here? If you want to masquerade
> you need a separate subnet on the real server (what you call 'node') end.
> See this document for more details:
> http://www.linuxvirtualserver.org/how.html.
Well, that's something I want to understand. If I send an ssh request to the
director and another machine answers without any masquerading, won't the client
refuse the connection? I mean, working with iptables alone I tried to redirect
traffic on the network to another server, but it seems to me that when the packet
comes back with a different source address the client refuses it and the connection
gets stuck. This happened in every test I did except ping, which does something like
this:
# ping -c 1 192.168.1.77
PING 192.168.1.77 (192.168.1.77) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.1.15: icmp_seq=1 ttl=64 time=0.818 ms
In other words, it sent a packet to one server (192.168.1.77) and got the answer
from another (192.168.1.15). Now if I try it with ssh I get nothing. So I use the
masquerading rule to change this behavior.
My question here is, if I don't do the masquerading and I ask my director for a
connection and it redirects the request to a real server _and_ the real server
answers the client directly, how will the client accept the connection?
I wanted to use a ping for a first test; however, I found nothing about ICMP
being covered by ipvs, only TCP and UDP, so I tried ssh, just as I did with
iptables.
>
> > In order to do the test I tried to ssh from node1 to node2, but the connection
> > never completes and I got no login prompt, it just hangs.
> >
> > What could be happenning?
>
> A TCPDUMP on the client, director, and real server would immediately tell us
> what's going on. If I had to guess, I'd say something got mixed up in the
> subnets with that -m statement.
I'll try it.
> If this doesn't help you could try using Joseph Mack's configure script.
> It's included in the tarball. It makes setup a lot easier.
Ok, but I want to learn how to do it by hand first ;-)
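The question in the message above, why ping "works" when the reply comes from 192.168.1.15 while ssh to the VIP hangs, and what the -m (masquerading/LVS-NAT) mode has to do to fix it, can be shown with a small model of the director and the client. The following is an added example written for this page; it is not code from the thread or from the LVS project. It uses the addresses and ports from the thread (VIP 192.168.1.77, client 192.168.1.1, real servers 192.168.1.15 and 192.168.1.16, service port 22). The classes and functions (Director, Packet, tcp_client_accepts, ping_accepts, ssh_via_director) are hypothetical simplifications: the director keeps a connection table keyed by the client's source address and port, rewrites the destination on the way in and the source on the way out, and the `reply_routes_through_director` flag stands in for the real requirement that the real servers' default route points back at the director, which is why the how.html document asks for a separate subnet on the real-server side.

```python
"""Toy model of LVS-NAT (ipvsadm -m) versus a real server replying directly.
Added example, not code from the thread or from the LVS project.
Addresses and ports are the ones used in the thread; everything else
(Director, Packet, the accept checks) is a simplified, hypothetical model."""
from dataclasses import dataclass, replace
from itertools import cycle

VIP, CLIENT = "192.168.1.77", "192.168.1.1"
REAL_SERVERS = ["192.168.1.15", "192.168.1.16"]   # ipvsadm -a ... -r <rs> -m -w 1


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # "SYN", "SYN-ACK", ... (informational only)


class Director:
    """Models `ipvsadm -A -t VIP:22 -s rr` with real servers added using -m."""

    def __init__(self, vip, port, real_servers):
        self.vip, self.port = vip, port
        self.rr = cycle(real_servers)   # round-robin scheduler (-s rr)
        self.table = {}                 # (client ip, client port) -> chosen real server

    def inbound(self, pkt):
        """Client -> VIP: pick a real server for new connections, rewrite dst (DNAT)."""
        if (pkt.proto, pkt.dst, pkt.dport) != ("tcp", self.vip, self.port):
            return pkt                  # not the virtual service; forwarded untouched
        key = (pkt.src, pkt.sport)
        if key not in self.table:       # new connection: schedule it
            self.table[key] = next(self.rr)
        return replace(pkt, dst=self.table[key])

    def outbound(self, pkt):
        """Real server -> client: only seen if the reply routes via the director.
        Rewrites src back to the VIP so the client sees the address it talked to."""
        key = (pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and self.table.get(key) == pkt.src:
            return replace(pkt, src=self.vip)
        return pkt


def tcp_client_accepts(sock, reply):
    """A TCP socket only matches segments whose 4-tuple mirrors its own;
    a SYN-ACK from any other source address is simply not for this socket."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (sock.dst, sock.dport, sock.src, sock.sport)


def ping_accepts(reply):
    """ping matches echo replies on ICMP identifier/sequence, not on the
    source address, which is why a reply from 192.168.1.15 is printed happily."""
    return reply.proto == "icmp"


def ssh_via_director(reply_routes_through_director):
    """One ssh SYN from the client to VIP:22. Returns (real server chosen,
    whether the client's socket accepts the SYN-ACK it gets back)."""
    d = Director(VIP, 22, REAL_SERVERS)
    syn = Packet("tcp", CLIENT, VIP, 40000, 22, "SYN")
    at_rs = d.inbound(syn)                               # dst now a real server
    synack = Packet("tcp", at_rs.dst, CLIENT, 22, 40000, "SYN-ACK")
    if reply_routes_through_director:                    # LVS-NAT: director is the RS gateway
        synack = d.outbound(synack)                      # src rewritten back to the VIP
    return at_rs.dst, tcp_client_accepts(syn, synack)


if __name__ == "__main__":
    print("ping reply from another host accepted:",
          ping_accepts(Packet("icmp", REAL_SERVERS[0], CLIENT)))
    print("ssh, reply routed back through director:", ssh_via_director(True))
    print("ssh, real server answers client directly:", ssh_via_director(False))
```

With the reply routed through the director the client sees a SYN-ACK from 192.168.1.77:22 and the handshake completes; when the real server answers the client directly, the SYN-ACK arrives from 192.168.1.15:22, matches no socket on the client, and the connection hangs exactly as described. On a real LVS-NAT setup the `reply_routes_through_director` branch is not a flag but a routing requirement: the real servers must use the director as their default gateway, which the single flat 192.168.1.0/24 in the thread does not provide.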