John Reuning wrote:
>
> Sorry, I left a few things without response.
>
> > actually in LVS-NAT, the director knows exactly the state of
> > each connection since it sees the packets in each direction.
>
> I had to enable connection tracking and SNAT on the director to allow
> the real servers to initiate connections. Is lvs supposed to provide
> this functionality to the real servers?
unless you do some special tricks (outlined in the HOWTO somewhere),
the realservers cannot connect to the services provided by the LVS.
> > LVS and netfilter aren't real compatible - they tread on each other's
> > toes - look for "Antefacto" in the HOWTO. Be careful here.
>
> I thought that the antefacto patch was what allowed packet filtering on
> the director. I don't need that, only the SNAT connection tracking.
you don't need the Antefacto patch. That is the part of the HOWTO where the
conflicts between netfilter and LVS are best discussed.
> Part of the issue is that for http, the connection doesn't stay open
> between page requests. From the testing described in my previous
> message, it looks like the active connection counting in lvs isn't
> maintaining http sessions as active.
I'm not sure what's happening at your end yet, but just to make sure you
understand:
o LVS doesn't do anything to change the tcp layer involved in connecting
the client to the realserver. The client thinks it is connected directly
to the realserver and the realserver thinks it is being contacted
directly by the client. Unix semantics, tcp timeouts... are all the same.
The director only selects which realserver gets the connection (and
with persistence, which realserver will get the next connection from
the same client).
o The director tries to keep track of the state of the connection. In LVS-NAT
since it sees packets in both directions, the director knows the state of
the connection exactly. In LVS-DR, since the packets from the realservers
are sent directly to the client and don't go via the director, the director
does some hand waving, uses likely values for timeouts and then takes a stab
at the likely state of the connection at the realserver. Since you are using
LVS-NAT, your director knows the connection state of the realservers.
o http connections can be persistent
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.single-port.html#persistent_http
o If the ip_vs template has not expired and the client initiates a new
connection from the same port (it's called "reusing ports") to the VIP:service,
LVS will not see it as a new connection. What happens to ActiveConn, InActConn
or to the tcp state of the realserver I don't know (Horms?)
Joe
--
Joseph Mack PhD, High Performance Computing & Scientific Visualization
SAIC, Supporting the EPA Research Triangle Park, NC 919-541-0007
Federal Contact - John B. Smith 919-541-1087 - smith.johnb@xxxxxxx
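The distinction drawn above between LVS-NAT (the director sees both directions and knows the TCP state exactly) and LVS-DR (the director sees only client-side packets and guesses with timeouts), plus the port-reuse case and the ActiveConn/InActConn question for a short HTTP connection, as an added toy model that is not part of this thread and not IPVS code. The active/inactive split follows ipvsadm's convention (ESTABLISHED counts as ActiveConn, every other state as InActConn); the transition rules, the timeout values, the realserver names and the client trace are simplified assumptions constructed for the demo.

```python
"""Toy model of an LVS director's connection table (constructed example, not IPVS code)."""
from dataclasses import dataclass

# Assumed per-state timeouts in seconds, chosen for the demo (the real IPVS
# state table has its own defaults).
TIMEOUT = {"SYN_RECV": 60, "ESTABLISHED": 900, "FIN_WAIT": 120, "TIME_WAIT": 120}


@dataclass
class Conn:
    client: tuple       # (client ip, client port) -> one VIP:service assumed
    realserver: str     # realserver chosen when the entry was created
    state: str
    expires: float


class Director:
    def __init__(self, mode, realservers):
        assert mode in ("NAT", "DR")
        self.mode = mode
        self.realservers = list(realservers)
        self.rr = 0          # round-robin cursor: counts scheduling decisions
        self.table = {}      # client (ip, port) -> Conn

    def _schedule(self):
        rs = self.realservers[self.rr % len(self.realservers)]
        self.rr += 1
        return rs

    def expire(self, now):
        """Drop entries whose state timeout has run out."""
        for key in [k for k, c in self.table.items() if c.expires <= now]:
            del self.table[key]

    @staticmethod
    def _next(state, flags, from_client):
        # Simplified transitions, not the IPVS table.
        if "SYN" in flags and from_client:
            return "SYN_RECV"      # port reuse on a live entry: restart it
        if "FIN" in flags:
            return "TIME_WAIT" if state in ("FIN_WAIT", "TIME_WAIT") else "FIN_WAIT"
        if state == "SYN_RECV" and from_client and "ACK" in flags:
            return "ESTABLISHED"
        return state

    def packet(self, now, client, flags, from_client=True):
        """Apply one TCP segment; flags is a set such as {'SYN'} or {'FIN', 'ACK'}."""
        self.expire(now)
        if not from_client and self.mode == "DR":
            # LVS-DR: the realserver answers the client directly, so the
            # director never sees this packet and cannot update its state.
            return None
        if "RST" in flags:
            self.table.pop(client, None)
            return None
        conn = self.table.get(client)
        if conn is None:
            if "SYN" not in flags or not from_client:
                return None        # no entry and not a new connection: ignore
            conn = Conn(client, self._schedule(), "SYN_RECV", 0.0)
            self.table[client] = conn
        else:
            # Existing entry (template not expired): no new scheduling decision,
            # the packet is applied to the entry that already exists.
            conn.state = self._next(conn.state, flags, from_client)
        conn.expires = now + TIMEOUT[conn.state]
        return conn

    def counts(self):
        """ActiveConn = ESTABLISHED entries, InActConn = everything else."""
        active = sum(1 for c in self.table.values() if c.state == "ESTABLISHED")
        return {"ActiveConn": active, "InActConn": len(self.table) - active}


def http_exchange(d, t0, client):
    """Constructed trace of one non-persistent HTTP request (Connection: close)."""
    steps = [
        (0.0, {"SYN"}, True), (0.0, {"SYN", "ACK"}, False), (0.0, {"ACK"}, True),
        (0.1, {"PSH", "ACK"}, True),    # GET
        (0.2, {"PSH", "ACK"}, False),   # response
        (0.3, {"FIN", "ACK"}, False),   # server closes first
        (0.4, {"FIN", "ACK"}, True),    # client closes
    ]
    for dt, flags, from_client in steps:
        d.packet(t0 + dt, client, flags, from_client)
    return d.table[client].state, d.counts()


if __name__ == "__main__":
    client = ("10.0.0.5", 40000)        # constructed client address
    for mode in ("NAT", "DR"):
        d = Director(mode, ["rs1", "rs2"])
        print(mode, http_exchange(d, 0.0, client))
```

Running the trace in both modes shows the point of the thread: in NAT mode the entry ends in TIME_WAIT because the director saw the server's FIN, while in DR mode it is stuck in FIN_WAIT until the timeout fires, since the server's FIN never passed through the director. In both cases the finished HTTP connection has already left ActiveConn, which is why a non-persistent HTTP client never looks "active" for long; a second SYN from the same client port before the entry expires is applied to the existing entry and goes to the same realserver without a new scheduling decision.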