On Fri, Jan 21, 2005 at 12:35:11PM -0600, Karen Shepelak wrote:
> Hi all,
>
> I am not having any luck getting ssh service to run to LVS running on
> LTS3.0, kernel 2.4.21-20.ELsmp. Main problem seems to be in getting rid
> of arp problems.
> Odd thing is that after having used the "Horms method" to the
> realservers, telnet service to LVS works ok. I tried installing the
> suggested "hidden" patch for this kernel to see if it would control the
> arp issues differently enough to get ssh service to work, but the patch
> will not install with this kernel.
> Question: has anyone else been able to get ssh working to LVS
> (ipvsadm-1.21-9.ipvs108) on kernel 2.4.21-20.ELsmp?
> Only clue to ssh not working is the following error message reported in
> the /var/log/messages of the realservers:
>
> Jan 19 19:45:40 minos08 sshd[4558]: *Did not receive identification
> string from 131.225.110.58* < This is RIP of the
> director, not VIP>
>
> At this point, I am thinking that the ipvsadm version is not the best
> one for using with ssh.
> Anyone already encounter a problem like this? Anyone have any ideas or
> suggestions on which way to go from here?
>
> any and all suggestions welcome,

Hi,

It is quite curious that telnet works at all, as really
if you are using LVS-DR and you don't deal with the ARP
problem, you are going to be in trouble.

If you want to use RHEL + LVS I have several suggestions.

1. Use the packages on UltraMonkey.Org
   (N.B: I made these so I am a bit biased here)

   In particular there is a kernel package with the hidden patch
   compiled in. There is also a version of ipvsadm that works.

2. Use the stock RHEL kernel, and use arptables to control the arp problem.
   There is an arptables package for RHEL AS and ES, and if you
   recompile the available source it works for WS.

   I have had some success in my lab with something along the lines of
   the following. And it has the advantage over 1) that you don't need
   to change the kernel.
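
       # Flush existing rules, then drop incoming ARP addressed to the VIP
       arptables -F
       arptables -A IN -d VIP -j DROP
       # Outgoing ARP matching -d VIP gets its source IP rewritten to the RIP
       arptables -A OUT -d VIP -j mangle --mangle-ip-s RIP
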
   http://archive.linuxvirtualserver.org/html/lvs-users/2004-12/msg00015.html

3. Try using policy routing. I have also had some success using this.
   http://archive.linuxvirtualserver.org/html/lvs-users/2003-10/msg00034.html

4. The noarp module.
   I have not tried this myself, but the author swears by it
   http://www.masarlabs.com/noarp/

--
Horms
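
Added example, not part of the message above and not code from the LVS or UltraMonkey projects: a shell check that reads a neighbour table in `ip neigh show` format and reports whether the VIP resolves to the director's MAC, which is what any of the four suggestions should achieve on an LVS-DR segment. The function name, addresses and MACs are constructed for illustration.

```shell
#!/bin/sh
# check_vip_arp VIP DIRECTOR_MAC   (hypothetical helper name)
# Reads `ip neigh show` lines on stdin, e.g. on a client on the director's segment:
#     ip neigh show | check_vip_arp "$VIP" "$DIRECTOR_MAC"
# Exit 0: VIP resolves only to the director's MAC.
# Exit 1: some other host (typically a realserver) answered ARP for the VIP.
# Exit 2: no resolved entry for the VIP, so nothing can be concluded.
check_vip_arp() {
    vip=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    awk -v vip="$vip" -v want="$want" '
        $1 == vip {
            mac = ""
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next      # FAILED/INCOMPLETE entries carry no lladdr
            seen = 1
            if (mac != want) {
                bad = 1
                printf "ARP PROBLEM: %s answered by %s, expected director %s\n", vip, mac, want
            }
        }
        END {
            if (bad) exit 1
            if (!seen) {
                printf "UNKNOWN: no resolved neighbour entry for %s\n", vip
                exit 2
            }
            printf "OK: %s resolves to director %s\n", vip, want
        }'
}

# Constructed sample: the VIP 192.0.2.100 has been learned with a realserver's
# MAC (…:00:08) instead of the director's (…:00:01), i.e. the ARP problem.
sample_neigh() {
    cat <<'EOF'
192.0.2.1 dev eth0 lladdr 00:16:3e:00:00:fe REACHABLE
192.0.2.100 dev eth0 lladdr 00:16:3e:00:00:08 STALE
192.0.2.58 dev eth0 lladdr 00:16:3e:00:00:01 REACHABLE
EOF
}

# Demo run on the constructed sample; reports the mismatch.
sample_neigh | check_vip_arp 192.0.2.100 00:16:3e:00:00:01 || true
```

Clear the client's cached entry for the VIP and contact the VIP again before running the check, so the table reflects whichever host currently answers.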