Re: persistence

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: persistence
From: Casey Zacek <cz@xxxxxxxxxxxx>
Date: Thu, 7 Apr 2005 22:05:29 -0500
Graeme Fowler wrote (at Thu, Apr 07, 2005 at 11:17:19PM +0100):
> You could always manage this from keepalived - write a script to do your
> iptables management, and have it run with appropriate options upon a
> transition. I do something similar for my DNS cluster:
> 
>    notify_master "/usr/local/bin/transitions MASTER"
>    notify_backup "/usr/local/bin/transitions BACKUP"
>    notify_fault  "/usr/local/bin/transitions FAULT"
> 
> where /usr/local/bin/transitions parses a list of IP addresses and shuffles
> them from loopback to ethernet interface appropriately (meaning I don't have
> to muck about with arptables).
> You could, I suspect, do something similar with iptables by making keepalived
> set them up appropriately when transitioning to MASTER state at startup. OK,
> it's cheating, but it'd probably work :)

Well, I did end up going with fwmark anyway for a few reasons:

1) I don't have to reload keepalived (causing a failover to the backup
director) when I change virtual service configuration (unless it
involves changing realserver configuration in some way).

2) I already had some stuff set up with fwmark anyway thanks to AOL's
annoying proxy stuff.

3) Fewer virtual services since I don't need to set up additional VSes
for SSL in addition to HTTP, etc.

I don't have to use arptables anymore anyway, thanks to
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce and
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore on the realservers.  I
can't imagine a need for it on the directors.

My iptables configuration remains static (and identical) on both
directors.

-- 
Casey Zacek
Senior Engineer
NeoSpire, Inc.
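
The fwmark arrangement described in the message above, as an added example that is not part of the original post: one static mangle rule marks HTTP and HTTPS traffic to the VIP, and a single persistent virtual service is keyed on that mark. It assumes LVS-DR, shows plain ipvsadm commands rather than keepalived configuration, and the VIP, realserver addresses, mark, scheduler and timeout are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Prints (does not run) the
# director-side commands for one persistent fwmark virtual service that
# covers HTTP and HTTPS. All addresses and values below are constructed.

# fwmark_rule VIP MARK PORTS
# Static mangle rule, identical on both directors: tag traffic to the VIP.
fwmark_rule() {
    case $2 in
        ''|0|*[!0-9]*) echo "invalid mark: $2" >&2; return 1 ;;
    esac
    case $3 in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "invalid port list: $3" >&2; return 1 ;;
    esac
    printf 'iptables -t mangle -A PREROUTING -d %s/32 -p tcp -m multiport --dports %s -j MARK --set-mark %s\n' "$1" "$3" "$2"
}

# ipvs_rules MARK PERSIST_SECONDS REALSERVER...
# One virtual service keyed on the mark; -p keeps a client on the same
# realserver for every marked port, so HTTP and HTTPS stay together.
ipvs_rules() {
    mark=$1 timeout=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no realservers given" >&2; return 1; }
    printf 'ipvsadm -A -f %s -s wlc -p %s\n' "$mark" "$timeout"
    for rip in "$@"; do
        printf 'ipvsadm -a -f %s -r %s -g\n' "$mark" "$rip"   # -g: direct routing
    done
}

# Sample run: VIP 192.0.2.10, mark 1, two realservers, 300 s persistence.
fwmark_rule 192.0.2.10 1 80,443
ipvs_rules 1 300 192.0.2.11 192.0.2.12
```

Adding a port to the service changes only the mangle rule; the IPVS table keyed on the mark stays the same.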
