Ok, thanks for the input. After playing with it for a while, I have it
working for http and smtp services. I am running the VIP on an alias, so
the IP associated with the default gateway on the director was not the
same as the VIP. As it turns out, not having a default gateway on the
director is more of an inconvenience (not being able to ssh directly in)
than anything else and I am fine without it. However, I do need the
realservers to connect to the world at least until I get all their
services load balanced. I will read the 3-Tier link you sent below.
My only problem now is with the DNS services I am trying to load balance.
For some reason, it's not working while http and smtp are fine. I can run
DNS queries from the director across the local network to each realserver
and get a good response, but when I try to access DNS on the VIP (using
"dig @VIP somedomain.com") I get a server timeout. The only difference I
see is that DNS uses UDP, but I have both TCP and UDP domain services
set up in ipvsadm:
IP Virtual Server version 1.0.12 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP vip2:http rr
-> rs2:http Route 1 0 0
-> rs1:http Route 1 0 0
TCP vip2:smtp wlc
-> rs2:smtp Route 1 12 0
-> rs1:smtp Route 1 12 0
UDP vip2:smtp wlc
-> rs2:smtp Route 1 0 0
-> rs1:smtp Route 1 0 0
TCP vip2:domain wlc
-> rs2:domain Route 1 0 0
-> rs1:domain Route 1 0 0
TCP vip1:domain wlc
-> rs2:domain Route 1 0 0
-> rs1:domain Route 1 0 0
UDP vip1:domain wlc
-> rs2:domain Route 1 0 0
-> rs1:domain Route 1 0 0
UDP vip2:domain wlc
-> rs2:domain Route 1 0 0
-> rs1:domain Route 1 0 0
Is there any reason why DNS would act differently?
Lastly, I wasn't trying to start a war on how to secure a server or
criticize your script writing. I was following the steps in the mini-HOWTO
setting up my director, on a remote ssh session, and as soon as I ran the
setup script I lost connectivity to the box. It was confusing and I
thought I'd done something wrong, but I didn't see any errors in the
output. I would suggest putting something in the mini-HOWTO that says the
default gateway will be removed and remote connections will be lost after
running the script.
Thanks,
--jeff
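The DNS timeout above is the kind of symptom a plain `dig @VIP` cannot break down any further, because a resolver silently discards a UDP answer that arrives from an address other than the one it queried (dig only notes "reply from unexpected source"). The following is an added diagnostic, not code from the post or from the LVS project: it sends a hand-built UDP query and reports whether the VIP timed out, answered, or answered from some other address (such as a realserver's RIP in an LVS-DR setup). The VIP address and the query name are placeholders.

```python
import random
import socket
import struct

def build_query(name, qtype=1):
    """Build a minimal DNS query (A record, RD set); return (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def classify_reply(txid, sent_to, reply, source):
    """Say what a UDP reply tells us about the path to the VIP."""
    if source[0] != sent_to:
        # A realserver answered directly from its own address (e.g. its RIP),
        # not from the VIP; a resolver would drop this and then time out.
        return "reply-from-unexpected-source:" + source[0]
    if len(reply) < 12:
        return "short-reply"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid:
        return "txid-mismatch"
    if not flags & 0x8000:          # QR bit clear: not a response at all
        return "not-a-response"
    return "ok rcode=%d" % (flags & 0x000F)

def probe_udp(server, name, timeout=3.0, port=53):
    """Send one UDP query to server and classify the outcome (or 'timeout')."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Deliberately unconnected: a connected UDP socket would filter out
        # replies from other sources and hide exactly the case we want to see.
        s.sendto(pkt, (server, port))
        try:
            reply, source = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_reply(txid, server, reply, source)

if __name__ == "__main__":
    import sys
    vip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder VIP
    print(vip, probe_udp(vip, "somedomain.com"))               # placeholder name
```

Run it once against the VIP and once against each RIP; a "reply-from-unexpected-source" result against the VIP, or "ok" against every RIP but "timeout" against the VIP, narrows the problem to the UDP path through the director rather than to the DNS servers themselves.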
> Joseph Mack PhD, High Performance Computing & Scientific Visualisation
> LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal
> Infrastructure Contact-Ravi Nair 919-541-5467 - nair.ravi@xxxxxxx,
> Federal Visualization Contact - Joe Retzer, Ph.D. 919-541-4190 -
> retzer.joseph@xxxxxxx
>
> lvs-users-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 04/15/2005 12:12:03
> AM:
>
>> Hi Joe,
>>
>> Actually, no, I'm not very glad my director, and now it seems my
>> realservers, can't connect to the outside world after
>> running the setup
>> script. While I understand the need for security, I have
>> the ability to
>> secure my machines without completely severing them from
>> the internet.
>
> I put some effort into the script to produce a secure LVS.
> You can change the setup any way you like.
>
> How you get your security is a religious issue. However
> I personally wouldn't throw away security that already exists
> just because there is security elsewhere.
>
>> I have read the link you provided below and while it makes
>> sense for a
>> setup where the director and realservers don't need to
>> talk to the world
>
> If the realservers need services on the internet, there's
> a write up on doing this securely in
>
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.3-Tier.html
>
>> my question now is: will adding the default gateway back
>> to the director
>> and realservers actually *hurt* anything in the LVS setup?
>
> No it will be fine.
>
> If you want a default gw I'd suggest you do it through some other
> NIC or IP. The VIP on the director has no business sending packets
> to the outside world.
>
>> Given that I'm
>> using a two network setup, shouldn't LVS work correctly for the load
>> balanced services even if I'm providing other services (on
>> a different IP
>> from the VIP/RIP) to the public on the director/realservers? Or am I
>> missing some arcane ARP/network config problem?
>
> it will work fine.
>
> Joe
>
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
>