RE: connection sync at failover, email, and using only basic IPmgmt

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: RE: connection sync at failover, email, and using only basic IPmgmt
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Tue, 14 Feb 2006 08:34:28 +0000
On Mon, 2006-02-13 at 16:53 -0600, Richard Pickett wrote:
> Yeah. I've looked on that list. Last email I saw on there was September
> of last year, considering that the last update of keepalived was early
> '05 I figured it had died off.

Hrm... last email I have on the keepalived list was last Friday. It's a
relatively quiet list these days but that's probably because Alexandre
(maintainer) has been working on a commercial version of the code, so
the OSS branch has gone a bit quiet.

> Although I didn't run this through my own email servers (where I have
> access to the logs) the "to" was to a valid email account on the server
> it was sent to. I'll ethereal it and see if I can dig up some more info.
> Maybe I'll end up just having it call shell scripts that will send out
> mail for me.

It strikes me that the SMTP server you're using might be doing *sender*
verification and rejecting the mail because it's using a non-lookup-able
sender. If you're using Exim, this is very likely.

> Cool cool cool. One last item on this particular configuration. These
> boxes use iptables RELATED,EXISTING commands to forward traffic at the
> head of its rules so existing connections don't have their packets run
> through all the rules every time. Does the lvs_sync_daemon_interface
> populate the iptables connection table, or is it just the vrrp
> connection tables?

The LVS sync daemon synchronises the LVS table - there isn't a VRRP
table.

> The scenario I see is an existing connection that matched firewall rules
> getting dropped by the backup iptables rules when he switches to master
> because his iptables state wasn't aware of the connection. Is that a
> correct assessment?

More than likely, yes. I'm not aware of anything to sync the iptables
conntrack tables (which is what you're talking about).

Personally I think that a connection drop at router failover is
acceptable; it's rather better than having a complete outage.

Graeme
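One way to check the mismatch Graeme describes on the new master, as an added example that is not part of the original thread: the script below compares constructed `ipvsadm -L -c -n` style output (the IPVS table the sync daemon carries over) against constructed `/proc/net/ip_conntrack` style output and lists the flows that an ESTABLISHED,RELATED rule at the head of the chain would not recognise. The column layouts are assumed to match those tools; the sample data is constructed, not captured from a real host.

```python
"""Report LVS connections that have no matching conntrack entry.

After a failover the new master has the IPVS connection table (synced by
lvs_sync_daemon) but an empty netfilter conntrack table, so an iptables
rule that only accepts ESTABLISHED,RELATED traffic will drop those flows.
Constructed sample data below; formats assumed to match ipvsadm/ip_conntrack.
"""
import re

# Constructed sample of `ipvsadm -L -c -n` output on the new master.
IPVS_SAMPLE = """\
IPVS connection entries
pro expire state       source             virtual            destination
TCP 14:59  ESTABLISHED 10.0.0.5:51234     192.0.2.10:80      10.1.1.2:80
TCP 13:02  ESTABLISHED 10.0.0.6:40021     192.0.2.10:80      10.1.1.3:80
"""

# Constructed sample of /proc/net/ip_conntrack: only the second flow is known.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.6 dst=192.0.2.10 sport=40021 dport=80 src=10.1.1.3 dst=10.0.0.6 sport=80 dport=40021 [ASSURED] use=1
"""

# proto, timeout, optional TCP state, then the original-direction tuple.
_CT = re.compile(r"^(\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
                 r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_ipvs(text):
    """Return (proto, client, vip) tuples from ipvsadm connection output."""
    conns = []
    for line in text.splitlines()[2:]:  # skip the two header lines
        fields = line.split()
        if len(fields) >= 5:
            conns.append((fields[0].lower(), fields[3], fields[4]))
    return conns


def parse_conntrack(text):
    """Return the set of (proto, client, vip) tuples conntrack knows about."""
    seen = set()
    for line in text.splitlines():
        m = _CT.match(line)
        if m:
            proto, src, dst, sport, dport = m.groups()
            seen.add((proto, f"{src}:{sport}", f"{dst}:{dport}"))
    return seen


def unsynced_connections(ipvs_text, ct_text):
    """IPVS connections absent from conntrack: an ESTABLISHED,RELATED rule
    would not match their next packet on the new master."""
    seen = parse_conntrack(ct_text)
    return [c for c in parse_ipvs(ipvs_text) if c not in seen]


if __name__ == "__main__":
    for proto, client, vip in unsynced_connections(IPVS_SAMPLE, CONNTRACK_SAMPLE):
        print(f"{proto} {client} -> {vip}: in IPVS table, not in conntrack")
```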

