Re: A running configuration for a Squid LVS

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: A running configuration for a Squid LVS
From: Francisco Gimeno <kikov@xxxxxxxxx>
Date: Thu, 22 Jun 2006 21:59:02 +0200
Hello Ignacio... 

I really don't remember the mechanism I used to avoid ARP poisoning... The
best way to see whether something is wrong is to look at the MAC tables in the switches.

The VIP on the passive balancer should not poison the MAC tables. In RedHat
(and friends) it seems the default behaviour for loopback interfaces is to
answer ARP requests on eth0 (i.e. as if a proxy ARP existed between eth0 and
lo). I think I finally used arptables, because /proc/sys/net didn't
work for me (in Debian it works perfectly).
Just try it (arptables, I mean).
Good Luck

BR,
Francisco Gimeno

> Hello Francisco:
> Squid is not supposed to work in transparent mode (i.e. each browser
> should have the VIP assigned to the proxy configured).
> And yes: the port is not really important (we use 8080).
>
> Just talking about "the ARP issue": do you use any ARP filter like
> arptables (arptables_jf)?
> Are there additional warnings that should be considered that (for any
> reason) are not in the HOWTOs?
>
> I think that, perhaps, my problem has to do with this topic (ARP).
> So I tried:
> * net.ipv4.conf.(eth*).arp_ignore = 1
> * net.ipv4.conf.(eth*).arp_announce = 2
> (and then sysctl -p)
>
> I didn't use arptables (as said on UltraMonkey's site), and then
> configured /etc/ha.d/ha.cf and /etc/ha.d/haresources (and authkeys too).
> After starting heartbeat, you can see:
>
> # ipvsadm -L
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  prx:webcache dh persistent 300
>   -> prx01:webcache          Local   100    0          0
>   -> prx02:webcache          Route   100    0          0
> #
>
> You can ping "prx's" IP address, and no MAC address entry is
> displayed when issuing "arp -a" for host "prx", but:
> - you can see prx01's MAC address by issuing "arp -a" at prx02, and
> - you can see prx02's MAC address by issuing "arp -a" at prx01.
>
> (!) I think it's fine (isn't it?).
>
>
> After that, I can see connections (active or inactive) only to one of the
> nodes (mostly prx02), and when you make prx02 "fail", connections are not
> established to prx01 (and this is my problem...)
>
> Thanks again
>
> Regards
>
> Ignacio
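A worked example of the two ways of hiding the VIP on an LVS-DR real server that the thread discusses, plus the check Francisco suggests (look at who actually answers ARP for the VIP). This is added here and is not code from either poster or from the LVS project; the VIP, RIP and interface name are constructed placeholders and the `dr_*` function names are mine. One point the quoted message does not mention: the kernel takes the larger of the `all` and per-interface values for `arp_ignore` and `arp_announce`, so setting only `eth*` works but setting both is the robust form.

```shell
#!/bin/sh
# Added example (not from the thread): hide an LVS-DR VIP on a real server so
# that only the director answers ARP for it. Values below are placeholders.
VIP=${VIP:-192.0.2.10}   # constructed VIP (RFC 5737 documentation range)
RIP=${RIP:-192.0.2.21}   # constructed address of this real server
IFACE=${IFACE:-eth0}

# Method 1: sysctls. The effective arp_ignore / arp_announce is the MAX of
# the "all" entry and the per-interface entry, so emit both.
dr_sysctl_conf() { # dr_sysctl_conf <iface>
  cat <<EOF
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.$1.arp_ignore = 1
net.ipv4.conf.$1.arp_announce = 2
EOF
}

# How the kernel combines "all" with the interface entry for these knobs.
dr_effective() { # dr_effective <all-value> <iface-value>
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Read the live values: succeeds only if this box will NOT answer ARP for a
# VIP configured on lo. Linux only (reads /proc).
dr_check_live() { # dr_check_live <iface>
  base=/proc/sys/net/ipv4/conf
  ign=$(dr_effective "$(cat "$base/all/arp_ignore")" "$(cat "$base/$1/arp_ignore")")
  ann=$(dr_effective "$(cat "$base/all/arp_announce")" "$(cat "$base/$1/arp_announce")")
  [ "$ign" -ge 1 ] && [ "$ann" -eq 2 ]
}

# Method 2: arptables (the recipe the UltraMonkey site describes): drop ARP
# requests for the VIP and rewrite the sender IP of our own ARP to the RIP.
dr_arptables_rules() { # dr_arptables_rules <vip> <rip>
  cat <<EOF
arptables -A INPUT -d $1 -j DROP
arptables -A OUTPUT -s $1 -j mangle --mangle-ip-s $2
EOF
}

# Apply on a real server (needs root). The VIP goes on lo with a /32 so the
# kernel adds no subnet route for it, then one of the two methods is applied.
dr_apply() { # dr_apply <vip> <rip> <iface> sysctl|arptables
  ip addr add "$1/32" dev lo
  case $4 in
    sysctl)    dr_sysctl_conf "$3" | while read -r k _ v; do sysctl -w "$k=$v"; done ;;
    arptables) dr_arptables_rules "$1" "$2" | sh ;;
  esac
}

# Check from a third host on the same segment: arping the VIP and count the
# distinct MACs that reply. More than one means a real server still answers
# ARP for the VIP and will poison switch and neighbour tables.
#   arping -I eth0 -c 5 "$VIP" | dr_distinct_macs     # expect 1
dr_distinct_macs() {
  grep -i 'reply from' \
    | sed -n 's/.*\[\([0-9A-Fa-f:]*\)].*/\1/p' \
    | tr 'A-F' 'a-f' | sort -u | wc -l | tr -d ' '
}

# Example run (no root needed): show what would be applied.
dr_sysctl_conf "$IFACE"
dr_arptables_rules "$VIP" "$RIP"
```

The `dr_distinct_macs` check is the one to run first when connections stop reaching a node after failover: if the VIP answers from two MACs, the problem is ARP and not heartbeat or ipvsadm. If it answers from exactly the director's MAC and prx01 still gets no connections, the ARP side is fine and the fault is elsewhere.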

