On 12/12/06, Joseph Mack NA3T <jmack@xxxxxxxx> wrote:
On Tue, 12 Dec 2006, Bill Omer wrote:
> Currently I am using LVS-DR with much success. One part I would
> like to build upon is the reals' dependency on iptables using the
> nat table to accept VIP traffic. I would like to find a way to allow
> the reals to accept VIP traffic without any modifications to the
> reals themselves.
>
> I am using the following on all of my reals to access traffic with a DST of
> VIP:
> iptables -t nat -A PREROUTING -d VIP -p tcp --dport 0:65535 -j REDIRECT
This may not be doing what you want. As of the 2.4 kernels
the packet doesn't arrive with IP==VIP anymore. See the
HOWTO for transparent proxy. This is OK for squids but not
for LVS.
I'll check the howto.
> Scenario (assuming wlc):
> A real boots but for some reason, the iptables are not applied.
You want LVS to handle both iptables applied/not applied?
You haven't explained why so I don't know how important this
is. If it's an error situation, then you're better off
fixing the error at its cause, than handling it later. No
machine should be in a state where iptables hasn't been run,
if you told it to run.
*Should* be run, yes, I agree. However I did run into a situation
where this did happen, which is far from the fault of LVS itself,
but it is the reason why I want to find a new solution.
> Now
> mon/keepalived sees the real is now responding again and re-adds the
> server back to the ipvsadm table. Since this real doesn't have any
> active connections, all new connections are routed to this real.
rr helps here. Still the thundering herd problem has to be
handled in user space (until someone writes a fix).
Implementing LVS in this environment was to get around using DNS based
Round Robin, so this would be counter productive.
> Since the iptable rules did not run, now the service the client is
> trying to access is completely unavailable.
>
>
> I am not able to use LVS-NAT in my environment. I would like to find a
> way to have VIP traffic routed to the reals without needing any
> modifications to the reals themselves, much like commercial load
> balancers work.
maybe I don't understand your situation, but unless you
handle the arp problem, traffic will go to the realservers.
Traffic does go to the realservers, but the DST is that of the VIP.
There has to be modifications to the realserver in order for it to
accept that traffic.
> Is LVS-TUN able to do this?
I don't know what "this" is.
I want to find a way for LVS to route traffic to a real server while
the real is operating as a regular, stand alone server, without any
modifications. I don't want to change the default route or add iptables
rules to the real server.
> Would the reals require a tunl0 interface
> as well as the director?
for LVS-Tun, only the realserver requires a tunl0 device
(the director doesn't because traffic is one-way).
Joe
Regards,
-Bill
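The failure mode described in this thread is a real that is re-added to the director before it can actually accept VIP-addressed packets. The following readiness check is an added example, not from the thread or the LVS project: it recognises either the REDIRECT rule quoted above or the LVS HOWTO's loopback-alias configuration (VIP on lo with arp_ignore/arp_announce suppressing ARP replies), and takes its inputs as text so it can run against captured state. The VIP and rule/address samples are constructed.

```shell
#!/bin/sh
# Readiness check for an LVS-DR realserver: confirm the host can accept
# packets whose destination is the VIP before a monitor re-adds it to
# the ipvsadm table. Two configurations are accepted:
#   (a) the nat/PREROUTING REDIRECT rule for the VIP, or
#   (b) the VIP bound locally (e.g. on lo) with ARP replies suppressed
#       (arp_ignore=1, arp_announce=2 on net.ipv4.conf.all).
# State is passed in as text; on a live host feed it iptables-save, ip
# and sysctl output (see the commented call at the bottom).

# Returns 0 if the nat-table dump in $2 holds a REDIRECT rule for VIP $1.
has_redirect_rule() {
    vip="$1"; rules="$2"
    printf '%s\n' "$rules" |
        grep -Eq -e "^-A PREROUTING .*-d ${vip}(/32)? .*-j REDIRECT"
}

# Returns 0 if VIP $1 is present in the `ip -4 addr` dump $2 and the
# ARP sysctls ($3 = arp_ignore, $4 = arp_announce) suppress replies.
has_local_vip_with_arp_suppressed() {
    vip="$1"; addrs="$2"; arp_ignore="$3"; arp_announce="$4"
    printf '%s\n' "$addrs" | grep -Eq -e "inet ${vip}/" || return 1
    [ "$arp_ignore" = 1 ] && [ "$arp_announce" = 2 ]
}

# Prints "ready" or "not-ready" and returns 0 or 1 accordingly.
realserver_ready() {
    vip="$1"; rules="$2"; addrs="$3"; arp_ignore="$4"; arp_announce="$5"
    if has_redirect_rule "$vip" "$rules" ||
       has_local_vip_with_arp_suppressed "$vip" "$addrs" "$arp_ignore" "$arp_announce"
    then
        echo ready; return 0
    fi
    echo not-ready; return 1
}

# Constructed sample state (not captured from any real host).
SAMPLE_VIP=192.0.2.10
SAMPLE_NAT_OK='-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 0:65535 -j REDIRECT'
SAMPLE_NAT_OTHER='-A PREROUTING -d 192.0.2.99/32 -p tcp -m tcp --dport 80 -j REDIRECT'
SAMPLE_ADDRS_VIP='    inet 192.0.2.10/32 scope global lo'
SAMPLE_ADDRS_NONE='    inet 127.0.0.1/8 scope host lo'

# Live usage (hypothetical monitor hook), e.g. from a keepalived MISC_CHECK:
# realserver_ready "$VIP" "$(iptables-save -t nat)" "$(ip -4 addr)" \
#     "$(sysctl -n net.ipv4.conf.all.arp_ignore)" \
#     "$(sysctl -n net.ipv4.conf.all.arp_announce)"
```

Exit status 1 from the check is what a monitor should treat as "do not re-add this real", which closes the window in which a freshly booted real without its rules receives every new connection.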