All,
I'm lost. Things have... changed since I last used LVS back in '02/'03.
Like someone has re-arranged the furniture and I can't quite figure
out what has moved.
I've spent several days reading through the HOW-TO, the mini-HOW-TO,
and the configure script perldocs and I can't, for the life of me,
figure out a) why my LVS-DR *is* working and b) why I can't connect to
127.0.0.1 on the real servers without specifically allowing connections
to lo in iptables.
On the director, the VIP is up and running. On the real servers, it
isn't - not on eth0, nor on lo - and yet I _can_ connect from a client
to the VIP and I get directed to a real server. Watching tcpdump on the
director and the real server I see the packets get redirected on the LVS
to the real server and the real server back to the client.
So, here's where it gets weird: if I disable the transparent proxy on
the real servers, I can't connect. Joe says this shouldn't work, yet it is.
I've also configured arptables according to the HOW-TO, but since the TP
is in place, it's probably hard to tell if they are working correctly.
So, the questions I have are these:
Why don't I need to bring up the VIP on the real servers? Is this
normal? Is this expected?
And why can't I connect to 127.0.0.1 on the real server without
specifically allowing connections with iptables?
I put the lvs.cf, director and real server iptables, and real server
arptables in the following directory for people to peruse and comment on:
http://home.fnal.gov/~yocum/lvs-dr-Oct07/
Thanks in advance,
Dan
Dan Yocum wrote:
>
> lists wrote:
>> Joseph Mack NA3T wrote:
>>>> # horm's transparent proxy for LVS
>>>>
>>> doesn't work anymore.
>>>
>> iptables REDIRECT (horm's method) still works on the real servers (not
>> sure it ever did on the LVS host.)
>> It has more latency than the modern 2.6 sysctl way though.
>
> Oh, interesting. arp_announce and arp_ignore. Thanks for the hint.
> Ah, but those are only for physical interfaces and will even affect
> so-called virtual interfaces (i.e., eth0:0).
>
> How much more latency are you talking about? Using horm's method I was
> able to transfer 9.8Gbps through a whole bunch of gridftp servers back
> in '05 and the traffic on the director only increased 100-200kbps.
> Granted, latency != throughput, all the time.
>
> Ah, yes, now I'm starting to remember why Horms wrote the transparent
> proxy stuff: arptables still wasn't available in RH kernels. Now that
> it is, I may look at it. But, I'm rather happy to keep my transparent
> proxy stuff in iptables from days of yore, if it works.
>
> Thanks,
> Dan
>
>
--
Dan Yocum
Fermilab 630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab. Just zeros and ones.
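The following is an added example, not part of the post above, the LVS HOW-TO, or the configs at the linked URL. It renders, as dry-run text, the two ways a real server in LVS-DR can accept packets addressed to the VIP (the arp_ignore/arp_announce sysctl way with the VIP on lo, and the iptables REDIRECT way the thread calls horm's transparent proxy, which needs no VIP on the real server at all), plus an INPUT chain that includes the loopback rule whose absence produces the "can't connect to 127.0.0.1" symptom. It also includes a small audit over iptables-save output that reports whether loopback would be dropped. The VIP 192.168.1.100, interface eth0, port 80 and the iptables-save samples are all assumed/constructed placeholders; nothing here is taken from the poster's actual configuration.

```shell
#!/bin/sh
# Added example for the LVS-DR thread; not the poster's config nor HOWTO text.
# Everything is emitted as text so it can be read and tested without root;
# on a real server run e.g.:  VIP=10.0.0.5 sh lvs-dr-realserver.sh sysctl | sh
VIP="${VIP:-192.168.1.100}"   # assumed placeholder VIP
IFACE="${IFACE:-eth0}"        # assumed public interface of the real server
PORT="${PORT:-80}"            # assumed service port

# Method 1, the "modern 2.6 sysctl way": bring the VIP up on lo and stop the
# real server from answering ARP for it. arp_ignore=1 replies only when the
# target IP is configured on the interface the request came in on (the VIP is
# on lo, so eth0 stays silent); arp_announce=2 keeps the VIP out of the source
# field of the real server's own ARP requests.
dr_sysctl_method() {
    cat <<EOF
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.${IFACE}.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
sysctl -w net.ipv4.conf.${IFACE}.arp_announce=2
ip addr add ${VIP}/32 dev lo label lo:0
EOF
}

# Method 2, iptables REDIRECT (horm's transparent proxy): the VIP is configured
# nowhere on the real server. Packets that arrive with dst=VIP are rewritten in
# PREROUTING to the primary address of the incoming interface, so a service
# bound to 0.0.0.0:PORT accepts them. Because no interface owns the VIP, the
# real server never answers ARP for it and arptables has nothing to suppress.
dr_redirect_method() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${IFACE} -d ${VIP} -p tcp --dport ${PORT} -j REDIRECT
EOF
}

# INPUT chain for the real server. The "-i lo -j ACCEPT" line is the one that
# answers the 127.0.0.1 question: with policy DROP and no loopback rule, a
# connect() to 127.0.0.1 is dropped by the real server's own firewall.
# The service rule matches under both methods (after REDIRECT the destination
# is a local address on IFACE, under the sysctl method it is the VIP).
realserver_input_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${IFACE} -p tcp --dport ${PORT} -j ACCEPT
EOF
}

# Audit helper: read iptables-save output on stdin and return 0 if loopback
# traffic is allowed into INPUT, 1 if the chain has policy DROP and no
# "-i lo ... -j ACCEPT" rule (the condition described in the post).
loopback_allowed() {
    awk '
        /^:INPUT DROP/                 { drop = 1 }
        /^-A INPUT -i lo .*-j ACCEPT/  { lo = 1 }
        END { if (drop && !lo) exit 1; exit 0 }
    '
}

# Constructed iptables-save samples (not captured from any real host).
BROKEN_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

FIXED_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Render one method's full real-server setup when invoked with an argument.
case "${1:-}" in
    sysctl)   dr_sysctl_method;   realserver_input_rules ;;
    redirect) dr_redirect_method; realserver_input_rules ;;
esac
```

Pick one method per real server, not both: with the VIP on lo and a REDIRECT rule for the same address the packet still lands on the right socket, but the second mechanism is then just an untested rule waiting to confuse the next person reading the config. Run `iptables-save | sh -c '. ./lvs-dr-realserver.sh; loopback_allowed'` on a real server to check the loopback rule is present before debugging anything else on 127.0.0.1.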