On Fri, 2008-09-05 at 12:37 -0500, David Dyer-Bennet wrote:
> Maybe I'll understand things well enough when I get this working to deal
> with it. I'm actually a pretty decent technical writer for a software
> engineer. I've thought enough grouchy things about the documentation this
> last month that it makes sense for me to try to get written some of the
> things I've wished existed along the way.
I'm sure we'd be very happy if you'd like to give up some time to
improve things on the documentation front. Although I understand most
(some!) of it, and Joe understands most (all?) of it, this is the one
area I feel things are slightly... well... lacking.
Bear in mind that right now you can count the number of regular
contributors to the LVS project on (rather fewer than) the fingers of
two hands, and most of them are involved in new code for IPv6.
> Tried it. Seems to work like a charm; I can now ping and ssh out from the
> realservers, and incoming requests to the service address still get routed
> through correctly.
Great, that's good to hear.
> If anybody knows some reason this is a bad idea do please mention it
> sooner rather than later though :-) !
See below...
> (Specifically, I did "iptables -t nat -A POSTROUTING -o eth0 -j
> MASQUERADE" on the LVS host; eth0 connects to the corporate LAN, eth1 goes
> to the private LVS lan.)
As long as you aren't masquerading stuff onto the VIP, you're probably
cool. I make a point of not having the VIP doing stuff that isn't VIP
related - if I have a heap of machines behind a NAT setup then I try to
either:
* reserve a single external IP to SNAT realserver-sourced traffic to, or
* reserve a range of IPs and give each realserver a separate SNAT
address.
The first makes your whole pool look like one server *which is not the
VIP* and makes tracking traffic issues on the external side of the LVS
much easier.
The second makes it look like a set of public-reachable servers. In a
hosting or email platform (for example) this means that abuse issues are
way easier to track. I don't believe your environment needs this level
of monitoring or granularity - but if you've got plenty of private
address space available, you might find it useful.
Graeme
|