Re: [lvs-users] LVS-DR UDP healthy check problem

To: linbo liao <llbgurs@xxxxxxxxx>
Subject: Re: [lvs-users] LVS-DR UDP healthy check problem
Cc: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Sun, 11 Dec 2016 10:29:43 +0200 (EET)
        Hello,

On Sun, 11 Dec 2016, linbo liao wrote:

> Thanks Julian.
> 
> One more question about binding 2 sockets. For UDP bound to RIP and VIP, are
> they two different applications? If yes, how to handle an application that
> works on RIP, but fails on VIP?

        It can be a single application which can configure 2
listeners (IP:PORT); as a result, 2 sockets are created that
should be polled for events.

        Not sure why it does not work for VIP, but for the DR method
the real servers should configure the VIP as a local address
on any interface except the one where ARP broadcast probes
for VIP are received. For example, if traffic from the director
is received on eth0 you need to:

1. configure VIP on lo, dummy, etc, even on eth1, if no ARP
        probes for VIP are received there
2. add ARP restrictions for VIP on eth0:

# Do not send ARP replies if someone asks for VIP (any IP
# that is not configured on eth0)
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

# When sending ARP probes on eth0, always prefer the local
# primary address as source for the probed target address.
# By default, kernel can use source address from IP packet
# that triggers the ARP probe which is bad when this is the VIP.
# As a result, do not use VIP as source in ARP probes but the
# IP used to configure the subnet on eth0.
echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce

        Then server applications on the real server
can send replies for VIP without using it in ARP packets.
VIP looks as normal IP, only that we hide it from other
hosts on the LAN because it should be visible only on the
director.

        Someone finds the above settings useful even for
non-IPVS setups because ARP traffic is restricted to
addresses for the specific interface and, as a result, such
isolation is only for good.

Regards

--
Julian Anastasov <ja@xxxxxx>
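
The check below is an added example, not part of the message above or of any LVS tooling: it audits a real server against steps 1 and 2 of the reply. The function names, the VIP 192.0.2.10 and the saved `ip -o -4 addr show` file are assumptions; the check also accounts for the kernel using the maximum of conf/all and conf/IFACE for both sysctls.

```sh
#!/bin/sh
# Added example: audit an LVS-DR real server against steps 1 and 2 of the post.
# On a real server (names are assumptions):
#   ip -o -4 addr show > addrs; check_dr_arp /proc eth0 <VIP> addrs

# Kernel applies max(conf/all/KEY, conf/IFACE/KEY) for arp_ignore/arp_announce.
effective() {  # effective PROC_ROOT IFACE KEY
    a=$(cat "$1/sys/net/ipv4/conf/all/$3" 2>/dev/null) || a=0
    i=$(cat "$1/sys/net/ipv4/conf/$2/$3" 2>/dev/null) || i=0
    a=${a:-0}; i=${i:-0}
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Interfaces that carry VIP, read from saved `ip -o -4 addr show` output.
vip_ifaces() {  # vip_ifaces VIP ADDR_FILE
    awk -v vip="$1" '$3 == "inet" { split($4, p, "/"); if (p[1] == vip) print $2 }' "$2"
}

# Prints one line per finding; returns 0 when the setup matches the post.
check_dr_arp() {  # check_dr_arp PROC_ROOT IFACE VIP ADDR_FILE
    bad=0
    where=$(vip_ifaces "$3" "$4") || where=""
    [ -n "$where" ] || { echo "VIP $3 is not configured on any interface"; bad=1; }
    for dev in $where; do
        [ "$dev" != "$2" ] || { echo "VIP $3 is on $2, where ARP probes arrive"; bad=1; }
    done
    ign=$(effective "$1" "$2" arp_ignore)
    ann=$(effective "$1" "$2" arp_announce)
    [ "$ign" -eq 1 ] || { echo "arp_ignore on $2 is $ign, expected 1"; bad=1; }
    [ "$ann" -eq 2 ] || { echo "arp_announce on $2 is $ann, expected 2"; bad=1; }
    return "$bad"
}

# Constructed sample: fake /proc tree plus address list with VIP 192.0.2.10.
make_sample() {  # make_sample DIR ARP_IGNORE ARP_ANNOUNCE VIP_DEV
    for d in all eth0; do mkdir -p "$1/sys/net/ipv4/conf/$d"; done
    echo 0 > "$1/sys/net/ipv4/conf/all/arp_ignore"
    echo 0 > "$1/sys/net/ipv4/conf/all/arp_announce"
    echo "$2" > "$1/sys/net/ipv4/conf/eth0/arp_ignore"
    echo "$3" > "$1/sys/net/ipv4/conf/eth0/arp_announce"
    {
        echo '1: lo    inet 127.0.0.1/8 scope host lo'
        echo '2: eth0    inet 192.0.2.21/24 brd 192.0.2.255 scope global eth0'
        echo "9: $4    inet 192.0.2.10/32 scope global $4"
    } > "$1/addrs"
}
```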
