Re: [lvs-users] feedback loop

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] feedback loop
From: Mike Ruskai <thannyd@xxxxxxxxxxxxx>
Date: Fri, 03 Feb 2017 22:06:30 -0500
On 2/3/2017 20:40, Zetan Drableg wrote:
> Hi, I have two nodes running ipvs/keepalived and syslog-ng for the load
> balanced service. Both nodes have a single network interface in production,
> but two in my local test kitchen. (eth0 for vagrant, eth1 for the multi
> node comms).
>
> I have discovered a feedback loop between both directors causing 100%
> network utilization. The same packets are being played over and over again
> (verified by packet contents timestamp).
>
> I have read this, but the solution is not clear.
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.localnode.html
>
> When running both the ipvs director and the real server on the same box, do
> I need to use firewall marks and -t mangle based on mac-source of the other
> box?
>

I have not configured such a setup, but according to the page you 
referenced, as well as the basic logic of the situation, you need to 
change your configuration from IP and port to firewall mark.

You want to mark all traffic on the target ports, UNLESS it's coming 
from the other director, as that would allow the loop condition.

Here's an iptables option string from that page:

-t mangle -I PREROUTING -d $VIP -p tcp -m tcp --dport $VPORT -m mac ! --mac-source $MAC_NODE2 -j MARK --set-mark 0x6

Here's something that might work for your syslog-tls service (use the 
correct MAC, of course):

-t mangle -I PREROUTING -d 192.168.11.31 -p tcp --dport 6514 -m mac ! --mac-source aa:bb:cc:dd:ee:ff -j MARK --set-mark 6514

Then instead of this:

! tcp 6514 for syslog-tls
virtual_server 192.168.11.31 6514 {

You'd use this:

! tcp 6514 for syslog-tls
virtual_server fwmark 6514 {

On the other director, you'd do the same thing, with the only difference being 
the exclusion of the first director's MAC address in the firewall mark 
statements.

The firewall mark number is arbitrary, of course. Using the port number just 
makes it easy to keep track of things, unless you end up needing multiple IPs 
on the same port.
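Added example, not code from Mike's reply or from the LVS HOWTO: a small shell helper that emits the fwmark rule described above for one director and audits an iptables-save dump for mangle MARK rules that omit the peer-MAC exclusion, since a rule without it re-marks packets the other director already forwarded and recreates the loop. The VIP and port are the ones from the thread; the MAC and the sample dump are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the per-director
# fwmark rule the reply describes and audits an iptables-save dump for
# MARK rules that lack the peer-MAC exclusion, which is the condition that
# recreates the feedback loop. VIP, port and MACs are constructed placeholders.

VIP=192.168.11.31
VPORT=6514
PEER_MAC=aa:bb:cc:dd:ee:ff   # MAC of the *other* director (placeholder)

# Emit this director's mangle rule. Note '-m mac' before '!': a bare '-m !'
# is not a valid match. Mark == port is only a bookkeeping convention.
mark_rule() {
    printf 'iptables -t mangle -I PREROUTING -d %s -p tcp --dport %s -m mac ! --mac-source %s -j MARK --set-mark %s\n' \
        "$1" "$2" "$3" "$2"
}

# Read iptables-save output on stdin and print every mangle PREROUTING MARK
# rule that does not carry '-m mac ! --mac-source <peer>'. Such a rule marks
# packets the peer director already forwarded, so IPVS balances them again.
# Compared case-insensitively because iptables-save prints MACs in uppercase.
# Returns 1 if any unsafe rule was found, 0 otherwise.
audit_marks() {
    awk -v peer="$1" '
        BEGIN { needle = tolower("-m mac ! --mac-source " peer) }
        /^\*/ { table = substr($0, 2) }
        table == "mangle" && /^-A PREROUTING/ && /-j MARK/ {
            if (index(tolower($0), needle) == 0) { print "unsafe: " $0; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample dump: the 6514 rule excludes the peer, the 514 rule
# forgot to, so the audit has something to flag (0x1972 = 6514, 0x202 = 514).
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.11.31/32 -p tcp -m tcp --dport 6514 -m mac ! --mac-source AA:BB:CC:DD:EE:FF -j MARK --set-xmark 0x1972/0xffffffff
-A PREROUTING -d 192.168.11.31/32 -p tcp -m tcp --dport 514 -j MARK --set-xmark 0x202/0xffffffff
COMMIT
*filter
COMMIT'

mark_rule "$VIP" "$VPORT" "$PEER_MAC"
printf '%s\n' "$SAMPLE_DUMP" | audit_marks "$PEER_MAC" \
    || echo "audit: at least one MARK rule would re-mark the peer's traffic"
```

Run the audit on each director with the other director's MAC; on a live box, feed it `iptables-save` instead of the constructed dump.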

