Re: [lvs-users] How to make NAT lvs work

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] How to make NAT lvs work
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Fri, 15 Jun 2007 07:33:21 +0000
On Thu, 2007-06-14 at 23:27 -0700, Rob wrote:
> <off-topic rant>

Well, it isn't off-topic. But it is a rant! Don't take my reply the
wrong way - I'm just going to show how easy NAT is if you do it right.

> But why? I don't know what it is but it seems like many people make life
> harder for themselves, create more config work and make their LVS setup
> higher load by using NAT rather than DR. In an open hosting env where you
> can't control routing, I can see it. But if it is a 10.* set up why not DR?

Because, in the immortal words of the first chapter of the O'Reilly Perl
book, TMTOWTDI. DR, TUN and NAT all have their places.

> It is basically 4 steps:

> 1) Add an alias to the director:

NAT: likewise.

> # ifconfig eth0:1 10.128.1.70 netmask 255.255.255.0
> 
> 2) Add the VIP to the real servers:
> 
> # ifconfig lo:1 10.128.1.70 netmask 255.255.255.255

NAT: not necessary.

> 3) Do some arp voodoo (this part I am never sure what is the "right" thing
> for 2.6.20+ kernels... not sure if Debian is near this for kernel version
> either.)

NAT: not necessary.

> 4) Add the VIP/Reals to the running ipvs config:
> 
> ipvsadm -A -t 10.128.1.70:80 -s wlc
> ipvsadm -a -t 10.128.1.70:80 -r 10.128.1.67:80 -g
> ipvsadm -a -t 10.128.1.70:80 -r 10.128.1.61:80 -g

NAT: likewise, with the right forwarding method (-m instead of -g)

> 5) [Optional] Download ipvsman http://sourceforge.net/projects/ipvsman/
>     to make life dreamy.

You can if you want, this isn't strictly necessary.

> Sorry to be a broken record (and sorry if this doesn't apply to your
> situation), but I think that people are missing out on the ease of
> deployment, beauty, elegance, speed and low resource usage of ipvs that
> beats everything except http://www.resonate.com/ Central Dispatch (which is
> a very nicely crafted ipvs-type system for Solaris and other platforms)
> because they skip over DR and go straight to NAT and start changing routing
> and forwarding and firewall marks and iptables, etc.

But, strictly speaking, you don't. You need a prepared network (which
you need with DR), you need to understand at the very least the basic
concepts of the forwarding method (which you need with DR), and you need
to make sure your realservers have their default gateway set to be that
of the "internal" interface of the director.

In basic form, you don't need iptables, firewall marks, or routing
tricks. And you don't need to do "arp voodoo" either.

In recent weeks we've seen a number of posters misunderstand the basic
principle of NAT by setting up one-network LVS-NAT systems without
realising. One-network NAT *does* need some "tricks" - well, slightly
more complex setup details - to make it work, otherwise the three-way
handshake never completes.

It's just as easy to screw up LVS-DR.

The important thing is to understand what it is you're (not you,
clearly!) trying to do. Without that understanding, DR, TUN and NAT are
all equally complex. With it, they're all equally easy!

Graeme


> The only thing that I think some people need that DR can't do, is change
> ports - I do this on the firewall for external clients and with port
> forwarding for internal clients.
> 
> BTW, if machine count is an issue, we have high usage sites that run with the 
> directors on Xen domUs (and others with the directors on dom0s).
> 
> </off-topic rant>
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users



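Editor's added example, not code posted by Rob or Graeme and not from the LVS project: the LVS-NAT counterpart of the four DR steps quoted above, showing the two things Graeme says NAT actually needs (the -m forwarding method on the director and a default gateway on each realserver pointing at the director's inside interface) plus a check for the one-network NAT mistake he mentions. Every address is an assumption: VIP 10.128.1.70/24 on the director's outside interface, director inside address 192.168.10.1, realservers 192.168.10.67 and 192.168.10.61 on that inside subnet. With DRY_RUN=1 the commands are printed rather than executed.

```shell
#!/bin/sh
# LVS-NAT director/realserver setup plus sanity checks. Added example; all
# addresses below are assumptions, not taken from the thread.
VIP=${VIP:-10.128.1.70}
VIP_PREFIX=${VIP_PREFIX:-24}
DIR_IN=${DIR_IN:-192.168.10.1}                         # director inside address
RS_LIST=${RS_LIST:-"192.168.10.67 192.168.10.61"}      # realservers on the inside subnet

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Director: forwarding on, VIP alias up, one service, realservers added
# with -m (masquerading/NAT) where the DR setup used -g.
lvs_nat_director() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add "$VIP/$VIP_PREFIX" dev eth0 label eth0:1
    run ipvsadm -A -t "$VIP:80" -s wlc
    for rs in $RS_LIST; do
        run ipvsadm -a -t "$VIP:80" -r "$rs:80" -m
    done
}

# Realserver: no VIP on lo and no arp sysctls. The only NAT-specific step
# is the default route, so replies go back through the director to be
# un-NATed before they reach the client.
lvs_nat_realserver() {
    run ip route replace default via "$DIR_IN"
}

# Given the output of `ip route show default` on a realserver, confirm the
# gateway is the director's inside address ($2). Returns 0 on match.
check_rs_gateway() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }')
    [ "$gw" = "$2" ]
}

# Dotted quad -> 32-bit integer (shell arithmetic only, no external tools).
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 if $1 and $2 are in the same /$3 network.
same_subnet() {
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# One-network NAT check: a realserver sitting on the VIP's own subnet
# answers clients on that subnet directly instead of via the director, so
# the SYN/ACK is never un-NATed and the handshake never completes. Returns
# 1 and names the offending realserver(s) on stderr in that case.
check_two_network_nat() {
    bad=0
    for rs in $RS_LIST; do
        if same_subnet "$VIP" "$rs" "$VIP_PREFIX"; then
            echo "WARNING: realserver $rs is on the VIP subnet $VIP/$VIP_PREFIX (one-network NAT)" >&2
            bad=1
        fi
    done
    return $bad
}
```

Run `DRY_RUN=1 sh -c '. ./lvs-nat.sh; check_two_network_nat && lvs_nat_director'` on the director to see the command list before committing to it; on each realserver, `check_rs_gateway "$(ip route show default)" 192.168.10.1` is the one thing worth verifying after `lvs_nat_realserver`.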