[Fedora-directory-users] Multimaster Replication Behind a Load Balancer

Stephen C. Rigler srigler at marathonoil.com
Mon Dec 4 21:00:33 UTC 2006


On Mon, 2006-12-04 at 14:39 -0600, Dave Augustus wrote:
> piranha = LVS I do believe- maybe some management scripts are different.
> I have been using LVS for 5 years now. It works great!

Piranha was the easiest thing for me to grab with YUM.  I tried looking
into the other packages out there and got worried about the amount of
documentation dedicated to 2.2 kernels.

> (Help me understand... I am not an iptables guru but I have done some to
> get done what I needed to)
> 
> your statements:
> -A PREROUTING -d <VIP> -p tcp -m tcp --dport 389 -j REDIRECT
> -A PREROUTING -d <VIP> -p tcp -m tcp --dport 636 -j REDIRECT

Small typo, insert "-t nat" at the beginning of both lines.

> 
> Does this mean?
> -you are assigning an 2 IPs to your LDAP servers, one for loadbalancing
> and one for LDAP server
> -any traffic to the VIP is redirected to the IP that you have told LDAP
> server to use
> 
> Correct?
> 

In my scenario, the real servers are separate from the load balancer.
Only the load balancer is hosting the VIP.  

I borrowed this method from the "HOWTO.direct-routing" that came with
the Piranha docs.  A method that uses arptables was also documented, but
I didn't have much luck with it.

I've pasted what the HOWTO says about iptables below.

-Steve

Setting up the Real Servers, method #2: Use iptables to tell the real
servers to handle the packets.

How it works:
    We use an IP tables rule to create a transparent proxy so that a node
    will service packets sent to the virtual IP address(es), even though
    the virtual IP address does not exist on the system.

Advantages:
  * Simple to configure.
  * Avoids the LVS "ARP problem" entirely.  Because the virtual IP
    address(es) only exist on the active LVS director, there _is_ no ARP
    problem!

Disadvantages:
  * Performance.  There is overhead in forwarding/masquerading every
    packet.
  * Impossible to reuse ports.  For instance, it is not possible to run
    two separate Apache services bound to port 80, because both must
    bind to INADDR_ANY instead of the virtual IP addresses.

(1) BACK UP YOUR IPTABLES CONFIGURATION.

(2) On each real server, run the following for every VIP / port / protocol
    (TCP, UDP) combination intended to be serviced for that real server:

        iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> \
                --dport <port> -j REDIRECT

    This will cause the real servers to process packets destined for the
    VIP which they are handed.

        service iptables save
        chkconfig --level 2345 iptables on

    The second command will cause the system to reload the arptables
    configuration we just made on boot - before the network is started.

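The rule in step (2), as an added example (not the HOWTO's own script and not part of the original message): a small POSIX shell helper that generates the per-VIP/port/protocol REDIRECT rules, refuses anything other than tcp/udp and a valid port so a typo cannot produce an over-broad rule, and after applying each rule verifies it with `iptables -t nat -C`. The VIP 192.0.2.10, the `DRY_RUN` switch and the function names are assumptions; the defaults only print the commands, so nothing is changed until `DRY_RUN=0` is set on a real server.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the original post): generate and
# optionally apply the per-VIP/port/protocol REDIRECT rules described in
# method #2, so that every rule stays pinned to the VIP and to a single port.
# 192.0.2.10 is a constructed sample VIP from the RFC 5737 documentation
# range; replace it with the address the LVS director actually advertises.

VIP="${VIP:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them

# Validate inputs and print one REDIRECT rule in the form the HOWTO uses.
build_redirect_rule() {
    proto="$1"; vip="$2"; port="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf 'iptables -t nat -A PREROUTING -p %s -d %s --dport %s -j REDIRECT\n' \
        "$proto" "$vip" "$port"
}

# Emit one rule per proto:port argument (e.g. tcp:389 tcp:636).
build_redirect_rules() {
    vip="$1"; shift
    for spec in "$@"; do
        proto="${spec%%:*}"; port="${spec#*:}"
        build_redirect_rule "$proto" "$vip" "$port" || return 1
    done
}

# Apply (or just print) the generated rules. After each insert, re-check the
# rule with `iptables -t nat -C` so a silently missing rule is noticed before
# the director starts handing this node traffic for the VIP.
apply_redirect_rules() {
    vip="$1"; shift
    build_redirect_rules "$vip" "$@" | while IFS= read -r rule; do
        if [ "$DRY_RUN" -eq 1 ]; then
            echo "$rule"
        else
            eval "$rule"
            # Rewrite "iptables -t nat -A ..." into "iptables -t nat -C ...";
            # -C exits non-zero when the rule is not present.
            eval "${rule%% -A *} -C ${rule#* -A }" >/dev/null 2>&1 \
                || { echo "rule not present after insert: $rule" >&2; exit 1; }
        fi
    done
}

# The two services discussed in the thread: LDAP (389) and LDAPS (636).
apply_redirect_rules "$VIP" tcp:389 tcp:636
```

Run it once with the default `DRY_RUN=1` to eyeball the rules, then `DRY_RUN=0 VIP=<vip> sh redirect-rules.sh` on each real server followed by the `service iptables save` and `chkconfig` steps from the HOWTO so the rules come back on boot. Keeping the `-d <vip>` match in every rule is the important part: a rule without it would redirect traffic for every destination address the node routes, not just the VIP.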