[Fedora-directory-users] Multimaster Replication Behind a Load Balancer
Stephen C. Rigler
srigler at marathonoil.com
Mon Dec 4 21:00:33 UTC 2006
On Mon, 2006-12-04 at 14:39 -0600, Dave Augustus wrote:
> piranha = LVS I do believe- maybe some management scripts are different.
> I have been using LVS for 5 years now. It works great!
Piranha was the easiest thing for me to grab with YUM. I tried looking
into the other packages out there and got worried about the amount of
documentation dedicated to 2.2 kernels.
> (Help me understand... I am not an iptables guru but I have done some to
> get done what I needed to)
>
> your statements:
> -A PREROUTING -d <VIP> -p tcp -m tcp --dport 389 -j REDIRECT
> -A PREROUTING -d <VIP> -p tcp -m tcp --dport 636 -j REDIRECT
Small typo, insert "-t nat" at the beginning of both lines.
>
> Does this mean?
> -you are assigning an 2 IPs to your LDAP servers, one for loadbalancing
> and one for LDAP server
> -any traffic to the VIP is redirected to the IP that you have told LDAP
> server to use
>
> Correct?
>
In my scenario, the real servers are separate from the load balancer.
Only the load balancer is hosting the VIP.
I borrowed this method from the "HOWTO.direct-routing" that came with
the Piranha docs. A method that uses arptables was also documented, but
I didn't have much luck with it.
I've pasted what the HOWTO says about iptables below.
-Steve
Setting up the Real Servers, method #2: Use iptables to tell the real servers to handle the packets.
How it works:
We use an IP tables rule to create a transparent proxy so that a node
will service packets sent to the virtual IP address(es), even though
the virtual IP address does not exist on the system.
Advantages:
* Simple to configure.
* Avoids the LVS "ARP problem" entirely. Because the virtual IP
address(es) only exist on the active LVS director, there _is_ no ARP
problem!
Disadvantages:
* Performance. There is overhead in forwarding/masquerading every
packet.
* Impossible to reuse ports. For instance, it is not possible to run
two separate Apache services bound to port 80, because both must
bind to INADDR_ANY instead of the virtual IP addresses.
(1) BACK UP YOUR IPTABLES CONFIGURATION.
(2) On each real server, run the following for every VIP / port / protocol
(TCP, UDP) combination intended to be serviced for that real server:
iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> --dport <port> -j REDIRECT
This will cause the real servers to process packets destined for the
VIP which they are handed.
service iptables save
chkconfig --level 2345 iptables on
The second command will cause the system to reload the arptables
configuration we just made on boot - before the network is started.
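As an added example, not part of the HOWTO or of Steve's message: a small script that generates the step (2) REDIRECT rules for the LDAP ports (389 and 636) on a real server and, when run with APPLY=1, adds them only if they are not already present. The VIP is a constructed placeholder, and the idempotent path assumes an iptables that supports the -C (check) option.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the original post): emit the per-real-server
# REDIRECT rules from step (2) for every VIP/port combination of one protocol.
# Assumptions: VIP below is a constructed placeholder; APPLY=1 actually runs iptables.

# ldap_redirect_rules VIP PROTO PORT...  -> prints one iptables command per port
ldap_redirect_rules() {
    vip=$1; proto=$2; shift 2
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    for port in "$@"; do
        printf 'iptables -t nat -A PREROUTING -p %s -d %s --dport %s -j REDIRECT\n' \
            "$proto" "$vip" "$port"
    done
}

# apply_redirect_rules VIP PROTO PORT...  -> adds each rule only if it is missing.
# iptables -C exits 0 when an identical rule already exists, so re-running this
# after a reboot or a second invocation does not duplicate rules in PREROUTING.
apply_redirect_rules() {
    vip=$1; proto=$2; shift 2
    for port in "$@"; do
        if ! iptables -t nat -C PREROUTING -p "$proto" -d "$vip" \
                --dport "$port" -j REDIRECT 2>/dev/null; then
            iptables -t nat -A PREROUTING -p "$proto" -d "$vip" \
                --dport "$port" -j REDIRECT || return 1
        fi
    done
}

VIP=192.0.2.10   # constructed placeholder; use the VIP hosted on the LVS director
if [ "${APPLY:-0}" = 1 ]; then
    # Persist the result the same way the HOWTO does, so it survives a reboot.
    apply_redirect_rules "$VIP" tcp 389 636 && service iptables save
else
    # Dry run: just show the rules that would be added.
    ldap_redirect_rules "$VIP" tcp 389 636
fi
```

After applying, `iptables -t nat -L PREROUTING -n` should list one REDIRECT entry per port, each with the VIP as its destination.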