Hi Jerome,

Do you have any good reason to set up an active/active "cluster"?

Crossed VIPs hosted by VRRP is recommended for a "simple" active/active setup, then, as you mentioned, playing with DNS RR.
conntrack is a bad idea with haproxy ;)

If you expect massive traffic, it's better to use a first layer of Layer 4 LoadBalancers using LVS or some routing protocols (or Cisco ECMP).

Baptiste

On Tue, Mar 19, 2013 at 12:39 AM, Jérôme Benoit <[email protected]> wrote:
> Hello,
>
> I'm starting to think about a way to set up an active/active HAProxy.
>
> HAProxy can share as of 1.5 its connection table, which is really an
> appreciated feature :)
>
> I've thought of different ways to implement such a setup:
>
> * RR DNS on two VRRP interfaces (BP is really shared between boxes),
>   conntrackd permits to also share TCP states between boxes that will
>   also run iptables. I see no trivial race condition in this setup
>   between in and out network stateful protocol.
> * cluster iptables module to load balance between the 2 HAProxy boxes on
>   the VIP and conntrackd. This setup exhibits two main problems:
>   - network load is not really shared between the boxes, it's the
>     intended behaviour of the setup;
>   - HA is not really the primary goal of the iptables cluster module
>     by default, some kind of script should be made or a really big
>     hammer like pacemaker must be used to handle HAProxy or box
>     failure (not really a big pb);
>   - a race condition might be triggered (depending on the cluster
>     module configuration, with ARP and ARP cache, that might happen
>     under very high load but I expect very high load). But the
>     configuration that will trigger the race condition is unlikely to
>     happen, I can't use load balancing at the layer 2 level.
>   CARP with load balancing on *BSD and pfsync exhibit the same issue on
>   network load: packets go to the two boxes, which is not really what I
>   want.
>
> You might ask why I want this kind of setup: it's because of the
> network load on the LB tier and I can't change the network topology or
> network element setup, and the backend
> application network protocols are not stateless at all (but hopefully not
> opening very long TCP sessions).
>
> For now, the RR DNS solution with VRRP sounds the best, but maybe I missed
> some other tricks that may be available on the OS network layer (I even thought to
> play with VIP timer announcement at layer 2, might work but very
> hackish without a hand on the switch).
>
> Has anyone already tried to put HAProxy in active/active mode (with
> firewalling)?
>
> Cheers.
>
> --
> Jérôme Benoit aka fraggle
> La Météo du Net - http://grenouille.com
> OpenPGP Key ID : 9FE9161D
> Key fingerprint : 9CA4 0249 AF57 A35B 34B3 AC15 FAA0 CB50 9FE9 161D
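As an added illustration (not part of this thread), the crossed-VIP VRRP setup Baptiste recommends can be expressed as a keepalived configuration for one of the two HAProxy boxes; the interface name, VRIDs, addresses and password below are assumed placeholder values, and the second box uses the same file with the two priorities swapped.

```conf
# keepalived.conf on box A (assumed values; box B swaps the two priorities)
# Each box is MASTER for one VIP and BACKUP for the other, so both serve
# traffic, and a VIP moves to the peer only when its owner or haproxy fails.
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"   # exits 0 while haproxy is running
    interval 2
    weight -60                             # 150 - 60 = 90 < 100: peer takes over
}

vrrp_instance VIP_1 {
    state MASTER
    interface eth0                         # assumed interface name
    virtual_router_id 51                   # assumed VRID, must match on box B
    priority 150                           # box B uses 100 here
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME                # placeholder, shared by both boxes
    }
    virtual_ipaddress {
        192.0.2.10/24                      # VIP 1 (documentation range)
    }
    track_script {
        chk_haproxy
    }
}

vrrp_instance VIP_2 {
    state BACKUP
    interface eth0
    virtual_router_id 52                   # assumed VRID, must match on box B
    priority 100                           # box B uses 150 here
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME                # placeholder, shared by both boxes
    }
    virtual_ipaddress {
        192.0.2.11/24                      # VIP 2 (documentation range)
    }
    track_script {
        chk_haproxy
    }
}
```

Both VIPs are then published in the DNS round-robin record, so each box carries roughly half the sessions until one of them fails and its VIP moves to the peer.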

