Sangeeta -
    I'm really looking forward to seeing the combined examples of
VRRP + ILB.

Here is my wish list (some already mentioned earlier in the email  
exchange):

1) Ability to change health-check properties on the fly (such as  
timeout, count, interval) without having servers marked offline

2) Ability to change rule properties on the fly (although I understand
we would likely lose any connection stickiness that had accrued) so
that the service is down for no appreciable time

3) Additional load balancing algorithm where you can specify weights  
instead of just round-robin (so you could make larger servers take a  
bigger share of traffic)

4) VRRP examples showing failover with a minimal amount of time

It would also be nice if all the ILB state could be replicated to
another server (such as another server that is a VRRP peer), so that
if you had to fail over to another machine all the connection
stickiness could be carried over.  I understand this is probably a
significant amount of work.





On Dec 23, 2009, at 11:28 AM, Sangeeta Misra wrote:

> On 12/22/09 16:51, Bill Hathaway wrote:
>> Sangeeta -
>>   Thank you for your response.  Additional comments in-line.
>>
>> On Dec 22, 2009, at 4:40 PM, Sangeeta Misra wrote:
>>
>>> On 12/22/09 10:23, Bill Hathaway wrote:
>>>> Hi, I have tried using ILB for the last few days and had some  
>>>> comments and questions
>>>>
>>>> Background
>>>> -----------------
>>>> I am using a lab environment that consists of the following  
>>>> machines:
>>>> x4150 - machine running OpenSolaris b129 with ILB ip=10.250.1.51
>>>>
>>>> web1 - web server ip=10.250.1.12  running apache on port 80
>>>> web2 - web server ip=10.250.1.13  running apache on port 80
>>>>
>>>> My current config is:
>>>> create-servergroup prodweb
>>>> add-server -s server=10.250.1.12:80 prodweb
>>>> add-server -s server=10.250.1.13:80 prodweb
>>>> create-healthcheck -n -h hc-test=TCP,hc-timeout=5,hc-count=3,hc-interval=30 webhc
>>>> create-rule -e -i vip=10.250.1.51,port=80,protocol=tcp -m lbalg=roundrobin,type=NAT,proxy-src=10.250.1.51-10.250.1.51 -h hc-name=webhc,hc-port=ANY -t nat-timeout=120 -o servergroup=prodweb prodweb
>>>>
>>>>
>>>> Issues
>>>> ---------
>>>> 1) ilbadm man page wasn't supplied
>>>> I already filed a bug
>>>
>>> The man page will be available in snv_130 (which is not in
>>> OpenSolaris yet). In the meantime, manpage (and examples) are
>>> available at:
>>> http://wikis.sun.com/display/OpenSolarisInfo/Integrated+Load+Balancer
>>>
>>>>
>>>> 2) ilbd is missing needed authorizations
>>>> I already filed a bug
>>> What authorization are you looking for? See
>>> http://wikis.sun.com/display/OpenSolarisInfo/Setting+up+user+authorization+for+ILB+configuration+commands
>>>
>>> on how to get a user to have authorizations to execute config  
>>> commands.
>>> Also make sure you have this line in /etc/user_attr file:
>>>
>>> daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
>>
>> Yes, that daemon line is what I was referring to.  That should be  
>> taken care of by the IPS package and shouldn't need to be handled  
>> manually.
>> I submitted http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6910697
>>
>
> Bill,
> When you upgrade your setup to b_129, the SUNWcsr package should have
> updated the following files:
> /etc/user_attr
> /etc/security/prof_attr
> /etc/security/auth_attr
>
> I am told that there is a bug where updates to SUNWcsr's RBAC *_attr  
> files are not "propagated" to the system when updating to the build.  
> I will make changes to ILB's package to have it  rbac to make the  
> edits instead. So thanks for filing the bug on this.  Current  
> workaround for it is to manually add the lines in the *_attr files  
> as listed in attached txt file.
>>
>> I think it would be more user friendly to have something like:
>> ilbadm: error, the hc-interval must be greater than hc-timeout  
>> times hc-count
>>
> Will file a bug and fix this as well to make the command clearer.  
> Also note that we do have VRRP, and I will soon add notes to :
>
> http://wikis.sun.com/display/OpenSolarisInfo/Integrated+Load+Balancer
>
> on what ILB failover scenarios can be handled by VRRP.
>
> Lastly, please let us know what other features you would like to
> see in ILB in future (including any L7 features and what perf
> requirements need to be met for that). We are planning for Phase II
> delivery and we would like feedback from the Opensource community
> on this.
>
> Sangeeta
> /etc/security/prof_attr
> =======================
> Network ILB:::Manage ILB configuration via ilbadm:auths=solaris.network.ilb.config,solaris.network.ilb.enable;help=RtNetILB.html
> Network IPsec Management:::Manage IPsec and IKE:auths=solaris.smf.manage.ipsec,solaris.smf.value.ipsec;help=RtNetIPsec.html
> Network Link Security:::Manage network link security:auths=solaris.network.link.security;help=RtNetLinkSecure.html
> Network Management:::Manage the host and network configuration:auths=solaris.smf.manage.name-service-cache,solaris.smf.manage.bind,solaris.smf.value.routing,solaris.smf.manage.routing,solaris.smf.value.nwam,solaris.smf.manage.nwam,solaris.smf.manage.tnd,solaris.smf.manage.tnctl,solaris.smf.manage.wpa,solaris.smf.value.mdns,solaris.smf.manage.mdns,solaris.smf.manage.ilb,solaris.admin.dcmgr.clients,solaris.admin.dcmgr.read,solaris.snmp.*,solaris.network.hosts.*;profiles=Network Wifi Management,Inetd Management,Network Autoconf,Network Observability,Network Wifi Info,Network VRRP;help=RtNetMngmnt.html
>
> /etc/security/auth_attr
> =======================
> solaris.network.ilb.config:::Network ILB Configuration::help=NetworkILBconf.html
> solaris.network.ilb.enable:::Network ILB Enable Configuration::help=NetworkILBenable.html
> solaris.smf.manage.ilb:::Manage Integrated Load Balancer Service States::help=SmfILBStates.html
>
> /etc/security/user_attr
> =======================
> daemon::::auths=solaris.smf.manage.ilb,solaris.smf.modify.application
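
A check for the manual workaround described in this thread, as an added example that is not part of the original messages or of ILB itself: it confirms that the RBAC files carry the ILB entries from the attachment, so a missing authorization shows up before ilbd or ilbadm fails on it. The function names `attr_values` and `check_ilb_rbac` and the optional alternate-root argument are hypothetical; it assumes one entry per line and reads `user_attr` from `/etc/user_attr`, the path given in the body of the reply.

```sh
#!/bin/sh
# Added example (not from the thread): audit the RBAC files for the ILB
# entries listed in the attachment. Assumes one entry per line.

# Print, one per line, the comma-separated values of key $3 for entry $2 in
# attr file $1. Fields are ':'-separated; the last field is "key=v1,v2;key=...".
attr_values() {
    awk -F: -v name="$2" -v key="$3" '
        /^#/ || $1 != name { next }
        {
            n = split($NF, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) {
                    m = split(substr(kv[i], length(key) + 2), v, ",")
                    for (j = 1; j <= m; j++) print v[j]
                }
        }' "$1" 2>/dev/null
}

# Usage: check_ilb_rbac [ROOT]   (ROOT is an optional alternate root directory)
# Prints "MISSING file:entry:authorization" per gap; returns 0 when complete.
check_ilb_rbac() {
    root="${1:-}"
    missing=""

    # daemon must hold both authorizations quoted in the thread.
    have=$(attr_values "$root/etc/user_attr" daemon auths)
    for a in solaris.smf.manage.ilb solaris.smf.modify.application; do
        echo "$have" | grep -Fqx "$a" || missing="$missing user_attr:daemon:$a"
    done

    # The "Network ILB" profile must grant the ILB configuration authorizations.
    have=$(attr_values "$root/etc/security/prof_attr" "Network ILB" auths)
    for a in solaris.network.ilb.config solaris.network.ilb.enable; do
        echo "$have" | grep -Fqx "$a" || missing="$missing prof_attr:Network_ILB:$a"
    done

    # Every ILB authorization must also be defined in auth_attr.
    defined=$(cut -d: -f1 "$root/etc/security/auth_attr" 2>/dev/null)
    for a in solaris.network.ilb.config solaris.network.ilb.enable \
             solaris.smf.manage.ilb; do
        echo "$defined" | grep -Fqx "$a" || missing="$missing auth_attr:definition:$a"
    done

    for m in $missing; do echo "MISSING $m"; done
    [ -z "$missing" ]
}
```

Run `check_ilb_rbac` with no argument on the live system, or pass the mount point of an alternate boot environment to check it before activating it.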
