All, I'm lost. Things have... changed since I last used LVS back in '02/'03. Like someone has re-arranged the furniture and I can't quite figure out what has moved.

I've spent several days reading through the HOW-TO, the mini-HOW-TO, and the configure script perldocs and I can't, for the life of me, figure out a) why my LVS-DR *is* working and b) why I can't connect to 127.0.0.1 on the real servers without specifically allowing connections to lo in iptables.

On the director, the VIP is up and running. On the real servers, it isn't - not on eth0, nor on lo - and yet I _can_ connect from a client to the VIP and I get directed to a real server. Watching tcpdump on the director and the real server I see the packets get redirected on the LVS to the real server and the real server back to the client.

So, here's where it gets weird: if I disable the transparent proxy on the real servers, I can't connect. Joe says this shouldn't work, yet it is. I've also configured arptables according to the HOW-TO, but since the TP is in place, it's probably hard to tell if they are working correctly.

So, the questions I have are these: Why don't I need to bring up the VIP on the real servers? Is this normal? Is this expected? And why can't I connect to 127.0.0.1 on the real server without specifically allowing connections with iptables?

I put the lvs.cf, director and real server iptables, and real server arptables in the following directory for people to peruse and comment on: http://home.fnal.gov/~yocum/lvs-dr-Oct07/

Thanks in advance,
Dan

Dan Yocum wrote:
>
> lists wrote:
>> Joseph Mack NA3T wrote:
>>>> # horm's transparent proxy for LVS
>>>>
>>> doesn't work anymore.
>>>
>> iptables REDIRECT (horm's method) still works on the real servers (not
>> sure it ever did on the LVS host.)
>> It has more latency than the modern 2.6 sysctl way though.
>
> Oh, interesting. arp_announce and arp_ignore. Thanks for the hint.
> Ah, but those are only for physical interfaces and will even affect
> so-called virtual interfaces (i.e., eth0:0).
>
> How much more latency are you talking about? Using horm's method I was
> able to transfer 9.8Gbps through a whole bunch of gridftp servers back
> in '05 and the traffic on the director only increased 100-200kbps.
> Granted, latency != throughput, all the time.
>
> Ah, yes, now I'm starting to remember why horm's wrote the transparent
> proxy stuff: arptables still wasn't available in RH kernels. Now that
> it is, I may look at it. But, I'm rather happy to keep my transparent
> proxy stuff in iptables from days of yore, if it works.
>
> Thanks,
> Dan

--
Dan Yocum
Fermilab 630.840.6509 [EMAIL PROTECTED], http://fermigrid.fnal.gov
Fermilab. Just zeros and ones.

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
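As an added example (not from the thread, Dan's files, or the LVS project), the POSIX shell script below spells out the two real-server setups the message compares: the 2.6 arp_ignore/arp_announce sysctl method, where the VIP is configured on lo, and Horms' iptables REDIRECT method, where the VIP is never configured on the real server at all. It also includes a checker for the sysctl values that runs against a constructed tree shaped like /proc/sys/net/ipv4/conf, so it can be exercised without root. The VIP 192.0.2.10 and the interface name eth0 are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example for the lvs-users thread above (not Dan's or LVS's own code).
# Prints the two real-server configurations being compared and checks the
# ARP sysctls. VIP and interface are constructed placeholders.

VIP="${VIP:-192.0.2.10}"     # constructed placeholder VIP (TEST-NET-1)
IFACE="${IFACE:-eth0}"       # constructed placeholder interface

# "Modern 2.6" method: the VIP lives on lo with a /32 mask so the real
# server accepts packets addressed to it, while arp_ignore=1 and
# arp_announce=2 keep it from answering ARP for, or advertising, the VIP.
# Only the director's MAC is then ever learned for the VIP on the LAN.
dr_sysctl_method() {
  vip=$1; iface=$2
  cat <<EOF
ip addr add $vip/32 dev lo
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.$iface.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
sysctl -w net.ipv4.conf.$iface.arp_announce=2
EOF
}

# Horms' transparent-proxy method: no VIP on the real server. REDIRECT
# rewrites the destination of an arriving packet to the primary address
# of the interface it came in on, and conntrack restores the VIP as the
# source address of the replies. That is why a DR real server can answer
# for the VIP without the VIP being up on eth0 or lo.
dr_redirect_method() {
  vip=$1
  cat <<EOF
iptables -t nat -A PREROUTING -d $vip -p tcp -j REDIRECT
EOF
}

# Check a /proc/sys/net/ipv4/conf-style tree: succeeds (exit 0) only when
# both ARP sysctls on the given interface hold the sysctl-method values.
check_arp_sysctls() {
  dir=$1; iface=$2
  [ "$(cat "$dir/$iface/arp_ignore" 2>/dev/null)" = "1" ] &&
  [ "$(cat "$dir/$iface/arp_announce" 2>/dev/null)" = "2" ]
}

# Constructed sample tree mimicking /proc/sys/net/ipv4/conf, so the
# checker runs offline: eth0 is set up correctly, eth1 is at defaults.
make_sample_conf_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/eth0" "$d/eth1"
  echo 1 > "$d/eth0/arp_ignore";   echo 2 > "$d/eth0/arp_announce"
  echo 0 > "$d/eth1/arp_ignore";   echo 0 > "$d/eth1/arp_announce"
  printf '%s\n' "$d"
}

# Usage: sh lvs-dr-realserver.sh show   (prints both configurations)
if [ "${1:-}" = "show" ]; then
  dr_sysctl_method "$VIP" "$IFACE"
  dr_redirect_method "$VIP"
  t=$(make_sample_conf_tree)
  check_arp_sysctls "$t" eth0 && echo "sample eth0: sysctl method OK"
  check_arp_sysctls "$t" eth1 || echo "sample eth1: not configured for DR"
fi
```

The two functions only print commands rather than applying them, so the script can be reviewed and diffed against a real server's rules before anything is changed; run the printed lines with root privileges on the real server to apply one method or the other. On a live host, point check_arp_sysctls at /proc/sys/net/ipv4/conf instead of the sample tree.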
