Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Linux Virtual Server>
  3. Users
[lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B
tch at virtall
Mar 7, 2014, 2:52 AM
Post #1 of 7 (2373 views)
Permalink
I was wondering if I can use ipvsadm not only for load balancing, but
also for "code testing".

Normal scenario (i.e. what I use right now):

- both servers acting as directors and realservers,
- IP failover for HA,
- least connection scheduling, fwm protocol.


"Code testing" scenario:

- we want client traffic from 1.2.3.4, 2.3.4.5 and 3.4.5.6 go to
server_1,
- all other client traffic hits server_2.


Is it possible with ipvsadm / ldirectord? Any hints appreciated!

--
Tomasz Chmielewski
http://wpkg.org

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B [ In reply to ]
netdev at bof
Mar 7, 2014, 3:15 AM
Post #2 of 7 (2316 views)
Permalink
Hi Tomasz,

2014-03-07 11:52 GMT+01:00 Tomasz Chmielewski <tch@virtall.com>:
> I was wondering if I can use ipvsadm not only for load balancing, but
> also for "code testing".

The key to such usage, is fwmark based LVS virtual hosts. You then use
the iptables -t mangle PREROUTING to set firewall mark depending on
whatever iptables matches you come up with. Additionally ipset might
come in handy here - write one ipset based match setting your "code
testing" fwmark, then add and delete IPs from that set as needed,
maybe even with a nice web frontend for your developers :)

best regards
Patrick

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B [ In reply to ]
tch at virtall
Mar 7, 2014, 3:47 AM
Post #3 of 7 (2320 views)
Permalink
On Fri, 7 Mar 2014 12:15:08 +0100
Patrick Schaaf <netdev@bof.de> wrote:

> Hi Tomasz,
>
> 2014-03-07 11:52 GMT+01:00 Tomasz Chmielewski <tch@virtall.com>:
> > I was wondering if I can use ipvsadm not only for load balancing,
> > but also for "code testing".
>
> The key to such usage, is fwmark based LVS virtual hosts. You then use
> the iptables -t mangle PREROUTING to set firewall mark depending on
> whatever iptables matches you come up with. Additionally ipset might
> come in handy here - write one ipset based match setting your "code
> testing" fwmark, then add and delete IPs from that set as needed,
> maybe even with a nice web frontend for your developers :)

Indeed.

iptables -t mangle -I PREROUTING -s 1.2.3.4 -j ACCEPT

on the realserver does the trick :)

--
Tomasz Chmielewski
http://wpkg.org



_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B [ In reply to ]
wferi at niif
Mar 7, 2014, 3:53 AM
Post #4 of 7 (2312 views)
Permalink
Patrick Schaaf <netdev@bof.de> writes:

> 2014-03-07 11:52 GMT+01:00 Tomasz Chmielewski <tch@virtall.com>:
>
>> I was wondering if I can use ipvsadm not only for load balancing, but
>> also for "code testing".
>
> The key to such usage, is fwmark based LVS virtual hosts. You then use
> the iptables -t mangle PREROUTING to set firewall mark [...]

Just a note: you don't *have to* use the mangle table (though oldish
kernels restrict the MARK target to the mangle table), if you don't want
to base your routing decision on fwmarks. For LVS virtual services, you
don't.
--
Regards,
Feri.

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B [ In reply to ]
u2sashko at gmail
Mar 7, 2014, 9:18 AM
Post #5 of 7 (2310 views)
Permalink
On Fri, Mar 7, 2014 at 3:53 AM, Ferenc Wagner <wferi@niif.hu> wrote:

> Patrick Schaaf <netdev@bof.de> writes:
>
> > 2014-03-07 11:52 GMT+01:00 Tomasz Chmielewski <tch@virtall.com>:
> >
> >> I was wondering if I can use ipvsadm not only for load balancing, but
> >> also for "code testing".
> >
> > The key to such usage, is fwmark based LVS virtual hosts. You then use
> > the iptables -t mangle PREROUTING to set firewall mark [...]
>
> Just a note: you don't *have to* use the mangle table (though oldish
> kernels restrict the MARK target to the mangle table), if you don't want
> to base your routing decision on fwmarks. For LVS virtual services, you
> don't.
> --
> Regards,
> Feri.
>
>
>
I'm confused how this "iptables -t mangle -I PREROUTING -s 1.2.3.4 -j
ACCEPT" sets a mark? Doesn't Tomasz need to set a mark (*-j MARK --set-mark
1)* and then tell ipvsadm to route based on fwmark? i.e.: ipvsadm -A -f 1
-s wrr -p 80 ?

Cheers,
Alex
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B [ In reply to ]
tch at virtall
Mar 7, 2014, 9:26 AM
Post #6 of 7 (2311 views)
Permalink
On Fri, 7 Mar 2014 09:18:48 -0800
Alex Attarian <u2sashko@gmail.com> wrote:

> I'm confused how this "iptables -t mangle -I PREROUTING -s 1.2.3.4 -j
> ACCEPT" sets a mark? Doesn't Tomasz need to set a mark (*-j MARK
> --set-mark 1)* and then tell ipvsadm to route based on fwmark? i.e.:
> ipvsadm -A -f 1 -s wrr -p 80 ?

"iptables -t mangle -I PREROUTING -s 1.2.3.4 -j ACCEPT" doesn't set any
mark, and that's exactly why it works: any rules setting the mark
later on are simply ignored, and requests from 1.2.3.4 hit the
webserver on this director/realserver.

One more thing I had to do was temporarily switching off this
realserver for the ldirectord (by simply setting the testpage/request to
give a bogus answer), but leaving it working otherwise.

This way, all client traffic gets directed to the healthy realserver,
while 1.2.3.4 can test the code on the other (seemingly offline for
ldirectord) realserver.

--
Tomasz Chmielewski
http://wpkg.org

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] "selective balancing" - make requests from 1.2.3.4 go to realserver_A, all others - to realserver_B [ In reply to ]
u2sashko at gmail
Mar 7, 2014, 9:31 AM
Post #7 of 7 (2309 views)
Permalink
On Fri, Mar 7, 2014 at 9:26 AM, Tomasz Chmielewski <tch@virtall.com> wrote:

> On Fri, 7 Mar 2014 09:18:48 -0800
> Alex Attarian <u2sashko@gmail.com> wrote:
>
> > I'm confused how this "iptables -t mangle -I PREROUTING -s 1.2.3.4 -j
> > ACCEPT" sets a mark? Doesn't Tomasz need to set a mark (*-j MARK
> > --set-mark 1)* and then tell ipvsadm to route based on fwmark? i.e.:
> > ipvsadm -A -f 1 -s wrr -p 80 ?
>
> "iptables -t mangle -I PREROUTING -s 1.2.3.4 -j ACCEPT" doesn't set any
> mark, and that's exactly why it works: any rules setting the mark
> later on are simply ignored, and requests from 1.2.3.4 hit the
> webserver on this director/realserver.
>
> One more thing I had to do was temporarily switching off this
> realserver for the ldirectord (by simply setting the testpage/request to
> give a bogus answer), but leaving it working otherwise.
>
> This way, all client traffic gets directed to the healthy realserver,
> while 1.2.3.4 can test the code on the other (seemingly offline for
> ldirectord) realserver.
>
> --
> Tomasz Chmielewski
> http://wpkg.org
>

Sorry I missed the part where your director is also a real server... My
other thought was also fw marks only exist in the kernel of the machine and
never leave the machine, that's why it confused me why you were doing this
also on the real server. Never mind :)
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal