Mailing List Archive

[lvs-users] LVS-DR UDP healthy check problem
Hi,

I want to set up an LVS-DR cluster using keepalived. It will load UDP
packets to the real servers. Referring to
http://kb.linuxvirtualserver.org/wiki/UDP_service_binding_issue_in_LVS/DR_and_LVS/TUN,
the UDP service on a real server should be bound to the VIP, not to any
address (0.0.0.0).

If the UDP service can't bind to any address on the real server, how does
Keepalived do the health check?

Thanks,
Linbo
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
Re: [lvs-users] LVS-DR UDP healthy check problem
Hello,

On Sat, 10 Dec 2016, linbo liao wrote:

> Hi,
>
> I want to setup an LVS-DR cluster using keepalived. It will load UDP
> packet to real server. Refer to
> http://kb.linuxvirtualserver.org/wiki/UDP_service_binding_issue_in_LVS/DR_and_LVS/TUN,
> UDP service in Real Server should be bind to VIP, but not to any
> address(0.0.0.0).
>
> If UDP service can't bind to any address in Real server, how Keepalived to
> do healthy check?

UDP application server can set the local address for
outgoing packets by using cmsg SOL_IP/IP_PKTINFO (ipi_spec_dst).
The used local address can be copied from the received request.
As a result, binding to 0.0.0.0 should be possible. In any case,
listening to 0.0.0.0 and replying with correct local
address is a common problem for UDP servers and not
related to the fact that VIP is also configured on the
real server. If the UDP server does not use cmsg IP_PKTINFO
then the other solution is to bind 2 sockets, one to VIP
and another to RIP.

Regards

--
Julian Anastasov <ja@ssi.bg>
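
The approach described in the reply above (bind to 0.0.0.0, read the request's destination address from the IP_PKTINFO control message, and send the reply with that address in ipi_spec_dst), as an added example that is not part of the original thread. The function names and the loopback self-test, where 127.0.0.2 stands in for the VIP, are assumptions of this example.

```c
#define _GNU_SOURCE /* struct in_pktinfo, SOL_IP */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

int open_any(uint16_t port) { /* UDP socket on 0.0.0.0:port, IP_PKTINFO on */
    int s = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (setsockopt(s, SOL_IP, IP_PKTINFO, &on, sizeof on) < 0 ||
        bind(s, (struct sockaddr *)&a, sizeof a) < 0) { close(s); return -1; }
    return s;
}

/* Echo one datagram, replying from the address the request was sent to.
 * Assumes a unicast destination. Returns 0 on success, -1 on error. */
int echo_once(int s) {
    char data[1500];
    union { char buf[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct cmsghdr a; } c;
    struct sockaddr_in peer;
    struct iovec iov = { data, sizeof data };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
        .msg_iovlen = 1, .msg_control = c.buf, .msg_controllen = sizeof c.buf };
    struct in_pktinfo *pi = NULL;
    ssize_t n = recvmsg(s, &m, 0);
    if (n < 0) return -1;
    for (struct cmsghdr *h = CMSG_FIRSTHDR(&m); h; h = CMSG_NXTHDR(&m, h))
        if (h->cmsg_level == SOL_IP && h->cmsg_type == IP_PKTINFO)
            pi = (struct in_pktinfo *)CMSG_DATA(h);
    if (!pi) return -1;
    pi->ipi_spec_dst = pi->ipi_addr;  /* request's destination -> reply's source */
    pi->ipi_ifindex = 0;              /* let routing pick the outgoing device */
    iov.iov_len = (size_t)n;
    return sendmsg(s, &m, 0) == n ? 0 : -1;  /* m still holds peer + cmsg */
}

/* Loopback self-test: 1 if a request sent to dst is answered from dst. */
int reply_comes_from(const char *dst) {
    struct sockaddr_in to = { .sin_family = AF_INET }, from = { 0 };
    socklen_t len = sizeof to, flen = sizeof from;
    char b[8];
    int srv = open_any(0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    int ok = srv >= 0 && cli >= 0 && !getsockname(srv, (struct sockaddr *)&to, &len) &&
        inet_pton(AF_INET, dst, &to.sin_addr) == 1 &&
        sendto(cli, "ping", 4, 0, (struct sockaddr *)&to, sizeof to) == 4 && !echo_once(srv) &&
        recvfrom(cli, b, sizeof b, 0, (struct sockaddr *)&from, &flen) == 4 &&
        from.sin_addr.s_addr == to.sin_addr.s_addr;
    close(srv); close(cli);
    return ok;
}
/* 127.0.0.2 is a constructed stand-in for the VIP. */
int main(void) { return reply_comes_from("127.0.0.2") ? 0 : 1; }
```

Without the ipi_spec_dst assignment the kernel chooses the reply's source address by routing, so a request sent to 127.0.0.2 here would be answered from 127.0.0.1.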

Re: [lvs-users] LVS-DR UDP healthy check problem
Thanks Julian.

One more question about binding 2 sockets. For UDP bound to RIP and VIP, are they
two different applications? If yes, how to handle the case where the application
works on RIP but fails on VIP?

2016-12-10 23:34 GMT+08:00 Julian Anastasov <ja@ssi.bg>:

>
> Hello,
>
> On Sat, 10 Dec 2016, linbo liao wrote:
>
> > Hi,
> >
> > I want to setup an LVS-DR cluster using keepalived. It will load UDP
> > packet to real server. Refer to
> > http://kb.linuxvirtualserver.org/wiki/UDP_service_binding_issue_in_LVS/DR_and_LVS/TUN,
> > UDP service in Real Server should be bind to VIP, but not to any
> > address(0.0.0.0).
> >
> > If UDP service can't bind to any address in Real server, how Keepalived to
> > do healthy check?
>
> UDP application server can set the local address for
> outgoing packets by using cmsg SOL_IP/IP_PKTINFO (ipi_spec_dst).
> The used local address can be copied from the received request.
> As result, binding to 0.0.0.0 should be possible. In any case,
> listening to 0.0.0.0 and replying with correct local
> address is a common problem for UDP servers and not
> related to the fact that VIP is also configured on the
> real server. If the UDP server does not use cmsg IP_PKTINFO
> then the other solution is to bind 2 sockets, one to VIP
> and another to RIP.
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
Re: [lvs-users] LVS-DR UDP healthy check problem
Hello,

On Sun, 11 Dec 2016, linbo liao wrote:

> Thanks Julian.
>
> One more question about bind 2 sockets. For UDP bind RIP and VIP, are they
> two different application? If yes, how to handle application works on RIP,
> but failed on VIP?

It can be a single application which can configure 2
listeners (IP:PORT); as a result, 2 sockets are created that
should be polled for events.

Not sure why it does not work for VIP but for DR method
the real servers should configure the VIP as local address
on any interface except the one where ARP broadcast probes
for VIP are received. For example, if traffic from director
is received on eth0 you need to:

1. configure VIP on lo, dummy, etc, even on eth1, if no ARP
probes for VIP are received there
2. add ARP restrictions for VIP on eth0:

# Do not send ARP replies if someone asks for VIP (any IP
# that is not configured on eth0)
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

# When sending ARP probes on eth0, always prefer the local
# primary address as source for the probed target address.
# By default, kernel can use source address from IP packet
# that triggers the ARP probe which is bad when this is the VIP.
# As a result, do not use VIP as source in ARP probes but the
# IP used to configure the subnet on eth0.
echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce

Then server applications on the real server
can send replies for VIP without using it in ARP packets.
VIP looks as normal IP, only that we hide it from other
hosts on the LAN because it should be visible only on the
director.

Someone finds the above settings useful even for
non-IPVS setups because ARP traffic is restricted to
addresses for the specific interface and as a result, such
isolation is only for good.

Regards

--
Julian Anastasov <ja@ssi.bg>
