Mailing List Archive

some info for DH and SH schedulers (fwd)
---------- Forwarded message ----------
Date: Fri, 16 Feb 2001 00:14:33 +0800 (CST)
From: Wensong Zhang <wensong@gnuchina.org>
To: lvs-users@LinuxVirtualServer.org
Subject: some info for DH and SH schedulers



Hi,

Please see "man ipvsadm" for short description of DH and SH
schedulers. I think some examples to use those two schedulers.

Example1: cache cluster shared by several load balancers.

            Internet
                |
                |------cache array
                |
  |-----------------------------
  |                            |
  DH                           DH
  |                            |
Access                       Access
Network1                    Network2

The DH scheduler can keep the two load balancers redirect requests
destined for the same IP address to the same cache server. If the server
is dead or overloaded, the load balancer can use cache_bypass feature to
send requests to the original server directly. (Make sure that the cache
servers are added in the two load balancers in the same order)

Note that the DH development is inspired by the consistent hashing
scheduler patch from Thomas Proell <proellt@gmx.de>


Example2: Firewall Load Balancing

                    |-- FW1 --|
Internet ----- SH --|         |-- DH -- Protected Network
                    |-- FW2 --|

Make sure that the firewall boxes are added in the load balancers in the
same order. Then, request packets of a session are sent to a firewall,
e.g. FW1, the DH can forward the response packets from protected network
to the FW1 too. However, I don't have enough hardware to test this setup
myself. Please let me know if any of you make it work for you. :)

Cheers,

Wensong
Re: some info for DH and SH schedulers (fwd)
hi!

--On Friday, February 16, 2001 09:21:29 AM +0800 Wensong Zhang
<wensong@gnuchina.org> wrote:


> Example2: Firewall Load Balancing
>
>                     |-- FW1 --|
> Internet ----- SH --|         |-- DH -- Protected Network
>                     |-- FW2 --|
>
> Make sure that the firewall boxes are added in the load balancers in the
> same order. Then, request packets of a session are sent to a firewall,
> e.g. FW1, the DH can forward the response packets from protected network
> to the FW1 too. However, I don't have enough hardware to test this setup
> myself. Please let me know if any of you make it work for you. :)

that really sounds interesting to me ... :))

but i guess that this setup will only work if the firewalls are really
transparent for the network traffic, i.e. both load balancers do see the
same addresses in the packets so the hash calculation based on the source ip
and destination ip will lead to the same result (=firewall box to use).

if the firewall devices aren't that transparent (consider tunneled traffic
as an option) you won't get the same src/dst addresses on the load
balancers. the SH load balancer would see the src/dst from the tunnel
traffic and the DH load balancer the encapsulated addresses
(the tunnel endpoint is on the firewall boxes). hence the hash calculation
may lead to different results what would be very bad indeed ...
if in addition we have to deal with encrypted tunnel traffic (what happens
to be the case with IPSEC for example) we even don't have a chance to look
into the tunnel packets to look up the encapsulated src/dst addresses.

any ideas on how to handle that?


best regards,
-- matt.


>
> Cheers,
>
> Wensong
Re: some info for DH and SH schedulers (fwd)
Matthias Weidle wrote:

> that really sounds interesting to me ... :))

the netfilter in 2.4 allows filtering on source MAC address I notice.
You might be able to couple this to writing a fwmark rule.

Joe

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
Re: some info for DH and SH schedulers (fwd)
>
> Please see "man ipvsadm" for short description of DH and SH
> schedulers. I think some examples to use those two schedulers.


Is this going to be in the 2.2.x series too, or should I forget about
it for 2.2.x?

Joe

--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@epa.gov ph# 919-541-0007, RTP, NC, USA
Re: some info for DH and SH schedulers (fwd)
On Fri, 16 Feb 2001, Joseph Mack wrote:

>
> Is this going to be in the 2.2.x series too, or should I forget about
> it for 2.2.x?
>

I am afraid that it will not, because the cache_bypass feature isn't
available in ipvs for 2.2.x and I want to keep the 2.2.x series stable
and not to change it too much.

Wensong
Re: some info for DH and SH schedulers (fwd)
On Fri, 16 Feb 2001, Matthias Weidle wrote:

>
> > Example2: Firewall Load Balancing
> >
> >                     |-- FW1 --|
> > Internet ----- SH --|         |-- DH -- Protected Network
> >                     |-- FW2 --|
> >
> > Make sure that the firewall boxes are added in the load balancers in the
> > same order. Then, request packets of a session are sent to a firewall,
> > e.g. FW1, the DH can forward the response packets from protected network
> > to the FW1 too. However, I don't have enough hardware to test this setup
> > myself. Please let me know if any of you make it work for you. :)
>
> that really sounds interesting to me ... :))
>
> but i guess that this setup will only work if the firewalls are really
> transparent for the network traffic, i.e. both load balancers do see the
> same addresses in the packets so the hash calculation based on the source ip
> and destination ip will lead to the same result (=firewall box to use).
>

Yeah, you are right. Packets for a connection session must go to the
same firewall box.

> if the firewall devices aren't that transparent (consider tunneled traffic
> as an option) you won't get the same src/dst addresses on the load
> balancers. the SH load balancer would see the src/dst from the tunnel
> traffic and the DH load balancer the encapsulated addresses
> (the tunnel endpoint is on the firewall boxes). hence the hash calculation
> may lead to different results what would be very bad indeed ...
> if in addition we have to deal with encrypted tunnel traffic (what happens
> to be the case with IPSEC for example) we even don't have a chance to look
> into the tunnel packets to look up the encapsulated src/dst addresses.
>

In your example, you want to access a virtual host from the protected
network, the actual host is somewhere in the Internet. So, the
destination address of outgoing packet is changed, and the above
out-SH-FW-DH-in setup is broken. If the source address of outgoing
packet is not changed, the out-DH-FW-SH-in might work. I am not sure on
this.

Regards,

Wensong
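
An added illustration, not part of the thread and not IPVS code: a simplified Python model of table-based source and destination hashing that checks the SH/firewall/DH setup discussed above for sessions whose reply would cross a different firewall than the request. The hash function, table size, the helper names and all addresses are assumptions constructed for this example.

```python
import ipaddress

TAB_SIZE = 256          # assumed bucket count for this model
GOLDEN = 2654435761     # assumed multiplicative hash constant

def build_table(servers):
    """Assign buckets by cycling through servers in the order they were added."""
    return [servers[i % len(servers)] for i in range(TAB_SIZE)]

def bucket(addr):
    """Map an IPv4 address to a bucket index."""
    return (int(ipaddress.IPv4Address(addr)) * GOLDEN) % TAB_SIZE

def sh_pick(servers, src, dst):
    """Source hashing: the choice depends only on the source address."""
    return build_table(servers)[bucket(src)]

def dh_pick(servers, src, dst):
    """Destination hashing: the choice depends only on the destination address."""
    return build_table(servers)[bucket(dst)]

def session_path(outer_order, inner_order, request, reply):
    """request/reply are (src, dst) as seen by the SH and the DH balancer."""
    return sh_pick(outer_order, *request), dh_pick(inner_order, *reply)

def asymmetric_sessions(outer_order, inner_order, sessions):
    """Return the sessions whose reply would cross a different firewall."""
    bad = []
    for request, reply in sessions:
        req_fw, rep_fw = session_path(outer_order, inner_order, request, reply)
        if req_fw != rep_fw:
            bad.append((request, reply, req_fw, rep_fw))
    return bad

# Constructed sample addresses (documentation ranges), not from the thread.
CLIENTS = ["198.51.100.%d" % n for n in range(1, 21)]
SERVER = "192.0.2.80"
# Transparent firewalls: both balancers see the same client/server pair.
TRANSPARENT = [((c, SERVER), (SERVER, c)) for c in CLIENTS]
# Tunnel case: SH sees the tunnel endpoints, DH sees the encapsulated addresses.
TUNNEL_GW, TUNNEL_END = "203.0.113.10", "192.0.2.1"
TUNNELLED = [((TUNNEL_GW, TUNNEL_END), (SERVER, c)) for c in CLIENTS]

if __name__ == "__main__":
    fws = ["FW1", "FW2"]
    print("same order, transparent:", len(asymmetric_sessions(fws, fws, TRANSPARENT)))
    print("reversed order on DH:   ", len(asymmetric_sessions(fws, fws[::-1], TRANSPARENT)))
    print("tunnelled traffic:      ", len(asymmetric_sessions(fws, fws, TUNNELLED)))
```

A non-zero count in a stateful-firewall deployment means replies reach a box that never saw the session's first packet, so it is worth running this kind of check against the real address plan before relying on the pairing.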
Re: some info for DH and SH schedulers (fwd)
Hi Wensong,

> I am afraid that it will not, because the cache_bypass feature isn't
> available in ipvs for 2.2.x and I want to keep the 2.2.x series stable
> and not to change it too much.

Isn't it just another hook to another kernel module? Where do you see
the instability exactly? BTW, don't you want to keep the 2.4.x series
stable? :)

Best regards,
ratz (Always ready for stupid comments ;)

--
mailto: `echo NrOatSz@tPacA.cMh | sed 's/[NOSPAM]//g'`