The Greased Turkey Document [1]
or
How to set up a load-sharing server
Release History: 0.01alpha - Rob Thomas - [email protected]
[Bootstrap of the documentation]
This document was written with [homepage link] ippvs version 0.5
and Linux Kernel [kernel.org link] 2.0.35 in mind.
1: Overview
This document coveres the basics of what ippvs does, how it
works, and how to set it up. I expect it to expand to cover a
decent man(8) page, and a FAQ.
2: What does it do?
ippvs is a kernel modification that offers a NAT-style load
sharing for multiple virtual servers. What we mean by this is
that you have one 'listening' machine, that transparently (and
incredibly quickly) redirect clients connection requests to other
machines. The advantages of doing this is that it allows you to
have huge arrays of redundant and load sharing servers.
A good example of this (and the example that we will be following
through this entire document) is the setting up of a cluster of
load-sharing proxy servers, at a very, very, low cost-per-tps
rate. It's also perfectly suited to serving normal web traffic,
or allmost anything that can be served over TCP or UDP. The only
caveat is that it will NOT work with ftp services, because ftp
services are too smart for their own good. [quick overview of how
ftpd tells the client which ip and port to connect to, and how
that will break the NAT]
3: How does it work?
In this document, as mentioned above, we will be going through
how to set up an array of proxy servers, that appear to the
clients as one physical machine. The first thing you should
realise is how the machines should be wired together. [2]
[ --- HUB --- ]
[proxy server 1]<-eth0------------+ | | | | | | +--------eth0->[proxy server 4]
[proxy server 2]<-eth0--------------+ | | | | +----------eth0->[proxy server 5]
[proxy server 3]<-eth0----------------+ | | +------------eth0->[proxy server 6]
| |
| |
| +--eth1->[ippvs server 0]<-eth0-------...local network...
+----eth1->[ippvs server 1]<-eth0-------...local network...
[I realise that I use a -very- wide screen, so that'll probably
look like crap on a 80x24 display - looks good on a 128x24 8)]
You should have a look at this map, and take notice of a few
things:
1: The proxy servers are -not- connected to your LAN - they're on
their own seperate LAN
2: The machines are connected to the rest of the network THROUGH
the ippvs server. Make sure their default route is set up that
way
In this demonstration, the IP addresses of the machines are:
ippvs server 0:
eth0: 203.1.1.2 [Machine's IP address]
eth0:0 203.1.1.10 [Permanant load-sharing IP address]
eth0:1 203.1.1.11 [Only up if ippvs1 dies - usually DOWN]
eth1: 10.1.1.254 [Private LAN IP address - non routeable, as only the proxy servers see it]
eth1:0 10.1.1.253 [Only up if ippvs1 dies - usually DOWN]
ippvs server 1:
eth0: 203.1.1.3 [Machine's IP address]
eth0:0 203.1.1.11 [Permanant load-sharing IP address]
eth0:1 203.1.1.10 [Only up if ippvs0 dies - usually DOWN]
eth1: 10.1.1.253 [Private LAN IP address - non routeable, as only the proxy servers see it]
eth1:0 10.1.1.254 [Only up if ippvs0 dies - usually DOWN]
proxy server 1:
eth0: 10.1.1.1
default route to 10.1.1.254
proxy server 2:
eth0: 10.1.1.2
default route to 10.1.1.254
proxy server 3:
eth0: 10.1.1.3
default route to 10.1.1.254
proxy server 4:
eth0: 10.1.1.4
default route to 10.1.1.253
proxy server 5:
eth0: 10.1.1.5
default route to 10.1.1.253
proxy server 6:
eth0: 10.1.1.6
default route to 10.1.1.253
This looks a bit complex, but if you're not interested in setting
up a fault-tolerant network you don't need the second ippvs
server, or to have half the servers talking to one machine, and
the other half talking to the other machine.
[XXX - I'm aware that no auto-failover exists, but it'll only be
a few 'ping' scripts to make it work. - XXX]
[XXX - Should I take out the redunancy stuff until I write some
more documentation for it? - XXX]
Lets track a packet that's coming from a client machine, to port
8080 on 203.1.1.10.
Header: Request connection to port 8080 on 203.1.1.10 from
203.2.3.4 port 9999
The first thing that happens, is that 203.1.1.10 looks at the
headers, and realises that it's it's set up as a load sharing
port. ippvs0 picks a machine to send it to, and scribbles over
the headers, changing the DESTINATION address (the SOURCE address
stays the same) of the packet, and fires it out.
Header: Request connection to port 8080 on 10.1.1.2 from
203.2.3.4 port 9999
The machine 10.1.1.2 accepts the connection, and sends the data
back:
Header: Connection accept, 203.2.3.4 port 9999, and here's the
data, love from 10.1.1.2 port 8080.
The packet then heads back along the wire to the default route,
which is ippvs0. The machine then glues the original headers back
on and sends the packet on it's merry way
Header: Connection accept, 203.2.3.4 port 9999, and here's the
data, love from 203.1.1.10 port 8080.
All the client sees is a normal connection to 203.1.1.10:8080, as
though nothing magic was going on behind the scenes.
4: Wow. This rocks. How do I set it up?
The only 'setting up' is done on the actual ippvs server(s) - You
need to pick out your IP addresses for your private LAN,
obviously, and configure the machines. This document will pretend
that you're using the IP addresses specified above - and there's
no reason at all why you shouldn't. This is exactly what 10.x.x.x
and 192.168.x.x is set aside for.
On ippvs0:
ipfwadm -F -a m 10.1.2.0/24 -D 0.0.0.0/0 (?? No descrption of '-a m' in man ipfwadm?)
ippfvsadm -A -t 203.1.1.10:8080 -R 10.1.1.1:8080 - Redirect _T_CP connections to 203.1.1.10:8080 to 10.1.1.1:8080
ippfvsadm -A -t 203.1.1.10:8080 -R 10.1.1.2:8080 - and 10.1.1.2:8080
ippfvsadm -A -t 203.1.1.10:8080 -R 10.1.1.3:8080 - and 10.1.1.3:8080
On ippvs1:
ipfwadm -F -a m 10.1.2.0/24 -D 0.0.0.0/0 (?? No descrption of '-a m' in man ipfwadm?)
ippfvsadm -A -t 203.1.1.11:8080 -R 10.1.1.1:8080 - Redirect _T_CP connections to 203.1.1.11:8080 to 10.1.1.4:8080
ippfvsadm -A -t 203.1.1.11:8080 -R 10.1.1.2:8080 - and 10.1.1.5:8080
ippfvsadm -A -t 203.1.1.11:8080 -R 10.1.1.3:8080 - and 10.1.1.6:8080
That's all you have to do. Now, when you try to make a connection
to 203.1.1.10 or .11 on port 8080, it will be automatically, and
invisibly, redirected to a random machine. There are various
algorithims that are used to balance the load, which are out of
the scope of this document at this stage of play.
5: Things you should be aware of that will bite you if you're not
careful.
Allways make sure that the default route of the client machines
points to the ippvs server.
0.5 supports tunneling, which I haven't played with, so therefore
I don't know how it works yet 8-)
Allways make sure that the default route of the client machines
points to the ippvs server. (Yes, twice. Don't forget!)
6: That hi-av thing looks cool. How does that work?
Hi-av isn't all that hard. When I get some time I'm going to
whack together a couple of scripts and a database that can keep
track of machines and automatically remove them from the
redirection list, and have another machine (ala ippvs1) take over
from a failed other ippvs. It's easy to to it manually. Switch
ippvs0 off, run 'ifup eth0:1' and 'ifup eth1:0' on the other
machine (if you have it set up that way) and then run the
ippfvsadm commands that the other machine used to do, and it'll
take over invisibly. Go look at the IP addresses above if you
don't understand what I mean.
Questions, comments and suggestions about this document, please,
send to [email protected]
The Virtual Server mailing list is currently hosted at
[email protected] - to subscribe to the maling
list, send a message to '[email protected]' with the message
BODY (not subject) of 'subscribe' - it'll all be taken care of
from there. Any messages sent to the list saying 'I'm not
subscribed to this list, so can you email the reply to me
privately' will be ignored, as it's very, very bad manners.
--Robert Thomas - 28/11/98
[1] - Kernel versions 2.1.129 and 2.1.130 have earned themselves
the names of 'Greased Weasel' and 'Basted Turkey', due to some
light-hearted banter of Linus Torvalds in the kernel release
notes. This document was prepared over these two kernel
revisions!
[2] - This is an 'optimal' diagram. There's no -physical- reason
why the ippvs server, the clustered machines, and the clients
can't be on the same segment. It's just nicer this way. Go buy a
$50 hub. Trust us. It's better.