Ultra Monkey: Configuration: High Capacity High Availability and Load Balancing

Ultra Monkey: High Availability and Load Balancing Solution for Linux

English | Japanese
Top | About | Mirrors | History | Contacts
News Archive | Papers | Ultra Monkey L7 [offsite]

Ultra Monkey 3 : Download | Installation | Configuration || Linux Virtual Server | Linux-HA | Ldirectord

Configuration

High Capacity High Availability and Load Balancing

[Network Diagram]

This topology enables the maximum throughput through the network as return traffic no longer has to travel through an Linux-Director. This topology builds on the existing routing infrastructure of a network by allowing existing internal routing policies to dictate the flow of outbound traffic. For a more detailed explanation of the function of each component please see the overview.

The documentation that follows assumes that all nodes on the network are set up with correct interfaces and routes for each network they are connected to as per the diagram above.

Linux-Directors
- Heartbeat
  Heartbeat runs on the two Linux-Directors and handles bringing up the interface for the virtual address. This is the address to which end-users should connect, and is typically advertised using DNS.
  To configure heartbeat /etc/ha.d/ha.cf, /etc/ha.d/haresources and /etc/ha.d/authkeys must be installed. The node names in /etc/ha.d/ha.cf and /etc/ha.d/haresources have to be set according to the output of the uname -n command on each linux-director. The key ultramonkey in /etc/ha.d/authkeys, should be modified to something confidential to the site. The /etc/ha.d/authkeys must be mode 600, this can be done using the chmod command.
  chmod 600 /etc/ha.d/authkeys
  The configuration files supplied expect that the linux-directors are connected via eth0 and by a null modem connected to /dev/ttyS0. This may be modified but it is highly recommended that heartbeat be run over at least two links.
  The monitoring of real-servers, and their insertion and removal from the pool of servers available is controlled by ldirectord which is run by heartbeat. To configure ldirectord /etc/ha.d/ldirectord.cf must be installed. Information on customising this file can be found in the ldirectord(8) man page.
  Ldirectord is run by heartbeat. On supported versions of Red Hat and Fedora to ensure that heartbeat starts up (on run-levels 2, 3, 4 and 5) and that ldirectord does not start on reboot up the chkconfig command is used:
  /sbin/chkconfig --level 2345 heartbeat on /sbin/chkconfig --del ldirectord
  
  On Debian the update-rc.d command is used:
  /usr/sbin/update-rc.d heartbeat start 75 2 3 4 5 . stop 05 0 1 6 . /usr/sbin/update-rc.d -f ldirectord remove
  To ensure that ldirectord is not running and start heartbeat with the new configuration run:
  /etc/init.d/ldirectord stop /etc/init.d/heartbeat start
  
  After a few moments heartbeat should bring add the virtual IP address on the master linux-director. This can be verified using the ip command.
  ip addr sh eth0 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:50:56:4f:30:07 brd ff:ff:ff:ff:ff:ff inet 192.168.6.2/24 brd 192.168.6.255 scope global eth0 inet 192.168.6.240/24 brd 192.168.6.255 scope global secondary eth0
  
  Heartbeat should also run ldirectord to configure LVS on this node. To check that ldirectord is running use:
  /usr/sbin/ldirectord ldirectord.cf status
  To inspect the current LVS kernel table the ipvsadm command may be used. A sample invocation follows showing that ldirectord found all servers to be available. Note that the FTP virtual service on port 21 is persistent when using direct routing (DR).
  /sbin/ipvsadm -L -n Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.6.240:443 rr -> 192.168.6.4:443 Route 1 0 0 -> 192.168.6.5:443 Route 1 0 0 TCP 192.168.6.240:80 rr -> 192.168.6.4:80 Route 1 0 0 -> 192.168.6.5:80 Route 1 0 0 TCP 192.168.6.240:21 rr persistent 600 -> 192.168.6.4:21 Route 1 0 0 -> 192.168.6.5:21 Route 1 0 0
  
  As well as adding the virtual ipaddresses and running ldirectord, heartbeat should also run the LVS synchronisation daemon. The master daemon should be running on the current master linux-director, and the backup daemon on the other linux-director. You can verify this by inspecting the status of LVSSyncDaemonSwap resource.
  # On the master linux-director /etc/ha.d/resource.d/LVSSyncDaemonSwap master status master running (ipvs_syncmaster pid: 4530) # On the stand-by linux-director /etc/ha.d/resource.d/LVSSyncDaemonSwap master status master stopped (ipvs_syncbackup pid: 3895)
  
  Failover can be tested by stopping heartbeat on the master linux-director which should cause the hot-standby linux-director to become the master.
  /etc/init.d/heartbeat stop
  
  Heartbeat and Ldirectord log debugging and status information to /var/log/messages using syslog. These logs should be inspected if problems occur. Please see notes on logging to ensure that all logs are written to disk for debugging purposes.

Real-Servers

Restricting ARP Advertisments

The real-servers need to be configured to see traffic for the virtual IP address 192.168.6.240 as local. This can be done by making use of an IP alias on the loopback device. But before doing this, ARP Advertisments need to be restricted so that the real servers do not advertise the virtual IP address, which should only be advertised by the active linux-director.

Debian

On Debian, the arp_ignore and arp_announce sysctl flags are used to ensure that the VIP is not announced via ARP on the real-servers, eth0 should be set to only use its addresses for ARP. This is done by adding the following lines to /etc/sysctl.conf. The eth0 lines below should be replicated for any devices that respond to ARP.

# Enable configuration of arp_ignore option
net.ipv4.conf.all.arp_ignore = 1

# When an arp request is received on eth0, only respond if that address is
# configured on eth0. In particular, do not respond if the address is
# configured on lo
net.ipv4.conf.eth0.arp_ignore = 1

# Ditto for eth1, add for all ARPing interfaces
#net.ipv4.conf.eth1.arp_ignore = 1


# Enable configuration of arp_announce option
net.ipv4.conf.all.arp_announce = 2

# When making an ARP request sent through eth0 Always use an address that
# is configured on eth0 as the source address of the ARP request.  If this
# is not set, and packets are being sent out eth0 for an address that is on
# lo, and an arp request is required, then the address on lo will be used.
# As the source IP address of arp requests is entered into the ARP cache on
# the destination, it has the effect of announcing this address.  This is
# not desirable in this case as adresses on lo on the real-servers should
# be announced only by the linux-director.
net.ipv4.conf.eth0.arp_announce = 2

# Ditto for eth1, add for all ARPing interfaces
#net.ipv4.conf.eth1.arp_announce = 2

Red Hat Enterprise Linux

The Red Hat Enterprise Linux kernel does not currently have the arp_ignore and arp_announce flags. This is partly because adding them will break the kernel ABI. If that occurs for another reason, then they may be added, but in the mean time a arptables can be used to obtain mich the same effect. Be for running the commands below, make sure that the the arptables_jf package version >=0.0.7, supplied by Red Hat Enterprise Linux is installed.

# Flush existing rules
/etc/init.d/arptables_jf stop
Flushing all chains:                                       [  OK  ]
Removing user defined chains:                              [  OK  ]
Resetting built-in chains to the default ACCEPT policy:    [  OK  ]

# Drop ARP requests to and from the virtual IP address
/usr/sbin/arptables-noarp-addr 192.168.6.240 start
# This the above command produces the following rules, 
# dropping incoming ARP requests for the VIP (192.168.6.240)
# and mangles outgoing ARP announcements on each ARPing interface (eth0)
# See arptables-noarp-addr(8) for more details
#/sbin/arptables -A IN -j DROP -d 192.168.6.240
#/sbin/arptables -A OUT -j mangle -o eth0 -s 192.168.6.240 --mangle-ip-s 192.168.6.2

# Save the rules
/etc/init.d/arptables_jf save
Saving current rules to /etc/sysconfig/arptables:          [  OK  ]

# Make sure rules are activated on reboot (at run levels 2, 3, 4 and 5)
/sbin/chkconfig --level 2345 arptables_jf on

# Activate the rules
/etc/init.d/arptables_jf start
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying arptables firewall rules:                         [  OK  ]

You can inspect the arptables rules, and examine many hits they have had, by using the arptables command.

/sbin/arptables -L -v -n
Chain IN (policy ACCEPT 229 packets, 6412 bytes)
 pkts bytes target in out  source-ip     destination-ip source-hw destination-hw hlen op        hrd        pro       
    1    28 DROP   *  *    0.0.0.0/0     192.168.6.240  00/00     00/00          any  0000/0000 0000/0000 0000/0000 

Chain OUT (policy ACCEPT 40 packets, 1120 bytes)
 pkts bytes target in out  source-ip     destination-ip source-hw destination-hw hlen op        hrd        pro       
    0     0 mangle *  eth0 192.168.6.240 0.0.0.0/0      00/00     00/00          any  0000/0000 0000/0000 0000/0000 --mangle-ip-s 192.168.6.5

Configure Loopback Interface
Now that ARP Adviertisments of the virtual IP address have been controlled, it can be added as an alias to the loopback interface to allow the real-server to accept packets for the virutal service.

Red Hat Enterprise Linux
The file /etc/sysconfig/network-scripts/ifcfg-lo:0 configures the lo:0 interface, an example follows:
DEVICE=lo:0 IPADDR=192.168.6.240 NETMASK=255.255.255.255 NETWORK=192.168.0.0 BROADCAST=192.168.0.255 ONBOOT=yes NAME=loopback
To bring up the IP alias the ifup command is used:
/sbin/ifup lo

Debian
The lo:0 interface can be configured by adding an entry to /etc/network/interfaces, an example showing the lo and lo:0 interfaces follows.
auto lo iface lo inet loopback auto lo:0 iface lo:0 inet static address 192.168.6.240 netmask 255.255.255.255 pre-up sysctl -p > /dev/null
To bring up the IP alias the ifup command is used:
/sbin/ifup lo:0

You can verify that the interface came up using the ifconfig command. The following output has been truncated to only show information for lo:0.
ip addr sh lo 1: lo: mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet 192.168.6.240/32 scope global lo:0
Note that a netmask of 255.255.255.255 on the lo:0 interface indicates that this interface will only accept traffic 192.168.6.240.
Default Route
The real-servers need to be set up so that their default route is set to the gateway router's address on the server network and not an address on one of the linux-directors.
- Debian
  The gateway is configured as part of the interface configuation in /etc/network/interfaces. This example interface configuration in /etc/network/interfaces shows how to set a gateway of 192.168.6.254 for eth0.
```
auto eth0
iface eth0 inet static
   address 192.168.6.4
   netmask 255.255.255.0
   gateway 192.168.6.254
```
  To effect this change networking should be restarted:
```
/etc/init.d/networking restart
Reconfiguring network interfaces: done.
```
- Red Hat Enterprise Linux
  Using the simple case of a single gateway with an address on the server network of 192.168.6.254 this can be done by editing the GATEWAY specified in the interface configuration for the interface connected to 192.168.6.0/24. In the case of eth0, this is, /etc/sysconfig/network-scripts/ifcfg-eth0. A sample of this file follows:
```
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.6.5
NETMASK=255.255.255.0
GATEWAY=192.168.6.254
```
  To effect this networking should be restarted:
```
/etc/init.d/network restart
Shutting down interface eth0                               [  OK  ] 
Setting network parameters                                 [  OK  ]
Bringing up interface lo                                   [  OK  ]
Bringing up interface eth0                                 [  OK  ]
```
This change can be verified using the ip command.
```
/sbin/ip route show 0/0
default via 192.168.6.254 dev eth0
```
Network Services
The real-servers should be configured to run the underlying services for their respective virtual services. For instance, an HTTP daemon, such as Apache should be configured on each Real Server if an HTTP virtual service has been set up. In addition the the request URLs as specified in /etc/ha.d/ldirectord.cf should be present and contain the receive string.

Copyright © 2000-2005, Horms
Last Updated: Sat Mar 4 16:33:56 2006 +0900

Debian is a registered trademark of Software in the Public Interest, Inc.
Red Hat, the Red Hat Shadowman logo and Fedora are registered trademarks of Red Hat, Inc.
Red Hat may also be refered to as RedHat on this site.
Linux is a registered trademark of Linus Torvalds.
All other trademarks are the property of their respective owners.