Motivation

When a linux director receives a packet for a new connection it allocates the connection to a real server. This allocation is effected by allocating an ip_vs_conn structure in the kernel which stores the source address and port, the address and port of the virtual service, and the real server address and port of the connection. Each time a subsequent packet for this connection is received, this structure is looked up and the packet is forwarded accordingly. This structure is also used to reverse the translation process which occurs when NAT (Network Address Translation) is used to forward a packet and to store persistence information. Persistence is a feature of LVS whereby subsequent connections from the same end-user are forwarded to the same real server.

The existing LVS connection code relies on a sync-master/sync-slave setup where the sync-master sends synchronisation information and the sync-slaves listen. This means that if a sync-slave linux director becomes the active linux director, then connections made will not be synchronised. This is illustrated by the following scenario.

There are two linux directors, director-a and director-b. Director-A is the LVS sync-master and the active linux director. Director-B is an LVS sync-slave and the stand-by linux director.

1. An end user opens connection-1. Director-A receives this connection, forwards it to a real server and synchronises it to the sync-slave, director-b.

2. A fail-over occurs and director-b becomes the active linux director. Connection-1 is able to continue because of the connection synchronisation that took place in step 1.

3. An end user opens connection-2. Director-B receives this connection, and forwards it to a real server. Connection synchronisation does not take place because director-b is a sync-slave.

4. Another fail-over takes place and director-a is once again the active linux director. Connection-2 is unable to continue because it was not synchronised.

LVS's existing connection synchronisation code uses a very simple packet structure and protocol to transmit synchronisation information. The packet starts with a 4 byte header followed by up to 50 connection entries. The connection entries may be 24 or 48 bytes long. The author has observed that in practice, most synchronisation connection entries are 24 bytes, not 48 bytes. Thus, the 50 connection entry limit results in most packets having 1204 bytes of data.

LVS's existing synchronisation code works by feeding synchronisation information to ipvs syncmaster which in turn sends it out onto the network. ipvs syncslave listens on for synchronisation packets to arrive via multicast and feeds them into the LVS core. ipvs syncmaster and ipvs syncslave should be started on the linux directors using ipvsadm.

By default a connection is passed to ipvs syncmaster once it passes a threshold of 3 packets, and then is resent to ipvs syncmaster at a frequency of once every 50 packets after that. The threshold may be manipulated using the existing /proc/sys/net/vs/sync_threshold. To allow the frequency to be manipulated, LVS has been patched to add the /proc/sys/net/vs/sync_frequency proc entry. As synchronisation information for a given connection is resent every 50 packets it is not considered of particular importance if occasionally the synchronisation packets are dropped. This is important, as multicast UDP which does not have an underlying retransmission method for dropped packets, is used for inter-linux director communication.

The LVS synchronisation code was patched to abstract the sending and receiving of synchronisation packets. This allows different methods of sending and receiving synchronisation packets to be used without further modification to this code. The following hooks are provided:

send_mesg	Used by ipvs syncmaster to send a packet out onto the network.
open_send	Used by ipvs syncmaster to open the socket used to send packets to the network.
close_send	Used by ipvs syncmaster to close the socket used to send packets to the network.
recv_loop	Event loop used by ipvs syncslave to receive packets from the network.
open_recv	Used by ipvs syncslave to open the socket that is used to receive packets from the network.
close_recv	Used by ipvs syncslave to close the socket that is used to receive packets from the network.

The following functions are provided to register functions for these hooks. It is envisaged that the hook functions would be implemented in a separate kernel module. When the module initialises itself ip_vs_sync_table_register should be called. When the module is unregistering itself, ip_vs_sync_table_register_default should be called.

ip_vs_sync_table_register	Used to register the hooks above. If NULL is supplied for any of the hooks, then the hook will have no effect.
ip_vs_sync_table_register_default	Used to register the default hooks, which gives the existing behaviour of of directly sending and receiving multicast packets. This behaviour is registered when LVS is initialised.

Using the hooks that were added to the LVS synchronisation code, a method that sends and receives synchronisation packets via a netlink socket was written. This was implemented as a separate kernel module, ip_vs_user_sync. When this module is inserted into the kernel it registers itself as the synchronisation method and starts the kernel synchronisation daemon ipvs syncmaster. The send_mesg hook registered passes synchronisation packets to user-space. The ip_vs_user_sync module listens for synchronisation information from user-space and passes it directly to the LVS core. Thus there is no need for an ipvs syncslave process and ipvs syncmaster can be run on all linux directors. This is important to allow a peer-to-peer relationship to be established between linux directors in place of a master/slave relationship.

The user-space daemon communicates with its kernel counterpart using an netlink socket. This requires a small patch to the kernel to add the NETLINK_IPVS protocol. Communication using this socket is somewhat analogous to UDP: Packets of up to 64Kbytes may be sent. Packets may be dropped in situations of high load, though unlike UDP this results in an error condition. Unlike UDP the data in packets received can be assumed to be uncorrupted. Unless there is broken memory in the machine, which should result in other, more dire problems. Importantly only local processes owned by root may communicate with the kernel using the netlink socket. Thus there is some level of implicit authenticity of the user-space client.

A user-space synchronisation daemon. It uses libip_vs_user_sync to access a netlink socket to listen for synchronisation information from the kernel. It then sends this information to other linux directors using multicast. The packet format used to send these packets has a version field to allow packets from a different version of the protocol to easily be identified and dropped. All nodes running this daemon can send and receive this synchronisation information. Thus there is no sync-master/sync-slave relationship.

This is intended as a bare-bones synchronisation daemon that illustrates how libip_vs_user_sync can be used in conjunction with ip_vs_user_sync to create a user-space synchronisation daemon. Its key advantage over the existing LVS synchronisation code is that eliminates the sync-master/sync-slave and the problems that can introduce. It is suitable for use in both active/stand-by with two linux directors and active-active configurations with any number of linux directors.

Sample Topology

Packet Forwarding

The linux directors must be able to route traffic from the external network to the server network and vice versa. Specifically, in addition to correctly configuring the interfaces and routes you must enable IPV4 forwarding. This is done by modifying the line containing net.ipv4.ip_forward in /etc/sysctl.conf as follows. Alternatively the corresponding /proc value may be manipulated directly.

net.ipv4.ip_forward = 1

/sbin/ifconfig
eth0:0    Link encap:Ethernet  HWaddr 00:D0:B7:BE:6B:CF  
          inet addr:192.168.6.240  Bcast:192.168.6.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17 Base address:0xef00 

eth1:0    Link encap:Ethernet  HWaddr 00:90:27:74:84:ED  
          inet addr:192.168.7.240  Bcast:192.168.7.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:18 Base address:0xee80 

/sbin/ipvsadm -L -n
IP Virtual Server version 0.9.16 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port          Forward Weight ActiveConn InActConn
TCP  192.168.7.240:443 rr
  -> 192.168.6.4:443            Masq    1      0          0         
  -> 192.168.6.5:443            Masq    1      0          0         

# Flush existing rules
/sbin/iptables -F

# NAT for 192.168.6.0/24 bound for any host
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s 192.168.6.0/24

# Log all packets that attempt to be forwarded
# Useful for Debugging. Questionable for Production
#/sbin/iptables -t nat -A POSTROUTING -j LOG

# View the rules
# Truncated to only show only the POSTROUTING chain in the nat table
/etc/init.d/iptables status
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.6.0/24       anywhere

/sbin/modprobe ip_vs_ftp

net.ipv4.vs.sync_msg_max_size = 7200