Re: decent loadbalancing with 2 different ISP's with minimum risks

From: James Couzens (jcouzens_at_obscurity.org)
Date: 05/05/04

    To: focus-linux@securityfocus.com
    Date: Wed, 05 May 2004 10:15:02 -0700
    
    
    

    > On Sat 17/04/2004 at 06:46, Ravi wrote:
    > > -vrrpd if using two gateways
    >
    > VRRP is a failover protocol. I don't see how you can achieve load
    > balancing with it.

    What you fellows seek is the Linux Virtual Server ("LVS") project which
    is currently available in both 2.4 and 2.6 Linux kernels. LVS turns
    your router into a Layer-3, Layer-4, and Layer-5/7 switch. Setup is
    simplistic and the load balancing functionality is second to none. LVS
    can also be implemented in three different ways, DIRECTOR, NAT, and
    TUNNEL.

    Should you wish to have high availability I would recommend the keepalived
    project which offers VRRP support through its independent VRRPv2 stack
    for failover detection and execution, and handles individual service
    checks with the ability to pull individual services or fail over the
    entire server. There is also a keepalived fork which offers "threaded
    plugin" support which adds even more functionality.

    In short, keepalived is a userspace daemon for LVS cluster nodes
    healthchecks and LVS directors failover.

    Linux Virtual Server Project:
    http://www.linuxvirtualserver.org/

    HealthChecking for LVS & High Availability through keepalived:
    http://keepalived.sourceforge.net/

    keepalived w/ Threaded-Health-Check support:
    http://homes.tiscover.com/jrief/keepalived/

    Linux Kernel routing patch: http://www.ssi.bg/~ja/routes-2.6.4-10.diff

    - Static Routes (remain during failure)
    - Alternative Routes (multipath)
    - Dead Gateway Detection (removes multi-path routes during failure)
    - NAT (correct routing during use of multi-paths)

    Multi-path howto:
    http://www.ssi.bg/~ja/nano.txt

    Dead Gateway Detection explained:
    http://www.ssi.bg/~ja/dgd-usage.txt

    Dead Gateway Detection status:
    http://www.ssi.bg/~ja/dgd.txt

    Julian Anastasov is my hero, grab myriads of other excellent patches
    from his website here, in addition to DGD patches for kernels other than
    2.6.x: http://www.ssi.bg/~ja/

    Having spent a recent weekend with the OpenBSD team at their pf
    Hackathon, I was given an exceptional look into pf's current and future
    status. That being said, you can do load balancing through pf in
    addition to making use of the Common Address Redundancy Protocol
    ("CARP") which is a protocol not mired in the patent problems which have
    plagued VRRP. CARP has been developed by members of the OpenBSD team.
    You can find this all in the just recently released v3.5 (I managed to
    obtain a pre copy at CansecWest/Core04 <3) of OpenBSD available for
    download or purchase from their website.

    Firewall Failover with pfsync and CARP:
    http://www.countersiege.com/doc/pfsync-carp/

    CARP port to FreeBSD 5.x:
    http://pf4freebsd.love2party.net/carp.html

    Although the OpenBSD functionality is not nearly as mature, or feature
    rich, it's well on its way to delivering much needed networking
    functionality to the BSD community. I'm currently in the middle of
    stress testing this code myself, but to date it delivers the goods, and
    I look forward to future enhancements and userland utilities to assist
    in management.

    Cheers,

    James

    -- 
    James Couzens,
    Programmer
    -----------------------------------------------------------------
    http://libspf.org -- ANSI C Sender Policy Framework library
    http://libsrs.org -- ANSI C Sender Rewriting Scheme library
    -----------------------------------------------------------------
    PGP: http://gpg.mit.edu:11371/pks/lookup?op=get&search=0x6E0396B3
    
    


