Mailing List Archive: Linux Virtual Server: Users

[lvs-users] Standby node in HA connects to its lo:0's instead of the lived server's VIP (CentOS 5)



midair77 at gmail

Mar 21, 2008, 5:11 PM

Post #1 of 5
[lvs-users] Standby node in HA connects to its lo:0's instead of the lived server's VIP (CentOS 5)

Dear all. I tried to implement HA with 2 CentOS 5 servers (OpenLDAP)
using LVS (Ultramonkey). At this point, I have a weird problem: when I
was on the hot _standby_ real server and tried to ssh to the VIP
address, I actually ended up on the same server instead of the live
_real_ server.

This caused problems because my OpenLDAP slave server needs to be able
to connect to the master server (live server) to replicate, but right
now the slave server (hot _standby_) keeps connecting to itself. The
whole thing got complicated because of SSL/TLS certificates. This
_standby_ server needs to connect to the VIP address that the master
server uses, with the start_tls thingy.

I have set up /etc/hosts, arptables, /etc/sysctl.conf and
/etc/sysconfig/network-scripts/ifcfg-lo, and I cannot think of anything
else to do but remove lo:0. My slave server was able to replicate and
connect to the master server as soon as I removed the VIP on lo:0 and
restarted lo.

Hosts on my LAN ssh to the VIP and get into the (master) server
correctly when both servers are up.

Here are the contents of these files:

#/etc/hosts
127.0.0.1 localhost.localdomain localhost

#VIP
192.168.10.15 red.mynetwork.com red
#REAL servers
192.168.0.16 blue.mynetwork.com blue
192.168.0.14 green.mynetwork.com green

#/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.vs.expire_quiescent_template=1

#Centos's kernel seems not to have these
#net.ipv4.conf.all.hidden = 1
#net.ipv4.conf.lo.hidden = 1

#/etc/sysconfig/arptables (on green)
*filter
:IN ACCEPT [37:1036]
:OUT ACCEPT [7:196]
:FORWARD ACCEPT [0:0]
[0:0] -A IN -d 192.168.0.15 -j DROP
[0:0] -A OUT -s 192.168.0.15 -o eth0 -j mangle --mangle-ip-s 192.168.0.14
COMMIT

#/etc/sysconfig/network-scripts/ifcfg-lo
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback

DEVICE=lo:0
IPADDR=192.168.0.15
NETMASK=255.255.255.255
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
NAME=loopback

#/etc/sysconfig/network-scripts/ifcfg-eth0 (on green)
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:4A:2A:93
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.0.14
GATEWAY=192.168.0.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

#/etc/ha.d/ha.cf
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
mcast eth0 225.0.0.1 694 1 0
auto_failback on
node blue.mynetwork.com
node green.mynetwork.com
ping 192.168.0.1
respawn hacluster /usr/lib64/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster

# /etc/ha.d/haresources
blue.mynetwork.com \
ldirectord::ldirectord.cf \
LVSSyncDaemonSwap::master \
IPaddr2::192.168.0.15/24/eth0/192.168.0.255

#/etc/ha.d/ldirectord.cf
checktimeout=10
checkinterval=60
autoreload=yes
logfile="/var/log/ldirectord.log"
emailalert="mee[at]mynetwork.com"
quiescent=no
virtual=192.168.0.15:389
real=192.168.0.16:389 gate
real=192.168.0.14:389 gate
fallback=127.0.0.1:389
service=ldap
scheduler="rr"
protocol=tcp
checktype=negotiate
checkport=389
login="cn=mee,dc=mynetwork,dc=com"
passwd="onepassword"
request="uid=bogus,dc=mynetwork,dc=com"
receive="uid=bogus,dc=mynetwork,dc=com"

on green server:
ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn

ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 192.168.0.15/32 brd 192.168.0.255 scope global lo:0
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:4a:2a:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.14/24 brd 192.168.0.255 scope global eth0
inet6 fe80::20c:29ff:fe4a:2a93/64 scope link tentative
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0

on blue server:

ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.15:389 rr
-> 192.168.0.14:389 Route 1 0 0
-> 192.168.0.16:389 Local 1 0 0

ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:7c:1f:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.16/24 brd 192.168.0.255 scope global eth0
inet 192.168.0.15/24 brd 192.168.0.255 scope global secondary eth0
inet6 fe80::20c:29ff:fe7c:1f66/64 scope link tentative
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0

chkconfig --list | grep 3:on
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
arptables_jf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
heartbeat 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ldap 0:off 1:off 2:off 3:on 4:off 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vmware-tools 0:off 1:off 2:on 3:on 4:off 5:on 6:off

Please point me in the right direction, as I have run out of things to
try to get this to work.

Thank you very much.

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users[at]LinuxVirtualServer.org
Send requests to lvs-users-request[at]LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


jmack at wm7d

Mar 21, 2008, 5:22 PM

Post #2 of 5
Re: [lvs-users] Standby node in HA connects to its lo:0's instead of the lived server's VIP (CentOS 5) [In reply to]

On Fri, 21 Mar 2008, Steven Truong wrote:

> This caused problems because my OpenLdap slave server needs to be able
> to connect to the master server (lived server) to replicate but right
> now the slave server (hot _standby_) keeps connecting to itself. The
> whole things got complicated because of SSL/TLS certificates. This
> _standby_ server needs to connect to the VIP address that the master
> server uses to connect with start_tls thingy.

it's a problem.

Can you connect to the RIP using a self signed certificate?

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



midair77 at gmail

Mar 21, 2008, 5:33 PM

Post #3 of 5
Re: [lvs-users] Standby node in HA connects to its lo:0's instead of the lived server's VIP (CentOS 5) [In reply to]


Oops. Prior to setting up arptables, as soon as I removed lo:0, my slave
(standby) server was able to replicate or ssh to the VIP address, but
with arptables this is no longer true. Anyway, I still have the
problem without arptables...

#/etc/sysconfig/arptables (on green)
*filter
:IN ACCEPT [37:1036]
:OUT ACCEPT [7:196]
:FORWARD ACCEPT [0:0]
[0:0] -A IN -d 192.168.0.15 -j DROP
[0:0] -A OUT -s 192.168.0.15 -o eth0 -j mangle --mangle-ip-s 192.168.0.14
COMMIT

Ouch...



midair77 at gmail

Mar 21, 2008, 6:07 PM

Post #4 of 5
Re: [lvs-users] Standby node in HA connects to its lo:0's instead of the lived server's VIP (CentOS 5) [In reply to]

On Fri, Mar 21, 2008 at 5:22 PM, Joseph Mack NA3T <jmack[at]wm7d.net> wrote:
> On Fri, 21 Mar 2008, Steven Truong wrote:
>
> > This caused problems because my OpenLdap slave server needs to be able
> > to connect to the master server (lived server) to replicate but right
> > now the slave server (hot _standby_) keeps connecting to itself. The
> > whole things got complicated because of SSL/TLS certificates. This
> > _standby_ server needs to connect to the VIP address that the master
> > server uses to connect with start_tls thingy.
>
> it's a problem.
>
> Can you connect to the RIP using a self signed certificate?
>
> Joe
>
> --
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml
> Homepage http://www.austintek.com/ It's GNU/Linux!
>

Hi, Joseph. I haven't tried to connect to the RIP with the
self-signed certificate because both real servers currently share the
same certificate/key. I haven't explored creating different
private/public keys for this scenario yet. However, the problem is
that from the standby real server I simply could not connect to the
VIP (by ssh) of the live master server. For some reason unknown to
me, the lo:0 interface got activated and masked the VIP on the other
server. I could only connect to it without lo:0 on the standby real
server (and without arptables). I just would like to know whether this
is something I misconfigured somewhere in my setup or something
else.

Are there any other workarounds besides removing lo:0 as I did?

Please help.

Thank you very much.

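As an added example (not from the thread, and not Ultramonkey or LVS code), the following shell script issues one self-signed certificate whose subjectAltName covers the VIP name and both real-server names and addresses from the thread, so that Joe's suggestion of replicating from the master's RIP instead of the VIP does not fail TLS hostname verification; ldap.example.org is a made-up control name that the certificate must reject.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Creates a self-signed
# key/cert pair valid for red (VIP), blue and green (RIPs) and checks
# which names OpenSSL accepts for it. Hostnames/IPs are the thread's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/san.cnf"
KEY="$WORK/ldap.key"
CRT="$WORK/ldap.crt"

# OpenSSL request config; x509_extensions applies because we pass -x509.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ldap
prompt             = no
[dn]
CN = red.mynetwork.com
[v3_ldap]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:red.mynetwork.com, DNS:blue.mynetwork.com, DNS:green.mynetwork.com, IP:192.168.0.15, IP:192.168.0.16, IP:192.168.0.14
EOF

make_cert() {
  # 2048-bit RSA key and a one-year self-signed cert, no passphrase (-nodes)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$KEY" -out "$CRT" -config "$CNF" >/dev/null 2>&1
}

cert_matches_host() {
  # succeeds only if the cert is valid for DNS name $1; the self-signed
  # cert serves as its own trust anchor via -CAfile
  openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" 2>/dev/null \
    | grep -q ': OK$'
}

cert_matches_ip() {
  # same check for an IP-address SAN entry
  openssl verify -CAfile "$CRT" -verify_ip "$1" "$CRT" 2>/dev/null \
    | grep -q ': OK$'
}

make_cert
# ldap.example.org is a hypothetical name not in the SAN list
for h in red.mynetwork.com blue.mynetwork.com green.mynetwork.com ldap.example.org; do
  if cert_matches_host "$h"; then echo "ok   $h"; else echo "FAIL $h"; fi
done
```

On a real server the VIP on lo:0 sits in the kernel's local routing table, so a connection the standby itself originates to 192.168.0.15 is delivered to the standby no matter what arptables or arp_ignore say; pointing the slave's replication at the master's RIP avoids that loop, and the certificate then has to be valid for the RIP's name or address, which is what the SAN list above provides.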


jmack at wm7d

Mar 21, 2008, 6:08 PM

Post #5 of 5
Re: [lvs-users] Standby node in HA connects to its lo:0's instead of the lived server's VIP (CentOS 5) [In reply to]

On Fri, 21 Mar 2008, Steven Truong wrote:

> Oops.

Hmm

You re-posted 11 screens of material from your first post
(which I'd edited out for my reply). None of this was
relevant to your post of 13 lines below, or particularly
relevant to your first posting. There are 1000
people on this list and 3 archivers. Please post only
material relevant to your question.

Joe


> (standby) server was able to replicate or ssh to VIP address, but
> with arptables this is no longer true. Anyway, I still have the
> problem without arptables.....
>
> #/etc/sysconfig/arptables (on green)
> *filter
> :IN ACCEPT [37:1036]
> :OUT ACCEPT [7:196]
> :FORWARD ACCEPT [0:0]
> [0:0] -A IN -d 192.168.0.15 -j DROP
> [0:0] -A OUT -s 192.168.0.15 -o eth0 -j mangle --mangle-ip-s 192.168.0.14
> COMMIT

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

