Hello All.
I want to have 2 hosts that are set up to do multimaster between themselves. Because my application only allows for a single server entry, I want to put both of these behind a Linux Virtual Server director, which is a load balancer that I use for other services currently. With this configuration, I can have either LDAP server go down and my application won't break.
The load balancer requires that I tell the LDAP servers not to respond to ARP requests so that the load balancer can. So how can the LDAP servers communicate with each other for updates? I looked for some information on how to make the LDAP servers use more than one IP for LDAP but could find no answer.
Thanks for your time, Dave
Dave,
We're still in the early stages of looking at doing this, but we're using Piranha doing direct-routing as a load balancer.
On the real servers, we have iptables rules that look like this:
-A PREROUTING -d <VIP> -p tcp -m tcp --dport 389 -j REDIRECT
-A PREROUTING -d <VIP> -p tcp -m tcp --dport 636 -j REDIRECT
It also becomes necessary to set nsslapd-idletimeout so that you don't end up with tons of idle connections.
-Steve
On Mon, 2006-12-04 at 13:50 -0600, Dave Augustus wrote:
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Piranha = LVS, I do believe; maybe some management scripts are different. I have been using LVS for 5 years now. It works great!
(Help me understand... I am not an iptables guru, but I have done some to get done what I needed to.)
Your statements:
-A PREROUTING -d <VIP> -p tcp -m tcp --dport 389 -j REDIRECT
-A PREROUTING -d <VIP> -p tcp -m tcp --dport 636 -j REDIRECT
Does this mean:
- you are assigning 2 IPs to your LDAP servers, one for load balancing and one for the LDAP server
- any traffic to the VIP is redirected to the IP that you have told the LDAP server to use
Correct?
On Mon, 2006-12-04 at 14:03 -0600, Stephen C. Rigler wrote:
On Mon, 2006-12-04 at 14:39 -0600, Dave Augustus wrote:
Piranha = LVS, I do believe; maybe some management scripts are different. I have been using LVS for 5 years now. It works great!
Piranha was the easiest thing for me to grab with YUM. I tried looking into the other packages out there and got worried about the amount of documentation dedicated to 2.2 kernels.
(Help me understand... I am not an iptables guru, but I have done some to get done what I needed to.)
Your statements:
-A PREROUTING -d <VIP> -p tcp -m tcp --dport 389 -j REDIRECT
-A PREROUTING -d <VIP> -p tcp -m tcp --dport 636 -j REDIRECT
Small typo, insert "-t nat" at the beginning of both lines.
Does this mean:
- you are assigning 2 IPs to your LDAP servers, one for load balancing and one for the LDAP server
- any traffic to the VIP is redirected to the IP that you have told the LDAP server to use
Correct?
In my scenario, the real servers are separate from the load balancer. Only the load balancer is hosting the VIP.
I borrowed this method from the "HOWTO.direct-routing" that came with the Piranha docs. A method that uses arptables was also documented, but I didn't have much luck with it.
I've pasted what the HOWTO says about iptables below.
-Steve
Setting up the Real Servers, method #2: Use iptables to tell the real servers to handle the packets.
How it works: We use an iptables rule to create a transparent proxy so that a node will service packets sent to the virtual IP address(es), even though the virtual IP address does not exist on the system.
Advantages:
* Simple to configure.
* Avoids the LVS "ARP problem" entirely. Because the virtual IP address(es) only exist on the active LVS director, there _is_ no ARP problem!
Disadvantages:
* Performance. There is overhead in forwarding/masquerading every packet.
* Impossible to reuse ports. For instance, it is not possible to run two separate Apache services bound to port 80, because both must bind to INADDR_ANY instead of the virtual IP addresses.
(1) BACK UP YOUR IPTABLES CONFIGURATION.
(2) On each real server, run the following for every VIP / port / protocol (TCP, UDP) combination intended to be serviced for that real server:
iptables -t nat -A PREROUTING -p <tcp|udp> -d <vip> --dport <port> -j REDIRECT
This will cause the real servers to process packets destined for the VIP which they are handed.
service iptables save
chkconfig --level 2345 iptables on
The second command will cause the system to reload the arptables configuration we just made on boot - before the network is started.
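The following is an added example that is neither the Piranha HOWTO's script nor anything Steve or Dave posted. It puts the real-server side of the HOWTO's method #2 (step 2 and the two persistence commands) and the nsslapd-idletimeout point from Steve's first reply into one script for a Fedora Directory Server host. The VIP 192.0.2.10, the tcp/389 and tcp/636 service list and the 300-second idle timeout are assumed, hypothetical values; the `-t nat` that the thread's first posting of the rules omitted is spelled out because REDIRECT is only valid in the nat table and PREROUTING does not exist in the default filter table.

```shell
#!/bin/sh
# Added example, not the Piranha HOWTO's own script and not code posted by
# Steve or Dave: the real-server side of LVS direct routing, "method #2",
# for a Fedora Directory Server host. Every packet that arrives addressed to
# the director's VIP on the LDAP ports is REDIRECTed to the local socket, so
# the real server never has to own the VIP and the ARP problem does not arise.
# Assumed, hypothetical values: VIP 192.0.2.10; ldap/ldaps on tcp/389 and
# tcp/636; an idle timeout of 300 seconds.

VIP="${VIP:-192.0.2.10}"
SERVICES="${SERVICES:-tcp:389 tcp:636}"   # proto:port pairs this real server answers for

# Rule specification (chain plus match/target) for one proto/port pair.
# REDIRECT is only valid in the nat table and PREROUTING does not exist in
# the default filter table, so every iptables call below is pinned to "-t nat".
redirect_spec() {
    printf 'PREROUTING -p %s -d %s --dport %s -j REDIRECT' "$1" "$VIP" "$2"
}

# Print the complete rule set as iptables commands (a dry run).
# Arguments override $SERVICES, e.g.: build_rules udp:389
build_rules() {
    [ $# -gt 0 ] || set -- $SERVICES
    for svc in "$@"; do
        printf 'iptables -t nat -A %s\n' "$(redirect_spec "${svc%%:*}" "${svc#*:}")"
    done
}

# Number of rules build_rules would emit, for a sanity check before applying.
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

# LDIF that sets nsslapd-idletimeout in cn=config, so connections the director
# keeps handing this server are closed once the client goes quiet.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f idle.ldif
idletimeout_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-idletimeout\nnsslapd-idletimeout: %s\n' "${1:-300}"
}

# Load the rules idempotently (-C tests for an identical rule, iptables >= 1.4.11,
# so a re-run on boot or after a config push appends no duplicates), then persist
# them the way the HOWTO does. Must run as root on the real server.
apply_rules() {
    for svc in $SERVICES; do
        spec=$(redirect_spec "${svc%%:*}" "${svc#*:}")
        # shellcheck disable=SC2086  # $spec is meant to be word-split
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
    service iptables save              # writes /etc/sysconfig/iptables on Fedora/RHEL
    chkconfig --level 2345 iptables on # reload it at boot, before the network starts
    iptables -t nat -S PREROUTING      # show what is now in effect
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    build_rules                        # dry run: print the commands only
fi
```

Run it once without arguments to see the exact commands it would load, then as root with `APPLY=1` on each real server; afterwards `ldapsearch -x -H ldap://192.0.2.10 -s base -b "" objectclass=*` from a client should be answered by whichever real server the director picks. Two caveats a practitioner will want: the HOWTO's closing sentence speaks of "arptables", but with method #2 the configuration being saved and reloaded by those two commands is the iptables one; and, on Dave's question about the masters talking to each other, the replication agreements should name the peer's real address rather than the VIP, because a connection that a real server itself opens to the VIP is not matched by a PREROUTING rule and is dispatched by the director, possibly back to the host that opened it.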
389-users@lists.fedoraproject.org