Introduction to Linux Virtual Server and High Availability



Similar documents
Scalable Linux Clusters with LVS

High Availability Low Dollar Load Balancing

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Smoothwall Web Filter Deployment Guide

Load Balancing Smoothwall Secure Web Gateway

Load Balancing McAfee Web Gateway. Deployment Guide

Load Balancing und Load Sharing

Creating Web Farms with Linux (Linux High Availability and Scalability)

Load Balancing Sophos Web Gateway. Deployment Guide

Load Balancing Bloxx Web Filter. Deployment Guide

Load Balancing Trend Micro InterScan Web Gateway

VENKATAMOHAN, BALAJI. Automated Implementation of Stateful Firewalls in Linux. (Under the direction of Ting Yu.)

Firewalls. Chien-Chung Shen

Fault tolerant stateful firewalling with GNU/Linux. Pablo Neira Ayuso Proyecto Netfilter University of Sevilla

Scalable Linux Clusters with LVS

Active-Active Servers and Connection Synchronisation for LVS

Netfilter Failover. Connection Tracking State Replication. Krisztián Kovács

Linux Firewall. Linux workshop #2.

Availability Digest. Redundant Load Balancing for High Availability July 2013

FortiOS Handbook - Load Balancing VERSION 5.2.2

ClusterLoad ESX Virtual Appliance quick start guide v6.3

Red Hat Enterprise Linux 7 Load Balancer Administration

Load Balancing Clearswift Secure Web Gateway

Stateful Firewalls. Hank and Foo

Keepalived for LVS. User Guide Alexandre Cassen.

Load Balancing Barracuda Web Filter. Deployment Guide

How To Understand The Role Of The Lib8000 On A Network (Networking) On A Server Cluster (Netware) On An Ipnet (Netrope) On Ubuntu) On Pcode (Netnet)

How To Build A Virtual Server Cluster In Linux 2003

Linux Virtual Server Clusters

Appliance Quick Start Guide. v7.6

Bridgewalling - Using Netfilter in Bridge Mode

FortiOS Handbook Load Balancing for FortiOS 5.0

Owner of the content within this article is Written by Marc Grote

UNIVERSITY OF OSLO Department of Informatics. Performance Measurement of Web Services Linux Virtual Server. Muhammad Ashfaq Oslo University College

McAfee Web Filter Deployment Guide

Netfilter / IPtables

Implementation, Simulation of Linux Virtual Server in ns-2

Linux Virtual Server Tutorial

CS Computer and Network Security: Firewalls

Load Balancing. FortiOS Handbook v3 for FortiOS 4.0 MR3

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Load Balancing SIP Quick Reference Guide v1.3.1

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

TESTING & INTEGRATION GROUP SOLUTION GUIDE

CSC574 - Computer and Network Security Module: Firewalls

CS Computer and Network Security: Firewalls

Loadbalancer.org. Loadbalancer.org appliance quick setup guide. v6.6

Netfilter. GNU/Linux Kernel version 2.4+ Setting up firewall to allow NIS and NFS traffic. January 2008

High Availability HTTP/S. R.P. (Adi) Aditya Senior Network Architect

TCP Session Load-balancing in Active-Active HA Cluster

Firewall. IPTables and its use in a realistic scenario. José Bateira ei10133 Pedro Cunha ei05064 Pedro Grilo ei09137 FEUP MIEIC SSIN

Introduction. Linux Virtual Server for Scalable Network Services. Linux Virtual Server. 3-tier architecture of LVS. Virtual Server via NAT

Firewalls. Pehr Söderman KTH-CSC

TECHNICAL NOTE. Technical Note P/N REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

SonicWALL NAT Load Balancing

STRATO Load Balancing Product description Version: May 2015

Single Pass Load Balancing with Session Persistence in IPv6 Network. C. J. (Charlie) Liu Network Operations Charter Communications

Linux Virtual Server Administration. RHEL5: Linux Virtual Server (LVS)

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Netfilter s connection tracking system

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Stateful Connection Tracking & Stateful NAT

How To Balance A Load Balancer On A Server On A Linux (Or Ipa) (Or Ahem) (For Ahem/Netnet) (On A Linux) (Permanent) (Netnet/Netlan) (Un

MULTI WAN TECHNICAL OVERVIEW

Linux Firewall Wizardry. By Nemus

How to replicate the fire: HA for netfilter based firewalls

CSE543 - Computer and Network Security Module: Firewalls

How To Run A Web Farm On Linux (Ahem) On A Single Computer (For Free) On Your Computer (With A Freebie) On An Ipv4 (For Cheap) Or Ipv2 (For A Free) (For

Active-Active Servers and Connection Synchronisation for LVS

Network Security Management

Loadbalancer.org Appliance Setup v5.9

Load Balancing - Single Multipath Route HOWTO

Definition of firewall

Deployment Guide AX Series with Citrix XenApp 6.5

Linux Virtual Server (LVS) for Red Hat Enterprise Linux 5.0

Managing Multiple Internet Connections with Shorewall

10.4. Multiple Connections to the Internet

INTRODUCTION TO FIREWALL SECURITY

Server Traffic Management. Jeff Chase Duke University, Department of Computer Science CPS 212: Distributed Information Systems

HAProxy. Ryan O'Hara Principal Software Engineer, Red Hat September 17, HAProxy

Configuring the Edgewater 4550 for use with the Bluestone Hosted PBX

Module: Firewalls. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

How To Balance A Web Server With Remaining Capacity

AppDirector Load balancing IBM Websphere and AppXcel

CIS 433/533 - Computer and Network Security Firewalls

Appliance Administration Manual. v7.2

Monitoring Load-Balancing Services

CheckPoint Software Technologies LTD. How to Configure Firewall-1 With Connect Control

Microsoft Office Communications Server 2007 R2

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Exam Name: Foundry Networks Certified Layer4-7 Professional Exam Type: Foundry Exam Code: FN0-240 Total Questions: 267

A Multihoming solution for medium sized enterprises

Appliance Administration Manual. v7.6

Linux Virtual Server Administration. Linux Virtual Server (LVS) for Red Hat Enterprise Linux 5.2

Intro to Linux Kernel Firewall

Transcription:

Outlines Introduction to Linux Virtual Server and High Availability Chen Kaiwang kaiwang.chen@gmail.com December 5, 2011

Outlines If you don t know the theory, you don t have a way to be rigorous. Robert J. Shiller http://www.econ.yale.edu/~shiller/

Outlines Misery stories Jul 2011 Too many connections at zongheng.com Aug 2011 Realserver maintenance at 173.com quiescent persistent connections Nov 2011 Health check at 173.com Nov 2011 Virtual service configuration at 173.com persistent session data

Outlines Outline of Part I Introduction to Linux Virtual Server Configuration Overview Netfilter Architecture Scheduling Basics Scheduling Algorithms Persistence Template Persistence Granularity

Outlines Outline of Part II HA Basics LVS High Avaliablity Realserver Failover Director Failover Solutions Heartbeat Keepalived

LVS Intro Part I Introduction to Linux Virtual Server

LVS Intro Configuration Overview Netfilter Architecture Introduction to Linux Virtual Server Configuration Overview Netfilter Architecture Scheduling Basics Scheduling Algorithms Persistence Template Persistence Granularity

LVS Intro Configuration Overview Netfilter Architecture A Linux Virtual Serverr (LVS) is a group of servers that appear to the client as one large, fast, reliable (highly available) server. The core of the project is the ip vs code, which runs on the LVS director. Layer 4 switch (Director) Backend servers (Realservers)

LVS Configurations LVS Intro Configuration Overview Netfilter Architecture

LVS Intro Configuration Overview Netfilter Architecture A Packet Traversing the Netfilter System --->[1]--->[ROUTE]--->[3]--->[4]---> ^ [ROUTE] v [2] [5] ^ v NF_IP_PRE_ROUTING [1] NF_IP_POST_ROUTING [4] NF_IP_LOCAL_IN [2] NF_IP_LOCAL_OUT [5] NF_IP_FORWARD [3] NF_ACCEPT, NF_DROP, NF_STOLEN, NF_QUEUE, NF_REPEAT

LVS Intro Packet Selection: IP Tables Configuration Overview Netfilter Architecture --->PRE------>[ROUTE]--->FWD---------->POST------> Conntrack Mangle ^ Mangle Mangle Filter NAT (Src) NAT (Dst) Conntrack (QDisc) [ROUTE] v IN Filter OUT Conntrack Conntrack ^ Mangle Mangle NAT (Dst) v Filter

LVS Intro Interaction of LVS with Netfilter Configuration Overview Netfilter Architecture

LVS Intro Configuration Overview Netfilter Architecture Modules register with a priority, the lowest priority getting to look at the packets first. LVS registers itself with a higher priority than iptables rules, and thus iptables will get the packet first and then LVS.

LVS Intro Scheduling Basics Scheduling Algorithms Introduction to Linux Virtual Server Configuration Overview Netfilter Architecture Scheduling Basics Scheduling Algorithms Persistence Template Persistence Granularity

LVS Intro Scheduling Basics Scheduling Algorithms Which realserver to service a new connection request Virtual service, and server pool VIP:PORT, or fwmark Scheduling granularity LVS - network connection-based DNS - host-based, TTL Quiescent feature stop the realserver from being selected by the scheduler

LVS Intro Scheduling Basics Scheduling Algorithms Schedulers RR, WRR, weight and scheduling sequence LC, WLC, estimating realserver connections? TIME WAIT DH, LBLC, LBLCR, by dest ip, aplicable to transparent proxy where the dest ip could be variable. SH, by client ip. Persistent connection

LVS Intro Scheduling Basics Scheduling Algorithms If the realservers are offering different services and some have clients connected for a long time while others are connected for a short time, or some are compute bound, while others are network bound, then none of the schedulers will do a good job of distributing the load between the realservers. LVS doesn t have any load monitoring of the realservers. Ratz Nov 2006 After almost 10 years of my involvement with load balancers, I have to admit that no customer ever truly asked or cared about the scheduling algorithm :). This is academia for the rest of the world.

LVS Intro Persistence Template Persistence Granularity Introduction to Linux Virtual Server Configuration Overview Netfilter Architecture Scheduling Basics Scheduling Algorithms Persistence Template Persistence Granularity

LVS Intro Persistence Template Persistence Granularity The two meanings of persistence Keep-Alive used for clients connecting to webservers and databases Affinity (LVS persistence) used by cisco. Persistance opperates independant of the scheduler It looks up a persistance template and if it finds one, then it uses it, else it asks the scheduler what to do.

LVS Intro Persistence Template Persistence Granularity Persistence Template IP VS connection table <CIP, VIRTUAL SERVICE, RIP:PORT, FLAGS> VIRTUAL SERVICE is either VIP:PORT or fwmark the NONE flag is the trick # ipvsadm -L -n -c grep NONE The two kinds of conneciton tracking IP VS ip vs Netfilter ip conntrack

LVS Intro Persistence Template Persistence Granularity Persistence Granularity Loadbalance all clients from a netmask as one group. Applied to the CIP Works the same whether you are using fwmark or the VIP to setup the LVS

LVS Intro Introduction to Linux Virtual Server Configuration Overview Netfilter Architecture Scheduling Basics Scheduling Algorithms Persistence Template Persistence Granularity

LVS Intro IP VS table entry revisited <CIP, VIRTUAL SERVICE, RIP:PORT, FLAGS> --------------------- -------- ----- ---- \ / \ \ scheduling \ \ NONE refers to templates persistence granularity others trace connections

LVS Intro Clear the table # ipvsadm -C expire nodest conn (destined for a server no longer in the pool) 1: expire entry and reset client 0: keep entry and drop packet Clear quiescent persistent connections expire quiescent template (timeout persistent template when server goes down) ARP problem with LVS-DR

HA Basics Solutions Part II LVS High Availability

HA Basics Solutions LVS High Avaliablity Realserver Failover Director Failover HA Basics LVS High Avaliablity Realserver Failover Director Failover Solutions Heartbeat Keepalived

HA Basics Solutions LVS High Avaliablity Realserver Failover Director Failover A design principle of HA systems is three distinct paths to the servers: resource-path (or public path), heartbeat, and administrative. Single point of failure you can t protect against everything Health check accuracy Stateful failover connection table persistent session data

HA Basics Solutions LVS High Avaliablity Realserver Failover Director Failover Realserver Failover Service check tcp, http, https, smtp,... Server operations Realserver pool Added to pool Quiescent (weight=0) Removed from pool Sorry server Stateful failover conntrackd persistent session data

HA Basics Solutions LVS High Avaliablity Realserver Failover Director Failover Director Failover VRRP, Linux-HA VIP takeover unsolicited ARP Server state sync daemon

HA Basics Solutions Heartbeat Keepalived HA Basics LVS High Avaliablity Realserver Failover Director Failover Solutions Heartbeat Keepalived

HA Basics Solutions Heartbeat Keepalived Heartbeat The heartbeat cluster messaging layer Resource agents Local resource manager, and STONITH

HA Basics Solutions Heartbeat Keepalived Keepalived Keepalived is a userspace daemon for LVS cluster nodes healthchecks and LVS directors failover. PID 111 Keepalived <-- Parent process monitoring childs 112 \_ Keepalived <-- VRRP children 113 \_ Keepalived <-- Healthchecking children

HA Basics Solutions Heartbeat Keepalived Keepalived Global View

HA Basics Solutions Heartbeat Keepalived Keepalived Design

Thanks

References [1] LVS-HOWTO http://www.austintek.com/lvs/lvs-howto/ [2] The Linux Virtual Server Project http://www.linuxvirtualserver.org/ [3] Netfilter workshops http://workshop.netfilter.org [4] Linux netfilter Hacking HOWTO http://netfilter.org/documentation/howto/netfilter-hacking-howto.html [5] Linux Advanced Routing & Traffic Control HOWTO http://lartc.org/howto/lartc.netfilter.html [6] Recent and Future Developments in IPVS http://workshop.netfilter.org/2010/wiki/images/6/6a/lvs.en.pdf [7] Conntrackd: High Availability for stateful Linux firewalls http://workshop.netfilter.org/2007/presentations/conntrackd-nfws.odp [8] Linux-HA project http://linux-ha.org [9] Keepalived for Linux http://www.keepalived.org [10] Alexandre Simon at JRES 2011 http://www.keepalived.org/pdf/asimon-jres-paper.pdf