On Thursday, 23.08.2007, 09:31 +0800, Jeff Williams wrote:
> Philippe Teuwen wrote:
> >
> >> Will it be possible to alias these private loopback addresses and still
> >> be private from the other servers? I have some virtual servers sitting
> >> behind a load balancer. They have loopback aliases from the load
> >> balancer virtual IP. However, if I add an alias to the loopback on one
> >> vserver, all of the vservers on that host use that vserver rather than
> >> going through the load balancer. Will private loopbacks fix this?
> >>
> >
> > Personally I use several static tapN interfaces.
> > This can be used to set the equivalent of a loopback interface (one
> > different tap0/tap1/... per vserver) or to set an internal private
> > network between vservers.
> > For info this trick came from the time I was playing with UML
> > (user-mode linux).
> > But maybe it could solve your problem.
> > Note that the host will see all tap interfaces as the host creates all
> > those tap.
> Thanks, but I don't want to create a private network between the
> vservers, rather, I want to assign some ip addresses to one of the
> vservers that none of the other vserver will send to directly (not even
> via the host). I can't see how I can do this.
>
> The scenario is this:
>
> I have a load balancer (lb) sitting in front of some servers, one of
> which is a vserver host. One of the load balanced services is mail, and
> it has the virtual IP of 4.3.2.1 on lb. The vserver host contains 2
> vservers: one for web with ip 1.2.3.4 and one for mail with ip 1.2.3.5.
> There is a separate mail server with ip 1.2.3.6. Mail traffic coming to
> the ip 4.3.2.1 gets distributed between 1.2.3.5 and 1.2.4.6. These
> servers need to have a hidden interface with the ip 4.3.2.1 so that they
> accept the packets forwarded by lb.
>
> On a regular server, assigning 4.3.2.1 as an alias of the loopback
> interface allows the server to accept packets for 4.3.2.1 while not
> announcing that ip to the rest of the network. However, on the vserver
> host, because the host sees the 4.3.2.1 address, all traffic from other
> vservers (e.g. the web server) for the ip gets routed directly to the
> vserver rather than to the lb.
>
> I can't see any way around this. The lb sends a packet with mac address
> of the vserver host and the address 4.3.2.1. Therefore the host needs to
> be aware of the IP. However, once it is aware of the IP, it routes the
> traffic from all of the other vservers. Any ideas? I can only think of
> playing with iptables rules, but that doesn't seem like fun.
You might also have a look at my thread here
"Avoiding kernel internal routing among vserver clients"
from like 2 or 3 weeks ago.
The problem seems similar to mine and I've got mine (mostly) solved.
Still need to investigate the icmp problem though. Haven't had time to
look at it since.
Tom
Received on Fri Aug 24 03:09:51 2007
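The setup Jeff describes (a load-balancer VIP hidden on the host's loopback, plus the unwanted kernel-internal delivery of the web guest's traffic to the mail guest) as an added example, not code from the thread or from the Linux-VServer project. It reuses the thread's addresses (VIP 4.3.2.1, web guest 1.2.3.4, mail guest 1.2.3.5) and assumes a host gateway of 1.2.3.254, routing table 100 and rule preferences 500/1000, all hypothetical. The second half is one way to do what Jeff calls "playing with iptables rules", using policy routing instead of iptables: it assumes the host kernel lets the pref 0 "local" rule be deleted and re-added at a lower priority, and that the web guest's own address is already the packet's source when the routing decision is made. By default the script only prints the commands; set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example (not from the thread): hide a load-balancer VIP on a
# Linux-VServer host and keep the other guests from reaching it in-kernel.
# Assumed/hypothetical values: GATEWAY, TABLE and the rule preferences.

VIP=4.3.2.1          # virtual IP owned by the load balancer (from the thread)
MAIL_IP=1.2.3.5      # the guest on this host that really serves the VIP
WEB_IP=1.2.3.4       # a guest that must reach the VIP via the load balancer
GATEWAY=1.2.3.254    # assumed default gateway of the host (hypothetical)
TABLE=100            # assumed spare routing table number (hypothetical)

# Only execute when APPLY=1; otherwise print the plan so it can be reviewed
# (and exercised without root) before touching a production host.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Step 1: the part a plain direct-routing server also needs. The VIP lives on
# lo as a /32 and the host never answers or advertises ARP for it, so the rest
# of the LAN keeps sending VIP traffic to the load balancer's MAC address.
hide_vip() {
    run sysctl -q -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -q -w net.ipv4.conf.all.arp_announce=2
    run sysctl -q -w net.ipv4.conf.lo.arp_ignore=1
    run sysctl -q -w net.ipv4.conf.lo.arp_announce=2
    run ip addr add "$VIP/32" dev lo
}

# Step 2: the part only the vserver host needs. All guests share one kernel, and
# the "local" routing table (consulted first, at preference 0) delivers any
# guest's packets for the VIP straight to the mail guest. Put a rule for the web
# guest's VIP traffic in front of the local table and send it to the gateway,
# so it reaches the load balancer like traffic from any other machine would.
# Traffic arriving from the LB (a different source) still hits the local table.
route_guest_via_lb() {
    run ip route add "$VIP/32" via "$GATEWAY" table "$TABLE"
    run ip rule add from "$WEB_IP" to "$VIP" lookup "$TABLE" pref 500
    # Re-add the local table at a lower priority BEFORE deleting the pref 0
    # copy, so local delivery never disappears entirely.
    run ip rule add from all lookup local pref 1000
    run ip rule del pref 0
}

# Optional check once applied: the first lookup should report the gateway,
# the second should report local delivery.
show_decisions() {
    run ip route get "$VIP" from "$WEB_IP"
    run ip route get "$VIP" from "$MAIL_IP"
}

apply_all() {
    hide_vip
    route_guest_via_lb
}

# Usage: sh hide_vip.sh            (prints the plan)
#        APPLY=1 sh hide_vip.sh    (applies it, as root)
apply_all
```

The guest that owns the VIP (1.2.3.5) is deliberately left alone: its own connections to 4.3.2.1 are still delivered locally, exactly as they would be on a standalone mail server with the VIP on lo. Only the guests that must not short-circuit the load balancer get a `from <guest> to <VIP>` rule; add one line per such guest.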