On Thu, Aug 23, 2007 at 07:26:25AM -0500, Michael S. Zick wrote:
> On Thu August 23 2007 03:45, Jeff Williams wrote:
> > Philippe Teuwen wrote:
> > >
> > >> Thanks, but I don't want to create a private network between the
> > >> vservers, rather, I want to assign some ip addresses to one of
> > >> the vservers that none of the other vserver will send to directly
> > >> (not even via the host). I can't see how I can do this.
> > >
> > > private adresses not visible even by the host, that's really the
> > > problem...
> > >> The scenario is this:
> > >>
> > >> I have a load balanacer (lb) sitting in front of some servers,
> > >> one of which is a vserver host. One of the load balanced services
> > >> is mail, and it has the virtual IP of 4.3.2.1 on lb. The vserver
> > >> host contains 2 vservers: one for web with ip 1.2.3.4 and one for
> > >> mail with ip 1.2.3.5. There is a separate mail server with ip
> > >> 1.2.3.6. Mail traffic coming to the ip 4.3.2.1 gets distributed
> > >> between 1.2.3.5 and 1.2.4.6. These servers need to have a hidden
> > >> interface with the ip 4.3.2.1 so that they accept the packets
> > >> forwarded by lb.
> > >>
> > > How this distribution is done when you've physical distinct
> > > servers? lb forwards packets to ip 4.3.2.1 and mac of 1.2.3.x?
> > > even if lb has itself such 4.3.2.1 ip?
> >
> > Yes. The lb has the 4.3.2.1 on the customer facing interface and
> > it drop the packets onto the 1.2.3.* network with the dest ip of
> > 4.3.2.1 and the mac address of the dest server. Requires the lb and
> > real server to be on the same layer 2 network.
> > >
> > > Another idea:
> > > Could you do load balancing via ports rather than macs?
> > >
> > > lb, A and B have all the same IP 4.3.2.1
> > > vservers A and B run your mail service respectively on ports 2501 and
> > > 2502.
> > > lb accepts external packets on port 25 and forward them to "itself" on
> > > port 2501 or 2502.
> > This doesn't really work. For the mail vserver to get the packet the
> > vserver host needs to accept packets for 4.3.2.1 and forward them to the
> > mail vserver. Once it does this, it will also route all packets from the
> > other vservers to the mail vserver.
> >
> Do I understand what you are saying?
> The first packet causes the MAC address to be entered in the address
> resolution table, and once that happens (MAC in AR table) that lookup
> becomes the controlling routing?
>
> I think that is the way it is supposed to work, but might be wrong,
> NAE.
>
> It sounds like you need the same mechanism used to spread the load
> between two dial-up lines - both have the same end-point IPs but
> different MAC addresses.
> In addition to assigning an IP(s) to a vserver instance, can you also
> assign MAC(s) to a vserver instance?
nope, Linux-VServer uses IP layer Isolation (not virtualized
interfaces with fake MAC, for a good reason: performance)
so all your setups/problems/whatever are identical to the
ones you have on a normal Linux Server, and thus are solved
in the same ways ...
> Then, if nothing else, use the bridge tables to get the desired
> routing?
> After all, it is the MAC that identifies the machine/interface -
> should it not also identify the machine/vserver?
yes, it identifies the _interface_ not the _ip_ but if you
have plenty of interfaces, you can of course assign one per
guest (by binding an ip to it and giving that to the guest)
note: that will not stop the network stack from _knowing_
that the other IPs are on the same machine ....
> Mike
> >
> > Note that when the packet is addressed to 4.3.2.1 you need to use
> > the mac address, otherwise the packet will not leave the lb.
> >
> > Ports don't help as they only come into it after the the host has
> > been found.
in general, you might want to look into the details for
the linux network stack and rethink your setup, because
it sounds like you actually want higher network overhead
to satisfy a theoretical setup with not too much practical
purpose ... YMMV
best,
Herbert
> > Regards,
> > Jeff
> >
> >
Received on Fri Aug 24 14:48:05 2007