#######################
Case Study: Healthcheck
#######################

As an example we can introduce the following LVS topology:

First of all, you need a well-configured LVS topology. In the rest of this document, we will assume that all system configurations have been done. This kind of topology is generally implemented in a DMZ architecture. For more information on LVS NAT topology and system configuration please read the nice Joseph Mack LVS HOWTO.

Main architecture components
****************************

* LVS Router: Owning the load balanced IP Class routed (192.168.100.0/24).
* Network Router: The default router for the entire internal network. All the LAN workstations are handled through this IP address.
* Network DNS Server: Referencing the internal network IP topology.
* SMTP Server: SMTP server receiving the mail alerts.
* SERVER POOL: Set of servers hosting load balanced services.

Server pool specifications
**************************

In this sample configuration we have 2 server pools:

* Server pool 1: Hosting the HTTP & SSL services. Each server owns two application servers (IBM WEBSPHERE & BEA WEBLOGIC)
* Server pool 2: Hosting the SMTP service.

Keepalived configuration
************************

You are now ready to configure the Keepalived daemon according to your LVS topology. The whole configuration is done in the /etc/keepalived/keepalived.conf file. In our case study this file looks like::

    # Configuration File for keepalived
    global_defs {
        notification_email {
            admin@domain.com
            0633225522@domain.com
        }
        notification_email_from keepalived@domain.com
        smtp_server 192.168.200.20
        smtp_connect_timeout 30
        lvs_id LVS_MAIN
    }
    virtual_server 192.168.200.15 80 {
        delay_loop 30
        lb_algo wrr
        lb_kind NAT
        persistence_timeout 50
        protocol TCP

        sorry_server 192.168.100.100 80

        real_server 192.168.100.2 80 {
            weight 2
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest ec90a42b99ea9a2f5ecbe213ac9eba03
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334c
                }
                connect_timeout 3
                retry 3
                delay_before_retry 2
            }
        }
        real_server 192.168.100.3 80 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334c
                }
                connect_timeout 3
                retry 3
                delay_before_retry 2
            }
        }
    }
    virtual_server 192.168.200.15 443 {
        delay_loop 20
        lb_algo rr
        lb_kind NAT
        persistence_timeout 360
        protocol TCP
        real_server 192.168.100.2 443 {
            weight 1
            TCP_CHECK {
                connect_timeout 3
            }
        }
        real_server 192.168.100.3 443 {
            weight 1
            TCP_CHECK {
                connect_timeout 3
            }
        }
    }
    virtual_server 192.168.200.15 25 {
        delay_loop 15
        lb_algo wlc
        lb_kind NAT
        persistence_timeout 50
        protocol TCP
        real_server 192.168.100.4 25 {
            weight 1
            TCP_CHECK {
                connect_timeout 3
            }
        }
        real_server 192.168.100.5 25 {
            weight 2
            TCP_CHECK {
                connect_timeout 3
            }
        }
    }

According to this configuration example, the Keepalived daemon will drive the kernel using the following information:

* The LVS server will own the name: LVS_MAIN
* Notification:

    * SMTP server will be: 192.168.200.20
    * SMTP connection timeout is set to: 30 seconds
    * Notification emails will be: admin@domain.com & 0633225522@domain.com

* Load balanced services:

    * HTTP: VIP 192.168.200.15 port 80

        * Load balancing: Using Weighted Round Robin scheduler with NAT forwarding. Connection persistence is set to 50 seconds on each TCP service. If you are using Linux kernel 2.2 you need to specify the NAT netmask to define the IPFW masquerade granularity (nat_mask keyword). The delay loop is set to 30 seconds.
        * Sorry Server: If all real servers are removed from the VS’s server pools, we add the sorry_server 192.168.100.100 port 80 to serve client requests.
        * Real server 192.168.100.2 port 80 will be weighted to 2. Failure detection will be based on HTTP_GET over 2 URLs. The service connection timeout will be set to 3 seconds. The real server will be considered down after 3 retries. The daemon will wait for 2 seconds before retrying.
        * Real server 192.168.100.3 port 80 will be weighted to 1. Failure detection will be based on HTTP_GET over 1 URL. The service connection timeout will be set to 3 seconds. The real server will be considered down after 3 retries. The daemon will wait for 2 seconds before retrying.

    * SSL: VIP 192.168.200.15 port 443

        * Load balancing: Using Round Robin scheduler with NAT forwarding. Connection persistence is set to 360 seconds on each TCP service. The delay loop is set to 20 seconds.
        * Real server 192.168.100.2 port 443 will be weighted to 2. Failure detection will be based on TCP_CHECK. The real server will be considered down after a 3-second connection timeout.
        * Real server 192.168.100.3 port 443 will be weighted to 2. Failure detection will be based on TCP_CHECK. The real server will be considered down after a 3-second connection timeout.

    * SMTP: VIP 192.168.200.15 port 25

        * Load balancing: Using Weighted Least Connection scheduling algorithm in a NAT topology with connection persistence set to 50 seconds. The delay loop is set to 15 seconds.
        * Real server 192.168.100.4 port 25 will be weighted to 1. Failure detection will be based on TCP_CHECK. The real server will be considered down after a 3-second connection timeout.
        * Real server 192.168.100.5 port 25 will be weighted to 2. Failure detection will be based on TCP_CHECK. The real server will be considered down after a 3-second connection timeout.

For SSL server health check, we can use SSL_GET checkers. The configuration block for a corresponding real server will look like::

    virtual_server 192.168.200.15 443 {
        delay_loop 20
        lb_algo rr
        lb_kind NAT
        persistence_timeout 360
        protocol TCP
        real_server 192.168.100.2 443 {
            weight 1
            SSL_GET
            {
                url {
                    path /testurl/test.jsp
                    digest ec90a42b99ea9a2f5ecbe213ac9eba03
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334c
                }
                connect_timeout 3
                retry 3
                delay_before_retry 2
            }
        }
        real_server 192.168.100.3 443 {
            weight 1
            SSL_GET
            {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334c
                }
                connect_timeout 3
                retry 3
                delay_before_retry 2
            }
        }
    }

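The two port 443 configurations above differ only in the checker: TCP_CHECK confirms that the port accepts a connection, while SSL_GET fetches a URL and compares its digest. As an added example (not part of the Keepalived documentation), the Python sketch below scans a keepalived.conf and lists the real servers that have only a connect check; the function names and the embedded excerpt are constructed for illustration.

```python
import re

CHECKERS = ("HTTP_GET", "SSL_GET", "TCP_CHECK")

# Constructed excerpt in the same shape as the case-study file.
SAMPLE = """
virtual_server 192.168.200.15 443 {
    lb_algo rr
    real_server 192.168.100.2 443 {
        weight 1
        SSL_GET
        {
            url {
                path /testurl/test.jsp
                digest ec90a42b99ea9a2f5ecbe213ac9eba03
            }
        }
    }
    real_server 192.168.100.3 443 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
        }
    }
}
"""

def real_servers(conf):
    """Return one dict per real_server: VIP, address, checker type, URL count."""
    conf = re.sub(r"\s*\n\s*\{", " {", conf)  # join a brace left on its own line
    rows, vip = [], None
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok or tok[-1] != "{":
            continue  # only block openers matter for this summary
        if tok[0] == "virtual_server":
            vip = f"{tok[1]}:{tok[2]}"
        elif tok[0] == "real_server":
            rows.append({"vip": vip, "rip": f"{tok[1]}:{tok[2]}",
                         "checker": None, "urls": 0})
        elif tok[0] in CHECKERS and rows:
            rows[-1]["checker"] = tok[0]
        elif tok[0] == "url" and rows:
            rows[-1]["urls"] += 1
    return rows

def connect_only(rows):
    """Real servers whose only health check is a TCP connect."""
    return [r["rip"] for r in rows if r["checker"] == "TCP_CHECK"]

if __name__ == "__main__":
    print(connect_only(real_servers(SAMPLE)))
```
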
To generate a sum over a URL simply proceed as follows::

    [root@lvs /root]# genhash -s 192.168.100.2 -p 80 -u /testurl/test.jsp
    --------------------------[ HTTP Header Buffer ]--------------------------
    0000  48 54 54 50 2f 31 2e 31 - 20 34 30 31 20 55 6e 61   HTTP/1.1 401 Una
    0010  75 74 68 6f 72 69 7a 65 - 64 0d 0a 44 61 74 65 3a   uthorized..Date:
    0020  20 4d 6f 6e 2c 20 32 33 - 20 41 70 72 20 32 30 30    Mon, 23 Apr 200
    0030  31 20 31 35 3a 34 31 3a - 35 34 20 47 4d 54 0d 0a   1 15:41:54 GMT..
    0040  41 6c 6c 6f 77 3a 20 47 - 45 54 2c 20 48 45 41 44   Allow: GET, HEAD
    0050  0d 0a 53 65 72 76 65 72 - 3a 20 4f 72 61 63 6c 65   ..Server: Oracle
    0060  5f 57 65 62 5f 4c 69 73 - 74 65 6e 65 72 2f 34 2e   _Web_Listener/4.
    0070  30 2e 38 2e 31 2e 30 45 - 6e 74 65 72 70 72 69 73   0.8.1.0Enterpris
    0080  65 45 64 69 74 69 6f 6e - 0d 0a 43 6f 6e 74 65 6e   eEdition..Conten
    0090  74 2d 54 79 70 65 3a 20 - 74 65 78 74 2f 68 74 6d   t-Type: text/htm
    00a0  6c 0d 0a 43 6f 6e 74 65 - 6e 74 2d 4c 65 6e 67 74   l..Content-Lengt
    00b0  68 3a 20 31 36 34 0d 0a - 57 57 57 2d 41 75 74 68   h: 164..WWW-Auth
    00c0  65 6e 74 69 63 61 74 65 - 3a 20 42 61 73 69 63 20   enticate: Basic
    00d0  72 65 61 6c 6d 3d 22 41 - 43 43 45 53 20 20 20 20   realm="ACCES
    00e0  22 0d 0a 43 61 63 68 65 - 2d 43 6f 6e 74 72 6f 6c   "..Cache-Control
    00f0  3a 20 70 75 62 6c 69 63 - 0d 0a 0d 0a               : public....
    ------------------------------[ HTML Buffer ]-----------------------------
    0000  3c 48 54 4d 4c 3e 3c 48 - 45 41 44 3e 3c 54 49 54   <HTML><HEAD><TIT
    0010  4c 45 3e 55 6e 61 75 74 - 68 6f 72 69 7a 65 64 3c   LE>Unauthorized<
    0020  2f 54 49 54 4c 45 3e 3c - 2f 48 45 41 44 3e 0d 0a   /TITLE></HEAD>..
    0030  3c 42 4f 44 59 3e 54 68 - 69 73 20 64 6f 63 75 6d   <BODY>This docum
    0040  65 6e 74 20 69 73 20 70 - 72 6f 74 65 63 74 65 64   ent is protected
    0050  2e 20 20 59 6f 75 20 6d - 75 73 74 20 73 65 6e 64   .  You must send
    0060  0d 0a 74 68 65 20 70 72 - 6f 70 65 72 20 61 75 74   ..the proper aut
    0070  68 6f 72 69 7a 61 74 69 - 6f 6e 20 69 6e 66 6f 72   horization infor
    0080  6d 61 74 69 6f 6e 20 74 - 6f 20 61 63 63 65 73 73   mation to access
    0090  20 69 74 2e 3c 2f 42 4f - 44 59 3e 3c 2f 48 54 4d    it.</BODY></HTM
    00a0  4c 3e 0d 0a             -                           L>..
    -----------------------[ HTML MD5 final resulting ]-----------------------
    MD5 Digest : ec90a42b99ea9a2f5ecbe213ac9eba03

The only thing to do is to copy the generated MD5 Digest value and paste it into your Keepalived configuration file as a digest value keyword.

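The genhash run above hashes the HTML buffer of a 401 Unauthorized reply, so the configured digest matches for as long as the server keeps returning that same 401 page. The added Python example below (not Keepalived code) shows what a body-only digest comparison accepts and rejects; it assumes, as the "HTML MD5 final resulting" label indicates, that the digest covers the HTML buffer only. The responses are constructed, and `required_status` is a hypothetical parameter of this sketch.

```python
import hashlib

# Constructed sample responses (not captured from a real server).
RESP_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<HTML><BODY>This document is protected.</BODY></HTML>\r\n")
RESP_200 = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<HTML><BODY>application up</BODY></HTML>\r\n")


def split_response(raw):
    """Return (status_code, body) from a raw HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].split(None, 2)
    if not sep or len(fields) < 2 or not fields[1].isdigit():
        raise ValueError("not a complete HTTP response")
    return int(fields[1]), body


def body_digest(raw):
    """MD5 over the body only: the value to paste after 'digest'."""
    return hashlib.md5(split_response(raw)[1]).hexdigest()


def check(raw, digest, required_status=None):
    """Compare the body digest; optionally also require a status code."""
    status, body = split_response(raw)
    ok = hashlib.md5(body).hexdigest() == digest.lower()
    if required_status is not None:
        ok = ok and status == required_status
    return ok


if __name__ == "__main__":
    recorded = body_digest(RESP_401)        # recorded while the URL answered 401
    print(check(RESP_401, recorded))        # same 401 page again
    print(check(RESP_200, recorded))        # body changed, digest differs
    print(check(RESP_401, recorded, 200))   # digest matches, status does not
```

When recording a digest, look at the header buffer genhash prints as well, so that the value pasted into the configuration belongs to the response you intend to treat as healthy.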