Hack Admin » Network

IP Failover For Web Cluster

admin — Tue, 23 Feb 2010 00:38:38 +0000

Article by Aashish

keepalived provides a strong and robust health checking for LVS clusters. It nginx implements a framework of health checking on multiple layers for server failover, and VRRPv2 stack to handle director failover. How do I install and configure Keepalived for reverse proxy server such as nginx or lighttpd?

If your are using a LVS director to loadbalance a server pool in a production environment, you may want to have a robust solution for healthcheck & failover. This will also work with reverse proxy server such as nginx.

lb0 – Linux box directly connected to the Internet via eth1. This is master load balancer.
lb1 – Linux box directly connected to the Internet via eth1. This is backup load balancer. This will become active if master networking failed.

202.54.1.1 – This ip moves between lb0 and lb1 server. It is called virtual IP address and it is managed by keepalived.
eth0 is connected to LAN and all other backend software such as Apache, MySQL and so on.

You need to install the following softwares on both lb0 and lb1:

keepalived for IP failover.
iptables to filter traffic
nginx or lighttpd revers proxy server.

DNS settings should be as follows:

hackadmin.in – Our sample domain name.
lb0.hackadmin.in – 202.54.1.11 (real ip assigned to eth1)
lb1.hackadmin.in – 202.54.1.12 (real ip assigned to eth1)
www.hackadmin.com – 202.54.1.1 (VIP for web server) do not assign this IP to any interface.

Install Keepalived

Visit keepalived.org to grab latest source code. You can use the wget command to download the same (you need to install keepalived on both lb0 and lb1):

# cd /opt

# wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz

# tar -zxvf keepalived-1.1.19.tar.gz

# cd keepalived-1.1.19

Install Kernel Headers

You need to install the following packages:

Kernel-headers – includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
kernel-devel – this package provides kernel headers and makefiles sufficient to build modules against the kernel package.

Make sure kernel-headers and kernel-devel packages are installed. If not type the following install the same:

Compile keepalived

Type the following command:
# ./configure –with-kernel-dir=/lib/

modules/$(uname -r)/build

Sample outputs:

checking for gcc… gcc
checking for C compiler default output file name… a.out
checking whether the C compiler works… yes
checking whether we are cross compiling… no
checking for suffix of executables…
checking for suffix of object files… o
…
…..
..
config.status: creating keepalived/check/Makefile
config.status: creating keepalived/libipvs-2.6/Makefile

Keepalived configuration
————————
Keepalived version : 1.1.19
Compiler : gcc
Compiler flags : -g -O2
Extra Lib : -lpopt -lssl -lcrypto
Use IPVS Framework : Yes
IPVS sync daemon support : Yes
Use VRRP Framework : Yes
Use Debug flags : No

Compile and install the same:
# make && make install

Create Required Softlinks

Type the following commands to create service and run it at RHEL / CentOS run level #3 :
# cd /etc/sysconfig
# ln -s /usr/local/etc/sysconfig/keepalived .
# cd /etc/rc3.d/
# ln -s /usr/local/etc/rc.d/init.d/keepalived S100keepalived
# cd /etc/init.d/
# ln -s /usr/local/etc/rc.d/init.d/keepalived .

Configuration

Your main configuration directory is located at /usr/local/etc/keepalived and configuration file name is keepalived.conf. First, make backup of existing configuration:
# cd /usr/local/etc/keepalived
# cp keepalived.conf keepalived.conf.bak
Edit keepalived.conf as follows on lb0:

vrrp_instance VI_1 {
interface eth0
state MASTER
virtual_router_id 51
priority 101
authentication {
auth_type PASS
auth_pass Add-Your-Password-Here
}
virtual_ipaddress {
202.54.1.1/29 dev eth1
}
}

Edit keepalived.conf as follows on lb1 (note priority set to 100 i.e. backup load balancer):

vrrp_instance VI_1 {
interface eth0
state MASTER
virtual_router_id 51
priority 100
authentication {
auth_type PASS
auth_pass Add-Your-Password-Here
}
virtual_ipaddress {
202.54.1.1/29 dev eth1
}
}

Save and close the file. Finally start keepalived on both lb0 and lb1 as follows:
# /etc/init.d/keepalived start

Verify: Keepalived Working Or Not

/var/log/messages will keep track of VIP:
# tail -f /var/log/messages
Sample outputs:

Feb 21 04:06:15 lb0 Keepalived_vrrp: Netlink reflector reports IP 202.54.1.1 added
Feb 21 04:06:20 lb0 Keepalived_vrrp: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth1 for 202.54.1.1

Verify that VIP assigned to eth1:
# ip addr show eth1
Sample outputs:

3: eth1: mtu 1500 qdisc pfifo_fast qlen 10000
link/ether 00:30:48:30:30:a3 brd ff:ff:ff:ff:ff:ff
inet 202.54.1.11/29 brd 202.54.1.254 scope global eth1
inet 202.54.1.1/29 scope global secondary eth1

ping failover test

Open UNIX / Linux / OS X desktop terminal and type the following command to ping to VIP:
# ping 202.54.1.1
Login to lb0 and halt the server or take down networking:
# halt
Within seconds VIP should move from lb0 to lb1 and you should not see any drops in ping. On lb1 you should get the following in /var/log/messages:

Feb 21 04:10:07 lb1 Keepalived_vrrp: VRRP_Instance(VI_1) forcing a new MASTER election
Feb 21 04:10:08 lb1 Keepalived_vrrp: VRRP_Instance(VI_1) Transition to MASTER STATE
Feb 21 04:10:09 lb1 Keepalived_vrrp: VRRP_Instance(VI_1) Entering MASTER STATE
Feb 21 04:10:09 lb1 Keepalived_vrrp: VRRP_Instance(VI_1) setting protocol VIPs.
Feb 21 04:10:09 lb1 Keepalived_healthcheckers: Netlink reflector reports IP 202.54.1.1 added
Feb 21 04:10:09 lb1 Keepalived_vrrp: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth1 for 202.54.1.1

Dell Switches, Digi Console Servers and Linux Serial Ports

admin — Sat, 04 Jul 2009 13:56:01 +0000

What a day… So we have a fancy new(new to us) Dell 6000 series switch, a 6224 actually. As it turns out, our typical remote serial solution won’t work with this switch. Normally we’ll connect the console port of these switches to a Digi Passport Server. The network has 2 entry points, so if we need to work on any device that may cause an outage at either entry point, we have options to maintain connectivity.

At any rate, this sweet little 6000 series switch works fine connected to a PC, but through the Digi we get no love. What does Dell say? Dell says it should be exactly like all of our 5000 series switches and there should be no change in Digi pinouts, they also said, if it doesn’t work now, it never will. Whatever that means.. Well this of course creates a dilemma, we need to modify this thing and it is definitely going to drop the network.

So the short term solution is using a linux box that is connected to one of our entry points. Basically we just plugged the Dell console cable into the serial port of this server. After that you can just use screen from a terminal window to make it all go.

Once you have the Dell console cable connected, open a terminal window to the server that is hooked to the Dell(or whatever device). If you haven’t used sceen before, it’s really quite simple, basically, in your terminal window type the following command:

screen /dev/ttyS0 9600

This opens a console connection to the dell through your serial port at 9600 baud. Once you are in here, it’s life as normal, it’s getting out where you’ll need to know a little about screen.

The easiest way to bail out of this connection is the following sequence:
CTRL + A
K (SHIFT + K)

This will open a dialog at the bottom of the window asking if you are sure that you want to kill this window. Answer ‘y’ and you are back to your original terminal window.

Dat’s it.

Static Routes in CentOS 5.2

admin — Tue, 04 Nov 2008 20:29:08 +0000

To add a static route in CentOS 5.2 create a file specific to the interface in /etc/sysconfig/network-scripts.

For example, if you are adding routes where the route’s gateway will be on the network in use on eth0, you will create the following file: route-eth0

In the file add the following parameters:

GATEWAY0=192.168.195.2 NETMASK0=255.255.255.0 ADDRESS0=10.0.0.0

For each subsequent route statement increment the number that is appended to each parameter.

Test Your Site for Specific SSL Version Support

admin — Mon, 30 Jun 2008 21:08:06 +0000

Ok, so I had a hell of a time with some PCI compliance stuff. I was in somebody else’s config and it was a mess. Basically what I needed was a tool to test for what versions of SSL the server was allowing. Instead, I kept mucking with the config trying to get all the SSLv2 crap out of it… and it kept accepting SSLv2 requests. In order to verify I had failed again, I was waiting for the PCI reports to return (2 or 3 hours). Not very time efficient.

At any rate, here’s what I finally found:

For Windoze Whores:

http://support.microsoft.com/kb/284285

From the command line:

openssl s_client -host localhost -port 443 -ssl2

Of course you can rotate through your protocols and examine the output.

*Sigh*…

Net-SNMP Startup Issues and package updates.

admin — Wed, 16 Apr 2008 22:57:16 +0000

I ran into an issue the other day installing net-snmp-utils via yum on a CentOS 4.5 box and it just happened to me again. This time however, I didn’t install the net-snmp-utils, it was from the original load of net-snmp. Basically, I typically just do a:

yum -y install net-snmp

Then copy over my default snmpd.conf file and fire it up.

In these instances however, snmpd either refused to start or gave the following error in /var/log/messages:

Apr 16 18:14:35 msx-db01 kernel: audit(1208384075.250:6): avc: denied { read } for pid=27712 comm="snmpd" name="snmpd.conf" dev=sda3 ino=7241736 scontext=root:system_r:snmpd_t tcontext=root:object_r:tmp_t tclass=file Apr 16 18:14:35 msx-db01 kernel: audit(1208384075.265:7): avc: denied { read } for pid=27712 comm="snmpd" name="snmpd.conf" dev=sda3 ino=7241736 scontext=root:system_r:snmpd_t tcontext=root:object_r:tmp_t tclass=file Apr 16 18:14:35 msx-db01 snmpd[27712]: Warning: no access control information configured. It's unlikely this agent can serve any useful purpose in this state. Run "snmpconf -g basic_setup" to help you configure the snmpd.conf file for this agent. Apr 16 18:14:35 msx-db01 snmpd[27712]: NET-SNMP version 5.1.2

I tried to use snmpconf as suggested even though I knew my snmpd.conf file was fine. snmpconf was not on the system so I didn’t waste any time trying to find out how to get it.

So the fix is to install the net-snmp-libs package, not sure what it updates but it works.

yum -y install net-snmp-libs

The catch after that is (at least in all 3 of my situations) the following error on the yum install:

Transaction Check Error: file /usr/share/man/man8/ext2online.8.gz from install of e2fsprogs-1.35-12.11.el4_6.1 conflicts with file from package e2fsprogs-1.35-12.4.EL4

So, back to the hack admin package manager of choice *yum* :

yum update e2fsprogs

Once it’s updated, the net-snmp-libs goes in as expected.

So what’s the deal with all this? I dunno, what the hell do utilities for ext2 have to do with my ability to run snmp monitoring? Who gives a shit and if you know, you’re probably on the wrong site. At any rate, my monitoring works and I’ll leave the rest to the server fairies.

Moral of the story: If your shit works, do you really need to understand it?