The LVS (Linux Virtual Server) project was launched in 1998 and is meant to eliminate Single Point of Failures (SPOF). According to the linuxvirtualserver.org website: “LVS is a highly scalable and available server built on a cluster of real servers, with the load balancer running on Linux. The architecture of the server cluster is fully transparent to the end user, and the users interact as if it were a single high-performance virtual server. The real servers and the load balancers may be interconnected by either a high speed LAN or by a geographically dispersed WAN.”
The load balancer is the single entry point into the cluster. The client connects to a single known IP address, and then inside the virtual server the load balancer redirects the incoming connections to the server(s) that actually does the work according to the scheduling algorithm chosen. The nodes of the cluster (real servers) can be transparently added/removed, providing a high level of scalability. The LVS detects node failures on-the-fly and reconfigures the system accordingly, automatically, thus providing high availability. Theoretically, the load balancer can either run IPVS or KTCPVS techniques for load balancing, but owing to a very high stability of IPVS, it is used in almost all the implementations I have seen. See the sidebar titled “IPVS v/s KTCPVS” for a brief note on the differences between the two. IPVS provides Layer 4 load balancing and KTCPVS provides Layer 7 load balancing (see the sidebar).
|IPVS v/s KTCPVS|
|IPVS or IP Virtual Server is an implementation of Layer 4 load balancing inside the Linux kernel. Layer 4 load balancing works on OSI Layer 4 (Transport Layer) and distributes requests to the servers at the transport layer without looking at the content of the packets.
KTCPVS or Kernel TCP Virtual Server is an implementation of Layer 7 load balancing in the Linux kernel. Layer 7 load balancing is also known as application-level load balancing. The load balancer parses requests in the application layer and distributes requests to servers based on the content. The scalability of Layer 7 load balancing is not high because of the overhead of parsing the content.
There are three load balancing techniques used in IPVS:
- LVS/NAT – Virtual Server via NAT
- LVS/TUN – Virtual Server via Tunnelling
- LVS/DR – Virtual Server via Direct Routing
A brief overview of these techniques can be found in the sidebar titled “IPVS Load Balancing Techniques”.
|IPVS Load Balancing Techniques|
| LVS/NAT: This technique is one of the simplest to set up but could present an extra load on the load balancer, because the load balancer needs to rewrite both the request and response packets. The load balancer needs to also act as a default gateway for all the real servers, which does not allow the real servers to be in a geographically different network. The packet flow in this technique is as follows:
LVS/DR: DR stands for Direct Routing. This technique utilises MAC spoofing and demands that at least one of the load balancer’s NIC and real server’s NIC are in the same IP network segment as well as the same physical segment. In this technique, the virtual IP address is shared by the load balancer as well as all the real servers. Each real server has a loop-back alias interface configured with the virtual IP address. This loop-back alias interface must be NOARP so that it does not respond to any ARP requests for the virtual IP. The port number of incoming packets cannot be remapped, so if the virtual server is configured to listen on port 80, then real servers also need to service on port 80. The packet flow in this technique is as follows:
LVS/TUN: This is the most scalable technique. It allows the real servers to be present in different LANs or WANs because the communication happens with the help of the IP tunnelling protocol. The IP tunnelling allows an IP datagram to be encapsulated inside another IP datagram. This allows IP datagrams destined for one IP address to be wrapped and redirected to a different IP address. Each real server must support the IP tunnelling protocol and have one of its tunnel devices configured with the virtual IP. If the real servers are in a different network than the load balancer, then the routers in their network need to be configured to accept outgoing packets with the source address as the virtual IP.
This router reconfiguration needs to be done because the routers are typically configured to drop such packets as part of the anti-spoofing measures. Like the LVS/DR method, the port number of incoming packets cannot be remapped. The packet flow in this technique is as follows:
Since our real servers are located in two different data centres, we will be focusing on LVS/TUN.
Installing and configuring IPVS
Please note that the set-up explained here should only be used as a guideline and for an understanding of how IPVS works. Networking scenarios are different for every case and may demand extra reading and experimentation before getting a working set-up. My advice is that before trying this out in the field, make sure enough experiments have been done in the laboratory. Also, it is advisable to read through the documents in the References section at the end of the article.
On Debian and the likes, issue the following code:
# apt-get install ipvsadm keepalived
On Red Hat and the likes, use the following:
# yum install ipvsadm keepalived
The kernel module
ipip may need to be loaded, but in my experience, these modules were automatically loaded when I used the
To start with, we will consider a scenario that has two data centres. There is one LVS load balancer in each data centre. For the sake of giving them names, we will call them
ipvslb21. Now we will configure the IPIP tunnel between the load balancers and the real servers—
rproxy1 is in the first data centre and
rproxy2 is in the second.
Before we start the command configuration, have a look at Table 1 and Figure 1.
|Data Centre details|
|Data Centre||Host||Interface||IP Address||Role|
|Data Centre 1||ipvslb11||eth0||192.168.1.214/24||VIP|
|Data Centre 1||ipvslb11||eth1||192.168.1.13/24||DIP|
|Data Centre 2||ipvslb21||eth0||192.168.2.214/24||RIP|
|Data Centre 2||ipvslb21||eth1||192.168.2.13/24||DIP|
|Data Centre 1||rproxy1||eth0||192.168.1.14/24||RIP|
|Data Centre 1||rproxy1||tunl0 (no ARP)||192.168.1.214/32||VIP|
|Data Centre 1||rproxy1||tunl1 (no ARP)||192.168.2.214/32||VIP|
|Data Centre 2||rproxy2||eth0||192.168.2.2/24||RIP|
|Data Centre 2||rproxy2||tunl0 (no ARP)||192.168.1.214/32||VIP|
|Data Centre 2||rproxy2||tunl1 (no ARP)||192.168.2.214/32||VIP|
Please look at the following configuration carefully, and look at the host names in the prompt to identify to which server you need to type these commands:
rproxy1# modprobe ipip rproxy1# ip addr add 192.168.1.214/32 dev tunl0 rproxy1# ip addr add 192.168.2.214/32 dev tunl1 rproxy1# ip link set tunl0 up arp off rproxy1# ip link set tunl1 up arp off rproxy2# modprobe ipip rproxy2# ip addr add 192.168.1.214/32 dev tunl0 rproxy2# ip addr add 192.168.2.214/32 dev tunl1 rproxy2# ip link set tunl0 up arp off rproxy2# ip link set tunl1 up arp off
Now let us add two virtual servers—one to serve normal Web traffic and one for secure traffic on Port 443:
ipvslb11# ipvsadm -A -t 192.168.1.214:80 -s wlc ipvslb11# ipvsadm -A -t 192.168.1.214:443 -s wlc ipvslb11# ipvsadm -a -t 192.168.1.214:80 -r 192.168.1.14 -i ipvslb11# ipvsadm -a -t 192.168.1.214:443 -r 192.168.1.14 -i ipvslb11# ipvsadm -a -t 192.168.1.214:80 -r 192.168.2.2 -i ipvslb11# ipvsadm -a -t 192.168.1.214:443 -r 192.168.2.2 -i ipvslb21# ipvsadm -A -t 192.168.2.214:80 -s wlc ipvslb21# ipvsadm -A -t 192.168.2.214:443 -s wlc ipvslb21# ipvsadm -a -t 192.168.2.214:80 -r 192.168.1.14 -i ipvslb21# ipvsadm -a -t 192.168.2.214:443 -r 192.168.1.14 -i ipvslb21# ipvsadm -a -t 192.168.2.214:80 -r 192.168.2.2 -i ipvslb21# ipvsadm -a -t 192.168.2.214:443 -r 192.168.2.2 -i
The various options used with ipvsadm are:
-Aadds a virtual server
-aadds a real server
-tspecifies that the virtual server is a tcp service
-sis a scheduling method
-rrepresents the real server
-iis an option which specifies that an IPIP tunnel is to be used. IPVS will generate the IPIP packets on its own
You can view the IPVS configuration using the
-L option with the
ipvsadm command. The
-n option saves some DNS look-up time in case the real servers do not have a DNS or host file entry.
ipvslb1# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.1.214:https wlc persistent 86400 -> 192.168.1.14:https Tunnel 1 0 0 TCP 192.168.1.214:www rr -> 192.168.1.14:www Tunnel 1 0 0
A similar output is produced at the
Please make sure that the router at the Data Centre 2 (where
rproxy2 is located) is set to allow the spoofed address containing the VIP as the source address to pass through. This is the most common problem people face.
Note: If all the real servers are in the same data centre, then you need not worry about router configuration, but in that case you are better off using LVS/DR, which will give you faster performance.
High availability of load balancers—connection synchronisation in IPVS
ipvsadm command can run in daemon mode either as a master or back-up. The master server synchronises the connection information to the back-up server, thus providing a persistent connection in case the master server needs to be failed over to the back-up server.
The high-speed operation of a load balancer can cause some amount of extra load on the load balancers. So we need to make sure that the connection synchronisation does not become an overhead to the overall operations. According to the linuxvirtualserver.org website, at least the following connection information needs to be passed to the back-up from the master, which is around 24 bytes:
<Protocal, CIP:CPort, VIP:VPort, RIP:RPort, Flags, State>
Efficient synchronisation is done using UDP multicast inside the Linux kernel. The master load balancer runs the IPVS syncmaster daemon inside the kernel, passing the connection information with the UDP multicast to the back-up load balancer(s) accepting the UDP multicast packet.
On the primary load balancers in each data centre, run the following code:
ipvslb11# ipvsadm --start-daemon=master --mcast-interface=eth1 ipvslb21# ipvsadm --start-daemon=master --mcast-interface=eth1
On the back-up load balancer in each data centre, run the following:
ipvslb12# ipvsadm --start-daemon=backup --mcast-interface=eth1 ipvslb22# ipvsadm --start-daemon=backup --mcast-interface=eth1
When you want to stop the daemons, you can just run the command given below:
# ipvsadm --stop-daemon
After starting the daemon on both master and backup, we can now use
Heartbeat to provide high availability in our load balancers. I am not detailing the
Heartbeat set-up since a similar set-up was discussed in an article that appeared earlier. So this has been left as an exercise for readers. The important point here is that when the
Heartbeat failover occurs, the IP address failover script sends out ARP requests to inform the nodes on the network that the VIP has been failed over and that they should update their ARP cache.
This completes the configuration. However, it would have been a lot better if we could use just one program to do all of the above, i.e., create the virtual server, monitor the virtual server and provide for automatic failover to the back-up, do the connection synchronisation, etc. There are a few tools available to do this. Some of these are
Heartbeat, and provides some add-on features),
Piranha (a Red Hat favourite), etc.
Note: If you are planning to use
Piranha, do not execute any of the
ipvsadm commands described above, as these applications take care of all
ipvsdm functionalities. And if you have already executed them, it’s better to give all machines a reboot to clear them.
To start with, add only one real host. In our scenario, I am assuming that you have chosen
rproxy1 (192.168.1.14) as the real host. The client IP for me was
If you can’t see the Web page, then first try ping from the client to the VIP.
client# ping 192.168.1.214
ping works then run the following
tcpdump commands on the various servers:
director# tcpdump -ln -i eth1 host 192.168.1.14
You should see the IPIP tunnel packets here. But if you see any ICMP error packet report that states that it could not connect, then there is a problem at the real server end. Check the tunnel there and make sure that the link status of the
tunl0 interface is marked as UP.
realserver# tcpdump -ln -i eth0 host 192.168.1.13 realserver# tcpdump -ln -i tunl0 host 10.1.1.1 realserver# tcpdump -ln -i eth0 host 10.1.1.1
If all seems to work well and you can see packets flowing across, then run the following traceroute to the client IP address on your real server. The source IP address is spoofed to be the VIP in the packets. If you cannot see the output in this command, then surely your borderline firewall or router is blocking the packets. A sample output is also shown below:
realserver# traceroute -n -s 192.168.1.214 10.1.1.1 traceroute to 10.1.1.1 (10.1.1.1) from 192.168.1.214, 30 hops max, 38 byte packets 1 192.168.1.1 10.280 ms 2.700 ms 2.625 ms 2 10.1.1.1 7.407 ms !C 2.586 ms !C 5.503 ms !C
Try to set this up on a local LAN first before moving the set-up to the data centre scenario. And after moving to the data centre scenario, set up one data centre first. This will make troubleshooting easier.
Moving further on
In this four-part series we have seen the setting-up of various components involved in providing a highly available Web infrastructure. We have also seen how to replicate this set-up in multiple data centres and have attempted to utilise all the available capacity by balancing the traffic as evenly as possible across various components located in different data centres.
This is by no means a perfect architecture and was just an attempt to demonstrate the use of various FLOSS components in running a production infrastructure. I sincerely hope that this series has been useful to you.