Re: [vserver] HA vserver in an active/active configuration

From: Christian Balzer <chibi_at_gol.com>
Date: Wed 06 Feb 2008 - 03:20:49 GMT
Message-ID: <20080206122049.093a9245@batzmaru.gol.ad.jp>

Hello,

On Wed, 06 Feb 2008 11:10:24 +1100 Jason Drage <jasond@ibsglobalweb.com>
wrote:
> Adam Majer wrote:
> > Christian Balzer wrote:
> >
> >> Anyways, I searched the archives and other than this question/quest
> >> from 2006 (without an answer) I came up blank:
> >> --- Alexander Kabanov wrote:
> >> the only reason why I would like to have some kind of local/internal
> >> interface inside a guest - let people bind services to something that
> >> is not accessible from outside and from other guests on the host
> >> server.
> >>
> >
> > I don't think there is a need for lo interface at all. In my case, I've
> > added a local class C network to the dummy interface (ie. packets go
> > through lo).
> Let me make sure I understand. You don't think there is a need for a
> lo interface but then you go and create one because you need it.. Huh?

If I understand him correctly all his vservers are basically NAT'ed.
Which might work quite well in his particular scenario, but would not
for what I have in mind.

I'm currently doing this on my test server and it seems to do the trick:

- 2 interfaces, 0 is a lo variant with 127.n.0.1/24, 1 the real IP.
- Remap source IP address configured in the kernel, so 127.0.0.1 calls
  will bind to the IP of interface 0.
- iptables to separate the bunch:
[0:0] -A INPUT -i lo -d host -j ACCEPT
[0:0] -A INPUT -i lo -d guest1 -j ACCEPT
[0:0] -A INPUT -i lo -d guest2 -j ACCEPT
[0:0] -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
[0:0] -A INPUT -i lo -s 127.1.0.1 -d 127.1.0.1 -j ACCEPT
[0:0] -A INPUT -i lo -s 127.2.0.1 -d 127.2.0.1 -j ACCEPT
[0:0] -A INPUT -i lo -j LOG
[0:0] -A INPUT -i lo -j REJECT --reject-with icmp-host-unreachable

Yes, I needed to allow the public IPs on lo, apparently DNS plays
silly buggers with that (the guests are configured by resolv.conf
to use a DNS server on the host). If you do have completely external
DNS (or probably just have bind listen on the public IP of the host
only and not also on 127.0.0.1 of the host), the first 3 rules should
not be needed.
With these rules in place guest1 can no longer connect to the lo of
guest2, complete separation of the guest localhosts is achieved.
I know that in theory the whole 127.0.0.1/8 should be accessible for
loopback purposes, but applications seem to be content with just
127.0.0.1/32 in all real life encounters I had so far. (knocks on
fake wood table).

One thing I will definitely do on the real production boxes (with
50 vservers each -> 100 interfaces) is to use openntpd, plain ntpd
attaching itself to all of them gives me the willies and messes up
netstat output. ;)

Regards,

Christian

-- 
Christian Balzer        Network/Systems Engineer                NOC
chibi@gol.com           Global OnLine Japan/Fusion Network Services
http://www.gol.com/
Received on Wed Feb 6 03:21:06 2008
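The per-guest loopback scheme described in the mail above, as an added example that is not part of the original message or the vserver project: a small Python script that generates the lo INPUT rules for a host plus N guests (127.n.0.1 for guest n, public-IP ACCEPTs for the DNS case) and checks them with a first-match simulation that one guest's 127.n.0.1 cannot reach another's. The host and guest addresses are constructed placeholders, and the default INPUT policy is assumed to be ACCEPT since the mail does not state it.

```python
"""Generate and sanity-check the per-guest loopback iptables rules.
Added example; host/guest addresses below are constructed placeholders."""

# Constructed public addresses (documentation range), not the mail's real ones.
HOST_IP = "192.0.2.1"
GUEST_IPS = ["192.0.2.11", "192.0.2.12"]


def lo_rules(host_ip, guest_ips, allow_public=True):
    """Return iptables-restore style INPUT rules for interface lo.

    Guest n (n=0 is the host) gets 127.n.0.1; only packets whose source and
    destination are that same address are accepted.  allow_public adds the
    ACCEPTs for the public IPs that the mail needed for host-side DNS.
    """
    rules = []
    if allow_public:
        for ip in [host_ip, *guest_ips]:
            rules.append(f"-A INPUT -i lo -d {ip} -j ACCEPT")
    for n in range(len(guest_ips) + 1):
        lo_ip = f"127.{n}.0.1"
        rules.append(f"-A INPUT -i lo -s {lo_ip} -d {lo_ip} -j ACCEPT")
    rules.append("-A INPUT -i lo -j LOG")
    rules.append("-A INPUT -i lo -j REJECT --reject-with icmp-host-unreachable")
    return rules


def verdict(rules, src, dst):
    """First-match evaluation of a packet arriving on lo: 'ACCEPT' or 'REJECT'."""
    for rule in rules:
        tok = rule.split()
        want_src = tok[tok.index("-s") + 1] if "-s" in tok else None
        want_dst = tok[tok.index("-d") + 1] if "-d" in tok else None
        if want_src and want_src != src:
            continue
        if want_dst and want_dst != dst:
            continue
        target = tok[tok.index("-j") + 1]
        if target == "LOG":  # LOG is non-terminating: keep walking the chain
            continue
        return target
    return "ACCEPT"  # assumed default policy (the mail does not state it)


def check_separation(rules, n_guests):
    """True if every 127.n.0.1 is reachable only from itself."""
    for a in range(n_guests + 1):
        for b in range(n_guests + 1):
            accepted = verdict(rules, f"127.{a}.0.1", f"127.{b}.0.1") == "ACCEPT"
            if accepted != (a == b):
                return False
    return True
```

Running `check_separation(lo_rules(HOST_IP, GUEST_IPS), len(GUEST_IPS))` reproduces the mail's claim that guest1 can no longer reach guest2's loopback while each guest still talks to its own 127.n.0.1 and to the host's public IP for DNS.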