[rhelv6-list] Red Hat 6.4, keepalived and ipv6

Matthias Saou matthias at saou.eu
Tue Jun 25 10:31:07 UTC 2013


On Mon, 24 Jun 2013 20:45:12 +0000
Martinsson Patrik <patrik.martinsson at smhi.se> wrote:

> Hello, 
> 
> This is not a specific Red Hat 6 question, but there seems to be a
> lot of people with general knowledge here so I'm going to take my
> chances. Already tried keepalived-mailinglist but no answer. 
> 
> 
> I'm really trying to understand how keepalived handles ipv6 VIPs and
> what the general idea and best practice is, however I seem to miss
> something. I don't understand why you wouldn't want to have
> keepalived set the preferred_lft to zero when bringing up the
> VIPs, or actually what I don't understand is how to make various
> checks work with the source-address being the VIP and not the
> "iron-address". 
> 
> So, here's the simple configuration, 
> 
> # keepalived.conf, 
> global_defs {
>    notification_email_from foo at bar.com
>    smtp_server bar.com
>    smtp_connect_timeout 30
>    lvs_id ER-TST-LD-MASTER
> }
> 
> vrrp_instance VI_1 {
>         state MASTER
>         interface eth0
>         lvs_sync_daemon_interface eth0
>         virtual_router_id 56
>         priority 150
>         advert_int 1
>         smtp_alert
>         authentication {
>                 auth_type PASS
>                 auth_pass example
>         }
>         virtual_ipaddress {
>            XXXX:XXX:XXX:XXXX::46 
>         }
> }
> 
> virtual_server XXXX:XXX:XXX:XXXX::46  0 {
>     delay_loop 10
>     lb_algo rr
>     lb_kind DR
>     persistence_timeout 900
>     protocol TCP
>     real_server XXXX:XXX:XXX:XXXX::17 0 {
>         weight 1
>         inhibit_on_failure
>         MISC_CHECK {
>           misc_path "/etc/keepalived/check_tcp -H XXXX:XXX:XXX:XXXX::17 -p 21"
>           misc_timeout 30
>         }
>     }
> }
> # end keepalived.conf 
> 
> 
> So, this would mean that when keepalived performs the check to see if
> the realserver (XX:17 on port 21) is alive, the source-address of
> that packet is the VIP (XX:46), which of course also is up on the
> realserver, which in turn would mean that the packet never returns
> to keepalived. And thus making keepalived mark the realserver as
> down (since it doesn't get any reply). 
> 
> So, what am I missing here, how is this supposed to work? 
> 
> I've been trying to read the following discussions, they seem to have
> the same problem,
> http://www.ietf.org/mail-archive/web/v6ops/current/msg15266.html
> http://marc.info/?l=keepalived-devel&m=130200733315039 (there's a
> patch that would make sense to me, but never got accepted if I'm not
> mistaken) 

I'm using keepalived on RHEL6 with IPv6 just fine, for both VRRP and
LVS. The main differences I see with your setup are that I'm using
RFC4193 addresses on my private LAN (eth1), that it's for a single port
(80) and that I'm using the HTTP_GET check. I'm also using FWM instead
of the IPv6 address for the virtual server, but I don't think that's
relevant.

Here's my ipvsadm -L -n output :

FWM  2 IPv6 wrr persistent 4
  -> [fdcd:24cd:315e:13::201]:80  Route   100    0          0         
  -> [fdcd:24cd:315e:13::202]:80  Route   100    0          0         
  -> [fdcd:24cd:315e:13::203]:80  Route   100    0          0         
  -> [fdcd:24cd:315e:13::204]:80  Route   100    0          0         
  -> [fdcd:24cd:315e:13::205]:80  Route   100    0          0

Here's my VRRP configuration :

vrrp_instance vlb1 {
    state MASTER
    priority 100
    virtual_router_id 245
    interface eth1
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass foo
    }
    virtual_ipaddress {
        x.x.229.245/26 dev eth0 label eth0:245
        x:x:4020:b010::245/64 dev eth0
    }
}

And the start of the LVS configuration :

! Firewall mark 2 LVS (IPv6)
virtual_server fwmark 2 {
    delay_loop 3
    lb_algo wrr
    lb_kind DR
    protocol TCP
    persistence_timeout 4

    real_server fdcd:24cd:315e:13::201 80 {
        weight 100
        ! inhibit_on_failure
        HTTP_GET {
            url {
                path /my/path/to/info.php
                status_code 200
            }
            connect_timeout 3
            nb_get_retry 2
            delay_before_retry 1
        }
    }

[...]

}

If I were you, I'd start tcpdump'ing traffic to check what's going on
with that port 21 check. Also, I don't think the check will be done
with a source address set to the virtual_server address, but with
the main IPv6 address (at least by default, I think).

Why do you want the checks to be done with the virtual_server address
as the source to begin with? I can only think of possible issues with
that, with no real gain.

And FWIW, this is the version I'm currently running :
keepalived-1.2.7-3.el6.x86_64

Matthias

-- 
            Matthias Saou                  ██          ██
                                             ██      ██
Web: http://matthias.saou.eu/              ██████████████
Mail/XMPP:  matthias at saou.eu             ████  ██████  ████
                                       ██████████████████████
GPG: 4096R/E755CC63                    ██  ██████████████  ██
     8D91 7E2E F048 9C9C 46AF          ██  ██          ██  ██
     21A9 7A51 7B82 E755 CC63                ████  ████
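
Added example, not part of either poster's message and not keepalived code: a Python check of whether a VIP is still a candidate source address for outgoing health checks, based on the preferred_lft / deprecated state discussed above, plus a query of the running kernel's source choice towards a real server. The sample `ip -6 addr show` output, the 2001:db8::/32 addresses and all function names are constructed for illustration.

```python
import ipaddress
import re
import socket

# Constructed `ip -6 addr show dev eth0` output from a director; addresses use
# the 2001:db8::/32 documentation prefix. ::46 plays the VIP, ::10 the host.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:0:1::46/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8:0:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

def parse_inet6(text):
    """Parse `ip -6 addr show` text into dicts: addr, scope, deprecated."""
    addrs = []
    for line in text.splitlines():
        m = re.match(r"\s*inet6 ([0-9A-Fa-f:]+)/\d+ scope (\S+)(.*)", line)
        if m:
            addrs.append({"addr": ipaddress.ip_address(m.group(1)),
                          "scope": m.group(2),
                          "deprecated": "deprecated" in m.group(3).split()})
        elif addrs and re.search(r"preferred_lft 0sec\b", line):
            addrs[-1]["deprecated"] = True  # lifetime line follows its address
    return addrs

def vip_can_source_checks(text, vip):
    """True if the kernel may still pick `vip` as source for outgoing checks.
    RFC 6724 rule 3 avoids deprecated (preferred_lft 0) addresses as long as a
    preferred address is available."""
    glob = [a for a in parse_inet6(text) if a["scope"] == "global"]
    preferred = [a["addr"] for a in glob if not a["deprecated"]]
    return ipaddress.ip_address(vip) in (preferred or [a["addr"] for a in glob])

def kernel_source_for(dst, port=21):
    """Ask the running kernel which source it would use towards dst.
    connect() on a UDP socket does a route lookup only; no packet is sent."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect((dst, port))
            return s.getsockname()[0]
    except OSError:
        return None  # no IPv6 support or no route from this host

if __name__ == "__main__":
    print("VIP usable as check source:", vip_can_source_checks(SAMPLE, "2001:db8:0:1::46"))
    print("kernel picks:", kernel_source_for("2001:db8:0:1::17"))
```

Run on the director, kernel_source_for() with the real server's address gives the same answer a tcpdump of the check traffic would show, without waiting for a check cycle.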



