After two weeks of struggling, I am going to need help with Linux Virtual Server (LVS) setup.

I have a simple setup. I am following “A Basic LVS Configuration” as described in “Linux Virtual Server (LVS) for Red Hat Enterprise Linux 5.2”.

I have setup two Virtual Servers and one Real Server (I will add one more RS after basic testing).

First, I setup one Real Server and tested it. I connected it to the Internet (eth0 => Routable IP) and tested Apache Server. I could display any web site including the one on the Real Server itself (http://www.tib.com).

Then I setup two Virtual Servers (VS) and followed the instructions to configure them up. Here is the LVS configuration file and NET setup.

------- lvs.conf --------

serial_no = 31
primary = 65.103.190.106
primary_private = 192.168.1.1
service = lvs
backup_active = 1
backup = 65.103.190.108
backup_private = 192.168.1.2
heartbeat = 1
heartbeat_port = 539
keepalive = 6
deadtime = 18
network = nat
nat_router = 192.168.1.254 eth1:1
nat_nmask = 255.255.255.255
debug_level = NONE
monitor_links = 0
syncdaemon = 0
virtual HTTP {
active = 1
address = 65.103.190.107 eth0:1
vip_nmask = 255.255.255.248
port = 80
send = "GET / HTTP/1.0rnrn"
expect = "HTTP"
use_regex = 0
load_monitor = none
scheduler = wlc
protocol = tcp
timeout = 6
reentry = 15
quiesce_server = 1
server rs1 {
address = 192.168.1.10
active = 1
weight = 1
}
}

-----

[root@tib ~]# /sbin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
65.103.190.104 * 255.255.255.248 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 65.103.190.110 0.0.0.0 UG 0 0 0 eth0
[root@tib ~]#
[root@tib ~]# /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:01:53:81:11:53
inet addr:65.103.190.106 Bcast:65.103.190.111 Mask:255.255.255.248
inet6 addr: fe80::201:53ff:fe81:1153/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:126901 errors:0 dropped:0 overruns:0 frame:0
TX packets:70743 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:185129030 (176.5 MiB) TX bytes:5348672 (5.1 MiB)
Interrupt:201 Base address:0x9000

eth1 Link encap:Ethernet HWaddr 00:30:1B:38:C4:C9
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::230:1bff:fe38:c4c9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:729 errors:0 dropped:0 overruns:0 frame:0
TX packets:784 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:43740 (42.7 KiB) TX bytes:44014 (42.9 KiB)
Interrupt:177

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:184 errors:0 dropped:0 overruns:0 frame:0
TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:85975 (83.9 KiB) TX bytes:85975 (83.9 KiB)

virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:8300 (8.1 KiB)

[root@tib ~]#

-------

PLEASE NOTE: I have NOT selected either “Persistence” or “Firewall Marks” and have made no changes to “IPTABLES”.

My GOAL is to test displaying my test web site, http://www.tib.com and then add other services.

My first test failed; I can’t display my test web site from a Win32 PC!!!!!!

I have checked that HTTP & HTTPS are OPEN on both the VS & RS. At one time I DISABLED the firewall on both VS & RS to test. No Luck!

I have checked “/var/log/messages” and found no errors. I have no idea which other files to look for error! I am what you call a NEWBIE.

In Closing, can somebody help with what I am doing wrong?

Jennifer King

Sounds like you've made a good start, but there's some info missing. You say you've followed the guide for RHEL5.2, but don't say whether or not you're USING RHEL5.2...are you? Also, you say you can't display it from a Win32 PC, but don't say where that is, in relation to the network (internal? On the Internet? Firewalled?), or if you can display your sites from the Linux server itself.

And not to sound like I'm brushing you off...but if you're using RHEL5.2, you're paying for support. They'd be the first people I'd call, since they can and will help you with such things.

This information might help:

I am using CentOS 5.3 & virtualization-en-US-5.2.11.el5.centos.noarch (comes packaged with CentOS 5.3)

This is the procedure I followed to setup the LVS:

1. First I setup a standalone Real Server (RS)with eth0: connecting to the Internet. I opened both HTTP & HTTPS on the RS firewall then setup a test Web page and tested it by displaying it both from the RS and from an external Win32 PC.

2. Then I setup two Virtual Servers (VS),Primary VS & Backup VS. Tested that Backup VS takes over when Primary VS goes down.

These are the settings I used:

Primary Virtual Server:

eth0: 65.103.190.106/29
eth1: 192.168.1.1/24 ; Connecting to RS

Piranha GUI Setup VIP & NAT Floating IP:

eth0:1 65.103.190.107
eth1:1 192.168.1.254

On the Real Server:

Firewall is DISABLED

eth0: 192.168.1.10/24
Gateway: 192.168.1.254

--------------------
After setting up LVS, I did a PING on NIC for VS & RS and they respond (checking Network).

On Primary VS, HTTP & HTTPS are open.

In my previous posy I have listed the lvs.conf setting. Here is the Iptables setting from Primary VS:
-----------------
[root@tib ~]#
[root@tib ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@tib ~]#
-----------------

Now when I try to display the test WEB site "http://www.tib.com" either from the Primary Virtual Server or from an external Win32, it times out and nothing is displayed.

ONE BIG HINT: Last night, I DISABLED the firewall on the Primary Virtual Server and tried displaying the test WEB from it (VS), I got the message from VS Apache verifying that HTTPD was properly installed. What it means is that when the FW was disabled, the web browser request go to the DNS server (at off site location at GODADDY) and then tried to display the web page from the Primary VS.

It seems that the FW needs tweaking or the Primary VS is NOT forwarding the request to the RS! I do not see the request to display the test WEB if passing through the Firewall on the Primary VS. I have looked into LOGS both on VS & RS and see no message that an attempt is made to display the test WEB site.

FYI, 'net.ipv4.ip_forward' is set to '1'.

I sure appreciate any help. If there is any further information is needed, please ask.

Thanks in advance.

Jennifer K.

I had posted this question "Linux Virtual Server (LVS) problems". It was my hunch that the FIREWALL was somehow blocking the Web (test) query!!

My hunch turned out to be true. I am posting this information to help other users.

The problem is that as the firewall is setup, it OPENs & CLOSEs ports on the Virtual Server's physical IP address. However, all traffic is directed to the VIP address. Therefore, PORTS on VIP must be opened for Virtual Server to accept traffic.

I have not figured out how to modify the iptables to accomplish that but I am working on it.