shylent's questions

I am using LVS (ipvsadm) in NAT mode to load balance UDP traffic for a number of "realservers". I am using one-packet-scheduling so that traffic originating from a single source port on the client is distributed to different realservers.

What I see, though, is that the UDP datagrams, that originate on the realservers and are sent back to the client have their source ip / port set to the one of the realserver, which confuses the client, because it expects to receive replies with source ip / port matching the ones, that he sent the original datagram to.

This is very strange indeed, because LVS is supposed to "hide" the realservers behind the virtual ip / port.

It seems, that if I turn off one-packet-scheduling, the source ip / port of outgoing datagrams are rewritten correctly by LVS.

Has anyone encountered this? If so, what is the way around this?

I need to load-balance UDP traffic between a number of "realservers" and do it in a truly round-robin fashion. I've started with keepalived, but unexpectedly discovered, that LVS treats UDP traffic as a "connection" (whatever that is in terms of UDP..). In practice, that means, that all traffic from a particular client goes to the very same "realserver" all the time (this is a big deal, because some clients may generate such an amount of traffic, that the single backend will be overwhelmed).

Apparently, this is expected behaviour, however more recent LVS versions have a "--ops" flag, that makes LVS bypass its aforementioned behaviour so that each UDP datagram is treated independently (this is what I want!). But (there's always a but..) this functionality is not exposed from keepalived.conf.

Is there any solution out there, that will let me

• do a round-robin distribution between backends for UDP
• detect "dead" backends and remove them from round-robin (adding them back when they become "alive" would've been also useful)

Should be Linux-based, obviously. DNS round-robin in any form will not really work here, because the clients are not DNS-aware.

P.S. I am going to try pulse/piranha, but from reading the documentation I've gathered, that it does not expose the "--ops" flag as well. I am also going to give mon a try (make mon check backends and add/remove realservers by invoking ipvsadm directly).

I am observing the following behaviour when logging to syslog from an external application: if I send a well-formed syslog message to a UDP socket, rsyslog correctly parses it, however if the very same message is sent to a UNIX domain socket (/dev/log), it is not parsed at all (rsyslog basically assumes, that everything, that he received, is a message, so no timestamp, no anything).

The message in question is

<142>1 2010-12-29T11:11:11Z foo bar 123 baz - A Message

which is parsed as

Dec 29 11:11:11 foo bar[123] A Message

unless it isn't.

I have a certain distributed (as in, multiple components on multiple machines) service, that should be made available from the outside world. So, in LVS terminology, the clients are "on the internet", while the realservers are in the private network. This, as I understand, is not particulary difficult to set up using LVS.

But (there's always a but!) there are some components on the private network, that should be load balanced (actually, for this part I am not concerned about "load". I just need the failover capability), but their clients are also on the private network. For example, the application server's access to queue brokers must go through a load balancer.

Can I use the same director for both tasks? Obviously, it will have at least two network interfaces (one on the external, one on the private network).

Ideally, I'll need to provide redundancy for the director via VRRP (presumably, utilizing keepalived for that).

Does this setup make any sense? Is it normal at all to do it this way? Perhaps I am better off using a separate load-balancer for internal-only traffic? It is kind of undesirable, though, since it will introduce at least 2 extra machines that will not be used much, since the queue brokers receive minimal traffic (all I need is failover).

We were performing a test deployment of an application, that utilizes DynamoDB for persistency. A number of tables was created in the us-east region. Then we ran some tests against the application, that resulted in a significant number of writes and reads of those tables, exceeding the throughput thresholds. All of a sudden, though, the requests to the DynamoDB stopped coming through at all from that particular machine. We recreated the tables in the eu-west region and ran the tests again. It worked for some time, but in the morning it was discovered, that the same thing happened to the eu-west installation, but at the same time, the requests against the us-west one started coming through.

There's more, after a bit of investigation, it was discovered, that if, at the time, when all requests against some region failed, we could not even open a connection to the DynamoDB endpoint for that region (basically, "wget https://dynamodb.us-west-1.amazonaws.com" failed with a timeout).

Even more, at the time, when we could not connect to a particular DynamoDB endpoint, all other machines could do that just fine. Even the ones, that were in the same subnet with the affected machine and behind the same NAT (therefore, sharing its source IP address!).

All the machines, that I am talking about are actually EC2 instances so there's no real hardware involved on our side.

Any idea, what could be wrong?

We didn't touch the network configuration for the duration of the tests. Could it be some form of throttling that we were experiencing?

I am sorry for not being able to come up with a more descriptive question title.

For getting remote metrics I use nrpe on linux-based machines and nsclient++ on windows-based machines.

If I need to check, for example, if a certain server is reachable from another server, I'd just run an appropriate plugin (like check_http) using nrpe. I've recently faced the need to do the same thing, but the remote server is running windows so I am stuck with nsclient++.

Now, you can run scripts from nsclient++, so you can write a vb/powershell script, that will do that. Before I do that, however, I'd like to know if there are any existing solutions (surely, I am not the only person on Earth who had to deal with this).

At the very least I'd like to have something, like check_http, that I will able to run using nsclient++.

Ok, the title says it all, really.

The end goal is to implement proxy-authentication for end users. Users' systems are mostly (95%) windows-based, the proxy is a Debian Lenny running squid 2.7.

I've investigated possible ways to implement it, first using the ntlm_auth helper, that is shipped with squid2.7 in Lenny and it fails, - some users get authenticated just fine, some don't for some reason. I couldn't find a corellation, I've even inspected the actual smb packet flow with wireshark to no avail - it seems completely random. I've tried it on different physical machines / accounts so that's ruled out.

Then, two possible routes are available, it seems. Using winbind (with samba) and using ldap+kerberos.

I am personally against using samba, because, first it requires you to jump through certain hoops like joining the domain and so on, and second (and this is the cruncher) - I don't need all the functionality offered by samba, it is simply undesired to have all that functionality, like windows-like shares and so on, on that machine. If I have to resort to using samba, I would really like to use only a minimal possible subset of the features, - just enough to get samba's ntlm_auth (with winbind) to authenticate the users. Does anyone have any experience with this kind of setup?

I've read this question (not really a question :P) and I really liked what I've seen, - kerberos seems like a possible solution and the footprint is not that huge. The question is, is it possible to run this on a windows-2000-version domain? And how is the browser support?

First of all, I am fully aware of the existence of this question.

With that out of the way, - I am looking for something to monitor windows-based systems for metrics, that are impractical to collect via snmp (such as the presence of certain substrings in log files).

I've tried to use NSClient++, however it is extremely underdocumented (even the author admits it), so doing something even remotely non-standard is pure trial-and-error, which is unacceptable in the soon-to-be production environment. On top of that, the plugin CheckDisk.dll is supposedly broken in the latest "stable" release (0.3.6?) and reports incorrect results for the CheckFile2 test.

I have lost hope, really, but, nevertheless, perhaps I am missing something? Perhaps there is a working alternative to NSClient++ out there? Preferrably with a comprehensive documentation.

Either way, what do you use for monitoring windows-based hosts via nagios?