High Availability with Novell Cluster Services for Novell Open Enterprise Ser...Novell
High availability provides a safety net for single points of hardware failure. This session will identify the software and hardware requirements for implementing Novell Cluster Services with Novell Open Enterprise Server. We'll cover concepts related to design, installation and monitoring. We'll also show you real-world clustering examples for Novell GroupWise, Novell Teaming and Novell iFolder.
This session will use Novell Open Enterprise Server 2 SP2 to demonstrate how to cluster critical services—from NSS and Novell iPrint to Novell GroupWise, AFP and beyond. We'll cover the new features of Novell Cluster Services in the latest release of Novell Open Enterprise Server, and we'll show you how you can ensure consistency by using AutoYaST to build your nodes. This will be a practical session, so be prepared for a few thrills and spills along the way!
Speakers:
Tim Heywood CTO NDS 8
Mark Robinson CTO Linux NDS8
As more businesses explore the benefits of cloud computing, network managers will increasingly have to meet the challenge of redesigning their networks for the cloud. This talk will introduce the basic concepts of Open vSwitch and OpenFlow and show how these technologies can help satisfy these needs. We will also explain how Open vSwitch fits into XCP and XenServer, and how data flows are routed.
The first part of the talk discusses the networking challenges that cloud implementers face.
- Networking challenges
- Data isolation
Introducing Open vSwitch
- What it is, and its features
- Why it is important in a virtualized environment
OpenFlow
- Basics of OpenFlow
- How flows are routed in XenServer & XCP
Advanced cgroups and namespaces
This talk picks up where we left off in the previous cgroups and namespaces talk and dives in even deeper!
Agenda:
* cgroups v2 design (cgroup v2 began to be merged in the current kernel, 4.4)
* cgroups v2 examples (migrating tasks, enabling and disabling controllers, and more).
* comparison between cgroup v2 unified hierarchy and cgroup v1 legacy hierarchy.
* PIDs namespaces (from kernel 4.3)
* cgroup namespaces (not merged yet)
Databases are a key part of any application, and the storage subsystem contributes most to a database's performance. Recently, new storage technologies such as solid-state drives (SSDs) and other high-performance drives have become cheaper and more accessible, but using them cost-effectively, for the best price-performance, takes a lot of planning.
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon (Jérôme Petazzoni)
Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, systemd-nspawn, Docker, and the other container systems out there? And why should we care about specific filesystems?
In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and similarities) with existing container systems.
Docker networking basics & coupling with Software Defined Networks (Adrien Blind)
This presentation reviews Docker networking, introduces the basic paradigms of Software Defined Networking, and then proposes a combined implementation that benefits from using the two technologies together. The proposed implementation model could be a good starting point for building multi-tenant PaaS platforms.
As a bonus, the internal design of OpenStack Neutron is presented.
You can also have a look at our previous presentation on enterprise patterns for Docker:
http://fr.slideshare.net/ArnaudMAZIN/docker-meetup-paris-enterprise-docker
Networking with Neutron is one of the most complex subsystems in OpenStack. In this talk we shed light on the key components of Neutron networking and the specifics of the relatively new ML2 core plugin.
Seven years ago at LCA, Van Jacobson introduced the concept of net channels, but since then user-mode networking has not hit the mainstream. There are several different user-mode networking environments: Intel DPDK, BSD netmap, and Solarflare OpenOnload. Each of these provides higher performance than standard Linux kernel networking, but also creates new problems. This talk will explore the issues created by user-space networking, including performance, internal architecture, security and licensing.
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up (James Denton)
Architecting a private cloud to meet the use cases of its users can be a daunting task. How do you determine which of the many L2/L3 Neutron plugins and drivers to implement? Does network performance outweigh reliability? Are overlay networks just as performant as VLAN networks? The answers to these questions will drive the appropriate technology choice.
In this presentation, we will look at many of the common drivers built around the ML2 framework, including LinuxBridge, OVS, OVS+DPDK, SR-IOV, and more, and will provide performance data to help drive decisions around selecting a technology that's right for the situation. We will discuss our experience with some of these technologies, and the pros and cons of one technology over another in a production environment.
IoT Conference Berlin: M2M, IoT, device management: one protocol to rule them all? (Julien Vermillard)
M2M/IoT is growing rapidly, and since its early days different "standard" protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M). Understanding which protocol to use for which application can be intimidating, so we propose to give an overview of these protocols to help you understand their goals and characteristics. We'll present common M2M use cases and why they usually require more than just one protocol; we will also see whether CoAP combined with Lightweight M2M makes it possible to forge "one protocol to rule them all".
In this session, we walk through the Amazon VPC network presentation and describe the problems we were trying to solve when we created it. Next, we walk through how these problems are traditionally solved, and why those solutions are not scalable, inexpensive, or secure enough for AWS. Finally, we provide an overview of the solution that we've implemented and discuss some of the unique mechanisms that we use to ensure customer isolation, get packets into and out of the network, and support new features like VPC endpoints.
Presentation given at the 2017 LinuxCon China
The boom in container technology brings obvious advantages for the cloud: simpler and faster deployment, portability and low overhead. But the networking challenges are significant. Users need to restructure their networks and support container deployment within their current cloud framework, alongside VMs.
In this presentation we introduce a new container networking solution, iCAN, which provides one management framework for working with different network components through an open, friendly modelling mechanism. iCAN can simplify network deployment and management with most orchestration systems and a variety of data-plane components, and its extensible architecture is designed to define and validate Service Level Agreements (SLAs) for cloud-native applications, an important factor for enterprises delivering successful and stable services via containers.
1. CloudStack: Exploring the mysteries of the virtual router
KVM + NFS environment
Japan CloudStack User Group
@MayumiK0
Copyright (C) 2012 Japan CloudStack User Group All Rights Reserved.
2. Go on, accept it. That is your destiny.
3. Example CloudStack configuration
- Typical configuration:
  - Management Server
  - NFS Server (Primary/Secondary storage)
  - Compute Nodes
[Diagram: Management Server (annotated "this can also be a virtual server"), NFS Server holding Primary Storage and Secondary Storage, Compute Node (node04), Compute Node (node05)]
4. Exploring the mysteries of the virtual router
- Logging in to the virtual router
The virtual router and the Compute Node can communicate over the link-local network.
Log in to the Compute Node on which the virtual router is running, and from there ssh to the virtual router's link-local address.
[Diagram: Management Server, NFS Server (Primary Storage, Secondary Storage), Compute Node (node04), Compute Node (node05) running a guest instance and the virtual router, with the Link Local Network between the node and the router]
6. Exploring the mysteries of the virtual router
- Log in with ssh key authentication
[root@node006 ~]# ssh -i .ssh/id_rsa.cloud 169.254.3.116 -p 3922
Linux r-5-VM 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec  9 14:20:04 2012 from 169.254.0.1
root@r-5-VM:~# date; uptime
Mon Dec 10 15:54:59 UTC 2012
 15:54:59 up 1 day,  1:01,  1 user,  load average: 0.00, 0.00, 0.00
root@r-5-VM:~# date; ifconfig -a
Mon Dec 10 15:55:08 UTC 2012
eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11592 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8741 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2582211 (2.4 MiB)  TX bytes:972709 (949.9 KiB)

eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:74
          inet addr:169.254.3.116  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10166 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1937229 (1.8 MiB)  TX bytes:1915520 (1.8 MiB)
root@r-5-VM:~#
7. Exploring the mysteries of the virtual router
- In fact, the link-local address changes after a reboot
[root@node006 ~]# ssh -i .ssh/id_rsa.cloud 169.254.3.221 -p 3922
Last login: Mon Dec 10 16:00:04 2012 from 169.254.0.1
Linux r-5-VM 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686
root@r-5-VM:~# date; uptime
Mon Dec 10 16:18:29 UTC 2012
 16:18:29 up 1 min,  1 user,  load average: 0.00, 0.00, 0.00
root@r-5-VM:~# date ;ifconfig -a
Mon Dec 10 16:18:34 UTC 2012
eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:844 (844.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:dd
          inet addr:169.254.3.221  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:629043 (614.2 KiB)  TX bytes:607306 (593.0 KiB)
[Kyubey: "As long as you don't know, not knowing causes you no trouble at all."]
Is that really good enough?
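Because the link-local address is reassigned whenever the router is restarted (169.254.3.116 before, 169.254.3.221 after), it should be looked up rather than hard-coded. The following is an added example, not code from the slides or from the CloudStack project: it signs a listRouters request the way the CloudStack API requires (parameter names and values sorted, the whole query lower-cased, HMAC-SHA1 with the account's secret key, base64, then URL-encoded), picks the current host and linklocalip out of the response, and assembles the two-hop ssh command the slides use. The endpoint, API key, secret key and router name are placeholders.

```python
"""Find a CloudStack virtual router's current link-local address via the API.

Added example, not from the slides or from CloudStack.  API_URL, API_KEY and
SECRET_KEY are placeholders; listRouters, its 'hostname' and 'linklocalip'
fields and the signing scheme are CloudStack's own.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

API_URL = "http://management.example.internal:8080/client/api"  # placeholder
API_KEY = "replace-with-api-key"                                  # placeholder
SECRET_KEY = "replace-with-secret-key"                            # placeholder


def canonical_string(params: dict) -> str:
    """The string CloudStack signs: key=value pairs with URL-encoded values,
    sorted by key, then the whole thing lower-cased."""
    encoded = [(k, urllib.parse.quote(str(v), safe="*")) for k, v in params.items()]
    encoded.sort(key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={v}" for k, v in encoded).lower()


def sign(params: dict, secret: str) -> str:
    """HMAC-SHA1 over the canonical string, base64-encoded (28 characters)."""
    mac = hmac.new(secret.encode(), canonical_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(command: str, api_key: str, secret: str, **extra) -> str:
    """Full request URL: the real (not lower-cased) parameters plus the signature."""
    params = {"command": command, "apikey": api_key, "response": "json", **extra}
    query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='*')}"
                     for k, v in sorted(params.items()))
    signature = urllib.parse.quote(sign(params, secret), safe="")
    return f"{API_URL}?{query}&signature={signature}"


def router_link_local(routers: list, name: str) -> Optional[Tuple[str, str]]:
    """(hypervisor host, link-local IP) of the named router, if it is running."""
    for router in routers:
        if router.get("name") == name and router.get("state") == "Running":
            return router["hostname"], router["linklocalip"]
    return None


def ssh_command(host: str, link_local_ip: str) -> str:
    """The hop shown on the slides: onto the KVM host, then to the router on 3922."""
    return (f"ssh root@{host} ssh -i .ssh/id_rsa.cloud -p 3922 "
            f"root@{link_local_ip}")


def main() -> None:
    # The only network call; everything above is pure and runs offline.
    url = signed_url("listRouters", API_KEY, SECRET_KEY, name="r-5-VM")
    with urllib.request.urlopen(url, timeout=10) as resp:
        routers = json.load(resp)["listroutersresponse"].get("router", [])
    found = router_link_local(routers, "r-5-VM")
    print(ssh_command(*found) if found else "r-5-VM is not running")


if __name__ == "__main__":
    main()
```

Two things worth keeping in mind when using this. The id_rsa.cloud key on the host is the same key that opens every system VM on that host, so anyone with root on a compute node has root on every virtual router it runs; and because a recreated router gets a fresh host key as well as a fresh address, a known_hosts entry keyed by the old link-local IP will simply never match again.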
8. Exploring the mysteries of the virtual router
- Test configuration: Public IP 202.228.225.32
[Diagram: Management Server, NFS Server (Primary Storage, Secondary Storage), Compute Node (node04), Compute Node (node05); guest instances test01 (10.1.1.207) and test02 (10.1.1.131) sit behind the virtual router r-5-VM]
Let's peek at what the virtual router is actually doing behind the scenes.
9. Exploring the mysteries of the virtual router
- Processing performed at boot time
(Boot with two guest instances present and no firewall or load-balancing rules configured yet.)
Dec 10 16:16:46 r-5-VM cloud: Starting dnsmasq
Dec 10 16:16:46 r-5-VM cloud: Starting cloud-passwd-srvr
Dec 10 16:16:46 r-5-VM cloud: Starting ssh
Dec 10 16:16:46 r-5-VM cloud: Starting haproxy
Dec 10 16:16:46 r-5-VM cloud: Starting apache2
Dec 10 16:16:46 r-5-VM cloud: Stopping cloud
Dec 10 16:16:46 r-5-VM cloud: Stopping nfs-common
Dec 10 16:16:46 r-5-VM cloud: Stopping portmap
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added first ip 202.228.225.32/26 on interface eth2
Dec 10 16:16:50 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 on interface eth2
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 rules added
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created VPN chain for 202.228.225.32
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created firewall chain for 202.228.225.32
Dec 10 16:16:51 r-5-VM cloud: edithosts: update 02:00:3e:53:00:01 10.1.1.207 test01 to hosts
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: edithosts: update 02:00:79:6c:00:03 10.1.1.131 test02 to hosts
Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.131 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.131 to 10.1.1.1
10. Exploring the mysteries of the virtual router
- dnsmasq: software that provides a DNS forwarder and a DHCP server
root@r-5-VM:~# ps afxwwww | grep dnsmasq
 2079 ?        S      0:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
Dec 10 16:16:55 dnsmasq[2079]: started, version 2.55 cachesize 150
Dec 10 16:16:55 dnsmasq[2079]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
Dec 10 16:16:55 dnsmasq-dhcp[2079]: DHCP, static leases only on 10.1.1.1, lease time 1h
Dec 10 16:16:55 dnsmasq[2079]: using local addresses only for domain cs2cloud.internal
Dec 10 16:16:55 dnsmasq[2079]: reading /etc/dnsmasq-resolv.conf
Dec 10 16:16:55 dnsmasq[2079]: using nameserver 8.8.8.8#53
Dec 10 16:16:55 dnsmasq[2079]: using local addresses only for domain cs2cloud.internal
Dec 10 16:16:55 dnsmasq[2079]: read /etc/hosts - 15 addresses
Dec 10 16:16:55 dnsmasq-dhcp[2079]: read /etc/dhcphosts.txt
Dec 10 16:16:55 dnsmasq-dhcp[2079]: read /etc/dhcpopts.txt
[Caption: "No surprising developments here."]
root@r-5-VM:/etc# cat /etc/dhcpopts.txt
10_1_1_207,3,10.1.1.1
10_1_1_207,6,10.1.1.1
10_1_1_131,3,10.1.1.1
10_1_1_131,6,10.1.1.1
Each line of dhcpopts.txt is a dnsmasq tag (one per guest address), a DHCP option number and its value: option 3 is the default router and option 6 the DNS server, both pointing at the router's guest-side address 10.1.1.1, which is exactly what the edithosts.sh lines on slide 9 report setting. Note also "static leases only": dnsmasq hands out addresses only to MACs listed in dhcphosts.txt.
11. Exploring the mysteries of the virtual router
- haproxy: an L7 load balancer
root@r-5-VM:~# ps afxwwww | grep haproxy
 1501 ?        Ss     0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid
root@r-5-VM:~# cat /etc/haproxy/haproxy.cfg
global
        log 127.0.0.1:3914 local0 warning
        maxconn 4096
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
defaults
        log global
        mode tcp
        option dontlognull
(omitted)
listen vmops 0.0.0.0:9
        option transparent
[Caption: "Decide your wish (your configuration). Hurry!"]
12. Exploring the mysteries of the virtual router
- Shell scripts executed on the virtual router
root@r-5-VM:~# pwd
/root
root@r-5-VM:~# ls
-rwxr-xr-x 1 root root   824 Oct 24 05:25 bumpup_priority.sh
-rwxr-xr-x 1 root root  1462 Oct 24 05:25 clearUsageRules.sh
-rwxr-xr-x 1 root root  3545 Oct 24 05:25 edithosts.sh
-rwxr-xr-x 1 root root  6332 Oct 24 05:25 firewall_rule.sh
-rwxr-xr-x 1 root root 12404 Oct 24 05:25 firewall.sh
-rwxr-xr-x 1 root root  2429 Oct 24 05:25 func.sh
-rw-r--r-- 1 root root 13600 Feb  6  2012 ipassoc.sh
-rwxr-xr-x 1 root root  8239 Oct 24 05:25 loadbalancer.sh
-rw-r--r-- 1 root root  3464 Feb  6  2012 netusage.sh
-rwxr-xr-x 1 root root  1667 Oct 24 05:25 reconfigLB.sh
drwxr-xr-x 2 root root  4096 Nov 25 09:28 redundant_router
-rwxr-xr-x 1 root root  1441 Oct 24 05:25 savepassword.sh
-rwxr-xr-x 1 root root  2497 Oct 24 05:25 userdata.py
-rwxr-xr-x 1 root root  3235 Oct 24 05:25 userdata.sh
■ Part of firewall_rule.sh
root@r-5-VM:~# cat firewall_rule.sh
#!/usr/bin/env bash
fw_chain_for_ip () {
  local pubIp=$1
  fw_remove_backup $1
  sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
  sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
  # drop if no rules match (this will be the last rule in the chain)
  sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
  # ensure outgoing connections are maintained (first rule in chain)
  sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
  #ensure that this table is after VPN chain
  sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
  success=$?
  if [ $success -gt 0 ]
  then
    # if VPN chain is not present for various reasons, try to add in to the first slot */
    sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
  fi
}
It appears to be grinding out iptables rules by hand.
Note the pattern: the existing chain is renamed to a backup (_FIREWALL_<ip>) rather than flushed, a fresh chain is built with a default DROP at the bottom and RELATED,ESTABLISHED at the top, and the jump is inserted at position 2 of mangle PREROUTING so that the VPN chain (position 1) is consulted first; only if that insert fails does it fall back to position 1.
13. Exploring the mysteries of the virtual router
- Creating a new instance
root@r-5-VM:/var/log# cat dnsmasq.log
Dec 11 17:11:09 dnsmasq[8541]: started, version 2.55 cachesize 150
Dec 11 17:11:09 dnsmasq[8541]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
Dec 11 17:11:09 dnsmasq-dhcp[8541]: DHCP, static leases only on 10.1.1.1, lease time 1h
Dec 11 17:11:09 dnsmasq[8541]: using local addresses only for domain cs2cloud.internal
Dec 11 17:11:09 dnsmasq[8541]: reading /etc/dnsmasq-resolv.conf
Dec 11 17:11:09 dnsmasq[8541]: using nameserver 8.8.8.8#53
Dec 11 17:11:09 dnsmasq[8541]: using local addresses only for domain cs2cloud.internal
Dec 11 17:11:09 dnsmasq[8541]: read /etc/hosts - 16 addresses
Dec 11 17:11:09 dnsmasq-dhcp[8541]: read /etc/dhcphosts.txt
Dec 11 17:11:09 dnsmasq-dhcp[8541]: read /etc/dhcpopts.txt
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPDISCOVER(eth0) 10.0.2.15 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPOFFER(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPREQUEST(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.100 02:00:62:c8:00:04 test03
[Caption: dnsmasq hands out an IP address to the instance.]
Note that the new guest asked for 10.0.2.15 in its DISCOVER (a leftover lease from the image it was built from) and was given the static lease 10.1.1.100 that CloudStack had written to dhcphosts.txt instead.
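With static leases only, every guest on the network should complete DISCOVER, OFFER, REQUEST and ACK and receive exactly the address CloudStack assigned to its MAC; a MAC that dnsmasq never acknowledges is a device CloudStack does not know about. The following is an added example, not code from the slides or from dnsmasq: it parses dnsmasq's DHCP log lines, groups them per client MAC, and reports both kinds of anomaly. The sample log is the slide's, plus one constructed line for an unknown MAC; the regular expression is written for dnsmasq's log format as shown on the slide.

```python
"""Audit dnsmasq DHCP activity on a CloudStack virtual router.

Added example, not from the slides or from dnsmasq.  The last log line below
is constructed (an unknown MAC that gets no lease); the others are the slide's.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 11 17:11:09 dnsmasq[8541]: started, version 2.55 cachesize 150
Dec 11 17:11:09 dnsmasq-dhcp[8541]: DHCP, static leases only on 10.1.1.1, lease time 1h
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPDISCOVER(eth0) 10.0.2.15 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPOFFER(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPREQUEST(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.100 02:00:62:c8:00:04 test03
Dec 11 17:20:31 dnsmasq-dhcp[8541]: DHCPDISCOVER(eth0) 52:54:00:de:ad:01 no address available
"""

# One dnsmasq-dhcp line: timestamp, message type, interface, optional address,
# client MAC, and whatever follows (hostname on ACK, or a reason text).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq-dhcp\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>\w+)\) (?:(?P<ip>\d+(?:\.\d+){3}) )?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<rest>.*))?$"
)


def parse_dhcp(log_text: str) -> dict:
    """Group (message, address, trailing text) tuples by client MAC, in log order.
    Non-DHCP lines (daemon start-up, config reads) are skipped."""
    by_mac = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_mac[m["mac"]].append((m["msg"], m["ip"], m["rest"]))
    return by_mac


def audit(log_text: str) -> dict:
    """Per MAC: the acknowledged address and hostname, plus any anomalies.

    - no DHCPACK at all: dnsmasq is static-only, so the MAC is not in
      dhcphosts.txt, i.e. not a guest CloudStack created on this network;
    - DISCOVER asked for an address other than the one finally acked: the
      client carried a stale lease (harmless for a fresh template, worth a
      look for anything else)."""
    findings = {}
    for mac, msgs in parse_dhcp(log_text).items():
        latest = {kind: (ip, rest) for kind, ip, rest in msgs}  # last of each kind
        acked = latest.get("DHCPACK")
        requested = latest.get("DHCPDISCOVER", (None, None))[0]
        anomalies = []
        if acked is None:
            anomalies.append("never acknowledged: MAC not in dhcphosts.txt?")
        elif requested and requested != acked[0]:
            anomalies.append(f"client asked for {requested}, got static lease {acked[0]}")
        findings[mac] = {
            "ip": acked[0] if acked else None,
            "hostname": acked[1] if acked else None,
            "anomalies": anomalies,
        }
    return findings


if __name__ == "__main__":
    for mac, info in audit(SAMPLE_LOG).items():
        print(mac, info)
```

On a real router the input would be /var/log/dnsmasq.log as on the slide; the hostname on the ACK line comes from the dhcphosts.txt entry, so it can be cross-checked against the instance names CloudStack reports.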
14. Exploring the mysteries of the virtual router
- Firewall configuration (configuration scripts: ipassoc.sh, firewall.sh, firewall_rule.sh)
■ /var/log/messages
Dec 11 17:18:54 r-5-VM cloud: FirewallRule public interfaces = eth2
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: enter apply firewall rules for public ip 202.228.225.32:tcp:10001:10003:0.0.0.0/0
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: exit apply firewall rules for public ip 202.228.225.32
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: successful in applying fw rules for ip 202.228.225.32
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: deleting backup for ip: 202.228.225.32
15. Exploring the mysteries of the virtual router
- Port forwarding configuration (configuration scripts: ipassoc.sh, firewall.sh)
■ /var/log/messages
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-D result=1
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-A result=0
Note that the script first runs the rule with op=-D (result=1, there was nothing to delete) and only then with op=-A (result=0), so re-applying the same forwarding rule does not leave duplicate iptables entries behind.
16. Exploring the mysteries of the virtual router
- Load balancing configuration
■ /var/log/messages
Dec 11 17:37:22 r-5-VM cloud: Loadbalancer public interfaces = eth2
Dec 11 17:37:24 r-5-VM cloud: New haproxy instance successfully loaded, stopping previous one.
Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Added first ip 202.228.225.32/26 on interface eth2
Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 on interface eth2
Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh: VPN chain for 202.228.225.32 already exists
Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh: firewall chain for 202.228.225.32 already exists
[Caption: the rule is written into haproxy.cfg.]
root@r-5-VM:/var/log# cat /etc/haproxy/haproxy.cfg
global
        log 127.0.0.1:3914 local0 warning
(omitted)
listen 202_228_225_32-80 202.228.225.32:80
        balance roundrobin
        server 202_228_225_32-80_0 10.1.1.207:80 check
        server 202_228_225_32-80_1 10.1.1.131:80 check
        mode http
        option httpclose
17. Exploring the mysteries of the virtual router
- Load balancing configuration
root@r-5-VM:/var/log# cat haproxy.log
Dec 10 14:44:02 localhost haproxy[1486]: Pausing proxy cloud-default.
Dec 10 14:44:04 localhost haproxy[8711]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 3ms.
Dec 10 14:44:04 localhost haproxy[8711]: proxy 202_228_225_32-80 has no server available!
Dec 10 14:44:19 localhost haproxy[8712]: Pausing proxy stats_on_public.
Dec 10 14:44:19 localhost haproxy[8712]: Pausing proxy 202_228_225_32-80.
Dec 10 14:44:21 localhost haproxy[9064]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
Dec 10 14:44:22 localhost haproxy[9065]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
Dec 10 14:44:22 localhost haproxy[9065]: proxy 202_228_225_32-80 has no server available!
Dec 10 15:58:10 localhost haproxy[1527]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
Dec 10 15:58:10 localhost haproxy[1527]: proxy 202_228_225_32-80 has no server available!
Dec 10 15:58:16 localhost haproxy[1527]: Pausing proxy stats_on_public.
Dec 10 15:58:16 localhost haproxy[1527]: Pausing proxy 202_228_225_32-80.
Dec 10 15:58:18 localhost haproxy[2432]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
Dec 10 15:58:19 localhost haproxy[2433]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
[Caption: health-check log entries appear here as well.]
18. Exploring the mysteries of the virtual router
- iptables
root@r-5-VM:/etc/init.d# /etc/init.d/iptables-persistent status
Filter Rules:
--------------
Chain INPUT (policy DROP 2503 packets, 101K bytes)
 pkts bytes target             prot opt in   out  source    destination
64324 6276K NETWORK_STATS      all  --  any  any  anywhere  anywhere
    0     0 ACCEPT             all  --  any  any  anywhere  vrrp.mcast.net
    0     0 ACCEPT             all  --  any  any  anywhere  225.0.0.50
37401 3291K ACCEPT             all  --  eth0 any  anywhere  anywhere   state RELATED,ESTABLISHED
14833 2394K ACCEPT             all  --  eth1 any  anywhere  anywhere   state RELATED,ESTABLISHED
  390 34943 ACCEPT             all  --  eth2 any  anywhere  anywhere   state RELATED,ESTABLISHED
  453 38052 ACCEPT             icmp --  any  any  anywhere  anywhere
   13  1401 ACCEPT             all  --  lo   any  anywhere  anywhere
    2   656 ACCEPT             udp  --  eth0 any  anywhere  anywhere   udp dpt:bootps
 1961  133K ACCEPT             udp  --  eth0 any  anywhere  anywhere   udp dpt:domain
  719 43140 ACCEPT             tcp  --  eth1 any  anywhere  anywhere   state NEW tcp dpt:3922
    0     0 ACCEPT             tcp  --  eth0 any  anywhere  anywhere   state NEW tcp dpt:http-alt
    0     0 ACCEPT             tcp  --  eth0 any  anywhere  anywhere   state NEW tcp dpt:www
    0     0 load_balancer_eth0 tcp  --  eth0 any  anywhere  anywhere
    0     0 load_balancer_eth2 tcp  --  eth2 any  anywhere  anywhere
    0     0 lb_stats           tcp  --  any  any  anywhere  anywhere
The INPUT policy is DROP, and the services are bound to their interfaces: ssh on 3922 is accepted only on eth1 (link-local, reachable from the hypervisor host), DHCP (bootps), DNS, the password server (http-alt, 8080) and user-data (www) only on eth0 (the guest network), and nothing new is accepted on the public interface eth2 except what the load-balancer chains allow.
19. Exploring the mysteries of the virtual router
- iptables
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target        prot opt in   out  source    destination
10587 7297K NETWORK_STATS all  --  any  any  anywhere  anywhere
    0     0 ACCEPT        all  --  eth0 eth1 anywhere  anywhere   state RELATED,ESTABLISHED
    0     0 ACCEPT        all  --  eth0 eth0 anywhere  anywhere   state NEW
    0     0 ACCEPT        all  --  eth0 eth0 anywhere  anywhere   state RELATED,ESTABLISHED
  528  106K ACCEPT        tcp  --  any  any  anywhere  test01     state RELATED,ESTABLISHED /* 202.228.225.32:10001:10001 */
    0     0 ACCEPT        tcp  --  any  any  anywhere  test01     tcp dpt:ssh state NEW /* 202.228.225.32:10001:10001 */
 2195 4043K ACCEPT        all  --  eth2 eth0 anywhere  anywhere   state RELATED,ESTABLISHED
 2062  142K ACCEPT        all  --  eth0 eth2 anywhere  anywhere

Chain OUTPUT (policy ACCEPT 41154 packets, 2856K bytes)
 pkts bytes target        prot opt in   out  source    destination
54494 5162K NETWORK_STATS all  --  any  any  anywhere  anywhere

Chain NETWORK_STATS (3 references)
 pkts bytes target        prot opt in    out   source    destination
 4863  349K               all  --  eth0  eth2  anywhere  anywhere
 5724 6948K               all  --  eth2  eth0  anywhere  anywhere
    0     0               tcp  --  !eth0 eth2  anywhere  anywhere
    0     0               tcp  --  eth2  !eth0 anywhere  anywhere
20. Exploring the mysteries of the virtual router
- iptables
Chain lb_stats (1 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  tcp  --  any  any  anywhere  202.228.225.32  state NEW tcp dpt:tproxy

Chain load_balancer_eth0 (1 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  tcp  --  any  any  anywhere  202.228.225.32  tcp dpt:www

Chain load_balancer_eth2 (1 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  tcp  --  any  any  anywhere  202.228.225.32  tcp dpt:www

NAT Rules:
-------------
Chain PREROUTING (policy ACCEPT 41247 packets, 1685K bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DNAT    tcp  --  eth2 any  anywhere  202.228.225.32  tcp dpt:10001 to:10.1.1.207:22
    0     0 DNAT    tcp  --  eth0 any  anywhere  202.228.225.32  tcp dpt:10001 to:10.1.1.207:22

Chain POSTROUTING (policy ACCEPT 37392 packets, 2244K bytes)
 pkts bytes target  prot opt in   out  source      destination
    0     0 SNAT    tcp  --  any  eth0 10.1.1.0/24 test01          tcp dpt:10001 to:10.1.1.1
  581 35575 SNAT    all  --  any  eth2 anywhere    anywhere        to:202.228.225.32

Chain OUTPUT (policy ACCEPT 37543 packets, 2253K bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DNAT    tcp  --  any  any  anywhere  202.228.225.32  tcp dpt:10001 to:10.1.1.207:22
21. Exploring the mysteries of the virtual router
Mangle Rules:
----------------
Chain PREROUTING (policy ACCEPT 84426 packets, 5631K bytes)
 pkts bytes target                   prot opt in   out  source    destination
 6411 7002K VPN_202.228.225.32       all  --  any  any  anywhere  202.228.225.32
   81  4769 FIREWALL_202.228.225.32  all  --  any  any  anywhere  202.228.225.32
55712 5951K CONNMARK                 all  --  any  any  anywhere  anywhere        state RELATED,ESTABLISHED CONNMARK restore
    0     0 MARK                     tcp  --  eth2 any  anywhere  202.228.225.32  tcp dpt:10001 MARK set 0x2
    0     0 CONNMARK                 tcp  --  eth2 any  anywhere  202.228.225.32  tcp dpt:10001 state NEW CONNMARK save

Chain INPUT (policy ACCEPT 44607 packets, 3987K bytes)
 pkts bytes target  prot opt in   out  source    destination

Chain FORWARD (policy ACCEPT 4785 packets, 4291K bytes)
 pkts bytes target  prot opt in   out  source    destination

Chain OUTPUT (policy ACCEPT 41524 packets, 2927K bytes)
 pkts bytes target  prot opt in   out  source    destination

Chain POSTROUTING (policy ACCEPT 46309 packets, 7218K bytes)
 pkts bytes target    prot opt in   out  source    destination
    2   670 CHECKSUM  udp  --  any  any  anywhere  anywhere  udp dpt:bootpc CHECKSUM fill

Chain FIREWALL_202.228.225.32 (1 references)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 RETURN  tcp  --  any  any  anywhere  anywhere  tcp dpts:10001:10003
   81  4769 DROP    all  --  any  any  anywhere  anywhere

Chain VPN_202.228.225.32 (1 references)
 pkts bytes target  prot opt in   out  source    destination
 6123 6984K ACCEPT  all  --  any  any  anywhere  anywhere  state RELATED,ESTABLISHED
  288 18062 RETURN  all  --  any  any  anywhere  anywhere
This is where the public-IP firewall actually lives: in the mangle table's PREROUTING chain, which runs before NAT. Traffic to 202.228.225.32 first passes the VPN chain (which ACCEPTs anything belonging to an existing connection, which is why the FIREWALL chain's own RELATED,ESTABLISHED rule shows zero hits), then the FIREWALL chain, where only new TCP connections to the configured range 10001:10003 RETURN to PREROUTING and everything else is dropped; the 81 dropped packets are the only ones that reached that last rule. A connection that survives is then DNATed to 10.1.1.207:22 by the nat rule on slide 20.
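To make the chain order and the RETURN versus DROP semantics concrete, here is an added example (not code from the slides or from CloudStack) that models the mangle PREROUTING, VPN and FIREWALL chains from this slide and the port-forwarding DNAT rule from slide 20 as data, and traces packets through them with the iptables rules that matter here: rules are evaluated in order, ACCEPT and DROP end the table's traversal, RETURN (or falling off the end of a user chain) resumes in the calling chain, and the built-in chain's policy applies when nothing matched. The packet model (destination, port, protocol, conntrack state) is a deliberate simplification; the CONNMARK/MARK rules are left out because they only set marks and never decide a verdict.

```python
"""Trace packets through the virtual router's mangle and nat PREROUTING rules.

Added example, not from the slides or from CloudStack.  The rule tables below
transcribe slides 20 and 21; interfaces and marks are not modelled.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PUB_IP = "202.228.225.32"


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"       # conntrack state: NEW, or RELATED/ESTABLISHED


def rule(target, dst=None, proto=None, dports=None, state=None):
    """(match, target); a None match field means 'any'."""
    return ({"dst": dst, "proto": proto, "dports": dports, "state": state}, target)


def matches(match: dict, pkt: Packet) -> bool:
    if match["dst"] and pkt.dst != match["dst"]:
        return False
    if match["proto"] and pkt.proto != match["proto"]:
        return False
    if match["dports"] and not (match["dports"][0] <= pkt.dport <= match["dports"][1]):
        return False
    if match["state"] and pkt.state not in match["state"]:
        return False
    return True


# mangle table as dumped on slide 21 (jumps first, VPN chain before FIREWALL chain)
MANGLE = {
    "PREROUTING": [
        rule(f"VPN_{PUB_IP}", dst=PUB_IP),
        rule(f"FIREWALL_{PUB_IP}", dst=PUB_IP),
    ],
    f"VPN_{PUB_IP}": [
        rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
        rule("RETURN"),
    ],
    f"FIREWALL_{PUB_IP}": [
        rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
        rule("RETURN", proto="tcp", dports=(10001, 10003)),   # the allowed public ports
        rule("DROP"),                                           # last rule: drop the rest
    ],
}

# nat PREROUTING as dumped on slide 20: public port 10001 -> test01's ssh
NAT_PREROUTING = [
    (rule(None, dst=PUB_IP, proto="tcp", dports=(10001, 10001))[0], ("10.1.1.207", 22)),
]


def walk(table: dict, chain: str, pkt: Packet) -> Optional[str]:
    """Evaluate one chain.  Returns ACCEPT or DROP, or None when the chain
    returned to its caller without a verdict."""
    for match, target in table[chain]:
        if not matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(table, target, pkt)        # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def trace(pkt: Packet) -> Tuple[str, Packet]:
    """(verdict, packet as it leaves nat PREROUTING).  mangle PREROUTING has
    policy ACCEPT, so a packet nothing matched goes on to the nat table."""
    verdict = walk(MANGLE, "PREROUTING", pkt) or "ACCEPT"
    if verdict == "DROP":
        return "DROP", pkt
    for match, (new_dst, new_port) in NAT_PREROUTING:
        if matches(match, pkt):
            return "ACCEPT", replace(pkt, dst=new_dst, dport=new_port)
    return "ACCEPT", pkt


if __name__ == "__main__":
    for p in (Packet(PUB_IP, 10001), Packet(PUB_IP, 22),
              Packet(PUB_IP, 22, state="ESTABLISHED"), Packet(PUB_IP, 10002)):
        print(p, "->", trace(p))
```

Two readings fall out of running it. A new connection to public port 22 is dropped in mangle before the nat table ever sees it, so the DNAT rule alone does not expose anything; and a new connection to port 10002 is allowed through by the FIREWALL chain but has no DNAT rule, so it ends up at the router itself, where the filter INPUT policy on slide 18 is DROP.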
22. Exploring the mysteries of the virtual router
I just don't get it.
I had planned to dig into the mysteries of the virtual router in vivid detail,
but for various reasons this turned out to be only a brief taste
of the processing that runs inside the virtual router.
Sorry about that.
23. Exploring the mysteries of the virtual router
Thank you very much.
See You Next Time !
Some Time Some Where