Re: [Keepalived-devel] vrrp_strict option breaks LVS
From: Quentin A. <qu...@ar...> - 2018-10-26 17:15:07
Ryan,

My recollection is that vrrp_strict only affects vrrp and not LVS. However, as you have noticed it does add iptables/ipset entries for the vrrp virtual addresses.

vrrp_strict is meant to enforce strict compliance with the VRRP RFC (RFC5798). This states in section 6.4.3:

(650) - MUST accept packets addressed to the IPvX address(es) associated with the virtual router if it is the IPvX address owner or if Accept_Mode is True. Otherwise, MUST NOT accept these packets.

So if you set vrrp_strict, and accept_mode is not set and the vrrp instance is not the address owner (i.e. priority is not 255), then iptables/ipsets entries are added to stop packets with a destination address of the virtual ip addresses being accepted by the host (it will still forward packets sent to those addresses).

If the LVS virtual servers are using ip addresses that are vrrp virtual ip addresses, and the vrrp instance is not priority 255, then the system will be configured not to accept the packets, and so LVS will not work when the virtual routers are using VRRP VIPs.

VRRPv2 does not have an accept mode, and so keepalived when strict mode is set does not allow accept to be set on a VRRP instance.

The solution to your problem is either not to set strict_mode, or use VRRPv3 and set accept on the vrrp instances that have virtual IP addresses which are LVS virtual server IP addresses.

If what I have described above is correct, then I believe that keepalived is working correctly. If not, then could you please forward a copy of the configuration.

I hope that helps,
Quentin

On Fri, 2018-10-26 at 11:26 -0500, Ryan O'Hara wrote:
> Hi all.
>
> I was asked about vrrp_strict behavior for LVS in DR mode, so I threw
> together a simple configuration (LVS-DR) and made sure it was working
> properly. Then I added 'vrrp_strict' option to global_defs and
> restarted, now I am not able to reach the real servers via VIP.
>
> I notice that vrrp_strict creates an iptables entry and an ipset
> (keepalived), so I have to think that this has something to do with
> it. Thoughts? Is vrrp_strict known to *not* work with LVS-DR?
>
> Ryan
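
The condition described in the reply above can be checked against a configuration file before restarting keepalived. The following is an added example, not code from the thread or from the keepalived project: a small lint that reports LVS virtual server addresses which are also VRRP VIPs on an instance that strict mode would stop the host from accepting. The function name, the sample configuration and its addresses are constructed for illustration, and the parser assumes one keyword per line as in typical keepalived.conf files.

```python
import re

# Constructed sample configuration (not from the thread).
SAMPLE_CONF = """
global_defs {
    vrrp_strict
}
vrrp_instance VI_1 {
    interface eth0
    virtual_router_id 51
    priority 100
    virtual_ipaddress {
        192.0.2.10/24
    }
}
virtual_server 192.0.2.10 80 {
    lb_kind DR
}
"""

def find_dropped_lvs_vips(conf):
    """Return LVS virtual server IPs that strict mode stops the host accepting."""
    strict, stack, instances, servers = False, [], {}, []
    for raw in conf.splitlines():
        words = re.split(r"[#!]", raw)[0].split()  # drop comments
        if not words:
            continue
        if words[0] == "}":
            stack = stack[:-1]  # leave the current block
            continue
        inst = next((b[1] for b in stack if b[0] == "vrrp_instance"), None)
        top = stack[-1][0] if stack else None
        if top == "global_defs" and words[0] == "vrrp_strict":
            strict = True
        elif top == "vrrp_instance" and words[0] == "priority":
            instances[inst]["priority"] = int(words[1])
        elif top == "vrrp_instance" and words[0] == "accept":
            instances[inst]["accept"] = True
        elif top == "virtual_ipaddress" and inst:
            instances[inst]["vips"].add(words[0].split("/")[0])
        if words[-1] == "{":
            stack = stack + [words[:-1]]  # enter a new block
            if words[0] == "vrrp_instance":  # 100 is keepalived's default priority
                instances[words[1]] = {"priority": 100, "accept": False, "vips": set()}
            elif words[0] == "virtual_server":
                servers.append(words[1])
    # VIPs are dropped unless the instance is the address owner (255) or sets accept.
    blocked = set().union(*(i["vips"] for i in instances.values()
                            if not i["accept"] and i["priority"] != 255))
    return sorted(ip for ip in servers if strict and ip in blocked)
```

For the sample above the function returns `['192.0.2.10']`; adding `accept` to the instance (which, per the reply, requires VRRPv3 when strict mode is on) or removing `vrrp_strict` gives an empty list.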