LVS-NAT one arm
LVS-NATで、real serverをいじらないで済む一本腕な構成を考えて見ました。
CONFIG_IP_VS_NFCT = y なカーネルが必要です。
real serverでは、directorサーバからのアクセスに見えます。
- 構成
client: 192.168.1.1 director: 172.16.1.2 (VIP: 172.16.1.1) realserver: 10.1.1.1
- directorで設定
- sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/vs/conntrack
- vipの設定
ip addr add 172.16.1.1 label eth0:1 dev eth0 arping -U -c 1 -I eth0 172.16.1.1
- ipvsadm
ipvsadm -A -t 172.16.1.1:80 -s rr ipvsadm -a -t 172.16.1.1:80 -r 10.1.1.1:80 -m
iptables -t nat -A POSTROUTING -m ipvs --vaddr 172.16.1.1 --vport 80 -j SNAT --to-source 172.16.1.2
これだけです。
どいひーな greasemonkey
// ==UserScript==
// @name 503 Auto Reloader
// @description Auto Page Reload on Busy Servers
// @author WhiteAnthrax
// @version 201201090239
// @include *
// ==/UserScript==
(function ()
{
if (document.title == '503 Service Temporarily Unavailable' )
{window.location.reload(true);}
else if (document.title == '503 Service Unavailable' )
{window.location.reload(true);}
else if (document.getElementsByTagName('h1')[0].innerHTML == 'Error 503')
{window.location.reload(true);}
})();
LinuxのTCP/IPの実装について調べてみた
結論
- アプリごとにbacklogの制限があるので設定してやること
- ApacheならListenBacklogで設定できる(デフォルト511)
- nginxならlisten 80 backlog=1024;のように設定する
linux kernel 3.0.6の関係しそうな所を覗いてみた
int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb) { struct tcp_extend_values tmp_ext; struct tcp_options_received tmp_opt; u8 *hash_location; struct request_sock *req; struct inet_request_sock *ireq; struct tcp_sock *tp = tcp_sk(sk); struct dst_entry *dst = NULL; __be32 saddr = ip_hdr(skb)->saddr; __be32 daddr = ip_hdr(skb)->daddr; __u32 isn = TCP_SKB_CB(skb)->when; #ifdef CONFIG_SYN_COOKIES int want_cookie = 0; #else #define want_cookie 0 /* Argh, why doesn't gcc optimize this :( */ #endif /* Never answer to SYNs send to broadcast or multicast */ if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) goto drop; /* TW buckets are converted to open requests without * limitations, they conserve resources and peer is * evidently real one. */ if (inet_csk_reqsk_queue_is_full(sk) && !isn) { if (net_ratelimit()) syn_flood_warning(skb); #ifdef CONFIG_SYN_COOKIES if (sysctl_tcp_syncookies) { want_cookie = 1; } else #endif goto drop; }
- inet_csk_reqsk_queue_is_full()
- include/net/inet_connection_sock.h
static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) { return reqsk_queue_is_full(&inet_csk(sk)->icsk_accept_queue); }
- reqsk_queue_is_full()
- include/net/request_sock.h
static inline int reqsk_queue_is_full(const struct request_sock_queue *queue)
{
return queue->listen_opt->qlen >> queue->listen_opt->max_qlen_log;
}
- listen_opt
- include/net/request_sock.h
/** struct listen_sock - listen state
*
* @max_qlen_log - log_2 of maximal queued SYNs/REQUESTs
*/
struct listen_sock {
u8 max_qlen_log;
/* 3 bytes hole, try to use */
int qlen;
int qlen_young;
int clock_hand;
u32 hash_rnd;
u32 nr_table_entries;
struct request_sock *syn_table[0];
};
/** struct request_sock_queue - queue of request_socks
*
* @rskq_accept_head - FIFO head of established children
* @rskq_accept_tail - FIFO tail of established children
* @rskq_defer_accept - User waits for some data after accept()
* @syn_wait_lock - serializer
*
* %syn_wait_lock is necessary only to avoid proc interface having to grab the main
* lock sock while browsing the listening hash (otherwise it's deadlock prone).
*
* This lock is acquired in read mode only from listening_get_next() seq_file
* op and it's acquired in write mode _only_ from code that is actively
* changing rskq_accept_head. All readers that are holding the master sock lock
* don't need to grab this lock in read mode too as rskq_accept_head. writes
* are always protected from the main sock lock.
*/
struct request_sock_queue {
struct request_sock *rskq_accept_head;
struct request_sock *rskq_accept_tail;
rwlock_t syn_wait_lock;
u8 rskq_defer_accept;
/* 3 bytes hole, try to pack */
struct listen_sock *listen_opt;
};
- net/socket.c
* Perform a listen. Basically, we allow the protocol to do anything
* necessary for a listen, and if that works, we mark the socket as
* ready for listening.
*/
SYSCALL_DEFINE2(listen, int, fd, int, backlog)
{
struct socket *sock;
int err, fput_needed;
int somaxconn;
sock = sockfd_lookup_light(fd, &err, &fput_needed);
if (sock) {
somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
if ((unsigned)backlog > somaxconn)
backlog = somaxconn;
err = security_socket_listen(sock, backlog);
if (!err)
err = sock->ops->listen(sock, backlog);
fput_light(sock->file, fput_needed);
}
return err;
}
- net/ipv4/af_inet.c
/*
* Move a socket into listening state.
*/
int inet_listen(struct socket *sock, int backlog)
{
struct sock *sk = sock->sk;
unsigned char old_state;
int err;
lock_sock(sk);
err = -EINVAL;
if (sock->state != SS_UNCONNECTED || sock->type != SOCK_STREAM)
goto out;
old_state = sk->sk_state;
if (!((1 << old_state) & (TCPF_CLOSE | TCPF_LISTEN)))
goto out;
/* Really, if the socket is already in listen state
* we can only allow the backlog to be adjusted.
*/
if (old_state != TCP_LISTEN) {
err = inet_csk_listen_start(sk, backlog);
if (err)
goto out;
}
sk->sk_max_ack_backlog = backlog;
err = 0;
out:
release_sock(sk);
return err;
}
EXPORT_SYMBOL(inet_listen);
- net/ipv4/inet_connection_sock.c
int inet_csk_listen_start(struct sock *sk, const int nr_table_entries) { struct inet_sock *inet = inet_sk(sk); struct inet_connection_sock *icsk = inet_csk(sk); int rc = reqsk_queue_alloc(&icsk->icsk_accept_queue, nr_table_entries); if (rc != 0) return rc; sk->sk_max_ack_backlog = 0; sk->sk_ack_backlog = 0; inet_csk_delack_init(sk); /* There is race window here: we announce ourselves listening, * but this transition is still not validated by get_port(). * It is OK, because this socket enters to hash table only * after validation is complete. */ sk->sk_state = TCP_LISTEN; if (!sk->sk_prot->get_port(sk, inet->inet_num)) { inet->inet_sport = htons(inet->inet_num); sk_dst_reset(sk); sk->sk_prot->hash(sk); return 0; } sk->sk_state = TCP_CLOSE; __reqsk_queue_destroy(&icsk->icsk_accept_queue); return -EADDRINUSE; } EXPORT_SYMBOL_GPL(inet_csk_listen_start);
- net/core/request_sock.c
/* * Maximum number of SYN_RECV sockets in queue per LISTEN socket. * One SYN_RECV socket costs about 80bytes on a 32bit machine. * It would be better to replace it with a global counter for all sockets * but then some measure against one socket starving all other sockets * would be needed. * * It was 128 by default. Experiments with real servers show, that * it is absolutely not enough even at 100conn/sec. 256 cures most * of problems. This value is adjusted to 128 for very small machines * (<=32Mb of memory) and to 1024 on normal or better ones (>=256Mb). * Note : Dont forget somaxconn that may limit backlog too. */ int sysctl_max_syn_backlog = 256; EXPORT_SYMBOL(sysctl_max_syn_backlog); int reqsk_queue_alloc(struct request_sock_queue *queue, unsigned int nr_table_entries) { size_t lopt_size = sizeof(struct listen_sock); struct listen_sock *lopt; nr_table_entries = min_t(u32, nr_table_entries, sysctl_max_syn_backlog); nr_table_entries = max_t(u32, nr_table_entries, 8); nr_table_entries = roundup_pow_of_two(nr_table_entries + 1); lopt_size += nr_table_entries * sizeof(struct request_sock *); if (lopt_size > PAGE_SIZE) lopt = vzalloc(lopt_size); else lopt = kzalloc(lopt_size, GFP_KERNEL); if (lopt == NULL) return -ENOMEM; for (lopt->max_qlen_log = 3; (1 << lopt->max_qlen_log) < nr_table_entries; lopt->max_qlen_log++); get_random_bytes(&lopt->hash_rnd, sizeof(lopt->hash_rnd)); rwlock_init(&queue->syn_wait_lock); queue->rskq_accept_head = NULL; lopt->nr_table_entries = nr_table_entries; write_lock_bh(&queue->syn_wait_lock); queue->listen_opt = lopt; write_unlock_bh(&queue->syn_wait_lock); return 0; }
- roundup_pow_of_two は 近くの2の累乗の値にする(include/linux/log2.h)
somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
if ((unsigned)backlog > somaxconn)
backlog = somaxconn;
- nr_table_entries = backlog (somaxconn以上ならsomaxconn)
- もし somaxconn = 128 backlog = 511 なら nr_table_entries = 128
- nr_table_entries = min_t(u32, nr_table_entries, sysctl_max_syn_backlog);
- nr_table_entries = 128
- nr_table_entries = max_t(u32, nr_table_entries, 8);
- nr_table_entries = 128
- nr_table_entries = roundup_pow_of_two(nr_table_entries + 1);
- nr_table_entries = roundup_pow_of_two(128 + 1) = 256
for (lopt->max_qlen_log = 3; (1 << lopt->max_qlen_log) < nr_table_entries; lopt->max_qlen_log++);
-
- max_qlen_log = 8
- これはつまりlog2256 を計算している。nr_table_entries = max_t(u32, nr_table_entries, 8) なので、3からスタートしている。
- max_qlen_log = 8
static inline int reqsk_queue_is_full(const struct request_sock_queue *queue)
{
return queue->listen_opt->qlen >> queue->listen_opt->max_qlen_log;
}
if (inet_csk_reqsk_queue_is_full(sk) && !isn) { if (net_ratelimit()) syn_flood_warning(skb);
tcp_max_syn_backlog の 値って?
/* Kill the following clause, if you dislike this way. */
else if (!sysctl_tcp_syncookies &&
(sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
(sysctl_max_syn_backlog >> 2)) &&
(!peer || !peer->tcp_ts_stamp) &&
(!dst || !dst_metric(dst, RTAX_RTT))) {
/* Without syncookies last quarter of
* backlog is filled with destinations,
* proven to be alive.
* It means that we continue to communicate
* to destinations, already remembered
* to the moment of synflood.
*/
LIMIT_NETDEBUG(KERN_DEBUG "TCP: drop open request from %pI4/%u\n",
&saddr, ntohs(tcp_hdr(skb)->source));
goto drop_and_release;
- (sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) < (sysctl_max_syn_backlog >> 2))
- sysctl_max_syn_backlogが
- 512のとき : (512 - X) < 128 ⇒ X = 384
- 1024のとき : (1024 - X) < 256 ⇒ X = 768
- 2048のとき : (2048 - X) < 512 ⇒ X = 1536
- 4096のとき : (4096 - X) < 1024 ⇒ X = 3072
- sysctl_max_syn_backlogが
- 要するに、だいたい int(X * 0.75) が 実効値
epgdump
ちょろちょろsegfaultがでてるのでパッチをあてた
--- ts.c.orig 2011-08-21 21:00:29.000000000 +0900
+++ ts.c 2011-08-21 18:11:17.000000000 +0900
@@ -320,6 +320,9 @@
int checkcrc(SECcache *secs) {
+ if(secs->seclen > MAXSECLEN) {
+ return 0;
+ }
/* セクションの終りに置かれる4バイトのCRC32は、
CRC計算の結果0になるように設定される。
いまのところでなくなった模様
udevが/dev/sd*を消してしまう
カーネルはちゃんと/dev/sd*を認識してるのに、udevが上がったとたん/dev/sd*を消しちゃう状態になってハマりました。
どうやら/usr/share/doc/udev-151-r4/README.bz2によると、カーネルのconfigを以下のようにする必要があるそうです
CONFIG_HOTPLUG=y
CONFIG_UEVENT_HELPER_PATH=""
CONFIG_NET=y
CONFIG_UNIX=y
CONFIG_SYSFS=y
CONFIG_SYSFS_DEPRECATED*=n
CONFIG_PROC_FS=y
CONFIG_TMPFS=y
CONFIG_INOTIFY_USER=y
CONFIG_SIGNALFD=y
CONFIG_TMPFS_POSIX_ACL=y (user ACLs for device nodes)
CONFIG_BLK_DEV_BSG=y (SCSI devices)これでOKでした。
CONFIG_SYSFS_DEPRECATED*=n について言及してる人はいるんだけど、それ以外はあまり見かけませんでした。ググる前にちゃんとREADMEみないといけないね。
