From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Mailings'AT'netzwerk.cc" Subject: Re: Login load balancing Date: Wed, 26 Apr 2006 20:03:52 +0200 Message-ID: <444FB608.10009@netzwerk.cc> References: <444FAEFF.1040100@uvic.ca> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <444FAEFF.1040100@uvic.ca> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: netfilter-bounces@lists.netfilter.org Errors-To: netfilter-bounces@lists.netfilter.org Content-Type: text/plain; charset="us-ascii"; format="flowed" To: Drew Leske Cc: netfilter@lists.netfilter.org Drew Leske wrote: > Hi all, > > I'm looking for a solution (and I'm not afraid of devving one if necessary) > to load-balance SSH logins over several mostly identical systems. So far > the closest I have come is a solution using iptables, but I'm not sure it > will work, and I may well be overlooking some other solution. Any ideas > would be appreciated. My research has so far turned up little. > > We have several systems that are, from a user's perspective, identical. > Their home directories are network mounted, libraries are synchronised, and > so on, so they don't really care which system they log in to. Their work on > these systems can be quite intensive and may consume quite a few resources, > but must remain interactive (so a batch system running on a cluster won't do > it). > > For the users it's a guessing game as to which of the machines they should > log in to at any point. They may log in to the first and find it's heavily > loaded, and so log in to another, until they find the best. A second > difficulty with this is the users have be aware of which machines are > available--and they are named, due to historical reasons, using a > non-contiguous numbering scheme. > > So instead of the users logging in to bob3, bob6 or bob8, I'd like for them > to be able to simply log in to "bob" and be directed to the least-loaded > machine. > > Round-robining on the switch won't do it, because if one of the systems is > absolutely pinned, every Nth login will still wind up there. > > Determining which machines are least loaded will not be a problem. The > metrics may be gathered using SNMP or some other means from the > participating hosts. The problem is entirely in the redirection from 'bob' > to 'bob3', 'bob6', 'bob8'. > > Logins are exclusively through SSH. There is no need, and I don't > anticipate one (which means there will be some fantastic new request coming > in tomorrow) to support other protocols in this manner. > > The only half-solution I have come up with so far is to define a 'director' > box with the 'bob' alias, and then periodically grab load metrics from the > participating hosts, determine of the 'bob's which is the least loaded, and > then *cough* update a DNAT rule to redirect requests coming in for 'bob' to > the least-loaded 'bobX'. > > The last part feels horky, and I'm not even sure it will work, since later > packets coming in may be DNAT'ed to a different machine. Also, the director > then routes all the packets for logins to all the boxes. I can't see any > way to redirect the initial connection that won't cause all sorts of > problems with the client's firewalls. > > Any ideas? > > Thanks, > Drew. > Hi Drew, maybe you should take a look on "iptables random" - target. Something like iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \ -m random --average $[100/$howmuchserveryouvegot] \ -j DNAT --to $server1 iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \ -m random --average $[100/$howmuchserveryouvegot] \ -j DNAT --to $server2 ... Only one idea, but remember "the last rule should realy match" ;-) Hope this is the right syntax. Best Sven