$ pen -l pen.log -p pen.pid lbhost:80 host1:80 host2:80
If pen is running on one of the web servers, it might seem like a good idea to simply use an alternative port for the web server process, reusing the IP address. Unfortunately, that doesn't work very well. Look at this (simplified) example:
sh-2.05# pen lbhost:80 lbhost:8080 sh-2.05# telnet lbhost 80 Trying 127.0.0.1... Connected to lbhost. Escape character is '^]'. GET /bb <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>301 Moved Permanently</TITLE> </HEAD><BODY> <H1>Moved Permanently</H1> The document has moved <A HREF="http://lbhost:8080/bb/">here</A>.<P> <HR> <ADDRESS>Apache/1.3.14 Server at lbhost Port 8080</ADDRESS> </BODY></HTML> Connection closed by foreign host.
This will cause the client to attempt to contact the web server directly, which may not be possible depending on firewall configuration and is certainly not desirable since it defeats any load balancing attempts from pen.
The solution is to bind two addresses to the server running pen, and use one address for pen and the other for the web server. Like this:
$ pen address1:80 address2:80 server2:80
Here, address1 and address2 refer to the same server, while server2 refers to another server.
The programs penlog and penlogd are used to combine the web server logs into a single file which can be used to calculate statistics. Penlog runs on each of the web servers. It reads log entries from stdin and sends them over the network to the host running penlogd. For Apache, this is accomplished by adding a line similar to this to httpd.conf:
CustomLog "|/usr/local/bin/penlog loghost 10000" common
For other web servers, the procedure is different. If the server cannot write its logs to a pipe, this kludge may actually work:
$ tail -f /path/to/logfile | penlogd loghost 10000
The command line to pen must also be altered to indicate that the logs should go to the penlogd server rather than a file. This is accomplished using the:
-l loghost:10000
option.
The log file pen.log is used to combine the web server logs into a single file which can be used to calculate statistics. Example:
$ mergelogs -p pen.log \
10.0.0.1:access_log.host1 10.0.0.2:access_log.host2 \
> access_log
The program mergelogs is distributed with pen. Use matching versions of pen and mergelogs to ensure that the log file format is compatible. 10.0.0.1 and 10.0.0.2 are the IP addresses of host1 and host2. The log files access_log.host1 and access_log.host2 are Apache access log files in combined or common format. The resulting access_log is in the same format as the input files.
If the log file will be used to calculate visitor statistics, you probably want host names rather than IP addresses. This can be accomplished by forcing the web server to do hostname lookups on the clients. This harms performance since the lookups are slow.
A better solution is to use a separate program to process the log file. One such program is webresolve, which is usually run from the splitwr script to perform many lookups in parallel. Example:
$ splitwr access_log > access_log.resolved
Webresolve is available from http://siag.nu/webresolve/.
$ pen -l pen.log -p pen.pid lbhost:443 host1:443 host2:443
Otherwise identical to http (for our purposes), https uses port 443.
Using pen for the ssl encapsulation:
$ pen -l pen.log -p pen.pid -E mycert.pem lbhost:443 host1:80 host2:80
$ pen -l pen80.log -p pen80.pid -h lbhost:80 host1:80 host2:80 $ pen -l pen443.log -p pen443.pid -h lbhost:443 host1:443 host2:443
If we are using http and https in parallel for a single site and need to make sure that requests go to the same server for both protocols, we use the -h (hash) option. Note that it is still possible for a client to end up with a split connection if e.g. http is down on host1 and https is down on host2.
The server selection can be made completely deterministic by adding the -s option. Pen will then stubbornly refuse to fail over to another server if the first choice is unavailable. Obviously, this means the site will fail for some clients if either http or https is down on any server, which is unsatisfactory.
A better solution is to use a single protocol for all communication, or design the application such that split connections do not matter. For example, serve static content such as images over http.
$ pen -l pen.log -p pen.pid -r lbhost:25 host1:25 host2:25
This is straightforward enough, with the added twist that all connections to host1 and host2 appear to come from lbhost. It is therefore important that care be taken so that the setup can't be used as an open relay for spam.
An example use for load balancing with smtp is for large sites with a high volume of outgoing mail.
$ pen -l pen.log -p pen.pid lbhost:21 host1:21 host2:21
The ftp protocol has quirks that makes load balancing more difficult than many other protocols. Details in RFC959, but here is an example from a pen debug session:
copy_up(0) 23: PORT 127,0,0,1,12,212 copy_down(0) 30: 200 PORT command successful. copy_up(0) 18: RETR loadlin.exe copy_down(0) 72: 150 Opening BINARY mode data connection for loadlin.exe (32177 bytes). copy_down(0) 24: 226 Transfer complete.
Notice how the last two entries claim that the transfer is first "opening", and then "complete" with no intermediary step.
In other words, the initial connection is just a command telnet stream. For the data transfer, the client opens a port of its own and the server connects directly there, bypassing the load balancer.
There isn't necessarily anything particularly wrong about that, except that the server will connect from an address that the client doesn't expect, and it will have to connect to an address that is different from the peer in the command stream. In addition, it may not work if the server is behind a firewall and it most certainly won't work if pen is acting as the firewall.
A solution would be to intercept the PORT command, open a connection there, listen to a socket of our own and send a new PORT command to the server instead of the one the client sent. We would also need to track the command stream during the data transfer, and check for things like ABOR and STAT. And we'd have to implements all kinds of workarounds for buggy clients and servers.
Messy indeed, and pen doesn't even try. Browse through an ftp client some time; it's entertaining to see what programmers think of the protocol.
Here is a recipe for ftp load balancing that is portable, works and is easy to implement.
First a snippet from /etc/hosts. The IP addresses are supposed to be public addresses. It is possible to play tricks with NAT to remove that requirement, but that is beyond the scope of this document.
123.123.123.1 lbhost 123.123.123.2 host1 123.123.123.3 host2
ftp servers are running on host1 and host2. Use this command to start pen on lbhost:
$ pen -l pen.log -p pen.pid lbhost:21 host1:21 host2:21
Incoming connections from clients are distributed to host1 and host2, transparently to the user. Outgoing connections from host1 and host2 bypass lbhost. If there is a firewall between the servers and the Internet, it must permit incoming traffic to lbhost on port 21 and outgoing traffic from host1 and host2.
This can be prevented from working if the client is behind a firewall that does its own stateful session tracking (for example, setting up temporary rules that let the server access the client on the port given in the PORT command), but there's little or nothing we can do about that. Such schemes break anyway if the server has multiple IP addresses, load balancing or not.
Picky servers that refuse to set up data streams that bypass the load balancer won't work either, but then we at least have the option to replace the server. The stock Solaris ftpd is fine; wu-ftpd 2.6.0 is not.
The pop3 service normally runs from inetd. In that case, it is not possible to use multiple IP addresses to allow pen and the pop3 server to run on the same host. However, there's nothing to stop us from using multiple ports. Add this to /etc/services:
pop3-pen 1110/tcp
And change /etc/inetd.conf like this:
# pop3 stream tcp nowait root /usr/sbin/tcpd in.pop3d pop3-pen stream tcp nowait root /usr/sbin/tcpd in.pop3d
Note how the old entry for pop3 is commented out. Restart inetd and run:
$ pen -p pen.pid pop3 localhost:1110 otherhost:pop3
Pen will listen to the pop3 port and distribute incoming requests to the local pop3 server running on port 1110 and to the pop3 server running on "otherhost" on the standard port.
(This was sent as a reply to a question is pen could handle load balancing and failover for a group of ldap servers.)
As far as I know, LDAP is a simple tcp based protocol. The following experiment on my laptop was successful:
Install OpenLDAP
Run slapd like this:
$ /usr/local/libexec/slapd -d 255
Run pen like this:
$ pen -d -d -f 3890 localhost:389
Run ldapsearch like this:
$ ldapsearch -H ldap://localhost:3890 \ -x -b '' -s base '(objectclass=*)' namingContexts
Slapd and pen spewed lots of debugging info and ldapsearch returned:
8<--- # # filter: (objectclass=*) # requesting: namingContexts # # dn: namingContexts: o=Qbranch,c=SE # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 8<---
which was what I expected.
Inspired by this success, I repeated the test:
8<---
/usr/local/libexec/slapd -d 255 -h ldap://localhost:389/
/usr/local/libexec/slapd -d 255 -h ldap://localhost:390/
pen -d -d -f 3890 localhost:389 localhost:390
ldapsearch -H ldap://localhost:3890 \
-x -b '' -s base '(objectclass=*)' namingContexts
8<---
Got a reply. Repeated a few times, then pressed Ctrl-C on the slapd that was serving the replies. Did another ldapsearch and got a reply from the other slapd.
As far as I can see, pen handles LDAP load balancing and failover just fine.
It is possible to install pen on two load balancers and use vrrp to get failover in case one of them goes down. To do this, you need two servers (obviously), pen and Jerome Etienne's vrrpd for Linux.
Install pen and vrrpd on both servers. Start pen on both servers, using all the same parameters and listening on all addresses. Finally start vrrpd, again using the same parameters on both hosts. Example, using debugging output to show what is going on:
$ pen -df 2323 192.168.1.240:23 $ vrrpd -i eth0 -v 1 192.168.1.199
Now try telnetting to 192.168.1.199 on port 2323. You should get connected through pen on one of the servers. Log out and stop vrrpd on the active server. Again telnet to 192.168.1.199 port 2323. You should get connected again, this time through pen on the other server.
Note that this doesn't provide perfect fault tolerance. Vrrpd only checks if the other server is alive, but it doesn't care if pen is responding.
Also note that the legal status of vrrp is unclear, as both Cisco and IBM claim to hold patents on the technology.