IPVSADM(8)                Linux Administrator's Guide               IPVSADM(8)

NAME
       ipvsadm - Linux Virtual Server administration

SYNOPSIS
       ipvsadm -A|E -t|u|f service-address [-s scheduler]
               [-p [timeout]] [-M netmask]
       ipvsadm -D -t|u|f service-address
       ipvsadm -C
       ipvsadm -R
       ipvsadm -S [-n]
       ipvsadm -a|e -t|u|f service-address -r server-address
               [-g|i|m] [-w weight] [-x upper] [-y lower]
       ipvsadm -d -t|u|f service-address -r server-address
       ipvsadm -L|l [options]
       ipvsadm -Z [-t|u|f service-address]
       ipvsadm --set tcp tcpfin udp
       ipvsadm --start-daemon state [--mcast-interface interface]
               [--syncid syncid]
       ipvsadm --stop-daemon state
       ipvsadm -h

DESCRIPTION
       Ipvsadm(8) is used to set up, maintain or inspect the virtual server
       table in the Linux kernel. The Linux Virtual Server can be used to
       build scalable network services based on a cluster of two or more
       nodes. The active node of the cluster redirects service requests to a
       collection of server hosts that will actually perform the services.
       Supported features include two protocols (TCP and UDP), three packet-
       forwarding methods (NAT, tunneling, and direct routing), and ten load
       balancing algorithms (round robin, weighted round robin, least-
       connection, weighted least-connection, locality-based least-
       connection, locality-based least-connection with replication,
       destination-hashing, source-hashing, shortest expected delay, and
       never queue).

       The command has two basic formats for execution:

       ipvsadm COMMAND [protocol] service-address
               [scheduling-method] [persistence options]

       ipvsadm command [protocol] service-address
               server-address [packet-forwarding-method]
               [weight options]

       The first format manipulates a virtual service and the algorithm for
       assigning service requests to real servers. Optionally, a persistent
       timeout and network mask for the granularity of a persistent service
       may be specified. The second format manipulates a real server that is
       associated with an existing virtual service. When specifying a real
       server, the packet-forwarding method and the weight of the real
       server, relative to other real servers for the virtual service, may
       be specified; otherwise defaults will be used.

   COMMANDS
       ipvsadm(8) recognises the commands described below. Upper-case commands
       maintain virtual services. Lower-case commands maintain real servers
       that are associated with a virtual service.

       -A, --add-service
              Add a virtual service. A service address is uniquely defined by
              a triplet: IP address, port number, and protocol. Alternatively,
              a virtual service may be defined by a firewall-mark.

       -E, --edit-service
              Edit a virtual service.

       -D, --delete-service
              Delete a virtual service, along with any associated real
              servers.

       -C, --clear
              Clear the virtual server table.

       -R, --restore
              Restore Linux Virtual Server rules from stdin. Each line read
              from stdin will be treated as the command line options to a
              separate invocation of ipvsadm. Lines read from stdin can
              optionally begin with "ipvsadm". This option is useful to avoid
              executing a large number of ipvsadm commands when constructing
              an extensive virtual server table.

       -S, --save
              Dump the Linux Virtual Server rules to stdout in a format that
              can be read by -R|--restore.

       -a, --add-server
              Add a real server to a virtual service.

       -e, --edit-server
              Edit a real server in a virtual service.

       -d, --delete-server
              Remove a real server from a virtual service.

       -L, -l, --list
              List the virtual server table if no argument is specified. If a
              service-address is selected, list this service only. If the -c
              option is selected, then display the connection table. The exact
              output is affected by the other arguments given.

       -Z, --zero
              Zero the packet, byte and rate counters in a service or all
              services.

       --set tcp tcpfin udp
              Change the timeout values used for IPVS connections. This
              command always takes 3 parameters, representing the timeout
              values (in seconds) for TCP sessions, TCP sessions after
              receiving a FIN packet, and UDP packets, respectively. A timeout
              value of 0 means that the current timeout value of the
              corresponding entry is preserved.

       --start-daemon state
              Start the connection synchronization daemon. The state
              indicates whether the daemon is started as master or backup.
              The connection synchronization daemon is implemented inside the
              Linux kernel. The master daemon running at the primary load
              balancer multicasts changes of connections periodically, and
              the backup daemon running at the backup load balancers receives
              the multicast messages and creates corresponding connections.
              Then, in case the primary load balancer fails, a backup load
              balancer will take over, and it has the state of almost all
              connections, so that almost all established connections can
              continue to access the service.

              The sync daemon currently only supports IPv4 connections.

       --stop-daemon state
              Stop the connection synchronization daemon.

       -h, --help
              Display a description of the command syntax.

   PARAMETERS
       The commands above accept or require zero or more of the following
       parameters.

       -t, --tcp-service service-address
              Use TCP service. The service-address is of the form host[:port].
              Host may be either a plain IP address or a hostname. Port may be
              either a plain port number or the service name of the port. The
              port may be omitted, in which case zero will be used. A port of
              zero is only valid if the service is made persistent with the
              -p|--persistent option, in which case it is a wild-card port,
              that is, connections will be accepted to any port.

       -u, --udp-service service-address
              Use UDP service. See -t|--tcp-service for the description of
              the service-address.

       -f, --fwmark-service integer
              Use a firewall-mark, an integer value greater than zero, to
              denote a virtual service instead of an address, port and
              protocol (UDP or TCP). The marking of packets with a firewall-
              mark is configured using the MARK target of iptables(8)
              (-j MARK --set-mark), as in EXAMPLE 2 below. It can be used to
              build a virtual service associated with the same real servers,
              covering multiple IP address, port and protocol triplets. If
              IPv6 addresses are used, the -6 option must be used.

              Using firewall-mark virtual services provides a convenient
              method of grouping together different IP addresses, ports and
              protocols into a single virtual service. This is useful both
              for simplifying configuration if a large number of virtual
              services are required and for grouping persistence across what
              would otherwise be multiple virtual services.

       -s, --scheduler scheduling-method
              Algorithm for allocating TCP connections and UDP datagrams to
              real servers. Scheduling algorithms are implemented as kernel
              modules. Ten are shipped with the Linux Virtual Server:

              rr - Round Robin: distributes jobs equally amongst the available
              real servers.

              wrr - Weighted Round Robin: assigns jobs to real servers
              proportionally to the real servers' weight. Servers with higher
              weights receive new jobs first and get more jobs than servers
              with lower weights. Servers with equal weights get an equal
              distribution of new jobs.

              lc - Least-Connection: assigns more jobs to real servers with
              fewer active jobs.

              wlc - Weighted Least-Connection: assigns more jobs to servers
              with fewer jobs, relative to the real servers' weight (Ci/Wi).
              This is the default.

              lblc - Locality-Based Least-Connection: assigns jobs destined
              for the same IP address to the same server if the server is not
              overloaded and available; otherwise assigns jobs to servers with
              fewer jobs, and keeps that assignment for future requests.

              lblcr - Locality-Based Least-Connection with Replication:
              assigns jobs destined for the same IP address to the least-
              connection node in the server set for the IP address. If all
              the nodes in the server set are overloaded, it picks a node with
              fewer jobs in the cluster and adds it to the server set for the
              target. If the server set has not been modified for the
              specified time, the most loaded node is removed from the server
              set, in order to avoid a high degree of replication.

              dh - Destination Hashing: assigns jobs to servers by looking up
              a statically assigned hash table by their destination IP
              addresses.

              sh - Source Hashing: assigns jobs to servers by looking up a
              statically assigned hash table by their source IP addresses.

              sed - Shortest Expected Delay: assigns an incoming job to the
              server with the shortest expected delay. The expected delay that
              the job will experience is (Ci + 1) / Ui if sent to the ith
              server, in which Ci is the number of jobs on the ith server and
              Ui is the fixed service rate (weight) of the ith server.

              nq - Never Queue: assigns an incoming job to an idle server if
              one exists, instead of waiting for a fast one; if all the
              servers are busy, it adopts the Shortest Expected Delay policy
              to assign the job.

       -p, --persistent [timeout]
              Specify that a virtual service is persistent. If this option is
              specified, multiple requests from a client are redirected to the
              same real server selected for the first request. Optionally,
              the timeout of persistent sessions may be specified, given in
              seconds; otherwise the default of 300 seconds will be used. This
              option may be used in conjunction with protocols such as SSL or
              FTP where it is important that clients consistently connect
              with the same real server.

              Note: If a virtual service is to handle FTP connections then
              persistence must be set for the virtual service if Direct
              Routing or Tunnelling is used as the forwarding mechanism. If
              Masquerading is used in conjunction with an FTP service then
              persistence is not necessary, but the ip_vs_ftp kernel module
              must be used. This module may be manually inserted into the
              kernel using insmod(8) or modprobe(8).

       -M, --netmask netmask
              Specify the granularity with which clients are grouped for
              persistent virtual services. The source address of the request
              is masked with this netmask to direct all clients from a network
              to the same real server. The default is 255.255.255.255, that
              is, the persistence granularity is per client host. Less
              specific netmasks may be used to resolve problems with non-
              persistent cache clusters on the client side. IPv6 netmasks
              should be specified as a prefix length between 1 and 128. The
              default prefix length is 128.

       -r, --real-server server-address
              Real server that an associated request for service may be
              assigned to. The server-address is the host address of a real
              server, optionally followed by a port. Host can be either a
              plain IP address or a hostname. Port can be either a plain port
              number or the service name of the port. In the case of the
              masquerading method, the host address is usually an RFC 1918
              private IP address, and the port can be different from that of
              the associated service. With the tunneling and direct routing
              methods, port must be equal to that of the service address. For
              normal services, the port specified in the service address will
              be used if port is not specified. For fwmark services, port may
              be omitted, in which case the destination port on the real
              server will be the destination port of the request sent to the
              virtual service.

       [packet-forwarding-method]

              -g, --gatewaying  Use gatewaying (direct routing). This is the
              default.

              -i, --ipip  Use ipip encapsulation (tunneling).

              -m, --masquerading  Use masquerading (network address
              translation, or NAT).

              Note: Regardless of the packet-forwarding mechanism specified,
              real servers for addresses for which there are interfaces on the
              local node will use the local forwarding method; packets for
              those servers are passed to the upper layer on the local node.
              This cannot be specified by ipvsadm; rather it is set by the
              kernel as real servers are added or modified.

       -w, --weight weight
              Weight is an integer specifying the capacity of a server
              relative to the others in the pool. The valid values of weight
              are 0 through 65535. The default is 1. Quiescent servers are
              specified with a weight of zero. A quiescent server will receive
              no new jobs but still serve the existing jobs, for all
              scheduling algorithms distributed with the Linux Virtual Server.
              Setting a quiescent server may be useful if the server is
              overloaded or needs to be taken out of service for maintenance.

       -x, --u-threshold uthreshold
              uthreshold is an integer specifying the upper connection
              threshold of a server. The valid values of uthreshold are 0
              through 65535. The default is 0, which means the upper
              connection threshold is not set. If uthreshold is set to another
              value, no new connections will be sent to the server when the
              number of its connections exceeds its upper connection
              threshold.

       -y, --l-threshold lthreshold
              lthreshold is an integer specifying the lower connection
              threshold of a server. The valid values of lthreshold are 0
              through 65535. The default is 0, which means the lower
              connection threshold is not set. If lthreshold is set to another
              value, the server will receive new connections again when the
              number of its connections drops below its lower connection
              threshold. If lthreshold is not set but uthreshold is set, the
              server will receive new connections again when the number of its
              connections drops below three-fourths of its upper connection
              threshold.

       --mcast-interface interface
              Specify the multicast interface that the sync master daemon
              sends outgoing multicasts through, or the sync backup daemon
              listens to for multicasts.

       --syncid syncid
              Specify the syncid that the sync master daemon fills in the
              SyncID header while sending multicast messages, or the sync
              backup daemon uses to filter out multicast messages not matching
              the SyncID value. The valid values of syncid are 0 through 255.
              The default is 0, which means no filtering at all. The syncid is
              a plain filter value, not an authentication mechanism: any host
              that can reach the multicast group and sends the matching
              SyncID will have its connection entries created on the backup.

       -c, --connection
              Connection output. The list command with this option will list
              current IPVS connections.

       --timeout
              Timeout output. The list command with this option will display
              the timeout values (in seconds) for TCP sessions, TCP sessions
              after receiving a FIN packet, and UDP packets.

       --daemon
              Daemon information output. The list command with this option
              will display the daemon status and its multicast interface.

       --stats
              Output of statistics information. The list command with this
              option will display the statistics information of services and
              their servers.

       --rate Output of rate information. The list command with this option
              will display the rate information (such as connections/second,
              bytes/second and packets/second) of services and their servers.

       --thresholds
              Output of thresholds information. The list command with this
              option will display the upper/lower connection threshold
              information of each server in the service listing.

       --persistent-conn
              Output of persistent connection information. The list command
              with this option will display the persistent connection counter
              information of each server in the service listing. The
              persistent connection is used to forward the actual connections
              from the same client/network to the same server.

              The list command with the -c, --connection option and this
              option will include persistence engine data, if any is present,
              when listing connections.

       --sort Sort the list of virtual services and real servers. The virtual
              service entries are sorted in ascending order by <protocol,
              address, port>. The real server entries are sorted in ascending
              order by <address, port>. (default)

       --nosort
              Do not sort the list of virtual services and real servers.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed
              in numeric format rather than as host names and services
              respectively, which is the default.

       --exact
              Expand numbers. Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's (multiples
              of 1000), M's (multiples of 1000K) or G's (multiples of 1000M).
              This option is only relevant for the -L command.

       -6, --ipv6
              Use with -f to signify that the fwmark rule uses IPv6
              addresses.

       -o, --ops
              One-packet scheduling. Used in conjunction with a UDP virtual
              service or a fwmark virtual service that handles only UDP
              packets. All connections are created such that they only
              schedule one packet.

EXAMPLE 1 - Simple Virtual Service
       The following commands configure a Linux Director to distribute
       incoming requests addressed to port 80 on 207.175.44.110 equally to
       port 80 on five real servers. The forwarding method used in this
       example is NAT, with each of the real servers being masqueraded by the
       Linux Director.

       ipvsadm -A -t 207.175.44.110:80 -s rr
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.1:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.2:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.3:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.4:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.5:80 -m

       Alternatively, this could be achieved in a single ipvsadm command.

       echo "
       -A -t 207.175.44.110:80 -s rr
       -a -t 207.175.44.110:80 -r 192.168.10.1:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.2:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.3:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.4:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.5:80 -m
       " | ipvsadm -R

       As masquerading is used as the forwarding mechanism in this example,
       the default route of the real servers must be set to the Linux
       Director, which will need to be configured to forward and masquerade
       packets. Forwarding is enabled with the following command:

       echo "1" > /proc/sys/net/ipv4/ip_forward

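       The bulk-load form above is convenient but easy to get wrong by hand,
       and ipvsadm -R only reports a bad line when the kernel rejects it,
       after the preceding lines have already been applied. The shell
       functions below are an added example, not part of the ipvsadm man page
       or the LVS project: they generate a rule set in the format read by
       ipvsadm -R for one TCP virtual service and validate each forwarding
       flag and weight against the ranges documented under -w before any
       line reaches the kernel. The function names ipvs_rules and ipvs_load,
       the REALSERVER[:PORT][/WEIGHT] argument convention and the addresses
       used in the sample calls are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the ipvsadm man page or the LVS project.
# Emits a rule set in the format read by "ipvsadm -R" for one TCP virtual
# service, so that a whole table is loaded by a single ipvsadm invocation.
#
# Usage: ipvs_rules VIP:PORT SCHEDULER FWD REALSERVER[:PORT][/WEIGHT] ...
#   FWD is -g, -i or -m (the packet-forwarding method).
#   WEIGHT defaults to 1, ipvsadm's own default; 0 quiesces the server.
# Function names, the "/WEIGHT" suffix convention and the addresses used
# in the sample calls are assumptions of this example.

ipvs_rules() {
    vip="$1"; sched="$2"; fwd="$3"
    shift 3
    case "$fwd" in
        -g|-i|-m) ;;
        *) echo "ipvs_rules: forwarding method must be -g, -i or -m" >&2
           return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "ipvs_rules: no real servers given" >&2; return 1; }

    # Virtual service line: one -A per service.
    printf '%s -t %s -s %s\n' -A "$vip" "$sched"

    # One -a line per real server. The weight range from -w (0..65535) is
    # enforced here rather than discovered as a kernel error halfway
    # through a restore.
    for rs in "$@"; do
        case "$rs" in
            */*) addr="${rs%/*}"; weight="${rs##*/}" ;;
            *)   addr="$rs";      weight=1 ;;
        esac
        case "$weight" in
            ''|*[!0-9]*)
                echo "ipvs_rules: bad weight '$weight' for $addr" >&2
                return 1 ;;
        esac
        if [ "$weight" -gt 65535 ]; then
            echo "ipvs_rules: weight $weight for $addr exceeds 65535" >&2
            return 1
        fi
        printf '%s -t %s -r %s %s -w %s\n' -a "$vip" "$addr" "$fwd" "$weight"
    done
}

# Generate and load in one step. Requires root and the ip_vs module; the
# rules are only piped to ipvsadm once every line has been validated.
ipvs_load() {
    rules="$(ipvs_rules "$@")" || return 1
    printf '%s\n' "$rules" | ipvsadm -R
}

# Sample call with the addresses from EXAMPLE 1 (constructed input):
#   ipvs_rules 207.175.44.110:80 wrr -m 192.168.10.1:80/3 192.168.10.2:80
```

       Because ipvs_load refuses to pipe anything to ipvsadm unless the
       whole rule set validated, a typo in one weight leaves the running
       table untouched instead of half-replacing it.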

EXAMPLE 2 - Firewall-Mark Virtual Service
       The following commands configure a Linux Director to distribute
       incoming requests addressed to any port on 207.175.44.110 or
       207.175.44.111 equally to the corresponding port on five real servers.
       As per the previous example, the forwarding method used in this
       example is NAT, with each of the real servers being masqueraded by the
       Linux Director.

       ipvsadm -A -f 1 -s rr
       ipvsadm -a -f 1 -r 192.168.10.1:0 -m
       ipvsadm -a -f 1 -r 192.168.10.2:0 -m
       ipvsadm -a -f 1 -r 192.168.10.3:0 -m
       ipvsadm -a -f 1 -r 192.168.10.4:0 -m
       ipvsadm -a -f 1 -r 192.168.10.5:0 -m

       As masquerading is used as the forwarding mechanism in this example,
       the default route of the real servers must be set to the Linux
       Director, which will need to be configured to forward and masquerade
       packets. The Linux Director should also be configured to mark incoming
       packets addressed to any port on 207.175.44.110 and 207.175.44.111
       with firewall-mark 1; the /31 in the iptables rule below covers
       exactly those two addresses. If FTP traffic is to be handled by this
       virtual service, then the ip_vs_ftp kernel module needs to be inserted
       into the kernel. These operations can be achieved using the following
       commands:

       echo "1" > /proc/sys/net/ipv4/ip_forward
       modprobe ip_tables
       iptables -A PREROUTING -t mangle -d 207.175.44.110/31 -j MARK --set-mark 1
       modprobe ip_vs_ftp

IPv6
       IPv6 addresses should be surrounded by square brackets ([ and ]).

       ipvsadm -A -t [2001:db8::80]:80 -s rr
       ipvsadm -a -t [2001:db8::80]:80 -r [2001:db8::a0a0]:80 -m

       fwmark IPv6 services require the -6 option.

NOTES
       The Linux Virtual Server implements three defense strategies against
       some types of denial of service (DoS) attacks. The Linux Director
       creates an entry for each connection in order to keep its state, and
       each entry occupies 128 bytes of effective memory. LVS's vulnerability
       to a DoS attack lies in the potential for an attacker to increase the
       number of entries as much as possible until the Linux Director runs
       out of memory. The three defense strategies against the attack are:
       randomly drop some entries in the table; drop 1/rate packets before
       forwarding them; and use a secure TCP state transition table with
       short timeouts. The strategies are controlled by sysctl variables and
       corresponding entries in the /proc filesystem:

       /proc/sys/net/ipv4/vs/drop_entry
       /proc/sys/net/ipv4/vs/drop_packet
       /proc/sys/net/ipv4/vs/secure_tcp

       Valid values for each variable are 0 through 3. The default value is
       0, which disables the respective defense strategy, so none of the
       three defenses is active on a director unless it has been enabled
       explicitly. 1 and 2 are automatic modes: when there is not enough
       available memory, the respective strategy is enabled and the variable
       is automatically set to 2; otherwise the strategy is disabled and the
       variable is set to 1. A value of 3 denotes that the respective
       strategy is always enabled. The available memory threshold and secure
       TCP timeouts can be tuned using the sysctl variables and corresponding
       entries in the /proc filesystem:

       /proc/sys/net/ipv4/vs/amemthresh
       /proc/sys/net/ipv4/vs/timeout_*

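       Since all three defenses default to off, the first thing to check on
       a director is whether any of them is enabled and how large the
       connection table has grown. The shell functions below are an added
       example, not part of the ipvsadm man page or the LVS project: they
       decode the 0 through 3 values of drop_entry, drop_packet and
       secure_tcp as documented above and estimate connection-table memory
       at the 128 bytes per entry stated in NOTES. The optional directory and
       file arguments let the functions run against copies of the /proc
       files; the function names and the sample ip_vs_conn contents used for
       testing are assumptions of this example, and the byte estimate
       assumes /proc/net/ip_vs_conn begins with a single column-header line.

```shell
#!/bin/sh
# Added example, not code from the ipvsadm man page or the LVS project.
# Audits the IPVS DoS defense sysctls described in NOTES and estimates
# the memory held by the connection table.
# Function names and the optional directory/file arguments (which let the
# functions run against copies of /proc) are assumptions of this example.

# Decode one drop_entry / drop_packet / secure_tcp value (0..3).
ipvs_defense_state() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "automatic, currently off (memory above amemthresh)" ;;
        2) echo "automatic, currently on (memory below amemthresh)" ;;
        3) echo "always on" ;;
        *) echo "unknown value '$1'"; return 1 ;;
    esac
}

# Print one line per strategy. Returns 0 only when every strategy is at
# least in automatic mode (value 1, 2 or 3); returns 1 if any strategy is
# disabled or its sysctl file is missing, so it can gate a health check.
# $1 = sysctl directory (default: the live one).
ipvs_defense_report() {
    dir="${1:-/proc/sys/net/ipv4/vs}"
    rc=0
    for name in drop_entry drop_packet secure_tcp; do
        if [ -r "$dir/$name" ]; then
            val="$(cat "$dir/$name")"
            printf '%-12s %s  %s\n' "$name" "$val" "$(ipvs_defense_state "$val")"
            [ "$val" != 0 ] || rc=1
        else
            printf '%-12s missing\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Estimate bytes held by connection entries: 128 bytes each (NOTES).
# $1 = ip_vs_conn file (default: the live one). The first line of
# /proc/net/ip_vs_conn is a column header and is skipped.
ipvs_conn_table_bytes() {
    file="${1:-/proc/net/ip_vs_conn}"
    # grep -c exits 1 when the count is 0, which is not an error here.
    entries="$(tail -n +2 "$file" | grep -c .)" || true
    echo $((entries * 128))
}

# Sample use on a live director (requires the ip_vs module):
#   ipvs_defense_report || echo "at least one DoS defense is disabled"
#   echo "connection table: $(ipvs_conn_table_bytes) bytes"
```

       A value of 1 is not a finding by itself: it means the kernel is
       watching amemthresh and will switch the strategy on when memory runs
       short. A persistent 2, however, means the director is already under
       memory pressure and is dropping entries or packets, which is worth
       alerting on together with the table-size estimate.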

FILES
       /proc/net/ip_vs
       /proc/net/ip_vs_app
       /proc/net/ip_vs_conn
       /proc/net/ip_vs_stats
       /proc/sys/net/ipv4/vs/am_droprate
       /proc/sys/net/ipv4/vs/amemthresh
       /proc/sys/net/ipv4/vs/drop_entry
       /proc/sys/net/ipv4/vs/drop_packet
       /proc/sys/net/ipv4/vs/secure_tcp
       /proc/sys/net/ipv4/vs/timeout_close
       /proc/sys/net/ipv4/vs/timeout_closewait
       /proc/sys/net/ipv4/vs/timeout_established
       /proc/sys/net/ipv4/vs/timeout_finwait
       /proc/sys/net/ipv4/vs/timeout_icmp
       /proc/sys/net/ipv4/vs/timeout_lastack
       /proc/sys/net/ipv4/vs/timeout_listen
       /proc/sys/net/ipv4/vs/timeout_synack
       /proc/sys/net/ipv4/vs/timeout_synrecv
       /proc/sys/net/ipv4/vs/timeout_synsent
       /proc/sys/net/ipv4/vs/timeout_timewait
       /proc/sys/net/ipv4/vs/timeout_udp

SEE ALSO
       The LVS web site (http://www.linuxvirtualserver.org/) for more
       documentation about LVS.

       ipvsadm-save(8), ipvsadm-restore(8), iptables(8),
       insmod(8), modprobe(8)

AUTHORS
       ipvsadm - Wensong Zhang <wensong@linuxvirtualserver.org>
                 Peter Kese <peter.kese@ijs.si>
       man page - Mike Wangsmo <wanger@redhat.com>
                  Wensong Zhang <wensong@linuxvirtualserver.org>
                  Horms <horms@verge.net.au>



4th Berkeley Distribution        5th July 2003                      IPVSADM(8)