Drew Leske wrote:
Hi all, I'm looking for a solution (and I'm not afraid of devving one if necessary) to load-balance SSH logins over several mostly identical systems. So far the closest I have come is a solution using iptables, but I'm not sure it will work, and I may well be overlooking some other solution. Any ideas would be appreciated. My research has so far turned up little. We have several systems that are, from a user's perspective, identical. Their home directories are network mounted, libraries are synchronised, and so on, so they don't really care which system they log in to. Their work on these systems can be quite intensive and may consume quite a few resources, but must remain interactive (so a batch system running on a cluster won't do it). For the users it's a guessing game as to which of the machines they should log in to at any point. They may log in to the first and find it's heavily loaded, and so log in to another, until they find the best. A second difficulty with this is the users have be aware of which machines are available--and they are named, due to historical reasons, using a non-contiguous numbering scheme. So instead of the users logging in to bob3, bob6 or bob8, I'd like for them to be able to simply log in to "bob" and be directed to the least-loaded machine. Round-robining on the switch won't do it, because if one of the systems is absolutely pinned, every Nth login will still wind up there. Determining which machines are least loaded will not be a problem. The metrics may be gathered using SNMP or some other means from the participating hosts. The problem is entirely in the redirection from 'bob' to 'bob3', 'bob6', 'bob8'. Logins are exclusively through SSH. There is no need, and I don't anticipate one (which means there will be some fantastic new request coming in tomorrow) to support other protocols in this manner. The only half-solution I have come up with so far is to define a 'director' box with the 'bob' alias, and then periodically grab load metrics from the participating hosts, determine of the 'bob's which is the least loaded, and then *cough* update a DNAT rule to redirect requests coming in for 'bob' to the least-loaded 'bobX'. The last part feels horky, and I'm not even sure it will work, since later packets coming in may be DNAT'ed to a different machine. Also, the director then routes all the packets for logins to all the boxes. I can't see any way to redirect the initial connection that won't cause all sorts of problems with the client's firewalls. Any ideas? Thanks, Drew.
Hi Drew, maybe you should take a look on "iptables random" - target. Something like iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \ -m random --average $[100/$howmuchserveryouvegot] \ -j DNAT --to $server1 iptables -t nat -A PREROUTING -p tcp --dport 22 -i $whatever \ -m random --average $[100/$howmuchserveryouvegot] \ -j DNAT --to $server2 ... Only one idea, but remember "the last rule should realy match" ;-) Hope this is the right syntax. Best Sven
