Special configuration steps on SuSE's colocated servers

This document is designed to track the special differences and tweaks which diverge from a standard SuSE installation to prepare a machine for our colocated environment. Some changes may be generic server-oriented settings, whereas others are specific to networking behind the ServerIron load balancing box.

Path MTU Discovery

Issue:

The Linux kernel has a feature known as Path MTU Discovery (PMTUD), which avoids fragmentation of packets anywhere along the path of an IP connection. Unfortunately, this feature depends on the receipt of ICMP errors, and ServerIron has no ability to pass ICMP messages through a virtual server connection to the correct real server.

Action:

Disable PMTUD on all machines acting as part of a virtual server. This can be done globally on a Linux machine through the proc interface. Add the following line to /sbin/init.d/boot.local:

echo "1" > /proc/sys/net/ipv4/ip_no_mtu_disc
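As an added example (not part of the original document), the following shell helpers apply the boot.local change from above idempotently and verify the result. The optional ROOT argument prefixes all paths so the functions can be exercised against a scratch directory before being run as root on a real machine; the proc key and the boot.local path are the ones named above, and a re-run must not append the line a second time.

```shell
#!/bin/sh
# Added example, not from the original page: check, apply and persist the
# PMTUD setting. ROOT (first argument, default empty) is prefixed to every
# path so the functions can be tested against a scratch directory.

PROC_KEY=net/ipv4/ip_no_mtu_disc
BOOT_LOCAL=/sbin/init.d/boot.local
PMTUD_LINE='echo "1" > /proc/sys/net/ipv4/ip_no_mtu_disc'

# Print "disabled" when ip_no_mtu_disc is 1, "enabled" otherwise,
# "unknown" (and a non-zero status) when the proc file is unreadable.
pmtud_status() {
    root=${1:-}
    f="$root/proc/sys/$PROC_KEY"
    [ -r "$f" ] || { echo unknown; return 1; }
    if [ "$(cat "$f")" = "1" ]; then echo disabled; else echo enabled; fi
}

# Turn PMTUD off right now and make the setting survive a reboot by adding
# the boot.local line, but only if it is not already present.
disable_pmtud() {
    root=${1:-}
    echo "1" > "$root/proc/sys/$PROC_KEY"
    bl="$root$BOOT_LOCAL"
    mkdir -p "$(dirname "$bl")"
    touch "$bl"
    grep -qF "$PMTUD_LINE" "$bl" || printf '%s\n' "$PMTUD_LINE" >> "$bl"
}

# Number of times the line occurs in boot.local; should be exactly 1 after
# any number of disable_pmtud runs (0 or empty if the file does not exist).
pmtud_boot_entries() {
    grep -cF "$PMTUD_LINE" "${1:-}$BOOT_LOCAL" 2>/dev/null || true
}
```

Run disable_pmtud with no argument on the real server, then pmtud_status to confirm the kernel reports the feature as disabled and pmtud_boot_entries to confirm boot.local carries the line exactly once.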

TCP Wrapper configuration

Issue:

TCP wrappers are programs designed to be run at the launch of TCP-based servers. The wrapper makes various checks on the connection in progress before deciding whether to launch the actual network daemon to accept the connection.

The default SuSE build of tcp_wrappers has the unfortunate behavior of attempting to use RFC 931 authorization checking to verify the username of the connecting party. In the modern age of personal computers (Windows, Macs, and personal Linux boxes), this information is completely untrustworthy. Furthermore, in our virtual server configuration, where the 'real servers' receive connections on private internal addresses, the authorization checks are attempted from the unreachable internal addresses. As a result, every connecting client receives packets sourced from an address it cannot reach, and so can never respond to them in a valid fashion.

Action:

tcp_wrappers must be compiled without the ALWAYS_USE_931 feature. The check can optionally be re-enabled on a service-by-service basis in the tcp_wrappers configuration files, such as /etc/hosts.allow.

A tarball containing the correct build environment for these changes and installation on SuSE Linux can be found under the name jsr-tcpwrap7.6.tar.gz in several places. The most reliable is /home/shared/is/software/jsr-tcpwrap7.6.tar.gz. To build this software for a given machine follow the steps outlined below.

  1. Use scp to copy the tar file to the machine you wish to use it on.
  2. Unpack it with: tar xvzf jsr-tcpwrap7.6.tar.gz
  3. Go into the unpacked directory: cd tcp_wrappers_7.6
  4. Build the software: make linux
  5. Do basic sanity checks. For example, rewrite /etc/inetd.conf to use the newly built tcpd for some service, send inetd a HUP, and verify that the service still works. Then return inetd.conf and inetd to their previous operation.
  6. Install the software: make -f Makefile.install install

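As an added example (not part of the original document or the tcp_wrappers distribution), the shell helpers below mechanise the sanity check of step 5: they report which inetd services are not yet routed through tcpd, rewrite one service line to use tcpd while keeping a backup, and restore the original file afterwards. The inetd.conf content is a constructed sample, the tcpd path /usr/sbin/tcpd and the classic seven-field inetd.conf layout are assumptions, and the wrapped line passes the daemon's absolute path to tcpd so the wrapper does not depend on its compiled-in daemon directory.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for the step-5 sanity
# check. Everything operates on the file you pass in, so try them on a copy
# of /etc/inetd.conf first. Assumptions: tcpd lives at /usr/sbin/tcpd and
# inetd.conf uses the classic layout
#   service socket proto wait user server-program args...

TCPD=/usr/sbin/tcpd

# Write a constructed sample inetd.conf (not a real server's file) to $1.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf, not taken from any real machine
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
}

# Print the name of every service whose server-program field is not tcpd.
unwrapped_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $6 != tcpd { print $1 }' \
        tcpd="$TCPD" "$1"
}

# Rewrite the line for service $2 in file $1 so it goes through tcpd.
# A .pre-tcpd backup is kept so the file can be put back afterwards.
wrap_service() {
    conf=$1; svc=$2
    [ -f "$conf.pre-tcpd" ] || cp "$conf" "$conf.pre-tcpd"
    awk '
        !/^[[:space:]]*#/ && $1 == svc && $6 != tcpd {
            daemon = $6          # absolute path of the real daemon
            rest = ""
            for (i = 8; i <= NF; i++) rest = rest " " $i
            # tcpd receives the absolute daemon path, so REAL_DAEMON_DIR
            # does not matter; the old argv[0] in field 7 is dropped.
            print $1, $2, $3, $4, $5, tcpd, daemon rest
            next
        }
        { print }
    ' svc="$svc" tcpd="$TCPD" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Put the pre-wrapping inetd.conf back in place.
restore_inetd_conf() {
    conf=$1
    if [ -f "$conf.pre-tcpd" ]; then mv "$conf.pre-tcpd" "$conf"; fi
}

# Ask a running inetd to re-read its configuration; a no-op if none runs.
reload_inetd() {
    pid=$(pidof inetd 2>/dev/null) || return 0
    if [ -n "$pid" ]; then kill -HUP $pid; fi
}
```

A typical pass is: unwrapped_services /etc/inetd.conf to pick a candidate, wrap_service /etc/inetd.conf finger, reload_inetd, connect to the service and confirm it still answers (and that no ident traffic leaves the box), then restore_inetd_conf /etc/inetd.conf and reload_inetd again before running the install step.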
Created mar.11.2000 / Joshua Rodman <jrodman@suse.com>