[lvs-users] LVS vs commercial LB in critical environment

Tobias Klausmann klausman at schwarzvogel.de
Fri Nov 20 17:05:00 GMT 2009


On Fri, 20 Nov 2009, Siim Põder wrote:
> > surprised to still see it. Hasn't Apache, Linux, and other, almost
> > standard open source technologies killed off that argument?
> Apparently not. As far as I understood:
> 1. commercial vendors have certifications
> 2. commercial vendors can be pressured to provide patches to problems
> 3. commercial vendors are used more often in critical envs and thus
> better tested in environments similar to ours
> 1. is not a real argument, unless you are required by law to use
> certified products. certification may prove something but lack of
> certification certainly does not.

We have passed PCI DSS certifications with 0 issues regarding the
load balancers. Nobody asked for vendor certifications on those.

We have also passed several other certifications. I don't
remember which, but there were several that the less technically
inclined people were very worried about. The question if our
load balancers and packet filters have some certification or not
never even came up.

> 2 may very well be the other way around, the vendor may leave you
> cleaning up their mess. there are probably more options of getting
> problems resolved with open source products.

Yes, with OSS you can simply hire a consultant to fix it for you
and he will not charge an arm and a leg (or you can just hire
somebody else). Vendor lock-in is nonexistent.

> 3 can hopefully be alleviated with a few examples (thanks for those).

We run around 200 server farms with close to 1500 realservers
without any issues. We look at commercial solutions from time to
time but we never have seen the kind of flexibility/hackability
that we have now (and depend upon).

The same goes for the packet filter/firewall area: we have several
packet filters with up to 35000 rules each, all based on
Netfilter/IPTables and a self-made configuration and management
infrastructure. A similar kind of setup based on (say)
Checkpoint's offerings would be several orders of magnitude more
expensive in licensing and training - not to mention having to do
everything the way the vendor thinks is right.

I see no reason to use a packetfilter that is not open source
based - except for small companies that can't afford the know-how
building (but then again, they could hire a consultant).


printk("whoops, seeking 0\n");
