1、简述lvs四种集群特点及使用场景
LVS工作在内核的PREROUTING和INPUT链之间,当请求经过PREROUTING链时,llvs发现请求是自己,会截取请求不在往INPUT链转发,而是查询路由表经过POSTROUTING链将请求转发给后端的real server
LVS-NAT模型
NAT模型是多目标IP的DNAT,通过将请求报文中的目标地址和目标端口修改为某挑
出的RS的RIP和PORT实现转发
(1)RIP和DIP应在同一个IP网络,且应使用私网地址,RS的网关要指向DIP
(2)请求报文和响应报文都必须经由Director转发,高并发场景下Director易于成为整个集群的性能瓶颈
(3)支持端口映射,可修改请求报文的目标PORT
(4)VS必须是Linux系统,RS可以是任意OS系统
LVS-DR:Direct Routing,直接路由,LVS默认模式,应用最广泛,通过为请求报
文重新封装一个MAC首部进行转发,源MAC是DIP所在的接口的MAC,目标
MAC是某挑选出的RS的RIP所在接口的MAC地址;源IP/PORT,以及目标
IP/PORT均保持不变
(1) Director和各RS都配置有VIP
(2) 确保前端路由器将目标IP为VIP的请求报文发往Director
在前端网关做静态绑定VIP和Director的MAC地址
在RS上使用arptables工具
arptables -A IN -d $VIP -j DROP
arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
在RS上修改内核参数以限制arp通告及应答级别
/proc/sys/net/ipv4/conf/all/arp_ignore
/proc/sys/net/ipv4/conf/all/arp_announce
(3)RS的RIP可以使用私网地址,也可以是公网地址;RIP与DIP在同一IP网络;
RIP的网关不能指向DIP,以确保响应报文不会经由Director
(4)RS和Director要在同一个物理网络
(5)请求报文要经由Director,但响应报文不经由Director,而由RS直接发往
Client,该方案在高并发场景下不会造成Director的性能瓶颈
(6)不支持端口映射(端口不能修败)
(7)RS可使用大多数OS系统
LVS-TUN模型
转发方式:不修改请求报文的IP首部(源IP为CIP,目标IP为VIP),而在原IP报文
之外再封装一个IP首部(源IP是DIP,目标IP是RIP),将报文发往挑选出的目标RS;RS直接响应给客户端(源IP是VIP,目标IP是CIP)
(1) DIP, VIP, RIP都应该是公网地址
(2) RS的网关一般不能指向DIP
(3) 请求报文要经由Director,但响应不经由Director
(4) 不支持端口映射
(5) RS的OS须支持隧道功能
lvs-fullnat模式
lvs-fullnat:通过同时修改请求报文的源IP地址和目标IP地址进行转发
CIP --> DIP
VIP --> RIP
(1) VIP是公网地址,RIP和DIP是私网地址,且通常不在同一IP网络;因此,
RIP的网关一般不会指向DIP
(2) RS收到的请求报文源地址是DIP,因此,只需响应给DIP;但Director还
要将其发往Client
(3) 请求和响应报文都经由Director,在高并发场景下Director同样会成为整个集群的性能瓶颈
(4) 支持端口映射
(5) 此类型kernel默认不支持
LVS工作模式总结
lvs-nat与lvs-fullnat:请求和响应报文都经由Director
lvs-nat:RIP的网关要指向DIP
lvs-fullnat:RIP和DIP未必在同一IP网络,但要能通信
lvs-dr与lvs-tun:请求报文要经由Director,但响应报文由RS直接发往Client
lvs-dr:通过封装新的MAC首部实现,通过MAC网络转发,Director和RS要在同一物理网络
lvs-tun:通过在原IP报文外封装新IP头实现转发,支持远距离通信
2、描述LVS-DR工作原理,并配置实现。
DR模型是LVS默认工作模型,生产中应用最广泛,通过为请求报文重新封装一个MAC首部进行转发,源MAC是DIP所在的接口的MAC,目标MAC是某挑选出的RS的RIP所在接口的MAC地址;源IP/PORT,以及目标IP/PORT均保持不变
client 10.0.35.52 GW:10.0.35.16
route 10.0.35.16,192.168.10.10
LVS DIP:192.168.10.20/24 GW:192.168.10.10 VIP:192.168.10.100/32
realserver1 DIP:192.168.10.11/24 GW:192.168.10.10 VIP:192.168.10.100/32
realserver2 DIP:192.168.10.11/24 GW:192.168.10.10 VIP:192.168.10.100/32
1)配置两台realserver
RS1
在回环网卡上添加vip
ifconfig lo:1 192.168.10.100/32
在RS上修改内核参数以限制arp通告及应答级别,内核转发
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
安装httpd,并分别创建网页文件
yum -y install httpd
echo "real server 1" > /var/www/html/index.html
RS2
在回环网卡上添加vip
ifconfig lo:1 192.168.10.100/32
在RS上修改内核参数以限制arp通告及应答级别
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
安装httpd,并分别创建网页文件
yum -y install httpd
echo "real server 1" > /var/www/html/index.html
2)LVS server配置
安装ipvsadm包
yum -y install ipvsadm
添加VIP
ifconfig lo:1 192.168.10.100/32
添加lvs集群规则
ipvsadm -A -t 192.168.10.100:80 -s rr
ipvsadm -a -t 192.168.10.100:80 -r 192.168.10.11
ipvsadm -a -t 192.168.10.100:80 -r 192.168.1.12
查看规则
ipvsadm -Ln
3)客户端访问验证lvs集群服务
while true;do crul 192.168.10.100; sleep 0.5;done
3、实现LVS+Keepalived高可用
10.0.30.120 client
10.0.30.122 lvs1+keepalived-master
10.0.30.123 lvs1+keepalived-slave
10.0.30.124 realserver1
10.0.30.125 realserver2
10.0.30.130 VIP
部署前各节点配置IP,关闭防火墙,iptables,同步时间
1)配置两台realserver
RS1
在回环网卡上添加vip
ifconfig lo:1 10.0.30.130
在RS上修改内核参数以限制arp通告及应答级别
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
安装httpd,并分别创建网页文件
yum -y install httpd
echo "real server 1" > /var/www/html/index.html
RS2
在回环网卡上添加vip
ifconfig lo:1 10.0.30.130
在RS上修改内核参数以限制arp通告及应答级别
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
安装httpd,并分别创建网页文件
yum -y install httpd
echo "real server 1" > /var/www/html/index.html
2)配置keepalived和lvs
keepalived-master 主节点配置
开启内核转发功能
echo 1 > /rpoc/sus/net/ipv4/ip_forward
安装keepalive和ipvsadm
yum -y install keepalived ipvsadm httpd
配置keepalived
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from keepalived@localhost
smtp_server localhost
smtp_connect_timeout 30
router_id keepalived-master #必须唯一
}
vrrp_instance web {
state MASTER
interface ens192
virtual_router_id 51 #keepalived集群同一实例中的节点该项必须相同
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.30.130
}
}
virtual_server 10.0.30.130 80 {
delay_loop 6
lb_algo rr
lb_kind DR
#persistence_timeout 50
protocol TCP
sorry_server 127.0.0.1 80
real_server 10.0.30.124 80 {
weight 1
HTTP_GET {
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
real_server 10.0.30.125 80 {
weight 1
HTTP_GET {
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
keepalive-slave 从节点配置
开启内核转发功能
echo 1 > /rpoc/sus/net/ipv4/ip_forward
安装keepalive和ipvsadm
yum -y install keepalived ipvsadm httpd
配置keepalived
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from keepalived@localhost
smtp_server localhost
smtp_connect_timeout 30
router_id keepalived-slave #必须唯一
}
vrrp_instance web {
state BACKUP
interface ens192
virtual_router_id 51 #keepalived集群同一实例中的节点该项必须相同
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.30.130
}
}
virtual_server 10.0.30.130 80 {
delay_loop 6
lb_algo rr
lb_kind DR
#persistence_timeout 50
protocol TCP
sorry_server 127.0.0.1 80
real_server 10.0.30.124 80 {
weight 1
HTTP_GET {
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
real_server 10.0.30.125 80 {
weight 1
HTTP_GET {
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
3)lvs节点上启动httpd服务配置集群的sorry server,目的是当后端所有的realserver服务不可用时,给客户端返回自定义错误页面。
keepalived-master 主节点
echo "sorry, webserver is not available, keepalived-master!" > /var/www/html/index.html
systemctl start httpd
keepalived-master 主节点
echo "sorry, webserver is not available, keepalived-slave!" > /var/www/html/index.html
systemctl start httpd
4)验证keepalived+LVS集群
启动keepalived主从节点上的服务,并且验证keeplived的高可用性
systemctl start keepalived
查看vip绑定情况
模拟keepalived主节点服务down机vip漂移
5)验证web集群服务
查看lvs规则(当在配置文件中配置好realserver后,keepalived会根据后端realserver的监控状态自动添加或者删除lvs规则)
客户端访问验证后端web服务
while true;do curl 10.0.30.130;sleep 0.5;done
验证lvs自定义错误页面,停止所有realserver的httpd服务
查看ipvs规则
6)配置keepalived服务发生主备切换时,邮件通知
配置发送邮件的邮箱设置:
vim ~/.mailrc 或 /etc/mail.rc
set from=515505634@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=515505634@qq.com
set smtp-auth-password=gphyesscchclbhfh
set smtp-auth=login
set ssl-verify=ignore
配置keepalived调用通知脚本:
编写邮件通知脚本并添加执行权限:
vim /etc/keepalived/notify.sh
#!/bin/bash
#
contact='root@localhost'
notify() {
mailsubject="1, vip floating"
mailbody="(hostname) changed to be mailbody" | mail -s "contact
}
case (basename $0) {master|backup|fault}"
exit 1
;;
esac
在global_defs语句块最后添加如下两行,设置keepalived执行脚本的用户
script_user root
enable_script_security
在vrrp_instance web 语句块最后面加下面行,主从节点配置相同
notify_master "/etc/keepalived/notify.sh master"
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
重启主从节点keepalived服务,模拟一个节点keepalived服务故障,验证邮件通知功能
