
Building an LVS-DR load-balancing cluster and a Keepalived-LVS high-availability load-balancing cluster

Setting up LVS in DR mode

Preparation

Three machines, each with a public IP.

  • Director (director)
    IP: 192.168.8.133
  • Real server 1 (real1)
    IP: 192.168.8.134
  • Real server 2 (real2)
    IP: 192.168.8.135
  • VIP: 192.168.8.100

Setup

Configure the director

[[email protected] ~]# vim /usr/local/sbin/lvs_dr.sh
#! /bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable IP forwarding
ipv=/usr/sbin/ipvsadm
vip=192.168.8.100
rs1=192.168.8.134
rs2=192.168.8.135
# note the interface name used here
ifdown ens33
ifup ens33
# the interface is restarted so that the IP configured below is not added twice
ifconfig ens33:2 $vip broadcast $vip netmask 255.255.255.255 up
# bind the VIP to the director's virtual interface ens33:2
route add -host $vip dev ens33:2
# add a host route for the VIP
$ipv -C
$ipv -A -t $vip:80 -s wrr
$ipv -a -t $vip:80 -r $rs1:80 -g -w 1
$ipv -a -t $vip:80 -r $rs2:80 -g -w 1
# set the ipvsadm rules; -g = gateway, i.e. direct routing (DR mode)

[[email protected] ~]# sh /usr/local/sbin/lvs_dr.sh
成功斷開裝置 'ens33'。
成功啟用的連線(D-Bus 啟用路徑:/org/freedesktop/NetworkManager/ActiveConnection/2)
[[email protected] ~]# ip add
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:be:0e:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.133/24 brd 192.168.8.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 brd 192.168.8.100 scope global ens33:2
       valid_lft forever preferred_lft forever
    inet6 fe80::592f:39cc:1b50:1d07/64 scope link
       valid_lft forever preferred_lft forever

Note: the VIP is bound to the ens33 interface.

Configure the real servers

Put the following script on both real1 and real2:

[[email protected] ~]# vim /usr/local/sbin/lvs_rs.sh
#!/bin/bash
vip=192.168.8.100
# bind the VIP on lo so that the real server returns its responses directly to the client
ifdown lo
ifup lo
ifconfig lo:0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip lo:0
# the following changes the ARP kernel parameters so that the VIP on this real server
# does not answer or announce ARP and replies to the client are delivered correctly
# reference: www.cnblogs.com/lgfeng/archive/2012/10/16/2726308.html
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce

[[email protected] ~]# sh /usr/local/sbin/lvs_rs.sh

[[email protected] ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.2     0.0.0.0         UG    100    0        0 ens33
192.168.8.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33
192.168.8.100   0.0.0.0         255.255.255.255 UH    0      0        0 lo

[[email protected] ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 brd 192.168.8.100 scope global lo:0
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

Note: the VIP is bound to lo.

Testing

Open the VIP 192.168.8.100 in a browser and refresh the page; the responses alternate between real1 and real2.

About arp_ignore and arp_announce

arp_ignore:

arp_ignore - INTEGER
	Define different modes for sending replies in response to
	received ARP requests that resolve local target IP addresses:
	0 - (default): reply for any local target IP address, configured
	on any interface
	1 - reply only if the target IP address is local address
	configured on the incoming interface
	2 - reply only if the target IP address is local address
	configured on the incoming interface and both with the
	sender's IP address are part from same subnet on this interface
	3 - do not reply for local addresses configured with scope host,
	only resolutions for global and link addresses are replied
	4-7 - reserved
	8 - do not reply for all local addresses

	The max value from conf/{all,interface}/arp_ignore is used
	when ARP request is received on the {interface}

The above is taken from the official kernel documentation.

Translation:
arp_ignore: defines different reply modes for ARP requests whose target address is a local IP.

  • 0 - (default): reply to ARP requests for any local IP address on any network interface
  • 1 - reply only if the target IP address is a local address configured on the incoming interface
  • 2 - reply only if the target IP address is a local address configured on the incoming interface and the sender's IP is within that interface's subnet
  • 3 - do not reply for local addresses configured with scope host; only reply for global and link addresses
  • 4-7 - reserved, unused
  • 8 - do not reply to ARP requests for any local address

arp_announce:

arp_announce - INTEGER
	Define different restriction levels for announcing the local
	source IP address from IP packets in ARP requests sent on
	interface:
	0 - (default) Use any local address, configured on any interface
	1 - Try to avoid local addresses that are not in the target's
	subnet for this interface. This mode is useful when target
	hosts reachable via this interface require the source IP
	address in ARP requests to be part of their logical network
	configured on the receiving interface. When we generate the
	request we will check all our subnets that include the
	target IP and will preserve the source address if it is from
	such subnet. If there is no such subnet we select source
	address according to the rules for level 2.
	2 - Always use the best local address for this target.
	In this mode we ignore the source address in the IP packet
	and try to select local address that we prefer for talks with
	the target host. Such local address is selected by looking
	for primary IP addresses on all our subnets on the outgoing
	interface that include the target IP address. If no suitable
	local address is found we select the first local address
	we have on the outgoing interface or on all other interfaces,
	with the hope we will receive reply for our request and
	even sometimes no matter the source IP address we announce.

	The max value from conf/{all,interface}/arp_announce is used.

	Increasing the restriction level gives more chance for
	receiving answer from the resolved target while decreasing
	the level announces more valid sender's information.

The above is taken from the official kernel documentation.

Translation:
arp_announce: defines restriction levels on which local source IP address is announced in ARP requests sent from a network interface:

  • 0 - (default) use any local address configured on any interface (eth0, eth1, lo)
  • 1 - try to avoid local addresses that are not in the target's subnet for this interface. This is useful when the target hosts reached via this interface require the source IP in the ARP request to be part of their logical network. When generating the request, all subnets on this interface that include the target IP are checked and the source address is kept if it belongs to one of them; if there is no such subnet, the level 2 rules are used.
  • 2 - always use the best local address for the target. In this mode the source address of the IP packet is ignored and a local address preferred for talking to the target host is chosen, by looking for primary IP addresses on all subnets of the outgoing interface that include the target IP. If no suitable address is found, the first local address on the outgoing interface or on any other interface is used, in the hope of receiving a reply.

Supplement:

Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2, unfortunately, the target node's mac address is not resolved. The linux box X will send the ARP request to know the mac address of the target (or the gateway). In this case what is the IP source address of the "ARP request message"? The IP0 - the IP source address of the transmitting IP or IP2 - the outgoing interface? Until now (actually just 3 hours before) ARP request uses the IP address assigned to the outgoing interface (IP2 in the above example). However the linux's behavior is a little bit different. Actually the selection of source address in ARP request is totally configurable by the proc variable "arp_announce".

If we want to use the IP2 not the IP0 in the ARP request, we should change the value to 1 or 2.

The default value is 0 - allow IP0 is used for ARP request.

Translation:
Suppose a Linux machine has three NICs, eth0, eth1 and eth2, each with its own IP address, IP0, IP1 and IP2. When a local application sends a packet with source IP0 out through eth2 and the target node's MAC address is not yet resolved, the Linux machine sends an ARP request to learn the MAC address of the target (or the gateway). Which address is then the source IP of that ARP request: IP0, the source of the IP packet, or IP2, the address of the outgoing interface? Until now it was assumed that ARP requests use the IP address assigned to the outgoing interface (IP2), but Linux behaves a little differently: the source IP in the ARP request is entirely determined by the variable arp_announce. If we want the ARP request to use IP2 rather than IP0, we have to set the variable to 1 or 2. The default value 0 allows IP0 to be used in the ARP request.

This is really a router problem. A router usually learns ARP entries dynamically (typically when DHCP is used). When an internal machine wants to send an IP packet to the outside, it asks for the router's MAC address by sending an ARP request that contains its own IP and MAC address. By default Linux uses the source IP of the IP packet as the source IP in that ARP request, rather than the address of the sending device. In an LVS setup every outgoing packet carries the same VIP as its source, so the ARP request would contain the VIP together with the real server's MAC; the router would update its ARP cache on receiving it, which amounts to IP spoofing: the VIP is hijacked and traffic breaks.

Why and when is the ARP cache updated? To reduce the number of ARP requests, when a host receives an ARP request asking for its own address it stores the source IP and source MAC in its ARP table for subsequent communication. Requests that are not asking for its own address (ARP is broadcast, so everyone receives them) are dropped, so that the ARP table does not fill up with useless entries that would push out useful ones.

Setting arp_ignore to 1 means that when someone else's ARP request arrives, the host does not respond unless the receiving device itself carries that IP. The default is 0: as long as any device on the machine has that IP, the host answers the ARP request and sends its MAC address.
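As an added check that is not part of the original post, the following shell functions verify that a real server actually has the ARP suppression that lvs_rs.sh sets, applying the max(conf/all, conf/interface) rule quoted from the kernel documentation above. PROCROOT is an assumed override so the functions can be exercised against a constructed directory tree rather than the live /proc.

```shell
#!/bin/bash
# Verify that a real server suppresses ARP for the VIP, as LVS-DR requires.
# PROCROOT is an assumed override so the check can be run against a
# constructed directory tree instead of the live /proc.
PROCROOT="${PROCROOT:-/proc/sys/net/ipv4/conf}"

# read_param IFACE NAME: print the sysctl value, or 0 if the file is absent
read_param() {
    local f="$PROCROOT/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# effective IFACE NAME: the kernel uses max(conf/all/NAME, conf/IFACE/NAME)
effective() {
    local a b
    a=$(read_param all "$2")
    b=$(read_param "$1" "$2")
    if [ "$a" -gt "$b" ]; then echo "$a"; else echo "$b"; fi
}

# check_rs_arp IFACE: return 0 when arp_ignore>=1 and arp_announce>=2 are in
# effect, i.e. the interface neither answers ARP for the VIP nor announces it
check_rs_arp() {
    local ign ann
    ign=$(effective "$1" arp_ignore)
    ann=$(effective "$1" arp_announce)
    if [ "$ign" -ge 1 ] && [ "$ann" -ge 2 ]; then
        echo "OK: $1 arp_ignore=$ign arp_announce=$ann"
        return 0
    fi
    echo "WARN: $1 arp_ignore=$ign arp_announce=$ann (VIP on $1 may answer or announce ARP)"
    return 1
}

# check_all IFACE...: run the check on every interface through which the VIP
# could be reached; return 1 if any of them fails
check_all() {
    local dev rc=0
    for dev in "$@"; do check_rs_arp "$dev" || rc=1; done
    return $rc
}
```

On a real server run `check_all lo ens33`; a WARN on any interface means the settings from lvs_rs.sh are not in effect (for example after a reboot, since the script does not persist them).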

Keepalived LVS

A complete architecture needs two servers in the director role, each with Keepalived installed, to achieve high availability. Keepalived itself also provides load balancing, so for this exercise a single Keepalived host is enough. Keepalived has the ipvsadm functionality built in, so there is no need to install the ipvsadm package or to write and run the lvs_dr script.

Preparation

Three machines:

  • Director (director):
    IP: 192.168.8.133; Keepalived installed
  • Real server (real1):
    IP: 192.168.8.134
  • Real server (real2):
    IP: 192.168.8.135
  • VIP: 192.168.8.100

Setup

Configure the director

[[email protected] sbin]# yum install -y keepalived

Custom Keepalived configuration file:
[[email protected] ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    # BACKUP on the standby server
    state MASTER
    # the interface the VIP is bound to is ens33; yours may differ from Aming's, so adjust it
    interface ens33
    virtual_router_id 51
    # 90 on the standby server
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.8.100
    }
}
virtual_server 192.168.8.100 80 {
    # (check the real servers' state every 10 seconds)
    delay_loop 10
    # (LVS scheduling algorithm)
    lb_algo wlc
    # (forwarding method: DR mode)
    lb_kind DR
    # (connections from the same IP go to the same real server for this many seconds, e.g. 60; 0 disables persistence)
    persistence_timeout 0
    # (check the real servers' state over TCP)
    protocol TCP
    real_server 192.168.8.134 80 {
        # (weight)
        weight 100
        TCP_CHECK {
            # (time out after 10 seconds without a response)
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 192.168.8.135 80 {
        weight 100
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}

Start the Keepalived service:
[[email protected] ~]# systemctl start keepalived

View the interface information:
[[email protected] ~]# ip add
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:be:0e:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.133/24 brd 192.168.8.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::592f:39cc:1b50:1d07/64 scope link 
       valid_lft forever preferred_lft forever
# the virtual IP (VIP) is on the ens33 interface

View the ipvsadm rules:
[[email protected] ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.8.100:80 wlc
  -> 192.168.8.134:80             Route   100    0          0         
  -> 192.168.8.135:80             Route   100    0          0         

Configure the real servers

Configure the routing script:
[[email protected] ~]# vim /usr/local/sbin/lvs_rs.sh
#!/bin/bash
vip=192.168.8.100
# bind the VIP on lo so that the real server returns its responses directly to the client
ifconfig lo:0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip lo:0
# the following changes the ARP kernel parameters so that the VIP on this real server
# does not answer or announce ARP and replies to the client are delivered correctly
# reference: www.cnblogs.com/lgfeng/archive/2012/10/16/2726308.html
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce

[[email protected] ~]# sh /usr/local/sbin/lvs_rs.sh

Configuration complete!

Testing

Open the VIP 192.168.8.100 in a browser and refresh the page; the responses alternate between real1 and real2.

What Keepalived + LVS provides

  • Keepalived provides high availability, so that the service does not collapse when the LVS director goes down.
  • With LVS alone, when a real server goes down the director keeps sending requests to it; with Keepalived added, the failed real server is automatically removed from the rs list.
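An added example, not from the original post: shell functions that parse `ipvsadm -ln` output in the format shown above and raise an alert when an expected real server is absent from the table or has weight 0, so that Keepalived quietly removing a failed backend does not go unnoticed. The SAMPLE table is constructed for the example.

```shell
#!/bin/bash
# Detect real servers that have dropped out of the LVS table.
# Keepalived removes a backend whose TCP_CHECK fails; this check turns that
# silent removal into an alert by comparing the live table with the expected set.

# rs_in_table VIP:PORT IPVSADM_OUTPUT: print "addr:port weight" for each real
# server listed under the given virtual service in `ipvsadm -ln` output
rs_in_table() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        $1 == "TCP" || $1 == "UDP" { cur = $2; next }
        $1 == "->" && cur == svc   { print $2, $4 }'
}

# missing_rs VIP:PORT IPVSADM_OUTPUT EXPECTED...: print an ALERT line for every
# expected backend that is absent from the table or has weight 0; return 1 if any
missing_rs() {
    local svc="$1" out="$2" rc=0 rs w
    shift 2
    for rs in "$@"; do
        w=$(rs_in_table "$svc" "$out" | awk -v r="$rs" '$1 == r { print $2 }')
        if [ -z "$w" ] || [ "$w" = 0 ]; then
            echo "ALERT: $rs not serving $svc (weight=${w:-absent})"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the table after real2 (192.168.8.135) failed its health
# check and Keepalived removed it; on a live director pass "$(ipvsadm -ln)" instead
SAMPLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.8.100:80 wlc
  -> 192.168.8.134:80             Route   100    0          0'
```

Run `missing_rs 192.168.8.100:80 "$(ipvsadm -ln)" 192.168.8.134:80 192.168.8.135:80` from cron on the director; a non-zero exit means a backend is out of rotation and should be investigated.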
Further reading
haproxy + keepalived http://blog.csdn.net/xrt95050/article/details/40926255
Comparison of nginx, lvs and haproxy http://www.csdn.net/article/2014-07-24/2820837
Custom scripts in keepalived (vrrp_script) http://my.oschina.net/hncscwc/blog/158746
How to run LVS DR mode with only one public IP http://storysky.blog.51cto.com/628458/338726