搭建LVS-DR负载均衡集群、Keepalived-LVS高可用负载均衡集群
博客专区 > 阿dai 的博客 > 博客详情
搭建LVS-DR负载均衡集群、Keepalived-LVS高可用负载均衡集群
阿dai 发表于2个月前
搭建LVS-DR负载均衡集群、Keepalived-LVS高可用负载均衡集群
  • 发表于 2个月前
  • 阅读 34
  • 收藏 0
  • 点赞 0
  • 评论 0

腾讯云 学生专属云服务套餐 10元起购>>>   

18.21 LVS DR模式搭建

准备工作

三台机器, 三台机器均有公网IP。

  • 调度器(director)
    IP:192.168.8.133
  • real server1(real1)
    IP:192.168.8.134
  • real server2(real2)
    IP:192.168.8.135
  • VIP:192.168.8.100

开始搭建

配置director

[root@director ~]# vim /usr/local/sbin/lvs_dr.sh
#! /bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
#开启端口转发
ipv=/usr/sbin/ipvsadm
vip=192.168.8.100
rs1=192.168.8.134
rs2=192.168.8.135
#注意这里的网卡名字
ifdown ens33
ifup ens33
#在此重启网卡的目的是避免重复设置命令行提供的IP
ifconfig ens33:2 $vip broadcast $vip netmask 255.255.255.255 up
#绑定VIP到dir的虚拟网卡ens33:2
route add -host $vip dev ens33:2
#添加网关
$ipv -C
$ipv -A -t $vip:80 -s wrr
$ipv -a -t $vip:80 -r $rs1:80 -g -w 1
$ipv -a -t $vip:80 -r $rs2:80 -g -w 1
#设置ipvsadm规则,-g=gateway:使用默认网关(DR模式)

[root@director ~]# sh /usr/local/sbin/lvs_dr.sh
成功断开设备 'ens33'。
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/2)

[root@director ~]# ip add
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:be:0e:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.133/24 brd 192.168.8.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 brd 192.168.8.100 scope global ens33:2
       valid_lft forever preferred_lft forever
    inet6 fe80::592f:39cc:1b50:1d07/64 scope link 
       valid_lft forever preferred_lft forever

注: VIP绑定到了ens33网卡上。

配置real server

分别在real1、real2配置下面的脚本:

[root@real1 ~]# vim /usr/local/sbin/lvs_rs.sh
#/bin/bash
vip=192.168.8.100
#把vip绑定在lo上,是为了实现rs直接把结果返回给客户端
ifdown lo
ifup lo
ifconfig lo:0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip lo:0
#以下操作为更改arp内核参数,目的是为了让rs顺利发送mac地址给客户端
#参考文档www.cnblogs.com/lgfeng/archive/2012/10/16/2726308.html
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce

[root@real1 ~]# sh /usr/local/sbin/lvs_rs.sh

[root@real1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.2     0.0.0.0         UG    100    0        0 ens33
192.168.8.0     0.0.0.0         255.255.255.0   U     100    0        0 ens33
192.168.8.100   0.0.0.0         255.255.255.255 UH    0      0        0 lo

[root@real1 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 brd 192.168.8.100 scope global lo:0
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

注: VIP绑定到了lo上。

测试

在浏览器访问VIP:192.168.8.100,刷新网页,访问结果由real1、real2交替回复。

关于arp_ignore & arp_announce

arp_ignore:

arp_ignore - INTEGER
	Define different modes for sending replies in response to
	received ARP requests that resolve local target IP addresses:
	0 - (default): reply for any local target IP address, configured
	on any interface
	1 - reply only if the target IP address is local address
	configured on the incoming interface
	2 - reply only if the target IP address is local address
	configured on the incoming interface and both with the
	sender's IP address are part from same subnet on this interface
	3 - do not reply for local addresses configured with scope host,
	only resolutions for global and link addresses are replied
	4-7 - reserved
	8 - do not reply for all local addresses

	The max value from conf/{all,interface}/arp_ignore is used
	when ARP request is received on the {interface}

以上内容来自官方网站。

译:
arp_ignore:定义对目标地址为本地IP的ARP询问不同的应答模式。

  • 0 - (默认值): 回应任何网络接口上对任何本地IP地址的arp查询请求
  • 1 - 只回答目标IP地址是来访网络接口本地地址的ARP查询请求
  • 2 -只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内
  • 3 - 不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应
  • 4-7 - 保留未使用
  • 8 -不回应所有(本地地址)的arp查询

arp_announce:

arp_announce - INTEGER
	Define different restriction levels for announcing the local
	source IP address from IP packets in ARP requests sent on
	interface:
	0 - (default) Use any local address, configured on any interface
	1 - Try to avoid local addresses that are not in the target's
	subnet for this interface. This mode is useful when target
	hosts reachable via this interface require the source IP
	address in ARP requests to be part of their logical network
	configured on the receiving interface. When we generate the
	request we will check all our subnets that include the
	target IP and will preserve the source address if it is from
	such subnet. If there is no such subnet we select source
	address according to the rules for level 2.
	2 - Always use the best local address for this target.
	In this mode we ignore the source address in the IP packet
	and try to select local address that we prefer for talks with
	the target host. Such local address is selected by looking
	for primary IP addresses on all our subnets on the outgoing
	interface that include the target IP address. If no suitable
	local address is found we select the first local address
	we have on the outgoing interface or on all other interfaces,
	with the hope we will receive reply for our request and
	even sometimes no matter the source IP address we announce.

	The max value from conf/{all,interface}/arp_announce is used.

	Increasing the restriction level gives more chance for
	receiving answer from the resolved target while decreasing
	the level announces more valid sender's information.

以上内容来自官方网站。

译:
arp_announce:对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制:确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口。

  • 0 - (默认) 配置在任意接口的(eth0,eth1,lo)任何本地地址
  • 1 -尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一.如果改来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理.
  • 2 - 对查询目标使用最适当的本地地址.在此模式下将忽略这个IP数据包的源地址并尝试选择与能与该地址通信的本地地址.首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址. 如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送.

补充:

Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, 

IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2.  Unfortunately, 

the target node’s mac address is not resolved. Thelinux box X will send the ARP request to know 

the mac address of the target(or the gateway). In this case what is the IP source address of the 

“ARP request message”? The IP0- the IP source address of the transmitting IP or IP2 - the outgoing

 interface?  Until now(actually just 3 hours before) ARP request uses the IP address assigned to 

the outgoing interface(IP2 in the above example) However the linux’s behavior is a little bit 

different. Actually the selection of source address in ARP request is totally configurable 

bythe proc variable “arp_announce”  

If we want to use the IP2 not the IP0 in the ARP request, we should change the value to 1 or 2. 

The default value is 0 - allow IP0 is used for ARP request.  

译:
假设一台Linux机器有三个网卡——eth0, eth1 and eth2。每个网卡对应一个IP地址——IP0,IP1 and IP2。 当本地应用通过eth2发送一个对IP0的请求时,目标节点Mac无法解析该请求,Linux机器将把该arp请求转发到能解析其Mac地址的网卡。这样一来,哪个才是这个arp请求信息的源IP呢?是传递源IP的IP0还是内网发出的IP2呢?到目前为止,ARP请求一直使用分配到输出接口的IP地址(IP2)仍然和Linux内网IP有点不同。其实arp请求中的源IP的配置完全取决于变量“arp_announce”。如果我们想在arp请求中使用IP2而不是IP0,需要我们把该变量的值由1改成2。默认值0的含义是允许arp请求使用IP0。

其实就是路由器的问题,因为路由器一般是动态学习ARP包的(一般动态配置DHCP的话),当内网的机器要发送一个到外部的ip包,那么它就会请求 路由器的Mac地址,发送一个arp请求,这个arp请求里面包括了自己的ip地址和Mac地址,而linux默认是使用ip的源ip地址作为arp里面 的源ip地址,而不是使用发送设备上面的 ,这样在lvs这样的架构下,所有发送包都是同一个VIP地址,那么arp请求就会包括VIP地址和设备 Mac,而路由器收到这个arp请求就会更新自己的arp缓存,这样就会造成ip欺骗了,VIP被抢夺,所以就会有问题。

arp缓存为什么会更新了,什么时候会更新呢,为了减少arp请求的次数,当主机接收到询问自己的arp请求的时候,就会把源ip和源Mac放入自 己的arp表里面,方便接下来的通讯。如果收到不是询问自己的包(arp是广播的,所有人都收到),就会丢掉,这样不会造成arp表里面无用数据太多导致 有用的记录被删除。

在设置参数的时候将arp_ignore 设置为1,意味着当别人的arp请求过来的时候,如果接收的设备上面没有这个ip,就不做出响应,默认是0,只要这台机器上面任何一个设备上面有这个ip,就响应arp请求,并发送mac地址。

18.22 Keepalived LVS

完整的架构需要两台服务器(角色为dir),分别安装Keepalived工具,目的是实现高可用,但Keepalived本身也有负载均衡功能,所以本次使用可以只安装一台Keepalived。Keepalived内置了ipvsadm的功能,所以不需要安装ipvsadm包,也不用编写和执行lvs_dr脚本。

准备工作

三台机器:

  • 调度器director:
    IP:192.168.8.133;安装Keepalived
  • real server(real1):
    IP:192.168.8.134
  • real server(real2):
    IP:192.168.8.135
  • VIP:192.168.8.100

开始搭建

配置director

[root@director sbin]# yum install -y keepalived

自定义Keepalived配置文件:
[root@director ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    #备用服务器上为 BACKUP
    state MASTER
    #绑定vip的网卡为ens33,你的网卡和阿铭的可能不一样,这里需要你改一下
    interface ens33
    virtual_router_id 51
    #备用服务器上为90
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.8.100
    }
}
virtual_server 192.168.8.100 80 {
    #(每隔10秒查询realserver状态)
    delay_loop 10
    #(lvs 算法) 
    lb_algo wlc 
    #算法(DR模式)
    lb_kind DR
    #(同一IP的连接60秒内被分配到同一台realserver)
    persistence_timeout 0 
    #(用TCP协议检查realserver状态)
    protocol TCP 
    real_server 192.168.8.134 80 {
        #(权重) 
        weight 100
        TCP_CHECK {
        #(10秒无响应超时)
        connect_timeout 10
        nb_get_retry 3
        delay_before_retry 3
        connect_port 80
        }
    }   
    real_server 192.168.8.135 80 {
        weight 100
        TCP_CHECK {
        connect_timeout 10
        nb_get_retry 3
        delay_before_retry 3
        connect_port 80
        }
     }  
}    

启动Keepalived服务:
[root@director ~]# systemctl start keepalived

查看网卡信息:
[root@director ~]# ip add
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:be:0e:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.133/24 brd 192.168.8.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.8.100/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::592f:39cc:1b50:1d07/64 scope link 
       valid_lft forever preferred_lft forever
#虚拟IP(VIP)在ens33网卡上

查看ipvsadm规则:
[root@director ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.8.100:80 wlc
  -> 192.168.8.134:80             Route   100    0          0         
  -> 192.168.8.135:80             Route   100    0          0         

配置real server

配置路由转发脚本:
[root@real2 ~]# vim /usr/local/sbin/lvs_rs.sh
#/bin/bash
vip=192.168.8.100
#把vip绑定在lo上,是为了实现rs直接把结果返回给客户端
ifconfig lo:0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip lo:0
#以下操作为更改arp内核参数,目的是为了让rs顺利发送mac地址给客户端
#参考文档www.cnblogs.com/lgfeng/archive/2012/10/16/2726308.html
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce


[root@real2 ~]# sh /usr/local/sbin/lvs_rs.sh

配置完成!

测试

在浏览器访问VIP:192.168.8.100,刷新网页,访问结果由real1、real2交替回复。

Keepalived+LVS作用

  • Keepalived搭建高可用保证LVS中director宕机后服务器不瘫痪
  • 如果只使用LVS,那么当LVS架构中某个real server宕机后,director仍然会继续向其发送请求,添加Keepalived后会自动将宕机的real server清除出rs列表。
共有 人打赏支持
粉丝 37
博文 156
码字总数 224524
×
阿dai
如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!
* 金额(元)
¥1 ¥5 ¥10 ¥20 其他金额
打赏人
留言
* 支付类型
微信扫码支付
打赏金额:
已支付成功
打赏金额: