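lvs-dr implementation:
1 Director + 2 Real Servers:
In an lvs-dr cluster, every host (the Director and each RS) must be configured with the VIP. To avoid the resulting IP address conflict, one of the following methods is normally used:
1. Statically bind the VIP-to-MAC-address mapping on the front-end router;
2. Filter ARP packets on each RS with arptables;
3. Change the relevant kernel parameters on each RS to restrict the level at which ARP announcements and replies are made;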
arp_ignore
0: default value;
1:
2:
arp_announce
0: default value;
1:
2:
Commonly chosen values for these kernel parameters:
arp_ignore = 1
arp_announce = 2
A simple lvs-dr example:
Three virtual machines
Director(CentOS 7.2A):
DIP:172.16.72.1
//on the eno16777736 network interface
VIP:172.16.72.254
//on a label of the eno16777736 network interface
Real Server1(CentOS 7.2B):
DIP:172.16.72.2
//on the eno16777736 network interface
VIP:172.16.72.254
//on a label of lo (the loopback interface)
Real Server2(CentOS 7.2C):
DIP:172.16.72.3
//on the eno16777736 network interface
VIP:172.16.72.254
//on a label of lo (the loopback interface)
1. Change the host names
Director(CentOS 7.2A)
~]# hostnamectl set-hostname drct1
Real Server1(CentOS 7.2B)
~]# hostnamectl set-hostname rs1
Real Server2(CentOS 7.2C)
~]# hostnamectl set-hostname rs2
2. On the Director (CentOS 7.2A), check the DIP and configure the VIP on the network interface that carries the DIP
~]# ifconfig
~]# ifconfig eno16777736:0 172.16.72.254 netmask 255.255.255.255 broadcast 172.16.72.254 up
3. Configure RS1 (CentOS 7.2B) and RS2 (CentOS 7.2C) with the following script;
#!/bin/bash
#
VIP=172.16.72.254
MASK=255.255.255.255
case "$1" in
setup)
    # Adjust the ARP-related kernel parameters:
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
    # Configure the VIP on a label of lo
    ifconfig lo:0 "$VIP" netmask "$MASK" broadcast "$VIP" up
    # So that response packets are encapsulated and sent out via the lo:0 label, a special static route must be added:
    route add -host "$VIP" dev lo:0
    ;;
delete)
    ifconfig lo:0 down
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
    ;;
*)
    echo "Usage: $(basename "$0") { setup | delete }"
    exit 1
    ;;
esac
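A check for the kernel parameters that the script above sets, as an added example that is not part of the original notes: it reads arp_ignore and arp_announce for all and lo and reports every value that differs from the 1 / 2 choice. PROC_ROOT and the function names are assumptions of this example; PROC_ROOT exists so the check can be pointed at a copy of the tree.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the ARP sysctls
# that an lvs-dr real server needs. PROC_ROOT is an assumption of this
# example; it defaults to the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# read_conf IFACE PARAM -> prints the current value, or "missing"
read_conf() {
    f="$PROC_ROOT/sys/net/ipv4/conf/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_rs_arp -> one FAIL line per wrong value; returns 0 only when
# arp_ignore=1 and arp_announce=2 hold for both "all" and "lo".
check_rs_arp() {
    rc=0
    for iface in all lo; do
        for pair in arp_ignore=1 arp_announce=2; do
            param=${pair%%=*}
            want=${pair#*=}
            got=$(read_conf "$iface" "$param")
            if [ "$got" != "$want" ]; then
                echo "FAIL conf/$iface/$param is $got, expected $want"
                rc=1
            fi
        done
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK arp_ignore=1 arp_announce=2 on all and lo"
    fi
    return "$rc"
}

# Run as: sh check_rs_arp.sh check
if [ "${1:-}" = "check" ]; then
    check_rs_arp
fi
```

Values written with echo into /proc are lost at reboot, so the check is worth running on each RS after every restart.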
4. On the Director (CentOS 7.2A), add the cluster RSs to the cluster service:
~]# ipvsadm -A -t 172.16.72.254:80 -s rr
~]# ipvsadm -E -t 172.16.72.254:80 -s wrr
~]# ipvsadm -a -t 172.16.72.254:80 -r 172.16.72.2 -g -w 1
~]# ipvsadm -a -t 172.16.72.254:80 -r 172.16.72.3 -g -w 2
~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.16.72.254:http rr
-> 172.16.72.2:http Route 1 0 0
-> 172.16.72.3:http Route 2 0 0
5. Test from the client (CentOS 7.2D)
~]# for i in {1..10}; do curl http://172.16.72.254 ;done
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
This is CentOS 7.2B for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
This is CentOS 7.2B for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
This is CentOS 7.2B for /var/www/html/
this is CentOS 7.2C for /var/www/html/
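Defining the cluster service by FWM (Firewall Mark):
Advantage: the cluster services for several services can be defined together;
On netfilter, a mark is attached to the packets matched by certain rules, so this has to be configured in the mangle table; because ipvs works on the INPUT chain, the packets can only be marked on netfilter's PREROUTING chain;
1. How to set the mark: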
~]# ipvsadm -C
~]# iptables -t mangle -A PREROUTING -d 172.16.72.254 -p tcp --dport 80 -j MARK --set-mark 15
or
~]# iptables -t mangle -A PREROUTING -d 172.16.72.254 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 10
2. Defining the lvs cluster: lvs-dr type:
~]# ipvsadm -A -f 15 -s wrr
~]# ipvsadm -a -f 15 -r 172.16.72.3 -g -w 3
~]# ipvsadm -a -f 15 -r 172.16.72.2 -g -w 1
~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 15 wrr
-> 172.16.72.2:0 Route 1 0 0
-> 172.16.72.3:0 Route 3 0 0
3. Test from the client (CentOS 7.2D)
~]# for i in {1..10}; do curl http://172.16.72.254 ;done
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
This is CentOS 7.2B for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
This is CentOS 7.2B for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
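lvs persistence: lvs persistent connections;
When a client establishes a connection with an RS, a persistence template is created. Based on this template, whichever scheduling algorithm is in use, requests from the same source IP address are scheduled to the same back-end RS for a period of time; only the first scheduling decision is made by the algorithm;
Persistent connections can be thought of as the SH algorithm with a time limit;
Three persistence schemes are available:
1. Per-port persistence: within a period of time, requests from the same source IP address for one specific service are forwarded to the same back-end RS;
Scheduling criterion: VIP:PORT
2. Per-client persistence: within a period of time, all requests from the same source IP address are scheduled to the same back-end RS; this is closer to an application of the SH algorithm;
Scheduling criterion: VIP:0
3. Per-firewall-mark persistence: within a period of time, all requests bound to the same FWM are scheduled to the same back-end RS;
Scheduling criterion: FWM
Persistence + firewall mark: port affinity
The most common port affinity is: 80 + 443
1. Set the firewall mark, then create the lvs cluster service based on the firewall mark and enable persistence: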
~]# iptables -t mangle -A PREROUTING -d 172.16.72.254 -p tcp --dport 80 -j MARK --set-mark 15
or
~]# iptables -t mangle -A PREROUTING -d 172.16.72.254 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 10
2. Defining the lvs cluster: lvs-dr type, adding a persistence timeout:
~]# ipvsadm -A -f 15 -s wrr
~]# ipvsadm -a -f 15 -r 172.16.72.3 -g -w 3
~]# ipvsadm -a -f 15 -r 172.16.72.2 -g -w 1
~]# ipvsadm -E -f 15 -s wrr -p 30
//30 s persistence timeout; if no value is given after -p, the default is 360 seconds
~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 15 wrr persistent 30
-> 172.16.72.2:0 Route 1 0 0
-> 172.16.72.3:0 Route 3 0 0
3. Test from the client (CentOS 7.2D)
First test:
~]# for i in {1..10}; do curl http://172.16.72.254 ;done
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
This is CentOS 7.2B for /var/www/html/
Test again after waiting for a while:
~]# for i in {1..10}; do curl http://172.16.72.254 ;done
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
this is CentOS 7.2C for /var/www/html/
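The persistence and port-affinity behaviour described above, as an added example that is not part of the original notes: a small model that replays constructed requests and shows which RS each one reaches. It is a simplification, not kernel code: a template expires once it has been unused for longer than the timeout, and the scheduler is a plain weighted round-robin ring; the function names and the request format are assumptions of this example.

```shell
#!/bin/sh
# Added example: simplified model of an FWM service with persistence.
# Not kernel code. The sample requests below are constructed.

# simulate_persist TIMEOUT "RS=WEIGHT ..."   (requests on stdin)
# Input line:  <seconds> <client-ip> <dport>
# Output line: <seconds> <client-ip> <dport> <chosen RS | unmarked>
simulate_persist() {
    awk -v timeout="$1" -v servers="$2" '
    BEGIN {
        # Expand the weights into a plain weighted round-robin ring.
        n = split(servers, s, " ")
        for (i = 1; i <= n; i++) {
            split(s[i], kv, "=")
            for (w = 0; w < kv[2]; w++) ring[slots++] = kv[1]
        }
    }
    # Same match as the multiport rule: only ports 80 and 443 get the mark.
    $3 != 80 && $3 != 443 { print $1, $2, $3, "unmarked"; next }
    {
        # One template per client and mark, so 80 and 443 share it.
        if (!($2 in rs) || $1 - last[$2] > timeout)
            rs[$2] = ring[turn++ % slots]   # the scheduler runs only here
        last[$2] = $1                       # every use refreshes the timer
        print $1, $2, $3, rs[$2]
    }'
}

# Constructed sample: one client using both ports, a second client,
# a gap longer than the timeout, and a port that is not marked.
sample_requests() {
    printf "%s\n" "0 10.0.0.5 80" "5 10.0.0.5 443" "10 10.0.0.9 80" \
                  "20 10.0.0.5 80" "60 10.0.0.5 443" "61 10.0.0.5 22"
}

sample_requests | simulate_persist 30 "172.16.72.2=1 172.16.72.3=3"
```

Of the two marking rules listed above, only the `--set-mark 10` multiport rule covers both ports, so for 443 to share the template with 80 the service has to be created with `-f 10`.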