1、ipvsadm命令工具
在配置实现lvs-nat和lvs-dr模型之前,我们先来学习ipvsadmin命令工具。ipvsadm命令工具是Lvs在应用层的管理命令,我们可以通过此命令工具来管理lvs的配置。
- ipvsadm的用法
ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]] [-M netmask] [--pe persistence_engine] [-b sched-flags]
ipvsadm -D -t|u|f service-address
ipvsadm -C
ipvsadm -R
ipvsadm -S [-n]
ipvsadm -a|e -t|u|f service-address -r server-address [options]
ipvsadm -d -t|u|f service-address -r server-address
ipvsadm -L|l [options]
ipvsadm -Z [-t|u|f service-address]
其中相关命令选项的解释为:
-A,--add-service:添加一个虚拟服务,即添加一个需要被负载均衡的虚拟地址。
-E,--edit-service:修改一个虚拟服务;
-D,--delete-service:删除一个虚拟服务;
-C,--clear:清楚所有虚拟服务;
-R,--restore:从标准输入中获取ipvsadm规则进行恢复;
-S,--save:从标准输出中输出ipvsadm规则,能将规则保存到指定文件,在以后通过-R恢复。
-a,--add-server:为虚拟服务添加一个real server;
-e,--edit-server:修改real server的配置;
-d,--delete-server:删除real server;
-L,-l,--list:列出ipvsadm配置的所有虚拟服务,可结合-c显示连接表;
-Z,--zero:将虚拟服务的相关数据记录清零;
以下参数可跟在命令选项后使用:
-t,--tcp-service service-address:指定虚拟服务为tcp服务,service-address是host[:port]的形式,端口为0时表示任意端口,但需要加上-p选项才能使用;
-u,--udp-service service-address:指定虚拟服务的udp服务;
-f,--fwmark-service integer:指定firewall mark标记的不同的地址和端口的虚拟地址整合为一个虚拟服务。firewall mark可以通过iptables命令指定;
-s,--scheduler scheduling-method:指定调度算法,调度算法包括:rr,wrr,lc,wlc,lbcl,lblcr,dh,sh,sed,nq;
-p,--persistent [timeout]:设置持久连接,这个模式可以使得来自同一个Ip的多个请求被送往同一个RS中;
-r,--real-server server-address:为虚拟服务指定数据可以转发到的真实服务器的地址,可添加端口号,若没指定端口号,则调用虚拟地址的端口号;
-g,--gatewaying:dr模式,指定lvs的工作模式,此模式为默认模式;
-i,--ipip:使用tun模式;
-m,--masquerading:使用NAT模式;
-w,--weight weight:设置权重,范围为0-65535,0表示该RS不会受到新的连接;
-x, --u-threshold uthreshold:设置一个服务器可以维持的连接上限。0~65535。设置为0表示没有上限。
-y, --l-threshold lthreshold:设置一个服务器的连接下限。当服务器的连接数低于此值的时候服务器才可以重新接收连接。如果此值未设置,则当服务器的连接数连续三次低于uthreshold时服务器才可以接收到新的连接。
以下参数可用是显示服务的状态信息:
-c, --connection:列出当前的IPVS连接。
--timeout:列出超时
--stats:状态信息
--rate:传输速率
--thresholds:列出阈值
--persistent-conn:坚持连接
--sor:把列表排序。
--nosort:不排序
-n, --numeric:不对ip地址进行dns查询
--exact:单位
2、ipvsadm使用实例:lvs-nat和lvs-dr集群的实现
- nat
按照上图部署lvs-nat集群,系统为Centos 7.4,假设VIP为192.168.0.99,DIP为10.10.10.254,RIP为10.10.10.11和10.10.10.12,在RS1和RS2 上部署httpd服务,监听8080端口;在Director上启动lvs虚拟服务,使用client 访问192.168.0.99:80的连接请求能够负载到RS1和RS2上。
1、配置RS1
在RS1上安装httpd服务:
[root@rs1 ~]# yum install -y httpd mod_ssl
修改接口Ip为指定RIP:
#设置指定的RIP
[root@rs1 ~]# ifconfig ens33 10.10.10.11/24 up
#指定网关地址为DIP
[root@rs1 ~]# route add default gw 10.10.10.254
编辑生成httpd服务的index页面:
[root@rs1 ~]# vim /var/www/html/index.html
This is RS1 10.10.10.11
修改httpd服务配置文件,监听8080端口:
[root@rs1 ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080
启动httpd服务:
[root@rs1 ~]# systemctl start httpd
编辑iptables放开8080端口:
[root@rs1 ~]# iptables -I INPUT -d 10.10.10.11 -p tcp --dport 8080 -j ACCEPT
[root@rs1 ~]# iptables -I OUTPUT -s 10.10.10.11 -p tcp --sport 8080 -j ACCEPT
2、配置RS2
配置步骤类似于RS1,此处不再重复
3、配置Director
首先安装ipvsadm工具:
[root@director ~]# yum install -y ipvsadm
......
已安装:
ipvsadm.x86_64 0:1.27-7.el7
完毕!
然后在Director上启动双网卡,在其中一个接口上配置上VIP地址,另一个接口配置为内网互联的DIP:
#配置子接口IP为VIP
[root@director ~]# ifconfig eno16777736:0 192.168.0.99/24 up
[root@director ~]# ifconfig eno33554984 10.10.10.254/24 up
[root@director ~]# ifconfig
eno16777736: flags=4163 mtu 1500
inet 192.168.0.81 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fe21:59b9 prefixlen 64 scopeid 0x20
ether 00:0c:29:21:59:b9 txqueuelen 1000 (Ethernet)
RX packets 6433 bytes 8332396 (7.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1544 bytes 144496 (141.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736:0: flags=4163 mtu 1500
inet 192.168.0.99 netmask 255.255.255.0 broadcast 192.168.0.255
ether 00:0c:29:21:59:b9 txqueuelen 1000 (Ethernet)
eno33554984: flags=4163 mtu 1500
inet 10.10.10.254 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::20c:29ff:fe21:59c3 prefixlen 64 scopeid 0x20
ether 00:0c:29:21:59:c3 txqueuelen 1000 (Ethernet)
RX packets 104 bytes 8225 (8.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 68 bytes 8642 (8.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
在Director上开启路由转发功能:
[root@director ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
使用ipvsadm命令工具配置lvs虚拟服务:
#指定lvs虚拟服务
[root@director ~]# ipvsadm -A -t 192.168.0.99:80 -s rr
#指定lvs虚拟服务对应的Real server
[root@director ~]# ipvsadm -a -t 192.168.0.99:80 -r 10.10.10.11:8080 -m
[root@director ~]# ipvsadm -a -t 192.168.0.99:80 -r 10.10.10.12:8080 -m
[root@director ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.99:80 rr
-> 10.10.10.11:8080 Masq 1 0 0
-> 10.10.10.12:8080 Masq 1 0 0
在client测试访问:
[root@localhost ~]# for i in {1..20}; do curl http://192.168.0.99;done
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
#能正常转发轮询到给定的Real server
此时查看Director 的ipvsadm的状态:
[root@director ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.99:80 rr
#因为使用的调度算法为rr轮询,因此两个RS负载的连接数接近一比一
-> 10.10.10.11:8080 Masq 1 0 10
-> 10.10.10.12:8080 Masq 1 0 11
更改Director的调度算法为加权wrr测试:
[root@director ~]# ipvsadm -E -t 192.168.0.99:80 -s wrr
[root@director ~]# ipvsadm -e -t 192.168.0.99:80 -r 10.10.10.11:8080 -m -w 5
[root@director ~]# ipvsadm -e -t 192.168.0.99:80 -r 10.10.10.12:8080 -m -w 10
[root@director ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.99:80 wrr
-> 10.10.10.11:8080 Masq 5 0 0
-> 10.10.10.12:8080 Masq 10 0 0
在client端的测试结果:
[root@localhost ~]# for i in {1..15}; do curl http://192.168.0.99;done
This is RS2 10.10.10.12
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS2 10.10.10.12
This is RS1 10.10.10.11
This is RS2 10.10.10.12
This is RS2 10.10.10.12
This is RS1 10.10.10.11
#负载访问的比例为1:2
- dr
在此拓扑基础上,实现vip与dip、rip在同一个网段的lvs-dr集群,要求client能正常访问vip相关的lvs虚拟服务。
1、配置Director
首先安装ipvsadm工具:
[root@director ~]# yum install -y ipvsadm
配置虚拟IP:
[root@director ~]# ifconfig eno16777736:0 192.168.0.99 netmask 255.255.255.255 broadcast 192.168.0.99 up
配置lvs虚拟服务:
[root@director ~]# ipvsadm -A -t 192.168.0.99:80 -s rr
[root@director ~]# ipvsadm -a -t 192.168.0.99:80 -r 192.168.0.83:80 -g
[root@director ~]# ipvsadm -a -t 192.168.0.99:80 -r 192.168.0.84:80 -g
[root@director~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.99:80 rr
-> 192.168.0.83:80 Route 1 0 0
-> 192.168.0.84:80 Route 1 0 0
关闭iptables:
[root@director ~]# systemctl stop firewalld
2、配置RS1
在RS1上安装httpd服务:
[root@rs1 ~]# yum install -y httpd mod_ssl
在本地环回接口上配置VIP并指定路由:
[root@rs1 ~]# ifconfig lo:0 192.168.0.99 netmask 255.255.255.255 broadcast 192.168.0.99
[root@rs1 ~]# route add 192.168.0.99 dev lo:0
修改内核参数,限制ARP响应:
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
编辑生成httpd服务的index页面:
[root@rs1 ~]# vim /var/www/html/index.html
This is RS1 192.168.0.83
启动httpd服务:
[root@rs1 ~]# systemctl start httpd
关闭iptables
[root@rs1 ~]# systemctl stop firewalld
重复以上步骤配置RS2。
3、访问测试
在client端访问lvs虚拟服务:
[root@localhost ~]# for i in {1..10};do curl http://192.168.0.99;done
This is RS1 192.168.0.83
This is RS1 192.168.0.84
This is RS1 192.168.0.83
This is RS1 192.168.0.84
This is RS1 192.168.0.83
This is RS1 192.168.0.84
This is RS1 192.168.0.83
This is RS1 192.168.0.84
This is RS1 192.168.0.83
This is RS1 192.168.0.84
附上lvs-dr集群的配置脚本:
RS:
#!/bin/bash
#
vip=192.168.0.99
mask='255.255.255.255'
case $1 in
start)
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
ifconfig lo:0 $vip netmask $mask broadcast $vip up
route add -host $vip dev lo:0
;;
stop)
ifconfig lo:0 down
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
;;
*)
echo "Usage $(basename $0) start|stop"
exit 1
;;
esac
Director:
#!/bin/bash
#
vip='192.168.0.99'
iface='eno16777736:0'
mask='255.255.255.255'
port='80'
rs1='192.168.0.83'
rs2='192.168.0.84'
scheduler='rr'
type='-g'
case $1 in
start)
ifconfig $iface $vip netmask $mask broadcast $vip up
iptables -F
ipvsadm -A -t ${vip}:${port} -s $scheduler
ipvsadm -a -t ${vip}:${port} -r ${rs1} $type -w 1
ipvsadm -a -t ${vip}:${port} -r ${rs2} $type -w 1
;;
stop)
ipvsadm -C
ifconfig $iface down
;;
*)
echo "Usage $(basename $0) start|stop"
exit 1
;;
esac