k8s的IPVS(陆续整理中)
文章目录
- 1. 概念
-
- 1.1 简述
- 1.2 轮询策略
- 2. ipvsadm 命令
-
- 2.1 --help
- 2.2 常用组合
-
- 2.2.1 ipvsadm -ln
- 2.2.2 ipvsadm -l --rate
- 2.2.3 ipvsadm -l --stats
- 2.2.4 超时时间
- 3. k8s的应用
1. 概念
1.1 简述
IPVS:IP虚拟服务器(IP Virtual Server)。是运行在LVS下的提供负载平衡功能的一种技术。
作为传输层(四层)负载均衡,可以将基于TCP和UDP的服务请求转发到真实服务器上,并使真实服务器的服务在单个 IP 地址上显示为虚拟服务。
1.2 轮询策略
实际就是lvs的轮询策略
-
轮询调度 rr
这种算法是最简单的,就是按依次循环的方式将请求调度到不同的服务器上,该算法最大的特点就是简单。轮询算法假设所有的服务器处理请求的能力都是一样的,调度器会将所有的请求平均分配给每个真实服务器,不管后端 RS 配置和处理能力,非常均衡地分发下去。 -
加权轮询 wrr
这种算法比 rr 的算法多了一个权重的概念,可以给 RS 设置权重,权重越高,那么分发的请求数越多,权重的取值范围 0 – 100。主要是对rr算法的一种优化和补充, LVS 会考虑每台服务器的性能,并给每台服务器添加要给权值,如果服务器A的权值为1,服务器B的权值为2,则调度到服务器B的请求会是服务器A的2倍。权值越高的服务器,处理的请求越多。 -
最少链接 lc
这个算法会根据后端 RS 的连接数来决定把请求分发给谁,比如 RS1 连接数比 RS2 连接数少,那么请求就优先发给 RS1 -
加权最少链接 wlc
这个算法比 lc 多了一个权重的概念。 -
基于局部性的最少连接调度算法 lblc
这个算法是请求数据包的目标 IP 地址的一种调度算法,该算法先根据请求的目标 IP 地址寻找最近的该目标 IP 地址所有使用的服务器,如果这台服务器依然可用,并且有能力处理该请求,调度器会尽量选择相同的服务器,否则会继续选择其它可行的服务器 -
复杂的基于局部性最少的连接算法 lblcr
记录的不是要给目标 IP 与一台服务器之间的连接记录,它会维护一个目标 IP 到一组服务器之间的映射关系,防止单点服务器负载过高。 -
目标地址散列调度算法 dh
该算法是根据目标 IP 地址通过散列函数将目标 IP 与服务器建立映射关系,出现服务器不可用或负载过高的情况下,发往该目标 IP 的请求会固定发给该服务器。 -
源地址散列调度算法 sh
与目标地址散列调度算法类似,但它是根据源地址散列算法进行静态分配固定的服务器资源。
2. ipvsadm 命令
2.1 --help
[root@DoM01 ~]# ipvsadm --help
ipvsadm v1.27 2008/5/15 (compiled with popt and IPVS v1.2.1)
Usage:
ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]] [-M netmask] [--pe persistence_engine] [-b sched-flags]
ipvsadm -D -t|u|f service-address
ipvsadm -C
ipvsadm -R
ipvsadm -S [-n]
ipvsadm -a|e -t|u|f service-address -r server-address [options]
ipvsadm -d -t|u|f service-address -r server-address
ipvsadm -L|l [options]
ipvsadm -Z [-t|u|f service-address]
ipvsadm --set tcp tcpfin udp
ipvsadm --start-daemon state [--mcast-interface interface] [--syncid sid]
ipvsadm --stop-daemon state
ipvsadm -h
Commands:
Either long or short options are allowed.
--add-service -A add virtual service with options
--edit-service -E edit virtual service with options
--delete-service -D delete virtual service
--clear -C clear the whole table
--restore -R restore rules from stdin
--save -S save rules to stdout
--add-server -a add real server with options
--edit-server -e edit real server with options
--delete-server -d delete real server
--list -L|-l list the table
--zero -Z zero counters in a service or all services
--set tcp tcpfin udp set connection timeout values
--start-daemon start connection sync daemon
--stop-daemon stop connection sync daemon
--help -h display this help message
Options:
--tcp-service -t service-address service-address is host[:port]
--udp-service -u service-address service-address is host[:port]
--fwmark-service -f fwmark fwmark is an integer greater than zero
--ipv6 -6 fwmark entry uses IPv6
--scheduler -s scheduler one of rr|wrr|lc|wlc|lblc|lblcr|dh|sh|sed|nq,
the default scheduler is wlc.
--pe engine alternate persistence engine may be sip,
not set by default.
--persistent -p [timeout] persistent service
--netmask -M netmask persistent granularity mask
--real-server -r server-address server-address is host (and port)
--gatewaying -g gatewaying (direct routing) (default)
--ipip -i ipip encapsulation (tunneling)
--masquerading -m masquerading (NAT)
--weight -w weight capacity of real server
--u-threshold -x uthreshold upper threshold of connections
--l-threshold -y lthreshold lower threshold of connections
--mcast-interface interface multicast interface for connection sync
--syncid sid syncid for connection sync (default=255)
--connection -c output of current IPVS connections
--timeout output of timeout (tcp tcpfin udp)
--daemon output of daemon information
--stats output of statistics information
--rate output of rate information
--exact expand numbers (display exact values)
--thresholds output of thresholds information
--persistent-conn output of persistent connection info
--nosort disable sorting output of service/server entries
--sort does nothing, for backwards compatibility
--ops -o one-packet scheduling
--numeric -n numeric output of addresses and ports
--sched-flags -b flags scheduler flags (comma-separated)
2.2 常用组合
2.2.1 ipvsadm -ln
[root@DoM01 ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 127.0.0.1:30011 rr
-> 10.244.3.5:6380 Masq 1 0 0
-> 10.244.6.83:6380 Masq 1 0 0
-> 10.244.8.140:6380 Masq 1 0 0
TCP 127.0.0.1:30521 rr
-> 10.244.4.34:30521 Masq 1 0 0
TCP 127.0.0.1:30569 rr
-> 10.244.6.165:80 Masq 1 0 0
TCP 127.0.0.1:30572 rr
-> 10.244.9.20:8720 Masq 1 0 0
TCP 172.17.0.1:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
-> 10.244.8.229:3306 Masq 1 0 0
-> 10.244.10.236:3306 Masq 1 0 0
......
下边以 30006 这一条为例说明
172.17.0.1
访问的IP,这里是docker0 网卡的
[root@DoM01 ~]# ip a
......
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:dc:95:0b:b3 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:dcff:fe95:bb3/64 scope link
valid_lft forever preferred_lft forever
......
30006
这个是nodePort的端口,我们查看一下:
[root@DoM01 ~]# kubectl get service -A|grep 30006
mysql mysqlha-readonly NodePort 10.1.61.20 <none> 3306:30006/TCP 155d
定位到了mysql这各namespace 下的 mysqlha-readonly 这个service。
-
rr
轮巡方式,见 1 -
10.244.5.159:3306
后边3行是后端 3个pod的 ip:端口
[root@DoM01 ~]# kubectl get pod -n mysql -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mysqld-exporter-657cd49787-bg228 1/1 Running 0 62d 10.244.10.234 don08 <none> <none>
mysqlha-0 2/2 Running 0 3d2h 10.244.10.236 don08 <none> <none>
mysqlha-1 2/2 Running 0 22d 10.244.8.229 don06 <none> <none>
mysqlha-2 2/2 Running 0 21d 10.244.5.159 don03 <none> <none>
phpmyadmin-579d966787-9gcpr 1/1 Running 1 155d 10.244.8.139 don06 <none> <none>
2.2.2 ipvsadm -l --rate
[root@DoM01 ~]# ipvsadm -l --rate
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port CPS InPPS OutPPS InBPS OutBPS
-> RemoteAddress:Port
TCP 10.10.239.100:30018 0 37 29 11695 8651
-> 10.244.4.68:8848 0 32 26 10726 7469
TCP 10.10.239.100:30019 0 0 0 0 0
-> 10.244.4.68:7848 0 0 0 0 0
TCP 10.10.239.100:30020 0 1 1 48 499
-> 10.244.8.143:6379 0 1 1 36 375
......
说明:
CPS(current connection rate) 每秒连接数
InPPS(current in packet rate) 每秒的入包个数
OutPPS(current out packet rate) 每秒的出包个数
InBPS(current in byte rate) 每秒入流量(字节)
OutBPS(current out byte rate) 每秒入流量(字节)
2.2.3 ipvsadm -l --stats
[root@DoM01 ~]# ipvsadm -l --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
......
TCP 10.10.239.100:30018 1640595 174592K 140093K 54052M 42661M
-> 10.244.4.68:8848 921414 114163K 92214336 35976M 28035M
TCP 10.10.239.100:30019 0 0 0 0 0
-> 10.244.4.68:7848 0 0 0 0 0
TCP 10.10.239.100:30020 197157 3886077 3422894 247816K 2565M
-> 10.244.8.143:6379 197157 3886077 3422894 247816K 2565M
TCP 10.10.239.100:30021 0 0 0 0 0
-> 10.244.8.143:26379 0 0 0 0 0
TCP 10.10.239.100:30022 197165 4075671 3501341 257677K 2500M
-> 10.244.6.80:6379 197166 4075691 3501358 257678K 2500M
......
说明:
Conns(connections scheduled) 已经转发过的连接数
InPkts(incoming packets) 入包个数
OutPkts(outgoing packets) 出包个数
InBytes(incoming bytes) 入流量(字节)
OutBytes(outgoing bytes) 出流量(字节
2.2.4 超时时间
- 查看超时时间
[root@DoM01 ~]# ipvsadm -ln --timeout
Timeout (tcp tcpfin udp): 900 120 300
说明:
tcpfin, 对于本端断开的socket连接,TCP保持在FIN_WAIT_2状态的时间。
- 设置超时时间
# ipvsadm --set 900 60 300
3. k8s的应用
[root@DoM01 ~]# ipvsadm -ln |grep 30006 -A 1
TCP 172.17.0.1:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
--
TCP 10.10.239.100:30006 rr
-> 10.244.5.159:3306 Masq 1 0 2
--
TCP 10.10.239.101:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
--
TCP 10.244.0.0:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
--
TCP 10.244.0.1:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
--
TCP 127.0.0.1:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
--
TCP 172.18.0.1:30006 rr
-> 10.244.5.159:3306 Masq 1 0 0
我们可以看到,这些转发策略都是转发到后端的一个service上的(见 “2.2.1 ipvsadm -ln”)
- 我们分析一下这些转发策略:
[root@DoM01 ~]# ipvsadm -ln |grep 30006
TCP 172.17.0.1:30006 rr
TCP 10.10.239.100:30006 rr
TCP 10.10.239.101:30006 rr
TCP 10.244.0.0:30006 rr
TCP 10.244.0.1:30006 rr
TCP 127.0.0.1:30006 rr
TCP 172.18.0.1:30006 rr
查看一下网卡
[root@DoM01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 52:54:00:77:17:a2 brd ff:ff:ff:ff:ff:ff
inet 10.10.239.101/24 brd 10.10.239.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.10.239.100/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe77:17a2/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:dc:95:0b:b3 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:dcff:fe95:bb3/64 scope link
valid_lft forever preferred_lft forever
4: br-3e07572b19cd: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:8c:9d:81:c1 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-3e07572b19cd
valid_lft forever preferred_lft forever
inet6 fe80::42:8cff:fe9d:81c1/64 scope link
valid_lft forever preferred_lft forever
6: veth070e6f2@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ba:a3:31:23:7f:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::b8a3:31ff:fe23:7f02/64 scope link
valid_lft forever preferred_lft forever
8: vetha8b1148@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3e07572b19cd state UP group default
link/ether 82:94:d5:0c:b4:db brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::8094:d5ff:fe0c:b4db/64 scope link
valid_lft forever preferred_lft forever
9: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether d6:52:52:b7:f2:84 brd ff:ff:ff:ff:ff:ff
10: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether e2:d4:0f:41:0c:0c brd ff:ff:ff:ff:ff:ff
inet 10.1.254.181/32 brd 10.1.254.181 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.1.70.180/32 brd 10.1.70.180 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.1.75.85/32 brd 10.1.75.85 scope global kube-ipvs0
valid_lft forever preferred_lft forever
......
11: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether a6:2d:18:e6:c5:8d brd ff:ff:ff:ff:ff:ff
inet 10.244.0.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::a42d:18ff:fee6:c58d/64 scope link
valid_lft forever preferred_lft forever
12: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
link/ether d2:80:77:46:f1:e4 brd ff:ff:ff:ff:ff:ff
inet 10.244.0.1/24 brd 10.244.0.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::d080:77ff:fe46:f1e4/64 scope link
valid_lft forever preferred_lft forever
13: veth5c34a586@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
link/ether 4e:05:f6:58:a4:13 brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet6 fe80::4c05:f6ff:fe58:a413/64 scope link
valid_lft forever preferred_lft forever