LVS:
LVS,全称Linux Virtual Server,是一款基于Linux实现的高性能、可伸缩、可靠的服务器集群软件。
一、NAT集群实践:
准备工作:准备四台主机(客户端、LVS调度器、RS1、RS2)
关闭防火墙、关闭SELinux(仅为实验环境简化配置;生产环境应保留防火墙并只放行所需端口).
LVS调度器使用NAT在外网IP与内网IP之间相互转换,请求从哪条路径进来,响应就从哪条路径返回
客户端配置:设置对应IP
LVS调度器
#安装软件包
yum install ipvsadm -y
vim /etc/sysctl.conf
#添加内核转发选项
#添加一条
net.ipv4.ip_forward = 1
#重载
sysctl -p
#添加转发策略: -A 添加集群、-t TCP、-s rr 调度策略为轮询
ipvsadm -A -t 10.211.55.100:80 -s rr
# -m表示 NAT
ipvsadm -a -t 10.211.55.100:80 -r 192.168.0.10 -m
ipvsadm -a -t 10.211.55.100:80 -r 192.168.0.20 -m
ipvsadm -Ln #查看添加的策略
ipvsadm-save > /etc/sysconfig/ipvsadm #写入磁盘文件
systemctl start ipvsadm
RS1、RS2添加httpd服务
IP设置、网关为LVS的eth1端口
#添加Web测试服务
yum install -y httpd
echo Welcome to 192.168.0.10[/20] ! > /var/www/html/index.html
systemctl restart httpd
测试结果
root@MacBook-Pro ~ % for i in {1..6}; do curl 192.168.0.200; done
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
结果:10、20 依次轮询负载
二、DR集群实践:
准备工作:准备五台主机(一台客户端、一个充当路由器、一个LVS调度器、两台RS Web服务器)
关闭防火墙、关闭SELinux.
客户端可以是多个,这里用一台主机代替;Router主要起转发作用;LVS添加调度策略,把访问分发给RS1、RS2;RS1、RS2直接经由Router把响应返回给客户端
客户端配置:
#NAT网卡配置文件
[root@Client ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
type=ethernet
interface-name=eth0
[ipv4]
address1=10.211.55.200/24,10.211.55.100
method=manual
#重载网卡
[root@Client ~]# nmcli connection reload ;nmcli connection up eth0
#查看路由表
[root@Client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.211.55.100 0.0.0.0 UG 100 0 0 eth0
10.211.55.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Router配置:
#网卡配置
[root@Router ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
type=ethernet
interface-name=eth0
[ipv4]
address1=10.211.55.100/24
method=manual
[root@Router ~]# cat /etc/NetworkManager/system-connections/eth1.nmconnection
[connection]
id=eth1
uuid=1df463d5-4c20-431a-95ef-da8c99fd0326
type=ethernet
interface-name=eth1
[ethernet]
[ipv4]
address1=192.168.0.100/24
method=manual
#重载网卡
[root@Router ~]# nmcli connection reload ;nmcli connection up eth0;nmcli connection up eth1
#开启内核路由转发
[root@Router ~]# cat /etc/sysctl.conf
#添加一条
net.ipv4.ip_forward = 1
#重载
sysctl -p
LVS配置:
#网卡配置
[root@LVS ~]# cat /etc/NetworkManager/system-connections/eth1.nmconnection
[connection]
id=eth1
uuid=d7eee6eb-d09d-44fe-b82f-2db206ddc154
type=ethernet
interface-name=eth1
timestamp=1722912286
[ethernet]
[ipv4]
address1=192.168.0.50/24,192.168.0.100
method=manual
#同样重载网卡
[root@LVS ~]# nmcli connection reload ;nmcli connection up eth0;nmcli connection up eth1
#查看路由表
[root@LVS ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 30 0 0 lo
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
#添加VIP (使用回环网卡)
[root@LVS ~]# ip a a 192.168.0.200/32 dev lo
#安装ipvsadm软件包
[root@LVS ~]# yum install -y ipvsadm
#临时添加LVS策略
[root@LVS ~]# ipvsadm -A -t 192.168.0.200:80 -s wrr
[root@LVS ~]# ipvsadm -a -t 192.168.0.200:80 -r 192.168.0.10:80 -g -w 1
[root@LVS ~]# ipvsadm -a -t 192.168.0.200:80 -r 192.168.0.20:80 -g -w 2
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 wrr
-> 192.168.0.10:80 Route 1 0 0
-> 192.168.0.20:80 Route 2 0 0
[root@LVS ~]# ipvsadm-save > /etc/sysconfig/ipvsadm #保存策略
[root@LVS ~]# ipvsadm-restore < /etc/sysconfig/ipvsadm #载入策略
[root@LVS ~]# systemctl stop ipvsadm.service
[root@LVS ~]# systemctl start ipvsadm.service #重新启动ipvsadm服务
#开启内核路由转发同理(Router)
[root@LVS ~]# cat /etc/sysctl.conf
#添加一条
net.ipv4.ip_forward = 1
#重载
sysctl -p
RS1配置:
#配置网卡:
[root@RS1 ~]# cat /etc/NetworkManager/system-connections/eht1.nmconnection
[connection]
id=eth1
uuid=31219edb-b042-43f8-9135-2c807a825196
type=ethernet
interface-name=eth1
[ipv4]
method=manual
address=192.168.0.10/24,192.168.0.100
#重载网卡
[root@RS1 ~]# nmcli connection reload ;nmcli connection up eth1
#查看路由表
[root@RS1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 30 0 0 lo
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth1
#抑制RS对VIP的ARP应答与宣告(写入/proc仅临时生效,重启后失效)
[root@RS1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@RS1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@RS1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@RS1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_ignore
#临时添加VIP (使用回环网卡)
[root@RS1 ~]# ip a a 192.168.0.200/32 dev lo
#添加Web测试服务
yum install -y httpd
echo Welcome to 192.168.0.10 ! > /var/www/html/index.html
systemctl restart httpd
RS2配置:
#配置网卡
[root@RS2 ~]# cat /etc/NetworkManager/system-connections/有线连接\ 1.nmconnection
[connection]
id=eth1
uuid=1df463d5-4c20-431a-95ef-da8c99fd0326
type=ethernet
interface-name=eth1
[ipv4]
address1=192.168.0.20/24,192.168.0.100
method=manual
#重载网卡
[root@RS2 ~]# nmcli connection reload ;nmcli connection up eth1
#查看路由表
[root@RS2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 101 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 30 0 0 lo
192.168.0.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
#抑制RS对VIP的ARP应答与宣告(写入/proc仅临时生效,重启后失效)
[root@RS2 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@RS2 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@RS2 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@RS2 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_ignore
#临时添加VIP (使用回环网卡)
[root@RS2 ~]# ip a a 192.168.0.200/32 dev lo
#添加Web测试服务
yum install -y httpd
echo Welcome to 192.168.0.20 ! > /var/www/html/index.html
systemctl restart httpd
测试结果:
#在客户端访问Web服务,请求被转发到RS1和RS2;权重不同,分配到的请求数也不同(这里约为1:2)
[root@Client ~]# for i in {1..20}; do curl 192.168.0.200; done
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.10 !
Welcome to 192.168.0.20 !
Welcome to 192.168.0.20 !
查看rate信息:
[root@LVS ~]# watch -n1 ipvsadm -Ln --rate
使用Wireshark抓包,可查看 192.168.0.20 -> 192.168.0.100 的回包过程
三、防火墙标记
RS1、RS2 都配置http和https服务
#如果没有https支持、安装一下
yum install -y mod_ssl
普通配置如下:
[root@LVS ~]# ipvsadm -A -t 192.168.0.200:443
[root@LVS ~]# ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.10:443 -g
[root@LVS ~]# ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.20:443 -g
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 wrr
-> 192.168.0.10:80 Route 1 0 0
-> 192.168.0.20:80 Route 2 0 0
TCP 192.168.0.200:443 wlc
-> 192.168.0.10:443 Route 1 0 0
-> 192.168.0.20:443 Route 1 0 0
测试时发现问题:80和443是两个相互独立的虚拟服务,各自独立调度(上面80为wrr、443未指定-s时默认为wlc),
所以同一台RS会连续收到一次80和一次443的请求,而不是在10、20两台主机之间依次轮询;为解决这个问题我们采用防火墙标记方法
[root@Client ~]# for i in {1..5}; do curl 192.168.0.200 ; curl -k https://192.168.0.200; done
Welcome to 192.168.0.20!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.20!
#清空ipvsadm表
[root@LVS ~]# ipvsadm -C
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
#添加标记🏷️
[root@LVS ~]# iptables -t mangle -A PREROUTING -d 192.168.0.200 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 88
#查看iptables mangle 表中的 PREROUTING 链
[root@LVS ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 6 -- 0.0.0.0/0 192.168.0.200 multiport dports 80,443 MARK set 0x58
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
#使用-f 添加防火墙标记号
[root@LVS ~]# ipvsadm -A -f 88 -s rr
[root@LVS ~]# ipvsadm -a -f 88 -r 192.168.0.10 -g
[root@LVS ~]# ipvsadm -a -f 88 -r 192.168.0.20 -g
[root@LVS ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 88 rr
-> 192.168.0.10:0 Route 1 0 0
-> 192.168.0.20:0 Route 1 0 0
客户端测试结果:
[root@Client ~]# for i in {1..10}; do curl 192.168.0.200 ; curl -k https://192.168.0.200; done
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!
Welcome to 192.168.0.20!
Welcome to 192.168.0.10!