LVS cluster configuration

This document walks through configuring a Linux Virtual Server (LVS) cluster in NAT mode and in DR mode. It begins by disabling the firewall and creating and distributing certificates so the real servers can serve TLS. In NAT mode it installs ipvsadm, adds a VIP and enables IP forwarding. In DR mode the focus is on the ARP settings of the real servers, configuring the VIP and DIP, and adding the rules. Every step is shown in full as a guide to building an LVS cluster.
Summary generated automatically by CSDN.


NAT mode

Disable the firewall and set SELinux to permissive

This is a lab shortcut. `setenforce 0` does not survive a reboot, and on a production director or real server you would keep firewalld (or nftables) and open only the ports the VIP serves (80 and 443 here).

[root@lvs ~]# setenforce 0
[root@lvs ~]# systemctl disable --now firewalld
[root@r1 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@r1 ~]# setenforce 0
[root@r2 ~]# setenforce 0
[root@r2 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Create certificates

// Generate the CA private key (umask 077 makes the key file readable by root only)
[root@lvs ~]# mkdir /etc/pki/CA/
[root@lvs ~]# cd /etc/pki/CA/
[root@lvs CA]# mkdir private
[root@lvs CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
..+++++
e is 65537 (0x010001)

// Generate the self-signed CA certificate (valid for 365 days)
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.hzy.com
Organizational Unit Name (eg, section) []:www.hzy.com
Common Name (eg, your name or your server's hostname) []:www.hzy.com
Email Address []:123@qq.com

// On the RS, generate the server key and a certificate signing request, then send only the CSR to the CA on the director; the private key never leaves the RS
[root@r1 ~]# mkdir /etc/httpd/ssl
[root@r1 ~]# cd /etc/httpd/ssl
[root@r1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
...........+++++
e is 65537 (0x010001)
[root@r1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.hzy.com
Organizational Unit Name (eg, section) []:www.hzy.com
Common Name (eg, your name or your server's hostname) []:www.hzy.com
Email Address []:123@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@r1 ssl]# scp httpd.csr root@192.168.207.131:/root/
root@192.168.207.131's password: 
httpd.csr                            100% 1025   324.0KB/s   00:00  

// The CA signs the request. `openssl ca` reads its database from /etc/pki/CA (index.txt, serial, newcerts/); creating those files is not shown in this transcript, the DR section below does it
[root@lvs ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun 14 09:21:44 2021 GMT
            Not After : Jun 14 09:21:44 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = www.hzy.com
            organizationalUnitName    = www.hzy.com
            commonName                = www.hzy.com
            emailAddress              = 123@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0C:A3:12:64:2F:69:79:F8:E7:20:11:7E:7C:7F:FF:61:9E:9C:92:0C
            X509v3 Authority Key Identifier: 
                keyid:1C:3D:8F:18:95:EB:03:58:E5:7A:B8:83:61:D4:93:B0:B3:17:7C:3F

Certificate is to be certified until Nov 11 15:51:55 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@lvs ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

Distribute the certificates

The director copies the signed certificate and the CA certificate to both real servers. Only httpd.crt and cacert.pem are copied here; httpd.key exists only on r1, so r2 cannot actually serve this certificate. Either repeat the key/CSR step on r2 and have the CA sign a second certificate (each RS then keeps its own private key), or, if one key is to be shared across the real servers, copy it as well with mode 0600.

[root@lvs ~]# scp httpd.crt root@192.168.207.137:/etc/httpd/ssl/
root@192.168.207.137's password: 
httpd.crt                            100% 4539     1.4MB/s   00:00    
[root@lvs ~]# scp httpd.crt root@192.168.207.136:/etc/httpd/ssl/
root@192.168.207.136's password: 
httpd.crt                            100% 4539     1.6MB/s   00:00    
[root@lvs ~]# scp /etc/pki/CA/cacert.pem root@192.168.207.137:/etc/httpd/ssl
root@192.168.207.137's password: 
cacert.pem                           100% 1383   712.1KB/s   00:00  
[root@lvs ~]# scp /etc/pki/CA/cacert.pem root@192.168.207.136:/etc/httpd/ssl
root@192.168.207.136's password: 
cacert.pem                           100% 1383   613.4KB/s   00:00    
[root@r1 ~]# echo "<h1>r1_test</h1>" >/usr/local/apache/htdocs/index.html 
[root@r2 ~]# echo "<h1>r2_test</h1>" >/usr/local/apache/htdocs/index.html 

Install ipvsadm

[root@lvs ~]# dnf -y install ipvsadm

Add a second NIC to carry the VIP. ens37 (192.168.233.128) faces the clients and is the VIP; ens33 (192.168.207.131) is the DIP on the real-server network and becomes the real servers' default gateway.

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:8f:ed:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.207.131/24 brd 192.168.207.255 scope global dynamic noprefixroute ens33
       valid_lft 1761sec preferred_lft 1761sec
    inet6 fe80::825d:8cb3:9d2b:703f/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:8f:ed:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.233.128/24 brd 192.168.233.255 scope global dynamic noprefixroute ens37
       valid_lft 1761sec preferred_lft 1761sec
    inet6 fe80::2364:856c:cb52:c4cb/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Enable IP forwarding on the director (required in NAT mode, because the director routes the real servers' replies back to the clients)

[root@lvs ~]# vi /etc/sysctl.conf 
net.ipv4.ip_forward = 1
[root@lvs ~]# sysctl -p
net.ipv4.ip_forward = 1

Configure the virtual service and its real servers (-m selects masquerading, i.e. NAT forwarding; `ipvsadm -Ln` shows the same table without resolving names)

[root@lvs ~]# ipvsadm -A -t 192.168.233.128:80 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.233.128:80 -r 192.168.207.137:80 -m
[root@lvs ~]# ipvsadm -a -t 192.168.233.128:80 -r 192.168.207.136:80 -m
[root@lvs ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  lvs:http rr
  -> 192.168.207.136:http         Masq    1      0          0         
  -> 192.168.207.137:http         Masq    1      0          0   
Point each real server's default gateway at the director's DIP (192.168.207.131). In NAT mode the replies must pass back through the director to be un-NATed; with any other gateway the client would receive replies from the RIP, an address it never contacted, and discard them.

[root@r1 html]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.207.137
NETMASK=255.255.255.0
GATEWAY=192.168.207.131
[root@r1 html]# systemctl restart NetworkManager
[root@r1 html]# ifdown ens33;ifup ens33
[root@r2 html]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEFROUTE=yes
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.207.136
NETMASK=255.255.255.0
GATEWAY=192.168.207.131
DNS1=114.114.114.114
[root@r2 html]# systemctl restart NetworkManager
[root@r2 html]# ifdown ens33;ifup ens33

Test

Repeated requests from a client on the 192.168.233.0/24 side to http://192.168.233.128/ should alternate between r1_test and r2_test, since the service uses the rr scheduler. (The original screenshot of this test is not reproduced here.)
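The test above as a runnable check. This is an added example, not part of the original post: `probe_vip` needs curl and a reachable VIP, while `check_round_robin` only reads the response lines, so it can be exercised offline on constructed input. The URL is the page's NAT-mode VIP; the request count of 10 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): send COUNT requests through the VIP
# and confirm that the rr scheduler really alternates between the real servers.
# Assumes curl on the client and that each RS serves a one-line page that
# identifies it, like the page's "<h1>r1_test</h1>" / "<h1>r2_test</h1>".

# probe_vip URL COUNT: one request per TCP connection, one response body per line.
probe_vip() {
    i=0
    while [ "$i" -lt "$2" ]; do
        # -k only because the CA built in this page is private; install cacert.pem on
        # the client and drop -k to actually verify the server certificate.
        curl -sk --max-time 5 "$1"; echo
        i=$((i + 1))
    done
}

# check_round_robin MIN_BACKENDS: reads response lines on stdin, prints a per-backend
# count, and returns 0 only if at least MIN_BACKENDS distinct backends answered and
# the busiest and quietest differ by at most one request, which is what rr produces.
check_round_robin() {
    awk -v min="$1" '
        NF == 0 { next }                       # skip empty bodies (timeouts, blank lines)
        !($0 in seen) { seen[$0] = 1; n++ }
        { count[$0]++ }
        END {
            hi = 0; lo = -1; nb = n + 0
            for (k in count) {
                printf "%6d  %s\n", count[k], k
                if (count[k] > hi) hi = count[k]
                if (lo < 0 || count[k] < lo) lo = count[k]
            }
            if (nb < min) { print "FAIL: only " nb " backend(s) answered"; exit 1 }
            if (hi - lo > 1) { print "FAIL: uneven distribution, not round-robin"; exit 1 }
            print "OK: " nb " backends, balanced"
            exit 0
        }'
}

# Typical use from a client that can reach the VIP (not executed here):
#   probe_vip http://192.168.233.128/ 10 | check_round_robin 2
```

If the distribution is uneven, check that no RS is returning errors (curl prints nothing for a failed request, which the blank-line filter drops) and that the scheduler in `ipvsadm -Ln` is still rr.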

Save the rules

[root@lvs ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm

Restore the rules (the kernel's IPVS table is empty after a reboot)

The ipvsadm package also ships an ipvsadm.service unit that restores /etc/sysconfig/ipvsadm at boot; `systemctl enable ipvsadm` is the supported alternative to the rc.local approach used in the DR section below.

[root@lvs ~]# reboot
[root@lvs ~]# ipvsadm -R < /etc/sysconfig/ipvsadm

DR mode

Create certificates (this time the CA is set up on r1)

[root@r1 apache]# mkdir /etc/pki/CA
[root@r1 apache]# cd /etc/pki/CA
[root@r1 CA]# mkdir private
[root@r1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) 
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
....................................................+++++
e is 65537 (0x010001)
[root@r1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:hzy
Organizational Unit Name (eg, section) []:com
Common Name (eg, your name or your server's hostname) []:hzy.com
Email Address []:123@qq.com
[root@r1 CA]# mkdir certs newcerts crl
[root@r1 CA]# touch index.txt && echo 01 > serial
[root@r1 CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
.................+++++
e is 65537 (0x010001)
[root@r1 CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:hzy
Organizational Unit Name (eg, section) []:com
Common Name (eg, your name or your server's hostname) []:hzy.com
Email Address []:123@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@R1 CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 14 12:21:17 2021 GMT
            Not After : Jun 14 12:21:17 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = hzy
            organizationalUnitName    = com
            commonName                = hzy.com
            emailAddress              = 123@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B1:16:DF:69:E3:BE:CC:DA:F7:46:6F:98:33:4F:2F:52:87:47:D6:FC
            X509v3 Authority Key Identifier: 
                keyid:DC:5C:6E:05:C8:3A:37:ED:74:81:D8:C1:66:52:2A:AB:F0:80:8A:78

Certificate is to be certified until Jun 12 06:14:14 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@r1 CA]# mv httpd.key httpd.crt /etc/httpd/
[root@r1 CA]# scp /etc/httpd/httpd.key 192.168.207.136:/etc/httpd/
root@192.168.207.136's password: 
httpd.key                                100% 1675   624.7KB/s   00:00    
[root@r1 CA]# scp /etc/httpd/httpd.crt 192.168.207.137:/etc/httpd/
root@192.168.207.137's password: 
httpd.crt                                100% 4495     1.5MB/s   00:00    

Each RS needs both files in /etc/httpd/ (httpd.key with mode 0600, and httpd.crt; cacert.pem too if the chain is to be served). As transcribed, 192.168.207.136 receives only the key and 192.168.207.137 only the certificate, and neither is usable on its own.
[root@r1 ~]# echo "<h1>r1_test</h1>" >/usr/local/apache/htdocs/index.html 
[root@r2 ~]# echo "<h1>r2_test</h1>" >/usr/local/apache/htdocs/index.html 
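The certificate workflow of both the NAT and the DR sections (private CA, one key and CSR per real server, signing, distribution) as a non-interactive script, together with the checks worth running before any file is copied. This is an added example, not the page's own commands: it uses the page's subject fields (hzy, www.hzy.com), assumes openssl is installed, and signs with `openssl x509 -req` instead of the page's `openssl ca` so that no index.txt/serial database is needed. The function and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): build a private CA, issue one key pair
# and certificate per real server, and verify the result before deploying it.
# Assumes openssl is installed; names (make_cluster_certs, ca.key, r1.key, ...) are
# chosen for this example.
set -u

# make_cluster_certs DIR CA_CN SERVICE_DNS RS_NAME...
# Writes DIR/ca.key, DIR/ca.crt and, per RS, DIR/<rs>.key, <rs>.csr, <rs>.crt.
# Every RS gets its own private key; all leaf certificates carry the public
# service name, so a client reaching any RS through the VIP sees a matching name.
make_cluster_certs() {
    dir=$1; ca_cn=$2; svc=$3; shift 3
    mkdir -p "$dir" || return 1
    # CA: explicit CA:TRUE and keyCertSign so the result does not depend on openssl.cnf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/C=CN/ST=HB/L=WH/O=hzy/CN=$ca_cn" \
          -keyout "$dir/ca.key" -out "$dir/ca.csr" ) >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Leaf extensions: not a CA, server auth only, and a SAN for the service name
    # (modern clients ignore the CN when matching the host name).
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$svc" \
        > "$dir/leaf.ext"
    for rs in "$@"; do
        # umask 077: the private key is 0600 from the moment it is written.
        ( umask 077
          openssl req -new -newkey rsa:2048 -nodes -sha256 \
              -subj "/C=CN/ST=HB/L=WH/O=hzy/OU=$rs/CN=$svc" \
              -keyout "$dir/$rs.key" -out "$dir/$rs.csr" ) >/dev/null 2>&1 || return 1
        # Only the CSR would travel to the CA host; the key stays on the RS.
        openssl x509 -req -in "$dir/$rs.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf.ext" \
            -out "$dir/$rs.crt" >/dev/null 2>&1 || return 1
    done
}

# cert_matches_key CRT KEY -> 0 if the certificate's public key is KEY's public key.
# This is the check that would have caught the NAT section's copy of httpd.crt to
# a host that never received httpd.key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# verify_rs_cert DIR RS -> 0 if DIR/RS.crt chains to DIR/ca.crt and matches DIR/RS.key
verify_rs_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    cert_matches_key "$1/$2.crt" "$1/$2.key"
}

# Demo when run as `sh this.sh --demo`: issue certs for r1 and r2 and run the checks.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_cluster_certs "$d" ca.hzy.com www.hzy.com r1 r2
    for rs in r1 r2; do
        verify_rs_cert "$d" "$rs" && echo "$rs: certificate verifies and matches its key"
    done
    cert_matches_key "$d/r1.crt" "$d/r2.key" || echo "r1.crt with r2.key: mismatch, as expected"
    rm -rf "$d"
fi
```

After generating, copy `<rs>.key` and `<rs>.crt` to that RS only, and `ca.crt` to every RS (and to clients that should trust the service); the CA key stays on the CA host.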

Configure the VIP and DIP on the director

In DR mode the director must own the VIP used in the ipvsadm rules (192.168.207.128, the same address the real servers later bind to lo:0) as a secondary address on ens33, so that it alone answers ARP for it; the DIP (192.168.207.131) stays the primary address.

[root@lvs ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR0=192.168.207.131
PREFIX0=24
IPADDR1=192.168.207.2
PREFIX1=24
GATEWAY=192.168.207.3
DNS1=114.114.114.114

On each RS, first stop the kernel from announcing or answering ARP for the VIP, then configure the RIP and the VIP

arp_ignore=1 makes the RS answer an ARP request only when the target address is configured on the interface the request arrived on, so a VIP held on lo is never claimed on ens33; arp_announce=2 makes the RS use its best local address (the RIP) as the ARP source instead of the VIP. The kernel applies the larger of the conf/all and per-interface values, so setting all also covers ens33 and lo. Without these settings an RS would answer ARP for the VIP and pull traffic meant for the director. Apply the sysctl change before adding the VIP to lo:0; otherwise there is a window in which the RS advertises the VIP.

[root@r1 httpd]# cat >> /etc/sysctl.conf <<EOF
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@r1 httpd]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@r2 apache]# cat >> /etc/sysctl.conf <<EOF
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@r2 apache]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@r1 httpd]# ifconfig lo:0 192.168.207.128/32 broadcast 192.168.207.128 up
[root@r1 httpd]# route add -host 192.168.207.128 dev lo:0
[root@r1 httpd]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.207.131
PREFIX=24
GATEWAY=192.168.207.2
DNS1=114.114.114.114
[root@r2 apache]# ifconfig lo:0 192.168.207.128/32 broadcast 192.168.207.128 up
[root@r2 apache]# route add -host 192.168.207.128 dev lo:0
[root@r2 apache]# cat  /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.207.137
PREFIX=24
GATEWAY=192.168.207.2
DNS1=114.114.114.114

Add rules on the director (-g selects gateway/direct-routing forwarding)

In DR mode the real-server port must equal the service port: the director forwards the frame unchanged and cannot rewrite ports. Port 443 is balanced as plain TCP, so TLS terminates on each RS, which is why every RS needs the key and certificate.

[root@lvs ~]# ipvsadm -A -t 192.168.207.128:80 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.207.128:80 -r 192.168.207.137:80 -g
[root@lvs ~]# ipvsadm -a -t 192.168.207.128:80 -r 192.168.207.136:80 -g
[root@lvs ~]# ipvsadm -A -t 192.168.207.128:443 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.207.128:443 -r 192.168.207.137:443 -g
[root@lvs ~]# ipvsadm -a -t 192.168.207.128:443 -r 192.168.207.136:443 -g
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.207.128:80 rr
  -> 192.168.207.137:80           Route   1      0          0         
  -> 192.168.207.136:80           Route   1      0          0         
TCP  192.168.207.128:443 rr
  -> 192.168.207.137:443          Route   1      0          0         
  -> 192.168.207.136:443          Route   1      0          0         
[root@lvs ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm

Load the rules automatically at boot

Note the direction: at boot the file must be read with `ipvsadm -R`; saving (`ipvsadm -Sn >`) at boot would overwrite it with the empty table of a freshly booted kernel. Under systemd, rc.local runs only if it is executable.

[root@lvs ~]# echo "ipvsadm -R < /etc/sysconfig/ipvsadm" >> /etc/rc.d/rc.local
[root@lvs ~]# chmod +x /etc/rc.d/rc.local
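The rule handling of both sections (the NAT-mode save/restore with `ipvsadm -Sn` and `ipvsadm -R`, and the hand-typed DR rules above) as a small generator plus a lint pass over the saved file. This is an added example, not from the original page: it writes the same `-A`/`-a` line format that `ipvsadm -Sn` produces, and before loading it checks for the two mistakes that are easy to make by hand, a real server attached to a service that was never defined and, in DR mode, a real-server port that differs from the VIP port. The function names are illustrative; the addresses are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): generate and lint ipvsadm rule files
# in the `ipvsadm -Sn` / `ipvsadm -R` format. Function names are chosen here.

# gen_ipvs_rules VIP MODE PORT RIP...   MODE is g (DR) or m (NAT); scheduler rr as on the page.
gen_ipvs_rules() {
    vip=$1; mode=$2; port=$3; shift 3
    echo "-A -t $vip:$port -s rr"
    for rip in "$@"; do
        echo "-a -t $vip:$port -r $rip:$port -$mode -w 1"
    done
}

# lint_ipvs_rules FILE MODE -> 0 if every -a line references a service defined by an
# earlier -A line, uses the forwarding flag for MODE, and (DR only) keeps the service
# port on the real server. Problems are printed one per line.
lint_ipvs_rules() {
    awk -v mode="$2" '
        BEGIN { want = "-" mode }
        NF == 0 { next }
        $1 == "-A" { svc[$2 " " $3] = 1; next }
        $1 == "-a" {
            key = $2 " " $3
            if (!(key in svc)) {
                printf "line %d: real server %s added to undefined service %s\n", NR, $5, $3; bad++
            }
            if ($6 != want) {
                printf "line %d: forwarding flag %s, expected %s\n", NR, $6, want; bad++
            }
            if (mode == "g") {
                # DR forwards the frame unchanged, so VIP port and RS port must match.
                split($3, v, ":"); split($5, r, ":")
                if (v[2] != r[2]) {
                    printf "line %d: DR cannot map VIP port %s to RS port %s\n", NR, v[2], r[2]; bad++
                }
            }
            next
        }
        { printf "line %d: unrecognised rule: %s\n", NR, $0; bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Typical use on the director (not executed here): write the file, lint it, then
# clear the table and load it. `ipvsadm -C` avoids "already exists" errors on reload.
#   gen_ipvs_rules 192.168.207.128 g 80 192.168.207.137 192.168.207.136 > /etc/sysconfig/ipvsadm
#   lint_ipvs_rules /etc/sysconfig/ipvsadm g && ipvsadm -C && ipvsadm -R < /etc/sysconfig/ipvsadm
```

Running the lint on the DR rules as first typed in this section would have flagged the real server attached to 192.168.233.128:443, a service that was never created with `-A`.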

