Topology environment:
Implementation requirements:
1. No cluster may have its firewall turned off; the required ports are opened by hand.
2. Build an LVS server cluster to load-balance the web cluster.
3. Configure keepalived high availability so the LVS layer has no single point of failure.
4. Build the web server cluster (Apache) with identical configuration on every node.
5. Run Logstash on the web servers to collect their logs and forward them to the intranet EK server.
6. Build an Elasticsearch + Kibana server for viewing the web service logs.
7. Build a GFS storage cluster (distributed-replicated volume) that serves the site content to the web servers, with redundancy.
8. Build a Zabbix monitoring service that watches resource usage on the web servers so that problems are handled promptly.
9. Every server on the external network authenticates the Zabbix management server with an SSH key pair, for unified management.
Note: anything omitted here is to be added by the implementing team.
The overall service must be highly available, handle high load, and be secure!!!
Lab server allocation:
centos7-1 - LVS (DR) + keepalived: 202.202.2.1
centos7-2 - LVS (DR) + keepalived: 202.202.2.2
centos7-3 - web + logstash: 192.168.3.1 (intranet, ens36), 202.202.2.3 (public, ens33; needed for DR)
centos7-4 - web + logstash: 192.168.3.2 (intranet, ens36), 202.202.2.4 (public, ens33; needed for DR)
centos7-5 - GFS: 192.168.3.3
centos7-6 - GFS: 192.168.3.4
centos7-7 - Elasticsearch + Kibana: 192.168.3.5
centos7-8 - zabbix: 202.202.2.3, 192.168.3.6
Note: LVS in DR mode requires the real servers to share the directors' layer-2 segment, so the web nodes must also carry a 202.202.2.0/24 address (the captures in section 2 and the real_server entries in section 3 use 202.202.2.3 and 202.202.2.4). That collides with the Zabbix server's public address 202.202.2.3 listed above; give the Zabbix server a different public-side address before deploying.
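Requirement 1 (firewalls stay on) is never turned into a port list on this page. The script below is an added example, not from the original page or from any of the projects it uses, that prints per role the firewall-cmd rules the later sections depend on: VRRP and 80/tcp on the directors (IPVS only sees a packet after the filter INPUT chain has accepted it), 80/tcp on the web nodes, the glusterfs service on the storage nodes, 9200 only from the two web nodes and 5601 only from the management host on the EK server, and the Zabbix agent/server ports restricted to the Zabbix server. Addresses come from the allocation above. ZBX_PUB, the Zabbix server's public-side address, is an assumption because the listed address collides with web-01, and the glusterfs service definition is assumed to exist in your firewalld (check firewall-cmd --get-services; otherwise open 24007-24008/tcp and the brick port range instead).

```shell
#!/bin/sh
# Added example, not from the original page: firewalld rule set per role for this lab.
# fw_rules_for ROLE prints the commands; apply_rules ROLE executes them (as root).
# Addresses follow the allocation table; ZBX_PUB is an assumption (must not collide with web-01).
WEB_NODES="192.168.3.1 192.168.3.2"
LVS_NODES="202.202.2.1 202.202.2.2"
GFS_NODES="192.168.3.3 192.168.3.4"
EK_NODE="192.168.3.5"
ZBX_INT="192.168.3.6"
ZBX_PUB="${ZBX_PUB:-202.202.2.3}"

# allow_from SRC PORT: rich rule that admits PORT/tcp only from SRC; the zone stays closed otherwise
allow_from() {
  printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$1" "$2"
}

# fw_rules_for ROLE: print the commands for lvs|web|gfs|ek|zabbix
fw_rules_for() {
  case "$1" in
    lvs)
      # VRRP is IP protocol 112; without it the backup never hears the master and both claim the VIP
      echo "firewall-cmd --permanent --add-rich-rule='rule protocol value=\"vrrp\" accept'"
      # IPVS runs after the filter INPUT chain, so the VIP's service port must be open on the director too
      echo "firewall-cmd --permanent --add-port=80/tcp"
      allow_from "$ZBX_PUB" 10050 ;;                         # passive zabbix checks from the server
    web)
      echo "firewall-cmd --permanent --add-port=80/tcp"
      allow_from "$ZBX_INT" 10050 ;;
    gfs)
      # glusterd (24007/24008) plus the brick port range; firewalld ships this as the glusterfs service
      echo "firewall-cmd --permanent --add-service=glusterfs"
      allow_from "$ZBX_INT" 10050 ;;
    ek)
      for n in $WEB_NODES; do allow_from "$n" 9200; done   # logstash -> elasticsearch, nothing else
      allow_from "$ZBX_INT" 5601                           # kibana 5.5 OSS has no login: admin host only
      allow_from "$ZBX_INT" 10050 ;;
    zabbix)
      echo "firewall-cmd --permanent --add-port=80/tcp"     # zabbix web UI
      for n in $LVS_NODES $WEB_NODES $GFS_NODES $EK_NODE; do allow_from "$n" 10051; done  # active agents
      ;;
    *) echo "usage: fw_rules_for lvs|web|gfs|ek|zabbix" >&2; return 2 ;;
  esac
  echo "firewall-cmd --reload"
}

# apply_rules ROLE: execute what fw_rules_for prints (needs root and a running firewalld)
apply_rules() {
  fw_rules_for "$1" | while IFS= read -r cmd; do eval "$cmd"; done
}
```

Run `fw_rules_for web` on a node to review the commands, then `apply_rules web` to apply them; the rich rules deliberately avoid opening 9200, 5601 or 10050 to the whole zone.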
1. Deploy the two keepalived servers
Configure the IP address of each LVS server first (ens33 on both):
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 202.202.2.1 netmask 255.255.255.0 broadcast 202.202.2.255
inet6 fe80::20c:29ff:fe15:e99e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:15:e9:9e txqueuelen 1000 (Ethernet)
RX packets 1488 bytes 227261 (221.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 845 bytes 128422 (125.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 202.202.2.2 netmask 255.255.255.0 broadcast 202.202.2.255
inet6 fe80::20c:29ff:fe95:af58 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:95:af:58 txqueuelen 1000 (Ethernet)
RX packets 720 bytes 155002 (151.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 378 bytes 63798 (62.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Deploy keepalived on the MASTER node:
[root@localhost ~]# yum -y install keepalived ipvsadm
[root@localhost ~]# cd /etc/keepalived/
[root@localhost keepalived]# cp keepalived.conf keepalived.conf.bak
[root@localhost keepalived]# vim keepalived.conf
global_defs {
router_id LVS_HA_R1
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
202.202.2.254
}
}
[root@localhost keepalived]# systemctl start keepalived
Deploy keepalived on the BACKUP node. Its configuration differs only in router_id, priority and the state (BACKUP instead of MASTER); virtual_router_id, auth_pass and the VIP must be identical on both nodes or the two instances will never pair. Because the firewalls stay on, firewalld on both directors must also accept VRRP (IP protocol 112); otherwise the backup never sees the master's advertisements and both nodes claim the VIP at once. Enable keepalived on both nodes so it starts at boot. VRRP PASS authentication travels in clear text and only guards against accidental mis-pairing, so pick something less guessable than 1111.
[root@localhost network-scripts]# cd /etc/keepalived/
[root@localhost keepalived]# cp keepalived.conf keepalived.conf.bak
[root@localhost keepalived]# vi keepalived.conf
global_defs {
router_id LVS_HA_R2
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 51
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
202.202.2.254
}
}
[root@localhost keepalived]# systemctl start keepalived
Adjust the /proc parameters on both directors (stop the kernel from sending ICMP redirects, which would tell clients to bypass the director). Append the three lines below to /etc/sysctl.conf, then load them; sysctl -p echoes the values it applied:
[root@localhost network-scripts]# vi /etc/sysctl.conf
[root@localhost network-scripts]# sysctl -p
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.ens33.send_redirects = 0
2. Deploy the two web (Apache) servers
Configure both nodes with two NICs: ens33 on the public network and ens36 on the intranet.
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 202.202.2.3 netmask 255.255.255.0 broadcast 202.202.2.255
inet6 fe80::20c:29ff:fe1c:a1a4 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:1c:a1:a4 txqueuelen 1000 (Ethernet)
RX packets 777 bytes 163737 (159.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 278 bytes 36258 (35.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::20c:29ff:fe1c:a1ae prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:1c:a1:ae txqueuelen 1000 (Ethernet)
RX packets 243 bytes 33270 (32.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 28988 (28.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 202.202.2.4 netmask 255.255.255.0 broadcast 202.202.2.255
inet6 fe80::20c:29ff:feb5:b978 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b5:b9:78 txqueuelen 1000 (Ethernet)
RX packets 1468 bytes 242924 (237.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 827 bytes 86606 (84.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.2 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::20c:29ff:feb5:b982 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b5:b9:82 txqueuelen 1000 (Ethernet)
RX packets 157 bytes 19848 (19.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 178 bytes 34316 (33.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Install Apache (same on both nodes) and open port 80. Use --permanent so the rule survives a reload or reboot, then reload, and start and enable httpd:
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# firewall-cmd --permanent --add-port=80/tcp
[root@localhost ~]# firewall-cmd --reload
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl enable httpd
3. Configure the LVS + keepalived high-availability cluster
Add the web server pool to /etc/keepalived/keepalived.conf on both directors (identical on both). Delete the sample virtual_server blocks that ship in the default file first, otherwise keepalived also health-checks addresses that do not exist here. Since the firewall stays on, the directors must accept 80/tcp themselves: IPVS only sees a packet after the filter INPUT chain has accepted it.
[root@localhost ~]# vim /etc/keepalived/keepalived.conf
virtual_server 202.202.2.254 80 { #virtual server address (the VIP) and port
delay_loop 6
lb_algo rr
lb_kind DR
protocol TCP
real_server 202.202.2.3 80 { #first web node, address and port
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 4
}
}
real_server 202.202.2.4 80 { #second web node, address and port
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 4
}
}
}
[root@localhost ~]# systemctl restart keepalived
Configure the web nodes (same on both). Bind the VIP to a loopback alias as a /32 so the node accepts traffic addressed to it without ever answering ARP for it on the LAN:
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-lo ifcfg-lo:0
[root@localhost network-scripts]# vi ifcfg-lo:0
DEVICE=lo:0
IPADDR=202.202.2.254
NETMASK=255.255.255.255
ONBOOT=yes
NAME=loopback:0
[root@localhost network-scripts]# ifup lo:0
[root@localhost network-scripts]# route add -host 202.202.2.254 dev lo:0
The host route is not persistent; re-add it at boot. Then suppress ARP for the VIP: arp_ignore=1 makes the node answer ARP only for addresses configured on the interface the request arrived on (the VIP lives on lo, so ens33 stays silent), and arp_announce=2 keeps the VIP out of the source field of the node's own ARP requests. Append these to /etc/sysctl.conf and load them; the lines shown are sysctl -p confirming them:
[root@localhost network-scripts]# vi /etc/sysctl.conf
[root@localhost network-scripts]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
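A DR real server that gets any one of the steps above wrong (VIP also on ens33, ARP suppression missing on lo, no host route) silently answers ARP for the VIP and steals traffic from the director. The script below is an added example, not from the original page, that checks all three on a web node. It assumes the VIP 202.202.2.254 and the iproute2 output formats of ip -o -4 addr show and ip route show; the three file arguments exist so the checks can be run against captured output without root.

```shell
#!/bin/sh
# Added example, not from the original page: verify a node is correctly prepared as an LVS/DR
# real server. With three file arguments it checks captured output; with none it runs the live
# commands (sysctl, ip). VIP is an assumption taken from the page's keepalived.conf.
VIP="${VIP:-202.202.2.254}"

# sysctl_is FILE KEY VALUE: FILE holds "key = value" lines as printed by sysctl
sysctl_is() {
  awk -v k="$2" -v v="$3" '$1 == k && $3 == v { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# check_dr_realserver [SYSCTL_FILE ADDR_FILE ROUTE_FILE]
#   SYSCTL_FILE: output of  sysctl net.ipv4.conf.{all,lo}.arp_{ignore,announce}
#   ADDR_FILE:   output of  ip -o -4 addr show
#   ROUTE_FILE:  output of  ip route show
check_dr_realserver() {
  if [ $# -eq 3 ]; then
    sysctl_file="$1"; addr_file="$2"; route_file="$3"
  else
    tmp=$(mktemp -d)
    sysctl net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce \
           net.ipv4.conf.lo.arp_ignore  net.ipv4.conf.lo.arp_announce > "$tmp/sysctl"
    ip -o -4 addr show > "$tmp/addr"
    ip route show > "$tmp/route"
    sysctl_file="$tmp/sysctl"; addr_file="$tmp/addr"; route_file="$tmp/route"
  fi
  rc=0
  # arp_ignore=1: answer ARP only for addresses on the receiving interface;
  # arp_announce=2: never use the VIP as the source of our own ARP requests. Needed on all and lo.
  for iface in all lo; do
    sysctl_is "$sysctl_file" "net.ipv4.conf.$iface.arp_ignore" 1 \
      || { echo "FAIL: net.ipv4.conf.$iface.arp_ignore is not 1"; rc=1; }
    sysctl_is "$sysctl_file" "net.ipv4.conf.$iface.arp_announce" 2 \
      || { echo "FAIL: net.ipv4.conf.$iface.arp_announce is not 2"; rc=1; }
  done
  # the VIP must be a /32 on lo and on no other interface (there it would answer ARP)
  awk -v vip="$VIP/32" '$2 == "lo" && $4 == vip { ok = 1 } END { exit ok ? 0 : 1 }' "$addr_file" \
    || { echo "FAIL: $VIP/32 is not configured on lo"; rc=1; }
  awk -v vip="$VIP" '$2 != "lo" && index($4, vip "/") == 1 { bad = 1 } END { exit bad ? 1 : 0 }' "$addr_file" \
    || { echo "FAIL: $VIP is also bound to a non-loopback interface"; rc=1; }
  # the DR recipe adds a host route for the VIP via lo so VIP-addressed traffic stays local
  awk -v vip="$VIP" '$1 == vip && $2 == "dev" && $3 == "lo" { ok = 1 } END { exit ok ? 0 : 1 }' "$route_file" \
    || { echo "FAIL: no host route for $VIP via lo"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: DR real-server settings are consistent"
  return "$rc"
}
```

Run `check_dr_realserver` on each web node after section 3; a FAIL line names the setting to fix.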
LVS (DR) load balancing with high availability is now in place.
Next, configure GFS so the web servers share one copy of the site files.
4. Configure the GFS cluster to serve files to the web servers
Note: add two extra disks to each GFS server and size them to your needs; for this lab each gets two 2 GB disks.
Set up name resolution (on both GFS nodes):
[root@localhost ~]# vi /etc/hosts
192.168.3.3 gfs-01
192.168.3.4 gfs-02
Create a primary partition on each disk, format it and mount it (same on both nodes):
[root@localhost ~]# fdisk /dev/sdb
[root@localhost ~]# fdisk /dev/sdc
[root@localhost ~]# mkfs.xfs /dev/sdb1
[root@localhost ~]# mkfs.xfs /dev/sdc1
[root@localhost ~]# mkdir -p /www/html-01
[root@localhost ~]# mkdir -p /www/html-02
[root@localhost ~]# mount /dev/sdb1 /www/html-01
[root@localhost ~]# mount /dev/sdc1 /www/html-02
[root@localhost ~]# vi /etc/fstab
/dev/sdb1 /www/html-01 xfs defaults 0 0
/dev/sdc1 /www/html-02 xfs defaults 0 0
Install the GlusterFS packages:
[root@localhost ~]# yum -y install glusterfs glusterfs-server glusterfs-fuse glusterfs-rdma
Start GlusterFS and enable it at boot:
[root@localhost ~]# systemctl start glusterd
[root@localhost ~]# systemctl enable glusterd
Created symlink from /etc/systemd/system/multi-user.target.wants/glusterd.service to /usr/lib/systemd/system/glusterd.service.
Add the peer. On gfs-01 probe gfs-02 (probing the local node is a no-op, as the first output shows):
[root@localhost ~]# gluster peer probe gfs-01
peer probe: success. Probe on localhost not needed
[root@localhost ~]# gluster peer probe gfs-02
peer probe: success.
Create the distributed-replicated volume. Gluster groups bricks into replica sets in the order given, so with replica 2 each consecutive pair becomes one mirrored set. The order must therefore alternate hosts (gfs-01, gfs-02, gfs-01, gfs-02); listing both of gfs-01's bricks first puts both copies of a set on the same server, which gluster warns about ("multiple bricks of a replicate volume are present on the same server") and which means losing one server loses data, defeating requirement 7. force is still needed here only because the bricks are the roots of their mount points; a subdirectory under each mount avoids that warning as well:
[root@localhost ~]# gluster volume create dis-rep replica 2 gfs-01:/www/html-01 gfs-02:/www/html-01 gfs-01:/www/html-02 gfs-02:/www/html-02 force
volume create: dis-rep: success: please start the volume to access data
[root@localhost ~]# gluster volume start dis-rep
volume start: dis-rep: success
Install the Gluster client on both web servers and mount the dis-rep volume on the document root. _netdev makes systemd wait for the network before mounting, and backup-volfile-servers lets the mount fetch the volume file from gfs-02 when gfs-01 is down (the data path already uses both servers; this only matters at mount time). A two-way replica can split-brain under a network partition; with a third node, replica 3 arbiter 1 avoids that.
[root@localhost network-scripts]# yum -y install glusterfs glusterfs-fuse
[root@localhost ~]# vim /etc/hosts
192.168.3.3 gfs-01
192.168.3.4 gfs-02
[root@localhost network-scripts]# mount -t glusterfs -o backup-volfile-servers=gfs-02 gfs-01:dis-rep /var/www/html/
[root@localhost network-scripts]# vi /etc/fstab
gfs-01:dis-rep /var/www/html glusterfs defaults,_netdev,backup-volfile-servers=gfs-02 0 0
Storage high availability for the web servers is now complete.
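Because gluster decides replica membership purely from brick order, it is worth checking the order before running volume create rather than relying on the warning. The script below is an added example, not from the original page or from GlusterFS itself: check_replica_placement rejects any replica set whose bricks share a host, and interleave_bricks produces the host-alternating order for the two-node layout used here. Host names and brick paths are the ones from this section.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check brick order for a distributed-
# replicated volume. Bricks are grouped into replica sets of REPLICA consecutive entries,
# exactly as "gluster volume create ... replica N" does.

# check_replica_placement REPLICA brick...   (brick form: host:/path)
# exit 0 if every replica set spans distinct hosts, 1 if some host holds two copies of a set
check_replica_placement() {
  replica="$1"; shift
  [ "$replica" -ge 2 ] || { echo "replica count must be >= 2" >&2; return 2; }
  [ $(( $# % replica )) -eq 0 ] || { echo "brick count $# is not a multiple of $replica" >&2; return 2; }
  printf '%s\n' "$@" | awk -v r="$replica" '
    {
      host = $0; sub(/:.*/, "", host)          # host part of host:/path
      set = int((NR - 1) / r)                  # which replica set this brick lands in
      if (seen[set, host]++) {
        printf "replica set %d: host %s holds more than one copy\n", set, host
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# interleave_bricks "hostA hostB ..." path...: emit host-alternating brick list so that
# each replica set (of size = number of hosts) spans every host once
interleave_bricks() {
  hosts="$1"; shift
  for p in "$@"; do
    for h in $hosts; do printf '%s:%s\n' "$h" "$p"; done
  done
}

# usage on gfs-01 (not run here):
#   bricks=$(interleave_bricks "gfs-01 gfs-02" /www/html-01 /www/html-02)
#   check_replica_placement 2 $bricks && gluster volume create dis-rep replica 2 $bricks force
```

The first call in the usage comment prints gfs-01:/www/html-01 gfs-02:/www/html-01 gfs-01:/www/html-02 gfs-02:/www/html-02, the order used above; feeding it the page's original order instead makes the check fail on both sets.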
5. Configure the Elasticsearch + Kibana server
Configure the EK server's address (intranet only):
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.5 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::20c:29ff:fe38:64dc prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:38:64:dc txqueuelen 1000 (Ethernet)
RX packets 1591 bytes 241540 (235.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1024 bytes 129928 (126.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Install Elasticsearch. The NOKEY warnings shown for the Kibana and Logstash packages below mean rpm could not verify the signatures because Elastic's package-signing key (key ID D88E42B4) is not imported; import that key (published at artifacts.elastic.co) and check each package with rpm -K before installing, so a tampered download is rejected instead of installed.
[root@localhost ~]# rpm -ihv /mnt/elasticsearch-5.5.0.rpm
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
Edit the main Elasticsearch configuration file, /etc/elasticsearch/elasticsearch.yml. This Elasticsearch 5.5 has no authentication, so with network.host set to 0.0.0.0 anything that can reach 9200 can read or delete every index; the firewall must admit 9200 only from the two web nodes. Binding to a non-loopback address also makes Elasticsearch's bootstrap checks fatal: if it refuses to start, raise vm.max_map_count to 262144 and the open-file limit as its log demands.
node.name: node-1
path.data: /data/elk_data
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
Create the data directory and hand it to the elasticsearch user:
[root@localhost ~]# mkdir -p /data/elk_data
[root@localhost ~]# chown elasticsearch:elasticsearch /data/elk_data/
Start Elasticsearch and confirm it is listening on 9200:
[root@node1 ~]# systemctl start elasticsearch
[root@node1 ~]# netstat -natp | grep 9200
tcp6 0 0 :::9200 :::* LISTEN 11437/java
[root@node1 ~]#
Install Kibana (same NOKEY warning, same remedy):
[root@node1 ~]# rpm -ihv /mnt/kibana-5.5.1-x86_64.rpm
warning: /mnt/kibana-5.5.1-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:kibana-5.5.1-1 ################################# [100%]
[root@node1 ~]# systemctl enable kibana
Edit Kibana's main configuration file, /etc/kibana/kibana.yml. Kibana 5.5 without X-Pack has no login page, so 5601 must be reachable only from the management host:
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.3.5:9200"
kibana.index: ".kibana"
Start Kibana:
[root@node1 ~]# systemctl start kibana
[root@node1 ~]# netstat -antp | grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 11586/node
6. Deploy Logstash on the web servers
Install Logstash (same on both web servers):
[root@localhost ~]# rpm -ihv /mnt/logstash-5.5.1.rpm
warning: /mnt/logstash-5.5.1.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:logstash-1:5.5.1-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash
[root@localhost ~]# systemctl start logstash
Write the Logstash pipeline apache_log.conf. The service runs as the logstash user, and on CentOS 7 /var/log/httpd (which /etc/httpd/logs points to) is mode 0700 and owned by root, so the service cannot read the files even though a foreground run as root can. Grant the logstash user read access to that directory and to the two log files (a setfacl entry for user logstash is the cleanest way) before relying on the service:
[root@localhost ~]# cd /etc/logstash/conf.d/
[root@localhost conf.d]# vi apache_log.conf
input {
file{
path => "/etc/httpd/logs/access_log"
type => "access"
start_position => "beginning"
}
file{
path => "/etc/httpd/logs/error_log"
type => "error"
start_position => "beginning"
}
}
output {
if [type] == "access" {
elasticsearch {
hosts => ["192.168.3.5:9200"]
index => "apache_access-%{+YYYY.MM.dd}"
}
}
if [type] == "error" {
elasticsearch {
hosts => ["192.168.3.5:9200"]
index => "apache_error-%{+YYYY.MM.dd}"
}
}
}
Validate the pipeline syntax, then let the service pick it up. Do not leave a foreground logstash -f running next to the service: two instances reading the same files with separate sincedb state send every event twice.
[root@localhost conf.d]# /usr/share/logstash/bin/logstash -f apache_log.conf --config.test_and_exit
[root@localhost conf.d]# systemctl restart logstash
Log in to Kibana, add the index patterns apache_access-* and apache_error-*, and browse the logs.
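Once the access log is flowing, the first thing to build in Kibana is a per-client breakdown of status codes, which is how path scanners and login brute force stand out from real traffic. The script below is an added example, not from the original page, that produces the same summary directly from an access_log in Apache's common or combined format, so it can be checked on the web node against what Kibana shows. It splits each line on the quote character, because a plain whitespace split misreads the status field whenever the request path contains a space.

```shell
#!/bin/sh
# Added example, not from the original page: per-client status summary of an Apache access_log
# in common/combined format. Default file path is Apache's on CentOS 7.

# apache_client_report [FILE]: one line per client, "CLIENT requests=N 4xx=N 5xx=N", busiest first
apache_client_report() {
  awk '
    {
      client = $1
      split($0, q, "\"")                 # q[2] = request line, q[3] = " status bytes "
      split(q[3], rest, " ")
      status = rest[1]
      req[client]++
      if (status ~ /^4[0-9][0-9]$/) e4[client]++
      if (status ~ /^5[0-9][0-9]$/) e5[client]++
    }
    END {
      for (c in req) printf "%s requests=%d 4xx=%d 5xx=%d\n", c, req[c], e4[c] + 0, e5[c] + 0
    }' "${1:-/var/log/httpd/access_log}" | sort -t= -k2 -rn
}

# noisy_clients [FILE] [MIN4XX]: clients with at least MIN4XX 4xx responses (default 20),
# the usual signature of vhost/path scanning and password guessing; use them as a Kibana filter
noisy_clients() {
  apache_client_report "${1:-/var/log/httpd/access_log}" | awk -v min="${2:-20}" '
    { split($3, kv, "="); if (kv[2] + 0 >= min) print $1 }'
}
```

Run `noisy_clients` with a lower threshold on a quiet lab box; on a busy site the default of 20 keeps ordinary 404 noise out of the list.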
7. Install the Zabbix server to monitor the LVS and web servers
Configure the addresses: ens33 on the public network and ens36 on the intranet. The broadcast address for 202.202.2.0/24 is 202.202.2.255, and 202.202.2.3 collides with web-01 (see the note under the allocation table):
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 202.202.2.3 netmask 255.255.255.0 broadcast 202.202.2.255
inet6 fe80::20c:29ff:fec4:811 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:c4:08:11 txqueuelen 1000 (Ethernet)
RX packets 1745 bytes 254881 (248.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1058 bytes 135790 (132.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.6 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::20c:29ff:fec4:811 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:c4:08:11 txqueuelen 1000 (Ethernet)
RX packets 1745 bytes 254881 (248.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1058 bytes 135790 (132.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Install the MariaDB database and set the root password (enable mariadb as well so it comes back after a reboot):
[root@localhost ~]# yum -y install mariadb mariadb-server
[root@localhost ~]# systemctl start mariadb
[root@localhost ~]# mysqladmin -u root password "123456"
Install Zabbix:
[root@localhost ~]# yum install -y zabbix-server-mysql zabbix-web-mysql zabbix-agent
After installing Zabbix, create its database and a dedicated account with rights on that database only, so the server and web front end never run as the MariaDB root user. 123456 is a lab placeholder: use real passwords, and run mysql_secure_installation to remove the anonymous accounts and the test database.
[root@localhost ~]# mysql -u root -p
Enter password:
MariaDB [(none)]> create database zabbix character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@localhost identified by '123456';
Query OK, 0 rows affected (0.00 sec)
Import the database schema (the path carries the installed zabbix-server-mysql version):
[root@localhost ~]# zcat /usr/share/doc/zabbix-server-mysql-3.4.1/create.sql.gz | mysql -uzabbix -p zabbix
Enter password:
Set the database password in the server configuration:
[root@localhost ~]# vim /etc/zabbix/zabbix_server.conf
DBPassword=123456
Start the Zabbix services:
[root@localhost ~]# systemctl start zabbix-server.service
[root@localhost ~]# systemctl start zabbix-agent.service #the server's own local agent
[root@localhost ~]# systemctl enable zabbix-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/zabbix-server.service to /usr/lib/systemd/system/zabbix-server.service.
Configure the Zabbix web front end:
[root@localhost ~]# vim /etc/httpd/conf.d/zabbix.conf
php_value date.timezone Asia/Shanghai
[root@localhost ~]# systemctl start httpd
Open http://192.168.3.6/zabbix/setup.php in a browser and run the installer. With the firewall on, this host needs 80/tcp for the UI and 10051/tcp for the agents' active checks, restricted to the monitored nodes.
8. Install the Zabbix agent on the LVS and web servers
Add the monitored hosts to Zabbix:
[root@localhost ~]# yum -y install zabbix-agent
Edit the agent configuration /etc/zabbix/zabbix_agentd.conf. Server lists the addresses allowed to query this agent (passive checks) and ServerActive is where the agent delivers active checks; point both at the Zabbix server. On the web nodes that is its intranet address 192.168.3.6, shown below; the LVS nodes have no intranet NIC and must use the Zabbix server's public-side address instead. Hostname must match the name entered in the web UI exactly (Web-01 here, LVS-01 on the directors):
[root@localhost ~]# vim /etc/zabbix/zabbix_agentd.conf
Server=192.168.3.6
ServerActive=192.168.3.6
Hostname=Web-01
Start the agent. It listens on port 10050; with the firewall on, open that port, and only to the Zabbix server:
[root@localhost ~]# systemctl start zabbix-agent.service
[root@localhost ~]# netstat -anpt | grep "agent"
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 14766/zabbix_agentd
tcp6 0 0 :::10050 :::* LISTEN 14766/zabbix_agentd
On the Zabbix server go to Configuration -> Hosts -> Create host and add a host named "LVS-01" in the group "Linux LVS".
Repeat for "Web-01" in the group "Linux Web", and likewise for the second node of each pair.
9. Manage the LVS and web clusters from the Zabbix server over SSH
Create the key pair on the Zabbix server. This private key will open a root shell on every public-facing node, which makes the Zabbix host the most valuable target in the environment: protect the key with a passphrase and load it into ssh-agent for the session rather than leaving it unprotected on disk.
[root@localhost ~]# ssh-keygen -t rsa #generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #where the key pair is stored
Created directory '/root/.ssh'.
#enter a passphrase for the private key; pressing Enter leaves it unprotected
Enter passphrase (empty for no passphrase):
Enter same passphrase again: #enter it once more
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bb:9a:1a:a0:f4:46:e8:cd:57:94:61:27:1a:79:19:7d root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| ..=+. |
| .+o=. E |
| ..o . |
| . . |
| o.. .S |
|o.=. . . |
|.. =.. . |
| . .. . . |
| ..o.. |
+-----------------+
Copy the public key to the LVS and web nodes for passwordless login (the captures show the two directors; repeat for both web nodes). ssh-copy-id uses the root password once. Answering yes to the host-key prompt is trust on first use: compare the fingerprint with the one on the target's console (ssh-keygen -lf against its host key) before accepting it.
[root@localhost ~]# ssh-copy-id root@202.202.2.1 #copy the public key to 202.202.2.1
The authenticity of host '202.202.2.1 (202.202.2.1)' can't be established.
ECDSA key fingerprint is 78:fe:b4:ad:7d:20:29:d4:e4:33:f8:f8:9e:a1:37:c7.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@202.202.2.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@202.202.2.1'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]# ssh-copy-id root@202.202.2.2 #copy the public key to 202.202.2.2
The authenticity of host '202.202.2.2 (202.202.2.2)' can't be established.
ECDSA key fingerprint is 92:38:19:c6:28:50:1b:f5:60:5f:04:54:8d:2c:27:81.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@202.202.2.2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@202.202.2.2'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]# ssh 202.202.2.1 #passwordless login to 202.202.2.1
Last login: Fri Sep 9 13:36:18 2022 from 192.168.2.88
[root@localhost ~]# exit #leave 202.202.2.1
logout
Connection to 202.202.2.1 closed.
[root@localhost ~]# ssh 202.202.2.2 #passwordless login to 202.202.2.2
Last login: Fri Sep 9 13:36:43 2022 from 192.168.2.88
[root@localhost ~]# exit #leave 202.202.2.2
logout
Connection to 202.202.2.2 closed.
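A bare ssh-copy-id installs a key that works from anywhere and can be used for port forwarding, and the nodes keep accepting root passwords next to it. The script below is an added example, not from the original page, that installs the same key with source and capability restrictions in authorized_keys and then audits each node's sshd_config for the two settings that should change once key login works (PermitRootLogin prohibit-password, PasswordAuthentication no). MGMT_SRC, the address the Zabbix host connects from, is an assumption (its public-side address, which must be changed from 202.202.2.3 per the note above); the key file contents in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: restricted key installation and sshd_config audit
# for the management key. MGMT_SRC is an assumption; adjust it to the Zabbix host's address.
MGMT_SRC="${MGMT_SRC:-202.202.2.3}"

# restricted_key_line PUBKEY_FILE [SRC]: authorized_keys line that is only accepted when the
# client connects from SRC and cannot be used for port, agent or X11 forwarding
restricted_key_line() {
  keyfile="$1"; src="${2:-$MGMT_SRC}"
  read -r ktype kdata kcomment < "$keyfile"
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s%s\n' \
    "$src" "$ktype" "$kdata" "${kcomment:+ $kcomment}"
}

# install_restricted_key HOST PUBKEY_FILE: append the restricted line on HOST (uses the
# existing password login once, like ssh-copy-id does)
install_restricted_key() {
  restricted_key_line "$2" | ssh "root@$1" \
    'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
}

# audit_sshd_config [FILE]: exit 0 when root login is key-only and password auth is off,
# otherwise print what to change and exit 1. Commented-out directives are ignored; an
# unset directive is reported as "default" because the effective value should be explicit.
audit_sshd_config() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "permitrootlogin"        { prl = tolower($2) }
    tolower($1) == "passwordauthentication" { pa  = tolower($2) }
    END {
      ok = 1
      if (prl != "prohibit-password" && prl != "without-password") {
        print "PermitRootLogin should be prohibit-password (is: " (prl ? prl : "default") ")"; ok = 0
      }
      if (pa != "no") {
        print "PasswordAuthentication should be no (is: " (pa ? pa : "default") ")"; ok = 0
      }
      exit ok ? 0 : 1
    }' "${1:-/etc/ssh/sshd_config}"
}

# usage from the Zabbix host (not run here):
#   install_restricted_key 202.202.2.1 ~/.ssh/id_rsa.pub
#   ssh 202.202.2.1 'cat /etc/ssh/sshd_config' > /tmp/lvs1.sshd && audit_sshd_config /tmp/lvs1.sshd
```

Only turn PasswordAuthentication off after confirming the key login works from MGMT_SRC, and keep console access to the VMs as the fallback.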
All configuration is now complete!!!