实验环境
实验环境中lvs主机的环境搭建
调度器lVS的搭建和服务器RS的搭建
两台服务器RS网卡选择相同都是仅主机模式
具体配置
配置lvs主机IP
先写一个脚本以方便后续配置环境中使用 这是在配置过程中的vmset.sh
#!/bin/bash
rm -fr /etc/NetworkManager/system-connections/$1.nmconnection
cat > /etc/NetworkManager/system-connections/$1.nmconnection <<EOF
[connection]
id=$1
type=ethernet
interface-name=$1
[ipv4]
address1=$2/24,172.25.254.2
method=manual
dns=114.114.114.114;
EOF
chmod 600 /etc/NetworkManager/system-connections/$1.nmconnection
nmcli connection reload
nmcli connection up $1
hostnamectl hostname $3
cat > /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
$2 $3
EOF
配置网卡nat模式的IP为172.25.254.100并改主机名为lvs
vmset.sh eth0 172.25.254.100 lvs.timing.org
配置网卡仅主机模式的IP为192.168.0.100并改主机名为lvs
vmset.sh eth1 192.168.0.100 lvs.timing.org
配置完成后需要重启网卡
nmcli connection reload
nmcli connection up eth0
nmcli connection up eth1
client:查看网卡IP和路由
[root@client system-connections]# cat ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
#IP和网关
address1=172.25.254.200/24,172.25.254.100
method=manual
dns=114.114.114.114;
#查看路由
[root@client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.25.254.100 0.0.0.0 UG 100 0 0 ens160
172.25.254.0 0.0.0.0 255.255.255.0 U 100 0 0 ens160
router:查看网卡IP,并配置路由内核功能net.ipv4.ip_forward = 1
[root@router system-connections]# cat ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=172.25.254.100/24,172.25.254.2
method=manual
dns=114.114.114.114;
[root@router system-connections]# cat ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.100/24
method=manual
#路由内核功能添加net.ipv4.ip_forward = 1
[root@router ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
lvs:查看网卡IP和路由
[root@lvs system-connections]# cat ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.50/24,192.168.0.100
method=manual
dns=114.114.114.114;
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 ens224
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
web1:查看网卡IP和路由
[root@web1 system-connections]# cat ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.10/24,192.168.0.100
method=manual
dns=114.114.114.114;
[root@web1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 ens224
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
web2:查看网卡IP和路由
[root@web2 system-connections]# cat ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.20/24,192.168.0.100
method=manual
dns=114.114.114.114;
[root@web1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 ens224
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
2、下载需要的服务,并启动
(1)在lvs上面下载 ipvsadm
#下载服务
[root@lvs ~]#yum install ipvsadm -y
[root@lvs ~]# systemctl enable --now ipvsadm.service
(2)在web1,web2上安装配置httpd服务
#web1上面,
[root@web1 ~]#dnf install httpd -y
[root@web1 ~]# echo web1 10 > /var/www/html/index.html
[root@web1 ~]# systemctl enable --now httpd
#web2上面,
[root@web2 ~]#dnf install httpd -y
[root@web2 ~]# echo web2 20 > /var/www/html/index.html
[root@web2 ~]# systemctl enable --now httpd
3、设置VIP,并解决vip响应问题
先在lvs,web1,web2上设置环回网卡的虚拟IP(vip)
[root@lvs ~]# ip a a 192.168.0.200/32 dev lo
[root@web1 ~]# ip a a 192.168.0.200/32 dev lo
[root@web2 ~]# ip a a 192.168.0.200/32 dev lo
[root@lvs ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.0.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
配置arp限制来解决VIP响应的问题:
在web1和web2中解决响应问题
[root@web1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@web1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@web1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@web1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@web2 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@web2 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@web2 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@web2 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
3、在lvs上配置ipvsadm策略负载均衡—直连路由
在lvs中配置策略
[root@lvs ~]# ipvsadm -A -t 192.168.0.200:80 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.0.200:80 -r 192.168.0.10:80 -g -w 1
[root@lvs ~]# ipvsadm -a -t 192.168.0.200:80 -r 192.168.0.20:80 -g -w 1
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 rr
-> 192.168.0.10:80 Route 1 0 0
-> 192.168.0.20:80 Route 1 0 0
在client上进行测试,,以下就是我们测试成功的页面,但是不能具体看到其mac地址的变化,具体我们可以是使用wireshark进行抓包分析。并且通过抓包可以看出全程源目IP并没有发生变化,只有mac地址在不断变化,mac地址都是通过路由器进行转发。
防火墙标签解决轮询错误
以http和https为例,当我们在RS中同时开放80和443端口,那么默认控制是分开轮询的,这样我们就出现了一个轮询错乱的问题当我第一次访问80被轮询到RS1,然后下次访问443仍然可能还被轮询到RS1上。这样我们设置的轮询就没有作用了,为了解决这个问题我们可以使用防火墙标签来解决,将80和443端口一起合并为一个服务来进行轮询。
1、出现的错误
实验环境就用上面lvs的dr模式的5个Linux虚拟机,只需要在web1,web2上添加配置https,并在lvs上面添加443端口的策略。
1、web1,web2安装mod_ssl,配置https服务
#安装
[root@web1 ~]# dnf install mod_ssl -y
[root@web2 ~]# dnf install mod_ssl -y
#重启查看服务
[root@web1 ~]# systemctl restart httpd
[root@web1 ~]# netstat -lntup | grep httpd
tcp6 0 0 :::443 :::* LISTEN 3202/httpd
tcp6 0 0 :::80 :::* LISTEN 3202/httpd
#重启查看服务
[root@web2 ~]# systemctl restart httpd
[root@web2 ~]# netstat -lntup | grep httpd
tcp6 0 0 :::443 :::* LISTEN 3261/httpd
tcp6 0 0 :::80 :::* LISTEN 3261/httpd
2、添加ipvsadm的443端口策略,
#添加443端口的策略,80我们在上面已经写过了这里就可以直接使用
[root@lvs ~]# ipvsadm -A -t 192.168.0.200:443 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.10:443 -g -w 1
[root@lvs ~]# ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.20:443 -g -w 1
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 rr
-> 192.168.0.10:80 Route 1 0 0
-> 192.168.0.20:80 Route 2 0 0
TCP 192.168.0.200:443 rr
-> 192.168.0.10:443 Route 1 0 0
-> 192.168.0.20:443 Route 1 0 0
3、测试查看,就出现了问题,我们的轮询就没有起到作用。
#使用 -k访问https,可以忽略加密
[root@client ~]# curl 192.168.0.200;curl -k https://192.168.0.200
web2 20
web2 20
[root@client ~]# curl 192.168.0.200;curl -k https://192.168.0.200
web2 20
web2 20
2、使用防火墙标记来解决
主要是在lvs调度器上配置,让80和443成为一个整体。
语法:
iptables -t mangle -A PREROUTING -d $vip -p $proto -m multiport --dports
p o r t l , portl , portl,port2 ,… -i MARK --set-mark NUMBER
我们可以先查看一下 mangle表的规则如下:
[root@lvs ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
添加一条防火墙标记规则:
#443和80一起,MARK target 可用于给特定的报文打标记,--set-mark value
[root@lvs ~]# iptables -t mangle -A PREROUTING -d 192.168.0.200 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 66
[root@lvs ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK tcp -- 0.0.0.0/0 192.168.0.200 multiport dports 80,443 MARK set 0x42
最后在修改ipvsadm策略,使用该标记策略:
#清空之前的
[root@lvs ~]# ipvsadm -C
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
#添加新的
[root@lvs ~]# ipvsadm -A -f 66 -s rr
[root@lvs ~]# ipvsadm -a -f 66 -r 192.168.0.10 -g
[root@lvs ~]# ipvsadm -a -f 66 -r 192.168.0.20 -g
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 66 rr
-> 192.168.0.10:0 Route 1 0 0
-> 192.168.0.20:0 Route 1 0 0
测试,然后我们现在就解决了轮询的问题了。