Special note: this content is taken from the book 《跟老男孩学Linux:Web集群实战》 (Learning Linux with Old Boy: Web Clusters in Practice).
Nginx load balancer high-availability logic diagram
Hardware and software preparation
1. Hardware preparation
Prepare four virtual machines: two as load balancers (the Keepalived servers) and two as real servers (RS).
HOSTNAME | IP | Description |
---|---|---|
lb01 | 192.168.55.7 | Nginx primary load balancer (Keepalived master) |
lb02 | 192.168.55.8 | Nginx secondary load balancer (Keepalived backup) |
web01 | 192.168.55.9 | web01 server |
web02 | 192.168.55.10 | web02 server |
2. Software preparation
OS: CentOS 7
Nginx: Nginx-1.13.1, compiled from source, installed under /application/nginx
Keepalived: 1.3.5, installed with yum
3. Nginx configuration
The Nginx load-balancing setup on the primary load balancer lb01 and on the backup load balancer lb02 is identical.
Reference: Nginx反向代理-1-实践简单的负载均衡 (Nginx reverse proxy, part 1: a simple load-balancing exercise) [DB/OL]. https://blog.csdn.net/zhou16333/article/details/98094467
Configure Nginx load balancing on lb01 and lb02
Nginx configuration for lb01 and lb02
```nginx
vim /application/nginx/conf/nginx.conf

worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      off;
    keepalive_timeout 65;
    upstream www_server_pools {
        server 192.168.55.9:80  weight=1;
        server 192.168.55.10:80 weight=1;
    }
    server {
        listen      192.168.55.12:80;
        server_name www.etiantian.org;
        location / {
            proxy_pass http://www_server_pools;
            include    proxy.conf;
        }
    }
}
```
```nginx
vim /application/nginx/conf/proxy.conf

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
```
Note: this configuration only proxies the domain www.etiantian.org.
Configure the Keepalived service on lb01 and lb02
For installing Keepalived with yum and the related configuration, see:
Reference: Keepalived高可用服务实例 (A Keepalived high-availability service example) [DB/OL]. https://blog.csdn.net/zhou16333/article/details/98179341
Note: a single-instance setup is used here to explain the configuration.
The single-instance master node configuration of Keepalived on lb01 is as follows:
```conf
[root@lb01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        123@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lb01
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
}
```
Note: the VIP is 192.168.55.12; in operation, www.etiantian.org, the domain proxied by the Nginx load balancer, must resolve to this VIP.
The single-instance backup node configuration of Keepalived on lb02 is as follows:
```conf
[root@lb02 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        1633307645@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lb02
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth1
    virtual_router_id 55
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
}
```
Client access preparation and simulating real access
1) In the client's hosts file, resolve the domain www.etiantian.org to the VIP 192.168.55.12; in production this is done through DNS.
2) Configure the Nginx load-balancing service on both servers and make sure the proxied web nodes behind them can be reached for testing.
Failing the IP over when the Nginx reverse proxy service goes down
By default, Keepalived only takes over when the peer machine goes down or its Keepalived process is stopped. In real work, however, the business service can stop while Keepalived keeps running, so the VIP that users reach no longer has a service behind it. How, then, can a failure of the business service make the IP float to the backup node so that it takes over and keeps serving?
Method 1: handle it with a daemon script
When the Nginx service has a problem, stop the local Keepalived service so that the IP floats to the peer, which continues serving. An example script as deployed and developed in real work:
```bash
[root@lb01 script]# cat /server/script/check_nginx.sh
#!/bin/bash
# Poll every 5 seconds; if Nginx is no longer listening, stop Keepalived so the
# local VIP is released and the backup node takes it over.
while true
do
    if [ `netstat -lntup|grep nginx|wc -l` -ne 1 ]; then
        systemctl stop keepalived
    fi
    sleep 5
done
```
The basic idea of this script: if no port 80 listener exists, stop the Keepalived service to release the local VIP.
Run the script in the background and check it:
```
[root@lb01 script]# /bin/bash /server/script/check_nginx.sh &
[1] 7536
[root@lb01 script]# ps -ef|grep check_nginx|grep -v grep
root 7536 3527 0 16:48 pts/0 00:00:00 /bin/bash /server/script/check_nginx.sh
```
Confirm that Nginx and Keepalived are running normally:
```
[root@lb01 script]# netstat -lntup|grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3326/nginx: master
[root@lb01 script]# systemctl status keepalived
```
Then simulate the Nginx service dying and see whether the IP switches over:
```
[root@lb01 script]# /application/nginx/sbin/nginx -s stop
[root@lb01 script]# netstat -lntup|grep nginx
[root@lb01 script]# systemctl status keepalived
[root@lb01 ~]# jobs
[1]+ Running /bin/bash /server/script/check_nginx.sh & (wd: /server/script)
[root@lb01 ~]# ps -ef|grep check_nginx|grep -v grep
root 7536 3527 0 16:48 pts/0 00:00:00 /bin/bash /server/script/check_nginx.sh
[root@lb01 ~]# kill -9 7536
[root@lb01 ~]# ps -ef|grep check_nginx|grep -v grep
[1]+ Killed /bin/bash /server/script/check_nginx.sh (wd: /server/script)
(wd now: ~)
```
Note: the jobs command only shows jobs of the current terminal; once that terminal is closed, jobs in another terminal can no longer see the background program, so use ps (the process-listing command) instead.
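The failover test above stops Nginx and looks at netstat, but never shows which node ended up holding the VIP. As an added example (not from the book or the original post), the following reads the `ip -4 addr show eth1` output of both nodes and classifies the result, including the split-brain case where both nodes hold 192.168.55.12; the ssh invocation in the last comment and the interface name eth1 are assumptions taken from the page's configuration.

```shell
#!/bin/sh
# Added example, not from the book or the original post: turn "did the IP
# switch?" into a definite answer by reading "ip -4 addr show eth1" from both
# nodes. Assumes the page's VIP 192.168.55.12; the two listings are passed in
# as text (captured locally or over ssh), so nothing here needs root.

VIP="${VIP:-192.168.55.12}"

# holds_vip LISTING: success if an "inet <VIP>/" address line is present.
# The trailing "/" keeps 192.168.55.12 from matching 192.168.55.120.
holds_vip() {
    printf '%s\n' "$1" | grep -qF "inet $VIP/"
}

# vip_state LB01_LISTING LB02_LISTING: prints who owns the VIP.
#   master : only lb01 holds it (normal state, priority 150 > 100)
#   backup : only lb02 holds it (expected after Nginx on lb01 is stopped)
#   split  : both hold it; lb02 is not receiving lb01's VRRP advertisements
#            (IP protocol 112 filtered between the nodes, or a mismatched
#            virtual_router_id / auth_pass), so clients flap between them
#   none   : nobody holds it; e.g. the check script stopped Keepalived on
#            lb01 but Keepalived on lb02 is not running either
vip_state() {
    m=0; b=0
    if holds_vip "$1"; then m=1; fi
    if holds_vip "$2"; then b=1; fi
    case "$m$b" in
        10) echo master ;;
        01) echo backup ;;
        11) echo split ;;
        *)  echo none ;;
    esac
}

# On the real hosts (ssh access to both nodes is assumed):
#   vip_state "$(ssh lb01 ip -4 addr show eth1)" "$(ssh lb02 ip -4 addr show eth1)"
```

One related check: `listen 192.168.55.12:80;` in the page's nginx.conf can only bind on the node that currently holds the VIP, so Nginx on lb02 fails to start unless `net.ipv4.ip_nonlocal_bind = 1` is set. `listen 80;`, which matches the `0.0.0.0:80` shown in the page's netstat output, avoids the problem.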
Method 2: a Keepalived configuration parameter triggers a pre-written check script
Note: Method 2 only needs to be configured on the Keepalived master server.
First, develop the check script:
```bash
[root@lb01 ~]# vim /server/script/chk_nginx_proxy.sh
#!/bin/bash
# Run by Keepalived's vrrp_script every 2 seconds: if Nginx is not listening,
# stop Keepalived so the VIP floats to lb02.
if [ `netstat -lntup|grep nginx|wc -l` -ne 1 ]; then
    systemctl stop keepalived
fi
```
Modify the Keepalived master server configuration:
```conf
[root@lb01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        123@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lb01
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_script chk_nginx_proxy {
    script "/server/script/chk_nginx_proxy.sh"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
    track_script {
        chk_nginx_proxy
    }
}
```
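The check script above counts netstat lines matching "nginx" and treats anything other than exactly one as a failure, which misfires as soon as there is an IPv6 listener or a second server block. As an added example (not from the book or the original post), the following is a stricter check for use as the vrrp_script; it assumes the proxy listens on port 80 and that `ss` or `netstat` is installed.

```shell
#!/bin/sh
# Added example, not from the book or the original post: a stricter check than
# `netstat -lntup | grep nginx | wc -l` -ne 1, written for use as the vrrp_script.
# Assumptions: the proxy listens on port 80; "ss" or "netstat" is installed.

# count_listeners LISTING PORT: count LISTEN sockets whose local port is PORT in
# ss/netstat style output. The local address is field 4 in both formats and the
# port is the text after the last ":", so 0.0.0.0:80, *:80 and :::80 all match
# while 0.0.0.0:8080 and a stray "nginx" string on some other line do not.
count_listeners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /LISTEN/ { n = split($4, a, ":"); if (a[n] == port) c++ }
        END { print c + 0 }'
}

# nginx_listening LISTING PORT: success when at least one listener exists.
# The page's "-ne 1" also fails when there are two listeners (an extra IPv6
# socket, or a second vhost on the same port); this version tolerates that.
nginx_listening() {
    [ "$(count_listeners "$1" "$2")" -ge 1 ]
}

# http_ok PORT: an open socket is not proof that the proxy answers; ask it.
http_ok() {
    code=$(curl -s -m 3 -o /dev/null -w '%{http_code}' "http://127.0.0.1:$1/") || return 1
    case "$code" in 2*|3*) return 0 ;; *) return 1 ;; esac
}

# Entry point used by Keepalived; gated on an argument so the functions above
# can be sourced into a test without running a real check.
if [ "${1-}" = "check" ]; then
    listing=$(ss -lnt 2>/dev/null || netstat -lnt)
    nginx_listening "$listing" 80 && http_ok 80 && exit 0
    exit 1
fi
```

With `script "/server/script/chk_nginx_proxy.sh check"`, a non-zero exit only moves the VIP if the page's `weight 2` becomes a negative weight larger than the 150/100 priority gap, for example `weight -60` (a positive weight is only added on success, so on failure 150 still beats 100). Keepalived 1.3.5 also refuses to run a track script that non-root users can write, so keep the file root-owned and executable.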
Troubleshooting: the vrrp_script check script does not run
Check 1: is there a problem with the script itself?
Check 2: syntax and placement in keepalived.conf
- there must be a space between the vrrp_script name and `{`, or `{` goes at the start of the next line;
- the vrrp_script block must come before vrrp_instance;
- there must be a space between the track_script name and `{`;
- track_script must come after virtual_ipaddress.
Check 3: SELinux must be turned off
Check the SELinux status:
```
[root@lb01 ~]# getenforce
Enforcing
[root@lb01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
```
Disable temporarily:

```bash
setenforce 0
```

Disable permanently:

```bash
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
```

/etc/selinux/config after the change:

```conf
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
Check the status again:

```
[root@lb01 ~]# getenforce
Permissive
[root@lb01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
```
References
[1] 老男孩. 跟老男孩学Linux:Web集群实战 (Learning Linux with Old Boy: Web Clusters in Practice) [M]. 机械工业出版社 (China Machine Press), 2016-03-01.
[2] Module ngx_http_proxy_module [DB/OL]. http://nginx.org/en/docs/http/ngx_http_proxy_module.html
[3] 初涉CentOS 7,关闭缠人的selinux (First steps with CentOS 7: turning off the nagging SELinux) [DB/OL]. https://blog.51cto.com/hongdouzi555/2073445