西安哪里做网站最大,安徽专业网站建设,wordpress管理主体,2021年4月重大新闻事件摘抄LVS知识点整理及实践 LVSlvs集群概念lvs概念lvs集群类型lvs-nat模型数据逻辑: lvs-DR模式数据传输和过程:特点: lvs-tun模式数据传输过程:特点: lvs-fullnet模式数据传输过程 lvs调度算法lvs调度算法类型lvs静态调度算法lvs动态调度算法4.15版本内核以后新增调度算法 ipvsadm命… LVS知识点整理及实践 LVSlvs集群概念lvs概念lvs集群类型lvs-nat模型数据逻辑: lvs-DR模式数据传输和过程:特点: lvs-tun模式数据传输过程:特点: lvs-fullnet模式数据传输过程 lvs调度算法lvs调度算法类型lvs静态调度算法lvs动态调度算法4.15版本内核以后新增调度算法 ipvsadm命令lvs集群中的增删改 实操实验:lvs-nat模拟实验lvs:webserver1webserver2clent lvs-DR模拟实验解决vip响应问题设备设置:webserver1:webserver2:lvs:route:client: lvs-火墙标记解决调度问题注意: LVS
lvs集群概念
LVS(Linux Virtual Server):负责调度器,内核集成的虚拟服务器,主要用于多服务器的负载均衡,工作于网络层,可以实现高性能,高可用的服务集群技术,可以把许多服务器结合在一起形成一个更高性能的服务器
lvs概念
VSVirtual ServerRSReal ServerCIPClient IPVIPVirtual server IPDIPDirectory IPRIPReal server IP
访问流程: CIP----VIPDIP----RIP
lvs集群类型
集群类型说明lvs-nat修改请求报文的目标ip,多目标IP的DANTlvs-dr操作封装新的MAC地址lvs-tun在原请求IP报文之外新加一个IP首部lvs-fullmat修改请求报文的源和目标ip
lvs-nat模型
本质是多目标IP的DNAT.通过将请求报文中的目标地址和目标端口修改为某挑出的RS和RIP和POST实现转发RIP和DIP应在同意个ip网络,且应使用私网地址,RS的网关要指向DIP请求报文和相应报文都必须经由Director转发,Director易于成为系统瓶颈支持端口映射,可修改请求报文的目标PORTVS必须是linux系统,RS可以是任意OS系统
数据逻辑: 客户端发送访问请求,请求数据包中含有请求来源(CIP),访问目标地址(VIP)访问目标端口(9000port)VS服务器接收到访问请求做DNAT把请求数据包中的目的地由VIP换成RS的RIP和相应端口RS1相应请求,发送相应数据包.包中的相应包为数据来源(RIP1)相应目标(CIP)相应端口(9000port)VS服务器接收到相应数据包,改变包中的数据来源(RIP1–VIP),相应目标端口(9000-80)VS服务器把修改过报文的相应数据包回传给客户端lvs的NAT模式接收和返回客户端数据包时都要经过lvs的调度机,所以lvs的调度机容易阻塞
lvs-DR模式
数据传输和过程: 客户端发送数据帧给vs调度主机帧中内容为客户端IP客户端的MACVIPVIP的MACVS调度主机接受到数据帧后把帧中的VIP的MAC改为了RS1中的MAC,此时帧中的数据为客户端IP客户端的MACVIPRS1的MACRS1得到2中的数据包做出响应回传数据包,数据包中的内容为VIPRS1的MAC客户端IP客户端IP的MAC
特点: Directory和各RS都配置有VIP 确保前端路由器将目标IP为VIP的请求报文发往Director 在全段网关做静态帮定VIP和Directory的MAC地址 在RS上使用arptables工具 arptables -A IN -d $VIP -j DROP
arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP在RS上修改内核参数以限制arp通告及应答级别 /proc/sys/net/ipv4/conf/all/arp_ignore
/proc/sys/net/ipv4/conf/all/arp_announceRS的RIP可以使用私网地址,也可以是公网地址,RIP与DIP在同一IP网络 RIP的网关不能指向DIP,以确保响应报文不会经由Director RS的Director要在同一网络 请求报文要经由Director,但响应报文不经由Director,而由RS直接发往Client 不支持端口映射(端口不能修改) RS可适用大多数OS系统
lvs-tun模式
转发方式不修改请求报文的IP首部源IP为CIP目标IP为VIP而在原IP报文之外再封装一个IP首部 源IP是DIP目标IP是RIP将报文发往挑选出的目标RSRS直接响应给客户端源IP是VIP目标IP 是CIP
数据传输过程: 客户端发送请求数据包包内有源IPvipdport到达vs调度器后对客户端发送过来的数据包重新封装添加IP报文头新添加的IP报文头中包含 TUNSRCIP(DIP)TUNDESTIP(RSIP1)并发送到RS1RS收到VS调度器发送过来的数据包做出响应生成的响应报文中包含SRCIP(VIP)DSTIPCIP port响应数据包通过网络直接回传给client
特点:
DIP, VIP, RIP都应该是公网地址RS的网关一般不能指向DIP请求报文要经由Director但响应不能经由Director不支持端口映射RS的OS须支持隧道功能
lvs-fullnet模式
数据传输过程 fullnat通过同时修改请求报文的源IP地址和目标IP地址进行转发
CIP -- DIP
VIP -- RIP
VIP是公网地址RIP和DIP是私网地址且通常不在同一IP网络因此RIP的网关一般不会指向DIPRS收到的请求报文源地址是DIP因此只需响应给DIP但Director还要将其发往Client请求和响应报文都经由Director支持端口映射
注意: 此类型kernel默认不支持
lvs调度算法
lvs调度算法类型
ipvs scheduler:根据其调度时是否考虑各RS当前的负载均衡状态被分为两种:静态方法和动态方法
静态方法:仅根据算法本身进行调度,不考虑RS的负载情况
动态方法:主要根据每RS当前的负载状态及调度算法进行调度Overheadvalue较小的RS将被调度
lvs静态调度算法
RR:roundrobin轮询,RS分别被调用,当RS配置有差别时不推荐WRR:Weighted RR,加权轮询根据RS的配置进行加权调度,性能差的RS被调度的次数少SH:Source Hashing,实现session sticky,源地址hash;将来自于同一个IP地址的请求始终发往第一次挑中的RS,从而实现会话绑定DH:Destination Hashing,目标地址hash,第一次轮询调整度至RS,后续将发往同一个目标地址的请求始终发至第一次挑中的RS,典型使用场景是正向代理缓存场景中的负载均衡,如:宽带运营商
lvs动态调度算法
主要是根据当前的负载状态及调度算法进行调度Overheadvalue较小的RS会被调度
LC:最少连接(least connection) 适用于长连接应用:负载值(Overhead)活动链接数(activeconns)x256非活动链接数(inactiveconns) WLC:权重最少连接(Weighted LC) 初始链接高权重优先Overhead(activeconns1inactiveconns)x256/weight但是,当node1的权重为1,node2的权重为10,经过运算前几次调度都会被node2承接 SED:最短期望延迟(Shortest Expection Delay)NQ:第一轮询均匀分配,后续SED(Never Queue)LBLC:(Lacality-Based LC)动态的DH算法,使用场景:根据负载状态实现正向代理LBLCR:(LBLC with Replication)带复制功能的LBLC,解决LBLC负载不均衡的问题,从负载重的复制到负载轻的RS
4.15版本内核以后新增调度算法
FO(Weighted Fai Over)调度算法常用作灰度发布 在此FO算法中遍历虚拟服务所关联的真实服务器链表找到还未过载(未设置IP_VS_DEST_F OVERLOAD标志)的且权重最高的真实服务器进行调度当服务器承接大量链接我们可以对此服务器进行过载标记IP_VS_DEST_F OVERLOAD那么vs调度 器就不会把链接调度到有过载标记的主机中。 OVF(Overflow-connection)调度算法:基于真实服务器的活动连接数量和权重值实现。将新连接调度到权重值最高的真实服务器直到其活动 连接数量超过权重值之后调度到下一个权重值最高的真实服务器,在此OVF算法中遍历虚拟服务相关 联的真实服务器链表找到权重值最高的可用真实服务器。一个可用的真实服务器需要同时满足以下条 件: 未过载(未设置IP_VS_DEST_F OVERLOAD标志)真实服务器当前的活动连接数量小于其权重值其权重值不为零
ipvsadm命令
核心功能:
集群服务管理:增删改集群服务的RS管理:增删改
lvs集群中的增删改
1.管理集群服务中的增删改
ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]]
选项说明-A添加-E修改-ttcp服务-uudp服务-s指定调度算法默认为WLC-p设置持久连接超时,持久连接可以理解为在同一个时间段同一个来源的请求调度到同一个Reslserver-ffirewall mask火墙标记,是一个数字
2.管理集群中ReslServer的增删改查
ipvsadm -a|e -t|u|f service-address -r reslserver-address [-g|i|m] [-w weight]
选项说明-a添加realserver-e更改realserver-ttcp协议-uudp协议-f火墙标记-rrealserver地址-g直连路由模式-iipip隧道模式-mnat模式-w设定权重-Z清空计数器-C清空lvs策略-L查看lvs策略-n–rate输出速率信息
实操实验:
lvs-nat模拟实验
环境:
lvs:
网卡:
eth0:nat模式 vip:172.25.254.100/24
eth1:仅主机 ip:192.168.0.100/24
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
address1172.25.254.100/24,172.25.254.2
methodmanual
dns114.114.114.114
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth1.nmconnection
[connection]
ideth1
typeethernet
interface-nameeth1[ipv4]
address1192.168.0.100/24
methodmanual
[rootlocalhost ~]# nmcli connection reload
[rootlocalhost ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[rootlocalhost ~]# nmcli connection up eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
[rootlocalhost ~]#
#查看内核路由功能是否打开
[rootlocalhost ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward 0
net.ipv4.ip_forward_update_priority 1
net.ipv4.ip_forward_use_pmtu 0
[rootlocalhost ~]#
#打开内核路由功能
[rootlocalhost ~]# vim /etc/sysctl.conf
[rootlocalhost ~]# cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward1
[rootlocalhost ~]#
#使设置生效
[rootlocalhost ~]# sysctl -p
net.ipv4.ip_forward 1
#关闭防火墙和SELinux
[rootlocalhost ~]# systemctl stop firewalld
[rootlocalhost ~]# setenforce 0
[rootlocalhost ~]#
#安装ipvs软件ipvsadm
[rootlocalhost ~]# dnf install ipvsadm -y
#加入调度策略
#增加虚拟服务器这里没有加入权重,如果需要加入权重则需要使用wrr
[rootlocalhost ~]# ipvsadm -A -t 172.25.254.100:80 -s rr
#添加调度策略
[rootlocalhost ~]# ipvsadm -a -t 172.25.254.100:80 -r 192.168.0.10 -m
[rootlocalhost ~]# ipvsadm -a -t 172.25.254.100:80 -r 192.168.0.20 -m
[rootlocalhost ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size4096)
Prot LocalAddress:Port Scheduler Flags- RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.25.254.100:80 rr- 192.168.0.10:80 Masq 1 0 0 - 192.168.0.20:80 Masq 1 0 0
[rootlocalhost ~]#
#保存ipvsadm策略
[rootlocalhost ~]# ipvsadm -Sn /etc/sysconfig/ipvsadm-config
[rootlocalhost ~]# cat /etc/sysconfig/ipvsadm-config
-A -t 192.168.0.200:80 -s rr
-a -t 192.168.0.200:80 -r 192.168.0.10:80 -g
-a -t 192.168.0.200:80 -r 192.168.0.20:80 -g webserver1
网卡:
eth0:仅主机 192.168.0.10 网关:192.168.0.100
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
methodmanual
address192.168.0.10/24,192.168.0.100
dns1114.114.114.114
#重启网卡
[rootlocalhost ~]# nmcli connection reload
[rootlocalhost ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
#查看路由
[rootlocalhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
#查看路由
[rootlocalhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.25.254.2 0.0.0.0 UG 102 0 0 eth0
172.25.254.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 103 0 0 eth1
[rootlocalhost ~]#
#下载web服务编辑配置文件以供验证
[rootlocalhost ~]# dnf install httpd -y
[rootlocalhost ~]# echo webserver1:192.168.0.10 /var/www/html/index.html
[rootlocalhost ~]# cat /var/www/html/index.html
webserver1:192.168.0.10
#重启httpd服务关闭防火墙和SELinux,之后可以在client中使用curlip测试能否访问
[rootlocalhost ~]# systemctl restart httpd
[rootlocalhost ~]# systemctl stop firewalld
[rootlocalhost ~]# setenforce 0
[rootlocalhost ~]# webserver2
eth0:仅主机 192.168.0.20 网关:192.168.0.100
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
methodmanual
address192.168.0.20/24,192.168.0.100
dns114.114.114.114
#重启网卡
[rootlocalhost ~]# nmcli connection reload
[rootlocalhost ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
#查看路由
[rootlocalhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[rootlocalhost ~]#
#下载web服务编辑配置文件以供验证
[rootlocalhost ~]# dnf install httpd -y
[rootlocalhost ~]# echo webserver2:192.168.0.20 /var/www/html/index.html
[rootlocalhost ~]# cat /var/www/html/index.html
webserver2:192.168.0.20
#重启httpd服务关闭防火墙和SELinux
[rootlocalhost ~]# systemctl restart httpd
[rootlocalhost ~]# systemctl stop firewalld
[rootlocalhost ~]# setenforce 0
[rootlocalhost ~]# clent
网卡: etho NAT模式 172.25.254.200/24
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
address1172.25.254.200/24,172.25.254.100
methodmanual
[rootlocalhost ~]#
#在server1和server2设置完httpd后的测试,lva并没有加入ipvsadm
[rootlocalhost ~]# curl 192.168.0.10
webserver1:192.168.0.10
[rootlocalhost ~]# curl 192.168.0.20
webserver2:192.168.0.20
[rootlocalhost ~]#
#在lvs中计入ipvs后的测试
[rootlocalhost ~]# for i in {1..10}docurl 172.25.254.100done
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver1:192.168.0.10
webserver2:192.168.0.20
[rootlocalhost ~]# lvs-DR模拟实验
解决vip响应问题
在DR模型上各主机上均需要配置VIP,解决地址冲突的方式有三种:
(1),在前端网关做静态绑定
(2),在各rs使用arptables
(3),在各RS修改内核参数,来限制arp响应的通告的级别
限制响级别:arp_ignore
0:默认值:表示可使用本地任意接口上配置的任意地址进行响应1:仅在请求的目标IP配置在本地主机的接受的请求报文的接口上时,才给予响应
限制通告级别:
0:默认值:把本机所有接口的所有信息向每个接口的网络进行通告1:尽量避免将接口信息向非直接连接网络进行通告2:必须避免将接口信息向非本网络进行通告
设备设置:
这里的web服务和lvs-nat模式的web服务一样,关闭了防火墙和SELinux
webserver1:
eth0:仅主机 192.168.0.10 网关:192.168.0.100
lo:充当vip 192.168.0.200/32
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
methodmanual
address192.168.0.10/24,192.168.0.100
dns1114.114.114.114
#添加vip也可以添加到其他网卡中
[rootwebserver1 ~]# ip a a 192.168.0.200/32 dev lo
#重启网卡
[rootlocalhost ~]# nmcli connection reload
[rootwebserver1 ~]# nmcli connection up lo
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[rootlocalhost ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[rootwebserver1 ~]# ip a
1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet 192.168.0.200/32 scope global lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:fb:af:a1 brd ff:ff:ff:ff:ff:ffaltname enp3s0altname ens160inet 192.168.0.10/24 brd 192.168.0.255 scope global noprefixroute eth0valid_lft forever preferred_lft foreverinet6 fe80::131d:4d9:4af3:d18d/64 scope link noprefixroute valid_lft forever preferred_lft forever
#查看路由
[rootlocalhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
#配置vip不对外响应
[rootwebserver1 ~]# echo 1 /proc/sys/net/ipv4/conf/all/arp_ignore
[rootwebserver1 ~]# echo 2 /proc/sys/net/ipv4/conf/all/arp_announce
[rootwebserver1 ~]# echo 2 /proc/sys/net/ipv4/conf/lo/arp_announce
[rootwebserver1 ~]# echo 1 /proc/sys/net/ipv4/conf/lo/arp_ignore
#配置http服务和关闭SELinux参考lvs-nat实验webserver2:
eth0:仅主机 192.168.0.20 网关:192.168.0.100
lo:充当vip 192.168.0.200/32
[rootlocalhost ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
methodmanual
address192.168.0.20/24,192.168.0.100
dns114.114.114.114
#添加vip也可以添加到其他网卡中
[rootwebserver2 ~]# ip a a 192.168.0.200/32 dev lo
#重启网卡
[rootlocalhost ~]# nmcli connection reload
[rootwebserver2 ~]# nmcli connection up lo
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[rootlocalhost ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[rootwebserver2 ~]# ip a
1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet 192.168.0.200/32 scope global lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:c9:3d:50 brd ff:ff:ff:ff:ff:ffaltname enp3s0altname ens160inet 192.168.0.20/24 brd 192.168.0.255 scope global noprefixroute eth0valid_lft forever preferred_lft foreverinet6 fe80::fa32:faf:d238:9326/64 scope link noprefixroute valid_lft forever preferred_lft forever
#查看路由
[rootlocalhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
#配置vip不对外响应
[rootwebserver2 ~]# echo 1 /proc/sys/net/ipv4/conf/all/arp_ignore
[rootwebserver2 ~]# echo 2 /proc/sys/net/ipv4/conf/all/arp_announce
[rootwebserver2 ~]# echo 2 /proc/sys/net/ipv4/conf/lo/arp_announce
[rootwebserver2 ~]# echo 1 /proc/sys/net/ipv4/conf/lo/arp_ignore
#配置http服务和关闭SELinux参考lvs-nat实验lvs:
eth0:仅主机 192.168.0.50/24 gateway:192.168.0.100
lo:充当vip 192.168.0.200/32
#设置ip
[rootlvs ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
address192.168.0.50/24,192.168.0.100
methodmanual
#添加vip也可以添加到其他网卡中
[rootlvs ~]# ip a a 192.168.0.200/32 dev lo
#重启网卡
[rootlocalhost ~]# nmcli connection reload
[rootlvs ~]# nmcli connection up lo
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
[rootlocalhost ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[rootlvs ~]# ip a
1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet 192.168.0.200/32 scope global lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:fd:a6:ea brd ff:ff:ff:ff:ff:ffaltname enp3s0altname ens160inet 192.168.0.50/24 brd 192.168.0.255 scope global noprefixroute eth0valid_lft forever preferred_lft foreverinet6 fe80::bbb1:4d5d:560:2123/64 scope link noprefixroute valid_lft forever preferred_lft forever
[rootlvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
#加入ipvsadm调度策略
[rootlvs ~]# ipvsadm -A -t 192.168.0.200:80 -s wrr
[rootlvs ~]# ipvsadm -a -t 192.168.0.200:80 -r 192.168.0.10:80 -g -w 1
[rootlvs ~]# ipvsadm -a -t 192.168.0.200:80 -r 192.168.0.20:80 -g -w 2
[rootlvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size4096)
Prot LocalAddress:Port Scheduler Flags- RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 wrr- 192.168.0.10:80 Route 1 0 0 - 192.168.0.20:80 Route 2 0 0
[rootlvs ~]# route:
eth0: NAT模式 172.25.254.100 gateway:172.25.254.2
eth1:仅主机模式 192.168.0.100
#配置网卡内容
[rootrouter ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
address1172.25.254.100/24,172.25.254.2
methodmanual
dns114.114.114.114
[rootrouter ~]# cat /etc/NetworkManager/system-connections/eth1.nmconnection
[connection]
ideth1
typeethernet
interface-nameeth1[ipv4]
address1192.168.0.100/24
methodmanual
#重启网卡
[rootrouter ~]# nmcli connection reload
[rootrouter ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[rootrouter ~]# nmcli connection up eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
#查看网络信息
[rootrouter ~]# ip a
1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:d0:65:d2 brd ff:ff:ff:ff:ff:ffaltname enp3s0altname ens160inet 172.25.254.100/24 brd 172.25.254.255 scope global noprefixroute eth0valid_lft forever preferred_lft foreverinet6 fe80::bf7:7246:70e2:bb83/64 scope link noprefixroute valid_lft forever preferred_lft forever
3: eth1: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc mq state UP group default qlen 1000link/ether 00:0c:29:d0:65:dc brd ff:ff:ff:ff:ff:ffaltname enp19s0altname ens224inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1valid_lft forever preferred_lft foreverinet6 fe80::312a:e80c:80f6:2ca0/64 scope link noprefixroute valid_lft forever preferred_lft forever
[rootrouter ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.25.254.2 0.0.0.0 UG 102 0 0 eth0
172.25.254.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 103 0 0 eth1
[rootrouter ~]#
#打开内核路由
#检查是否打开了内核路由
[rootrouter ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward 0
net.ipv4.ip_forward_update_priority 1
net.ipv4.ip_forward_use_pmtu 0
#编辑配置文件
[rootrouter ~]# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward1
[rootrouter ~]# sysctl -p
net.ipv4.ip_forward 1
[rootrouter ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward 1
net.ipv4.ip_forward_update_priority 1
net.ipv4.ip_forward_use_pmtu 0
[rootrouter ~]# client:
eth0:NAT模式 172.25.254.200 gateway:172.25.254.100
[rootclient ~]# cat /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
ideth0
typeethernet
interface-nameeth0[ipv4]
address1172.25.254.200/24,172.25.254.100
methodmanual
#重启网卡
[rootclient ~]# nmcli connection reload
[rootclient ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[rootclient ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.25.254.100 0.0.0.0 UG 100 0 0 eth0
172.25.254.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
#测试
[rootclient ~]# for i in {1..10}; do curl 192.168.0.200; done
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver2:192.168.0.20
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver2:192.168.0.20
webserver1:192.168.0.10
webserver2:192.168.0.20
webserver2:192.168.0.20
webserver1:192.168.0.10
[rootclient ~]#lvs-火墙标记解决调度问题
在webserver1和webserver2安装mod_ssl模块让他们支持https
webserver1
[rootwebserver1 ~]# dnf install mod_ssl -y
#重启httpd服务
[rootwebserver1 ~]# systemctl restart httpdwebserver2
[rootwebserver2 ~]# dnf install mod_ssl -y
#重启httpd服务
[rootwebserver2 ~]# systemctl restart httpd在lvs中追加加入调度策略
[rootlvs ~]# ipvsadm -A -t 192.168.0.200:443 -s rr
[rootlvs ~]# ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.10:443 -g
[rootlvs ~]# ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.20:443 -g
[rootlvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size4096)
Prot LocalAddress:Port Scheduler Flags- RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 wrr- 192.168.0.10:80 Route 1 0 0 - 192.168.0.20:80 Route 2 0 0
TCP 192.168.0.200:443 rr- 192.168.0.10:443 Route 1 0 0 - 192.168.0.20:443 Route 1 0 0
[rootlvs ~]# 未加火墙前的测试:
client
这时候前一条是正确的当时后面应该是10
[rootclient ~]# curl 192.168.0.200;curl -k https://192.168.0.200
webserver2:192.168.0.20
webserver2:192.168.0.20
[rootclient ~]# lvs中为端口做标记,清空ipvsadm调度策略,写入火墙的策略
[rootlvs ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination Chain INPUT (policy ACCEPT)
target prot opt source destination Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[rootlvs ~]# iptables -t mangle -A PREROUTING -d 192.168.0.200 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 666
[rootlvs ~]# iptables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 6 -- 0.0.0.0/0 192.168.0.200 multiport dports 80,443 MARK set 0x42Chain INPUT (policy ACCEPT)
target prot opt source destination Chain FORWARD (policy ACCEPT)
target prot opt source destination Chain OUTPUT (policy ACCEPT)
target prot opt source destination Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[rootlvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size4096)
Prot LocalAddress:Port Scheduler Flags- RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.200:80 wrr- 192.168.0.10:80 Route 1 0 0 - 192.168.0.20:80 Route 2 0 0
TCP 192.168.0.200:443 rr- 192.168.0.10:443 Route 1 0 0 - 192.168.0.20:443 Route 1 0 0
[rootlvs ~]# ipvsadm -C
[rootlvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size4096)
Prot LocalAddress:Port Scheduler Flags- RemoteAddress:Port Forward Weight ActiveConn InActConn
[rootlvs ~]# ipvsadm -A -f 66 -s rr
[rootlvs ~]# ipvsadm -a -f 66 -r 192.168.0.10 -g
[rootlvs ~]# ipvsadm -a -f 66 -r 192.168.0.20 -g
[rootlvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size4096)
Prot LocalAddress:Port Scheduler Flags- RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 66 rr- 192.168.0.10:0 Route 1 0 0 - 192.168.0.20:0 Route 1 0 0
[rootlvs ~]# 测试:
clietn
[rootclient ~]# curl 192.168.0.200;curl -k https://192.168.0.200
webserver2:192.168.0.20
webserver1:192.168.0.10
[rootclient ~]# curl 192.168.0.200;curl -k https://192.168.0.200
webserver2:192.168.0.20
webserver1:192.168.0.10
[rootclient ~]# curl 192.168.0.200;curl -k https://192.168.0.200
webserver2:192.168.0.20
webserver1:192.168.0.10
[rootclient ~]# 注意:
在配置vip不对外响应的时候需要永久设置的话可以使用sysctl -a | grep arp_ignore查看,把需要的内容写入到/etc/sysctl.conf中,然后再输入sysctl -p保存设定
[rootwebserver1 ~]# sysctl -a | grep arp_ignore
net.ipv4.conf.all.arp_ignore 1
net.ipv4.conf.default.arp_ignore 0
net.ipv4.conf.eth0.arp_ignore 0
net.ipv4.conf.lo.arp_ignore 1
[rootwebserver1 ~]#
