DR模型的工作过程:
Client向VIP发起请求,请求被路由器接收到,转发给不同网段的Director的VIP,Director再通过私有网络转给RS服务器,RS服务器处理请求并通过自身配置的VIP直接将响应发给Client.
要点:
关键点是在集群内部,Director和RS服务器都要配置相同的VIP,这就要解决IP冲突的问题,有三种方法:
1,在路由器中绑定Director的MAC与VIP,各RS还要添加arptables拒绝网络通告
2,在RS中使用arptables解决
3,RS服务器对于路由器发起寻找VIP的广播不予回应,修改内核参数即可.
每台主机只需一块网卡,并处于同一个物理网络,请求到达Director之后会把报文重新封装目标MAC为选择的其中一台RS,这样就可以把报文发送给这台RS来响应.
所有RS通过修改内核参数屏蔽arp通告.把VIP配置在lo:0这个别名上,再添加入栈路由,让报文经过lo:0,这样报文出栈时,源IP才能改成VIP.
请求报文经过Director,响应报文不经过Director,RS网关只能指向路由器,不能指向DIP,无法实现端口映射.
实验环境:
假设:
Client网络为172.18.7.0
服务器公网:10.0.0.0
服务器内网(主机模式):192.168.7.0
准备五台CentOS 7虚拟机,
Director:
一块网卡,仅主机模式
VIP:10.0.0.100
网关:10.0.0.200 实际上随意填一个网关都可以.因为并不真的需要使用这个网关,但是不写又不行.
DIP:192.168.7.30
网关:192.168.7.200
RS1:
一块网卡,仅主机模式
RIP:192.168.7.10
网关:192.168.7.200
VIP:10.0.0.100
RS1:
一块网卡,仅主机模式
RIP:192.168.7.20
网关:192.168.7.200
VIP:10.0.0.100
网关:10.0.0.200
Router:
两块网卡,ens33桥接,ens37仅主机模式,不需要网关
公网IP(ens33):172.18.7.200
内网IP1(ens37):192.168.7.200
模拟另一公网网关IP(ens37:1):10.0.0.200
Client:
一块网卡,桥接
CIP:172.18.7.70
网关:172.18.0.1
配置Router:
Router需要两块网卡,ens33和ens37
ens33:
配置地址172.18.7.200,由于是路由器,所以不需要网关
]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 BOOTPROTO="static" DEVICE="ens33" ONBOOT="yes" IPADDR=172.18.7.200 PREFIX=16
ens37:
配置地址192.168.7.200和10.0.0.200
]# cd /etc/sysconfig/network-scripts/ ]# vim ifcfg-ens37 BOOTPROTO="static" DEVICE="ens37" ONBOOT="yes" IPADDR=192.168.7.200 PREFIX=24
]# vim ifcfg-ens37:1 BOOTPROTO="static" DEVICE="ens37:1" ONBOOT="yes" IPADDR=10.0.0.200 PREFIX=8
开启ip地址转发
]# cat /proc/sys/net/ipv4/ip_forward ]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1 ]# sysctl -p net.ipv4.ip_forward = 1 ]# cat /proc/sys/net/ipv4/ip_forward 1
这样可以让RS服务器能够连通Client.
]# systemctl restart network
查看一下
Client:
客户端ip地址172.18.7.70,网关指向路由器172.18.7.200
]# nmcli connection modify System ens33 ipv4.addresses 172.18.7.70/16 ipv4.gateway 172.18.7.200 ipv4.method manual ]# nmcli connection up System ens33 ]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.18.7.200 0.0.0.0 UG 100 0 0 ens33 172.18.0.0 0.0.0.0 255.255.0.0 U 100 0 0 ens33
测试ping 另外两个网段是否通
]# ping 192.168.7.200 PING 192.168.7.200 (192.168.7.200) 56(84) bytes of data. 64 bytes from 192.168.7.200: icmp_seq=1 ttl=64 time=3.31 ms ]# ping 10.0.0.200 PING 10.0.0.200 (10.0.0.200) 56(84) bytes of data. 64 bytes from 10.0.0.200: icmp_seq=1 ttl=64 time=3.47 ms
Director
作为Director,只需要与RS服务器通讯,由于Director与RS服务器在同网段,所以实际上并不需要配置网关
暂时修改网关为192.168.7.200
]# nmcli connection modify System ens33 ipv4.addresses 192.168.7.30/24 ipv4.gateway 192.168.7.200 ipv4.method manual ]# nmcli connection up System ens33
运行以下脚本.
]# vim lvs_dr_vs.sh
#!/bin/bash
vip='10.0.0.100'
iface='ens33:1'
mask='255.255.255.255'
port='80'
rs1='192.168.7.10'
rs2='192.168.7.20'
scheduler='wrr'
type='-g'
rpm -q ipvsadm &> /dev/null || yum -y install ipvsadm &> /dev/null
case $1 in
start)
ifconfig $iface $vip netmask $mask broadcast $vip up
iptables -F
ipvsadm -A -t ${vip}:${port} -s $scheduler
ipvsadm -a -t ${vip}:${port} -r ${rs1} $type -w 1
ipvsadm -a -t ${vip}:${port} -r ${rs2} $type -w 2
echo "The VS Server is Ready!"
;;
stop)
ipvsadm -C
ifconfig $iface down
echo "The VS Server is Canceled!"
;;
*)
echo "Usage: $(basename $0) start|stop"
exit 1
;;
esac]# bash lvs_dr_vs.sh start
脚本中给ens33:1网卡别名添加了VIP10.0.0.100,然后通过yum安装了ipvsadm,并添加了规则.
查看.
]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 10.0.0.100:80 wrr -> 192.168.7.10:80 Route 1 0 0 -> 192.168.7.20:80 Route 2 0 0
RS1
配置ip地址
]# nmcli connection modify System ens33 ipv4.addresses 192.168.7.10/24 ipv4.gateway 192.168.7.200 ipv4.method manual ]# nmcli connection up System ens33
测试ping Client
]# ping 172.18.7.70 PING 172.18.7.70 (172.18.7.70) 56(84) bytes of data. 64 bytes from 172.18.7.70: icmp_seq=1 ttl=63 time=1.64 ms
准备预配置脚本,用于配置VIP,修改内核参数,安装httpd和测试页面等,要事先配置好yum原,我这里使用本地光盘作为yum源.
]# cat lvs_dr_rs.sh
#!/bin/bash
vip=10.0.0.100
mask='255.255.255.255'
dev=lo:1
rpm -q httpd &> /dev/null || yum -y install httpd &>/dev/null
service httpd start &> /dev/null && echo "The httpd Server is Ready!"
echo "<h1>`hostname`</h1>" > /var/www/html/index.html
case $1 in
start)
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
ifconfig $dev $vip netmask $mask #broadcast $vip up
echo "The RS Server is Ready!"
;;
stop)
ifconfig $dev down
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo "The RS Server is Canceled!"
;;
*)
echo "Usage: $(basename $0) start|stop"
exit 1
;;
esac运行脚本
]# bash lvs_dr_rs.sh start
把VIP地址绑定到了本地回环网卡lo的别名lo:1上.这样RS会使用lo:1发送响应报文,源地址也就变成了VIP.
]# scp lvs_dr_rs.sh 192.168.7.20:/root/
RS2
配置ip地址配置
]# nmcli connection modify System ens33 ipv4.addresses 192.168.7.20/24 ipv4.gateway 192.168.7.200 ipv4.method manual ]# nmcli connection up System ens33 ]# ping 172.18.7.70 PING 172.18.7.70 (172.18.7.70) 56(84) bytes of data. 64 bytes from 172.18.7.70: icmp_seq=1 ttl=63 time=2.80 ms
跑脚本.
测试:
Client :
如果出现下面的情况
]# curl 10.0.0.100 curl: (7) Failed connect to 10.0.0.100:80; No route to host
可以尝试:
给Director添加gateway
重启网络服务
]# bash lvs_dr_vs.sh stop ]# bash lvs_dr_vs.sh start
还不行就重启Director.
ldirectord
LVS虽然调度效率极强,但也存在缺点.
1,一旦Director不可用,整个系统将不可用.
解决方案,配合高可用
2,某RS不可用时,Director依然会调度请求至此RS.
解决方案:由Director对各RS健康状态进行检查,失败时禁用,成功时启用
此时就要借助其他工具来实现.类似工具有keepalived,heartbeat/corosync,ldirectord等,本次实验以ldirectord为例.
directord: 监控和控制LVS守护进程,可管理LVS规则
对于健康检查,有以下几种方式:
(a) 网络层检测,icmp
(b) 传输层检测,端口探测
(c) 应用层检测,请求某关键资源
RS全都不可用时:将访问调度到backup server或叫做 sorry server,用于反馈用户提示信息.
ldirecord支持包括https,firewall mark ,ftp,smtp,submission,pop,imap,ldap,UDP DNS,MySQL,PostgreSQL,Oracle等多种协议以及ipv6.
ldrectord下载地址
http://download.opensuse.org/repositories/network:/ha-clustering:/Stable/
按照系统版本和架构选择下载
这里选择页面中Centos 7下的x86_64下的ldirectord-3.9.6-0rc1.1.2.x86_64.rpm
在Director中安装ldirector:
之前要先清空ipvsadm创建的规则
]# ipvsadm -C
yum安装ldirectord
]# yum -y install ldirectord-3.9.6-0rc1.1.2.x86_64.rpm ]# rpm -ql ldirectord /etc/ha.d /etc/ha.d/resource.d /etc/ha.d/resource.d/ldirectord /etc/logrotate.d/ldirectord /usr/lib/ocf/resource.d/heartbeat/ldirectord /usr/lib/systemd/system/ldirectord.service /usr/sbin/ldirectord /usr/share/doc/ldirectord-3.9.6 /usr/share/doc/ldirectord-3.9.6/COPYING /usr/share/doc/ldirectord-3.9.6/ldirectord.cf /usr/share/man/man8/ldirectord.8.gz
修改配置
]# cp /usr/share/doc/ldirectord-3.9.6/ldirectord.cf /etc/ha.d/ ]# vim /etc/ha.d/ldirectord.cf checktimeout=3 #每次检测超时时长 checkinterval=1 #每次检测间隔时间 fallback=127.0.0.1:80 #sorry_server,此处设置为本机.需要在本机开启http服务. autoreload=yes #修改配置文件自动生效,无需手动reload logfile="/var/log/ldirectord.log" quiescent=no virtual=10.0.0.100:80 #VIP real=192.168.7.1:80 gate 1 #RS服务器,gate表示dr模式,数字为权重. real=192.168.7.2:80 gate 3 service=http scheduler=wrr #权重轮询 persistent=600 checktype=negotiate checkport=80 request="test.html" #用于检测的页面 receive="test" #检测关键字,如果检测得到,则认为RS还活着
real参数还支持范围写法如real=192.168.6.2->192.168.6.7:80 gate.
安装httpd,准备测试页面,测试结果.
]# yum install httpd -y ]# echo 'sorry server' > /var/www/html/index.html ]# systemctl start httpd ]# curl 10.0.0.100 sorry server
两个RS服务器建立测试页面
]# echo 'test' > /var/www/html/test.html
Director开启Ldirectord服务
]# systemctl start ldirectord
查看ipvsadmin状态
]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 10.0.0.100:80 wrr -> 192.168.7.10:80 Route 1 0 0 -> 192.168.7.20:80 Route 3 0 0
规则已经配好
Client测试:
模拟RS宕机
停止RS1的httpd服务
]# systemctl stop httpd
Director中看ipvsadm规则
]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 10.0.0.100:80 wrr -> 192.168.7.20:80 Route 3 0 13
显示只有RS2在.
回到CLient看结果,只剩下RS2了
模拟RS2也宕机
]# systemctl stop httpd
Director中看ipvsadm规则
]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 10.0.0.100:80 wrr -> 127.0.0.1:80 Route 1 0 0
RS服务器都不在,被sorry server代替
回到CLient看结果,结果显示sorry server已经启用
现在恢复RS1.和RS2
]# systemctl start httpd
Director查看规则
]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 10.0.0.100:80 wrr -> 192.168.7.10:80 Route 1 0 3 -> 192.168.7.20:80 Route 3 0 7
回到CLient看结果,已经恢复
测试结束.
可见,LVS配合ldirectord之后,功能性大大加强了.