title: ldirectord+ipvsadm之nat/dr模型的实现
date: 2017-10-26 15:37:29
tags:
ldirectord 结合ipvsadm 配置nat,dr模型
一、nat模型
- drector
# wget ftp://172.16.0.1/pub/Sources/7.x86_64/crmsh/ldirectord-3.9.6-0rc1.1.1.x86_64.rpm
# yum -y install nginx (同时用于做为sorry主机)
# yum -y install ldirectord-3.9.6-0rc1.1.1.x86_64.rpm
# echo “sorry, the service is down for maintenance, is recovering” > /usr/share/nginx/html/index.html
主机为两块网卡, 一个是桥接,一个仅主机 (其中仅主机的配置静态地址为192.16.0.5)
- 开启核心转发功能
# echo 1 > /proc/sys/net/ipv4/ip_forward
nodeff1
# yum -y install httpd
# echo “<h1>RS1</h1>” > /var/www/html/index.html
主机为一块网卡,仅主机(配置静态地址为192.16.0.2)
网关指向 192.16.0.5
# route add default gw 192.16.0.5
node2
# yum -y install nginx
# echo “<h1>RS2</h1>” > /var/www/html/index.html
主机为一块网卡,仅主机(配置静态地址为192.16.0.3)
网关指向 192.16.0.5
# route add default gw 192.16.0.5
directory 此时:可以在drector主机上进行测试,
# curl 192.16.0.2 返回RS1
# curl 192.16.0.3 返回RS2
directory 使用ipvsadm指定调度算法及调度主机;
# ipvsadm -A -t 172.16.250.89:80 -wrr
# ipvsadm -a -t 172.16.250.89:80 -r 192.16.0.2:80 -m -w 3
# ipvsadm -a -t 172.16.250.89:80 -r 192.16.0.3:80 -m -w 1
在别的主机中测试结果
# for i in {1..4} ; do curl 172.16.250.89; done
<h1>RS1</h1>
<h1>RS2</h2>
<h1>RS1</h1>
<h1>RS1</h1>
# 将规则保存 ipvsadm -S > /etc/sysconfig/ipvsadm
- directory 配置ldirectord
# cp /usr/share/doc/ldirectord-3.9.6/ldirectord.cf /etc/ha.d/ldirectord.cf
# vim /etc/ha.d/ldirectord.cf
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile=”/var/log/ldirectord.log”
quiescent=no
virtual=172.16.250.89:80
real=192.16.0.2:80 masq 1
real=192.16.0.3:80 masq 3
fallback=127.0.0.1:80 masq
service=http
scheduler=wrr
protocol=tcp
checktype=negotiate
checkport=80
注:virtual:172.16.250.89:80 ,后面需要指定端口,否则protocol=tcp指定启动时会报错
real=192.16.0.2:80 masq 因为上面配置的为nat模型,所以此处使用masq
fallback=172.0.0.1:80 此处便是nginx的sorry server,但所有结点都停掉时,会向用户提供一个sorry server
# systemctl start ldirectord
# ipvsadm -Ln 查看结点
在别的主机中测试
#for i in {1..4} ; do curl 172.16.250.89; done
<h1>RS2</h2>
<h1>RS1</h1>
<h1>RS2</h2>
<h1>RS2</h2>
node1,node2 将两个结点手动停掉
# systemctl stop httpd 在测试主机中会返回sorry信息
二、dr 模型
- directory ,node1 ,node2 三台主机都是一块网块, 并且网卡都为桥接,且node1,nod2,不需要指定网关
编写脚本
#vim setkp.sh
#!/bin/bash
vip=172.16.252.166
mask=255.255.255.255
interface=’lo:0′
eth=’eno16777736:0′
case $1 in
start)
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
ifconfig $interface $vip netmask $mask broadcast $vip up
route add -host $vip dev $interface
;;
dstart)
ifconfig $eth $vip/32 netmask $mask broadcast $vip up
;;
dstop)
ifconfig $eth down
;;
stop)
ifconfig $interface down
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
;;
status)
ifconfig
cat /proc/sys/net/ipv4/conf/all/arp_ignore
cat /proc/sys/net/ipv4/conf/lo/arp_ignore
cat /proc/sys/net/ipv4/conf/all/arp_announce
cat /proc/sys/net/ipv4/conf/lo/arp_announce
;;
*)
echo “Usage: $(basename $0) {dstart|dstop|start|stop}”
exit 1
esac
在director主机中执行
# sh setkp.sh dstart
# sh setkp.sh status 查看状态
# scp setkp.sh 172.16.251.232:/root
# scp setkp.sh 172.16.251.191:/root
# ipvsadm -A -t 172.16.252.166:http -s wrr
# ipvsadm -a -t 172.16.252.166:http -r 172.16.251.232:http -g -w 1
# ipvsadm -a -t 172.16.252.166:http -r 172.16.251.191:http -g -w 3
# systemctl start nginx
# echo “Sorry Page” > /usr/share/nginx/html/index.html
在node1主机中执行
# sh setkp.sh start
# sh setkp.sh status
# systemctl start httpd
echo “<h1>NODE1</h1>” > /var/www/html/index.html
在node2主机中执行
# sh setkp.sh start
# sh setkp.sh status
# systemctl start httpd
echo “<h2>NODE2</h2>” > /var/www/html/index.html
在其它主机中进行测试
#for i in {1..4} ; do curl 172.16.252.166; done
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
- ldirectord配置
# cat /etc/ha.d/ldirectord.cf | grep -v “^[[:space:]]*#” | grep -v “^[[:space:]]*$”
# vim /etc/ha.d/ldirectord.cf
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile=”/var/log/ldirectord.log”
quiescent=no
virtual=172.16.252.166:80
real=172.16.251.191:80 gate 1
real=172.16.251.232:80 gate 3
fallback=127.0.0.1:80 gate
service=http
scheduler=wrr
protocol=tcp
checktype=negotiate
checkport=80
# systemctl start ldirectord
在其它主机中进行测试
# for i in {1..4} ; do curl 172.16.252.166; done
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS1</h2>
当主机所有结点都停止服务时 (node1,node2)
# systemctl stop httpd
# for i in {1..4} ; do curl 172.16.252.166; done
Sorry Page
Sorry Page
Sorry Page
Sorry Page
- 借助防火墙标记来分类报文,而后标记定义集群服务,这样不同的服务可以使用一个集群进行调度,并启用持久连接
- 将两台node结点启动
# systemctl start httpd
在director主机中配置
# iptables -t mangle -A PREROUTING -d 172.16.252.166 -p tcp -m multiport –dport 80,443 -j MARK –set-mark 10 为端口打标记
# ipvsadm -A -f 10 -s rr -p 360
# ipvsadm -a -f 10 -r 172.16.251.191:0 -g -w 1
# ipvsadm -a -f 10 -r 172.16.251.232:0 -g -w 1
在其它主机中进行测试
# for i in {1..5} ; do curl 172.16.252.166; done
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
在两台node结点上建立https服务
nod1
# mkdir /etc/httpd/cacert
# cd /etc/httpd/cacert
# (umask 066;openssl genrsa -out httpd.key 1024)
# openssl req -new -key httpd.key -out httpd.crt -days 7200
# scp httpd.csr 172.16.252.162:/root
在director主机中生成自签证书
# echo 01 > /etc/pki/CA/serial
# touch /etc/pki/CA/index.txt
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
# openssl ca -in /root/httpd.csr -out /tmp/httpd.crt
# scp /tmp/httpd.crt 172.16.251.232:/root
# scp /etc/pki/CA/cacert.pem 172.16.250.69:/root
node2
# mkdir /etc/httpd/cacert
node1
# cd /etc/httpd/cacert/ && scp * 172.16.251.191:/etc/httpd/cacert/
nod1,node1
# vim /etc/httpd/conf.d/ssl.conf
修改 : SSLCertificateFile /etc/httpd/cacert/httpd.crt
SSLCertificateKeyFile /etc/httpd/cacert/httpd.key
# systemctl restart httpd
在其它主机中进行测试:
# vim /etc/hosts
加入 : 172.16.252.166 www.rj.com
测试https与http的持久连接
# for i in {1..4} ;do curl –cacert /root/cacert.pem https://www.rj.com && curl http://www.rj.com ; done
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
在 ldirectord 中实现
driector
# vim /etc/ha.d/ldirectord.cf
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile=”/var/log/ldirectord.log”
quiescent=no
virtual=10
real=172.16.251.191:80 gate 1
real=172.16.251.232:80 gate 3
fallback=127.0.0.1:80 gate
service=http
scheduler=wrr
checktype=negotiate
checkport=80
# systemctl start ldirectord
# ipvsadm -Ln
在其它主机中进行测试
# for i in {1..4} ;do curl –cacert /root/cacert.pem https://www.rj.com && curl http://www.rj.com ; done
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS1</h2>
<h1>RS1</h2>