文章类别:

   2018-07-10 11:41:52    2019-11-14 14:34:32   

Keepalived 高可用 LVS 负载均衡
### LVS+NAT **`通过网络地址转换,调度器重写请求报文的目标地址,根据预设的调度算法,将请求分派给后端的RS;RS的响应报文通过调度器时,报文的源地址被重写,再返回给客户,完成整个负载调度过程。`** #### 准备环境 ```bash LVS主机: 192.168.50.253 Real Server: 192.168.50.251/192.168.50.252 网络模式:NAT ``` #### **DR配置** #### 安装ipvsadm ```bash yum install ipvsadm -y ``` #### 设置ipv4转发 ```bash sysctl -w net.ipv4.ip_forward=1 ``` #### 关selinux,firewall,iptables ```bash setenforce 0 systemctl stop firewall iptables -F ``` #### 设置ipvsadm ```bash ipvsadm -A -t 192.168.50.253:80 -s rr ipvsadm -a -t 192.168.50.253:80 -r 192.168.50.251:80 -m ipvsadm -a -t 192.168.50.253:80 -r 192.168.50.252:80 -m ipvsadm -S # -A 添加虚拟服务 # -a 添加一个真是的主机到虚拟服务 # -S 保存 # -s 选择调度方法 # rr 轮训调度 # -m 网络地址转换NAT ``` #### **RS配置** 安装web ```bash yum install nginx -y ``` 修改网关 ```bash vim /etc/sysconfig/network-scripts/ifcfg-enp0s3 ``` ```ini GATEWAY0=192.168.50.253 ``` #### 测试(外网机器) `注意:外网测试,同网段直接访问192.168.50.253,LVS仅修改目的地址成RS,当RS应答给客户端,发现为同网段,不会经过LVS去做SNAT,客户端发送的DEST地址和收到的应答包的SRC地址不一致丢弃` 路由器上面做个端口映射 113.119.xx.xx:8999->192.168.50.253:80 ```bash curl http://113.119.xx.xx:8999/ ```   ### LVS+DR(`无VIP`) **`VS/DR通过改写请求报文的MAC地址,将请求发送到RS,而RS将响应直接返回给客户。同VS/TUN技术一样,VS/DR技术可极大地 提高集群系统的伸缩性。这种方法没有IP隧道的开销,对集群中的RS也没有必须支持IP隧道协议的要求,但是要求调度器与RS都有一块网卡连 在同一物理网段上。`** #### 准备环境 ```bash LVS主机: 192.168.50.253 08:00:27:e6:f4:0a Real Server: 192.168.50.251 08:00:27:8a:58:c1 192.168.50.252 08:00:27:29:31:d8 网络模式:DR ``` #### **DR配置** #### 安装ipvsadm ```bash yum install ipvsadm -y ``` #### 设置ipv4转发 ```bash sysctl -w net.ipv4.ip_forward=1 ``` #### 关selinux,firewall,iptables ```bash setenforce 0 systemctl stop firewall iptables -F ``` #### 设置ipvsadm ```bash ipvsadm -A -t 192.168.50.253:8080 -s rr #虚拟服务端口需要和真实服务端口一致 ipvsadm -a -t 192.168.50.253:8080 -r 192.168.50.251:8080 -g -w 1 ipvsadm -a -t 192.168.50.253:8080 -r 192.168.50.252:8080 -g -w 1 ipvsadm -S # -A 添加虚拟服务 # -a 添加一个真是的主机到虚拟服务 # -S 保存 # -s 选择调度方法 # -g DR模式 # rr 轮训调度 ``` 配置RS MAC静态绑定 `因为负载均衡服务器使用的是真实IP 192.168.50.253,当查询ARP,因为RS回环接口配置192.168.50.253,所以不会应答ARP,相反,如果配置VIP,那么回环地址配置VIP,192.168.50.253请求ARP的时候,RS会应答ARP` ```bash arp -s 192.168.50.251 08:00:27:8a:58:c1 arp -s 192.168.50.252 08:00:27:29:31:d8 ``` #### **RS配置** 启动web服务 ```bash python -m SimpleHTTPServer 8080 ``` 修改内核参数 ```bash echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce ``` 逻辑网卡添加ip地址192.168.50.253 ```bash ifconfig lo:0 192.168.50.253 netmask 255.255.255.255 broadcast 192.168.50.255 ``` 添加路由(确保请求的IP是192.168.50.253,出去的数据包也为192.168.50.253) ```bash route add -host 192.168.50.253 dev lo:0 ```   ### LVS+DR(`有VIP`) #### 准备环境 ```bash VIP: 192.168.50.240 LVS主机: 192.168.50.253 08:00:27:e6:f4:0a Real Server: 192.168.50.251 08:00:27:8a:58:c1 192.168.50.252 08:00:27:29:31:d8 网络模式:DR ``` #### **DR配置** #### 安装ipvsadm ```bash yum install ipvsadm -y ``` #### 设置ipv4转发 ```bash sysctl -w net.ipv4.ip_forward=1 ``` #### 关selinux,firewall,iptables ```bash setenforce 0 systemctl stop firewall iptables -F ``` #### 配置VIP ```bash ifconfig eth0:0 192.168.50.240 netmask 255.255.255.255 broadcast 192.168.50.255 ``` #### 设置ipvsadm ```bash ipvsadm -A -t 192.168.50.240:8080 -s rr #虚拟服务端口需要和真实服务端口一致 ipvsadm -a -t 192.168.50.240:8080 -r 192.168.50.251:8080 -g -w 1 ipvsadm -a -t 192.168.50.240:8080 -r 192.168.50.252:8080 -g -w 1 ipvsadm -S # -A 添加虚拟服务 # -a 添加一个真是的主机到虚拟服务 # -S 保存 # -s 选择调度方法 # -g DR模式 # rr 轮训调度 ``` #### **RS配置** 启动web服务 ```bash python -m SimpleHTTPServer 8080 ``` 修改内核参数 ```bash echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce ``` 添加VIP ```bash ifconfig lo:0 192.168.50.240 netmask 255.255.255.255 broadcast 192.168.50.255 ``` 添加路由(确保请求的IP是192.168.50.253,出去的数据包也为192.168.50.253) ```bash route add -host 192.168.50.240 dev lo:0 ```   ### LVS+NAT **`通过网络地址转换,调度器重写请求报文的目标地址,根据预设的调度算法,将请求分派给后端的RS;RS的响应报文通过调度器时,报文的源地址被重写,再返回给客户,完成整个负载调度过程。`** #### 准备环境 ```bash LVS主机: 192.168.50.253 Real Server: 192.168.50.251/192.168.50.252 网络模式:NAT ``` #### **DR配置** #### 安装ipvsadm ```bash yum install ipvsadm -y ``` #### 设置ipv4转发 ```bash sysctl -w net.ipv4.ip_forward=1 ``` #### 关selinux,firewall,iptables ```bash setenforce 0 systemctl stop firewall iptables -F ``` #### 设置ipvsadm ```bash ipvsadm -A -t 192.168.50.253:80 -s rr ipvsadm -a -t 192.168.50.253:80 -r 192.168.50.251:80 -m ipvsadm -a -t 192.168.50.253:80 -r 192.168.50.252:80 -m ipvsadm -S # -A 添加虚拟服务 # -a 添加一个真是的主机到虚拟服务 # -S 保存 # -s 选择调度方法 # rr 轮训调度 # -m 网络地址转换NAT ``` #### **RS配置** 安装web ```bash yum install nginx -y ``` 修改网关 ```bash vim /etc/sysconfig/network-scripts/ifcfg-enp0s3 ``` ```ini GATEWAY0=192.168.50.253 ``` #### 测试(外网机器) `注意:外网测试,同网段直接访问192.168.50.253,LVS仅修改目的地址成RS,当RS应答给客户端,发现为同网段,不会经过LVS去做SNAT,客户端发送的DEST地址和收到的应答包的SRC地址不一致丢弃` 路由器上面做个端口映射 113.119.xx.xx:8999->192.168.50.253:80 ```bash curl http://113.119.xx.xx:8999/ ```   ### LVS+DR(`无VIP`) **`VS/DR通过改写请求报文的MAC地址,将请求发送到RS,而RS将响应直接返回给客户。同VS/TUN技术一样,VS/DR技术可极大地 提高集群系统的伸缩性。这种方法没有IP隧道的开销,对集群中的RS也没有必须支持IP隧道协议的要求,但是要求调度器与RS都有一块网卡连 在同一物理网段上。`** #### 准备环境 ```bash LVS主机: 192.168.50.253 08:00:27:e6:f4:0a Real Server: 192.168.50.251 08:00:27:8a:58:c1 192.168.50.252 08:00:27:29:31:d8 网络模式:DR ``` #### **DR配置** #### 安装ipvsadm ```bash yum install ipvsadm -y ``` #### 设置ipv4转发 ```bash sysctl -w net.ipv4.ip_forward=1 ``` #### 关selinux,firewall,iptables ```bash setenforce 0 systemctl stop firewall iptables -F ``` #### 设置ipvsadm ```bash ipvsadm -A -t 192.168.50.253:8080 -s rr #虚拟服务端口需要和真实服务端口一致 ipvsadm -a -t 192.168.50.253:8080 -r 192.168.50.251:8080 -g -w 1 ipvsadm -a -t 192.168.50.253:8080 -r 192.168.50.252:8080 -g -w 1 ipvsadm -S # -A 添加虚拟服务 # -a 添加一个真是的主机到虚拟服务 # -S 保存 # -s 选择调度方法 # -g DR模式 # rr 轮训调度 ``` 配置RS MAC静态绑定 `因为负载均衡服务器使用的是真实IP 192.168.50.253,当查询ARP,因为RS回环接口配置192.168.50.253,所以不会应答ARP,相反,如果配置VIP,那么回环地址配置VIP,192.168.50.253请求ARP的时候,RS会应答ARP` ```bash arp -s 192.168.50.251 08:00:27:8a:58:c1 arp -s 192.168.50.252 08:00:27:29:31:d8 ``` #### **RS配置** 启动web服务 ```bash python -m SimpleHTTPServer 8080 ``` 修改内核参数 ```bash echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce ``` 逻辑网卡添加ip地址192.168.50.253 ```bash ifconfig lo:0 192.168.50.253 netmask 255.255.255.255 broadcast 192.168.50.255 ``` 添加路由(确保请求的IP是192.168.50.253,出去的数据包也为192.168.50.253) ```bash route add -host 192.168.50.253 dev lo:0 ```   ### LVS+DR(`有VIP`) #### 准备环境 ```bash VIP: 192.168.50.240 LVS主机: 192.168.50.253 08:00:27:e6:f4:0a Real Server: 192.168.50.251 08:00:27:8a:58:c1 192.168.50.252 08:00:27:29:31:d8 网络模式:DR ``` #### **DR配置** #### 安装ipvsadm ```bash yum install ipvsadm -y ``` #### 设置ipv4转发 ```bash sysctl -w net.ipv4.ip_forward=1 ``` #### 关selinux,firewall,iptables ```bash setenforce 0 systemctl stop firewall iptables -F ``` #### 配置VIP ```bash ifconfig eth0:0 192.168.50.240 netmask 255.255.255.255 broadcast 192.168.50.255 ``` #### 设置ipvsadm ```bash ipvsadm -A -t 192.168.50.240:8080 -s rr #虚拟服务端口需要和真实服务端口一致 ipvsadm -a -t 192.168.50.240:8080 -r 192.168.50.251:8080 -g -w 1 ipvsadm -a -t 192.168.50.240:8080 -r 192.168.50.252:8080 -g -w 1 ipvsadm -S # -A 添加虚拟服务 # -a 添加一个真是的主机到虚拟服务 # -S 保存 # -s 选择调度方法 # -g DR模式 # rr 轮训调度 ``` #### **RS配置** 启动web服务 ```bash python -m SimpleHTTPServer 8080 ``` 修改内核参数 ```bash echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce ``` 添加VIP ```bash ifconfig lo:0 192.168.50.240 netmask 255.255.255.255 broadcast 192.168.50.255 ``` 添加路由(确保请求的IP是192.168.50.253,出去的数据包也为192.168.50.253) ```bash route add -host 192.168.50.240 dev lo:0 ```   ### LVS+TUNNEL(内网跨网段) #### 准备环境 ```bash Client: 192.168.10.3 路由器(LINUX) 192.168.10.4 192.168.20.4 VIP: 192.168.10.100 LVS主机: 192.168.10.5 Real Server: 192.168.20.3 网络模式:TUNNEL ```   #### **DR配置** 配置VIP ```bash ifconfig eth1:1 192.168.10.100 netmask 255.255.255.255 broadcast 192.168.10.100 up route add -host 192.168.10.100 dev eth1:1 ``` 修改内核参数 ```bash echo "0" >/proc/sys/net/ipv4/ip_forward echo "1" >/proc/sys/net/ipv4/conf/all/send_redirects echo "1" >/proc/sys/net/ipv4/conf/default/send_redirects echo "1" >/proc/sys/net/ipv4/conf/eth1/send_redirects ``` 配置lvs ```bash ipvsadm -C ipvsadm -A -t 192.168.10.100:8080 -s rr ipvsadm -a -t 192.168.10.100:8080 -r 192.168.20.3 -i ```   #### **RS配置** 配置tunnel隧道 ```bash modprobe ipip ifconfig tunl0 192.168.10.100 netmask 255.255.255.255 broadcast 192.168.10.100 up route add -host 192.168.10.100 dev tunl0 ``` 修改内核参数 ```bash echo 0 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/conf/tunl0/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/tunl0/arp_announce echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce echo 0 > /proc/sys/net/ipv4/conf/tunl0/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter ``` 启动服务 ```bash echo "RS SERVER" >index.html python -m SimpleHTTPServer 8080 ```   #### 客户端测试 ```bash curl http://192.168.10.100:8080 ``` ``` RS SERVER ``` `测试成功`   #### RS主机抓包 监听隧道接口 ```bash tcpdump -i tunl0 -nnn -vvv ``` ```bash 08:32:34.269392 IP (tos 0x0, ttl 64, id 51443, offset 0, flags [DF], proto TCP (6), length 60) 192.168.10.3.46734 > 192.168.10.100.8080: Flags [S], cksum 0xdbc2 (correct), seq 2270636359, win 28200, options [mss 1410,sackOK,TS val 1958324 ecr 0,nop,wscale 7], length 0 08:32:34.271186 IP (tos 0x0, ttl 64, id 51444, offset 0, flags [DF], proto TCP (6), length 52) 192.168.10.3.46734 > 192.168.10.100.8080: Flags [.], cksum 0xa968 (correct), seq 2270636360, ack 1942327447, win 221, options [nop,nop,TS val 1958326 ecr 1821109], length 0 08:32:34.271345 IP (tos 0x0, ttl 64, id 51445, offset 0, flags [DF], proto TCP (6), length 135) 192.168.10.3.46734 > 192.168.10.100.8080: Flags [P.], cksum 0xa230 (correct), seq 0:83, ack 1, win 221, options [nop,nop,TS val 1958327 ecr 1821109], length 83: HTTP, length: 83 GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 192.168.10.100:8080 Accept: */* ``` `通过上面的抓包日志可以分析DR已经将SYN包发送到RS主机` 监听eth1接口8080端口的数据包 ```bash tcpdump -i eth1 and port 8080 -nnn -vvv ``` ```bash 08:31:57.116678 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 192.168.10.100.8080 > 192.168.10.3.46732: Flags [S.], cksum 0x95e6 (incorrect -> 0x6552), seq 2019760809, ack 3127325422, win 27960, options [mss 1410,sackOK,TS val 1783956 ecr 1921172,nop,wscale 7], length 0 08:31:57.118567 IP (tos 0x0, ttl 64, id 8764, offset 0, flags [DF], proto TCP (6), length 52) 192.168.10.100.8080 > 192.168.10.3.46732: Flags [.], cksum 0x95de (incorrect -> 0xfff2), seq 1, ack 84, win 219, options [nop,nop,TS val 1783958 ecr 1921174], length 0 08:31:57.118811 IP (tos 0x0, ttl 64, id 8765, offset 0, flags [DF], proto TCP (6), length 69) 192.168.10.100.8080 > 192.168.10.3.46732: Flags [P.], cksum 0x95ef (incorrect -> 0x4015), seq 1:18, ack 84, win 219, options [nop,nop,TS val 1783958 ecr 1921174], length 17: HTTP, length: 17 HTTP/1.0 200 OK ``` `通过上面的抓包日志可以发现,RS也将应答包SYN+ACK直接发送给客户端` **`总结:LVS tunnel 跨网段转发是成功的。`**   ### LVS+TUNNEL(公网) `Ip Tunnel模式最大的优点就在于它可以跨网段转发,没有DR和NAT模式的组网限制。这在部署上带来的很大的灵活性,甚至还可以跨机房转发,不过不建议这样使用,一是会带来跨机房间的流量,提高了成本;二是跨机房转发必然会要在RS机房上绑定LVS机房的VIP,这有可能会被运营商的防火墙认为是IP伪造请求而拦截` #### 准备环境(Vultr VPS) ```bash Client: 183.54.238.66 VIP: 104.238.150.254 LVS主机: 167.179.115.37 Real Server: 202.182.125.31 139.180.202.67 网络模式:TUNNEL ```   #### **DR配置** DR主机所在的VPS申请添加一个公网ip,配置到eth0:1接口上 ```bash ifconfig eth0:1 104.238.150.254 netmask 255.255.255.255 broadcast 104.238.150.254 up route add -host 104.238.150.254 dev eth0:1 ``` 修改内核参数 ```bash echo "0" >/proc/sys/net/ipv4/ip_forward echo "1" >/proc/sys/net/ipv4/conf/all/send_redirects echo "1" >/proc/sys/net/ipv4/conf/default/send_redirects echo "1" >/proc/sys/net/ipv4/conf/eth0/send_redirects ``` 配置lvs ```bash ipvsadm -C ipvsadm -A -t 104.238.150.254:8080 -s rr ipvsadm -a -t 104.238.150.254:8080 -r 202.182.125.31 -i ipvsadm -a -t 104.238.150.254:8080 -r 139.180.202.67 -i ```   #### **RS配置** 配置tunnel隧道 ```bash modprobe ipip ifconfig tunl0 104.238.150.254 netmask 255.255.255.255 broadcast 104.238.150.254 up route add -host 104.238.150.254 dev tunl0 ``` 修改内核参数 ```bash echo 0 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/conf/tunl0/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/tunl0/arp_announce echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce echo 0 > /proc/sys/net/ipv4/conf/tunl0/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter ``` 启动服务 ```bash python -m SimpleHTTPServer 8080 ```   #### 客户端测试 浏览器访问 `http://104.238.150.254:8080` `浏览器显示访问不了!!!`   #### RS主机抓包 监听隧道接口 ```bash tcpdump -i tunl0 -nnn -vvv ``` ```bash tcpdump: listening on tunl0, link-type RAW (Raw IP), capture size 262144 bytes 09:20:12.713031 IP (tos 0x0, ttl 116, id 29938, offset 0, flags [DF], proto TCP (6), length 48) 183.54.238.66.63376 > 104.238.150.254.8080: Flags [S], cksum 0x5a81 (correct), seq 3523639844, win 8192, options [mss 1440,nop,nop,sackOK], length 0 09:20:54.742880 IP (tos 0x0, ttl 116, id 30339, offset 0, flags [DF], proto TCP (6), length 52) 183.54.238.66.63400 > 104.238.150.254.8080: Flags [S], cksum 0xb006 (correct), seq 2103403813, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0 09:20:54.993380 IP (tos 0x0, ttl 116, id 30342, offset 0, flags [DF], proto TCP (6), length 52) 183.54.238.66.63402 > 104.238.150.254.8080: Flags [S], cksum 0x8306 (correct), seq 484897436, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0 09:20:57.744463 IP (tos 0x0, ttl 116, id 30376, offset 0, flags [DF], proto TCP (6), length 52) ``` `通过上面的抓包日志可以分析DR已经将SYN包发送到RS主机` 监听客户端访问服务器8080端口的数据包 ```bash tcpdump -i eth0 host 183.54.238.66 and port 8080 -vvv -nnn ``` ```bash tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 09:19:13.659753 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 104.238.150.254.8080 > 183.54.238.66.63354: Flags [S.], cksum 0xa58c (incorrect -> 0x6d88), seq 2281292955, ack 1846351957, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:19:14.861060 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 104.238.150.254.8080 > 183.54.238.66.63354: Flags [S.], cksum 0xa58c (incorrect -> 0x6d88), seq 2281292955, ack 1846351957, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:19:16.660745 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 104.238.150.254.8080 > 183.54.238.66.63354: Flags [S.], cksum 0xa58c (incorrect -> 0x6d88), seq 2281292955, ack 1846351957, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 09:19:19.061063 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) ``` `通过上面的抓包日志可以发现,RS也将应答包SYN+ACK直接发送给客户端` **`总结:LVS tunnel DR转发,RS应答是正常的。RS应答的时候被Vultr的防火墙认为是IP伪造请求而拦截,所以导致实验失败!`**   ### LVS+FULLNAT `LVS 当前应用主要采用 DR 和 NAT 模式,但这 2 种模式要求 RealServer 和 LVS 在同一个 vlan中,导致部署成本过高;TUNNEL 模式虽然可以跨 vlan,但 RealServer上需要部署 ipip 模块等,网络拓扑上需要连通外网,较复杂,不易运维。` `为了解决上述问题,我们在 LVS 上添加了一种新的转发模式:FULLNAT,该 模式和 NAT 模式的区别是:Packet IN 时,除了做 DNAT,还做 SNAT(用户 ip->内 网 ip),从而实现 LVS-RealServer 间可以跨 vlan 通讯,RealServer 只需要连接到内 网;` LVS FULLNAT 实战:https://www.haxi.cc/archives/LVS-FULLNAT实战.html 相关链接: LVS-ospf集群:http://noops.me/?p=974
阅读 10 评论 0 收藏 0
阅读 10
评论 0
收藏 0

   2018-07-02 17:58:12    2019-11-14 14:34:47   

高可用 Keepavlied 负载均衡 ipvs
### 安装Keepalived ```bash yum install keepalived -y ``` &emsp; ### 使用简单的failover 参考:https://docs.oracle.com/cd/E37670_01/E41138/html/section_uxg_lzh_nr.html 典型的Keepalived高可用性配置包括一个主服务器和一个或多个备份服务器。一个或多个虚拟IP地址(定义为VRRP实例)被分配给主服务器的网络接口,以便它可以为网络客户端提供服务。备份服务器侦听主服务器定期发送的组播VRRP通告报文。默认广告时间间隔为一秒。如果备份节点无法接收三个连续的VRRP通告,则具有最高分配优先级的备份服务器将接管主服务器,并将虚拟IP地址分配给其自己的网络接口。如果多个备份服务器具有相同的优先级,则具有最高IP地址值的备份服务器将成为主服务器 以下示例使用Keepalived在两台服务器上实现简单的故障转移配置。一台服务器充当主服务器,另一台服务器充当备份服务器,主服务器的优先级高于备份服务器。 显示虚拟IP地址10.0.0.100最初如何分配给主服务器(10.0.0.71)。当主服务器发生故障时,备份服务器(10.0.0.72)将成为新的主服务器,并被分配虚拟IP地址10.0.0.100。 &emsp; ![](https://docs.oracle.com/cd/E37670_01/E41138/html/images/keepalived1.png) &emsp; #### master配置 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini global_defs { notification_email { root@mydomain.com } notification_email_from svr1@mydomain.com smtp_server localhost smtp_connect_timeout 30 } vrrp_instance VRRP1 { state MASTER # Specify the network interface to which the virtual address is assigned interface eth0 # The virtual router ID must be unique to each VRRP instance that you define virtual_router_id 41 # Set the value of priority higher on the master server than on a backup server priority 200 advert_int 1 authentication { auth_type PASS auth_pass 1066 } virtual_ipaddress { 10.0.0.100/24 } } ``` &emsp; #### backup配置 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini global_defs { notification_email { root@mydomain.com } notification_email_from svr2@mydomain.com smtp_server localhost smtp_connect_timeout 30 } vrrp_instance VRRP1 { state BACKUP # Specify the network interface to which the virtual address is assigned interface eth0 virtual_router_id 41 # Set the value of priority lower on the backup server than on the master server priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1066 } virtual_ipaddress { 10.0.0.100/24 } } ``` 如果主服务器(svr1)发生故障,keepalived会将虚拟IP地址10.0.0.100/24分配给备份服务器(svr2)上的eth0接口,该服务器将成为主服务器。 #### 查看master网卡分配的VIP ```bash ip addr list eth0 ``` ``` 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 08:00:27:cb:a6:8d brd ff:ff:ff:ff:ff:ff inet 10.0.0.72/24 brd 10.0.0.255 scope global eth0 inet 10.0.0.100/24 scope global eth0 inet6 fe80::a00:27ff:fecb:a68d/64 scope link valid_lft forever preferred_lft forever ``` #### 查看backup日志 ```bash tail -f /var/log/messages ``` ``` ...51:55 ... VRRP_Instance(VRRP1) Entering BACKUP STATE ... ...53:08 ... VRRP_Instance(VRRP1) Transition to MASTER STATE ...53:09 ... VRRP_Instance(VRRP1) Entering MASTER STATE ...53:09 ... VRRP_Instance(VRRP1) setting protocol VIPs. ...53:09 ... VRRP_Instance(VRRP1) Sending gratuitous ARPs on eth0 for 10.0.0.100 ``` &emsp; ### Keepalived负载均衡之NAT模式(双网卡场景) 以下示例在NAT模式下使用Keepalived在两台服务器上实现简单的故障转移和负载平衡配置。一台服务器充当主服务器,另一台服务器充当备份服务器,主服务器的优先级高于备份服务器。每个服务器都有两个网络接口,其中一个接口连接到面向外部网络(192.168.1.0/24)的一侧,另一个接口连接到内部网络(10.0.0.0/24),其中两个Web服务器可以访问。 &emsp; ![](https://docs.oracle.com/cd/E37670_01/E41138/html/images/keepalived2.png) &emsp; #### master配置 此配置类似“使用简单的failover”,增加了vrrp_sync_group部分,以便在故障转移时将网络接口一起分配,并使用virtual_server部分定义真实的后备Keepalived用于负载平衡的终端服务器。 lb_kind的值设置为NAT(网络地址转换),这意味着Keepalived服务器代表后端服务器处理来自客户端的入站和出站网络流量。 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini global_defs { notification_email { root@mydomain.com } notification_email_from svr1@mydomain.com smtp_server localhost smtp_connect_timeout 30 } vrrp_sync_group VRRP1 { # Group the external and internal VRRP instances so they fail over together group { external internal } } vrrp_instance external { state MASTER interface eth0 virtual_router_id 91 priority 200 advert_int 1 authentication { auth_type PASS auth_pass 1215 } # Define the virtual IP address for the external network interface virtual_ipaddress { 192.168.1.1/24 } } vrrp_instance internal { state MASTER interface eth1 virtual_router_id 92 priority 200 advert_int 1 authentication { auth_type PASS auth_pass 1215 } # Define the virtual IP address for the internal network interface virtual_ipaddress { 10.0.0.100/24 } } # Define a virtual HTTP server on the virtual IP address 192.168.1.1 virtual_server 192.168.1.1 80 { delay_loop 10 protocol TCP # Use round-robin scheduling in this example lb_algo rr # Use NAT to hide the back-end servers lb_kind NAT # Persistence of client sessions times out after 2 hours persistence_timeout 7200 real_server 10.0.0.71 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } real_server 10.0.0.72 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } } ``` &emsp; #### backup配置 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini global_defs { notification_email { root@mydomain.com } notification_email_from svr2@mydomain.com smtp_server localhost smtp_connect_timeout 30 } vrrp_sync_group VRRP1 { # Group the external and internal VRRP instances so they fail over together group { external internal } } vrrp_instance external { state BACKUP interface eth0 virtual_router_id 91 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1215 } # Define the virtual IP address for the external network interface virtual_ipaddress { 192.168.1.1/24 } } vrrp_instance internal { state BACKUP interface eth1 virtual_router_id 92 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1215 } # Define the virtual IP address for the internal network interface virtual_ipaddress { 10.0.0.100/24 } } # Define a virtual HTTP server on the virtual IP address 192.168.1.1 virtual_server 192.168.1.1 80 { delay_loop 10 protocol TCP # Use round-robin scheduling in this example lb_algo rr # Use NAT to hide the back-end servers lb_kind NAT # Persistence of client sessions times out after 2 hours persistence_timeout 7200 real_server 10.0.0.71 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } real_server 10.0.0.72 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } } ``` &emsp; #### 防火墙配置 如果将Keepalived配置为使用NAT模式与内部网络上的服务器进行负载平衡,则Keepalived服务器将处理所有入站和出站网络流量,并通过重写真实服务器的源IP地址来隐藏后端服务器,使用外部网络接口的虚拟IP地址在传出数据包。 开启IP伪装(master/backup) ```bash iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE service iptables save ``` 允许网卡之间的转发(master/backup) ```bash iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited service iptables save ``` 开放端口(以HTTP为例) ```bash iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT service iptables save ``` &emsp; #### 创建VIP的路由(后端服务器) ```bash ip route add default via 10.0.0.100 dev eth0 ip route show ``` ``` default via 10.0.0.100 dev eth0 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.71 ``` 永久生效 ```bash echo "default via 10.0.0.100 dev eth0" > /etc/sysconfig/network-scripts/route-eth0 ``` &emsp; ### Keepalived负载均衡之NAT模式(单网卡场景) `注意:不能在同一网段直接访问虚拟IP,因为真实服务针对客户端发来的数据包,应答的时候不会经过keepalived(数据包不需要路由),改不了数据包,所以访问不了。如果keepalived和真实主机处于同一内网推荐使用DR模式,代理性能更高,此处仅为实验,为了更深入理解。` 此配置类似“Keepalived负载均衡之NAT模式(双网卡场景)” ![](https://image.ynotes.cn/keepalived_single_network.png) &emsp; #### master配置 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini ! Configuration File for keepalived global_defs { notification_email { test01@ynotes.cn } notification_email_from haproxy1@ynotes.cn smtp_server localhost smtp_connect_timeout 30 router_id LVS_DEVEL vrrp_skip_check_adv_addr #vrrp_strict #严格执行VRRP协议规范,此模式不支持节点单播,注销该参数 vrrp_garp_interval 0 vrrp_gna_interval 0 } vrrp_instance VI_1 { state MASTER interface enp0s3 virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.50.240 } } virtual_server 192.168.50.240 5555 { delay_loop 6 lb_algo rr lb_kind NAT persistence_timeout 50 protocol TCP real_server 192.168.50.251 5555 { weight 1 TCP_CHECK { connect_port 5555 connect_timeout 3 } } real_server 192.168.50.252 5555 { weight 1 TCP_CHECK { connect_port 5555 connect_timeout 3 } } } ``` &emsp; #### backup配置 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini ! Configuration File for keepalived global_defs { notification_email { test01@ynotes.cn } notification_email_from haproxy2@ynotes.cn smtp_server localhost smtp_connect_timeout 30 router_id LVS_DEVEL vrrp_skip_check_adv_addr #vrrp_strict #严格执行VRRP协议规范,此模式不支持节点单播,注销该参数 vrrp_garp_interval 0 vrrp_gna_interval 0 } vrrp_instance VI_1 { state BACKUP interface enp0s3 virtual_router_id 51 priority 80 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.50.240 } } virtual_server 192.168.50.240 5555 { delay_loop 6 lb_algo rr lb_kind NAT persistence_timeout 50 protocol TCP real_server 192.168.50.251 5555 { weight 1 TCP_CHECK { connect_port 5555 connect_timeout 3 } } real_server 192.168.50.252 5555 { weight 1 TCP_CHECK { connect_port 5555 connect_timeout 3 } } } ``` &emsp; #### 开启端口转发(master/backup) ```bash echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctl -p ``` ``` net.ipv4.ip_forward = 1 ``` &emsp; #### 防火墙配置 对后端服务器的流量进行转发 开启SNAT(master/backup) ```bash iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.50.251/32 -j SNAT --to-source 192.168.50.240 #对源地址为192.168.50.251的数据包替换源地址为192.168.50.240 iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.50.252/32 -j SNAT --to-source 192.168.50.240 service iptables save #永久保存配置 ``` &emsp; #### 修改默认网关(后端服务器) ```bash vim /etc/sysconfig/network-scripts/ifcfg-enp0s3 #修改默认网关 ``` ```bash GATEWAY0=192.168.50.240 #这里配置成VIP地址 ``` ```bash systemctl restart network #重启网卡 ip route #查看路由信息 ``` ``` default via 192.168.50.240 dev enp0s3 proto static metric 100 172.10.0.0/24 dev br-975d989973b4 proto kernel scope link src 172.10.0.1 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 172.18.0.0/16 dev br-b64efd3fb71e proto kernel scope link src 172.18.0.1 172.20.0.0/16 dev docker_gwbridge proto kernel scope link src 172.20.0.1 192.168.50.0/24 dev enp0s3 proto kernel scope link src 192.168.50.252 metric 100 192.168.100.0/24 dev br-ea58d9f6ef1f proto kernel scope link src 192.168.100.1 ``` &emsp; ### Keepalived负载均衡之DR模式 以下示例在直接路由(DR)模式下使用Keepalived在两台服务器上实现简单的故障转移和负载平衡配置。一台服务器充当主服务器,另一台服务器充当备份服务器,主服务器的优先级高于备份服务器。每个Keepalived服务器都有一个网络接口,服务器连接到同一网段(10.0.0.0/24),可以访问两个Web服务器。 下图显示Keepalived主服务器具有网络地址10.0.0.11和10.0.0.1(虚拟)。 Keepalived备份服务器的网络地址为10.0.0.12。 Web服务器websvr1和websvr2分别具有网络地址10.0.0.71和10.0.0.72。此外,两个Web服务器都配置了虚拟IP地址10.0.0.1,以使它们接受具有该目标地址的数据包。主服务器接收传入请求并重定向到Web服务器,Web服务器直接响应。 &emsp; ![](https://docs.oracle.com/cd/E37670_01/E41138/html/images/keepalived3.png) #### master配置 类似“Keepalived负载均衡之NAT模式”的配置,但lb_kind的值设置为DR(直接路由),这意味着Keepalived服务器处理来自的所有入站网络包,出站网络包由后端服务器直接回复客户端,绕过Keepalived服务器。此配置减少了Keepalived服务器上的负载,但安全性较低,因为每个后端服务器都需要外部访问。某些实现使用额外的网络接口,每个Web服务器都有一个专用网关来处理响应网络包。 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini global_defs { notification_email { root@mydomain.com } notification_email_from svr1@mydomain.com smtp_server localhost smtp_connect_timeout 30 } vrrp_instance external { state MASTER interface eth0 virtual_router_id 91 priority 200 advert_int 1 authentication { auth_type PASS auth_pass 1215 } virtual_ipaddress { 10.0.0.1/24 } } virtual_server 10.0.0.1 80 { delay_loop 10 protocol TCP lb_algo rr # Use direct routing lb_kind DR persistence_timeout 7200 real_server 10.0.0.71 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } real_server 10.0.0.72 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } } ``` &emsp; #### backup配置 ```bash vim /etc/keepalived/keepalived.conf ``` ```ini global_defs { notification_email { root@mydomain.com } notification_email_from svr2@mydomain.com smtp_server localhost smtp_connect_timeout 30 } vrrp_instance external { state BACKUP interface eth0 virtual_router_id 91 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1215 } virtual_ipaddress { 10.0.0.1/24 } } virtual_server 10.0.0.1 80 { delay_loop 10 protocol TCP lb_algo rr # Use direct routing lb_kind DR persistence_timeout 7200 real_server 10.0.0.71 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } real_server 10.0.0.72 80 { weight 1 TCP_CHECK { connect_timeout 5 connect_port 80 } } } ``` &emsp; #### 防火墙配置 开启服务端口,以http服务为例(master/backup) ```bash iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT service iptables save ``` &emsp; #### 后端服务器(RS)配置 ```bash echo "net.ipv4.conf.lo.arp_ignore = 1" >> /etc/sysctl.conf #只响应目的IP地址为接收网卡上的本地地址的arp请求 echo "net.ipv4.conf.lo.arp_announce = 2" >> /etc/sysctl.conf echo "net.ipv4.conf.all.arp_ignore = 1" >> /etc/sysctl.conf echo "net.ipv4.conf.all.arp_announce = 2" >> /etc/sysctl.conf sysctl -p ``` ``` net.ipv4.conf.lo.arp_ignore = 1 net.ipv4.conf.lo.arp_announce = 2 net.ipv4.conf.all.arp_ignore = 1 net.ipv4.conf.all.arp_announce = 2 ``` ```bash echo "ifconfig lo:0 10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.255 up" >> /etc/rc.local ifconfig lo:0 10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.255 up ip addr show lo ``` ``` 2: lo: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 08:00:27:cb:a6:8d brd ff:ff:ff:ff:ff:ff inet 10.0.0.72/24 brd 10.0.0.255 scope global eth0 inet 10.0.0.1/24 brd 10.0.0.255 scope global secondary eth0 inet6 fe80::a00:27ff:fecb:a68d/64 scope link valid_lft forever preferred_lft forever ```
阅读 15 评论 0 收藏 0
阅读 15
评论 0
收藏 0

   2018-07-02 11:31:47    2018-11-14 14:35:02   

HAProxy Keepalived 高可用 负载均衡 LoadBalance
### 准备工作 ```bash HAProxy/Keepalived 192.168.50.250 (Master) 192.168.50.253 (Backup) web服务器 192.168.50.251 192.168.50.252 VIP地址 192.168.50.240 ``` ### HAProxy(Master) #### 安装HAProxy ```bash yum install haproxy -y ``` &emsp; #### 开启IP转发 ```bash echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf sysctl -p ``` ``` net.ipv4.ip_forward = 1 net.ipv4.ip_nonlocal_bind = 1 ``` &emsp; #### 配置HAProxy ```bash cat /etc/haproxy/haproxy.cfg ``` ```ini global log 127.0.0.1 local2 #日志输出配置,所有日志都记录在本机,通过local0输出 chroot /var/lib/haproxy #改变工作目录 pidfile /var/run/haproxy.pid maxconn 80000 #限制单个进程的最大连接数 user haproxy #所属运行用户 group haproxy #所属运行用户组 daemon #后台运行 nbproc 1 #指定作为守护进程运行时的进程数 stats socket /var/lib/haproxy/stats defaults mode http #mode {http|tcp|health},http是七层模式,tcp是四层模式,health是健康检测返回OK log global option httplog #http 日志格式 option dontlognull #不记录空连接 option http-server-close option forwardfor except 127.0.0.0/8 option redispatch #在连接失败或断开的情况下,允许当前会话被重新分发 retries 3 #设置在一个服务器上链接失败后的重连次数 timeout http-request 10s timeout queue 1m timeout connect 10s #连接超时 timeout client 1m #客户端超时 timeout server 1m #服务器超时 timeout http-keep-alive 10s timeout check 10s #心跳检测超时 maxconn 80000 #限制单个进程的最大连接数 #前端代理web frontend web bind *:5555 #acl www hdr(host) -i www.ynotes.cn #acl规则,-i是访问的域名,如果访问的是www.ynotes.cn,分发到后端www #acl image hdr(host) -i image.ynotes.cn #use_backend www if www #use_backend image if image default_backend web #backend www # mode http # balance roundrobin # server web2 192.168.50.252:5555 check #backend image # mode http # balance roundrobin # server web1 192.168.50.251:5555 check backend web balance roundrobin server web1 192.168.50.251:5555 check inter 2000 fall 3 server web2 192.168.50.252:5555 check inter 2000 fall 3 listen status #启动统计页面 bind *:7777 mode http stats enable stats refresh 10s stats uri /haproxy stats realm Haproxy\ Statistics stats auth admin:admin stats hide-version ``` #### 开启HAProxy日志 修改rsyslog配置文件 ```bash vim /etc/rsyslog.conf ``` ```ini #启用在udp 514端口接收日志消息 $ModLoad imudp $UDPServerRun 514 #在rules(规则)节中添加如下信息 local2.* /var/log/haproxy.log #表示将发往facility local2的消息写入haproxy.log文件中,"local2.* "前面的local2表示facility,预定义的。*表示所有等级的消息 ``` 重启rsyslog ```bash systemctl restart rsyslog ``` &emsp; #### 配置两台nginx 192.168.50.251/192.168.50.252 ```bash cat /etc/nginx.conf ``` ```ini ... server { listen 5555; location / { root /var/www/haproxy/node; } } ... ``` 192.168.50.251 ```bash echo 192.168.50.251 >/var/www/haproxy/node/index.html ``` 192.168.50.252 ```bash echo 192.168.50.252 >/var/www/haproxy/node/index.html ``` &emsp; #### HAProxy启动关闭与开机启动 启动/关闭 ```bash systemctl start haproxy systemctl stop haproxy ``` 开机启动/禁用 ```bash systemctl enable haproxy systemctl disable haproxy ``` &emsp; #### 防火墙开启访问HAProxy代理的服务 iptable ```bash iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5555 -j ACCEPT iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 7777 -j ACCEPT ``` firewalld ```bash firewall-cmd --zone=<zone> --add-port=5555/tcp --permanent#zone指定网卡接口应用的区域,可通过firewall-cmd --get-zone-of-interface=<interface> 查看网卡所在区域,添加网卡到指定区域firewall-cmd --permanent --zone=<zone> --change-interface=<interface> firewall-cmd --zone=<zone> --add-port=7777/tcp --permanent firewall-cmd --reload ``` &emsp; #### 测试访问HAProxy代理 ```bash while true; do curl http://192.168.50.253:5555; sleep 1; done ``` ``` 192.168.50.252 192.168.50.251 192.168.50.252 192.168.50.251 192.168.50.252 ^C ``` &emsp; #### 访问统计页面 http://192.168.50.253:7777/haproxy ![](https://image.ynotes.cn/haproxy_statistics.png) &emsp; #### 配置HAProxy会话粘滞 开启会话粘滞,使用cookie参数SERVER的值做匹配 ```bash cat /etc/haproxy/haproxy.cfg ``` ```ini #balance roundrobin #注释改行 cookie SERVER insert server web1 192.168.50.251:5555 cookie 1 check server web2 192.168.50.252:5555 cookie 2 check ``` 测试 ```bash while true; do curl http://192.168.50.253:5555 --cookie "SERVER=1"; sleep 1; done ``` ``` 192.168.50.251 192.168.50.251 192.168.50.251 ^C ``` ```bash while true; do curl http://192.168.50.253:5555 --cookie "SERVER=2"; sleep 1; done ``` ``` 192.168.50.252 192.168.50.252 192.168.50.252 ^C ``` 开启会话粘滞,使用cookie参数前缀名做匹配,使用"\~"做分隔符,以SESSIONID为例,格式如:set-Cookie: SESSIONID=N\~Session_ID; ```bash cat /etc/haproxy/haproxy.cfg ``` ```ini #balance roundrobin #注释改行 cookie SESSIONID prefix server web1 192.168.50.251:5555 cookie 1 check server web2 192.168.50.252:5555 cookie 2 check ``` 测试 ```bash while true; do curl http://192.168.50.253:5555 --cookie "SESSIONID=1~AAA"; sleep 1; done ``` ``` 192.168.50.251 192.168.50.251 192.168.50.251 ^C ``` ```bash while true; do curl http://192.168.50.253:5555 --cookie "SESSIONID=2~AAA"; sleep 1; done ``` ``` 192.168.50.252 192.168.50.252 192.168.50.252 ^C ``` &emsp; ### HAProxy(Backup) `同Master` &emsp; ### keepalived(Master) #### 安装keepalived ```bash yum install keepalived -y ``` #### 配置Keepalived ```bash vim /etc/keepalived/keepalived.conf ``` ```bash global_defs { notification_email { test01@ynotes.cn } notification_email_from haproxy1@ynotes.cn smtp_server localhost smtp_connect_timeout 30 router_id LVS_DEVEL vrrp_skip_check_adv_addr vrrp_strict vrrp_garp_interval 0 vrrp_gna_interval 0 } vrrp_script chk_haproxy { script "/etc/keepalived/check_haproxy.sh" interval 5 weight -4 } vrrp_instance VI_1 { state MASTER interface enp0s3 virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.50.240 } track_script { chk_haproxy } } ``` ```bash cat /etc/keepalived/check_haproxy.sh ``` ```bash #!/bin/bash if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then systemctl start haproxy sleep 2 #睡眠时间少于vrrp_script 中的interval 5参数值 if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then systemctl stop keepalived fi fi ``` #### 开启路由转发(前面已开启,如果单独配置keepalived需开启) ```bash echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctl -p ``` ``` net.ipv4.ip_forward = 1 ``` #### Keepalived启动关闭与开机启动 启动/关闭 ```bash systemctl start keepalived systemctl stop keepalived ``` 开机启动/禁用 ```bash systemctl enable keepalived systemctl disable keepalived ``` &emsp; ### keepalived(Backup) #### 安装keepalived ```bash yum install keepalived -y ``` #### 配置Keepalived ```bash vim /etc/keepalived/keepalived.conf ``` ```bash global_defs { notification_email { test01@ynotes.cn } notification_email_from haproxy1@ynotes.cn smtp_server localhost smtp_connect_timeout 30 router_id LVS_DEVEL vrrp_skip_check_adv_addr vrrp_strict vrrp_garp_interval 0 vrrp_gna_interval 0 } vrrp_script chk_haproxy { script "/etc/keepalived/check_haproxy.sh" interval 5 weight -4 } vrrp_instance VI_1 { state BACKUP interface enp0s3 virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.50.240 } track_script { chk_haproxy } } ``` `其他同Master` &emsp; #### 测试 停止192.168.50.253的keeaplived ```bash systemctl stop keepalived ``` 查看192.168.50.253的vip ```bash ip a|grep 192.168.50.240 #执行无输出 ``` 查看192.168.50.250的vip ```bash ip a|grep 192.168.50.240 #输出VIP ``` ```bash inet 192.168.50.240/32 scope global enp0s3 ``` 访问192.168.50.240:5555 ```bash curl http://192.168.50.240:5555 #看到192.168.50.250成功接管VIP,并且能访问页面 ``` ``` 192.168.50.252 ```
阅读 10 评论 0 收藏 0
阅读 10
评论 0
收藏 0


第 1 页 / 共 2 页
 
第 1 页 / 共 2 页