lvs-nat
修改请求报文的目标IP,多目标IP的DNAT
配置网络
LVS主机 注意网卡的顺序 (nat和主机模式)
[root@lvs ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.136.100/24,192.168.136.2
method=manual
dns=114.114.114.114;
[root@lvs ~]# cat /etc/NetworkManager/system-connections/ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.100/24
method=manual
dns=114.114.114.114;
打开内核路由功能 让两个网卡通讯
[root@lvs ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward =
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@lvs ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
# 生效
[root@lvs ~]# sysctl -p
net.ipv4.ip_forward = 1
server1
[root@server1 ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.0.10/24,192.168.0.100
method=manual
server2
[root@server2 ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.0.20/24,192.168.0.100
method=manual
配置httpd服务
server1
yum install httpd -y
echo webserver1 - 192.168.0.10 > /var/www/html/index.html
systemctl enable --now httpd
server2
yum install httpd -y
echo webserver1 - 192.168.0.20 > /var/www/html/index.html
systemctl enable --now httpd
在lvs主机中测试
[root@lvs ~]# curl 192.168.0.10
webserver1 - 192.168.0.10
[root@lvs ~]# curl 192.168.0.20
webserver2 - 192.168.0.20
LVS中 下载安装LVS 添加策略
dnf install ipvsadm -y
lvsadm的相关命令
管理集群服务 ipvsadm -A|E -t(tcp)|u(udp)|f(防护墙标签) \
-A #添加
-E #修改
-t #tcp服务
-u #udp服务
-s #指定调度算法,默认为WLC
-p #设置持久连接超时,持久连接可以理解为在同一个时间段同一个来源的请求调度到同一Realserver
-f #firewall mask 火墙标记,是一个数字
管理集群中的real server
ipvsadm -a|e -t|u|f service-address -r server-address [-g | -i| -m](工作模式) [-w weight](权重)
-a #添加realserver
-e #更改realserver
-t #tcp协议 -u #udp协议
-f #火墙 标签
-r #realserver地址
-g #直连路由模式
-i #ipip隧道模式
-m #nat模式
-w #设定权重
-Z #清空计数器
-C #清空lvs策略
-L #查看lvs策略
-n #不做解析
--rate :输出速率信息
看策略的命令
ipvsadm -Ln
添加策略
ipvsadm -A 添加一个集群服务,需要使用选项 rr 轮询 静态算法 -s 指定集群服务使用的调度算法 -m是nat模式
ipvsadm -A -t 192.168.136.100:80 -s rr
ipvsadm -a -t 192.168.136.100:80 -r 192.168.0.10:80 -m
ipvsadm -a -t 192.168.136.100:80 -r 192.168.0.20:80 -m
查看策略
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.136.100:80 rr
-> 192.168.0.10:80 Masq 1 0 0
-> 192.168.0.20:80 Masq 1 0 0
测试
[root@server ~]# for i in {1..10}
> do
> curl 192.168.136.100
> done
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
保存策略
[root@lvs ~]# ipvsadm-save
保存进文件
[root@lvs ~]# ipvsadm-save > /etc/sysconfig/ipvsadm
ps: 最好把解析做好 否则很慢
不做解析的化,可以加-n选项
[root@lvs ~]# ipvsadm-save -n > /etc/sysconfig/ipvsadm
将策略清空,重新导入
[root@lvs ~]# ipvsadm -C
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
[root@lvs ~]# ipvsadm-restore < /etc/sysconfig/ipvsadm
以上用的是rr算法 接下来介绍wrr算法 (加权轮询)
WRR:Weighted RR,加权轮询根据RS的配置进行加权调度,性能差的RS被调度的次数少
清空策略
[root@lvs ~]# ipvsadm -C
重新添加策略 -w 2 既10的主机访问两次 -w 1 既20的主机访问一次
[root@lvs ~]# ipvsadm -A -t 192.168.136.100:80 -s wrr
[root@lvs ~]# ipvsadm -a -t 192.168.136.100:80 -r 192.168.0.10 -m -w 2
[root@lvs ~]# ipvsadm -a -t 192.168.136.100:80 -r 192.168.0.20 -m -w 1
测试
[root@client ~]# curl 192.168.136.100
webserver2 - 192.168.0.20
[root@client ~]# curl 192.168.136.100
webserver1 - 192.168.0.10
[root@client ~]# curl 192.168.136.100
webserver1 - 192.168.0.10
lvs-DR
DR:Direct Routing,直接路由,LVS默认模式,应用最广泛,通过为请求报文重新封装一个MAC首部进行 转发,源MAC是DIP所在的接口的MAC,目标MAC是某挑选出的RS的RIP所在接口的MAC地址;源 IP/PORT,以及目标IP/PORT均保持不变
根本:解决nat模式中的VS压力问题
实验图
网络配置
lvs主机
client
[root@client ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.136.128/24,192.168.136.100
method=manual
dns=114.114.114.114;
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.136.100 0.0.0.0 UG 100 0 0 ens160
192.168.136.0 0.0.0.0 255.255.255.0 U 100 0 0 ens160
router主机 一个nat 一个仅主机
[root@router ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.136.100/24,192.168.136.2
method=manual
dns=114.114.114.114;
[root@router ~]# cat /etc/NetworkManager/system-connections/ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.100/24
method=manual
[root@router ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
lvs主机
[root@lvs ~]# ip a a 192.168.0.200/32 dev lo
[root@lvs ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.0.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:96:71:57 brd ff:ff:ff:ff:ff:ff
altname enp19s0
inet 192.168.0.50/24 brd 192.168.0.255 scope global noprefixroute ens224
valid_lft forever preferred_lft forever
inet6 fe80::e57b:8655:5c22:2be8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@lvs ~]# cat /etc/NetworkManager/system-connections/ens224.nmconnection
[connection]
id=ens224
type=ethernet
interface-name=ens224
[ipv4]
address1=192.168.0.50/24,192.168.0.100
method=manual
dns=114.114.114.114;
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.100 0.0.0.0 UG 100 0 0 ens224
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
server1 仅主机 记得配httpd 上面已经配置过了
[root@server1 ~]# ip a a 192.168.0.200/32 dev lo
[root@server1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.0.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:8a:ae:0e brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.0.10/24 brd 192.168.0.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::efbe:acf4:b525:3659/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@server1 ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.0.10/24,192.168.0.100
method=manual
rs主机中 使VIP不对外响应 禁用arp
[root@server1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@server1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@server1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@server1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
server2 与server1类似 记得配httpd
[root@server2 ~]# ip a a 192.168.0.200/32 dev lo
[root@server2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.0.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:69:ad:c8 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.0.20/24 brd 192.168.0.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::661e:8965:208d:b9b3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@server2 ~]# cat /etc/NetworkManager/system-connections/ens160.nmconnection
[connection]
id=ens160
type=ethernet
interface-name=ens160
[ipv4]
address1=192.168.0.20/24,192.168.0.100
method=manual
dns=114.114.114.114;
rs主机中 使VIP不对外响应 禁用arp协议
[root@server2 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@server2 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@server2 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@server2 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
如果永久禁用arp那么写进配置文件
LVS主机写策略
测试
防火墙标记解决轮询问题
当我们使用https服务时,RS安装mod_ssl模块 https
[root@server1 ~]# yum install mod_ssl -y
[root@server1 ~]# systemctl restart httpd
[root@server1 ~]# curl -k https://192.168.0.10 -k不用证书
假设我们的策略是这样写的
ipvsadm -A -t 192.168.0.200:443 -s rr
ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.10:443 -g
ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.20:443 -g
ipvsadm -A -t 192.168.0.200:443 -s rr
ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.10:443 -g
ipvsadm -a -t 192.168.0.200:443 -r 192.168.0.20:443 -g
问题:只会访问同一台
[root@client ~]# curl 192.168.0.200; curl -k https://192.168.0.200
webserver2 - 192.168.0.10
webserver1 - 192.168.0.10
[root@client ~]# curl 192.168.0.200; curl -k https://192.168.0.200
webserver2 - 192.168.0.20
webserver1 - 192.168.0.20
怎么解决呢??
防火墙标记解决轮询问题
[root@lvs ~]# iptables -t mangle -nL
# lvs主机中为端口做标记
[root@lvs ~]# iptables -t mangle -A PREROUTING -d 192.168.0.200 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 66
[root@lvs ~]# iptables -t mangle -nL
[root@lvs ~]# ipvsadm -C
[root@lvs ~]# ipvsadm -A -f 66 -s rr
[root@lvs ~]# ipvsadm -a -f 66 -r 192.168.0.10 -g
[root@lvs ~]# ipvsadm -a -f 66 -r 192.168.0.20 -g
测试
[root@client ~]# curl 192.168.0.200; curl -k https://192.168.0.200
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
[root@client ~]# curl 192.168.0.200; curl -k https://192.168.0.200
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
[root@client ~]# curl 192.168.0.200; curl -k https://192.168.0.200
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
大功告成!!!