赞
踩
1. LVS(Linux Virtual Server)即Linux虚拟服务器,是一个虚拟的服务器集群系统,目前 LVS 是 Linux 内核标准的一部分。
2. 通过 LVS 达到的负载均衡技术和 Linux 操作系统实现一个高性能高可用的 Linux 服务器集群,它具有良好的可靠性、可扩展性和可操作性。从而以低廉的成本实现最优的性能。
3. LVS 是一个实现负载均衡集群的开源软件项目,LVS架构从逻辑上可分为调度层、Server集群层和共享存储。
1. 高并发连接:LVS基于内核网络层面工作,有超强的承载能力和并发处理能力。单台LVS负载均衡器,可支持上万并发连接。稳定性强:是工作在网络4层之上仅作分发之用,这个特点也决定了它在负载均衡软件里的性能最强,稳定性最好,对内存和cpu资源消耗极低。
2. 成本低廉:硬件负载均衡器少则十几万,多则几十万上百万,LVS只需一台服务器和就能免费部署使用,性价比极高。
3. 配置简单:LVS配置非常简单,仅需几行命令即可完成配置,也可写成脚本进行管理。
4. 支持多种算法:支持多种论调算法,可根据业务场景灵活调配进行使用
5. 支持多种工作模型:可根据业务场景,使用不同的工作模式来解决生产环境请求处理问题。
6. 应用范围广:因为LVS工作在4层,所以它几乎可以对所有应用做负载均衡,包括http、数据库、DNS、ftp服务等等
7. 缺点:工作在4层,不支持7层规则修改,机制过于庞大,不适合小规模应用。
1. 当客户端的请求到达负载均衡器的内核空间时,首先会到达PREROUTING链。
2. 当内核发现请求数据包的目的地址是本机时,将数据包送往INPUT链。
3. LVS由用户空间的ipvsadm和内核空间的IPVS组成,ipvsadm用来定义规则,IPVS利用ipvsadm定义的规则工作,IPVS工作在INPUT链上,当数据包到达INPUT链时,首先会被IPVS检查,如果数据包里面的目的地址及端口没有在规则里面,那么这条数据包将经过INPUT链送至用户空间,交给用户空间的进程来处理。
4. 如果数据包里面的目的地址及端口在规则里面,那么这条数据报文将被修改目的地址为事先定义好的后端服务器,并送往POSTROUTING链。
5. 最后经由POSTROUTING链发往后端服务器。
Virtual Server via Direct Routing(VS-DR):用直接路由技术实现虚拟服务器。当参与集群的计算机和作为控制管理的计算机在同一个网段时可以用此方法,控制管理的计算机接收到请求包时直接送到参与集群的节点。直接路由模式比较特别,很难说和什么方面相似,前种模式基本上都是工作在网络层上(三层),而直接路由模式则应该是工作在数据链路层上(二层)。
1. Director和REAL SERVER都配置同一个IP(VIP),Director将该IP配置到对外的网卡上,Real server将该IP配置到lo网卡上。
2. 配置arp_ignore为1(目的是让数据包发出apr请求时,只有Director会响应该arp请求),所有REAL SERVER对本身这个IP的ARP请求保持静默。
3. Director收到数据包后根据调度算法,找出对应的 REAL SERVER,把目的MAC地址改为REAL SERVER的MAC并发给这台REAL SERVER。
4. 这时REAL SERVER通过网卡eth0收到这个数据包,由于Real Server上的lo网卡配置的也有VIP,所以RS接收该数据包。
5. 由于DR要对二层包头进行改换,所以DR和REAL SERVER之间必须在一个广播域,也可以简单的理解为在同一台交换机上。
1. 当用户请求到达DirectorServer,此时请求的数据报文会先到内核空间的PREROUTING链。 此时报文的源IP为CIP,目标IP为VIP 。
2. PREROUTING检查发现数据包的目标IP是本机,将数据包送至INPUT链。
3. IPVS比对数据包请求的服务是否为集群服务,若是,修改数据包的目标IP地址为后端服务器IP,然后将数据包发至POSTROUTING链。 此时报文的源IP为CIP,目标IP为RIP ,在这个过程完成了目标IP的转换。
4. POSTROUTING链通过选路,将数据包发送给Real Server。
5. Real Server比对发现目标为自己的IP,开始构建响应报文发回给Director Server。 此时报文的源IP为RIP,目标IP为CIP 。
6. Director Server在响应客户端前,此时会将源IP地址修改为自己的VIP地址,然后响应给客户端。 此时报文的源IP为VIP,目标IP为CIP。
1
1. 客户端将请求发往前端的负载均衡器,请求报文源地址是CIP,目标地址为VIP。
2. 负载均衡器收到报文后,发现请求的是在规则里面存在的地址,那么它将在客户端请求报文的首部再封装一层IP报文,将源地址改为DIP,目标地址改为RIP,并将此包发送给RS。
3. RS收到请求报文后,会首先拆开第一层封装,然后发现里面还有一层IP首部的目标地址是自己lo接口上的VIP,所以会处理次请求报文,并将响应报文通过lo接口送给eth0网卡(这个网卡一般指和调度器在一个网段的网卡)直接发送给客户端。注意:需要设置lo接口的VIP不能在公网上出现。
特点
1. RIP,DIP可以使用私有地址;
2. RIP和DIP可以不再同一个网络中,且RIP的网关未必需要指向DIP;
3. 支持端口映射;
4. RS的OS可以使用任意类型;
5. 请求报文经由Director,响应报文也经由Director
Nat模式
VIP 192.168.170.159
DIP 192.168.170.128
R1IP 192.168.170.130
R2IP 192.168.170.100
[root@lvs ~]# systemctl disable --now firewalld
[root@lvs ~]# setenforce 0
[root@R1 ~]# systemctl disable --now firewalld
[root@R1 ~]# setenforce 0
[root@R2 ~]# setenforce 0
[root@R2 ~]# systemctl disable --now firewalld
安装配置httpd并且生成证书后使用同一个证书
[root@R1 apache]# mkdir /etc/pki/CA [root@R1 apache]# cd /etc/pki/CA [root@R1 CA]# mkdir private [root@R1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus (2 primes) ........+++++ ....................................................+++++ e is 65537 (0x010001) [root@R1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:ha Organizational Unit Name (eg, section) []:ha Common Name (eg, your name or your server's hostname) []:hanao.com Email Address []:1@1.com [root@R1 CA]# mkdir certs newcerts crl [root@R1 CA]# touch index.txt && echo 01 > serial [root@R1 CA]# (umask 077;openssl genrsa -out httpd.key 2048) Generating RSA private key, 2048 bit long modulus (2 primes) ..............................+++++ .................+++++ e is 65537 (0x010001) [root@R1 CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr Ignoring -days; not generating a certificate You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:ha Organizational Unit Name (eg, section) []:ha Common Name (eg, your name or your server's hostname) []:hanao.com Email Address []:1@1.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@R1 CA]# openssl ca -in httpd.csr -out httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jun 12 06:14:14 2021 GMT Not After : Jun 12 06:14:14 2022 GMT Subject: countryName = CN stateOrProvinceName = HB organizationName = ha organizationalUnitName = ha commonName = hanao.com emailAddress = 1@1.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B1:16:DF:69:E3:BE:CC:DA:F7:46:6F:98:33:4F:2F:52:87:47:D6:FC X509v3 Authority Key Identifier: keyid:DC:5C:6E:05:C8:3A:37:ED:74:81:D8:C1:66:52:2A:AB:F0:80:8A:78 Certificate is to be certified until Jun 12 06:14:14 2022 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@R1 CA]# mv httpd.key httpd.crt /etc/httpd/ [root@R1 CA]# scp /etc/httpd/httpd.key 192.168.170,100:/etc/httpd/ root@192.168.10.21's password: httpd.key 100% 1679 1.5MB/s 00:00 [root@R1 CA]# scp /etc/httpd/httpd.crt 192.168.10.21:/etc/httpd/ root@192.168.10.21's password: httpd.crt 100% 4539 4.9MB/s 00:00 [root@R1 CA]# echo "R1" >/usr/local/apache/htdocs/index.html
#httpd安装过程省略
[root@R2 ~]# systemctl start httpd
[root@R2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:80 *:*
[root@R2 ~]# echo "R2" >/usr/local/apache/htdocs/index.html
[root@lvs ~]# dnf -y install ipvsadm #开启ip转发功能 [root@lvs ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf [root@lvs ~]# sysctl -p net.ipv4.ip_forward = 1 #在调度器上添加并保持规则 [root@lvs ~]# ipvsadm -A -t 192.168.170.128:80 -s rr [root@lvs ~]# ipvsadm -a -t 192.168.170.128:80 -r 192.168.170.130:80 -m [root@lvs ~]# ipvsadm -a -t 192.168.170.128:80 -r 192.168.170.100:80 -m [root@lvs ~]# ipvsadm -A -t 192.168.170.128:443 -s rr [root@lvs ~]# ipvsadm -a -t 192.168.170.128:443 -r 192.168.170.100:443 -m [root@lvs ~]# ipvsadm -a -t 192.168.170.128:443 -r 192.168.170.130:443 -m [root@lvs ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm [root@lvs ~]# cat /etc/sysconfig/ipvsadm -A -t 192.168.170.128:80 -s rr -a -t 192.168.170.128:80 -r 192.168.170.130:80 -m -w 1 -a -t 192.168.170.128:80 -r 192.168.170.100:80 -m -w 1 -A -t 192.168.170.128:443 -s rr -a -t 192.168.170.128:443 -r 192.168.170.130:443 -m -w 1 -a -t 192.168.170.128:443 -r 192.168.170.100:443 -m -w 1 #设置开机自启 [root@lvs ~]# systemctl enable ipvsadm Created symlink /etc/systemd/system/multi-user.target.wants/ipvsadm.service → /usr/lib/systemd/system/ipvsadm.service. [root@lvs ~]# echo "ipvsadm -R < /etc/sysconfig/ipvsadm" >>/etc/rc.d/rc.loca
将RIP的网关都指向DIP
[root@R1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet BOOTPROTO=static DEFROUTE=yes NAME=ens33 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.170,100 NETMASK=255.255.255.0 GATEWAY=192.168.170.159 DNS1=114.114.114.114 [root@R2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet BOOTPROTO=static DEFROUTE=yes NAME=ens33 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.170.130 NETMASK=255.255.255.0 GATEWAY=192.168.170.159 DNS1=114.114.114.114
[root@c1 ~]# curl 192.168.170.159
R1
[root@c1 ~]# curl 192.168.170.159
R2
修改相应网管的配置!!!
[root@lvs ~]# cat /etc/sysconfig/network-scripts/eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR0=192.168.170.128
PREFIX0=24
IPADDR1=192.168.170.159
PREFIX1=24
GATEWAY=192.168.170.2
DNS1=114.114.114.114
[root@R1 ~]# cat >> /etc/sysctl.conf <<EOF > net.ipv4.conf.all.arp_ignore=1 > net.ipv4.conf.all.arp_announce=2 > EOF [root@R1 ~]# sysctl -p net.ipv4.conf.all.arp_ignore = 1 net.ipv4.conf.all.arp_announce = 2 [root@R2 ~]# cat >> /etc/sysctl.conf <<EOF > net.ipv4.conf.all.arp_ignore=1 > net.ipv4.conf.all.arp_announce=2 > EOF [root@R2 ~]# sysctl -p net.ipv4.conf.all.arp_ignore = 1 net.ipv4.conf.all.arp_announce = 2 [root@R1 ~]# ifconfig lo:0 192.168.170.159/32 broadcast 192.168.170.159 up [root@R1 ~]# route add -host 192.168.170.159 dev lo:0 [root@R1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet BOOTPROTO=static NAME=ens33 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.170.100 PREFIX=24 GATEWAY=192.168.170.2 DNS1=114.114.114.114 [root@R2 ~]# ifconfig lo:0 192.168.96.128/32 broadcast 192.168.96.128 up [root@R2 ~]# route add -host 192.168.96.128 dev lo:0 [root@R2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet BOOTPROTO=static NAME=ens33 ONBOOT=yes IPADDR=192.168.170.130 PREFIX=24 GATEWAY=192.168.170.2 DNS1=114.114.114.114
[root@lvs ~]# ipvsadm -A -t 192.168.170.159:80 -s rr [root@lvs ~]# ipvsadm -a -t 192.168.170.159:80 -r 192.168.170.100:80 -g [root@lvs ~]# ipvsadm -a -t 192.168.170.159:80 -r 192.168.170.130:80 -g [root@lvs ~]# ipvsadm -A -t 192.168.170.159:443 -s rr [root@lvs ~]# ipvsadm -a -t 192.168.170.159:443 -r 192.168.170.100:443 -g [root@lvs ~]# ipvsadm -a -t 192.168.170.159:443 -r 192.168.170.130:443 -g [root@lvs ~]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.170.159:80 rr -> 192.168.170.130:80 Route 1 0 0 -> 192.168.170.100:80 Route 1 0 0 TCP 192.168.170.159:443 rr -> 192.168.170.130:443 Route 1 0 0 -> 192.168.170.100:443 Route 1 0 0 ipvsadm -Sn > /etc/sysconfig/ipvsadm [root@lvs ~]# echo "ipvsadm -Sn > /etc/sysconfig/ipvsadm" >>/etc/rc.d/rc.local
[root@c1 ~]# curl 192.168.170.159
R1
[root@c1 ~]# curl 192.168.170.159
R2
[root@c1 ~]# curl 192.168.170.159
R2
[root@c1 ~]# curl 192.168.170.159
R1
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。