Basic LVS-DR configuration
1. Basic principles of LVS-DR
Direct routing forwards a request by rewriting the destination MAC address of the request packet.
Because request packets reach the RS through the Director, no RS may answer ARP requests for the VIP in place of the Director. There are three ways to ensure this: 1. bind the VIP to the Director's MAC statically on the upstream router; 2. use arptables on the RS; 3. change kernel parameters on the RS hosts, that is, alias the VIP on the loopback interface and set the kernel parameters so that the RS does not respond to requests for the VIP.
Response packets do not pass through the Director: the RS replies to the CIP directly with the VIP as the source address, sending the reply out through the RIP's interface MAC and its gateway.
Basic rules of DR:
(1) Ensure the front-end router delivers request packets whose destination IP is the VIP to the Director.
Solutions:
static binding
arptables
changing the kernel parameters of the RS hosts
(2) The RIP of an RS may be a private address, but it may also be a public address
(3) The RS and the Director must be on the same physical network
(4) Request packets are scheduled through the Director, but response packets must never pass through the Director;
(5) Port mapping is not supported
(6) The RS can run most operating systems
(7) The gateway of the RS must not point to the DIP
2. Lab environment: a local LAN.
Client: local Windows 7 machine. Director: CentOS 7.1. RealServer: node1 and node2, both CentOS 6.7. All IPs of the Director and the RealServers are in the same subnet.
The topology is as follows (diagram not reproduced here):
3. Configuration
Director:
# ifconfig ens33:0 192.168.1.15/32 broadcast 192.168.1.15 up
# route add -host 192.168.1.15 dev ens33:0
RS:
node1:
# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# echo 1 > /proc/sys/net/ipv4/conf/eth2/arp_ignore
# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
# echo 2 > /proc/sys/net/ipv4/conf/eth2/arp_announce
# ifconfig lo:0 192.168.1.15/32 broadcast 192.168.1.15 up
# route add -host 192.168.1.15 dev lo:0
node2:
# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
# echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
# ifconfig lo:0 192.168.1.15/32 broadcast 192.168.1.15 up
# route add -host 192.168.1.15 dev lo:0
Alternatively, write a script, give it execute permission, and use it to set the kernel parameters:
# vim lvsdrka.sh
#!/bin/bash
#
case $1 in
start)
    # suppress ARP replies/announcements for the VIP aliased on lo
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 1 > /proc/sys/net/ipv4/conf/eth2/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 2 > /proc/sys/net/ipv4/conf/eth2/arp_announce
    ;;
stop)
    # restore the kernel defaults
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/eth2/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 0 > /proc/sys/net/ipv4/conf/eth2/arp_announce
    ;;
esac
# chmod +x lvsdrka.sh
# ./lvsdrka.sh start
# cat /proc/sys/net/ipv4/conf/all/arp_ignore
1
# cat /proc/sys/net/ipv4/conf/all/arp_announce
2
The two kernel parameters:
arp_announce: ARP announcement
0: announce any local address on any interface (default)
1: try to avoid announcing addresses that are not on the interface's own subnet
2: always use the best local address for the target network
arp_ignore: ARP reply
0: reply on any interface as long as the host owns the address (default)
1: reply only when the requested address is configured on the interface the request arrived on
2, 3, 4, 5, 6, 7, 8: there are nine levels in total; the remaining ones are rarely used
In LVS-DR we generally use arp_ignore=1 and arp_announce=2.
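An added check script, not part of the original post: it verifies that an RS carries the arp_ignore=1 / arp_announce=2 settings described above on both the "all" pseudo-interface and the NIC facing the Director. The optional PROC_ROOT argument (an assumption of this example) overrides /proc/sys so the check can be exercised against a constructed directory tree.

```shell
#!/bin/bash
# Added check (not from the original post): verify that a Real Server carries the
# ARP settings LVS-DR requires (arp_ignore=1, arp_announce=2) on both the "all"
# pseudo-interface and the NIC facing the Director. The second argument is an
# assumed override of /proc/sys so the check can run against a constructed tree.

# check_arp_params IFACE [PROC_ROOT]
# Prints one line per problem; returns 0 when everything is correct, 1 otherwise.
check_arp_params() {
    iface=$1
    root=${2:-/proc/sys}
    conf="$root/net/ipv4/conf"
    rc=0
    for dev in all "$iface"; do
        for pair in arp_ignore:1 arp_announce:2; do
            key=${pair%%:*}
            want=${pair#*:}
            if [ ! -r "$conf/$dev/$key" ]; then
                echo "MISSING $dev/$key"
                rc=1
                continue
            fi
            have=$(cat "$conf/$dev/$key")
            if [ "$have" != "$want" ]; then
                echo "WRONG $dev/$key=$have (want $want)"
                rc=1
            fi
        done
    done
    return $rc
}

# Test helper: build a fake /proc/sys tree under ROOT for interface IFACE with
# the given all/IFACE arp_ignore and arp_announce values (constructed data).
make_fake_proc() {   # make_fake_proc ROOT IFACE IGN_ALL ANN_ALL IGN_IF ANN_IF
    fconf="$1/net/ipv4/conf"
    mkdir -p "$fconf/all" "$fconf/$2"
    echo "$3" > "$fconf/all/arp_ignore"
    echo "$4" > "$fconf/all/arp_announce"
    echo "$5" > "$fconf/$2/arp_ignore"
    echo "$6" > "$fconf/$2/arp_announce"
}

# Stand-alone usage: check the live kernel for the NIC node1 uses in the post.
if [ "${1:-}" = "--live" ]; then
    check_arp_params eth2 && echo "eth2: LVS-DR ARP settings OK"
fi
```

Run it as `./check_arp.sh --live` on an RS; any WRONG or MISSING line means that host may still answer ARP for the VIP.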
Test the web service:
# curl http://192.168.1.20
<h1>this is node1<\h1>
# curl http://192.168.1.21
<h1>this is node2<\h1>
Configure the cluster rules:
# ipvsadm -A -t 192.168.1.15:80 -s rr
# ipvsadm -a -t 192.168.1.15:80 -r 192.168.1.20 -g
# ipvsadm -a -t 192.168.1.15:80 -r 192.168.1.21 -g
4. Test results
5. Configuring an HTTP and HTTPS dual-service cluster
The subnet used here changes to 192.168.3.0.
Step 1: Create a private CA (using the Director host as the example)
# cd /etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.......+++
e is 65537 (0x10001)
# touch index.txt
# echo 01 > serial
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:XJ
Locality Name (eg, city) [Default City]:XJ
Organization Name (eg, company) [Default Company Ltd]:JJ
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:ca.admin.com
Step 2: The RS host requests a certificate
# cd /etc/httpd/
# mkdir ssl
# cd ssl
# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
..................................+++
e is 65537 (0x10001)
# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:XJ
Locality Name (eg, city) [Default City]:XJ
Organization Name (eg, company) [Default Company Ltd]:JJ
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:rs1.admin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3: Send the request to the CA
# scp httpd.csr root@192.168.3.10:/root
The authenticity of host '192.168.3.10 (192.168.3.10)' can't be established.
RSA key fingerprint is ef:85:f8:aa:1c:de:41:5a:fd:93:8d:9f:83:f7:a2:ff.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.3.10' (RSA) to the list of known hosts.
root@192.168.3.10's password:
httpd.csr                                     100% 1013     1.0KB/s   00:00
Step 4: The CA signs and issues the certificate
# openssl ca -in /root/httpd.csr -out /root/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov  9 13:48:21 2016 GMT
            Not After : Nov  9 13:48:21 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = XJ
            organizationName          = JJ
            organizationalUnitName    = Ops
            commonName                = CA
            emailAddress              = rs1.admin.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:FA:3A:6F:89:28:EF:D1:CF:5C:42:75:50:7B:C6:99:1D:98:91:B6
            X509v3 Authority Key Identifier:
                keyid:91:9D:0E:8E:86:45:09:DE:C3:3F:63:61:C2:3D:CB:E1:E3:1C:F1:B6
Certificate is to be certified until Nov  9 13:48:21 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# scp /root/httpd.crt root@192.168.3.20:/etc/httpd/ssl/
The authenticity of host '192.168.3.20 (192.168.3.20)' can't be established.
RSA key fingerprint is e5:84:6c:f7:c0:60:3d:0b:39:b6:1e:12:0d:48:8b:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.20' (RSA) to the list of known hosts.
root@192.168.3.20's password:
httpd.crt                                     100% 4482     4.4KB/s   00:00
Note that the Common Name entered for the RS request above is "CA" rather than the server's hostname, so clients will report a name mismatch against this certificate.
Step 5: Install mod_ssl
# yum install mod_ssl
Step 6: Edit the SSL configuration file
# cd /etc/httpd/conf.d/
# vim ssl.conf
DocumentRoot "/var/www/html"                     # uncomment this line
SSLCertificateFile /etc/httpd/ssl/httpd.crt      # paths to the certificate and its key
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
Step 7: Restart the httpd service
# service httpd restart
Step 8: Configure the ipvsadm rules on the Director
# Use an iptables MARK in the PREROUTING chain to group http and https under one firewall mark
# iptables -t mangle -A PREROUTING -d 192.168.3.15 -p tcp --dport 80 -j MARK --set-mark 10
# iptables -t mangle -A PREROUTING -d 192.168.3.15 -p tcp --dport 443 -j MARK --set-mark 10
# ipvsadm -A -f 10 -s rr
# ipvsadm -a -f 10 -r 192.168.3.20 -g
# ipvsadm -a -f 10 -r 192.168.3.21 -g
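An added audit script, not part of the original post: it reads `ipvsadm -Ln` output and flags every real server that is not in Route (DR, the `-g` option) forwarding mode, since a Masq or Tunnel entry would send responses back through the Director and break rule (4) above. The listing below is constructed in the `ipvsadm -Ln` layout, not captured from the lab hosts; the fwmark service mirrors the `-f 10` rules of Step 8.

```shell
#!/bin/bash
# Added audit (not from the original post): check an `ipvsadm -Ln` listing and
# report real servers whose forwarding mode is not "Route", i.e. not LVS-DR.
# Reads the listing on stdin so a saved copy or a live `ipvsadm -Ln | ...` works.

# audit_dr_forwarding < listing
# Prints "service -> rs mode" for each offending entry; returns 1 if any is found.
audit_dr_forwarding() {
    awk '
        # Service header lines: "TCP  vip:port sched", "UDP ...", or "FWM  mark sched"
        $1 == "TCP" || $1 == "UDP" || $1 == "FWM" { svc = $1 " " $2; next }
        # Real-server lines: "-> rip:port  Forward Weight ActiveConn InActConn";
        # svc != "" skips the column header that also starts with "->"
        $1 == "->" && svc != "" && $3 != "Route" { print svc " -> " $2 " " $3; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample listing in ipvsadm -Ln layout (not captured from a real host).
# The fwmark service is correct; the TCP service has one RS wrongly in Masq mode.
SAMPLE_LISTING='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  10 rr
  -> 192.168.3.20:0               Route   1      0          0
  -> 192.168.3.21:0               Route   1      0          0
TCP  192.168.3.15:80 rr
  -> 192.168.3.20:80              Masq    1      0          0
  -> 192.168.3.21:80              Route   1      0          0'

# Stand-alone usage: audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_dr_forwarding && echo "all real servers in Route mode"
fi
```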
6. Testing
Reposted from: https://blog.51cto.com/jiayimeng/1870428