The meaning of the arp_ignore and arp_announce parameter settings in LVS load balancing
First, a brief introduction to LVS load balancing.
LVS (Linux Virtual Server) is a Linux server cluster system. It addresses the need for highly scalable, highly available services with a load-balancing scheduling solution based on IP-layer and content-request distribution, implemented inside the Linux kernel, so that a group of servers forms a single virtual server delivering scalable, highly available network services.
Load balancing: 1. Large volumes of concurrent access or data traffic are spread across multiple node devices for separate processing, reducing the time users wait. 2. A single heavy computation is split across multiple node devices and processed in parallel; when each node finishes, the results are aggregated and returned to the user.
Load scheduler: a group of servers is interconnected over a high-speed LAN or a geographically distributed WAN, with a load balancer (Load Balancer) in front of them. The load balancer transparently schedules network requests onto the real servers, so the structure of the server cluster is invisible to users: accessing the network service provided by the cluster is like accessing a single high-performance, highly available server.
IP load-balancing techniques (three): 1. VS/NAT (Network Address Translation): using network address translation, the scheduler rewrites the destination address of the request packet and, according to the configured scheduling algorithm, distributes the request to a real server on the back end; when the real server's response packet passes back through the scheduler, its source address is rewritten before it is returned to the client, completing the scheduling cycle.
2. VS/TUN (IP tunnelling): the scheduler forwards the request packet to the real server through an IP tunnel, and the real server returns the result directly to the user. The scheduler handles only request packets; since for most network services the reply is larger than the request, IP tunnelling can raise the maximum throughput of the cluster by up to 10 times.
3. VS/DR (Direct Routing): the request is delivered to the real server by rewriting the MAC address of the request packet, and the real server returns its response directly to the user. Direct routing greatly improves the scalability of the cluster; it has none of the IP tunnel overhead and the real servers need not support the IP tunnelling protocol, but the scheduler and the real servers must each have a network interface on the same physical segment.
Of these three IP load-balancing techniques, DR and TUN both require the arp_ignore and arp_announce parameters to be configured on the real servers, mainly so that the real servers do not answer ARP requests for the VIP.
In an LVS environment, the following parameters need to be set on the real servers (the original used typographic quotes, which the shell would write literally; straight quotes are required):
echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore    # answer ARP only for addresses on the receiving interface
echo "1" > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" > /proc/sys/net/ipv4/conf/lo/arp_announce   # announce the best address of the outgoing interface, never the VIP
echo "2" > /proc/sys/net/ipv4/conf/all/arp_announce
Let us first look at the documentation for arp_ignore and arp_announce. On arp_ignore:
arp_ignore - INTEGER
Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
0 - (default): reply for any local target IP address, configured on any interface
1 - reply only if the target IP address is local address configured on the incoming interface
2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface
3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied
4-7 - reserved
8 - do not reply for all local addresses
The max value from conf/{all,interface}/arp_ignore is used when ARP request is received on the {interface}
arp_ignore: defines the reply mode for ARP queries whose target address is a local IP:
0 - (default): reply to ARP queries for any local IP address, received on any network interface
1 - reply only if the target IP address is a local address configured on the interface the query arrived on
2 - reply only if the target IP address is a local address configured on the incoming interface, and the sender's IP is within that interface's subnet
3 - do not reply for local addresses configured with host scope; reply only for global and link-scope addresses
4-7 - reserved, unused
8 - do not reply to ARP queries for any local address
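To make these modes concrete, here is an added Python model of the reply decision a real server makes under each arp_ignore level, including the max(all, interface) rule from the documentation. This is example code written for this explanation, not code from the original article or from LVS. The interface names, addresses (from the 192.0.2.0/24 documentation range), address scopes and sysctl dictionaries are constructed for the illustration, and the level-3 check is simplified to the scope recorded for the address.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Iface:
    """One network interface with its (address, prefix length, scope) tuples;
    scope is 'global', 'link' or 'host' as shown by `ip addr`."""
    name: str
    addrs: list = field(default_factory=list)

    def has(self, ip):
        return any(a == ip for a, _, _ in self.addrs)

    def scope_of(self, ip):
        return next((s for a, _, s in self.addrs if a == ip), None)

    def same_subnet(self, ip, other):
        ip, other = ipaddress.ip_address(ip), ipaddress.ip_address(other)
        for a, plen, _ in self.addrs:
            net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
            if ip in net and other in net:
                return True
        return False


def effective_level(sysctl, name, iface):
    """The kernel applies max(conf/all/<name>, conf/<iface>/<name>)."""
    return max(sysctl.get(("all", name), 0), sysctl.get((iface, name), 0))


def arp_ignore_replies(host, sysctl, incoming, target_ip, sender_ip):
    """True if the host answers an ARP request for target_ip that arrived on
    interface `incoming` from sender_ip, given the arp_ignore settings."""
    level = effective_level(sysctl, "arp_ignore", incoming)
    owner = next((i for i in host if i.has(target_ip)), None)
    if owner is None:
        return False                    # not a local address: never answered
    inc = next(i for i in host if i.name == incoming)
    if level == 0:
        return True                     # any local address on any interface
    if level == 1:
        return inc.has(target_ip)       # must be configured on the incoming interface
    if level == 2:
        return inc.has(target_ip) and inc.same_subnet(target_ip, sender_ip)
    if level == 3:
        return owner.scope_of(target_ip) != "host"   # host-scope addresses stay silent
    if 4 <= level <= 7:
        raise ValueError("arp_ignore levels 4-7 are reserved")
    return False                        # level 8: do not reply for any local address


# Constructed LVS/DR real server: RIP on eth0, VIP bound to lo with host scope.
REAL_SERVER = [
    Iface("eth0", [("192.0.2.10", 24, "global")]),
    Iface("lo", [("127.0.0.1", 8, "host"), ("192.0.2.100", 32, "host")]),
]
VIP, RIP, ROUTER = "192.0.2.100", "192.0.2.10", "192.0.2.1"
DEFAULT_SYSCTL = {}                                   # arp_ignore = 0 everywhere
LVS_SYSCTL = {("all", "arp_ignore"): 1, ("lo", "arp_ignore"): 1}


def demo():
    """Does the real server answer the router's ARP request for the VIP and for the RIP?"""
    return {
        "default_replies_for_vip": arp_ignore_replies(REAL_SERVER, DEFAULT_SYSCTL, "eth0", VIP, ROUTER),
        "lvs_replies_for_vip": arp_ignore_replies(REAL_SERVER, LVS_SYSCTL, "eth0", VIP, ROUTER),
        "lvs_replies_for_rip": arp_ignore_replies(REAL_SERVER, LVS_SYSCTL, "eth0", RIP, ROUTER),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the LVS setting: with the default level 0 the real server answers the router's request for the VIP (because the VIP is configured on lo), so it competes with the director; with arp_ignore=1 the request arriving on eth0 is ignored because the VIP is not configured on eth0, while requests for the RIP are still answered.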
On arp_announce:
arp_announce - INTEGER
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface:
0 - (default) Use any local address, configured on any interface
1 - Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.
2 - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce.
The max value from conf/{all,interface}/arp_announce is used.
Increasing the restriction level gives more chance for receiving answer from the resolved target while decreasing the level announces more valid sender's information.
arp_announce: restricts, at the chosen level, which local source IP address is announced in the ARP requests sent from a network interface:
0 - (default): use any local address, configured on any interface (eth0, eth1, lo)
1 - try to avoid local addresses that are not within this interface's subnet. This is useful when hosts reached through this interface require the source IP in ARP requests to belong to their logical network on the receiving interface. When the request is generated, all of our subnets containing the target IP are checked, and the packet's source address is kept if it lies in one of them; if there is no such subnet, the source address is chosen by the level-2 rules.
2 - always use the best local address for this target. In this mode the source address of the IP packet is ignored and the local address we prefer for talking to the target host is selected: first a primary IP address on one of the outgoing interface's subnets that contains the target IP; if none is found, the first local address on the outgoing interface, or on any other interface, in the hope that a reply will arrive regardless of the announced source.
A supplementary note on understanding arp_announce
Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2. Unfortunately, the target node's mac address is not resolved. The linux box X will send the ARP request to know the mac address of the target (or the gateway). In this case what is the IP source address of the "ARP request message"? The IP0 - the IP source address of the transmitting IP or IP2 - the outgoing interface? Until now (actually just 3 hours before) ARP request uses the IP address assigned to the outgoing interface (IP2 in the above example). However the linux's behavior is a little bit different. Actually the selection of source address in ARP request is totally configurable by the proc variable "arp_announce".
If we want to use the IP2 not the IP0 in the ARP request, we should change the value to 1 or 2.
The default value is 0 - allows IP0 to be used for ARP request.
The underlying issue is the router. Routers normally learn ARP entries dynamically (typically when addresses are assigned by DHCP). When a machine on the internal network wants to send an IP packet outside, it resolves the router's MAC address by sending an ARP request, and that ARP request carries the machine's own IP address and MAC address. By default Linux uses the source IP of the IP packet as the source IP in the ARP request rather than an address of the sending device. In an LVS architecture, where every packet is sent from the same VIP, the ARP request would carry the VIP together with the real server's MAC; the router updates its ARP cache when it receives that request, which amounts to IP spoofing: the VIP is hijacked from the director, and the service breaks.
Why and when is the ARP cache updated? To reduce the number of ARP requests, when a host receives an ARP request asking for its own address it records the sender's IP and MAC in its ARP table for subsequent communication. A request that is not asking for this host (ARP is broadcast, so everyone receives it) is discarded, so the ARP table does not fill with useless entries that would push out useful ones. Setting arp_ignore to 1 means that when another host's ARP request arrives, this host does not respond unless the requested IP is configured on the receiving device; the default of 0 means that if any device on this machine has that IP, the host answers the request and sends its MAC address.
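The following added Python model ties the arp_announce levels from the documentation above to the VIP-hijack scenario just described: it picks the sender IP a real server would announce when resolving the router while sending from the VIP, and shows what a neighbour that learns from broadcast requests would record for the VIP. This is example code written for this explanation, not code from the original article or from LVS; the interface layout, the addresses (192.0.2.0/24 documentation range) and the MAC addresses (from the documentation MAC range) are constructed, and the cache-learning step is a simplified model of the router behaviour the text describes.

```python
import ipaddress

# Constructed LVS/DR real server: RIP on eth0, VIP bound to lo.
IFACES = {
    "eth0": [("192.0.2.10", 24)],                       # (address, prefix length)
    "lo": [("127.0.0.1", 8), ("192.0.2.100", 32)],
}
VIP, RIP, ROUTER = "192.0.2.100", "192.0.2.10", "192.0.2.1"
DIRECTOR_MAC, REAL_SERVER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed


def effective_level(sysctl, iface):
    """The kernel applies max(conf/all/arp_announce, conf/<iface>/arp_announce)."""
    return max(sysctl.get("all", 0), sysctl.get(iface, 0))


def _net(addr, plen):
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def arp_announce_source(ifaces, sysctl, out_iface, packet_src, target):
    """Sender IP placed in the ARP request that resolves `target` for an IP
    packet with source `packet_src` leaving `out_iface`."""
    level = effective_level(sysctl, out_iface)
    src, tgt = ipaddress.ip_address(packet_src), ipaddress.ip_address(target)
    if level == 0:
        return packet_src                    # level 0: announce the packet's own source
    if level == 1:
        # level 1: keep the packet source if one of our subnets holds it and the target
        for addrs in ifaces.values():
            if any(src in _net(a, p) and tgt in _net(a, p) for a, p in addrs):
                return packet_src
        # otherwise continue with the level-2 rules
    # level 2: ignore the packet source; prefer an address on the outgoing
    # interface whose subnet contains the target ...
    for a, p in ifaces[out_iface]:
        if tgt in _net(a, p):
            return a
    # ... else the first address on the outgoing interface, then on any other
    for name in [out_iface] + [n for n in ifaces if n != out_iface]:
        if ifaces[name]:
            return ifaces[name][0][0]
    raise ValueError("no local address available")


def learn_sender(cache, announced_src, sender_mac):
    """What a neighbour that sees the broadcast request records: sender IP -> MAC."""
    updated = dict(cache)
    updated[announced_src] = sender_mac
    return updated


def demo():
    """Router's cache entry for the VIP after a real server ARPs for the router
    while sending from the VIP, under the default and the LVS settings."""
    cache = {VIP: DIRECTOR_MAC}              # the director legitimately owns the VIP
    out = {}
    for label, sysctl in {"default": {}, "lvs": {"all": 2, "lo": 2}}.items():
        announced = arp_announce_source(IFACES, sysctl, "eth0", VIP, ROUTER)
        out[label] = (announced, learn_sender(cache, announced, REAL_SERVER_MAC)[VIP])
    return out


if __name__ == "__main__":
    print(demo())
```

With the default level 0 the real server announces the VIP as sender, and the router's entry for the VIP flips to the real server's MAC; with arp_announce=2 the RIP is announced and the director's entry survives. Note that level 1 is not enough here: because the VIP lies in the router's subnet, level 1 keeps the VIP as the announced source, which is why the LVS settings use 2.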