LVS四层负载均衡
四种模式
1.NAT模式
2.TUN隧道模式
3.DR直接路由,推荐使用
4.FULLNAT,完全NAT
LVS负载均衡实践
环境准备
1.MySQL负载均衡
外部IP地址 内部IP地址 角色 备注
L4:
192.168.238.15 172.16.1.15 LVS调度器(Director) 对外提供服务的VIP为192.168.238.17
192.168.238.16 172.16.1.16 LVS调度器(Director) 对外提供服务的VIP为192.168.238.17
192.168.238.51 172.16.1.51 RS1(真实服务器) MySQL
192.168.238.52 172.16.1.52 RS2(真实服务器) MySQL
#L4+L7+WEB 大规模web负载均衡
L4:
192.168.238.15 172.16.1.15 LVS调度器(Director) 对外提供服务的VIP为192.168.238.17
192.168.238.16 172.16.1.16 LVS调度器(Director) 对外提供服务的VIP为192.168.238.17
L7:
192.168.238.5 172.16.1.5 LVS调度器(Director)
192.168.238.6 172.16.1.6 LVS调度器(Director)
192.168.238.7 172.16.1.7 RS1(真实服务器) web01
192.168.238.8 172.16.1.8 RS2(真实服务器) web02LVS负载均衡安装
#在lb4-01、lb4-02上安装LVS
[root@lb4-01 ~]# yum install ipvsadm -y
[root@lb4-01 ~]# rpm -qa ipvsadm
ipvsadm-1.27-8.el7.x86_64
[root@lb4-01 ~]# modprobe ip_vs #把ipvs加入到内核
[root@lb4-01 ~]# lsmod|grep ip_vs #检查内核是否有ip_vs
ip_vs 145458 0
nf_conntrack 143360 1 ip_vs
libcrc32c 12644 3 xfs,ip_vs,nf_conntrack
[root@lb4-01 ~]# uname -r
3.10.0-1160.83.1.el7.x86_64
[root@lb4-01 ~]# yum install kernel-devel -y
[root@lb4-01 ~]# ln -s /usr/src/kernels/3.10.0-1160.83.1.el7.x86_64/ /usr/src/linux
[root@lb4-01 ~]# ls -l /usr/src/
lrwxrwxrwx 1 root root 45 Mar 3 10:34 linux -> /usr/src/kernels/3.10.0-1160.83.1.el7.x86_64/
特别注意:
ln命令链接路径要和uname -r输出结果内核版本对应。
如果没有/usr/src/kernels/xx路径,可通过yum install kernel-devel -y安装。场景1:实现MySQL数据库负载均衡
###配置LVS虚拟IP(VIP)
ifconfig eth1:17 172.16.1.17/24 up #==>简便写法
#route add -host 172.16.1.17 dev eth1 #==添加主机路由,也可不加此行。
###手工执行配置添加LVS服务并增加两台RS ipvsadm
ipvsadm -C #<== -C clear the whole table
ipvsadm --set 30 5 60 #<== --set tcp tcpfin udp set connection timeout values
#ipvsadm -A -t 172.16.1.17:3306 -s wrr #--add-service -A add virtual service with options
ipvsadm -A -t 172.16.1.17:3306 -s wrr -p 20
#dr模式
ipvsadm -a -t 172.16.1.17:3306 -r 172.16.1.51:3306 -g -w 1
ipvsadm -a -t 172.16.1.17:3306 -r 172.16.1.52:3306 -g -w 1
# ipvsadm -a|e -t|u|f service-address -r server-address [options]
[root@lb4-01 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.16.1.17:3306 wrr persistent 20
-> 172.16.1.51:3306 Route 1 0 0
-> 172.16.1.52:3306 Route 1 0 0
[root@lb4-01 ~]# ipvsadm -Ln --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
TCP 172.16.1.17:3306 0 0 0 0 0
-> 172.16.1.51:3306 0 0 0 0 0
-> 172.16.1.52:3306 0 0 0 0 0
[删除方法]
ipvsadm -D -t 172.16.1.17:3306
ipvsadm -d -t 172.16.1.17:3306 -r 172.16.1.51:3306 <==正确
[相关参数说明]
[root@oldboy ~]# ipvsadm -help
# --clear -C clear the whole table
# --add-service -A add virtual service with options
# --tcp-service -t service-address service-address is host[:port]
# --scheduler -s scheduler one of rr|wrr|lc|wlc|lblc|lblcr|dh|sh|sed|nq,
# --add-server -a add real server with options
# --real-server -r server-address server-addres s is host (and port)
# --masquerading -m masquerading (NAT)
# --gatewaying -g gatewaying (direct routing) (default)
# --delete-server -d delete real server
# --persistent -p [timeout] persistent service(会话保持功能)
# --set tcp tcpfin udp set connection timeout values
# --weight -w weight capacity of real server
# --ipip -i ipip encapsulation (tunneling)
提示:更多参数请ipvsadm -help自行查看
命令执行过程及检查配置的执行结果
ipvsadm -C
ipvsadm --set 30 5 60
ipvsadm -A -t 172.16.1.17:3306 -s wrr -p 20
ipvsadm -a -t 172.16.1.17:3306 -r 172.16.1.51:3306 -g -w 1
ipvsadm -a -t 172.16.1.17:3306 -r 172.16.1.52:3306 -g -w 1
ipvsadm -L -n --sort
ipvsadm -d -t 172.16.1.17:3306 -r 172.16.1.51:3306 #==>删除测试
ipvsadm -L -n --sort
ipvsadm -a -t 172.16.1.17:3306 -r 172.16.1.51:3306 -g -w 1
ipvsadm -L -n --sort手工在RS端绑定lo网卡及抑制ARP
#每台real server端执行db01、db02
命令:
ifconfig lo:17 172.16.1.17 up
route add -host 172.16.1.17 dev lo
工作中写到配置文件:
vim /etc/sysconfig/network-scripts/ifcfg-lo:17
#centos7 添加方法
ip addr add 172.16.1.17/32 dev lo label lo:17
route add -host 172.16.1.17 dev lo
过程:
ifconfig lo:17
route -n|grep 172.16.1.17
#172.16.1.17 0.0.0.0 255.255.255.255 UH 0 0 0 lo
每个集群节点上的环回接口(lo)设备上被绑定VIP地址(其广播地址是其本身,子网掩码是255.255.255.255,采取可变长掩码方式把网段划分成只含一个主机地址的目的是避免ip地址冲突)允许LVS-DR集群中的集群节点接受发向该VIP地址的数据包,这会有一个非常严重的问题发生,集群内部的真实服务器将尝试回复来自正在请求VIP客户端的ARP广播,这样所有的真实服务器都将声称自己拥有该VIP地址,这时客户端将有可能直接发送请求数据包到某台真实服务器上,从而破坏了DR集群的负载均衡策略。因此,必须要抑制所有真实服务器响应目标地址为VIP的ARP广播,而把客户端ARP广播的响应交给负载均衡调度器。手工在RS端抑制ARP响应
#在db01、db02执行
抑制ARP响应方法如下:
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
cat /proc/sys/net/ipv4/conf/lo/arp_ignore
cat /proc/sys/net/ipv4/conf/all/arp_ignore
cat /proc/sys/net/ipv4/conf/all/arp_announce
cat /proc/sys/net/ipv4/conf/lo/arp_announce
#在web01上安装mysql测试:
yum install mariadb -y
mysql -h 172.16.1.17 -uroot -poldboy123 #172.16.1.17是VIP
####停掉了51,发现连不了
lvs没有健康检查功能,51停掉了,仍然请求发给51,需要手工清理51
[root@lb4-01 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.16.1.17:3306 wrr persistent 20
-> 172.16.1.51:3306 Route 1 0 0
-> 172.16.1.52:3306 Route 1 0 4
[root@lb4-01 ~]# ipvsadm -d -t 172.16.1.17:3306 -r 172.16.1.51:3306
[root@lb4-01 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.16.1.17:3306 wrr persistent 20
-> 172.16.1.52:3306 Route 1 0 0
重连成功,LVS的健康检查要靠keepalved配合实现抑制ARP脚本实现脚本
开发脚本配置LVS RS真实服务器端
#!/bin/bash
# Written by oldboy
# description: Config realserver lo and apply noarp
VIP=(
172.16.1.17
)
. /etc/rc.d/init.d/functions
case "$1" in
start)
for ((i=0; i<`echo ${#VIP[*]}`; i++))
do
interface="lo:`echo ${VIP[$i]}|awk -F . '{print $4}'`"
/sbin/ifconfig $interface ${VIP[$i]} broadcast ${VIP[$i]} netmask 255.255.255.255 up
done
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
action "Start LVS of RearServer.by old1boy"
;;
stop)
for ((i=0; i<`echo ${#VIP[*]}`; i++))
do
interface="lo:`echo ${VIP[$i]}|awk -F . '{print $4}'`"
/sbin/ifconfig $interface ${VIP[$i]} broadcast ${VIP[$i]} netmask 255.255.255.255 down
done
echo "close LVS Directorserver"
if [ ${#VIP[*]} -eq 1 ];then
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
fi
action "Close LVS of RearServer.by old2boy"
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac工作中可以将lo网卡写到配置文件:
db01、db02上操作
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-lo:17
[root@db01 network-scripts]# cat /etc/sysconfig/network-scripts/ifcfg-lo:17
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="lo:17"
DEVICE="lo:17"
ONBOOT="yes"
IPADDR="172.16.1.17"
PREFIX="32arp抑制技术参数说明
arp_ignore- INTEGER
定义对目标地址为本地IP的ARP询问不同的应答模式
0 -(默认值): 回应任何网络接口上对任何本地IP地址的arp查询请求。
1 -只回答目标IP地址是来访网络接口本地地址的ARP查询请求。
2 -只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内。
3 -不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应。
4-7 -保留未使用。
8 -不回应所有(本地地址)的arp查询。
arp_announce - INTEGER
对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制:
确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口
0 -(默认) 在任意网络接口(eth0,eth1,lo)上的任何本地地址
1 -尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一。如果该来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理.
2 -对查询目标使用最适当的本地地址,在此模式下将忽略这个IP数据包的源地址并尝试选择能与该地址通信的本地地址,首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址。如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送.限制了使用本地的vip地址作为优先的网络接口场景2:实现LVS+keepalved L4 mysql集群高可用
配置lb4-01/02
[root@lb4-01 ~]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb4-01
}
vrrp_instance VI_1 {
state MASTER #state BACKUP
interface eth1
virtual_router_id 52
priority 150 #priority 50
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.1.17/24 dev eth1 label eth1:17
}
}
#MySQL port 3306
virtual_server 172.16.1.17 3306 {
delay_loop 6
lb_algo wrr
lb_kind DR
persistence_timeout 20
protocol TCP
real_server 172.16.1.51 3306 {
weight 1
TCP_CHECK {
connect_timeout 5
##nb_get_retry 3
delay_before_retry 3
connect_port 3306
}
}
real_server 172.16.1.52 3306 {
weight 1
TCP_CHECK {
connect_timeout 5
## nb_get_retry 3
delay_before_retry 3
connect_port 3306
}
}
}
配置完重启keepalived完成
[root@lb4-01 ~]# systemctl restart keepalived
检查
[root@lb4-01 ~]# ifconfig |grep 'eth1:17'
#在web01上测试
mysql -h 172.16.1.17 -uroot -poldboy123
#停掉db01上的mariadb
[root@db01 ~]# systemctl stop mariadb
#在测试web01测试
mysql -h 172.16.1.17 -uroot -poldboy123
use test;
show tables;场景3:实现Web4层负载及配合后端7层反向代理+web节点
环境说明
2.L4+L7+WEB 大规模web负载均衡
L4:
192.168.238.15 172.16.1.15 LVS调度器(Director) 对外提供服务的VIP为192.168.238.17
192.168.238.16 172.16.1.16 LVS调度器(Director) 对外提供服务的VIP为192.168.238.17
L7:
192.168.238.5 172.16.1.5 nginx lb01 测好了。
192.168.238.6 172.16.1.6 nginx lb02
192.168.238.7 172.16.1.7 RS1(真实服务器) web01
192.168.238.8 172.16.1.8 RS2(真实服务器) web02
[root@lb4-02 keepalived]# curl -H "host:www.yunwei.com" 172.16.1.7
web01
[root@lb4-02 keepalived]# curl -H "host:www.yunwei.com" 172.16.1.8
web02配置keepalived lb4-01/02
[root@lb4-01 ~]# vi /etc/keepalived/keepalived.conf
global_defs {
router_id lb4-01
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 53
priority 50
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.238.17/24 dev eth0 label eth0:17
}
}
#web config
virtual_server 192.168.238.17 80 {
delay_loop 6
lb_algo wrr
lb_kind DR
persistence_timeout 20
protocol TCP
real_server 192.168.238.5 80 {
weight 1
TCP_CHECK {
connect_timeout 5
#nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
real_server 192.168.238.6 80 {
weight 1
TCP_CHECK {
connect_timeout 5
# nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
}
===============================================
vrrp_instance VI_2 {
state MASTER #state BACKUP
interface eth1
virtual_router_id 52
priority 150 #priority 50
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.1.17/24 dev eth1 label eth1:17
}
}
#MySQL config
virtual_server 172.16.1.17 3306 {
delay_loop 6
lb_algo wrr
lb_kind DR
persistence_timeout 20
protocol TCP
real_server 172.16.1.51 3306 {
weight 1
TCP_CHECK {
connect_timeout 5
#nb_get_retry 3
delay_before_retry 3
connect_port 3306
}
}
real_server 172.16.1.52 3306 {
weight 1
TCP_CHECK {
connect_timeout 5
# nb_get_retry 3
delay_before_retry 3
connect_port 3306
}
}
}lb01、lb02配置VIP绑定,和抑制ARP(脚本)
[root@lb01 conf.d]# mkdir /server/scripts -p
[root@lb01 conf.d]# cd /server/scripts/
[root@lb01 scripts]# vim ipvs.sh
#!/bin/bash
# Written by oldboy
# description: Config realserver lo and apply noarp
VIP=(
192.168.238.17
)
. /etc/rc.d/init.d/functions
case "$1" in
start)
for ((i=0; i<`echo ${#VIP[*]}`; i++))
do
interface="lo:`echo ${VIP[$i]}|awk -F . '{print $4}'`"
/sbin/ifconfig $interface ${VIP[$i]} broadcast ${VIP[$i]} netmask 255.255.255.255 up
done
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
action "Start LVS of RearServer.by old1boy"
;;
stop)
for ((i=0; i<`echo ${#VIP[*]}`; i++))
do
interface="lo:`echo ${VIP[$i]}|awk -F . '{print $4}'`"
/sbin/ifconfig $interface ${VIP[$i]} broadcast ${VIP[$i]} netmask 255.255.255.255 down
done
echo "close LVS Directorserver"
if [ ${#VIP[*]} -eq 1 ];then
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
fi
action "Close LVS of RearServer.by old2boy"
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac
[root@lb01 scripts]# sh ipvs.sh start
Start LVS of RearServer.by old1boy [ 确定 ]
#检查
[root@lb01 scripts]# ifconfig |grep 'lo:17'获取lvs+nginx+web前端用户真实IP
#测试,需要把proxy_protocol给注释掉,不然访问报错。
upstream www {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 80;
#listen 80 proxy_protocol; #注释
server_name www.yunwei.com;
set_real_ip_from 172.16.1.0/24; #添加七层负载前经过的代理IP地址
real_ip_header proxy_protocol; #将proxy_protocol获取的IP赋值给$remote_addr
location / {
proxy_pass http://www;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
#将proxy_protocol真实客户端的IP地址赋值给X-Forwarded-For变量携带至后端
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
}
}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 这个开启
客户端访问LVS是携带源IP的,LVS仅仅是转发,DR修改目的MAC,并没有改变源IP。所以客户源IP可以被nginx lb01获取到,然后通过x-forward-for传给web节点
#查看日志
[root@web01 conf.d]# tail -f /var/log/nginx/access.log
172.16.1.6 - - [03/Mar/2023:16:14:53 +0800] "GET / HTTP/1.0" 200 6 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54" "192.168.238.1"
172.16.1.6 - - [03/Mar/2023:16:14:54 +0800] "GET / HTTP/1.0" 200 6 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54" "192.168.238.1"
172.16.1.6 - - [03/Mar/2023:16:14:54 +0800] "GET / HTTP/1.0" 200 6 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54" "192.168.238.1"
172.16.1.6 - - [03/Mar/2023:16:14:55 +0800] "GET / HTTP/1.0" 200 6 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54" "192.168.238.1"
最后一位是192.168.238.1是真实IP
