lvs: Linux Virtual Server
l4: layer-4 switching, layer-4 routing;
forwards a request to one host of the backend cluster according to the packet's destination IP and port (the host is picked by a scheduling algorithm);
netfilter:
PREROUTING --> INPUT
PREROUTING --> FORWARD --> POSTROUTING
OUTPUT --> POSTROUTING
lvs:
ipvsadm/ipvs
ipvsadm: user-space command-line tool for managing cluster services;
ipvs: runs in the kernel on netfilter's INPUT hook; a packet addressed to the VIP (a local address) is caught there and pushed onto the forwarding path instead of being delivered locally;
supports TCP, UDP, AH, ESP, AH_ESP, SCTP and other protocols;
lvs arch:
scheduler: director, dispatcher, balancer
RS: Real Server
Client IP: CIP
Director Virtual IP: VIP
Director IP: DIP
Real Server IP: RIP
lvs type:
lvs-nat
lvs-dr (direct routing)
lvs-tun (ip tunneling)
lvs-fullnat
lvs-nat:
multi-target DNAT (the iptables analogue); the director rewrites the request's destination IP (and possibly the destination port) to the RIP of the chosen RS;
(1) RS and DIP should use private addresses, and the RS's default gateway must point at the DIP;
(2) both request and response pass through the director; under very high load the director can become the bottleneck;
(3) supports port mapping;
(4) RS can run any OS;
(5) the RIPs and the director's DIP must be in the same IP network;
lvs-dr: direct routing
forwards by rewriting the destination MAC address of the request frame; the IP header is left untouched;
Director: VIP, DIP
RSs: RIP, VIP
(1) the front-end router must deliver packets whose destination is the VIP to the director, even though every RS also holds the VIP;
solutions:
static ARP binding (VIP -> director MAC) on the router
arptables on the RSs
kernel parameters on the RSs (arp_ignore, arp_announce)
(2) the RIPs may be private or public addresses;
(3) RSs and director must be on the same physical network (same layer-2 segment, since forwarding is by MAC);
(4) requests are scheduled through the director, but responses must never pass through it;
(5) no port mapping;
(6) RS can run most OSes;
(7) the RS's gateway must not point at the DIP;
lvs-tun:
the original IP header (cip<-->vip) is not modified; a second IP header (dip<-->rip) is wrapped around it;
(1) RIP, DIP and VIP must all be public (routable) addresses, since the encapsulated packet travels dip-->rip across routers;
(2) the RS's gateway must not point at the DIP;
(3) requests must be scheduled through the director, responses must not pass through it;
(4) no port mapping;
(5) the RS's OS must support IP tunneling (ipip);
lvs-fullnat:
the director rewrites both the destination and the source address of the request;
(1) VIP is public; RIP and DIP are private and need not be in the same network;
(2) the RS sees the DIP as the request's source address, so it replies to the DIP;
(3) both request and response must pass through the director;
(4) supports port mapping;
(5) RS can run any OS;
(fullnat is an out-of-tree patch, not part of the mainline kernel's ipvs;)
http: stateless
session persistence:
session binding: tie a client to one RS
source ip hash (the lvs SH scheduler; coarse, since all clients behind one NAT land on the same RS)
cookie (needs a layer-7 balancer; lvs works at layer 4 and cannot see cookies)
session cluster: replicate sessions between the RSs
session server: shared session store
lvs scheduler:
static methods: schedule by the algorithm alone, ignoring RS load;
RR: round robin
WRR: weighted rr
SH: source hash, the session-persistence mechanism: requests from the same source IP always go to the same RS;
DH: destination hash: requests for the same destination always go to the same RS;
dynamic methods: schedule by the algorithm plus the current load of each RS;
Overhead = the per-RS load value below; the RS with the smallest overhead wins
LC: Least Connection
Overhead=Active*256+Inactive
WLC: Weighted LC
Overhead=(Active*256+Inactive)/weight
SED: Shortest Expected Delay
Overhead=(Active+1)*256/weight
NQ: Never Queue
refinement of SED: if any RS has no active connections it is chosen immediately, otherwise SED is applied; the dynamic methods never pick an RS whose weight is 0;
LBLC: Locality-Based LC, i.e. a dynamic DH algorithm;
used to schedule cache servers in forward-proxy setups;
LBLCR: Locality-Based Least-Connection with Replication, LBLC with replication;
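The overhead formulas above are easier to trust once you have watched them pick differently on the same load table. The following POSIX shell function is an added example (not from these notes and not ipvs code): it reproduces WLC, SED and NQ selection over a constructed table of real servers given as "name active inactive weight" lines, skips weight-0 (quiesced) servers, applies NQ's take-the-first-idle-server rule, and compares overhead/weight by cross-multiplication instead of integer division, which is also how the kernel avoids rounding. The server names and counts are made up.

```sh
#!/bin/sh
# pick SCHEDULER < table
# Chooses a real server the way ipvs's dynamic schedulers do.  Input lines:
#   name active inactive weight
# Overheads as in the notes: wlc = (active*256+inactive)/weight,
# sed = (active+1)*256/weight, nq = first idle server, else sed.
# Prints the chosen name; prints nothing and returns 1 if no server is eligible.
pick() {
    sched=$1 best='' best_oh=0 best_w=1
    while read -r name active inactive weight; do
        [ -z "$name" ] && continue
        # weight 0 means quiesced: the dynamic schedulers skip it entirely
        [ "$weight" -gt 0 ] || continue
        case $sched in
            wlc)    oh=$(( active * 256 + inactive )) ;;
            sed|nq) oh=$(( (active + 1) * 256 )) ;;
            *) echo "unsupported scheduler: $sched" >&2; return 2 ;;
        esac
        # NQ: an idle server is used at once, regardless of weight or position
        if [ "$sched" = nq ] && [ "$active" -eq 0 ]; then
            echo "$name"; return 0
        fi
        # "oh/weight < best_oh/best_w" compared by cross-multiplication, as the
        # kernel does, so no rounding from integer division; ties keep the earlier RS
        if [ -z "$best" ] || [ $(( oh * best_w )) -lt $(( best_oh * weight )) ]; then
            best=$name best_oh=$oh best_w=$weight
        fi
    done
    [ -n "$best" ] && echo "$best"
}

# Constructed load tables for a demo run (not data from the page's cluster).
# rs2 has few active but many inactive connections: WLC counts them, SED does not.
table1='rs1 3 0 1
rs2 2 300 1'
echo "wlc -> $(printf '%s\n' "$table1" | pick wlc)"   # rs1
echo "sed -> $(printf '%s\n' "$table1" | pick sed)"   # rs2
# rs4 is idle; rs5 is busier but weighted 3, so SED prefers it while NQ takes rs4 at once.
table2='rs4 0 50 1
rs5 1 0 3'
echo "sed -> $(printf '%s\n' "$table2" | pick sed)"   # rs5
echo "nq  -> $(printf '%s\n' "$table2" | pick nq)"    # rs4
```

Feed it `ipvsadm -L -n` output after reshaping the columns (ActiveConn, InActConn, Weight) if you want to predict which RS the live director will choose next; the point to notice is that a large inactive (FIN-wait) backlog drags an RS down under WLC but not under SED.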
ipvs cluster services:
tcp, udp, ah, esp, ah_esp, sctp
(1) one ipvs host can define several cluster services at the same time;
ipvsadm defines tcp and udp services directly (-t / -u); the other protocols are matched through a firewall mark (-f);
(2) a cluster service should have at least one real server;
when defining one, specify the lvs type and the lvs scheduler;
ipvsadm usage:
managing cluster services
ipvsadm -A|E -t|u|f service-address [-s scheduler]
ipvsadm -D -t|u|f service-address
service-address:
tcp: -t ip:port
udp: -u ip:port
fwm: -f mark   (a firewall mark set with iptables -t mangle ... -j MARK; lets one service cover several ports or protocols)
-s scheduler:
default is wlc
managing the RSs of a cluster service
ipvsadm -a|e -t|u|f service-address -r server-address [-g|i|m] [-w weight]
ipvsadm -d -t|u|f service-address -r server-address
server-address:
ip[:port]   (the port may differ from the service port only with -m; -g is assumed when no type flag is given)
lvs-type:
-g: gateway, dr
-i: ipip, tun
-m: masquerade, nat
clearing and listing:
ipvsadm -C
ipvsadm -L|l [options]
-n: numeric; show addresses and ports as numbers;
-c: connection; show the ipvs connection table;
--stats: statistics
--rate: rates
--exact: exact values (no K/M/G suffixes)
saving and restoring:
ipvsadm -R   restore (reads rules from stdin)
ipvsadm -S [-n]   save (writes rules to stdout)
zeroing counters:
ipvsadm -Z [-t|u|f service-address]
lvs-nat:
lvs-nat example: an ipvs cluster of type nat
vnet2
vip 172.16.100.9
dip 192.168.20.1
rip1: 192.168.20.7
rip2: 192.168.20.8
# cat /proc/sys/net/ipv4/ip_forward   if it prints 0:
# vim /etc/sysctl.conf   and add
net.ipv4.ip_forward=1   # enable forwarding on the director; nat forwards requests to the RIPs and carries the replies back
# sysctl -p   --> net.ipv4.ip_forward=1, or confirm that cat /proc/sys/net/ipv4/ip_forward now prints 1
each RS must also use 192.168.20.1 (the DIP) as its default gateway, otherwise the replies never come back through the director;
then add the rules:
# ipvsadm -A -t 172.16.100.9:80 -s rr
# ipvsadm -L -n   check the rule
# ipvsadm -a -t 172.16.100.9:80 -r 192.168.20.7 -m
# ipvsadm -a -t 172.16.100.9:80 -r 192.168.20.8 -m
# ipvsadm -L -n
added successfully
saving the rules
# ipvsadm -S -n > /etc/sysconfig/ipvsadm   (-n keeps ports numeric instead of service names such as "http")
clearing the rules
# ipvsadm -C
reloading the rules
# ipvsadm -R < /etc/sysconfig/ipvsadm
modifying rules:
# ipvsadm -E -t 172.16.100.9:80 -s sh
# ipvsadm -e -t 172.16.100.9:80 -r 192.168.20.7:8080 -m
# ipvsadm -e -t 172.16.100.9:80 -r 192.168.20.8:8080 -m
-e only edits an existing RS entry, and an RS entry is keyed by ip:port; 192.168.20.7:8080 is a different entry from 192.168.20.7:80, so the two -e commands above fail with "No such destination". Either -d the old entry and -a the new one, or edit /etc/sysconfig/ipvsadm and reload it:
-A -t 172.16.100.9:80 -s rr
-a -t 172.16.100.9:80 -r 192.168.20.7:8080 -m -w 1
-a -t 172.16.100.9:80 -r 192.168.20.8:8080 -m -w 1
# ipvsadm -C
# ipvsadm -R < /etc/sysconfig/ipvsadm
# ipvsadm -L -n
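The saved rule file is plain text and nothing checks it until ipvsadm -R loads it, at which point a bad line aborts the load half-way. The following POSIX shell function is an added example (not from these notes and not part of ipvsadm): a linter for that file format. It flags the mistakes that bite in practice: a -A line carrying real-server options, a -a for a service that was never defined, an unknown scheduler name, a non-numeric weight, and a -g/-i entry whose RS port differs from the service port (DR and TUN cannot remap ports; only -m can). The sample rule file is constructed. It expects the numeric form written by ipvsadm -S -n, since a service saved as 172.16.100.9:http would be compared textually against an RS port of 80.

```sh
#!/bin/sh
# lint_ipvs_rules FILE
# Sanity-checks a rule file in the format `ipvsadm -S -n` writes and `ipvsadm -R`
# reads, before it is loaded.  Prints one line per problem; returns 0 when clean.
lint_ipvs_rules() {
    file=$1
    rc=0
    defined=' '                                 # " <proto>=<service-address> " keys seen so far
    known=' rr wrr sh dh lc wlc sed nq lblc lblcr '
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        # shellcheck disable=SC2086
        set -- $line
        if [ $# -lt 3 ]; then
            echo "malformed line: $line"; rc=1; continue
        fi
        op=$1 proto=$2 svc=$3
        shift 3
        case $proto in
            -t|-u|-f) ;;
            *) echo "protocol flag must be -t, -u or -f: $line"; rc=1; continue ;;
        esac
        key="$proto=$svc"
        case $op in
        -A)
            sched=wlc                               # ipvsadm's default scheduler
            while [ $# -gt 0 ]; do
                case $1 in
                    -s) sched=${2:-} ;;
                    -r|-w|-g|-i|-m)
                        echo "real-server option $1 on a service (-A) line, did you mean -a: $line"
                        rc=1; break ;;
                esac
                shift $(( $# > 1 ? 2 : 1 ))           # remaining -A options (-s, -p, -M, -b) take one argument
            done
            case $known in
                *" $sched "*) ;;
                *) echo "unknown scheduler '$sched': $line"; rc=1 ;;
            esac
            defined="$defined$key "
            ;;
        -a)
            rs='' fwd=-g weight=1                   # -g (direct routing) is the default method
            while [ $# -gt 0 ]; do
                case $1 in
                    -r) rs=${2:-}; shift $(( $# > 1 ? 2 : 1 )) ;;
                    -w) weight=${2:-}; shift $(( $# > 1 ? 2 : 1 )) ;;
                    -g|-i|-m) fwd=$1; shift ;;
                    *) shift ;;
                esac
            done
            case $defined in
                *" $key "*) ;;
                *) echo "real server for a service not defined above ($svc): $line"; rc=1 ;;
            esac
            if [ -z "$rs" ]; then
                echo "missing -r server-address: $line"; rc=1; continue
            fi
            case $weight in
                ''|*[!0-9]*) echo "weight must be a non-negative integer: $line"; rc=1 ;;
            esac
            # port mapping is only possible with -m; fwmark services carry no port at all
            if [ "$fwd" != -m ] && [ "$proto" != -f ]; then
                svc_port=${svc##*:}
                case $rs in *:*) rs_port=${rs##*:} ;; *) rs_port=$svc_port ;; esac
                if [ "$rs_port" != "$svc_port" ]; then
                    echo "port $svc_port -> $rs_port cannot be remapped with $fwd: $line"; rc=1
                fi
            fi
            ;;
        *) echo "operation must be -A or -a: $line"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample (not the page's saved file): line 3 carries a real-server
# option on a -A line and line 5 tries to remap the port on a DR real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-A -t 172.16.100.9:80 -s rr
-a -t 172.16.100.9:80 -r 192.168.20.7:80 -m -w 1
-A -t 172.16.100.9:80 -r 192.168.20.8:8080 -m -w 1
-A -t 172.16.100.10:80 -s rr
-a -t 172.16.100.10:80 -r 172.16.100.21:8080 -g
-a -t 172.16.100.10:80 -r 172.16.100.22 -g
EOF
lint_ipvs_rules "$sample" || echo "fix the file before running ipvsadm -R"
rm -f "$sample"
```

Run it as `lint_ipvs_rules /etc/sysconfig/ipvsadm` before `ipvsadm -R`; the port check is the one that matters most, because ipvsadm itself accepts `-r rip:8080 -g` silently and the RS then drops every packet that arrives for a port it does not listen on.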
deleting rules
# ipvsadm -d -t 172.16.100.9:80 -r 192.168.20.7:8080
# ipvsadm -d -t 172.16.100.9:80 -r 192.168.20.8:8080
# ipvsadm -D -t 172.16.100.9:80
show the currently established connections
# ipvsadm -L -c -n
show statistics
# ipvsadm -L -n --stats
lvs-dr:
two kernel parameters (set on every RS):
arp_ignore   1 = answer an ARP request only if the target IP is configured on the interface the request arrived on; the VIP lives on lo, so the RS stays silent for "who has VIP";
arp_announce   2 = when sending ARP requests, use the best local address for the target (one from the outgoing interface's subnet), never the VIP, so the RS never advertises itself as the VIP;
lvs-dr
bridge, eth0
dip: 172.16.100.9
vip: eth0:0, 172.16.100.10
bridge, eth0   rip1 172.16.100.21
lo:0 vip 172.16.100.10
bridge, eth0   rip2 172.16.100.22
lo:0 vip 172.16.100.10
director:
configure the vip
~]# ifconfig eno16777736:0 172.16.100.10 netmask 255.255.255.255 broadcast 172.16.100.10 up
or # ip addr add 172.16.100.10/32 dev eno16777736
~]# route add -host 172.16.100.10 dev eno16777736:0
or # ip route add 172.16.100.10 dev eno16777736
on the client host, open cmd and run
arp -a   (the MAC listed for 172.16.100.10 must be the director's, not an RS's; if an RS answered first, flush the cache and fix the RS parameters below)
RS:
configure both RSs; set the ARP parameters first and add the VIP afterwards, otherwise the RS announces the VIP the moment the address comes up
~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
~]# echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
~]# echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
configure the vip on the rs
~]# ifconfig lo:0 172.16.100.10 netmask 255.255.255.255 broadcast 172.16.100.10 up
~]# route add -host 172.16.100.10 dev lo:0
on the director:
# ipvsadm -A -t 172.16.100.10:80 -s rr
# ipvsadm -a -t 172.16.100.10:80 -r 172.16.100.21 -g
# ipvsadm -a -t 172.16.100.10:80 -r 172.16.100.22 -g
moving the vip so that the vip and the rips are in different subnets (director and RSs keep 172.16.100.x on eth0, the vip becomes 192.168.0.10):
setka.sh
#!/bin/bash
# Bring the VIP up on lo:0 of a DR real server with the ARP parameters that keep
# the RS from answering or announcing the VIP; "stop" undoes both.
vip=172.16.100.10
case $1 in
start)
    # arp_ignore=1: reply only for addresses on the receiving interface (the VIP is on lo)
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
    # arp_announce=2: never use the VIP as the source address of our own ARP requests
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
    # only now add the address, so no gratuitous ARP for the VIP leaves this host
    ifconfig lo:0 "$vip" netmask 255.255.255.255 broadcast "$vip" up
    ;;
stop)
    ifconfig lo:0 down
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
    echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
    echo 0 > /proc/sys/net/ipv4/conf/eth0/arp_announce
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
on 172.16.100.21/22 (the RSs) run
setka.sh stop
on 172.16.100.9 (the director) remove the old vip
# ip addr del 172.16.100.10/32 dev eno16777736
# ip addr show
add the new vip
# ip addr add 192.168.0.10/32 dev eno16777736
ping 192.168.0.10 from the client machine; if it does not answer, check that the physical host's gateway points at 172.16.100.1 (that router must also have a route for 192.168.0.10 via the director, since the vip is no longer on any directly connected subnet)
on 21/22 run the same setka.sh start to configure the new vip, with its vip line changed to
vip=192.168.0.10
(everything else in the script, the arp_ignore/arp_announce settings and the lo:0 address with a 255.255.255.255 netmask, stays the same)
on 172.16.100.9 (the director):
# ipvsadm -C   clear the old rules
# ipvsadm -A -t 192.168.0.10:80 -s rr
# ipvsadm -a -t 192.168.0.10:80 -r 172.16.100.21 -g
# ipvsadm -a -t 192.168.0.10:80 -r 172.16.100.22 -g