Haproxy/LVS負載均衡實現+keepalived實現高可用

haproxy+keepalived 高可用集群轉發

環(huán)境介紹

#系統及內核版本
Ubuntu 18.04.4 LTS \n \l
107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
#節(jié)點(diǎn)介紹
192.168.1.113  hk-master1
192.168.1.114  hk-master2
192.168.1.111  hk-slave1
192.168.1.112  hk-slave2

內核調優

#調整Linux進程資源限制 vim /etc/security/limits.conf(注意:同一項的 soft 值不應大於 hard 值)
root soft core unlimited
root hard core unlimited
root soft nproc 600000
root hard nproc 600000
root soft nofile 648576
root hard nofile 600000
root soft memlock 32000
root hard memlock 32000
root soft msgqueue 8192000
root hard msgqueue 8192000

* soft core unlimited
* hard core unlimited
* soft nproc 600000
* hard nproc 600000
* soft nofile 600000
* hard nofile 600000
* soft memlock 32000
* hard memlock 32000
* soft msgqueue 8192000
* hard msgqueue 8192000
#驗證(進程對資源的使用情況)
root@hk-master2:~# ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7376
max locked memory       (kbytes, -l) 32000
max memory size         (kbytes, -m) unlimited
open files                      (-n) 600000
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 8192000
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 600000
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

#調整內核限制,追加以下配置到 /etc/sysctl.conf
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.ip_nonlocal_bind = 1 
 net.ipv4.ip_forward = 1 
 net.ipv4.conf.default.accept_source_route = 0
 kernel.sysrq = 0
 kernel.msgmnb = 65536
 kernel.msgmax = 65536
 kernel.shmmax = 68719476736
 kernel.shmall = 4294967296
 net.ipv4.tcp_mem = 786432 1048576 1572864
 net.ipv4.tcp_rmem = 4096 87380 4194304
 net.ipv4.tcp_wmem = 4096 16384 4194304
 net.ipv4.tcp_window_scaling = 1
 net.ipv4.tcp_sack = 1
 net.core.wmem_default = 8388608
 net.core.rmem_default = 8388608
 net.core.rmem_max = 16777216
 net.core.wmem_max = 16777216
 net.core.netdev_max_backlog = 262144
 net.core.somaxconn = 20480
 net.core.optmem_max = 81920
 net.ipv4.tcp_max_syn_backlog = 262144
 net.ipv4.tcp_syn_retries = 3
 net.ipv4.tcp_retries1 = 3
 net.ipv4.tcp_retries2 = 15
#代理不要開這個(sysctl.conf 不支持行尾註釋,註釋需單獨成行,否則 sysctl -p 會報錯)
 net.ipv4.tcp_timestamps = 0
 net.ipv4.tcp_fin_timeout = 1
 net.ipv4.tcp_max_tw_buckets = 20000
 net.ipv4.tcp_max_orphans = 3276800
 net.ipv4.tcp_synack_retries = 1
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_keepalive_time = 300
 net.ipv4.tcp_keepalive_intvl = 30
 net.ipv4.tcp_keepalive_probes = 3
 net.ipv4.ip_local_port_range = 10001 65000
 vm.overcommit_memory = 0
 vm.swappiness = 10
#驗證:sysctl -p

haproxy安裝和功能介紹

#安裝
root@hk-master2:~# apt install -y haproxy
root@hk-master1:~# apt install -y haproxy

配置介紹

配置文件目錄

主程序:/usr/sbin/haproxy
配置文件:/etc/haproxy/haproxy.cfg
Unit file:/usr/lib/systemd/system/haproxy.service

配置段:

#global 配置:
? chroot #鎖定運(yùn)行目錄
? daemon #以守護進程運行
? #stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin #socket文件
? user, group, uid, gid #運(yùn)行haproxy的用戶身份
? nbproc #開啟的haproxy進(jìn)程數(shù),與CPU保持一致
? nbthread #指定每個(gè)haproxy進(jìn)程開啟的線程數(shù),默認(rèn)為每個(gè)進(jìn)程一個(gè)線程
? cpu-map 1 0 #綁定haproxy 進(jìn)程至指定CPU
? maxconn #每個(gè)haproxy進(jìn)程的最大并發(fā)連接數(shù)
? maxsslconn #SSL每個(gè)haproxy進(jìn)程ssl最大連接數(shù)
? maxconnrate #每個(gè)進(jìn)程每秒最大連接數(shù)
? spread-checks #后端server狀態(tài)check隨機(jī)提前或延遲百分比時(shí)間,建議2-5(20%-50%)之間
? pidfile #指定pid文件路徑
? log 127.0.0.1 local3 info #定義全局的syslog服務(wù)器;最多可以定義兩個(gè)
? defaults [<name>] #默認配置項,針對以下的frontend、backend和listen生效,可以多個name
? frontend <name> #前端servername,類似于Nginx的一個虛擬主機 server。
? backend <name> #后端服務器組,等于nginx的upstream
? listen <name> #將frontend和backend合并在一起配置
? 注:name字段只能使用”-”、”_”、”.”、和”:”,并且嚴(yán)格區(qū)分大小寫,例如:Web和web是完全不
同的兩組服務(wù)器。


#defaults 配置參數(shù):
? option redispatch #當(dāng)server Id對應(yīng)的服務(wù)器掛掉后,強(qiáng)制定向到其他健康的服務(wù)器
? option abortonclose #當(dāng)服務(wù)器負(fù)載很高的時(shí)候,自動結(jié)束掉當(dāng)前隊(duì)列處理比較久的鏈接
? option http-keep-alive 60#開啟會話保持
? option forwardfor #開啟IP透傳
? mode http #默認(rèn)工作類型
? timeout connect 120s #轉發客戶端請求到后端server的最長連接時間(TCP之前)
? timeout server 600s #轉發客戶端請求到后端服務端的超時時長(TCP之后)
? timeout client 600s #與客戶端的最長空閑時(shí)間
? timeout http-keep-alive 120s #session 會話保持超時(shí)時(shí)間,范圍內(nèi)會轉(zhuǎn)發(fā)到相同的后端服務(wù)器
? #timeout check 5s #對后端服務(wù)器的檢測超時(shí)時(shí)間

#listen 配置參考:
listen WEB_PORT_80
    bind 192.168.7.102:80
    mode http
    option forwardfor
    server web1 192.168.7.101:8080 check inter 3000 fall 3 rise 5
    server web2 192.168.7.101:8080 check inter 3000 fall 3 rise 5

#后端服務(wù)器檢測機(jī)制參數(shù)介紹:
check #對指定real進(jìn)行健康狀態(tài)檢查,默認(rèn)不開啟
? addr IP #可指定的健康狀態(tài)監(jiān)測IP
? port num #指定的健康狀態(tài)監(jiān)測端口
? inter num #健康狀態(tài)檢查間隔時(shí)間,默認(rèn)2000 ms
? fall num #后端服務器失效檢查次數,默認為3
? rise num #后端服務器從下線恢復檢查次數,默認為2
? weight #默認為1,最大值為256,0表示不參與負載均衡
? backup #將后端服務(wù)器標(biāo)記為備份狀態(tài)
? disabled #將后端服務(wù)器標(biāo)記為不可用狀態(tài)
? redirect prefix http://www.magedu.com/ #將請求臨時(shí)重定向至其它URL,只適用于http模式
? maxconn <maxconn>:當(dāng)前后端server的最大并發(fā)連接數(shù)
? backlog <backlog>:當(dāng)server的連接數(shù)達(dá)到上限后的后援隊(duì)列長度

調(diào)度算法

靜態(tài)調(diào)度算法
balance: 指明對后端服務(wù)器的調(diào)度算法,配置在listen或backend
靜態(tài)算法:按照事先定義好的規(guī)則輪詢公平調(diào)度,不關(guān)心后端服務(wù)器的當(dāng)前負(fù)載、鏈接數(shù)和相應(yīng)速度等,且無法實(shí)時(shí)修改權(quán)重,只能重啟后生效。
static-rr:基于權(quán)重的輪詢調(diào)度,不支持權(quán)重的運(yùn)行時(shí)調(diào)整及后端服務(wù)器慢啟動,其后端主機(jī)數(shù)量沒有限制 (出現(xiàn)請求按比例分發(fā)給后端)
first:根據(jù)服務(wù)器在列表中的位置,自上而下進(jìn)行調(diào)度,但是其只會當(dāng)?shù)谝慌_服務(wù)器的連接數(shù)達(dá)到上限,新請求才會分配給下一臺服務(wù),因此會忽略服務(wù)器的權(quán)重設(shè)置。  (配置的后端服務(wù)器連接數(shù)到了上線,才會分發(fā)到下臺后端服務(wù)器)

動態(tài)調(diào)度算法
動態(tài)算法:基于后端服務(wù)器 狀態(tài)進(jìn)行調(diào)度適當(dāng)調(diào)整,比如優(yōu)先調(diào)度至當(dāng)前負(fù)載較低的服務(wù)器,且權(quán)重可以在haproxy運(yùn)行時(shí)動態(tài)調(diào)整無需重啟。
roundrobin:基于權(quán)重的輪詢動態(tài)調(diào)度算法,支持權(quán)重的運(yùn)行時(shí)調(diào)整,不等于lvs 的rr,支持慢啟動即新加的服務(wù)器會逐漸增加轉(zhuǎn)發(fā)數(shù),每個(gè)后端backend中最多支持4095個(gè)server,此為默認(rèn)調(diào)度算法,server 權(quán)重設(shè)置 weight
leastconn: 加權(quán)的最少連接的動態(tài),支持權(quán)重的運(yùn)行時(shí)調(diào)整和慢啟動,即當(dāng)前后端服務(wù)器連接最少的優(yōu)先調(diào)度,比較適合長連接的場景使用,比如MySQL等場景。
source調(diào)度算法
source:源地址hash,基于用戶源地址hash并將請求轉(zhuǎn)發(fā)到后端服務(wù)器,默認(rèn)為靜態(tài)即取模方式,但是可以通過hash-type支持的選項(xiàng)更改,后續(xù)同一個(gè)源地址請求將被轉(zhuǎn)發(fā)至同一個(gè)后端web服務(wù)器,比較適用于session保持/緩存業(yè)務(wù)等場景。

? map-based:取模法,基于服務(wù)器權(quán)重的hash數(shù)組取模,該hash是靜態(tài)的即不支持在線調(diào)整權(quán)重,不支持慢啟動,其對后端服務(wù)器調(diào)度均衡,缺點(diǎn)是當(dāng)服務(wù)器的總權(quán)重發(fā)生變化時(shí),即有服務(wù)器上線或下線,都會因權(quán)重發(fā)生變化而導(dǎo)致調(diào)度結(jié)果整體改變hash(o)mod n 。

?consistent:一致性哈希,該hash是動態(tài)的,支持在線調(diào)整權(quán)重,支持慢啟動,優(yōu)點(diǎn)在于當(dāng)服務(wù)器的總權(quán)重發(fā)生變化時(shí),對調(diào)度結(jié)果影響是局部的,不會引起大的變動。

#配置案例:
listen web_prot_http_nodes
    bind 192.168.7.101:80
    mode http
    balance source
    hash-type consistent
    log global
    option forwardfor
    server 192.168.7.101 192.168.7.101:8080 check inter 3000 fall 3 rise 5
    server 192.168.7.102 192.168.7.102:8080 check inter 3000 fall 3 rise 5
uri調(diào)度算法
uri:基于對用戶請求的uri做hash并將請求轉(zhuǎn)發(fā)到后端指定服務(wù)器
? map-based:取模法
? consistent:一致性哈希

listen web_prot_http_nodes
    bind 192.168.7.101:80
    mode http #不支持tcp,會切換到tcp的roundrobin負(fù)載模式
    balance uri
    hash-type consistent
    log global
    option forwardfor
    server 192.168.7.101 192.168.7.101:8080 check inter 3000 fall 3 rise 5
    server 192.168.7.102 192.168.7.102:8080 check inter 3000 fall 3 rise 5

url_param 調(diào)度算法
#url_param: 對用戶請求的url中的<params>部分中的參數(shù)name作hash計(jì)算,并由服務(wù)器總權(quán)重相除以后派發(fā)至某挑出的服務(wù)器;通常用于追蹤用戶,以確保來自同一個(gè)用戶的請求始終發(fā)往同一個(gè)Backend Server
#對url傳遞的查詢字符串進行hash
listen web_prot_http_nodes
    bind 192.168.7.101:80
    mode http #不支持tcp,會切換到tcp的roundrobin負(fù)載模式
    balance url_param name #基于參數(shù)name做hash
    hash-type consistent
    log global
    option forwardfor
    server 192.168.7.101 192.168.7.101:8080 check inter 3000 fall 3 rise 5
    server 192.168.7.102 192.168.7.102:8080 check inter 3000 fall 3 rise 5
hdr調(diào)度算法
#針對每個(gè)用戶的http請求頭中的指定信息做hash,此處由<name>指定的http首部將會被取出并做hash計(jì)算,然后由服務(wù)器總權(quán)重相除以后派發(fā)至某挑出的服務(wù)器,假如無有效的值,則會被輪詢調(diào)度
hdr( Cookie、 User-Agent、host )

listen web_prot_http_nodes
    bind 192.168.7.101:80
    mode http
    balance hdr(User-Agent)
    hash-type consistent #一致性hash 
    log global
    option forwardfor
    server 192.168.7.101 192.168.7.101:8080 check inter 3000 fall 3 rise 5
    server 192.168.7.102 192.168.7.102:8080 check inter 3000 fall 3 rise 5
rdp-cookie調(diào)度算法
rdp-cookie對遠(yuǎn)程桌面的負(fù)載,使用cookie保持會話

listen RDP
    bind 192.168.7.101:3389
    balance rdp-cookie
    mode tcp
    server rdp0 172.18.139.20:3389 check fall 3 rise 5 inter 2000 weight 1
    server rdp1 172.18.139.21:3389 check fall 3 rise 5 inter 2000 weight 1
    
    

配置狀態(tài)頁

stats enable #基于默認(rèn)的參數(shù)啟用stats page
stats hide-version # 隱藏版本
stats refresh <delay> # 設(shè)定自動刷新時(shí)間間隔
stats uri <prefix> #自定義stats page uri,默認(rèn)值:/haproxy?stats 
stats realm <realm> #賬戶認(rèn)證時(shí)的提示信息,示例:stats realm : HAProxy\ Statistics
stats auth <user>:<passwd> #認(rèn)證時(shí)的賬號和密碼,可使用多次,默認(rèn):no authentication
stats admin { if | unless } <cond> #啟用stats page中的管理功能(下例的 `stats admin if TRUE` 配合 `bind :9009` 會把啟停后端等管理操作開放給所有能通過認證的來源;生產環境應綁定內網地址、使用強密碼並收緊條件)


listen stats
    bind :9009
    stats enable
    #stats hide-version 
    stats uri /haproxy-status
    stats realm HAPorxy\ Stats\ Page
    stats auth haadmin:123456
    stats auth admin:123456
    stats refresh 30s
    stats admin if TRUE

自定義錯(cuò)誤頁面

errorfile 500 /usr/local/haproxy/html/500.html #自定義錯(cuò)誤頁面跳轉(zhuǎn)
errorfile 502 /usr/local/haproxy/html/502.html
errorfile 503 /usr/local/haproxy/html/503.html

errorloc 503 http://192.168.7.103/error_page/503.html

壓縮功能

compression algo #啟用http協(xié)議中的壓縮機(jī)制,常用算法有g(shù)zip deflate
compression type #要壓縮的類型
? 示例:
    ? compression algo gzip
    ? compression type compression type text/plain text/html text/css text/xml text/javascript application/javascript

配置https

bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE
    crt 后證書文件為PEM格式,且同時(shí)包含證書和所有私鑰
    cat demo.crt demo.key > demo.pem 
把80端口的請求重向定443
    bind *:80
    redirect scheme https if !{ ssl_fc }
向后端傳遞用戶請求的協(xié)議和端口(frontend或backend)
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
#配置示例:
frontend https_frontend
  bind *:443 ssl crt /etc/ssl/certs/servername.pem
  mode http
  option httpclose
  option forwardfor
  reqadd X-Forwarded-Proto:\ https
  default_backend web_server

backend web_server
  mode http
  balance roundrobin
  cookie SERVERID insert indirect nocache
  server s1 192.168.250.47:80 check cookie s1
  server s2 192.168.250.49:80 check cookie s2
 注意:這里的pem 文件是下面兩個(gè)文件合并而成:
  cat servername.crt servername.key |tee servername.pem
  
#第二種四層轉(zhuǎn)發(fā)
frontend https_frontend
  bind *:443
  mode tcp
  default_backend web_server

backend web_server
  mode tcp
  balance roundrobin
  stick-table type ip size 200k expire 30m
  stick on src
  server s1 192.168.250.47:443
  server s2 192.168.250.49:443
  
  注意,這種模式下mode 必須是tcp 模式
         

四層負(fù)載IP透傳

#在四層負(fù)載設(shè)備中,把client發(fā)送的報(bào)文目標(biāo)地址(原來是負(fù)載均衡設(shè)備的IP地址),根據(jù)均衡設(shè)備設(shè)置的選擇web服務(wù)器的規(guī)則選擇對應(yīng)的web服務(wù)器IP地址,這樣client就可以直接跟此服務(wù)器建立TCP連接并發(fā)送數(shù)據(jù)。

listen web_prot_http_nodes
    bind 192.168.7.102:80
    mode tcp
    server 192.168.7.102 blogs.studylinux.net:80 send-proxy check inter 3000 fall 3 rise 5 #send-proxy

Nginx配置:
    listen 80 proxy_protocol; 
        '"tcp_ip":"$proxy_protocol_addr",' #TCP獲取客戶端真實(shí)IP日志格式


七層負(fù)載IP透傳

#七層負(fù)載均衡服務(wù)器起了一個(gè)代理服務(wù)器的作用,服務(wù)器建立一次TCP連接要三次握手,而client要訪問webserver要先與七層負(fù)載設(shè)備進(jìn)行三次握手后建立TCP連接,把要訪問的報(bào)文信息發(fā)送給七層負(fù)載均衡;然后七層負(fù)載均衡再根據(jù)設(shè)置的均衡規(guī)則選擇特定的webserver,然后通過三次握手與此臺webserver建立TCP連接,然后webserver把需要的數(shù)據(jù)發(fā)送給七層負(fù)載均衡設(shè)備,負(fù)載均衡設(shè)備再把數(shù)據(jù)發(fā)送給client;所以,七層負(fù)載均衡設(shè)備起到了代理服務(wù)器的作用。

listen web_prot_http_nodes
    bind 192.168.7.102:80
    mode http
    #option forwardfor
    server 192.168.7.102 blogs.studylinux.net:80 check inter 3000 fall 3 rise 5

keepalived 安裝和功能介紹

root@hk-master2:~# apt install -y keepalived
root@hk-master1:~# apt install -y keepalived

功能

基于vrrp協(xié)議完成地址流動
為vip地址所在的節(jié)點(diǎn)生成ipvs規(guī)則(在配置文件中預(yù)先定義) 
為ipvs集群的各RS做健康狀態(tài)檢測
基于腳本調(diào)用接口通過執(zhí)行腳本完成腳本中定義的功能,進(jìn)而影響集群事務(wù),以此支持nginx、haproxy等服務(wù)

環(huán)境要求

#個(gè)節(jié)點(diǎn)時(shí)間同步
#關(guān)閉selinux
#添加防火牆策略/關閉防火牆(以下規則只放行目的地址為 192.168.1.114 的單播 VRRP 報文;若使用組播 vrrp_mcast_group4 224.0.0.18,目的地址需改為該組播地址)
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
  --in-interface ens0 --destination 192.168.1.114 --protocol vrrp -j ACCEPT
success
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
  --out-interface ens0 --destination 192.168.1.114 --protocol vrrp -j ACCEPT
success
firewall-cmd --reload
success

配置介紹

主配置文件:/etc/keepalived/keepalived.conf
主程序文件:/usr/sbin/keepalived
Unit File: 
    ? /usr/lib/systemd/system/keepalived.service (CentOS) 
    ? /lib/systemd/system/keepalived.service (Ubuntu)

#配置文件組成部分
TOP HIERACHY
    GLOBAL CONFIGURATION
        Global definitions
        
    VRRP CONFIGURATION
        VRRP instance(s):即一個(gè)vrrp虛擬路由器
        
    LVS CONFIGURATION
        Virtual server group(s)
        Virtual server(s):ipvs集群的vs和rs
        
#配置參數(shù):
state MASTER|BACKUP:當(dāng)前節(jié)點(diǎn)在此虛擬路由器上的初始狀態(tài),狀態(tài)為MASTER或者BACKUP
interface IFACE_NAME:綁定為當(dāng)前虛擬路由器使用的物理接口ens32,ens0,bond0,br0
virtual_router_id VRID:當(dāng)前虛擬路由器惟一標(biāo)識,范圍是0-255
priority 100:當(dāng)前物理節(jié)點(diǎn)在此虛擬路由器中的優(yōu)先級;范圍1-254
advert_int 1:vrrp通告的時(shí)間間隔,默認(rèn)1s
authentication { #認(rèn)證機(jī)制
auth_type AH|PASS
auth_pass <PASSWORD> 僅前8位有效(PASS 認證的密碼以明文在網段內傳輸,只能防止誤配置,不能防範同一網段的惡意節點;VRRP 所在網段應受控)
}
virtual_ipaddress { #虛擬IP
    <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
    192.168.200.17/24 dev ens1
    192.168.200.18/24 dev ens2 label ens2:1
}
track_interface { #配置監(jiān)控網(wǎng)絡(luò)接口,一旦出現(xiàn)故障,則轉(zhuǎn)為FAULT狀態(tài)實(shí)現(xiàn)地址轉(zhuǎn)移
    ens0
    ens1
    … 
    }

組播配置

#master :
global_defs { 
    notification_email { 
        root@localhost #keepalived 發(fā)生故障切換時(shí)郵件發(fā)送的對象,可以按行區(qū)分寫多個(gè)
}
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ha1.example.com
    vrrp_skip_check_adv_addr #所有報(bào)文都檢查比較消耗性能,此配置為如果收到的報(bào)文和上一個(gè)報(bào)文是同一個(gè)路由器則跳過檢查報(bào)文中的源地址
    vrrp_strict #嚴格遵守VRRP協議,不允許狀況:1.沒有VIP地址,2.單播鄰居,3.在VRRP版本2中有IPv6地址
    vrrp_garp_interval 0 #ARP報文發送延遲
    vrrp_gna_interval 0 #消息發(fā)送延遲
    vrrp_mcast_group4 224.0.0.18 #默認(rèn)組播IP地址,224.0.0.0到239.255.255.255
    #vrrp_iptables
    }
    vrrp_instance VI_1 {
        state MASTER
        interface ens0
        virtual_router_id 80
        priority 100
        advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111qwer
    } 
    virtual_ipaddress {
        192.168.7.248 dev ens0 label ens0:0
    } 
}
#backup :
global_defs {
    notification_email {
        root@localhost
} 
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ha2.example.com
    vrrp_skip_check_adv_addr #
    vrrp_strict #嚴(yán)格遵守VRRP協(xié)議。
    vrrp_garp_interval 0 #ARP報(bào)文發(fā)送延遲
    vrrp_gna_interval 0 #消息發(fā)送延遲
    vrrp_mcast_group4 224.0.0.18 #組播IP地址,224.0.0.0到239.255.255.255
    #vrrp_iptables
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens0
    virtual_router_id 80
    priority 90
    advert_int 1
    authentication {
    auth_type PASS
    auth_pass 1111qwer
} 
virtual_ipaddress {
    192.168.7.248 dev ens0 label ens0:0
    } 
}

非搶占

#設(shè)置成雙備模式 關(guān)閉vip搶占 + nopreempt
#hk-master1
vrrp_instance VI_1 {
    state BACKUP
    interface ens0
    virtual_router_id 80
    priority 100
    advert_int 1 
    nopreempt
#hk-master2
vrrp_instance VI_1 {
    state BACKUP
    interface ens0
    virtual_router_id 80
    priority 90
    advert_int 1 
    nopreempt

單播配置

unicast_src_ip 本機(jī)源IP
    unicast_peer {
    目標(biāo)主機(jī)IP
}

通知配置

vim /etc/mail.rc
set from=12161xxqq.com
set smtp=smtp.qq.com
set smtp-auth-user=12161xxqq.com
set smtp-auth-password=xxxxxxx
set smtp-auth=login
# ssl-verify=ignore 會關閉對 SMTP 服務器憑證的校驗,帳號密碼可能被中間人截獲;正式環境建議改為 strict,並把 /etc/mail.rc 的權限限制為 600
set ssl-verify=ignore

nopreempt:定義工作模式為非搶占模式
preempt_delay 300:搶占式模式,節(jié)點(diǎn)上線后觸發(fā)新選舉操作的延遲時(shí)長,
默認(rèn)模式
定義通知腳本:
    notify_master <STRING>|<QUOTED-STRING>:
        當(dāng)前節(jié)點(diǎn)成為主節(jié)點(diǎn)時(shí)觸發(fā)的腳本
    notify_backup <STRING>|<QUOTED-STRING>:
        當(dāng)前節(jié)點(diǎn)轉(zhuǎn)為備節(jié)點(diǎn)時(shí)觸發(fā)的腳本
    notify_fault <STRING>|<QUOTED-STRING>:
        當(dāng)前節(jié)點(diǎn)轉(zhuǎn)為“失敗”狀態(tài)時(shí)觸發(fā)的腳本
    notify <STRING>|<QUOTED-STRING>:
        通用格式的通知觸發(fā)機(jī)制,一個(gè)腳本可完成以上三種狀態(tài)的轉(zhuǎn)換時(shí)的通知


應(yīng)用層監(jiān)控

HTTP_GET|SSL_GET:應(yīng)用層檢測
HTTP_GET|SSL_GET {
    url {
        path <URL_PATH>:定義要監(jiān)控的URL
        status_code <INT>:判斷上述檢測機(jī)制為健康狀態(tài)的響應(yīng)碼
    }
connect_timeout <INTEGER>:連接請求的超時(shí)時(shí)長
nb_get_retry <INT>:重試次數(shù)
delay_before_retry <INT>:重試之前的延遲時(shí)長
connect_ip <IP ADDRESS>:向當(dāng)前RS哪個(gè)IP地址發(fā)起健康狀態(tài)檢測請求
connect_port <PORT>:向當(dāng)前RS的哪個(gè)PORT發(fā)起健康狀態(tài)檢測請求
bindto <IP ADDRESS>:發(fā)出健康狀態(tài)檢測請求時(shí)使用的源地址
bind_port <PORT>:發(fā)出健康狀態(tài)檢測請求時(shí)使用的源端口
}
#real_server http監(jiān)測
real_server 192.168.7.103 80 {
    weight 1
    HTTP_GET {
    url {
        path /index.html
        status_code 200
        } 
    }
    connect_timeout 5
    nb_get_retry 3
    delay_before_retry 3 
}

tcp監(jiān)控

傳輸層檢測 TCP_CHECK
    TCP_CHECK {
        connect_ip <IP ADDRESS>:向當(dāng)前RS的哪個(gè)IP地址發(fā)起健康狀態(tài)檢測請求
        connect_port <PORT>:向當(dāng)前RS的哪個(gè)PORT發(fā)起健康狀態(tài)檢測請求
        bindto <IP ADDRESS>:發(fā)出健康狀態(tài)檢測請求時(shí)使用的源地址
        bind_port <PORT>:發(fā)出健康狀態(tài)檢測請求時(shí)使用的源端口
        connect_timeout <INTEGER>:連接請求的超時(shí)時(shí)長
    }

腳本監(jiān)控

分兩步:(1) 先定義一個(gè)腳本;(2) 調(diào)用此腳本
vrrp_script <SCRIPT_NAME> {
    script <STRING>|<QUOTED-STRING>
    interval <INTEGER> # 間隔時(shí)間,單位為秒,默認(rèn)1秒
    timeout <INTEGER> # 超時(shí)時(shí)間
    weight <INTEGER:-254..254> # 權(quán)重,監(jiān)測失敗后會執(zhí)行權(quán)重+操作
    fall <INTEGER> #腳本幾次失敗轉(zhuǎn)換為失敗
    rise <INTEGER> # 腳本連續(xù)監(jiān)測成果后,把服務(wù)器從失敗標(biāo)記為成功的次數(shù)
    user USERNAME [GROUPNAME] # 執(zhí)行監(jiān)測的用戶或組
    init_fail # 設(shè)置默認(rèn)標(biāo)記為失敗狀態(tài),監(jiān)測成功之后再轉(zhuǎn)換為成功狀態(tài)
}

vrrp_instance VI_1 {
…
track_script {
    SCRIPT_NAME_1
    SCRIPT_NAME_2
    }
}

配置案例:

#查找配置案例
root@hk-master2:~# find /usr/share/doc/keepalived/ -name keepalived.*
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.routes
/usr/share/doc/keepalived/samples/keepalived.conf.fwmark
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.sync
/usr/share/doc/keepalived/samples/keepalived.conf.SMTP_CHECK
/usr/share/doc/keepalived/samples/keepalived.conf.HTTP_GET.port
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.scripts
/usr/share/doc/keepalived/samples/keepalived.conf.SSL_GET
/usr/share/doc/keepalived/samples/keepalived.conf.virtual_server_group
/usr/share/doc/keepalived/samples/keepalived.conf.virtualhost
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.static_ipaddress
/usr/share/doc/keepalived/samples/keepalived.conf.misc_check
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.localcheck
/usr/share/doc/keepalived/samples/keepalived.conf.sample
/usr/share/doc/keepalived/samples/keepalived.conf.misc_check_arg
/usr/share/doc/keepalived/samples/keepalived.conf.IPv6
/usr/share/doc/keepalived/samples/keepalived.conf.quorum
/usr/share/doc/keepalived/samples/keepalived.conf.inhibit
/usr/share/doc/keepalived/samples/keepalived.conf.track_interface
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.lvs_syncd
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp
/usr/share/doc/keepalived/samples/keepalived.conf.status_code
/usr/share/doc/keepalived/samples/keepalived.conf.vrrp.rules
/usr/share/doc/keepalived/keepalived.conf.SYNOPSIS.gz

#
root@hk-master2:~# vim /etc/keepalived/keepalived.conf #hk-master1與這個(gè)配置就routid和優(yōu)先級不一樣其他的都一樣

! Configuration File for keepalived

global_defs {
   #notification_email {
    # acassen
   #}
 #  notification_email_from Alexandre.Cassen@firewall.loc
  # smtp_server 192.168.200.1
  # smtp_connect_timeout 30
   router_id LVS_DEVEL_114
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    garp_master_delay 10
    #smtp_alert
    virtual_router_id 51
    priority 99
    nopreempt
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.200 label ens33:1
    }
}

haproxy動態(tài)上線下線后端服務(wù)器

#以上基于hk-master1實(shí)現(xiàn)了一個(gè)vip-192.168.1.200。 這里基于這個(gè)vip做負(fù)載均衡配置
#hk-master1:
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        nbproc 2
        maxconn 65536
        stats timeout 30s
        cpu-map 1 0
        cpu-map 2 1
        stats socket /run/haproxy/admin.sock1 mode 660 level admin process 1
        stats socket /run/haproxy/admin.sock2 mode 660 level admin process 2
        nbthread 12
        user haproxy
        group haproxy
        daemon
        #ulimit -n 65536

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
listen stats
  mode http
  bind 192.168.1.113:9999
  stats enable
  log global
  stats uri /haproxy-status
  stats auth haadmin:123123

listen nginx
  bind 192.168.1.200:80
  mode http
  server 192.168.1.111 192.168.1.111:80 check inter 2s fall 3 rise 5
  server 192.168.1.112 192.168.1.112:80 check inter 2s fall 3 rise 5   
  
#升級前下線后端服務(wù)器
root@hk-master1:~# cat updatecode.sh 
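#!/bin/bash
# Take one backend server out of rotation on every HAProxy worker process,
# e.g. before deploying new code to it.
#
# Usage:   updatecode.sh <backend> <server>
# Globals: none
# Returns: 0 when every socket accepted the command, 1 if any socket failed,
#          2 on a usage error
#
# HAProxy is configured with one admin stats socket per process
# (/run/haproxy/admin.sock<N>) and each process keeps its own view of server
# state, so the command has to be repeated on every socket.
set -euo pipefail

backend=${1:-}
server=${2:-}
if [[ -z "$backend" || -z "$server" ]]; then
  printf 'Usage: %s <backend> <server>\n' "${0##*/}" >&2
  exit 2
fi

# The names are spliced into a CLI command line; restrict them to the
# characters HAProxy allows in names so a stray ';' or newline cannot be read
# by the socket as a second command.
name_re='^[A-Za-z0-9._:-]+$'
if [[ ! "$backend" =~ $name_re || ! "$server" =~ $name_re ]]; then
  printf 'invalid backend/server name: %s/%s\n' "$backend" "$server" >&2
  exit 2
fi

# Socket count is assumed to equal the CPU count (nbproc == CPUs); sockets
# that do not exist are skipped instead of making socat fail.
cpus=$(grep -c '^processor' /proc/cpuinfo)
rc=0
for ((i = 1; i <= cpus; i++)); do
  sock="/run/haproxy/admin.sock$i"
  if [[ ! -S "$sock" ]]; then
    printf 'warning: %s does not exist, skipping\n' "$sock" >&2
    continue
  fi
  if ! printf 'disable server %s/%s\n' "$backend" "$server" | socat stdio "$sock"; then
    printf 'error: disable failed via %s\n' "$sock" >&2
    rc=1
  fi
done
exit "$rc"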

#升級完畢上線后端服務(wù)器
root@hk-master1:~# cat percode.sh 
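#!/bin/bash
# Put one backend server back into rotation on every HAProxy worker process,
# e.g. after the code upgrade on it is finished.
#
# Usage:   percode.sh <backend> <server>
# Globals: none
# Returns: 0 when every socket accepted the command, 1 if any socket failed,
#          2 on a usage error
#
# HAProxy is configured with one admin stats socket per process
# (/run/haproxy/admin.sock<N>) and each process keeps its own view of server
# state, so the command has to be repeated on every socket.
set -euo pipefail

backend=${1:-}
server=${2:-}
if [[ -z "$backend" || -z "$server" ]]; then
  printf 'Usage: %s <backend> <server>\n' "${0##*/}" >&2
  exit 2
fi

# The names are spliced into a CLI command line; restrict them to the
# characters HAProxy allows in names so a stray ';' or newline cannot be read
# by the socket as a second command.
name_re='^[A-Za-z0-9._:-]+$'
if [[ ! "$backend" =~ $name_re || ! "$server" =~ $name_re ]]; then
  printf 'invalid backend/server name: %s/%s\n' "$backend" "$server" >&2
  exit 2
fi

# Socket count is assumed to equal the CPU count (nbproc == CPUs); sockets
# that do not exist are skipped instead of making socat fail.
cpus=$(grep -c '^processor' /proc/cpuinfo)
rc=0
for ((i = 1; i <= cpus; i++)); do
  sock="/run/haproxy/admin.sock$i"
  if [[ ! -S "$sock" ]]; then
    printf 'warning: %s does not exist, skipping\n' "$sock" >&2
    continue
  fi
  if ! printf 'enable server %s/%s\n' "$backend" "$server" | socat stdio "$sock"; then
    printf 'error: enable failed via %s\n' "$sock" >&2
    rc=1
  fi
done
exit "$rc"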

LVS+keepalived 高可用集群

lvs 主要的工作是提供調(diào)度算法,把客戶端請求按照需求調(diào)度在 real 服務(wù)器,keepalived 主要的工作是提供 lvs 控制器的一個(gè)冗余,并且對 real 服務(wù)器做健康檢查,發(fā)現(xiàn)不健康的 real 服務(wù)器,就把它從 lvs 集群中剔除,real 服務(wù)器只負(fù)責(zé)提供服務(wù)。

keepalived底層有關(guān)于IPVS的功能模塊,可以直接在其配置文件中實(shí)現(xiàn)LVS的配置,不需要通過ipvsadm命令再單獨(dú)配置

LVS 負(fù)載策略介紹

#IP 負(fù)載均衡技術(shù)(VS/NAT,VS/TUN,VS/DR):
Virtual Server via Network Address Translation(VS/NAT)
通過網(wǎng)絡(luò)地址轉(zhuǎn)換,調(diào)度器重寫請求報(bào)文的目標(biāo)地址,根據(jù)預(yù)設(shè)的調(diào)度算法,將請求分派給后端的真實(shí)服務(wù)器;真實(shí)服務(wù)器的響應(yīng)報(bào)文通過調(diào)度器時(shí),報(bào)文的源地址被重寫,再返回給客戶,完成整個(gè)負(fù)載調(diào)度過程。

Virtual Server via IP Tunneling(VS/TUN)
采用 NAT 技術(shù)時(shí),由于請求和響應(yīng)報(bào)文都必須經(jīng)過調(diào)度器地址重寫,當(dāng)客戶請求越來越多時(shí),調(diào)度器的處理能力將成為瓶頸。為了解決這個(gè)問題,調(diào)度器把請求報(bào) 文通過 IP 隧道轉(zhuǎn)發(fā)至真實(shí)服務(wù)器,而真實(shí)服務(wù)器將響應(yīng)直接返回給客戶,所以調(diào)度器只處理請求報(bào)文。由于一般網(wǎng)絡(luò)服務(wù)應(yīng)答比請求報(bào)文大許多,采用 VS/TUN 技術(shù)后,集群系統(tǒng)的最大吞吐量可以提高 10 倍。

Virtual Server via Direct Routing(VS/DR)
VS/DR 通過改寫請求報(bào)文的 MAC 地址,將請求發(fā)送到真實(shí)服務(wù)器,而真實(shí)服務(wù)器將響應(yīng)直接返回給客戶。同 VS/TUN 技術(shù)一樣,VS/DR 技術(shù)可極大地 提高集群系統(tǒng)的伸縮性。這種方法沒有 IP 隧道的開銷,對集群中的真實(shí)服務(wù)器也沒有必須支持 IP 隧道協(xié)議的要求,但是要求調(diào)度器與真實(shí)服務(wù)器都有一塊網(wǎng)卡連 在同一物理網(wǎng)段上。


LVS 調(diào)度算法

1.輪詢:Round Robin,簡稱rr,分發(fā)器按照循環(huán)的方式將請求平均的發(fā)送給后端的rs

2.加權(quán)輪詢:Weight Round-Robin,簡稱wrr,增對輪詢的優(yōu)化,會給每臺rs定義對應(yīng)的權(quán)重值,權(quán)重值大的rs會比權(quán)重值小的rs接收到更多分發(fā)器轉(zhuǎn)發(fā)的請求

3.最小連接:Least-Connection,簡稱lc,分發(fā)器向每臺rs轉(zhuǎn)發(fā)請求時(shí),會記錄rs的連接數(shù),根據(jù)連接數(shù)判斷所有rs的情況,將最新的請求轉(zhuǎn)發(fā)給連接數(shù)最少的rs

4.加權(quán)最小連接:Weight Least-Connection,簡稱wlc,增對最小連接的優(yōu)化,定義每臺rs的權(quán)重值,分發(fā)器將新的請求轉(zhuǎn)發(fā)給rs時(shí),會根據(jù)權(quán)重值判斷轉(zhuǎn)發(fā)請求給每臺rs的比例,分發(fā)器可以自動判斷rs的情況,動態(tài)調(diào)整權(quán)重值

#以上為4中常用調(diào)度算法,除此之外還有基于局部性的最小連接、帶復(fù)制的基于局部性最小連接、目標(biāo)地址散列調(diào)度、源地址散列調(diào)度等

LVS NAT模式搭建

測試環(huán)境:準(zhǔn)備3臺機(jī)器,1臺分發(fā)器(dir)和2臺rs

dir內(nèi)網(wǎng):192.168.1.113 外網(wǎng):192.168.111.200
rs1內(nèi)網(wǎng):192.168.1.111
rs2內(nèi)網(wǎng):192.168.1.112

apt install -y iptables #all node
systemctl enable iptables --now #all node
#設(shè)置rs1與rs2的網(wǎng)關(guān)為dir的內(nèi)網(wǎng)ip:
root@hk-slave1:/opt# vim /etc/netplan/01-netcfg.yaml 
root@hk-slave1:/opt# netplan apply
root@hk-slave1:/opt# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ens33
0.0.0.0         192.168.1.113   0.0.0.0         UG    0      0        0 ens33
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens33
# dir 上創(chuàng)建vip 開啟代理后端服務(wù)的lvs 模塊
root@hk-master1:~# cat  /usr/local/sbin/lvs_nat.sh
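#!/bin/bash
# LVS NAT director setup; run on the director (dir) as root.
# Addresses are kept in variables, in the same style as lvs_dr.sh, so the
# script can be reused by editing one place.
#
# Globals: none
# Returns: non-zero as soon as any step fails (set -e)
set -eu

ipv=/sbin/ipvsadm
vip=192.168.1.200
rs1=192.168.1.111
rs2=192.168.1.112
inner_net=192.168.1.0/24   # real-server subnet that gets masqueraded
inner_if=ens33             # internal NIC (the external one is ens37)

# The director must route between the internal and external NICs.
echo 1 > /proc/sys/net/ipv4/ip_forward
# No ICMP redirects: real servers must keep sending replies through the
# director instead of being told about a shorter path.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > "/proc/sys/net/ipv4/conf/$inner_if/send_redirects"
#echo 0 > /proc/sys/net/ipv4/conf/ens37/send_redirects

# NAT table: this flushes every existing NAT rule on the host, not only the
# LVS ones, before adding the masquerade rule for the real-server subnet.
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -s "$inner_net" -j MASQUERADE

# Rebuild the ipvs rules from scratch; -s rr selects round-robin scheduling.
"$ipv" -C
"$ipv" -A -t "$vip:80" -s rr
# -r real server, -m NAT (masquerading) forwarding, -w weight
"$ipv" -a -t "$vip:80" -r "$rs1:80" -m -w 1
"$ipv" -a -t "$vip:80" -r "$rs2:80" -m -w 1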
root@hk-master1:~# bash /usr/local/sbin/lvs_nat.sh 
# 驗(yàn)證代理配置
root@hk-master1:~# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.200:80 rr
  -> 192.168.1.111:80             Masq    1      0          0         
  -> 192.168.1.112:80             Masq    1      0          0   
  
 #dir 主機(jī) curl 調(diào)用虛擬ip 192.168.1.200
 root@hk-master1:~# curl 192.168.1.200
192.168.1.112 nginx page
root@hk-master1:~# curl 192.168.1.200
192.168.1.111 nginx page
root@hk-master1:~# curl 192.168.1.200
192.168.1.112 nginx page
root@hk-master1:~# curl 192.168.1.200
192.168.1.111 nginx page
root@hk-master1:~# 

LVS DR 模式搭建

測試環(huán)境:準(zhǔn)備3臺機(jī)器,1臺分發(fā)器(dir)和2臺rs

dir內(nèi)網(wǎng):192.168.1.113
rs1內(nèi)網(wǎng):192.168.1.111
rs2內(nèi)網(wǎng):192.168.1.112
VIP:192.168.1.200

DR模式rs1,與rs2機(jī)器的網(wǎng)關(guān)不需要配置為dir的ip地址,同樣使用iptables工具管理防火墻,也要下載ipvsadm

root@hk-master1:~#iptables -F 
root@hk-master1:~# ipvsadm -C
root@hk-master1:~# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn

root@hk-master1:~# bash /usr/local/sbin/lvs_dr.sh 
SIOCADDRT: File exists

root@hk-master1:~# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.200:80 rr
  -> 192.168.1.111:80             Route   1      0          0         
  -> 192.168.1.112:80             Route   1      0          0         

root@hk-master1:~# cat /usr/local/sbin/lvs_dr.sh 
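#!/bin/bash
# LVS DR director setup; run on the director (dir) as root.
# Uses ip(8) 'replace' instead of ifconfig/route 'add', so re-running the
# script is idempotent and no longer fails with "SIOCADDRT: File exists".
#
# Globals: none
# Returns: non-zero as soon as any step fails (set -e)
set -eu

ipv=/sbin/ipvsadm
vip=192.168.1.200
rs1=192.168.1.111
rs2=192.168.1.112
iface=ens33

echo 1 > /proc/sys/net/ipv4/ip_forward

# VIP as a /32 alias on the director's NIC; the label keeps the ifconfig-style
# name so tools that list aliases still show it as ens33:2.
ip addr replace "$vip/32" brd "$vip" dev "$iface" label "$iface:2"
ip route replace "$vip/32" dev "$iface"

# Rebuild the ipvs rules from scratch; -s rr selects round-robin scheduling.
"$ipv" -C
"$ipv" -A -t "$vip:80" -s rr
# -r real server, -g direct routing (DR mode: forwarded by MAC, the real
# server answers the client directly), -w weight
"$ipv" -a -t "$vip:80" -r "$rs1:80" -g -w 1
"$ipv" -a -t "$vip:80" -r "$rs2:80" -g -w 1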

# rs1和rs2 都執(zhí)行:
root@hk-slave1:/opt# bash /usr/local/sbin/lvs_rs.sh 

root@hk-slave1:/opt# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.1.200/32 brd 192.168.1.200 scope global lo:0
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/enser 00:0c:29:9f:37:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.111/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe9f:37c7/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/enser 02:42:d9:b9:ab:13 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:d9ff:feb9:ab13/64 scope link 
       valid_lft forever preferred_lft forever

root@hk-slave1:/opt# cat /usr/local/sbin/lvs_rs.sh 
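#!/bin/bash
# LVS DR real-server setup; run on every real server (rs) as root.
# The ARP sysctls are applied BEFORE the VIP is configured, so the real
# server never announces the VIP on the LAN and the director's MAC stays the
# only answer for it. Uses ip(8) 'replace' so re-running is idempotent.
#
# Globals: none
# Returns: non-zero as soon as any step fails (set -e)
set -eu

vip=192.168.1.200

netplan apply

# arp_ignore=1:   only answer ARP for addresses configured on the receiving
#                 interface (the VIP lives on lo, so it is never answered)
# arp_announce=2: always use the best local address as ARP source, never the VIP
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

# Bind the VIP on loopback so the real server accepts packets addressed to it
# and returns the reply straight to the client.
ip addr replace "$vip/32" brd "$vip" dev lo label lo:0
ip route replace "$vip/32" dev lo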


結(jié)合keepalive 實(shí)現(xiàn)高可用

以上面配置的LVS DR模式為例,使用keepalived+lvs的場景:

1.dir會將收到的請求分發(fā)給后端的rs,但是當(dāng)某臺rs宕機(jī)的時(shí)候,dir不會知道,還會繼續(xù)分發(fā)請求到宕機(jī)的rs機(jī)器,為了避免該情況出現(xiàn),可以使用keepalived的避免

#清空規(guī)則
root@hk-master1:~# iptables -F
root@hk-master1:~# ipvsadm -C
#編輯keepalive配置文件
root@hk-master1:~# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.200:80 rr persistent 1
  -> 192.168.1.111:80             Route   100    0          0         
  -> 192.168.1.112:80             Route   100    0          0         
root@hk-master1:~# vim /etc/keepalived/keepalived.conf 
root@hk-master1:~# cat /etc/keepalived/keepalived.conf 
vrrp_instance VI_1 {
    state BACKUP
    #綁定vip的網(wǎng)卡
    interface ens33
    #路由id,需要與backup機(jī)器相同
    virtual_router_id 51
    #定義權(quán)重,備用服務(wù)器上要小于100
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass keepalived123
    }
    virtual_ipaddress {
        192.168.1.200
    }
}
virtual_server 192.168.1.200 80 {
    #每隔10秒查詢r(jià)ealserver狀態(tài)
    delay_loop 10
    #lvs 算法
    lb_algo rr
    #DR模式
    lb_kind DR
    #同一IP的連續(xù)1秒內(nèi)被分配到同一臺rs
    persistence_timeout 1
    #用TCP協(xié)議檢查rs
    protocol TCP

    real_server 192.168.1.111 80 {
        #權(quán)重
        weight 100
        TCP_CHECK {
        #10秒無響應(yīng)超時(shí)
        connect_timeout 10
        nb_get_retry 3
        delay_before_retry 3
        connect_port 80
        }
    }
    real_server 192.168.1.112 80 {
        weight 100
        TCP_CHECK {
        connect_timeout 10
        nb_get_retry 3
        delay_before_retry 3
        connect_port 80
        }
     }
}           

#驗證配置
root@hk-master1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/enser 00:0c:29:bb:35:0d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.113/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.1.200/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:febb:350d/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/enser 02:42:c9:56:f7:39 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
root@hk-master1:~# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.200:80 wlc persistent 1
  -> 192.168.1.111:80             Route   100    1          0   
  
  #瀏覽器測試
  #在rs當中一臺服務停的時候會暫時出現訪問不了的情況
curl: (7) Failed to connect to 192.168.1.200 port 80: Connection refused
root@hk-master2:~# curl 192.168.1.200
curl: (7) Failed to connect to 192.168.1.200 port 80: Connection refused
root@hk-master2:~# curl 192.168.1.200
192.168.1.112 nginx page
root@hk-master2:~# curl 192.168.1.200

2.完整的架構dir需要兩臺,實現高可用,當dir1宕機時,dir2會切換為dir1,接收請求并分發到后端的rs

#配置一臺dir的從服務器
scp /etc/keepalived/keepalived.conf 192.168.1.114:/etc/keepalived/
root@hk-master2:~# cat /etc/keepalived/keepalived.conf 
vrrp_instance VI_1 {
    state BACKUP
    #綁定vip的網卡
    interface ens33
    #路由id,需要與backup機(jī)器相同
    virtual_router_id 51
    #定義權重,備用服務器上要小于100
    priority 99
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass keepalived123
    }
    virtual_ipaddress {
        192.168.1.200
    }
}
virtual_server 192.168.1.200 80 {
    #每隔10秒查詢realserver狀態
    delay_loop 10
    #lvs 算法
    lb_algo wlc
    #DR模式
    lb_kind DR
    #同一IP的連續1秒內被分配到同一臺rs
    persistence_timeout 1
    #用TCP協議檢查rs
    protocol TCP

    real_server 192.168.1.111 80 {
        #權(quán)重
        weight 100
        TCP_CHECK {
        #10秒無響應超時
        connect_timeout 10
        nb_get_retry 3
        delay_before_retry 3
        connect_port 80
        }
    }
    real_server 192.168.1.112 80 {
        weight 100
        TCP_CHECK {
        connect_timeout 10
        nb_get_retry 3
        delay_before_retry 3
        connect_port 80
        }
     }
}

#重啟 rs 中的一臺nginx 測試keepalived
root@hk-master1:~# tail -f /var/log/syslog
Jun 26 20:55:17 k8s-node3 Keepalived_healthcheckers[46661]: TCP connection to [192.168.1.111]:tcp:80 failed.
Jun 26 20:55:17 k8s-node3 Keepalived_healthcheckers[46661]: Check on service [192.168.1.111]:tcp:80 failed after 1 retry.
Jun 26 20:55:17 k8s-node3 Keepalived_healthcheckers[46661]: Removing service [192.168.1.111]:tcp:80 to VS [192.168.1.200]:tcp:80
Jun 26 20:56:45 k8s-node3 Keepalived_healthcheckers[46661]: TCP connection to [192.168.1.111]:tcp:80 success.
Jun 26 20:56:45 k8s-node3 Keepalived_healthcheckers[46661]: Adding service [192.168.1.111]:tcp:80 to VS [192.168.1.200]:tcp:80
root@hk-master2:~# tail -f /var/log/syslog
Jun 26 20:55:15 k8s-node4 Keepalived_healthcheckers[43729]: Check on service [192.168.1.111]:tcp:80 failed after 1 retry.
Jun 26 20:55:15 k8s-node4 Keepalived_healthcheckers[43729]: Removing service [192.168.1.111]:tcp:80 to VS [192.168.1.200]:tcp:80
Jun 26 20:56:43 k8s-node4 Keepalived_healthcheckers[43729]: TCP connection to [192.168.1.111]:tcp:80 success.
Jun 26 20:56:43 k8s-node4 Keepalived_healthcheckers[43729]: Adding service [192.168.1.111]:tcp:80 to VS [192.168.1.200]:tcp:80

#測試 vip 漂移
root@hk-master1:~# systemctl stop keepalived.service 
root@hk-master2:~# tail -f /var/log/syslog
Jun 26 20:57:36 k8s-node4 Keepalived_vrrp[43730]: VRRP_Instance(VI_1) Transition to MASTER STATE
Jun 26 20:57:37 k8s-node4 Keepalived_vrrp[43730]: VRRP_Instance(VI_1) Entering MASTER STATE
root@hk-master2:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/enser 00:0c:29:0f:45:99 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.114/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.1.200/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe0f:4599/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/enser 02:42:d1:34:f6:db brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever


相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容