LVS的工作機制以及其調度算法等一些初步瞭解在我之前的文章裏面已有記錄。請看這裏
- #!/bin/bash
- #
- # LVS script for VS/DR
- #
- . /etc/rc.d/init.d/functions
- #
- VIP=172.23.136.150
- RIP1=172.23.136.149
- RIP2=172.23.136.148
- PORT=80
- #
- case "$1" in
- start)
- /sbin/ifconfig eth0:1 $VIP broadcast $VIP netmask 255.255.255.255 up
- /sbin/route add -host $VIP dev eth0:1
- # Since this is the Director we must be able to forward packets
- echo 1 > /proc/sys/net/ipv4/ip_forward
- # Clear all iptables rules.
- /sbin/iptables -F
- # Reset iptables counters.
- /sbin/iptables -Z
- # Clear all ipvsadm rules/services.
- /sbin/ipvsadm -C
- # Add an IP virtual service for VIP 172.23.136.150 port 80
- # In this recipe, we will use the round-robin scheduling method.
- # In production, however, you should use a weighted, dynamic scheduling method.
- /sbin/ipvsadm -A -t $VIP:80 -s wlc
- # Now direct packets for this VIP to
- # the real server IP (RIP) inside the cluster
- /sbin/ipvsadm -a -t $VIP:80 -r $RIP1 -g -w 1
- /sbin/ipvsadm -a -t $VIP:80 -r $RIP2 -g -w 2
- /bin/touch /var/lock/subsys/ipvsadm &> /dev/null
- ;;
- stop)
- # Stop forwarding packets
- echo 0 > /proc/sys/net/ipv4/ip_forward
- # Reset ipvsadm
- /sbin/ipvsadm -C
- # Bring down the VIP interface
- /sbin/ifconfig eth0:1 down
- /sbin/route del $VIP
- /bin/rm -f /var/lock/subsys/ipvsadm
- echo "ipvs is stopped..."
- ;;
- status)
- if [ ! -e /var/lock/subsys/ipvsadm ]; then
- echo "ipvsadm is stopped ..."
- else
- echo "ipvs is running ..."
- ipvsadm -L -n
- fi
- ;;
- *)
- echo "Usage: $0 {start|stop|status}"
- ;;
- esac
(二)、RealServer端配置
在各個realserver端分別運行ipvsclient腳本,腳本內容如下:
- #!/bin/bash
- #
- # Script to start LVS DR real server.
- # description: LVS DR real server
- #
- . /etc/rc.d/init.d/functions
- VIP=172.23.136.150
- host=`/bin/hostname`
- case "$1" in
- start)
- # Start LVS-DR real server on this machine.
- /sbin/ifconfig lo down
- /sbin/ifconfig lo up
- echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
- echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
- echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
- echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
- /sbin/ifconfig lo:0 $VIP broadcast $VIP netmask 255.255.255.255 up
- /sbin/route add -host $VIP dev lo:0
- ;;
- stop)
- # Stop LVS-DR real server loopback device(s).
- /sbin/ifconfig lo:0 down
- echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
- echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
- echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
- echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
- ;;
- status)
- # Status of LVS-DR real server.
- islothere=`/sbin/ifconfig lo:0 | grep $VIP`
- isrothere=`netstat -rn | grep "lo:0" | grep $VIP`
- if [ ! "$islothere" -o ! "isrothere" ];then
- # Either the route or the lo:0 device
- # not found.
- echo "LVS-DR real server Stopped."
- else
- echo "LVS-DR real server Running."
- fi
- ;;
- *)
- # Invalid entry.
- echo "$0: Usage: $0 {start|status|stop}"
- exit 1
- ;;
- esac
(三)、測試
訪問172.23.136.150,可以發現負載均衡已正常工作
現在我在後端兩臺realserver上都配置了phpmyadmin,並且兩數據庫的賬號密碼均相同。現在訪問172.23.136.150/phpmyadmin 你會發現一個很有意思的現象就是始終無法登陸上(在使用ipvsadm定義規則時沒有定義權重)
因此Directory還需要基於“連接追蹤”實現將同一個客戶端的請求始終發往其第一次被分配到的realserver,ipvs會在自己的內部維護一個hash表,表中保存着不同的客戶端第一次請求時所分發的後端realserver,以及保存該條目的時間,當該段時間消耗完之後,連接還未斷開,那麼這段時間會自動延遲你所定義的持久連接時間。當下一個請求達到時,就會去這個表中對比,將請求分發給條目中所對應的realserver用來保證整個請求的完整性。
lvs的持久連接類型分以下幾種:
1.pcc:持久客戶端連接,在指定規則時,使用0端口代表所有的端口,即所有到達VIP的請求全部按照調度算法負載至後端的realserver
2.ppc:持久端口連接,明確指定請求VIP的哪個端口的請求分發至後端的realserver
3.Netfilter marked packets:防火牆標記的持久連接,主要用於多端口協議間的關聯,例如在電子商務網站上,在80端口挑選了商品後,當付款的時候就會跳轉至443端口。
4.FTP持久連接,用於主動連接和被動連接,很少用到。
(一)、pcc
任何類型的持久連接均只需要在Directory上配置,realserver則不需要進行額外配置,因爲這些只涉及到Directory的請求分發方法。
ipvsadm -C
ipvsadm -A -t 172.23.136.150:0 -p 360
ipvsadm -a -t 172.23.136.150:0 -r 172.23.136.148
ipvsadm -a -t 172.23.136.150:0 -r 172.23.136.149
在之前的配置基礎上執行以上配置即可。
(二)、ppc
ipvsadm -C
ipvsadm -A -t 172.23.136.150:80 -p 360
ipvsadm -a -t 172.23.136.150:80 -r 172.23.136.148
ipvsadm -a -t 172.23.136.150:80 -r 172.23.136.149
(三)、持久防火牆標記
持久防火牆標記需要結合iptables來使用
iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 172.23.136.150 -m multiport --dport 80,443 -j MARK --set-mark 1
###把來自eth0所有目的地址爲172.23.136.150的80和443端口的請求綁定在一起,標籤爲1
ipvsadm -C
ipvsadm -A -f 1 -p 360
ipvsadm -a -f 1 -r 172.23.136.148
ipvsadm -a -f 1 -r 172.23.136.149
(四)、FTP持久連接
首先要了解FTP的工作模式:21控制端口 20數據端口
被動連接 是隨機從1024---65000內選出一個 作爲迴應端口號,所以我們要限制被動連接回應端口的範圍。
編輯你所用的FTP軟件,vsftpd或者pure-ftpd,設置其端口範圍結合iptables打標籤
iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 192.168.2.100 --dport 21 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 192.168.2.100 --dport 10000:12000 -j MARK --set-mark 1
ipvsadm -C
ipvsadm -A -f 1 -p 360
ipvsadm -a -f 1 -r 172.23.136.148
ipvsadm -a -f 1 -r 172.23.136.149
小結:
訪問172.23.136.150/phpmyadmin,現在已經可以正常登錄進去,因爲此次的連接被持久分發到後端的同一臺realserver上。整個請求是完整的。
查看其連接分配狀態,可以發現同一個客戶端的請求都被定向至後端的同一個realserver。
ipvsadm -lcn
IPVS connection entries
pro expire state source virtual destination
TCP 01:55 FIN_WAIT 172.23.136.93:56944 172.23.136.150:80 172.23.136.149:80
TCP 01:56 FIN_WAIT 172.23.136.93:56947 172.23.136.150:80 172.23.136.149:80
TCP 01:39 FIN_WAIT 172.23.136.93:56928 172.23.136.150:80 172.23.136.149:80
TCP 01:56 FIN_WAIT 172.23.136.93:56946 172.23.136.150:80 172.23.136.149:80
TCP 01:39 FIN_WAIT 172.23.136.93:56930 172.23.136.150:80 172.23.136.149:80
TCP 01:55 FIN_WAIT 172.23.136.93:56943 172.23.136.150:80 172.23.136.149:80
TCP 01:55 FIN_WAIT 172.23.136.93:56945 172.23.136.150:80 172.23.136.149:80
TCP 01:47 FIN_WAIT 172.23.136.93:56933 172.23.136.150:80 172.23.136.149:80
TCP 01:39 FIN_WAIT 172.23.136.93:56931 172.23.136.150:80 172.23.136.149:80
TCP 14:57 ESTABLISHED 172.23.136.93:56948 172.23.136.150:80 172.23.136.149:80
TCP 05:50 NONE 172.23.136.93:0 172.23.136.150:80 172.23.136.149:80
TCP 01:39 FIN_WAIT 172.23.136.93:56932 172.23.136.150:80 172.23.136.149:80