I. ipvs scheduler
ipvs scheduler: classified by whether the scheduler takes each RS's current load into account when dispatching
There are two kinds of methods: static and dynamic
1. Static methods
Scheduling is based purely on the algorithm itself
1. RR: roundrobin, round robin
2. WRR: Weighted RR, weighted round robin
3. SH: Source Hashing
Implements session stickiness by hashing the source IP address: requests from the same IP address are always sent to the RS chosen the first time, which binds the session to that RS
4. DH: Destination Hashing
Destination address hashing: requests for the same destination address are always forwarded to the RS chosen the first time. The typical use is load balancing across forward proxy caches, for example at a broadband carrier
2. Dynamic methods
Scheduling is based mainly on each RS's current load state combined with the scheduling algorithm: an Overhead value is computed for each RS and the RS with the smaller Overhead is chosen
1. LC: least connections, suited to long-lived connections
Overhead=activeconns*256+inactiveconns
Overhead is the load value; activeconns is the number of active connections (established and currently exchanging data), inactiveconns the number of inactive connections (connected but not exchanging data)
2. WLC: Weighted LC, the default LVS scheduling method
Overhead=(activeconns*256+inactiveconns)/weight
Its drawback shows at the very beginning: with no connections every RS has Overhead 0, so the weight has no effect on the first choices
3. SED: Shortest Expected Delay, gives high-weight servers priority for initial connections
Overhead=(activeconns+1)*256/weight
Its drawback: when the weights of the RS differ greatly, the RS with the large weight has to carry far too much of the load
4. NQ: Never Queue, the first round is distributed evenly, after that SED
5. LBLC: Locality-Based LC, a dynamic DH algorithm; use case: forward-proxy load balancing according to the (backend) load state (when an RS is heavily loaded it no longer dispatches to it blindly)
6. LBLCR: LBLC with Replication, LBLC with a replication feature
Solves the load-imbalance problem of LBLC by replicating from a heavily loaded RS to a lightly loaded RS
II. ipvs
ipvsadm/ipvs
1. ipvs
grep -i -C 10 "ipvs" /boot/config-VERSION-RELEASE.x86_64
ipvs cluster:
manages cluster services
manages the RS behind a service
Package: ipvsadm
Unit File: ipvsadm.service
Main program: /usr/sbin/ipvsadm
Rule save tool: /usr/sbin/ipvsadm-save
Rule reload tool: /usr/sbin/ipvsadm-restore
Config file: /etc/sysconfig/ipvsadm-config
[root@cenots7a ~]# yum install ipvsadm
==========================================================================================
 Package          Arch          Version             Repository      Size
==========================================================================================
Installing:
 ipvsadm          x86_64        1.27-7.el7          base            45 k

Transaction Summary
==========================================================================================
[L@cenots7a ~]$ grep -i -A 15 ipvs /boot/config-3.10.0-693.17.1.el7.x86_64
# protocols supported for scheduling
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_AH_ESP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_PROTO_SCTP=y
# scheduling algorithms supported
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
[root@cenots7a ~]# rpm -qi ipvsadm
ipvsadm is used to set up, maintain and inspect the virtual server table in the Linux kernel. The Linux Virtual Server can be used to build scalable network services based on a cluster of two or more nodes. The active node of the cluster redirects service requests to a collection of server hosts that actually perform the services. Supported features include:
 - two transport layer (layer-4) protocols (TCP and UDP)
 - three packet-forwarding methods (NAT, tunneling and direct routing)
 - eight load balancing algorithms (round robin, weighted round robin, least-connection, weighted least-connection, locality-based least-connection, locality-based least-connection with replication, destination hashing and source hashing)
[root@cenots7a ~]# rpm -ql ipvsadm
/etc/sysconfig/ipvsadm-config
/usr/lib/systemd/system/ipvsadm.service
/usr/sbin/ipvsadm
/usr/sbin/ipvsadm-restore    # reads the saved configuration back in
/usr/sbin/ipvsadm-save       # saves the configuration
/usr/share/doc/ipvsadm-1.27
/usr/share/doc/ipvsadm-1.27/README
/usr/share/man/man8/ipvsadm-restore.8.gz
/usr/share/man/man8/ipvsadm-save.8.gz
/usr/share/man/man8/ipvsadm.8.gz
II. The ipvsadm command
Core functions:
Cluster service (VS) management: add, delete, modify
RS management for a cluster service: add, delete, modify
List
ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]] [-M netmask] [--pe persistence_engine] [-b sched-flags]
ipvsadm -D -t|u|f service-address    delete
ipvsadm -C    clear
ipvsadm -R    reload
ipvsadm -S [-n]    save
ipvsadm -a|e -t|u|f service-address -r server-address [options]
ipvsadm -d -t|u|f service-address -r server-address
ipvsadm -L|l [options]
ipvsadm -Z [-t|u|f service-address]
1. Managing cluster services
Add, modify
ipvsadm -A|E -t|u|f service-address [-s scheduler] (scheduling algorithm) [-p [timeout]]
Delete
ipvsadm -D -t|u|f service-address
service-address
-t|u|f:
-t: a TCP port, VIP:TCP_PORT
-u: a UDP port, VIP:UDP_PORT
-f: a firewall MARK, a number
[-s scheduler]: the cluster's scheduling algorithm, default wlc
2. Managing the RS of a cluster service
Add, modify
ipvsadm -a|e -t|u|f service-address -r server-address [-g|i|m] (the 3 LVS modes) [-w weight]
Delete
ipvsadm -d -t|u|f service-address -r server-address
server-address:
rip[:port]; if port is omitted, no port mapping is done
Options:
LVS type:
-g: gateway, DR type, the default
-i: ipip, TUN type
-m: masquerade, NAT type
-w weight: the weight
3. Listing and clearing
Clear everything that has been defined
ipvsadm -C
Reset the counters
ipvsadm -Z [-t|u|f service-address]
List
ipvsadm -L|l [options]
--numeric, -n: print addresses and port numbers numerically
--exact: expand numbers, show exact values
--connection, -c: output the current IPVS connections
--stats: statistics
--rate: rate information
ipvs rules: /proc/net/ip_vs
ipvs connections: /proc/net/ip_vs_conn
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.100:80 wrr
  -> 172.18.68.103:80             Masq    3      0          0
  -> 172.18.68.104:80             Masq    1      0          0
[root@VSserver ~]# ipvsadm -ln --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port               Conns   InPkts  OutPkts  InBytes OutBytes
  -> RemoteAddress:Port
TCP  192.168.1.100:80                  237     1383     1013    92061   113827
  -> 172.18.68.103:80                  173     1038      693    68681    79459
  -> 172.18.68.104:80                   64      345      320    23380    34368
[root@VSserver ~]# cat /proc/net/ip_vs_conn
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires PEName PEData
TCP C0A80165 A3DE C0A80164 0050 AC124468 0050 TIME_WAIT         38
# 192.168.1.101 and the client port, then the VIP and port 80, then the RIP and the internal port (addresses and ports are hex)
# deleting an RS
[root@VSserver ~]# ipvsadm -d -t 10.0.0.100:0 -r 172.18.68.104:0
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:0 rr persistent 360
  -> 172.18.68.103:0              Route   1      0          0
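The two outputs above are what an operator actually has to read when checking a Director, so here is an added example (not from the original post, not part of ipvsadm) that decodes the hex rows of /proc/net/ip_vs_conn and parses the ipvsadm -ln table, including the FWM service lines used in the fwmark experiment later on. The sample texts are constructed from the outputs on this page; the anomaly check at the end flags a service whose RS list is empty or all weight 0, which is the state the ipvs table reaches when every RS has been removed and no fallback exists.

```python
# Added example (not from the original post): decode /proc/net/ip_vs_conn rows
# and parse "ipvsadm -ln" output.  Inputs are constructed from the page.
import ipaddress
from typing import List

SAMPLE_CONN = """\
Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires PEName PEData
TCP C0A80165 A3DE C0A80164 0050 AC124468 0050 TIME_WAIT         38
"""

SAMPLE_TABLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.100:80 wrr
  -> 172.18.68.103:80             Masq    3      0          0
  -> 172.18.68.104:80             Masq    1      0          0
TCP  10.0.0.100:0 rr persistent 360
FWM  10 wrr
  -> 172.18.68.103:0              Route   3      0          0
  -> 172.18.68.104:0              Route   1      0          0
"""


def hex_ip(word: str) -> str:
    """C0A80165 -> 192.168.1.101 (the kernel prints the address as 32-bit hex)."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def parse_ip_vs_conn(text: str) -> List[dict]:
    """Rows of /proc/net/ip_vs_conn as (client, VIP, RIP) tuples in dotted form."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header line
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({
            "proto": f[0],
            "client": (hex_ip(f[1]), int(f[2], 16)),
            "vip": (hex_ip(f[3]), int(f[4], 16)),
            "rip": (hex_ip(f[5]), int(f[6], 16)),
            "state": f[7],
            "expires": int(f[8]),
        })
    return rows


def parse_ipvsadm_ln(text: str) -> List[dict]:
    """Group each TCP/UDP/FWM service line of ipvsadm -ln with its '->' RS lines."""
    services: List[dict] = []
    for line in text.splitlines()[3:]:            # skip version + two header lines
        f = line.split()
        if not f:
            continue
        if f[0] == "->":
            services[-1]["servers"].append({
                "addr": f[1], "forward": f[2], "weight": int(f[3]),
                "active": int(f[4]), "inactive": int(f[5]),
            })
        elif f[0] in ("TCP", "UDP", "FWM"):
            services.append({"proto": f[0], "address": f[1],
                             "scheduler": f[2], "flags": f[3:], "servers": []})
    return services


def services_without_backends(services: List[dict]) -> List[str]:
    """A service with no RS, or only weight-0 RS, silently drops its clients."""
    return [f"{s['proto']} {s['address']}" for s in services
            if not any(rs["weight"] > 0 for rs in s["servers"])]


if __name__ == "__main__":
    for row in parse_ip_vs_conn(SAMPLE_CONN):
        print(row)
    print(services_without_backends(parse_ipvsadm_ln(SAMPLE_TABLE)))
```

Running it shows the C0A80165/A3DE pair resolving to 192.168.1.101:41950 and reports the persistent 10.0.0.100:0 service, which in the constructed table has no RS left, as the one that would blackhole traffic.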
4. Saving and reloading rules
Save: saving to /etc/sysconfig/ipvsadm is recommended
ipvsadm-save > /PATH/TO/IPVSADM_FILE
ipvsadm -S > /PATH/TO/IPVSADM_FILE
systemctl stop ipvsadm.service
Reload:
ipvsadm-restore < /PATH/FROM/IPVSADM_FILE
ipvsadm -R < /PATH/FROM/IPVSADM_FILE
systemctl restart ipvsadm.service
[root@VSserver ~]# ipvsadm-save -n > /etc/sysconfig/ipvsadm    # if this file contains no rules, the service may fail to start
[root@VSserver ~]# ipvsadm -C
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
[root@VSserver ~]# service ipvsadm stop
ipvsadm: Clearing the current IPVS table:                  [  OK  ]
ipvsadm: Unloading modules:                                [  OK  ]
[root@VSserver ~]# service ipvsadm start    # on start, the saved rule file under /etc/sysconfig is read automatically
ipvsadm: Clearing the current IPVS table:                  [  OK  ]
ipvsadm: Applying IPVS configuration:                      [  OK  ]
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.100:80 wrr
  -> 172.18.68.103:80             Masq    3      0          0
  -> 172.18.68.104:80             Masq    1      0          0
5. Notes
Issues to consider when designing a load-balancing cluster
(1) Is session persistence needed?
(2) Is shared storage needed?
Shared storage: NAS, SAN, DS (distributed storage)
Data synchronization:
lvs-nat:
Design points:
(1) RIP and DIP are on the same IP network, and the RIP's gateway must point to the DIP
(2) Port mapping is supported
(3) The Director must enable kernel IP forwarding
Time synchronization
# Experiment: set up an NTP service
# on the VS
[root@Centos6-server ~]# yum install chrony
[root@Centos6-server ~]# vim /etc/chrony.conf
server 210.72.145.44 iburst
# Allow NTP client access from local network.
allow 192.168.1.0/24
# Serve time even if not synchronized to any NTP server.
local stratum 10
[root@Centos6-server ~]# service chronyd start
[root@Centos6-server ~]# chkconfig chronyd on
# on the RS
[root@centos7mini ~]# vim /etc/chrony.conf
server 192.168.1.100 iburst
# synchronization lags a little at first
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 172.18.68.103                 0   6     0     -     +0ns[   +0ns] +/-    0ns
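A saved rule file is the natural place to check the lvs-nat design points before a reload puts them into the kernel. The following is an added example, not code from the post or from ipvsadm: it parses the `-A`/`-a` line format that ipvsadm-save and ipvsadm -S -n write, then checks that every NAT (-m) real server sits in the DIP network (design point 1), that DR (-g) and TUN (-i) real servers do not attempt a port mapping (only NAT supports it, point 2), and that no service is left without real servers. The rule text is constructed from the addresses on this page with two deliberate violations added; the DIP network 172.18.68.0/24 is an assumption.

```python
# Added example (not from the original post): parse ipvsadm-save output and
# check it against the lvs-nat design points.  Rules and the DIP network
# (172.18.68.0/24) are constructed for the demonstration.
import ipaddress
from typing import Dict, List, Tuple

SAVED_RULES = """\
-A -t 192.168.1.100:80 -s wrr
-a -t 192.168.1.100:80 -r 172.18.68.103:80 -m -w 3
-a -t 192.168.1.100:80 -r 172.18.68.104:8080 -m -w 1
-A -t 10.0.0.100:0 -s rr -p 360
-a -t 10.0.0.100:0 -r 172.18.68.103:0 -g -w 1
-A -t 10.0.0.100:443 -s wlc
-a -t 10.0.0.100:443 -r 172.18.68.104:8443 -g -w 1
-a -t 10.0.0.100:443 -r 10.0.0.7:443 -m -w 1
"""

VALUE_OPTS = {"-t", "-u", "-f", "-r", "-s", "-w", "-M"}   # options that take a value


def split_addr(addr: str) -> Tuple[str, int]:
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_rules(text: str) -> Dict[Tuple[str, str], dict]:
    """Rebuild the service table from -A (service) and -a (real server) lines."""
    services: Dict[Tuple[str, str], dict] = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        opts: Dict[str, str] = {}
        i = 0
        while i < len(t):
            if t[i] in VALUE_OPTS:
                opts[t[i]] = t[i + 1]
                i += 2
            elif t[i] == "-p":                   # timeout is optional, default 300
                has_val = i + 1 < len(t) and not t[i + 1].startswith("-")
                opts["-p"] = t[i + 1] if has_val else "300"
                i += 2 if has_val else 1
            else:                                # bare flags: -A, -a, -g, -i, -m ...
                opts[t[i]] = "1"
                i += 1
        proto = next(k for k in ("-t", "-u", "-f") if k in opts)
        svc = services.setdefault((proto, opts[proto]),
                                  {"scheduler": "wlc", "persistent": None, "servers": []})
        if "-A" in opts or "-E" in opts:
            svc["scheduler"] = opts.get("-s", "wlc")     # wlc is the ipvsadm default
            svc["persistent"] = opts.get("-p")
        elif "-a" in opts or "-e" in opts:
            fwd = next((k for k in ("-g", "-i", "-m") if k in opts), "-g")  # -g default
            svc["servers"].append({"rip": opts["-r"], "fwd": fwd,
                                   "weight": int(opts.get("-w", "1"))})
    return services


def check_rules(services: Dict[Tuple[str, str], dict], dip_network: str) -> List[str]:
    """Findings: NAT RIPs outside the DIP network, DR/TUN port mappings, empty services."""
    net = ipaddress.ip_network(dip_network, strict=False)
    findings = []
    for (proto, addr), svc in services.items():
        label = f"{proto} {addr}"
        if not svc["servers"]:
            findings.append(f"{label}: no real servers, clients would be dropped")
        vport = None if proto == "-f" else split_addr(addr)[1]
        for rs in svc["servers"]:
            rip, rport = split_addr(rs["rip"])
            if rs["fwd"] == "-m" and ipaddress.ip_address(rip) not in net:
                findings.append(f"{label}: NAT real server {rip} is outside the DIP network {net}")
            if rs["fwd"] in ("-g", "-i") and vport is not None and rport != vport:
                findings.append(f"{label}: {rs['fwd']} mode cannot map port {vport} to {rport} on {rip}")
    return findings


if __name__ == "__main__":
    for finding in check_rules(parse_rules(SAVED_RULES), "172.18.68.0/24"):
        print(finding)
```

On the constructed rules the NAT service with the 80 to 8080 mapping passes, while the 443 service produces two findings: a DR real server on port 8443 and a NAT real server outside the DIP network.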
III. LVS high availability
The LVS ipvs server has no health checking of its own
1. If the Director is unavailable, the whole system is unavailable: a SPoF, Single Point of Failure
Solution: high availability
keepalived (lightweight), heartbeat/corosync (heavyweight)
2. When an RS is unavailable, the Director still dispatches requests to it
Solution: the Director checks the health of each RS, disabling it on failure and re-enabling it on success
keepalived, heartbeat/corosync
ldirectord (manages the ipvsadm rules itself)
Check methods:
(a) network layer check: icmp
(b) transport layer check: port probe
(c) application layer check: request some key resource
When no RS is usable: backup server, sorry server
Official site: http://horms.net/projects/ldirectord/
1. ldirectord
ldirectord: monitors and controls the LVS daemon and can manage the LVS rules
Package: ldirectord-3.9.6-0rc1.1.1.x86_64.rpm
Files:
/etc/ha.d/ldirectord.cf    main config file
/usr/share/doc/ldirectord-3.9.6/ldirectord.cf    config template
/usr/lib/systemd/system/ldirectord.service    service unit
/usr/sbin/ldirectord    main program
/var/log/ldirectord.log    log
/var/run/ldirectord.ldirectord.pid    pid file
2. Ldirectord config file example
checktimeout=3           # health-check timeout: an RS that does not answer within 3 seconds is treated as out of service
checkinterval=1          # probe interval
#fallback=127.0.0.1:80   # address of the sorry server
autoreload=yes           # reload the config file automatically when it changes
logfile="/var/log/ldirectord.log"   # log file
quiescent=no             # when an RS is down: yes sets its weight to 0, no removes it
#logfile="local0"        # log to this syslog facility instead of a file
#emailalert="[email protected]"   # send e-mail alerts
#emailalertfreq=3600
#emailalertstatus=all
quiescent=no
virtual=5                # the VS, given as FWM or IP:port
        real=172.16.0.7:80 gate 2
        real=172.16.0.8:80 gate 1
        fallback=127.0.0.1:80 gate    # sorry server
        service=http
        scheduler=wrr
        checktype=negotiate
        checkport=80
        request="index.html"
        receive="Test Ldirectord"
[root@VSserver ~]# echo Sorry Server > /app/website/index.html
[root@Client ~]# curl 10.0.0.100
Sorry Server
3. Installing Ldirectord
[root@VSserver ~]# yum install ldirectord-3.9.6-0rc1.1.1.x86_64.rpm
Dependencies Resolved
============================================================================================================
 Package                 Arch      Version              Repository                          Size
============================================================================================================
Installing:
 ldirectord              x86_64    3.9.6-0rc1.1.1       /ldirectord-3.9.6-0rc1.1.1.x86_64   191 k
Installing for dependencies:
 cifs-utils              x86_64    4.8.1-20.el6         base                                 65 k
 keyutils                x86_64    1.4-5.el6            base                                 39 k
 nfs-utils               x86_64    1:1.2.3-75.el6       base                                336 k
 nfs-utils-lib           x86_64    1.1.5-13.el6         base                                 71 k
 perl-IO-Socket-INET6    noarch    2.56-4.el6           base                                 17 k
 perl-MailTools          noarch    2.04-4.el6           base                                101 k
 perl-Net-SSLeay         x86_64    1.35-10.el6_8.1      base                                174 k
 perl-Socket6            x86_64    0.23-4.el6           base                                 27 k
 perl-TimeDate           noarch    1:1.16-13.el6        base                                 37 k
 resource-agents         x86_64    3.9.5-46.el6         base                                389 k
 rpcbind                 x86_64    0.2.0-13.el6         base                                 51 k

Transaction Summary
============================================================================================================
Install      12 Package(s)
[root@VSserver ~]# rpm -ql ldirectord
/etc/ha.d
/etc/ha.d/resource.d
/etc/ha.d/resource.d/ldirectord
/etc/init.d/ldirectord
/etc/logrotate.d/ldirectord
/usr/lib/ocf/resource.d/heartbeat/ldirectord
/usr/sbin/ldirectord
/usr/share/doc/ldirectord-3.9.6
/usr/share/doc/ldirectord-3.9.6/COPYING
/usr/share/doc/ldirectord-3.9.6/ldirectord.cf
/usr/share/man/man8/ldirectord.8.gz
# Experiment: configuring Ldirectord
# edit the config file
[root@VSserver ~]# cp /usr/share/doc/ldirectord-3.9.6/ldirectord.cf /etc/ha.d/
# Global Directives
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile="/var/log/ldirectord.log"
quiescent=no
# Sample for an http virtual service
virtual=10.0.0.100:80
        real=172.18.68.103:80 gate 3    # DR mode, weight 3
        real=172.18.68.104:80 gate 1
        service=http                    # service type
        scheduler=wrr
        #persistent=600                 # persistent connections
        #netmask=255.255.255.255
        protocol=tcp
        # checktype=negotiate
        # checkport=80                  # port to check
        request="test.html"             # test page
        receive="test"                  # expected content
# create the test page
[root@RS1 ~]# echo test > /var/www/html/test.html
[root@RS2 ~]# echo test > /var/www/html/test.html
[root@VSserver ~]# service ldirectord start
Starting ldirectord... success
# the ipvsadm rules added automatically
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 wrr
  -> 172.18.68.103:80             Route   3      0          0
  -> 172.18.68.104:80             Route   1      0          0
# test
[root@Client ~]# for i in {1..10} ; do curl 10.0.0.100 ; done
RS1
RS1
RS1
RS2
[root@RS2 ~]# service httpd stop
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 wrr
  -> 172.18.68.103:80             Route   3      0          0
[root@RS2 ~]# service httpd start
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 wrr
  -> 172.18.68.103:80             Route   3      0          0
  -> 172.18.68.104:80             Route   1      0          0
[root@RS1 ~]# service httpd stop
[root@RS2 ~]# service httpd stop
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 wrr
  -> 127.0.0.1:80                 Local   1      0          0
[root@VSserver ~]# tail /var/log/ldirectord.log
[Thu Mar  8 09:43:09 2018|ldirectord|21342] Deleted real server: 172.18.68.103:80 (10.0.0.100:80)
[Thu Mar  8 09:43:35 2018|ldirectord|21342] Deleted real server: 172.18.68.104:80 (10.0.0.100:80)
[Thu Mar  8 09:43:35 2018|ldirectord|21342] Added fallback server: 127.0.0.1:80 (10.0.0.100:80) (Weight set to 1)
[Thu Mar  8 09:43:50 2018|ldirectord|21342] Resetting soft failure count: 172.18.68.103:80 (tcp:10.0.0.100:80)
[Thu Mar  8 09:43:50 2018|ldirectord|21342] Added real server: 172.18.68.103:80 (10.0.0.100:80) (Weight set to 3)
[Thu Mar  8 09:43:50 2018|ldirectord|21342] Deleted fallback server: 127.0.0.1:80 (10.0.0.100:80)
[Thu Mar  8 09:43:56 2018|ldirectord|21342] Resetting soft failure count: 172.18.68.104:80 (tcp:10.0.0.100:80)
[Thu Mar  8 09:43:56 2018|ldirectord|21342] Added real server: 172.18.68.104:80 (10.0.0.100:80) (Weight set to 1)
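The experiment above and the config example before it describe three behaviours that are easy to get wrong when writing ldirectord.cf: the negotiate check only counts an RS as healthy when the requested page carries the receive string, quiescent=no deletes a failed RS while quiescent=yes leaves it at weight 0, and the fallback server is added only when every RS is down and removed again as soon as one recovers. The model below is an added example, not ldirectord's own code and not from the post; it replays the page's sequence (RS2 stopped, then both unavailable, then both back) against an in-memory fetch function that stands in for HTTP, and the "maintenance" page content for RS1 is a constructed case of an RS that still answers on port 80 but no longer serves the expected content.

```python
# Added example (not from the original post, not ldirectord's code): a model of
# the ldirectord health-check loop with negotiate checks, quiescent and fallback.
from typing import Callable, Dict, List, Optional, Tuple

# (rip:port, request path) -> page body, or None when nothing answers on the port
Fetch = Callable[[str, str], Optional[str]]


class Director:
    def __init__(self, reals: List[Tuple[str, int]], fallback: str,
                 request: str, receive: str, quiescent: bool, fetch: Fetch):
        self.reals = reals                 # [(rip:port, weight), ...] in config order
        self.fallback = fallback
        self.request, self.receive = request, receive
        self.quiescent = quiescent
        self.fetch = fetch
        self.table: Dict[str, int] = {}    # the ipvs RS table: addr -> weight

    def negotiate(self, addr: str) -> bool:
        """checktype=negotiate: an open port is not enough, the body must match."""
        body = self.fetch(addr, self.request)
        return body is not None and self.receive in body

    def tick(self) -> Dict[str, int]:
        """One checkinterval: probe every RS and rewrite the ipvs table."""
        alive = 0
        for addr, weight in self.reals:
            if self.negotiate(addr):
                self.table[addr] = weight
                alive += 1
            elif self.quiescent:
                self.table[addr] = 0               # quiescent=yes: keep RS, weight 0
            else:
                self.table.pop(addr, None)         # quiescent=no: delete the RS
        if alive == 0:
            self.table[self.fallback] = 1          # sorry server takes over
        else:
            self.table.pop(self.fallback, None)    # and is dropped once an RS is back
        return dict(self.table)


def run_scenario(quiescent: bool) -> List[Dict[str, int]]:
    """Replay the page's experiment: RS2 stops, both are unusable, both return."""
    pages = {"172.18.68.103:80": "test", "172.18.68.104:80": "test"}   # constructed
    d = Director([("172.18.68.103:80", 3), ("172.18.68.104:80", 1)],
                 fallback="127.0.0.1:80", request="test.html", receive="test",
                 quiescent=quiescent, fetch=lambda addr, _path: pages.get(addr))
    snapshots = [d.tick()]                         # both RS healthy
    pages["172.18.68.104:80"] = None               # RS2: service httpd stop
    snapshots.append(d.tick())
    pages["172.18.68.103:80"] = "maintenance"      # RS1 answers, but the wrong page
    snapshots.append(d.tick())
    pages["172.18.68.103:80"] = pages["172.18.68.104:80"] = "test"
    snapshots.append(d.tick())
    return snapshots


if __name__ == "__main__":
    for snapshot in run_scenario(quiescent=False):
        print(snapshot)
```

With quiescent=False the four snapshots are the same four tables the page shows in ipvsadm -ln: both RS, RS1 alone, the 127.0.0.1:80 fallback alone, then both RS again; with quiescent=True the failed RS stay listed at weight 0 next to the fallback.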
# Experiment: DR-mode MARK scheduling with ldirectord
# add the MARK on the VS
[root@VSserver ~]# iptables -t mangle -A PREROUTING -d 10.0.0.100 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 10
[root@VSserver ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 119 packets, 11983 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            10.0.0.100           multiport dports 80,443 MARK set 0xa
# ldirectord configuration
[root@VSserver ~]# vim /etc/ha.d/ldirectord.cf
virtual=10          # this 10 is the mark set in the mangle table (listed there in hex as 0xa)
        real=172.18.68.103 gate
        real=172.18.68.104 gate
        service=http
        scheduler=wrr
        #persistent=600
        #netmask=255.255.255.255
        #protocol=tcp
        checktype=negotiate
        checkport=80
        request="test.html"
        receive="test"
[root@VSserver ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  10 wrr          # this 10 comes from virtual=10 in the config
  -> 172.18.68.103:0              Route   3      0          0
  -> 172.18.68.104:0              Route   1      0          0
[root@Client ~]# for i in {1..10} ; do sleep 0.5 ; curl -k https://10.0.0.100 ; curl 10.0.0.100 ; done
RS1
RS2
RS1
RS2
# Experiment: in the experiment above every service gets scheduled; now only ports 80 and 443 should be reachable
# based on the DR model, using the ldirectord service
[root@Client ~]# ssh 10.0.0.100
The authenticity of host '10.0.0.100 (10.0.0.100)' can't be established.
RSA key fingerprint is 67:c6:59:f8:69:2e:a2:9c:96:cf:72:40:61:51:9c:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.100' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Thu Mar  8 08:29:50 2018 from 172.18.0.1
[root@VSserver ~]# exit
logout
Connection to 10.0.0.100 closed.
# add iptables rules on the router in between
[root@Router ~]# iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j ACCEPT
# allow only traffic of connections that are already established, and related replies
[root@Router ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# reject everything else passing through the router
[root@Router ~]# iptables -A FORWARD -j REJECT
[root@Router ~]# iptables -nvL
Chain INPUT (policy ACCEPT 22 packets, 1936 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 12 packets, 1648 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@Client ~]# curl 10.0.0.100
RS2
[root@Client ~]# ssh 10.0.0.100
ssh: connect to host 10.0.0.100 port 22: Connection refused