本次實驗基於DR模型來搭建,我們需要準備至少三臺機器,這裏全部使用虛擬機。這三臺機器的IP分別是192.168.40.129 192.168.40.132 192.168.40.133。我們先來看一下我們要搭建的模型的整體架構:
我們希望實現的效果是,當用戶請求打在192.168.40.200:80的時候能夠將node2和node3的web服務以負載均衡的方式顯示出來。其中192.168.40.200:80是一個虛擬IP也就是VIP。如果不知道什麼是VIP或者其作用的,可以去看看我之前寫的文章。
在node2和node3上安裝httpd
yum install -y httpd
然後直接運行httpd -k start
爲什麼要用httpd? 因爲部署快,我們只需要下載然後運行即可看到效果。
修改httpd的默認主頁:
node2:echo '192.168.40.132' > /var/www/html/index.html
node3:echo '192.168.40.133' > /var/www/html/index.html
這一步主要是爲了能夠在負債均衡的時候看到ip地址的變化
嘗試訪問我們的web服務,在瀏覽器上輸入192.168.40.133和192.168.40.132:
在node2和node3上添加VIP
node2和node3都需要在本地網卡記錄VIP,因爲它們都需要能夠接收到客戶端發送過來的數據包,如果沒有記錄相應的目標地址IP的話會被丟棄掉。
我們可以使用ifconfig lo:2 192.168.40.200 netmask 255.255.255.255來添加,這句命令的語義是:
在虛擬網卡的2端口添加一個源ip是192.168.40.200的路由條目,其子網掩碼的是255.255.255.255。爲什麼要配置的是虛擬網卡,其實和arp協議有關,如果配置的虛擬網卡,纔有可能做到隱藏VIP的目的,後面會講到。
在node2和node3執行完後我們在打開ifconfig會發現多了我們剛剛配置的信息:
修改node2和node3的arp協議的傳播類型
我們的node2和node3節點已經有了VIP,但這是不夠的,因爲一旦擁有了這個IP,服務上線的時候就會將這條地址廣播給局域網當中的所有主機,這麼一來當我們的客戶端發送請求的時候,就無法辨別出數據包究竟該發送給node2還是node3,而實際上,數據包應該是交給master節點處理,並且整個局域網當中也只有master節點能對外暴露自己的VIP。
那麼我們該怎麼做才能既讓node2和node3擁有VIP,又不讓這個IP讓別人知道呢?答案是修改arp協議的傳播類型arp_ignore和arp_announce。這兩個參數什麼意思,我把英語原文解釋貼在下面了:
arp_ignore - INTEGER
Define different modes for sending replies in response to
received ARP requests that resolve local target IP addresses:
0 - (default): reply for any local target IP address, configured
on any interface
1 - reply only if the target IP address is local address
configured on the incoming interface
2 - reply only if the target IP address is local address
configured on the incoming interface and both with the
sender's IP address are part from same subnet on this interface
3 - do not reply for local addresses configured with scope host,
only resolutions for global and link addresses are replied
4-7 - reserved
8 - do not reply for all local addresses
The max value from conf/{all,interface}/arp_ignore is used
when ARP request is received on the {interface}
arp_announce - INTEGER
Define different restriction levels for announcing the local
source IP address from IP packets in ARP requests sent on
interface:
0 - (default) Use any local address, configured on any interface
1 - Try to avoid local addresses that are not in the target's
subnet for this interface. This mode is useful when target
hosts reachable via this interface require the source IP
address in ARP requests to be part of their logical network
configured on the receiving interface. When we generate the
request we will check all our subnets that include the
target IP and will preserve the source address if it is from
such subnet. If there is no such subnet we select source
address according to the rules for level 2.
2 - Always use the best local address for this target.
In this mode we ignore the source address in the IP packet
and try to select local address that we prefer for talks with
the target host. Such local address is selected by looking
for primary IP addresses on all our subnets on the outgoing
interface that include the target IP address. If no suitable
local address is found we select the first local address
we have on the outgoing interface or on all other interfaces,
with the hope we will receive reply for our request and
even sometimes no matter the source IP address we announce.
The max value from conf/{all,interface}/arp_announce is used.
腦闊疼,大概翻譯一下,我們只需要關係前兩個參數:
arp_ignore控制收到arp請求後的響應方式
- 0代表收到arp報文後,會毫無保留的把自己的本地目標ip告訴對方
- 1代表只對指定了本地目標ip的報文進行相應
arp_announce控制的是主動發送arp數據的方式
- 允許使用任意網卡上的IP地址作爲arp請求的源IP
- 儘量不使用本地網卡的子網卡的ip地址作爲arp請求的源IP地址
從上面的描述可以看出,如果我們的VIP是配置在物理網卡上,無疑還是會把自己的IP暴露出去,這也是我們選擇在node2和node3節點的虛擬網卡上創建VIP的原因。
很明顯,我們應該把這倆參數都設置成1:
echo 1 > /proc/sys/net/ipv4/conf/eth2/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
配置master
先配置VIP,與node2和node3不同的是,master要在物理網卡上配:
ifconfig eth2:2 192.168.40.200/24
安裝ipvsadm:yum install ipvsadm
在ipvsadm中配置VIP和RIP:
ipvsadm -A -t 192.168.40.200:80 -s rr #配置虛擬IP
ipvsadm -a -t 192.168.40.200:80 -r 192.168.40.133 -g -w 1 #配置虛擬IP對應需要負載的真實服務器地址
ipvsadm -a -t 192.168.40.200:80 -r 192.168.40.132 -g -w 1 #配置虛擬IP對應需要負載的真實服務器地址
然後可以使用ipvsadm -ln查看配置的信息:
大功告成,我們訪問192.168.40.200試試效果吧!
