ldirectord 结合ipvsadm 配置nat,dr模型

ldirectord 结合ipvsadm 配置nat,dr模型 

一、nat模型

1、 drector # wget ftp://172.16.0.1/pub/Sources/7.x86_64/crmsh/ldirectord-3.9.6-0rc1.1.1.x86_64.rpm

# yum -y install nginx (同时用于做为sorry主机)

# yum -y install ldirectord-3.9.6-0rc1.1.1.x86_64.rpm

# echo “sorry, the service is down for maintenance, is recovering” > /usr/share/nginx/html/index.html 

主机为两块网卡， 一个是桥接，一个仅主机 (其中仅主机的配置静态地址为192.16.0.5) 

开启核心转发功能 

# echo 1 > /proc/sys/net/ipv4/ip_forward 

nod1 # yum -y install httpd 

# echo “<h1>RS1</h1>” > /var/www/html/index.html

主机为一块网卡，仅主机（配置静态地址为192.16.0.2）

网关指向 192.16.0.5  

# route add default gw 192.16.0.5 

node2   # yum -y install nginx 

# echo “<h1>RS2</h1>” > /var/www/html/index.html 

主机为一块网卡，仅主机（配置静态地址为192.16.0.3）

网关指向 192.16.0.5  

# route add default gw 192.16.0.5 

directory 此时:可以在drector主机上进行测试，

# curl 192.16.0.2 返回RS1 

# curl 192.16.0.3 返回RS2 

directory 使用ipvsadm指定调度算法及调度主机；

# ipvsadm -A -t 172.16.250.89:80 -wrr 

# ipvsadm -a -t 172.16.250.89:80 -r 192.16.0.2:80 -m -w 3 

# ipvsadm -a -t 172.16.250.89:80 -r 192.16.0.3:80 -m -w 1

在别的主机中测试结果 

# for i in {1..4} ; do curl 172.16.250.89; done 

<h1>RS1</h1>

<h1>RS2</h2>

<h1>RS1</h1>

<h1>RS1</h1>

# 将规则保存 ipvsadm -S > /etc/sysconfig/ipvsadm 

2、 directory 配置ldirectord 

# cp /usr/share/doc/ldirectord-3.9.6/ldirectord.cf /etc/ha.d/ldirectord.cf 

# vim /etc/ha.d/ldirectord.cf 

checktimeout=3

checkinterval=1

fallback=127.0.0.1:80

autoreload=yes

logfile=”/var/log/ldirectord.log”

quiescent=no

virtual=172.16.250.89:80 

real=192.16.0.2:80 masq 1

real=192.16.0.3:80 masq 3

fallback=127.0.0.1:80 masq

service=http

scheduler=wrr

protocol=tcp

checktype=negotiate

checkport=80

注：virtual:172.16.250.89:80 ，后面需要指定端口，否则protocol=tcp指定启动时会报错 

real=192.16.0.2:80 masq  因为上面配置的为nat模型，所以此处使用masq 

fallback=172.0.0.1:80 此处便是nginx的sorry server,但所有结点都停掉时，会向用户提供一个sorry server 

# systemctl start ldirectord 

# ipvsadm -Ln 查看结点 

在别的主机中测试 

#for i in {1..4} ; do curl 172.16.250.89; done 

<h1>RS2</h2>

<h1>RS1</h1>

<h1>RS2</h2>

<h1>RS2</h2>

node1,node2 将两个结点手动停掉

# systemctl stop httpd  在测试主机中会返回sorry信息

二 、 dr 模型

1、 directory ,node1 ,node2 三台主机都是一块网块， 并且网卡都为桥接，且node1,nod2，不需要指定网关

编写脚本

#vim setkp.sh 

#!/bin/bash 

vip=172.16.252.166

mask=255.255.255.255

interface=’lo:0′

eth=’eno16777736:0′ 

case $1 in 

start) 

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore

echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce

ifconfig $interface $vip netmask $mask broadcast $vip up 

route add -host $vip dev $interface 

;; 

dstart) 

ifconfig $eth $vip/32 netmask $mask broadcast $vip up

;;

dstop)

ifconfig $eth down

;;

stop)

ifconfig $interface down 

echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore

echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore

echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce

echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce

;; 

status) 

ifconfig 

cat /proc/sys/net/ipv4/conf/all/arp_ignore

cat /proc/sys/net/ipv4/conf/lo/arp_ignore

cat /proc/sys/net/ipv4/conf/all/arp_announce

cat /proc/sys/net/ipv4/conf/lo/arp_announce

;; 

*)

echo “Usage: $(basename $0) {dstart|dstop|start|stop}”

exit 1 

esac

在director主机中执行 

# sh setkp.sh dstart 

# sh setkp.sh status 查看状态

# scp setkp.sh 172.16.251.232:/root

# scp setkp.sh 172.16.251.191:/root 

# ipvsadm -A -t 172.16.252.166:http -s wrr

# ipvsadm -a -t 172.16.252.166:http -r 172.16.251.232:http -g -w 1

# ipvsadm -a -t 172.16.252.166:http -r 172.16.251.191:http -g -w 3

# systemctl start nginx 

# echo “Sorry Page” > /usr/share/nginx/html/index.html 

在node1主机中执行

# sh setkp.sh start 

# sh setkp.sh status 

# systemctl start httpd 

echo “<h1>NODE1</h1>” > /var/www/html/index.html 

  在node2主机中执行 

# sh setkp.sh start

# sh setkp.sh status 

# systemctl start httpd 

echo “<h2>NODE2</h2>” > /var/www/html/index.html  

在其它主机中进行测试

#for i in {1..4} ; do curl 172.16.252.166; done 

<h1>RS1</h2>

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

2、 ldirectord配置

# cat /etc/ha.d/ldirectord.cf | grep -v  “^[[:space:]]*#” | grep -v “^[[:space:]]*$” 

# vim /etc/ha.d/ldirectord.cf 

checktimeout=3

checkinterval=1

fallback=127.0.0.1:80

autoreload=yes

logfile=”/var/log/ldirectord.log”

quiescent=no

virtual=172.16.252.166:80

real=172.16.251.191:80 gate 1

real=172.16.251.232:80 gate 3

fallback=127.0.0.1:80 gate

service=http

scheduler=wrr

protocol=tcp

checktype=negotiate

checkport=80

# systemctl start ldirectord 

在其它主机中进行测试 

# for i in {1..4} ; do curl 172.16.252.166; done 

<h1>RS1</h2>

<h1>RS1</h2>

<h1>RS2</h2>

<h1>RS1</h2>

当主机所有结点都停止服务时 （node1,node2）

# systemctl stop httpd 

# for i in {1..4} ; do curl 172.16.252.166; done 

Sorry Page

Sorry Page

Sorry Page

Sorry Page

 3 、借助防火墙标记来分类报文,而后标记定义集群服务，这样不同的服务可以使用一个集群进行调度,并启用持久连接 

将两台node结点启动 

# systemctl start httpd 

在director主机中配置 

# iptables -t mangle -A PREROUTING -d 172.16.252.166 -p tcp -m multiport –dport 80,443 -j MARK –set-mark 10 为端口打标记 

# ipvsadm -A -f 10 -s rr -p 360

# ipvsadm -a -f 10 -r 172.16.251.191:0 -g -w 1

# ipvsadm -a -f 10 -r 172.16.251.232:0 -g -w 1

在其它主机中进行测试 

# for i in {1..5} ; do curl 172.16.252.166; done 

<h1>RS1</h2>

<h1>RS1</h2>

<h1>RS1</h2>

<h1>RS1</h2>

<h1>RS1</h2>

在两台node结点上建立https服务

nod1 # mkdir /etc/httpd/cacert 

# cd /etc/httpd/cacert 

# (umask 066;openssl genrsa -out httpd.key 1024)

# openssl req -new -key httpd.key  -out httpd.crt -days 7200

# scp httpd.csr 172.16.252.162:/root

在director主机中生成自签证书

# echo 01 > /etc/pki/CA/serial

# touch /etc/pki/CA/index.txt 

# cd /etc/pki/CA/

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

# openssl ca -in /root/httpd.csr  -out /tmp/httpd.crt

# scp /tmp/httpd.crt  172.16.251.232:/root

# scp /etc/pki/CA/cacert.pem  172.16.250.69:/root

nod2    # mkdir /etc/httpd/cacert

nod1    # cd /etc/httpd/cacert/ && scp * 172.16.251.191:/etc/httpd/cacert/ 

nod1,node1 # vim /etc/httpd/conf.d/ssl.conf  

修改 : SSLCertificateFile /etc/httpd/cacert/httpd.crt

  SSLCertificateKeyFile /etc/httpd/cacert/httpd.key 

# systemctl restart httpd

在其它主机中进行测试:

# vim /etc/hosts 

加入 : 172.16.252.166  www.rj.com 

测试https与http的持久连接 

# for i in {1..4} ;do curl –cacert /root/cacert.pem https://www.rj.com && curl http://www.rj.com ; done 

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

<h1>RS2</h2>

在 ldirectord 中实现 

driector   # vim /etc/ha.d/ldirectord.cf 

checktimeout=3

checkinterval=1

fallback=127.0.0.1:80

autoreload=yes

logfile=”/var/log/ldirectord.log”

quiescent=no

virtual=10

real=172.16.251.191:80 gate 1

real=172.16.251.232:80 gate 3

fallback=127.0.0.1:80 gate

service=http

scheduler=wrr

checktype=negotiate

checkport=80

# systemctl start ldirectord

# ipvsadm -Ln 

在其它主机中进行测试:

# for i in {1..4} ;do curl –cacert /root/cacert.pem https://www.rj.com && curl http://www.rj.com ; done 

<h1>RS1</h2>

<h1>RS2</h2>

<h1>RS1</h2>

<h1>RS1</h2>

<h1>RS1</h2>

<h1>RS2</h2>

<h1>RS1</h2>

<h1>RS1</h2>