[toc]

ldirectord 结合ipvsadm 配置nat,dr模型

一、nat模型

• drector

COPY
# wget ftp://172.16.0.1/pub/Sources/7.x86_64/crmsh/ldirectord-3.9.6-0rc1.1.1.x86_64.rpm
# yum -y install nginx (同时用于做为sorry主机)
# yum -y install ldirectord-3.9.6-0rc1.1.1.x86_64.rpm
# echo “sorry, the service is down for maintenance, is recovering” > /usr/share/nginx/html/index.html

主机为两块网卡， 一个是桥接，一个仅主机 (其中仅主机的配置静态地址为192.16.0.5)

• 开启核心转发功能

COPY
# echo 1 > /proc/sys/net/ipv4/ip_forward 
nodeff1
# yum -y install httpd 
# echo “<h1>RS1</h1>” > /var/www/html/index.html

主机为一块网卡，仅主机（配置静态地址为192.16.0.2）

网关指向 192.16.0.5

COPY
# route add default gw 192.16.0.5 
node2   
# yum -y install nginx 
# echo “<h1>RS2</h1>” > /var/www/html/index.html

主机为一块网卡，仅主机（配置静态地址为192.16.0.3）

网关指向 192.16.0.5

COPY
# route add default gw 192.16.0.5

directory 此时:可以在drector主机上进行测试，

COPY
# curl 192.16.0.2 返回RS1 
# curl 192.16.0.3 返回RS2

directory 使用ipvsadm指定调度算法及调度主机；

COPY
# ipvsadm -A -t 172.16.250.89:80 -wrr 
# ipvsadm -a -t 172.16.250.89:80 -r 192.16.0.2:80 -m -w 3 
# ipvsadm -a -t 172.16.250.89:80 -r 192.16.0.3:80 -m -w 1

在别的主机中测试结果

COPY
# for i in {1..4} ; do curl 172.16.250.89; done 
<h1>RS1</h1>
<h1>RS2</h2>
<h1>RS1</h1>
<h1>RS1</h1>
# 将规则保存 ipvsadm -S > /etc/sysconfig/ipvsadm

• directory 配置ldirectord

COPY
# cp /usr/share/doc/ldirectord-3.9.6/ldirectord.cf /etc/ha.d/ldirectord.cf 
# vim /etc/ha.d/ldirectord.cf 
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile=”/var/log/ldirectord.log”
quiescent=no
virtual=172.16.250.89:80 
real=192.16.0.2:80 masq 1
real=192.16.0.3:80 masq 3
fallback=127.0.0.1:80 masq
service=http
scheduler=wrr
protocol=tcp
checktype=negotiate
checkport=80

注：virtual:172.16.250.89:80 ，后面需要指定端口，否则protocol=tcp指定启动时会报错

real=192.16.0.2:80 masq 因为上面配置的为nat模型，所以此处使用masq

fallback=172.0.0.1:80 此处便是nginx的sorry server,但所有结点都停掉时，会向用户提供一个sorry server

COPY
# systemctl start ldirectord 
# ipvsadm -Ln 查看结点 
在别的主机中测试 
#for i in {1..4} ; do curl 172.16.250.89; done 
<h1>RS2</h2>
<h1>RS1</h1>
<h1>RS2</h2>
<h1>RS2</h2>
node1,node2 将两个结点手动停掉
# systemctl stop httpd  在测试主机中会返回sorry信息

二、dr 模型

• directory ,node1 ,node2 三台主机都是一块网块， 并且网卡都为桥接，且node1,nod2，不需要指定网关

  编写脚本

COPY
#vim setkp.sh 
#!/bin/bash 
vip=172.16.252.166
mask=255.255.255.255
interface=’lo:0′
eth=’eno16777736:0′ 
case $1 in 
start) 
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
ifconfig $interface $vip netmask $mask broadcast $vip up 
route add -host $vip dev $interface 
;; 
dstart) 
ifconfig $eth $vip/32 netmask $mask broadcast $vip up
;;
dstop)
ifconfig $eth down
;;
stop)
ifconfig $interface down 
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
;; 
status) 
ifconfig 
cat /proc/sys/net/ipv4/conf/all/arp_ignore
cat /proc/sys/net/ipv4/conf/lo/arp_ignore
cat /proc/sys/net/ipv4/conf/all/arp_announce
cat /proc/sys/net/ipv4/conf/lo/arp_announce
;; 
*)
echo “Usage: $(basename $0) {dstart|dstop|start|stop}”
exit 1 
esac

在director主机中执行

COPY
# sh setkp.sh dstart 
# sh setkp.sh status 查看状态
# scp setkp.sh 172.16.251.232:/root
# scp setkp.sh 172.16.251.191:/root 
# ipvsadm -A -t 172.16.252.166:http -s wrr
# ipvsadm -a -t 172.16.252.166:http -r 172.16.251.232:http -g -w 1
# ipvsadm -a -t 172.16.252.166:http -r 172.16.251.191:http -g -w 3
# systemctl start nginx 
# echo “Sorry Page” > /usr/share/nginx/html/index.html

在node1主机中执行

COPY
# sh setkp.sh start 
# sh setkp.sh status 
# systemctl start httpd 
echo “<h1>NODE1</h1>” > /var/www/html/index.html

在node2主机中执行

COPY
# sh setkp.sh start
# sh setkp.sh status 
# systemctl start httpd 
echo “<h2>NODE2</h2>” > /var/www/html/index.html

在其它主机中进行测试

COPY
#for i in {1..4} ; do curl 172.16.252.166; done 
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>

• ldirectord配置

COPY
# cat /etc/ha.d/ldirectord.cf | grep -v  “^[[:space:]]*#” | grep -v “^[[:space:]]*$” 
# vim /etc/ha.d/ldirectord.cf 
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile=”/var/log/ldirectord.log”
quiescent=no
virtual=172.16.252.166:80
real=172.16.251.191:80 gate 1
real=172.16.251.232:80 gate 3
fallback=127.0.0.1:80 gate
service=http
scheduler=wrr
protocol=tcp
checktype=negotiate
checkport=80
# systemctl start ldirectord

在其它主机中进行测试

COPY
# for i in {1..4} ; do curl 172.16.252.166; done 
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS1</h2>
当主机所有结点都停止服务时 （node1,node2）
# systemctl stop httpd 
# for i in {1..4} ; do curl 172.16.252.166; done 
Sorry Page
Sorry Page
Sorry Page
Sorry Page

• 借助防火墙标记来分类报文,而后标记定义集群服务，这样不同的服务可以使用一个集群进行调度,并启用持久连接
• 将两台node结点启动

COPY
# systemctl start httpd

在director主机中配置

COPY
# iptables -t mangle -A PREROUTING -d 172.16.252.166 -p tcp -m multiport –dport 80,443 -j MARK –set-mark 10 为端口打标记 
# ipvsadm -A -f 10 -s rr -p 360
# ipvsadm -a -f 10 -r 172.16.251.191:0 -g -w 1
# ipvsadm -a -f 10 -r 172.16.251.232:0 -g -w 1

在其它主机中进行测试

COPY
# for i in {1..5} ; do curl 172.16.252.166; done 
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>

在两台node结点上建立https服务

COPY
nod1 
# mkdir /etc/httpd/cacert 
# cd /etc/httpd/cacert 
# (umask 066;openssl genrsa -out httpd.key 1024)
# openssl req -new -key httpd.key  -out httpd.crt -days 7200
# scp httpd.csr 172.16.252.162:/root

在director主机中生成自签证书

COPY
# echo 01 > /etc/pki/CA/serial
# touch /etc/pki/CA/index.txt 
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
# openssl ca -in /root/httpd.csr  -out /tmp/httpd.crt
# scp /tmp/httpd.crt  172.16.251.232:/root
# scp /etc/pki/CA/cacert.pem  172.16.250.69:/root

COPY
node2  
# mkdir /etc/httpd/cacert
node1  
# cd /etc/httpd/cacert/ && scp * 172.16.251.191:/etc/httpd/cacert/ 
nod1,node1 
# vim /etc/httpd/conf.d/ssl.conf  
修改 : SSLCertificateFile /etc/httpd/cacert/httpd.crt
SSLCertificateKeyFile /etc/httpd/cacert/httpd.key 
# systemctl restart httpd

在其它主机中进行测试:

COPY
# vim /etc/hosts 
加入 : 172.16.252.166  www.rj.com

测试https与http的持久连接

COPY
# for i in {1..4} ;do curl –cacert /root/cacert.pem https://www.rj.com && curl http://www.rj.com ; done 
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>
<h1>RS2</h2>

在 ldirectord 中实现

COPY
driector  
# vim /etc/ha.d/ldirectord.cf 
checktimeout=3
checkinterval=1
fallback=127.0.0.1:80
autoreload=yes
logfile=”/var/log/ldirectord.log”
quiescent=no
virtual=10
real=172.16.251.191:80 gate 1
real=172.16.251.232:80 gate 3
fallback=127.0.0.1:80 gate
service=http
scheduler=wrr
checktype=negotiate
checkport=80
# systemctl start ldirectord
# ipvsadm -Ln

在其它主机中进行测试

COPY
# for i in {1..4} ;do curl –cacert /root/cacert.pem https://www.rj.com && curl http://www.rj.com ; done 
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS1</h2>
<h1>RS2</h2>
<h1>RS1</h2>
<h1>RS1</h2>