LVS Load Balancing
I. LVS Overview
LVS (Linux Virtual Server) is an open-source load-balancing project led by Dr. Wensong Zhang (章文嵩) that has been integrated into the Linux kernel; its core function is load-balanced scheduling of requests at the IP layer. End users send their requests to the LVS scheduler, addressed to the VIP (virtual IP); the scheduler distributes them to the backend Real Servers (whose addresses are the RIPs) according to a preset algorithm. If the Real Servers mount the same storage and provide the same service, the cluster is transparent to users. Each Real Server returns its response to the user in the manner dictated by the LVS working mode. The official site is http://www.linuxvirtualserver.org, and three working modes are supported: NAT, TUN and DR.
II. LVS Architecture
An LVS cluster is a three-tier architecture. Users perceive only the "virtual server"; its core is the Director Server (the scheduling server).
Tier: composition and function
- Load balancer tier (Load Balancer): one or more Director Servers running the LVS kernel module (routing and distribution) and the Ldirectord monitoring module (checks Real Server health, removes a server on failure and re-adds it on recovery); it plays a role similar to a router.
- Server array tier (Server Array): made up of Real Servers, which can host WEB, MAIL, FTP and other services; Real Servers are connected over a high-speed LAN/WAN; a Director Server can also act as a Real Server.
- Shared storage tier (Shared Storage): usually a disk array, providing shared storage and content consistency; either NFS (simple, but poor under high concurrency) or a cluster file system such as Red Hat GFS or Oracle OCFS2.
Supported systems: the Director Server runs only on Linux (natively supported since kernel 2.6) or FreeBSD (rarely used, mediocre performance); Real Servers can run Linux, Windows, Solaris, AIX and other systems.
III. Core LVS Management Tools
LVS relies on a "kernel module + user-space tool" pair working together; the core tools are ipvs and ipvsadm.
1. ipvs (kernel-side core component)
Role: the kernel-level core of the LVS software, running in the load balancer tier. It handles IP packets, executes the load-balancing algorithm, and manages system configuration, maintaining the lists of virtual servers and Real Servers. Key properties: one ipvs host can define several cluster services (which may affect scheduling performance); each cluster service needs at least one Real Server.
2. ipvsadm (user-space command-line tool)
Role: manages cluster services and Real Servers, supporting add, delete, modify and query operations, and specifying the working mode, weight and so on.
Common commands and functions:
- Cluster service management: add -A -t ip:port -s algorithm; modify -E; delete -D; clear all -C; save -S > /etc/sysconfig/ipvsadm; reload -R < /etc/sysconfig/ipvsadm
- Real Server management: add -a -t ip:port -r rip:port -g/-i/-m; modify -e; delete -d; set weight -w value
- Viewing and output format: list -L/-l; numeric IPs and ports -n (must follow -L)
- Working mode selection: DR mode -g (default); TUN mode -i; NAT mode -m
Core syntax examples: ipvsadm -A -t 172.16.30.10:80 -s rr (create a cluster service on TCP port 80 with the round-robin algorithm); ipvsadm -a -t 172.16.30.10:80 -r 192.168.100.20:80 -m (add a Real Server in NAT mode).
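As an added example (not from the original page), here is a small Python parser for the table that ipvsadm -Ln prints, with an audit that flags what is worth checking before trusting the cluster: services with no real servers, mixed forwarding methods, and weight-0 (quiesced) real servers. The sample table is constructed to match the two NAT services configured later on this page, with one RS quiesced on purpose.

```python
"""Parse the table printed by `ipvsadm -Ln` and sanity-check it before trusting the cluster."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout ipvsadm -Ln prints: the two NAT services configured on
# this page, with one real server deliberately set to weight 0 so the audit has a finding.
SAMPLE = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.30.10:80 rr
  -> 192.168.100.20:80            Masq    1      0          0
  -> 192.168.100.30:80            Masq    1      0          0
TCP  172.16.30.10:443 rr
  -> 192.168.100.20:443           Masq    1      0          0
  -> 192.168.100.30:443           Masq    0      0          0
"""


@dataclass
class RealServer:
    addr: str
    forward: str      # Masq = NAT (-m), Route = DR (-g), Tunnel = TUN (-i)
    weight: int
    active: int
    inactive: int


@dataclass
class Service:
    proto: str
    addr: str
    scheduler: str
    flags: str = ""
    servers: list = field(default_factory=list)


SERVICE_RE = re.compile(r"^(TCP|UDP|SCTP|FWM)\s+(\S+)\s+(\S+)\s*(.*)$")
RS_RE = re.compile(r"^\s*->\s+(\S+)\s+(Masq|Route|Tunnel|Local)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ipvsadm(text):
    """Return the services in order, each with its real servers attached."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m[1], m[2], m[3], m[4].strip()))
            continue
        m = RS_RE.match(line)
        if m and services:          # the banner and header lines match neither pattern
            services[-1].servers.append(
                RealServer(m[1], m[2], int(m[3]), int(m[4]), int(m[5])))
    return services


def expected_share(service):
    """Share of new connections each real server should get under rr/wrr (weight / total)."""
    total = sum(rs.weight for rs in service.servers)
    return {rs.addr: (rs.weight / total if total else 0.0) for rs in service.servers}


def audit(services):
    """Findings a practitioner should look at before declaring the cluster healthy."""
    findings = []
    for svc in services:
        tag = f"{svc.proto} {svc.addr}"
        if not svc.servers:
            findings.append(f"{tag}: no real servers, every new connection is dropped")
            continue
        methods = {rs.forward for rs in svc.servers}
        if len(methods) > 1:
            findings.append(f"{tag}: mixed forwarding methods {sorted(methods)}")
        if all(rs.weight == 0 for rs in svc.servers):
            findings.append(f"{tag}: all real servers have weight 0, service is effectively down")
        for rs in svc.servers:
            if rs.weight == 0:
                findings.append(f"{tag}: {rs.addr} has weight 0 (quiesced, gets no new connections)")
    return findings
```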
IV. LVS Working Modes and How They Work
1. NAT mode (Network Address Translation)
How it works: both requests and responses pass through the Director Server, which schedules by rewriting addresses. The client request (source CIP, destination VIP) reaches the Director; the Director rewrites the destination IP to the RIP and forwards the packet to a Real Server; the Real Server (whose gateway points at the Director) handles it and sends the response (source RIP, destination CIP) back to the Director; the Director rewrites the source IP to the VIP and returns it to the client. Characteristics: only the Director needs a public IP; IP and port translation are supported; Real Servers can run any OS; but the Director easily becomes a bottleneck (only 10-20 RSes are supported). Key requirement: each Real Server's gateway must point at the Director's internal IP (DIP).
2. DR mode (Direct Routing)
How it works: only the MAC addresses of the request frame are rewritten, and responses go straight back to the client without passing through the Director. The client request (CIP→VIP) reaches the Director; the Director rewrites the source MAC to the DIP's MAC and the destination MAC to the RIP's MAC and forwards the frame to a Real Server; the Real Server recognises the destination MAC as its own, handles the request, and replies directly to the client via the lo interface → eth0. Characteristics: no IP tunnelling overhead and high performance; the Director and Real Servers must be on the same LAN; each Real Server must carry the VIP (on the lo interface with a 32-bit netmask, to avoid conflicting ARP replies). Key requirement: Real Servers set arp_ignore=1 (reply only to ARP requests for an IP on the receiving interface) and arp_announce=2 (use the RIP as the source IP of ARP requests).
3. TUN mode (IP Tunnelling)
How it works: requests are encapsulated in an IP tunnel and responses go straight back to the client. The client request (CIP→VIP) reaches the Director; the Director wraps the request packet in a new IP header (source DIP, destination RIP) and sends it through the tunnel to a Real Server; the Real Server decapsulates it, recognises the destination VIP (configured on the lo interface), handles the request and replies directly to the client. Characteristics: the Director is not a bottleneck (it only distributes requests) and deployment across regions is supported; but Real Servers need legitimate IPs and must support the "IP Tunneling" protocol (mostly Linux systems).
V. LVS Scheduling Algorithms
LVS scheduling algorithms fall into two classes, static (ignore server load) and dynamic (adjust according to real-time server load), ten in total.
1. Static scheduling algorithms (4)
- rr (round robin): distributes requests evenly, ignoring each server's connection count and load.
- wrr (weighted round robin): distributes by weight; a Real Server's weight can be adjusted dynamically according to its load.
- sh (source hashing): hashes the client's source IP so that requests from the same client always go to the same Real Server.
- dh (destination hashing): hashes the request's destination IP so that requests for the same destination IP always go to the same Real Server.
2. Dynamic scheduling algorithms (6)
- lc (least connection): sends the request to the Real Server with the fewest current connections; suited to RSes of similar capacity.
- wlc (weighted least connection): combines weight and connection count; an RS with high weight and few connections is preferred; suited to RSes of very different capacity.
- lblc (locality-based least connection): prefers sending requests for the same destination IP to the RS that served it most recently, if that RS is available and lightly loaded.
- lblcr (locality-based least connection with replication): maintains a "destination IP → RS group" mapping to avoid overloading a single RS.
- sed (shortest expected delay): ignores inactive connections and prefers high-weight RSes, which may leave the high-weight RS busy.
- nq (never queue): sends the request straight to an RS with zero connections, with no queuing.
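Added example, not part of the original page: a Python simulation of four of the schedulers above (rr, wrr, sh, wlc) over this page's two Real Servers. The wrr class ports the threshold walk of the kernel's ip_vs_wrr, so with weights 3:1 it reproduces the RS1 RS1 RS1 RS2 pattern seen in the weighted test later on this page; the sh table fill and hash mirror ip_vs_sh, and the wlc overhead formula (active * 256 + inactive) is the one ipvs uses.

```python
"""Simulate four LVS schedulers (rr, wrr, sh, wlc) over this page's two Real Servers."""
import ipaddress
from functools import reduce
from math import gcd


class RealServer:
    def __init__(self, name, weight=1):
        self.name, self.weight = name, weight
        self.active, self.inactive = 0, 0

    def overhead(self):
        # ipvs ip_vs_dest_conn_overhead(): one active connection counts as 256 inactive ones
        return (self.active << 8) + self.inactive


class RoundRobin:                       # -s rr
    def __init__(self, servers):
        self.servers, self.i = servers, 0

    def pick(self):
        for _ in range(len(self.servers)):
            rs = self.servers[self.i]
            self.i = (self.i + 1) % len(self.servers)
            if rs.weight > 0:           # weight 0 quiesces a server
                return rs
        return None


class WeightedRoundRobin:               # -s wrr, the ip_vs_wrr threshold walk
    """Walk the list repeatedly; passing the head lowers the threshold cw by gcd(weights),
    wrapping back to max(weights). A server is chosen when weight >= cw, so 3:1 gives
    RS1 RS1 RS1 RS2, and a weight-0 server is never chosen (cw never drops below gcd)."""
    def __init__(self, servers):
        self.servers, self.head = servers, len(servers)   # head = virtual list head
        self.cl, self.cw = self.head, 0
        self.di = reduce(gcd, (s.weight for s in servers if s.weight > 0), 0)
        self.mw = max((s.weight for s in servers), default=0)

    def pick(self):
        if self.mw == 0:
            return None
        for _ in range((self.mw // self.di + 2) * (self.head + 1)):
            if self.cl == self.head:
                self.cl, self.cw = 0, self.cw - self.di
                if self.cw <= 0:
                    self.cw = self.mw
            else:
                self.cl += 1
            if self.cl != self.head and self.servers[self.cl].weight >= self.cw:
                return self.servers[self.cl]
        return None


class SourceHash:                       # -s sh: client IP -> one of 256 buckets
    def __init__(self, servers):
        live, self.table = [s for s in servers if s.weight > 0], []
        while live and len(self.table) < 256:   # ip_vs_sh_reassign: each server fills
            for rs in live:                     # `weight` consecutive buckets in turn
                self.table += [rs] * rs.weight
        self.table = self.table[:256]

    def pick(self, client_ip):
        # ip_vs_sh_hashkey multiplicative hash (the port term is 0 unless sh-port is set)
        key = (int(ipaddress.IPv4Address(client_ip)) * 2654435761) & 0xFF
        return self.table[key] if self.table else None


class WeightedLeastConnection:          # -s wlc: minimise overhead / weight
    def __init__(self, servers):
        self.servers = servers

    def pick(self):
        best = None
        for rs in self.servers:
            if rs.weight > 0 and (best is None or
                                  rs.overhead() * best.weight < best.overhead() * rs.weight):
                best = rs
        return best


def schedule(algo, weights, n, client_ips=None):
    """Names of the servers chosen for n requests. For wlc each chosen connection stays
    active, which is what steers later requests away from the busier server."""
    servers = [RealServer(name, w) for name, w in weights.items()]
    sched = {"rr": RoundRobin, "wrr": WeightedRoundRobin,
             "sh": SourceHash, "wlc": WeightedLeastConnection}[algo](servers)
    picks = []
    for i in range(n):
        rs = sched.pick(client_ips[i % len(client_ips)]) if algo == "sh" else sched.pick()
        if algo == "wlc":
            rs.active += 1
        picks.append(rs.name)
    return picks
```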
VI. Typical LVS Configuration Cases
The document gives four configuration cases. Each follows the same core steps, "environment preparation → basic configuration → service deployment → rule configuration → testing", and they differ as follows.
1. LVS-NAT mode (HTTP load-balancing cluster)
Environment: Client (192.168.100.200), Director (DIP 192.168.100.10, VIP 172.16.30.10), RS1 (192.168.100.20, gateway 192.168.100.10), RS2 (192.168.100.30, gateway 192.168.100.10), all Rocky Linux 9. Key steps: disable the firewall (systemctl stop/disable firewalld) and SELinux (SELINUX=disabled) on every host; configure IPs and gateways (the RS gateway points at the Director's DIP); deploy httpd on the RSes (yum install httpd) with a distinct home page on each (e.g. echo RS1 > /var/www/html/index.html); enable IP forwarding on the Director (net.ipv4.ip_forward=1, sysctl -p); install ipvsadm and add the rules (ipvsadm -A -t 172.16.30.10:80 -s rr; ipvsadm -a ... -m); save the rules (ipvsadm -Sn > /etc/sysconfig/ipvsadm) and restart ipvsadm; test from the client (curl http://172.16.30.10 returns RS1/RS2 in turn).
2. LVS-NAT mode (HTTPS load-balancing cluster)
Additional steps: the Director generates the CA key and certificate (openssl genrsa, openssl req -new -x509); each RS generates a certificate signing request (CSR) and sends it to the Director; the Director signs the CSR and returns the certificate to the RS; the RS configures httpd's SSL module (mod_ssl) with the certificate paths; the Director adds port 443 rules (ipvsadm -A -t 172.16.30.10:443 -s rr; ipvsadm -a ... -m); test from the client (curl -k https://172.16.30.10 returns RS1/RS2 in turn).
3. LVS-DR mode (HTTP load-balancing cluster)
Environment: Director (DIP 192.168.100.10, VIP 192.168.100.100), RS1/RS2 (RIP 192.168.100.20/30, VIP 192.168.100.100). Key differences: the RSes set the ARP kernel parameters (arp_ignore=1, arp_announce=2, sysctl -p); the RSes configure the VIP on the lo interface (ifconfig lo 192.168.100.100/32 up) and add a route (route add -host 192.168.100.100 dev lo); the Director adds its rules in DR mode (-g, the default) and does not need IP forwarding; test from the client (curl http://192.168.100.100 returns RS1/RS2 in turn).
4. LVS-TUN mode (HTTP load-balancing cluster)
Environment: Director (VIP 192.168.100.55 on the tunl0 interface), RS1/RS2 (RIP 192.168.100.20/30, VIP on the tunl0 interface). Key differences: IP forwarding is enabled on every host; the RSes load the ipip module (modprobe ipip) and configure the VIP on tunl0 (ifconfig tunl0 192.168.100.55/32 up); the RSes set the kernel parameter rp_filter=0 (to avoid reverse-path filtering); the Director adds its rules in TUN mode (-i); test from the client (curl http://192.168.100.55 returns RS1/RS2 in turn).
Worked example: configuring an LVS-NAT httpd load-balancing cluster (HTTP)
Disable the firewall and SELinux on all three hosts (DR, RS1, RS2) (omitted).
RS1
[root@rs1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
PREFIX=24
GATEWAY=192.168.100.10
IPV6_PRIVACY=no
~
[root@rs1 ~]# systemctl restart network
RS2
[root@rs2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
PREFIX=24
GATEWAY=192.168.100.10
IPV6_PRIVACY=no
~
[root@rs2 ~]# systemctl restart network
lvs-dr
[root@lvs-dr ~]# nmcli connection show
NAME                UUID                                  TYPE
ens33               1b997c48-8eff-4fa9-be0d-5e2acd617368  ethernet
virbr0              8cb8b09f-e215-4ef7-a952-30012815b908  bridge
Wired connection 1  5d0b9ad8-d21e-344a-8a1f-5207b018d317  ethernet
[root@lvs-dr ~]# nmcli connection delete Wired\ connection\ 1
Connection 'Wired connection 1' (5d0b9ad8-d21e-344a-8a1f-5207b018d317) successfully deleted.
[root@lvs-dr ~]# nmcli connection add con-name ens36 ifname ens36 type ethernet
Connection 'ens36' (c5ea1843-9f29-4242-a6f0-d53457489a7e) successfully added.
[root@lvs-dr ~]# nmcli connection show
NAME    UUID                                  TYPE      DEVICE
ens33   1b997c48-8eff-4fa9-be0d-5e2acd617368  ethernet  ens33
ens36   c5ea1843-9f29-4242-a6f0-d53457489a7e  ethernet  ens36
virbr0  8cb8b09f-e215-4ef7-a952-30012815b908  bridge    virbr0
[root@lvs-dr ~]# nmcli connection modify ens36 ipv4.addresses 172.16.30.10/24 ipv4.method manual connection.autoconnect yes
[root@lvs-dr ~]# nmcli connection up ens36
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@lvs-dr ~]# ifconfig ens36
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.30.10  net mask 255.255.255.0  broadcast 172.16.30.255
        inet6 fe80::947e:8560:897e:6572  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:e4:65:28  txqueuelen 1000  (Ethernet)
        RX packets 235  bytes 55357 (54.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 77  bytes 12865 (12.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
lvs-dr configuration: enable IP forwarding on the DR
[root@lvs-dr ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
~
[root@lvs-dr ~]# sysctl -p
net.ipv4.ip_forward = 1
Deploy the web server on the backend RS1 and RS2
RS1
[root@rs1 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs1 ~]# cd /etc/yum.repos.d/
[root@rs1 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs1 yum.repos.d]# rm -rf *
[root@rs1 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
[root@rs1 ~]# yum -y install httpd
RS2
[root@rs2 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs2 ~]# cd /etc/yum.repos.d/
[root@rs2 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs2 yum.repos.d]# rm -rf *
[root@rs2 yum.repos.d]# vim syy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
[root@rs2 ~]# yum -y install httpd
RS1
[root@rs1 ~]# cd /var/www/html/
[root@rs1 html]# ls
[root@rs1 html]# vim index.html
RS1
~
[root@rs1 html]# systemctl restart httpd
[root@rs1 html]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
RS2
[root@rs2 ~]# cd /var/www/html/
[root@rs2 html]# ls
[root@rs2 html]# vim index.html
RS2
~
[root@rs2 html]# systemctl restart httpd
[root@rs2 html]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
client
[root@client ~]# curl http://192.168.100.20
RS1
[root@client ~]# curl http://192.168.100.30
RS2
Install ipvsadm and add the rules
lvs-dr
[root@lvs-dr ~]# rpm -q ipvsadm
package ipvsadm is not installed
[root@lvs-dr ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@lvs-dr ~]# cd /etc/yum.repos.d/
[root@lvs-dr yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@lvs-dr yum.repos.d]# rm -rf *
[root@lvs-dr yum.repos.d]# vim qvq.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
[root@lvs-dr ~]# yum -y install ipvsadm
[root@lvs-dr ~]# ipvsadm -A -t 172.16.30.10:80 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:80 -r 192.168.100.20:80 -m
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:80 -r 192.168.100.30:80 -m
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.30.10:80 rr
  -> 192.168.100.20:80            Masq    1      0          0
  -> 192.168.100.30:80            Masq    1      0          0
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm.service
[root@lvs-dr ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.
Client test
client
[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=172.16.30.20
PREFIX=24
~
[root@client ~]# systemctl restart network
[root@client ~]# curl http://172.16.30.10
RS2
[root@client ~]# curl http://172.16.30.10
RS1
[root@client ~]# curl http://172.16.30.10
RS2
[root@client ~]# curl http://172.16.30.10
RS1
Configuring an LVS-NAT httpd load-balancing cluster (HTTPS)
lvs-dr
[root@lvs-dr ~]# cd /etc/pki/CA/
[root@lvs-dr CA]# ls
certs  crl  newcerts  private
[root@lvs-dr CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................
...................
e is 65537 (0x10001)
[root@lvs-dr CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
[root@lvs-dr CA]# ls
certs  crl  newcerts  private
[root@lvs-dr CA]# ls private/
cakey.pem
[root@lvs-dr CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server.example.com
Email Address []:shenyi@example.com
[root@lvs-dr CA]# touch index.txt
[root@lvs-dr CA]# echo 01 > serial
Generate a certificate signing request on RS1 and send it to the CA
RS1
[root@rs1 html]# yum -y install mod_ssl
[root@rs1 html]# cd /etc/httpd/
[root@rs1 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@rs1 httpd]# mkdir ssl
[root@rs1 httpd]# cd ssl/
[root@rs1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................................
................................................................................................
e is 65537 (0x10001)
[root@rs1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:rs1.example.com
Email Address []:shenyi@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
RS2
[root@rs2 html]# yum -y install mod_ssl
[root@rs2 html]# cd /etc/httpd/
[root@rs2 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@rs2 httpd]# mkdir ssl
[root@rs2 httpd]# cd ssl/
[root@rs2 ssl]# (umask 077;openssl genrsa -out httpd2.key 2048)
Generating RSA private key, 2048 bit long modulus
.
....
e is 65537 (0x10001)
[root@rs2 ssl]# openssl req -new -key httpd2.key -days 1024 -out httpd2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:rs2.example.com
Email Address []:shenyi@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
RS1
[root@rs1 ssl]# scp httpd.csr root@192.168.100.10:/root/
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:UN0UZbtBfFQeLR3836aFd9k4cm9na95JOPqBnPk05VU.
ECDSA key fingerprint is MD5:20:05:39:25:84:f6:1b:bb:8b:b3:ed:b9:bf:96:99:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:
httpd.csr                                     100% 1041     1.1MB/s   00:00
Check on the DR
[root@lvs-dr ~]# cd -
/etc/pki/CA
[root@lvs-dr CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@lvs-dr ~]# ls
anaconda-ks.cfg  Downloads             Music     Templates
Desktop          httpd.csr             Pictures  Videos
Documents        initial-setup-ks.cfg  Public
The CA signs the certificate and sends it to RS1
[root@lvs-dr ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 12:56:12 2025 GMT
            Not After : Jul 12 12:56:12 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = LQ
            organizationalUnitName    = linux
            commonName                = rs1.example.com
            emailAddress              = shenyi@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                74:C4:69:A0:7B:BB:49:42:7B:6D:81:5A:07:5C:BC:42:74:BF:89:8D
            X509v3 Authority Key Identifier:
                keyid:09:F9:B7:D5:02:F9:3A:2F:AC:03:F5:55:05:1B:22:74:7B:3D:52:3D

Certificate is to be certified until Jul 12 12:56:12 2028 GMT (1024 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@lvs-dr ~]# ls
anaconda-ks.cfg  Downloads  initial-setup-ks.cfg  Public
Desktop          httpd.crt  Music                 Templates
Documents        httpd.csr  Pictures              Videos
Send the CA-signed certificate httpd.crt and the CA's certificate cacert.pem to RS1
[root@lvs-dr ~]# scp httpd.crt root@192.168.100.20:/etc/httpd/ssl
root@192.168.100.20's password:
httpd.crt                                     100% 4587     3.0MB/s   00:00
RS1
[root@rs1 ~]# cd /etc/httpd/
[root@rs1 httpd]# cd ssl/
[root@rs1 ssl]# ls
httpd.crt  httpd.csr  httpd.key
RS2
[root@rs2 ~]# cd /etc/httpd/
[root@rs2 httpd]# ls ssl/
httpd2.csr  httpd2.key  httpd.key
[root@rs2 httpd]# cd ssl/
[root@rs2 ssl]# rm -rf http*
On RS1, send RS1's certificate and key to RS2
RS1
[root@rs1 ssl]# scp httpd.crt httpd.key root@192.168.100.30:/etc/httpd/ssl/
The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
ECDSA key fingerprint is SHA256:UN0UZbtBfFQeLR3836aFd9k4cm9na95JOPqBnPk05VU.
ECDSA key fingerprint is MD5:20:05:39:25:84:f6:1b:bb:8b:b3:ed:b9:bf:96:99:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (ECDSA) to the list of known hosts.
root@192.168.100.30's password:
httpd.crt                                     100% 4587     3.2MB/s   00:00
httpd.key                                     100% 1679     1.9MB/s   00:00
RS2
[root@rs2 ssl]# ls
httpd.crt  httpd.key
Modify the HTTPS configuration file on RS1
[root@lvs-dr ~]# cd /etc/pki/CA/private/
[root@lvs-dr private]# ls
cakey.pem
[root@lvs-dr private]# cd ..
[root@lvs-dr CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@lvs-dr CA]# scp cacert.pem root@192.168.100.20:/etc/httpd/ssl/
root@192.168.100.20's password:
cacert.pem                                    100% 1399   687.2KB/s   00:00
[root@lvs-dr CA]# scp cacert.pem root@192.168.100.30:/etc/httpd/ssl/
The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
ECDSA key fingerprint is SHA256:UN0UZbtBfFQeLR3836aFd9k4cm9na95JOPqBnPk05VU.
ECDSA key fingerprint is MD5:20:05:39:25:84:f6:1b:bb:8b:b3:ed:b9:bf:96:99:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (ECDSA) to the list of known hosts.
root@192.168.100.30's password:
cacert.pem                                    100% 1399   815.3KB/s   00:00
RS1
[root@rs1 ssl]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
.....
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
# Client Authentication (Type):
[root@rs1 ssl]# scp /etc/httpd/conf.d/ssl.conf root@192.168.100.30:/etc/httpd/conf.d/ssl.conf
root@192.168.100.30's password:
ssl.conf                                      100% 9474     3.4MB/s   00:00
[root@rs1 ssl]# systemctl restart httpd
[root@rs2 ssl]# systemctl restart httpd
[root@rs1 ssl]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:6000 *:*
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 127.0.0.1:6011 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 :::6000 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 128 ::1:6010 :::*
LISTEN 0 128 :::443 :::*
LISTEN 0 128 ::1:6011 :::*
Add the rules on the DR
[root@lvs-dr ~]# ipvsadm -A -t 172.16.30.10:443 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:443 -r 192.168.100.20 -m
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:443 -r 192.168.100.30 -m
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.30.10:80 rr
  -> 192.168.100.20:80            Masq    1      0          0
  -> 192.168.100.30:80            Masq    1      0          0
TCP  172.16.30.10:443 rr
  -> 192.168.100.20:443           Masq    1      0          0
  -> 192.168.100.30:443           Masq    1      0          0
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm
Client test
[root@client ~]# curl -k https://172.16.30.10:443
RS2
[root@client ~]# curl -k https://172.16.30.10:443
RS1
[root@client ~]# curl -k https://172.16.30.10:443
RS2
[root@client ~]# curl -k https://172.16.30.10:443
RS1
Configuring an LVS-DR httpd load-balancing cluster
Disable the firewall and SELinux (omitted).
RS1: configure a local yum repository
[root@rs1 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs1 ~]# cd /etc/yum.repos.d/
[root@rs1 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs1 yum.repos.d]# rm -rf *
[root@rs1 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
Install httpd
[root@rs1 ~]# yum -y install httpd
[root@rs1 ~]# echo RS1 > /var/www/html/index.html
[root@rs1 ~]# systemctl restart httpd
[root@rs1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
RS2: configure a local yum repository
[root@rs2 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs2 ~]# cd /etc/yum.repos.d/
[root@rs2 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs2 yum.repos.d]# rm -rf *
[root@rs2 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
Install httpd
[root@rs2 ~]# yum -y install httpd
[root@rs2 ~]# echo RS2 > /var/www/html/index.html
[root@rs2 ~]# systemctl restart httpd
[root@rs2 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
LVS-DR
[root@lvs-dr ~]# curl http://192.168.100.20
RS1
[root@lvs-dr ~]# curl http://192.168.100.30
RS2
Configure the IP on the LVS (disable the firewall and SELinux, omitted)
Add the IP
[root@lvs-dr ~]# ifconfig lo 192.168.100.100/32 broadcast 192.168.100.100 netmask 255.255.255.255 up
[root@lvs-dr ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 192.168.100.100/0 brd 192.168.100.100 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
Configure the ARP kernel parameters on the RSes
RS1
[root@rs1 ~]# vim /etc/sysctl.conf
# Make the interface reply only to ARP requests whose target IP is configured on that interface
net.ipv4.conf.all.arp_ignore = 1
# Use the interface's own IP (that is, the RIP) as the source IP of ARP requests
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
~
[root@rs1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
RS2
[root@rs2 ~]# vim /etc/sysctl.conf
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
~
[root@rs2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
Configure the VIP on the RSes
Be sure to set the kernel parameters before configuring the VIP: if the VIP is configured first, it is announced to everyone the moment it comes up, and the whole point of changing the kernel parameters is to prevent that announcement.
The address 192.168.100.100 on the LVS server's ens160 NIC serves as the VIP.
RS1
[root@rs1 ~]# ifconfig lo 192.168.100.100/32 broadcast 192.168.100.100 netmask 255.255.255.255 up
RS2
[root@rs2 ~]# ifconfig lo 192.168.100.100/32 broadcast 192.168.100.100 netmask 255.255.255.255 up
Add the route
RS1
[root@rs1 ~]# route add -host 192.168.100.100/32 dev lo
[root@rs1 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 ens33
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 ens33
rs1.example.com 0.0.0.0         255.255.255.255 UH    0      0        0 lo
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
RS2
[root@rs2 ~]# route add -host 192.168.100.100/32 dev lo
[root@rs2 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 ens33
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 ens33
rs2.example.com 0.0.0.0         255.255.255.255 UH    0      0        0 lo
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
Add and save the rules
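Added example (not the page's own code): a Python pre-flight check that encodes the ordering rule above, handing out the VIP-binding commands for a DR-mode Real Server only once the effective arp_ignore/arp_announce values are in place. It reads /proc/sys/net/ipv4/conf by default; the constructed_reader helper stands in for /proc so it runs offline, and the ip commands it returns are assumed iproute2 equivalents of the ifconfig/route lines on this page.

```python
"""Pre-flight check for a DR-mode Real Server: hand out the VIP-binding commands only
after the ARP sysctls are in place, since a VIP brought up first is announced on the LAN."""
from pathlib import Path

PROC = Path("/proc/sys/net/ipv4/conf")
# What this page sets on every RS: reply to ARP only for addresses configured on the
# receiving interface, and use the RIP (never the VIP) as the source of the RS's own ARP requests.
REQUIRED = {"arp_ignore": 1, "arp_announce": 2}


def read_proc_param(iface, param):
    """Live value from /proc, or None if the interface or parameter does not exist."""
    try:
        return int((PROC / iface / param).read_text().strip())
    except (OSError, ValueError):
        return None


def constructed_reader(values):
    """Reader over a constructed dict {(iface, param): value}, standing in for /proc offline."""
    return lambda iface, param: values.get((iface, param))


def arp_problems(iface="lo", read=read_proc_param):
    """Describe each ARP setting still below what DR mode needs. The kernel applies
    max(conf.all.X, conf.<iface>.X), so setting 'all' alone passes, but this page sets both."""
    problems = []
    for param, want in REQUIRED.items():
        vals = {scope: read(scope, param) for scope in ("all", iface)}
        if None in vals.values():
            problems.append(f"{param}: unreadable ({vals})")
            continue
        effective = max(vals.values())
        if effective < want:
            problems.append(f"{param}: effective {effective} "
                            f"(all={vals['all']}, {iface}={vals[iface]}), want {want}")
    return problems


def sysctl_lines(iface="lo"):
    """The /etc/sysctl.conf lines this page adds on each RS, for 'all' and the VIP interface."""
    return [f"net.ipv4.conf.{scope}.{p} = {v}"
            for scope in ("all", iface) for p, v in REQUIRED.items()]


def vip_commands(vip, iface="lo", read=read_proc_param):
    """iproute2 equivalents (assumed) of the page's ifconfig/route lines: a /32 on lo plus a
    host route. Raises while the effective ARP settings would still announce the VIP."""
    problems = arp_problems(iface, read)
    if problems:
        raise RuntimeError("set ARP sysctls first: " + "; ".join(problems))
    return [f"ip addr add {vip}/32 dev {iface}", f"ip route add {vip}/32 dev {iface}"]
```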
LVS-DR
[root@lvs-dr ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@lvs-dr ~]# cd /etc/yum.repos.d/
[root@lvs-dr yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@lvs-dr yum.repos.d]# rm -rf *
[root@lvs-dr yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
[root@lvs-dr ~]# yum -y install ipvsadm
[root@lvs-dr ~]# ipvsadm -A -t 192.168.100.100:80 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.20 -g
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.30 -g
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.100:80 rr
  -> 192.168.100.20:80            Route   1      0          0
  -> 192.168.100.30:80            Route   1      0          0
[root@lvs-dr ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
~
[root@lvs-dr ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm
[root@lvs-dr ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.
Client verification
client
[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.100.40
PREFIX=24
~
[root@client ~]# systemctl restart network
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
Weighted round robin
LVS-DR
[root@lvs-dr ~]# ipvsadm -C
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
[root@lvs-dr ~]# ipvsadm -A -t 192.168.100.100:80 -s wrr
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.20 -g -w 3
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.30 -g
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.100:80 wrr
  -> 192.168.100.20:80            Route   3      0          0
  -> 192.168.100.30:80            Route   1      0          0
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm
client
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS2
TUN mode
Disable the firewall and SELinux.
RS1: configure a local yum repository and deploy httpd
[root@rs1 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs1 ~]# cd /etc/yum.repos.d/
[root@rs1 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs1 yum.repos.d]# rm -rf *
[root@rs1 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
[root@rs1 ~]# yum -y install httpd
[root@rs1 ~]# echo RS1 > /var/www/html/index.html
[root@rs1 ~]# systemctl restart httpd
[root@rs1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
RS2: configure a local yum repository and deploy httpd
[root@rs2 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs2 ~]# cd /etc/yum.repos.d/
[root@rs2 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs2 yum.repos.d]# rm -rf *
[root@rs2 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
[root@rs2 ~]# yum -y install httpd
[root@rs2 ~]# echo RS2 > /var/www/html/index.html
[root@rs2 ~]# systemctl restart httpd
[root@rs2 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
LVS-DR: configure a local yum repository
[root@lvs-dr ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@lvs-dr ~]# cd /etc/yum.repos.d/
[root@lvs-dr yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@lvs-dr yum.repos.d]# rm -rf *
[root@lvs-dr yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~
LVS-DR: modify the kernel parameters to enable IP forwarding
[root@lvs-dr ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
~
[root@lvs-dr ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lvs-dr ~]# yum -y install ipvsadm
[root@lvs-dr ~]# ifconfig tunl0 192.168.100.55 broadcast 192.168.100.55 netmask 255.255.255.255 up
Enable the ipip module
RS1
[root@rs1 ~]# lsmod | grep ipip
[root@rs1 ~]# modprobe ipip
[root@rs1 ~]# lsmod | grep ipip
ipip                   13465  0
tunnel4                13252  1 ipip
ip_tunnel              25163  1 ipip
[root@rs1 ~]# ifconfig tunl0 192.168.100.55 broadcast 192.168.100.55 netmask 255.255.255.255 up
RS2
[root@rs2 ~]# modprobe ipip
[root@rs2 ~]# ifconfig tunl0 192.168.100.55 broadcast 192.168.100.55 netmask 255.255.255.255 up
Set the kernel parameters as follows
RS1
[root@rs1 ~]# vim /etc/sysctl.conf
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
~
[root@rs1 ~]# sysctl -p
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
RS2
[root@rs2 ~]# vim /etc/sysctl.conf
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
~
[root@rs2 ~]# sysctl -p
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
Add the rules on the DR
LVS-DR
[root@lvs-dr ~]# ipvsadm -A -t 192.168.100.55:80 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.55:80 -r 192.168.100.20 -i
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.55:80 -r 192.168.100.30 -i
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.55:80 rr
  -> 192.168.100.20:80            Tunnel  1      0          0
  -> 192.168.100.30:80            Tunnel  1      0          0
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm
[root@lvs-dr ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.
Client verification
client
[root@client ~]# curl http://192.168.100.55
RS2
[root@client ~]# curl http://192.168.100.55
RS1
[root@client ~]# curl http://192.168.100.55
RS2
[root@client ~]# curl http://192.168.100.55
RS1