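Building a high-performance load-balancing cluster with LVS + keepalived + nginx
Limitations of DR mode:
1: The port served by the real servers must be the same as the port served on the LVS VIP.
In other words, if the VIP exposes port 80 externally but the back-end service actually listens on 8080, LVS DR mode cannot handle it.
2: The real servers and LVS cannot run on the same machine.
3: The real servers and LVS must be in the same VLAN or LAN.
1. nginx installation
Firewall settings: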
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
firewall-cmd --list-all-zones
wget http://nginx.org/download/nginx-1.14.0.tar.gz
wget
wget https://sourceforge.net/projects/pcre/files/pcre/8.42/pcre-8.42.tar.gz
yum -y install gcc gcc-c++ autoconf automake zlib zlib-devel openssl openssl-devel pcre-devel perl*
useradd -M -s /sbin/nologin www
tar -xzf openssl-1.0.2o.tar.gz
cd /opt/openssl-1.0.2o
./config
make
make install
tar -xzf pcre-8.42.tar.gz
tar -xzf nginx-1.14.0.tar.gz
cd nginx-1.14.0
Solution:
Open the file /opt/nginx-1.14.0/auto/lib/openssl/conf in the nginx source tree:
Find this block of code:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
Change it to the following:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_sub_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-pcre --with-pcre-jit --with-stream --with-openssl=../openssl-1.0.2o --with-pcre=../pcre-8.42
make && make install
2. LVS + keepalived
Environment planning
Network topology diagram
6.1. Enable IP forwarding
Run the following on both the LVS master and the LVS slave:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.ens33.send_redirects = 0
6.2. Install ipvs
Run the following on both the LVS master and the LVS slave:
yum -y install ipvsadm
ipvsadm
lsmod | grep ip_vs
6.3. Install keepalived
Run the following on both the LVS master and the LVS slave:
yum -y install keepalived
6.4. keepalived configuration
6.4.1. LVS master configuration:
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    # notification_email {
    # }
    # notification_email_from [email protected]
    # smtp_server 192.168.200.1
    # smtp_connect_timeout 30
    router_id LVS_01
    #vrrp_skip_check_adv_addr    # comment out this block; otherwise the VIP is unreachable once the master is stopped
    #vrrp_strict
    #vrrp_garp_interval 0
    #vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.11.218/23 dev ens33 label ens33:1    # must be in the same subnet as the servers
    }
}
virtual_server 192.168.11.218 80 {
    delay_loop 6
    lb_algo rr    # load-balancing scheduling algorithm; wrr, rr and wlc are the usual choices
    lb_kind DR    # load-balancing forwarding method; generally one of DR, NAT, TUN
    persistence_timeout 50
    protocol TCP
    real_server 192.168.11.213 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 192.168.11.214 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
6.4.2. LVS slave configuration:
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    # notification_email {
    # }
    # notification_email_from [email protected]
    # smtp_server 192.168.200.1
    # smtp_connect_timeout 30
    router_id LVS_02
    #vrrp_skip_check_adv_addr    # comment out this block; otherwise the VIP is unreachable once the backup is stopped
    #vrrp_strict
    #vrrp_garp_interval 0
    #vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.11.218/23 dev ens33 label ens33:1    # must be in the same subnet as the servers
    }
}
virtual_server 192.168.11.218 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.11.213 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 192.168.11.214 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
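An added example (not part of the original article) that lints a keepalived.conf for the DR-mode port constraint described at the top of the page and for a VRRP auth_pass shorter than the eight characters keepalived uses. The function name lint_keepalived and the finding labels are hypothetical, and the sample config is constructed from the page's addresses with one back end moved to 8080.

```shell
#!/usr/bin/env bash
# Added example: lint_keepalived is a hypothetical helper, not part of keepalived.
# Prints one finding per line; prints nothing when the file passes both checks.
lint_keepalived() {
  awk '
    function flush(   i) {      # evaluate the virtual_server block just finished
      if (kind == "DR" && vport != "")
        for (i = 1; i <= n; i++)
          if (rport[i] != vport)
            print "DR_PORT_MISMATCH " vip ":" vport " -> " rip[i] ":" rport[i]
      n = 0; kind = ""; vport = ""
    }
    { sub(/[#!].*/, "") }       # keepalived comments start with # or !
    $1 == "vrrp_instance"  { inst = $2 }
    # keepalived only uses the first 8 characters of auth_pass
    $1 == "auth_pass" && length($2) < 8 { print "SHORT_AUTH_PASS " inst }
    # fwmark/group virtual servers have no port, so they are skipped
    $1 == "virtual_server" { flush(); vip = $2; vport = ($3 ~ /^[0-9]+$/) ? $3 : "" }
    $1 == "lb_kind"        { kind = $2 }
    $1 == "real_server"    { n++; rip[n] = $2; rport[n] = $3 }
    END { flush() }
  ' "$1"
}

# Constructed sample: the addresses from this page, with one back end on 8080.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
! Configuration File for keepalived
vrrp_instance VI_1 {
    authentication {
        auth_type PASS
        auth_pass 1111
    }
}
virtual_server 192.168.11.218 80 {
    lb_kind DR    # direct routing: LVS does not rewrite the port
    real_server 192.168.11.213 80 {
    }
    real_server 192.168.11.214 8080 {
    }
}
EOF
lint_keepalived "$sample"
```

Running it against /etc/keepalived/keepalived.conf on both LVS nodes before starting keepalived catches a mismatched real_server port before it shows up as a back end that never answers.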
6.5. Real server configuration
Run the following script on both web servers:
cat /etc/rc.d/init.d/realserver.sh
#!/bin/bash
SNS_VIP=192.168.11.218
#/etc/rc.d/init.d/functions
case "$1" in
start)
    # Bind the VIP to the loopback alias so this host accepts traffic sent to it
    ifconfig lo:0 "$SNS_VIP" netmask 255.255.255.255 broadcast "$SNS_VIP"
    /sbin/route add -host "$SNS_VIP" dev lo:0
    # Do not answer or announce ARP for the VIP; only the LVS director should
    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    sysctl -p >/dev/null 2>&1
    echo "RealServer Start OK"
    ;;
stop)
    # Remove the VIP and restore the default ARP behaviour
    ifconfig lo:0 down
    route del "$SNS_VIP" >/dev/null 2>&1
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "RealServer Stopped"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
exit 0
chmod u+x /etc/rc.d/init.d/realserver.sh
/etc/rc.d/init.d/realserver.sh start
6.6. Start keepalived and test
systemctl start firewalld
systemctl start keepalived
systemctl stop firewalld
ps -ef |grep keepalived
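Note: after the keepalived service is restarted, the LVS master's local NIC gains the ens33:1 address, i.e. the VIP.
Configuration tip: if the VIP is unreachable, first reboot the server and start the keepalived service, and only then stop the firewall.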
tail -f /var/log/messages
ipvsadm -L -n
ip add |grep ens33 # the LVS master has the VIP
ip add |grep ens33 # the LVS backup does not have the VIP
watch ipvsadm -Ln
ipvsadm -D -t 127.0.0.1:80 # delete the LVS route
6.7. Test load balancing
Kill nginx on 192.168.11.214:
pkill nginx # run on 192.168.11.214
ipvsadm -L -n # view the LVS forwarding table
Access the VIP: http://192.168.11.218
Restart nginx on 192.168.11.214:
./nginx
ipvsadm -L -n
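Stop the keepalived service on one of the nodes; the VIP floats to the other keepalived server, pinging the VIP from the LVS servers works, and the website remains accessible: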
systemctl stop keepalived
Summary: stop each service in turn (master keepalived, backup keepalived, nginx on 213, nginx on 214) and check whether http://192.168.11.218 is still accessible.
6.8. Firewall configuration
Firewall configuration on the two LVS servers:
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
--in-interface ens33 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
--out-interface ens33 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
Firewall configuration on the two nginx servers:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
View the firewall configuration:
iptables -L OUTPUT_direct --line-numbers
iptables -L INPUT_direct --line-numbers
Remove the firewall configuration:
firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 0 \
--in-interface ens33 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --remove-rule ipv4 filter OUTPUT 0 \
--out-interface ens33 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --reload
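Summary:
When the MASTER server can no longer provide service, the VIP is automatically removed from the MASTER, and the BACKUP server is promoted to MASTER state, binds the VIP and takes over the service. When the repaired MASTER rejoins the network, it automatically takes back the VIP and becomes MASTER again. When a back-end nginx service goes down, traffic is automatically switched to the other nginx server.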