lvs主机:192.168.50.154
httpd主机:192.168.50.157 192.168.50.156 (ip需要在同一网段)
虚拟ip:192.168.50.183
前提准备:
bash
lvs安装:
yum install ipvsadm -y
lsmod|grep ip_vs
modprobe ip_vs
lsmod|grep ip_vs
httpd:(使用yum安装,并且启动一个静态页面)
[root@rabbit4-64 httpd]# netstat -ntlp|grep 8222
tcp6 0 0 :::8222 :::* LISTEN 30863/httpd
[root@three-3 html]# netstat -nltp|grep 8222
tcp6 0 0 :::8222 :::* LISTEN 102136/httpd
[root@three-3 html]# curl 192.168.50.157:8222
<h1> 192.168.50.157 test</h1>
[root@three-3 html]# curl 192.168.50.156:8222
<h1> 192.168.50.156 test </h1>1.配置虚拟ip(lvs机器中)
bash
ipvsadm --set 30 5 60
ipvsadm -A -t 192.168.50.183 -s wrr #添加一个虚拟服务,使用加权轮询(WRR)算法。
ipvsadm -a -t 192.168.50.183:8222 -r 192.168.50.157:8222 -g -w 1 #添加一台真实服务器到虚拟服务中。
ipvsadm -a -t 192.168.50.183:8222 -r 192.168.50.156:8222 -g -w 1 #添加一台真实服务器到虚拟服务中。
ifconfig ens192:183 192.168.50.183
[root@first-1 ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.50.183:8222 wrr
-> 192.168.50.156:8222 Route 1 0 0
-> 192.168.50.157:8222 Route 1 0 0
[root@first-1 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00f3:d4 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.154/24 brd 192.168.50.255 scope global ens192
valid_lft forever preferred_lft forever
inet 192.168.50.183/24 brd 192.168.50.255 scope global secondary ens192:183
valid_lft forever preferred_lft forever
inet6 fe80::c142:751b:6435:68b4/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe80a:cd2:ebda/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
inet6 fe801:ecd9/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
3: ens224: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 00:50:56:84:95:0c brd ff:ff:ff:ff:ff:ff
#尝试能不能ping通
[root@rabbit4-64 httpd]# ping 192.168.50.183
PING 192.168.50.183 (192.168.50.183) 56(84) bytes of data.
64 bytes from 192.168.50.183: icmp_seq=1 ttl=62 time=22.6 ms
64 bytes from 192.168.50.183: icmp_seq=2 ttl=62 time=22.2 ms
#测试数据是否已经过去:选择一台没有用的机器
[root@four-4 ~]# telnet 192.168.50.183 8222 (多选几台机器执行)
Trying 192.168.50.183...
# 在192.168.50.157 和 192.168.50.156 中进行抓包
tcpdump -i ens192 port 8222 #两台机器都执行
[root@three-3 html]# tcpdump -i ens192 port 8222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
13:57:30.772510 IP 192.168.50.157.48650 > 192.168.50.183.8222: Flags [S], seq 43617727, win 29200, options [mss 1460,sackOK,TS val 182619098 ecr 0,nop,wscale 7], length
13:57:31.774161 IP 192.168.50.157.48650 > 192.168.50.183.8222: Flags [S], seq 43617727, win 29200, options [mss 1460,sackOK,TS val 182620100 ecr 0,nop,wscale 7], lengt
[root@rabbit4-64 httpd]# tcpdump -i ens192 port 8222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
14:04:34.395304 IP 192.168.50.154.35818 > rabbit4-64.8222: Flags [S], seq 3231811907, win 29200, options [mss 1460,sackOK,TS val 183213407 ecr 0,nop,wscale 7], length 0
14:04:34.395452 IP rabbit4-64.8222 > 192.168.50.154.35818: Flags [S.], seq 2724865354, ack 3231811908, win 28960, options [mss 1460,sackOK,TS val 2606830328 ecr 183213407,nop,wscale 7], length 0
14:04:34.417852 IP 192.168.50.154.35818 > rabbit4-64.8222: Flags [.], ack 1, win 229, options [nop,nop,TS val 183213430 ecr 2606830328], length 0
14:04:35.648993 IP 192.168.50.154.35818 > rabbit4-64.8222: Flags [P.], seq 1:6, ack 1, win 229, options [nop,nop,TS val 183214661 ecr 2606830328], length 5
14:04:35.649098 IP rabbit4-64.8222 > 192.168.50.154.35818: Flags [.], ack 6, win 227, options [nop,nop,TS val 2606831582 ecr 183214661], length 0
# 从 tcpdump 输出中可以看到,只有 SYN(同步)标志,没有后续的 ACK(确认)标志,这意味着连接尝试没有成功建立,需要进行arp抑制dr模式arp抑制过程:
客户端发送请求:
请求首先到达部署了LVS的负载均衡器。
负载均衡器根据负载均衡策略选择目标服务器来处理请求。在DR模式中,负载均衡器会选择一个真实服务器来处理请求,并且它会修改请求的目标MAC地址为所选真实服务器的MAC地址。
负载均衡器将请求转发给所选的真实服务器。在DR模式中,它会将请求的目标IP地址修改为所选真实服务器的IP地址,并将目标MAC地址修改为所选真实服务器的MAC地址。
真实服务器接收到请求,并根据请求的目标IP地址进行处理。由于请求的目标IP地址被修改为真实服务器的IP地址,因此它将直接响应客户端,但响应的目标MAC地址是虚拟服务器的MAC地址。
真实服务器处理请求并生成响应,然后将响应发送回客户端。响应的目标IP地址是客户端的IP地址,而目标MAC地址是虚拟服务器的MAC地址。
当客户端收到响应后,它会尝试更新自己的ARP缓存,将虚拟服务器的IP地址映射到虚拟服务器的MAC地址。由于进行了ARP抑制,负载均衡器不会响应ARP请求,因此客户端无法获取真实服务器的MAC地址。
在后续的请求中,客户端会继续发送请求到虚拟服务器的IP地址,但由于ARP缓存中已经存在虚拟服务器的MAC地址,因此请求会直接发送到负载均衡器,绕过了真实服务器。
arp抑制:
bash
ifconfig lo:183 192.168.50.183/32 up
route add -host 192.168.50.183 dev lo
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce测试结果:
bash
[root@second-2 ~]# curl 192.168.50.183:8222
<h1> 192.168.50.157</h1>
[root@second-2 ~]# curl 192.168.50.183:8222
<h1> 192.168.50.156 test </h1>
[root@second-2 ~]# curl 192.168.50.183:8222
<h1> 192.168.50.157</h1>
[root@second-2 ~]# curl 192.168.50.183:8222
<h1> 192.168.50.156 test </h1>