lvs-dr集群之vip与dip/rip不在同一网段的实验环境设

作者: 小尛酒窝 | 来源:发表于2018-05-18 17:16 被阅读0次

前言

在学习了lvs集群后，看到lvs-dr集群能够实现vip与dip/rip不在同一网段的模式部署，为了加深对lvs的理解，因此尝试设计实现了一下。在设计配置前，我在网上找了很很多资料，也尝试过按照相应的资料来部署验证，但是最终结果还是无法验证成功。后来我参考网络上的资料，按照自己的思路调整了下拓扑，就成功把结果验证出来了。
附上参考链接：https://blog.csdn.net/brad_chen/article/details/47807505
https://www.cnblogs.com/AloneSword/p/3935462.html

未验证拓扑图a

修改后验证成功的拓扑图b

工作原理

在修改后的拓扑中，lvs-dr的数据流向大致为如下：客户端请求VIP，router会将请求转发给director。为了保证第一个接受请求报文的是director，需要在Real Server上修改Arp响应的机制，确保网络中只有director会响应VIP的arp请求。随后当director检查请求报文，发现其请求的是一组集群服务的时候，其会根据ipvsadm设置的调度算法将请求转发给Real Server。此过程中，director不会更改数据报文中的IP地址信息，仅仅修改报文中的源目mac信息。当请求报文根据director修改的源目mac信息到达Real Server后，Real Server会对请求报文进行响应。此时Real Server 发送源地址为VIP，目标地址为client Ip，源mac为Real Server 的mac地址，目标地址为client或网关的mac地址的响应报文。最后路由器将接受到的响应报文转发给client终端，完成通信。

实际上中，在发起请求报文之前，还需要进行三次握手的协商，如下面抓包的前三条记录，到了第四条记录才是真正的数据传输。

[root@client ~]# tcpdump -i eno16777736 -nn -e port 80
13:22:28.360656 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49672 > 172.16.0.8.80: Flags [S], seq 448411585, win 29200, options [mss 1460,sackOK,TS val 22310691 ecr 0,nop,wscale 7], length 0
13:22:28.364284 00:0c:29:21:59:d7 > 00:0c:29:6d:1a:7d, ethertype IPv4 (0x0800), length 74: 172.16.0.8.80 > 188.88.88.10.49672: Flags [S.], seq 3569473399, ack 448411586, win 28960, options [mss 1460,sackOK,TS val 13371774 ecr 22310691,nop,wscale 7], length 0
13:22:28.364346 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 66: 188.88.88.10.49672 > 172.16.0.8.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 22310696 ecr 13371774], length 0
13:22:28.365675 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 140: 188.88.88.10.49672 > 172.16.0.8.80: Flags [P.], seq 1:75, ack 1, win 229, options [nop,nop,TS val 22310697 ecr 13371774], length 74
13:22:28.367973 00:0c:29:21:59:d7 > 00:0c:29:6d:1a:7d, ethertype IPv4 (0x0800), length 66: 172.16.0.8.80 > 188.88.88.10.49672: Flags [.], ack 75, win 227, options [nop,nop,TS val 13371778 ecr 22310697], length 0
13:22:28.369291 00:0c:29:21:59:d7 > 00:0c:29:6d:1a:7d, ethertype IPv4 (0x0800), length 340: 172.16.0.8.80 > 188.88.88.10.49672: Flags [P.], seq 1:275, ack 75, win 227, options [nop,nop,TS val 13371780 ecr 22310697], length 274
13:22:28.369309 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 66: 188.88.88.10.49672 > 172.16.0.8.80: Flags [.], ack 275, win 237, options [nop,nop,TS val 22310701 ecr 13371780], length 0
13:22:28.369757 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 66: 188.88.88.10.49672 > 172.16.0.8.80: Flags [F.], seq 75, ack 275, win 237, options [nop,nop,TS val 22310701 ecr 13371780], length 0
13:22:28.371169 00:0c:29:21:59:d7 > 00:0c:29:6d:1a:7d, ethertype IPv4 (0x0800), length 66: 172.16.0.8.80 > 188.88.88.10.49672: Flags [F.], seq 275, ack 76, win 227, options [nop,nop,TS val 13371782 ecr 22310701], length 0
13:22:28.371185 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 66: 188.88.88.10.49672 > 172.16.0.8.80: Flags [.], ack 276, win 237, options [nop,nop,TS val 22310703 ecr 13371782], length 0

而在拓扑图a中，我在client抓包中发现，客户端并没有跟请求的server 三次握手协商成功，如下所示：

[root@client ~]# tcpdump -i eno16777736 -nn -e port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
13:32:32.392266 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22914724 ecr 0,nop,wscale 7], length 0
13:32:34.396238 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22916728 ecr 0,nop,wscale 7], length 0
13:32:38.404080 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22920736 ecr 0,nop,wscale 7], length 0
13:32:46.420052 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22928752 ecr 0,nop,wscale 7], length 0
13:33:02.436673 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22944768 ecr 0,nop,wscale 7], length 0
13:33:34.500116 00:0c:29:6d:1a:7d > 00:0c:29:21:59:d7, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22976832 ecr 0,nop,wscale 7], length 0

但是我在router的Eth1上却抓包了相应的ACK报文：

[root@router ~]# tcpdump -i eno33554984 -nn -e host 172.16.0.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno33554984, link-type EN10MB (Ethernet), capture size 262144 bytes
03:09:59.317554 00:0c:29:21:59:cd > 00:0c:29:26:a3:20, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22913721 ecr 0,nop,wscale 7], length 0
03:09:59.318328 00:0c:29:26:a3:20 > 00:0c:29:a9:56:bd, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22913721 ecr 0,nop,wscale 7], length 0
03:09:59.318746 00:0c:29:a9:56:bd > 00:0c:29:21:59:c3, ethertype IPv4 (0x0800), length 74: 172.16.0.8.80 > 188.88.88.10.49675: Flags [S.], seq 3017446266, ack 1074120057, win 28960, options [mss 1460,sackOK,TS val 14025057 ecr 22913721,nop,wscale 7], length 0
03:10:00.319527 00:0c:29:21:59:cd > 00:0c:29:26:a3:20, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22914724 ecr 0,nop,wscale 7], length 0
03:10:00.319786 00:0c:29:26:a3:20 > 00:0c:29:a9:56:bd, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22914724 ecr 0,nop,wscale 7], length 0
03:10:00.319789 00:0c:29:a9:56:bd > 00:0c:29:21:59:c3, ethertype IPv4 (0x0800), length 74: 172.16.0.8.80 > 188.88.88.10.49675: Flags [S.], seq 3017446266, ack 1074120057, win 28960, options [mss 1460,sackOK,TS val 14026142 ecr 22913721,nop,wscale 7], length 0
03:10:01.583522 00:0c:29:a9:56:bd > 00:0c:29:21:59:c3, ethertype IPv4 (0x0800), length 74: 172.16.0.8.80 > 188.88.88.10.49675: Flags [S.], seq 3017446266, ack 1074120057, win 28960, options [mss 1460,sackOK,TS val 14027511 ecr 22913721,nop,wscale 7], length 0
03:10:02.323965 00:0c:29:21:59:cd > 00:0c:29:26:a3:20, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22916728 ecr 0,nop,wscale 7], length 0
03:10:02.323979 00:0c:29:26:a3:20 > 00:0c:29:a9:56:bd, ethertype IPv4 (0x0800), length 74: 188.88.88.10.49675 > 172.16.0.8.80: Flags [S], seq 1074120056, win 29200, options [mss 1460,sackOK,TS val 22916728 ecr 0,nop,wscale 7], length 0
03:10:02.323982 00:0c:29:a9:56:bd > 00:0c:29:21:59:c3, ethertype IPv4 (0x0800), length 74: 172.16.0.8.80 > 188.88.88.10.49675: Flags [S.], seq 3017446266, ack 1074120057, win 28960, options [mss 1460,sackOK,TS val 14028313 ecr 22913721,nop,wscale 7], length 0

也就是说拓扑a中，client到VIP的三次请求都没完成，因此我在拓扑a中抓包也看不到任何的关于http或者数据传输的信息。至于为什么ack都回到了router却没有转发到client，这也是我一直百思不得其解的。如果这现象有朋友有想法或者我的做法有误的话，还望各位提点。

设计配置

设计拓扑

此拓扑中我使用了五个虚拟机分别为Router、client、RS1、RS2和Director。Router划分三个子网，分别是外网192.167.0.0/24、测试网络188.88.88.0/24、内网10.10.10.0/24，其余Ip信息跟拓扑图中一致。

1、配置Router

首先为Router 的虚拟机添加三个虚拟网卡，其中Eth0为桥接到本地网络作为外网，其余两个虚拟网卡分别桥接到188.88.88.0/24和10.10.10.0/24的主机网络中。
使用nmtui命令工具配置接口IP和网关：

[root@router ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.81  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:fe21:59b9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:21:59:b9  txqueuelen 1000  (Ethernet)
        RX packets 16269  bytes 18572778 (17.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6041  bytes 747550 (730.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.254  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::20c:29ff:fe21:59c3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:21:59:c3  txqueuelen 1000  (Ethernet)
        RX packets 3143  bytes 270428 (264.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7899  bytes 14591038 (13.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eno50332208: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 188.88.88.254  netmask 255.255.255.0  broadcast 188.88.88.255
        inet6 fe80::20c:29ff:fe21:59cd  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:21:59:cd  txqueuelen 1000  (Ethernet)
        RX packets 61  bytes 6425 (6.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 118  bytes 9539 (9.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@router ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 eno16777736
10.10.10.0      0.0.0.0         255.255.255.0   U     100    0        0 eno33554984
188.88.88.0     0.0.0.0         255.255.255.0   U     100    0        0 eno50332208
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eno16777736

在于director直连的eno33554984接口下配置虚拟子接口，Ip为172.16.0.1作为vip网关：

#不配置此虚拟子接口的话，请求报文无法传递给director
[root@router ~]# ifconfig eno33554984:0 172.16.0.1/24 up

配置iptables启用snat：

[root@router ~]# iptables -F
#放开内网三个网段的上网流量
[root@router ~]# iptables -t nat -I POSTROUTING -s 188.88.88.0/24 -j SNAT --to-source 192.168.0.81
[root@router ~]# iptables -t nat -I POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source 192.168.0.81
[root@router ~]# iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 192.168.0.81

开启路由转发功能：

[root@router ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

2、配置director

安装ipvsadm：

[root@director ~]# yum install -y ipvsadm

配置接口：

[root@director ~]# ifconfig ens33 10.10.10.8 netmask 255.255.255.0 up

创建director配置脚本：

[root@director ~]# vim vs.sh
#!/bin/bash
#
vip='172.16.0.8'
iface='ens33:0'
mask='255.255.255.0'
port='80'
rs1='10.10.10.11'
rs2='10.10.10.12'
scheduler='wrr'
type='-g'
drgw='172.16.0.1'

case $1 in
start)
        ifconfig $iface $vip netmask $mask broadcast $vip up
        route add default gw $drgw
        iptables -F

        ipvsadm -A -t ${vip}:${port} -s $scheduler
        ipvsadm -a -t ${vip}:${port} -r ${rs1} $type -w 1
        ipvsadm -a -t ${vip}:${port} -r ${rs2} $type -w 1
        ;;
stop)
        ipvsadm -C
        ifconfig $iface down
        ;;
*)
        echo "Usage $(basename $0) start|stop"
        exit 1
        ;;
esac

执行脚本：

[root@director ~]# bash -x vs.sh  start
+ vip=172.16.0.8
+ iface=ens33:0
#为了能与172.16.0.1通信，需配置director的vip掩码为255.255.255.0
+ mask=255.255.255.0
+ port=80
+ rs1=10.10.10.11
+ rs2=10.10.10.12
+ scheduler=wrr
+ type=-g
+ drgw=172.16.0.1
+ case $1 in
+ ifconfig ens33:0 172.16.0.8 netmask 255.255.255.0 broadcast 172.16.0.8 up
+ route add default gw 172.16.0.1
+ iptables -F
+ ipvsadm -A -t 172.16.0.8:80 -s wrr
+ ipvsadm -a -t 172.16.0.8:80 -r 10.10.10.11 -g -w 1
+ ipvsadm -a -t 172.16.0.8:80 -r 10.10.10.12 -g -w 1

3、配置RS1和RS2

将RS1和RS2 接入到跟10.10.10.0/24 网卡上，使用nmtui命令工具配置其IP地址信息，网关指向10.10.10.254：

[root@rs1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.11  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::c559:fd98:3450:1449  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a9:56:bd  txqueuelen 1000  (Ethernet)
        RX packets 27199  bytes 34870271 (33.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6211  bytes 647161 (631.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@rs1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.254    0.0.0.0         UG    100    0        0 ens33
10.10.10.0      0.0.0.0         255.255.255.0   U     100    0        0 ens33

编辑生成下述脚本：

[root@rs1 ~]# vim rs1.sh
#!/bin/bash
#
vip=172.16.0.8
mask='255.255.255.255'

case $1 in
start)
        echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
        echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
        echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
        echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce

        ifconfig lo:0 $vip netmask $mask broadcast $vip up
        route add -host $vip dev lo:0
        ;;
stop)
        ifconfig lo:0 down

        echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
        echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
        echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
        echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce

        ;;
*)
        echo "Usage $(basename $0) start|stop"
        exit 1
        ;;
esac

执行脚本：

[root@rs1 ~]# bash -x rs1.sh 
+ vip=172.16.0.8
+ mask=255.255.255.255
+ case $1 in
++ basename rs1.sh
+ echo 'Usage rs1.sh start|stop'
Usage rs1.sh start|stop
+ exit 1
[root@rs1 ~]# bash -x rs1.sh  start
+ vip=172.16.0.8
+ mask=255.255.255.255
+ case $1 in
+ echo 1
+ echo 1
+ echo 2
+ echo 2
+ ifconfig lo:0 172.16.0.8 netmask 255.255.255.255 broadcast 172.16.0.8 up
+ route add -host 172.16.0.8 dev lo:0

安装httpd服务：

[root@rs1 ~]# yum install -y httpd

编辑index页面：

[root@rs1 ~]# vim /var/www/html/index.html
<h1>This RS1 10.10.10.11</h1>

启动httpd服务和关闭防火墙：

[root@rs1 ~]# systemctl start httpd
[root@rs1 ~]# systemctl stop firewalld

重复以上步骤配置RS2。

4、配置client

将client接入到188.88.88.0/24的网卡上。使用nmtui配置其IP地址：

[root@client ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 188.88.88.10  netmask 255.255.255.0  broadcast 188.88.88.255
        inet6 fe80::20c:29ff:fe6d:1a7d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6d:1a:7d  txqueuelen 1000  (Ethernet)
        RX packets 4567  bytes 467167 (456.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1581  bytes 158829 (155.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@client ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         188.88.88.254   0.0.0.0         UG    100    0        0 eno16777736
188.88.88.0     0.0.0.0         255.255.255.0   U     100    0        0 eno16777736

5、测试验证

从client访问虚拟服务172.16.0.8：

[root@client ~]# for i in {1..10};do curl http://172.16.0.8 ;done
<h1>This RS2 10.10.10.12</h1>
<h1>This RS1 10.10.10.11</h1>
<h1>This RS2 10.10.10.12</h1>
<h1>This RS1 10.10.10.11</h1>
<h1>This RS2 10.10.10.12</h1>
<h1>This RS1 10.10.10.11</h1>
<h1>This RS2 10.10.10.12</h1>
<h1>This RS1 10.10.10.11</h1>
<h1>This RS2 10.10.10.12</h1>
<h1>This RS1 10.10.10.11</h1>

另外如果需要模拟映射到外网的场景，可在Router上做DNAT映射，然后访问192.168.0.81来实现访问lvs虚拟服务。如：
在Router上添加DNAT：

[root@router ~]# iptables -t nat -I PREROUTING -d 192.168.0.81 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.8:80

模拟外网访问

lvs-dr集群之vip与dip/rip不在同一网段的实验环境设

前言

工作原理

设计配置

1、配置Router

2、配置director

3、配置RS1和RS2

4、配置client

5、测试验证

相关文章

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读