Understanding Keepalived + LVS in depth
Keepalived part:
Communication between master and backup (the VRRP protocol)
master : 172.25.88.1
backup : 172.25.88.2
1. Capture VRRP packets on the master
[root@server1 ~]# /etc/init.d/keepalived start
Starting keepalived: [ OK ]
[root@server1 ~]# tcpdump vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:07:23.710761 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:24.711710 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:25.712926 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:26.713916 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:27.714890 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
The master is sending advertisements to 224.0.0.18, which is the VRRP multicast group (multicast, not broadcast). The priority carried in the packets is 102, so this is our master. Note that every host on the segment can capture these packets; with -v tcpdump also decodes the addresses and the authentication field, and with authtype simple the password is carried in cleartext.
2. Capture VRRP packets on the backup
[root@server2 ~]# /etc/init.d/keepalived start
Starting keepalived: [ OK ]
[root@server2 ~]# tcpdump vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:07:38.022848 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:39.023899 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:40.024861 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:41.025770 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
15:07:42.026831 IP 172.25.88.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 102, authtype simple, intvl 1s, length 20
This shows that while the master is working, the backup sends no VRRP packets at all; it only receives the master's advertisements and uses each one to restart its master-down timer (VRRP has no reply message).
3. Stop keepalived on the master
[root@server1 ~]# /etc/init.d/keepalived stop
Stopping keepalived: [ OK ]
Capture again
[root@server1 ~]# tcpdump vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:22:43.293115 IP 172.25.88.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 52, authtype simple, intvl 1s, length 20
15:22:44.293714 IP 172.25.88.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 52, authtype simple, intvl 1s, length 20
15:22:45.294471 IP 172.25.88.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 188, prio 52, authtype simple, intvl 1s, length 20
The priority 52 shows that it is now the backup that is multicasting VRRP advertisements.
Summary: the master sends advertisements and keeps the role as long as it hears none from a higher-priority router; the backup only listens, and starts sending only once the master's advertisements stop.
Other keepalived instances on the segment still receive the multicast, but an advertisement is only acted on when its virtual_router_id matches the local configuration (and the authentication check passes); everything else is discarded.
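To make the fields in the tcpdump lines concrete, here is an added example (not code from the original post or from keepalived) that builds and decodes a VRRPv2 advertisement following the RFC 3768 layout. vrid 188, priority 102 and the 1 s interval mirror the captures above; the VIP 172.25.88.100 and the password "1111" are assumptions for this example. Only the VRRP payload is built, not the surrounding IP header (protocol 112, destination 224.0.0.18, TTL 255).

```python
"""Build and decode a VRRPv2 advertisement like the ones in the captures above.

Added example, not code from the original post or from keepalived. The layout
follows RFC 3768 section 5; vrid 188, priority 102 and the 1 s interval mirror
the tcpdump output, while the VIP 172.25.88.100 and the password b"1111" are
assumptions made for this example.
"""
import socket
import struct

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NAMES = {0: "none", 1: "simple", 2: "ah"}   # the names tcpdump prints


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, advert_int=1, password=b""):
    """Return the VRRPv2 payload: 8-byte header, 4 bytes per VIP, 8 bytes of auth data."""
    auth_type = 1 if password else 0
    vers_type = (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT
    header = struct.pack("!BBBBBBH", vers_type, vrid, priority, len(vips),
                         auth_type, advert_int, 0)      # checksum is filled in below
    body = b"".join(socket.inet_aton(v) for v in vips)
    auth = password[:8].ljust(8, b"\x00")               # "simple" auth: cleartext password
    pkt = header + body + auth
    return pkt[:6] + struct.pack("!H", internet_checksum(pkt)) + pkt[8:]


def parse_advertisement(pkt):
    """Decode a VRRPv2 payload, rejecting wrong versions, types and checksums."""
    vers_type, vrid, priority, count, auth_type, advert_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if (vers_type >> 4) != VRRP_VERSION or (vers_type & 0x0F) != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if internet_checksum(pkt) != 0:      # a valid message sums to zero with its checksum included
        raise ValueError("bad checksum")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    auth = pkt[8 + 4 * count:16 + 4 * count]
    return {"vrid": vrid, "priority": priority, "vips": vips,
            "auth_type": AUTH_NAMES.get(auth_type, str(auth_type)),
            "advert_int": advert_int, "auth_data": auth.rstrip(b"\x00")}


def tcpdump_summary(pkt):
    """Render the one-line summary tcpdump prints for such a packet."""
    a = parse_advertisement(pkt)
    return ("VRRPv2, Advertisement, vrid %d, prio %d, authtype %s, intvl %ds, length %d"
            % (a["vrid"], a["priority"], a["auth_type"], a["advert_int"], len(pkt)))


if __name__ == "__main__":
    pkt = build_advertisement(188, 102, ["172.25.88.100"], password=b"1111")
    print(tcpdump_summary(pkt))
    print("auth data readable on the wire:", parse_advertisement(pkt)["auth_data"])
```

The 20-byte length in the captures is exactly 8 bytes of header, one 4-byte VIP and 8 bytes of authentication data. The checksum only protects against corruption: anyone on the segment who can read the cleartext password can rebuild a valid advertisement with a higher priority, which is why "authtype simple" should not be relied on as access control.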
About takeover
Once the BACKUP has gone for Master_Down_Interval (3 × advert_int plus a small priority-dependent skew) without receiving the MASTER's advertisements, it starts sending its own multicast advertisements announcing itself as master, then brings up the VIP (and sends gratuitous ARP so the neighbours learn the new owner). At that point it has formally taken over.
Who becomes master
1. When both nodes are configured with state MASTER, the one with the higher priority becomes master.
2. When both are state MASTER with the same priority, RFC 3768 breaks the tie in favour of the higher primary IP address, so as long as the two nodes see each other's advertisements only one of them stays master. If they do not see each other (mismatched virtual_router_id or authentication, or multicast blocked between them), each believes it is the master, both configure the VIP and you get an address conflict.
Special notes
1. Preventing fail-back (the backup keeps the VIP)
vim /etc/keepalived/keepalived.conf
nopreempt        non-preemptive mode (written as one word)
priority 150     and the priority must be higher than the master's; my master's priority is 100
nopreempt only takes effect when the initial state of that vrrp_instance is BACKUP, so the node carrying it must be configured with state BACKUP rather than MASTER.
2. Master and backup must use the same virtual_router_id; otherwise each ignores the other's advertisements, both become master and both send multicast advertisements.
virtual_router_id 188
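The takeover timing, the election rules and the two special notes above all come out of the same small state machine, so here is one added example (not code from the original post or from keepalived) that models it. The timers (Skew_Time = (256 - priority) / 256, Master_Down_Interval = 3 * advert_int + Skew_Time) and the priority / IP-address tie-break follow RFC 3768; the hosts 172.25.88.1 and 172.25.88.2 and the priorities come from the page, while the timestamps and the second virtual_router_id 189 are assumed for the scenarios.

```python
"""Simulate VRRP election, takeover, nopreempt and the virtual_router_id check.

Added example, not code from the original post or from keepalived. Timer
arithmetic and tie-break follow RFC 3768; timestamps and vrid 189 are assumed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Advertisement:
    vrid: int
    priority: int
    src_ip: str


@dataclass
class VrrpNode:
    ip: str
    vrid: int
    priority: int
    advert_int: float = 1.0
    preempt: bool = True          # False models keepalived's nopreempt
    state: str = "BACKUP"
    last_heard: float = 0.0       # when an acceptable master advertisement was last seen

    def master_down_interval(self) -> float:
        return 3 * self.advert_int + (256 - self.priority) / 256

    def start(self, now: float, state: str = "BACKUP"):
        self.state, self.last_heard = state, now

    def advertise(self):
        """Only a MASTER sends advertisements; a BACKUP is silent."""
        return Advertisement(self.vrid, self.priority, self.ip) if self.state == "MASTER" else None

    def receive(self, adv, now: float) -> str:
        if adv is None or adv.vrid != self.vrid:
            return "ignored"                      # wrong virtual_router_id: not our group
        if self.state == "BACKUP":
            if adv.priority >= self.priority or not self.preempt:
                self.last_heard = now             # master alive: restart Master_Down_Timer
                return "backup: timer reset"
            return "backup: lower-priority master discarded"     # timer keeps running
        higher = adv.priority > self.priority or (
            adv.priority == self.priority
            and ipaddress.IPv4Address(adv.src_ip) > ipaddress.IPv4Address(self.ip))
        if higher:                                # yield to a better master, release the VIP
            self.state, self.last_heard = "BACKUP", now
            return "master -> backup"
        return "master: lower-priority advertisement discarded"

    def tick(self, now: float) -> bool:
        """Master_Down_Timer expiry: a silent master is gone, the BACKUP takes the VIP."""
        if self.state == "BACKUP" and now - self.last_heard > self.master_down_interval():
            self.state = "MASTER"
            return True
        return False


def takeover():
    """Master silent after t=3; the prio 52 backup waits 3 + 204/256 = 3.80 s."""
    m, b = VrrpNode("172.25.88.1", 188, 102), VrrpNode("172.25.88.2", 188, 52)
    m.start(0, "MASTER"); b.start(0)
    for t in (1, 2, 3):
        b.receive(m.advertise(), t)
    return b.tick(6.0), b.tick(7.0)


def equal_priority():
    """Two state MASTER nodes with equal priority: the higher primary IP keeps the role."""
    a, b = VrrpNode("172.25.88.1", 188, 100), VrrpNode("172.25.88.2", 188, 100)
    a.start(0, "MASTER"); b.start(0, "MASTER")
    adv_a, adv_b = a.advertise(), b.advertise()
    a.receive(adv_b, 1); b.receive(adv_a, 1)
    return a.state, b.state


def vrid_mismatch():
    """Different virtual_router_id: neither accepts the other, both end up MASTER."""
    a, b = VrrpNode("172.25.88.1", 188, 102), VrrpNode("172.25.88.2", 189, 52)
    a.start(0, "MASTER"); b.start(0)
    for t in range(1, 6):
        b.receive(a.advertise(), t); b.tick(t)
    return a.state, b.state


def nopreempt():
    """nopreempt + state BACKUP on the prio 150 node: no fail-back when prio 100 returns."""
    m, b = VrrpNode("172.25.88.1", 188, 100), VrrpNode("172.25.88.2", 188, 150, preempt=False)
    m.start(0, "MASTER"); b.start(0)
    b.receive(m.advertise(), 1)
    while_master_alive = b.state              # stays BACKUP despite the higher priority
    b.tick(6.0)                               # master silent since t=1: backup takes over
    m.start(7, "MASTER")                      # old master comes back announcing itself
    adv_m, adv_b = m.advertise(), b.advertise()
    m.receive(adv_b, 7); b.receive(adv_m, 7)
    return while_master_alive, b.state, m.state


if __name__ == "__main__":
    print(takeover(), equal_priority(), vrid_mismatch(), nopreempt())
```

The vrid_mismatch scenario is the split brain the second special note warns about: both nodes end in MASTER and both would configure the VIP. The nopreempt scenario is the author's fail-back setup: the prio 150 node never displaces the live prio 100 master, and once it has taken over the returning master, hearing a higher priority, drops back to BACKUP.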
LVS part
Why LVS
Drawbacks of the traditional approach, DNS load balancing:
1. The only scheduling it can do is round-robin (weighted at best, by repeating records); it knows nothing about server load or health.
2. Attack resistance is weak: whichever server an attack lands on has to absorb it on its own.
3. If a server goes down, operations can only remove its IP from DNS, but local DNS resolvers hold large caches, so when that removal actually takes effect is not under your control.
How it works
We all know that netfilter, with the iptables modules loaded, is what implements the firewall.
LVS works the same way: it is the ipvs module hooking into netfilter.
LVS has two parts, ipvs (in the kernel) and ipvsadm (in user space):
the administrator writes the rules with ipvsadm, and the kernel-side ipvs enforces them at the netfilter hooks.
ipvs hooks the INPUT path (its hook functions sit on the LOCAL_IN chain). When it sees a packet destined for a defined cluster service, instead of delivering it locally it rewrites the packet and hands it to the output path, so it leaves through the POSTROUTING chain towards the RS (real server) without passing through the ordinary FORWARD chain.
Types
1. NAT (address translation)
Definition: multi-target DNAT (destination address translation)
cip -> vip -> rip -> vip -> cip
Both the inbound request and the outbound reply have to pass through the director (the RS use the director as their gateway), so the director is the bottleneck; in practice NAT mode only balances around 10 RS.
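The cip -> vip -> rip -> vip -> cip path is easiest to see with a connection table in front of you, so here is an added example (not code from the original post or from ipvs) that models a NAT-mode director with a simplified weighted round-robin scheduler. Addresses, ports and weights are assumptions for this example, not the page's rules, and packets are plain dicts with (ip, port) "src" and "dst" fields.

```python
"""Model an LVS-NAT director: DNAT on the way in, SNAT back to the VIP on the way out.

Added example, not code from the original post or from ipvs. Addresses, ports
and weights are assumed; the scheduler is a plain weighted round-robin (each
RS appears weight times in the rotation), simpler than the kernel's wrr.
"""


class NatDirector:
    def __init__(self, vip, real_servers):
        """vip: (ip, port); real_servers: {(rip, rport): weight}."""
        self.vip = vip
        self.rotation = [rs for rs, w in real_servers.items() for _ in range(w)]
        self.next_idx = 0
        self.conn = {}                # (cip, cport) -> (rip, rport): the connection table

    def schedule(self):
        rs = self.rotation[self.next_idx % len(self.rotation)]
        self.next_idx += 1
        return rs

    def inbound(self, pkt):
        """Client -> VIP on the INPUT path: DNAT to a real server, remembering the mapping."""
        if pkt["dst"] != self.vip:
            return None                               # not a cluster service: normal local delivery
        if pkt["src"] not in self.conn:               # new connection: pick an RS once
            self.conn[pkt["src"]] = self.schedule()
        return {"src": pkt["src"], "dst": self.conn[pkt["src"]]}   # vip -> rip

    def outbound(self, pkt):
        """RS -> client reply routed back via the director: SNAT rip -> vip.

        If the RS default gateway is not the director this step never happens and
        the client gets a reply from an address it never talked to."""
        if self.conn.get(pkt["dst"]) != pkt["src"]:
            return None                               # no matching connection entry: dropped
        return {"src": self.vip, "dst": pkt["dst"]}   # rip -> vip


def demo():
    """Three clients over a 2:1 weighted pair of real servers, then the reply path."""
    vip = ("172.25.88.100", 80)                       # assumed VIP
    rs1, rs2 = ("192.168.0.11", 80), ("192.168.0.12", 80)   # assumed RS on a private net
    d = NatDirector(vip, {rs1: 2, rs2: 1})
    clients = [("10.0.0.%d" % i, 40000 + i) for i in range(1, 4)]   # constructed clients
    chosen = [d.inbound({"src": c, "dst": vip})["dst"] for c in clients]
    reply = d.outbound({"src": chosen[0], "dst": clients[0]})     # legitimate reply
    stray = d.outbound({"src": rs2, "dst": clients[0]})           # client 1 never went to rs2
    return chosen, reply, stray


if __name__ == "__main__":
    print(demo())
```

Because the reverse translation depends on the director's connection table, every reply must come back through the director; that is the reason both directions load the director and why NAT mode scales to only a handful of real servers.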
rule: