

第十五周学习作业

IT程序员 2022-03-26 阅读 83

1、实现基于MYSQL验证的vsftpd虚拟用户访问

第十五周学习作业_服务器

1.1数据库安装并新建vsftpd虚拟账户

##注意:MySQL 8.0 已取消 PASSWORD() 函数,不再支持,因此选择 MariaDB
[root@CentOS84 ~]# yum install mariadb-server
[root@CentOS84 ~]# systemctl start mariadb.service
[root@CentOS84 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.28-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.000 sec)
MariaDB [vsftpd]> create table users(id INT AUTO_INCREMENT NOT NULL PRIMARY KEY,name CHAR(50) BINARY NOT NULL,password CHAR(48) BINARY NOT NULL);
Query OK, 0 rows affected (0.004 sec)
MariaDB [(none)]> use vsftpd

MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+----------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | char(50) | NO | | NULL | |
| password | char(48) | NO | | NULL | |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.001 sec)

MariaDB [vsftpd]> insert into users(name,password) values('user01',password('123456'));
Query OK, 1 row affected (0.002 sec)

MariaDB [vsftpd]> insert into users(name,password) values('user02',password('123456'));
Query OK, 1 row affected (0.001 sec)
MariaDB [vsftpd]> select * from users;
+----+------------+-------------------------------------------+
| id | name | password |
+----+------------+-------------------------------------------+
| 1 | user01 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| 2 | user02 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+----+------------+-------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@'10.10.10.%' identified by '123456';
Query OK, 0 rows affected (0.003 sec)

MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

1.2 vsftp服务器安装配置

[root@centos79 ~]# yum -y install vsftpd gcc gcc-c++ make mariadb-devel pam-devel
[root@centos79 ~]# wget https://jaist.dl.sourceforge.net/project/pam-mysql/pam-mysql/0.7RC1/pam_mysql-0.7RC1.tar.gz
[root@centos79 ~]# tar xf pam_mysql-0.7RC1.tar.gz
[root@centos79 ~]# cd pam_mysql-0.7RC1/
[root@centos79 pam_mysql-0.7RC1]# ./configure --with-pam-mods-dir=/lib64/security
[root@centos79 pam_mysql-0.7RC1]# make install
[root@centos79 pam_mysql-0.7RC1]# ls -l /lib64/security/pam_mysql*
-rwxr-xr-x. 1 root root 882 Mar 21 23:55 /lib64/security/pam_mysql.la
-rwxr-xr-x. 1 root root 141712 Mar 21 23:55 /lib64/security/pam_mysql.so

[root@centos79 pam_mysql-0.7RC1]# cat > /etc/pam.d/vsftpd.mysql << EOF
auth required pam_mysql.so user=vsftpd passwd=123456 host=10.10.10.10 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=123456 host=10.10.10.10 db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
EOF
[root@centos79 pam_mysql-0.7RC1]# useradd -s /sbin/nologin -d /data/ftproot -r vuser
[root@centos79 pam_mysql-0.7RC1]# mkdir -pv /data/ftproot/upload
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/ftproot’
mkdir: created directory ‘/data/ftproot/upload’
[root@centos79 pam_mysql-0.7RC1]# setfacl -m u:vuser:rwx /data/ftproot/upload

[root@centos79 pam_mysql-0.7RC1]# tail -10 /etc/vsftpd/vsftpd.conf
# Make sure, that one of the listen options is commented !!
listen_ipv6=YES

pam_service_name=vsftpd.mysql ##修改
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES ##新增
guest_username=vuser ##新增
user_config_dir=/etc/vsftpd/conf.d/ ##新增

[root@centos79 pam_mysql-0.7RC1]# mkdir /etc/vsftpd/conf.d/
[root@centos79 pam_mysql-0.7RC1]# cat /etc/vsftpd/conf.d/user01
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

local_root=/data/ftproot/user01

[root@centos79 data]# tree
.
└── ftproot
├── upload
└── user01
└── user01.txt

3 directories, 1 file

[root@centos79 pam_mysql-0.7RC1]# systemctl restart vsftpd

1.3 测试验证

[root@centos79 pam_mysql-0.7RC1]# ftp 10.10.10.14
Connected to 10.10.10.14 (10.10.10.14).
220 (vsFTPd 3.0.2)
Name (10.10.10.14:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,10,14,27,234).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Mar 22 15:00 user01.txt
226 Directory send OK.

[root@centos79 pam_mysql-0.7RC1]# ftp 10.10.10.14
Connected to 10.10.10.14 (10.10.10.14).
220 (vsFTPd 3.0.2)
Name (10.10.10.14:root): user02
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,10,14,174,123).
150 Here comes the directory listing.
drwxrwxr-x 2 0 0 6 Mar 22 14:45 upload
drwxr-xr-x 2 0 0 24 Mar 22 15:00 user01
226 Directory send OK.

2、配置samba共享,实现/www目录共享

2.1 安装samba包及相关配置

#安装samba包
[root@CentOS84 ~]# yum install samba -y
#新建账户
[root@CentOS84 ~]# groupadd -r smbadmins
[root@CentOS84 ~]# useradd -s /sbin/nologin -G smbadmins user01
[root@CentOS84 ~]# useradd -s /sbin/nologin user02
[root@CentOS84 ~]# id user01 && id user02
uid=1000(user01) gid=1000(user01) groups=1000(user01),990(smbadmins)
uid=1001(user02) gid=1001(user02) groups=1001(user02)
[root@CentOS84 ~]# smbpasswd -a user01
New SMB password:
Retype new SMB password:
Added user user01.
[root@CentOS84 ~]# smbpasswd -a user02
New SMB password:
Retype new SMB password:
Added user user02.
[root@CentOS84 ~]#
[root@CentOS84 ~]# pdbedit -L
user01:1000:
user02:1001:
[root@CentOS84 ~]# pdbedit -L -v
---------------
Unix username: user01
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3350075616-399153355-3649817978-1000
Primary Group SID: S-1-5-21-3350075616-399153355-3649817978-513
Full Name:
Home Directory: \\CENTOS84\user01
HomeDir Drive:
Logon Script:
Profile Path: \\CENTOS84\user01\profile
Domain: CENTOS84
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Tue, 22 Mar 2022 06:38:19 EDT
Password can change: Tue, 22 Mar 2022 06:38:19 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: user02
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3350075616-399153355-3649817978-1001
Primary Group SID: S-1-5-21-3350075616-399153355-3649817978-513
Full Name:
Home Directory: \\CENTOS84\user02
HomeDir Drive:
Logon Script:
Profile Path: \\CENTOS84\user02\profile
Domain: CENTOS84
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Tue, 22 Mar 2022 06:38:27 EDT
Password can change: Tue, 22 Mar 2022 06:38:27 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#创建www目录,配置smb.conf文件
[root@CentOS84 ~]# mkdir /data/www -pv
mkdir: created directory '/data'
mkdir: created directory '/data/www'
[root@CentOS84 ~]# chgrp smbadmins /data/www
[root@CentOS84 ~]# chmod 2775 /data/www
[root@CentOS84 ~]#
[root@CentOS84 ~]# vim /etc/samba/smb.conf
##最后新增
[www]
path = /data/www
write list = @smbadmins

2.2 验证测试

[root@centos79 ~]# yum install cifs-utils -y
[root@centos79 ~]# mkdir /data/user{1..2} -pv
mkdir: created directory ‘/data/user1’
mkdir: created directory ‘/data/user2’
[root@centos79 ~]# mount -o username=user01 //10.10.10.10/www /data/user1
Password for user01@//10.10.10.10/www: ******
[root@centos79 ~]# echo "hello smb" > /data/user1/user1.txt
[root@centos79 ~]# ls -l /data/user1/user1.txt
-rwxr-xr-x. 1 root root 10 Mar 22 18:45 /data/user1/user1.txt
[root@centos79 ~]# mount -o username=user02 //10.10.10.10/www /data/user2
Password for user02@//10.10.10.10/www: ******
[root@centos79 ~]# echo "hello smb" > /data/user2/user02.txt
-bash: /data/user2/user02.txt: Permission denied

2.3 fstab挂载

[root@centos79 ~]# vim /etc/samba/smb.txt
[root@centos79 ~]# vim /etc/fstab

#
# /etc/fstab
# Created by anaconda on Mon Dec 20 17:49:21 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=1aaa0a2e-4045-4a1f-9a2c-0caf4002216e /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
//10.10.10.10/www /data/user1 cifs username=user01,password=123456,_netdev 0 0
//10.10.10.10/www /data/user2 cifs credentials=/etc/samba/smb.txt,_netdev 0 0

[root@centos79 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 919612 0 919612 0% /dev
tmpfs 931508 0 931508 0% /dev/shm
tmpfs 931508 9816 921692 2% /run
tmpfs 931508 0 931508 0% /sys/fs/cgroup
/dev/mapper/centos-root 17811456 2071860 15739596 12% /
/dev/sda1 1038336 193472 844864 19% /boot
tmpfs 186304 0 186304 0% /run/user/0
[root@centos79 ~]# mount -a
[root@centos79 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 919612 0 919612 0% /dev
tmpfs 931508 0 931508 0% /dev/shm
tmpfs 931508 9816 921692 2% /run
tmpfs 931508 0 931508 0% /sys/fs/cgroup
/dev/mapper/centos-root 17811456 2071860 15739596 12% /
/dev/sda1 1038336 193472 844864 19% /boot
tmpfs 186304 0 186304 0% /run/user/0
//10.10.10.10/www 17811456 1802124 16009332 11% /data/user1
//10.10.10.10/www 17811456 1802124 16009332 11% /data/user2

3、使用rsync+inotify实现/www目录实时同步

第十五周学习作业_服务器_02

3.1 Data Server安装inotify-tools

#查看内核是否支持inotify
[root@data ~]# grep -i inotify /boot/config-4.18.0-305.3.1.el8.x86_64
CONFIG_INOTIFY_USER=y
[root@data ~]# ls -l /proc/sys/fs/inotify/
total 0
-rw-r--r--. 1 root root 0 Mar 23 10:01 max_queued_events
-rw-r--r--. 1 root root 0 Mar 23 10:01 max_user_instances
-rw-r--r--. 1 root root 0 Mar 23 10:01 max_user_watches
[root@data ~]# cat /proc/sys/fs/inotify/max_queued_events
16384
[root@data ~]# cat /proc/sys/fs/inotify/max_user_instances
128
[root@data ~]# cat /proc/sys/fs/inotify/max_user_watches
8192
#inotify内核参数说明:
#max_queued_events:inotify 事件队列最大长度,如值太小会出现 Event Queue Overflow 错误,默认值:16384, 生产环境建议调大,比如:327679
#max_user_instances:每个用户创建inotify实例最大值,默认值:128
#max_user_watches:可以监视的文件的总数量(inotifywait 单进程),默认值:8192,建议调大

#安装inotify-tools
[root@data ~]# yum install inotify-tools
[root@data ~]# rpm -ql inotify-tools
/usr/bin/inotifywait
/usr/bin/inotifywatch
/usr/lib/.build-id
/usr/lib/.build-id/4c
/usr/lib/.build-id/4c/50cc665007b18f08fb28fd1664b4363e77c6bf
/usr/lib/.build-id/76
/usr/lib/.build-id/76/f0034d7ea71f1d0011c7f0a9ba5c45c11f592b
/usr/lib/.build-id/cf
/usr/lib/.build-id/cf/b094946e4a3255959143feecd88504a6687c24
/usr/lib64/libinotifytools.so.0
/usr/lib64/libinotifytools.so.0.4.1
/usr/share/doc/inotify-tools
/usr/share/doc/inotify-tools/AUTHORS
/usr/share/doc/inotify-tools/COPYING
/usr/share/doc/inotify-tools/ChangeLog
/usr/share/doc/inotify-tools/NEWS
/usr/share/doc/inotify-tools/README
/usr/share/man/man1/inotifywait.1.gz
/usr/share/man/man1/inotifywatch.1.gz
#inotify-tools包主要工具:
#inotifywait: 在被监控的文件或目录上等待特定文件系统事件(open ,close,delete等)发生, 常用于实时同步的目录监控
#inotifywatch:收集被监控的文件系统使用的统计数据,指文件系统事件发生的次数统计
#创建备份目录
[root@data ~]# mkdir /data/www -pv

3.2 备份服务器安装rsync,并配置rsync

#安装rsync
[root@bak ~]# yum install rsync-daemon -y
[root@bak ~]# rpm -ql rsync-daemon
/etc/rsyncd.conf
/etc/sysconfig/rsyncd
/usr/lib/systemd/system/rsyncd.service
/usr/lib/systemd/system/rsyncd.socket
/usr/lib/systemd/system/rsyncd@.service
/usr/share/man/man5/rsyncd.conf.5.gz
#配置文件
[root@bak ~]# vim /etc/rsyncd.conf
#指定以哪个用户来访问共享目录,将之指定为生成的文件所有者,默认为nobody
uid = root
gid = root
#port = 874 可指定非标准端口,默认873/tcp
# use chroot = yes
# max connections = 4
pid file = /var/run/rsyncd.pid
exclude = lost+found/
log file = /var/log/rsyncd.log
lock file = /var/run/rsyncd.lock
reverse lookup = no
# host allow = 10.10.10.0/24
# transfer logging = yes
# timeout = 900
# ignore nonreadable = yes
# dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2

# [ftp]
# path = /home/ftp
# comment = ftp export area
#每个模块名对应一个不同的path目录,如果同名后面模块生效
[backup]
path = /data/backup
comment = backup dir
#默认是yes,即只读
read only = no
#默认anonymous可以访问rsync服务器
auth users = rsyncuser
secrets file = /etc/rsync.pas
#生成验证文件和备份目录
[root@bak ~]# echo "rsyncuser:123456" > /etc/rsync.pas
[root@bak ~]# chmod 600 /etc/rsync.pas
[root@bak ~]# mkdir /data/backup -pv
#启动rsync服务
[root@bak ~]# systemctl start rsyncd
[root@bak ~]# ss -nltp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=979,fd=5))
LISTEN 0 5 0.0.0.0:873 0.0.0.0:* users:(("rsync",pid=10563,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=979,fd=7))
LISTEN 0 5 [::]:873 [::]:* users:(("rsync",pid=10563,fd=5))

3.3 登录Data Server进行通过rsync client 测试连接 rsync server

#数据服务器安装rsync和口令配置文件
[root@data ~]# yum install rsync
[root@data ~]# echo "123456" > /etc/rsync.pas
[root@data ~]# chmod 600 /etc/rsync.pas #权限不修改会导致rsync启动失败

#查看远程备份服务器rsync 服务是否可以正常连接
[root@data ~]# rsync rsync://10.10.10.15
backup backup dir

##交互式查看
[root@data ~]# rsync rsync://rsyncuser@10.10.10.15/backup
Password:
drwxr-xr-x 19 2022/03/23 10:52:53 .

##非交互式查看
[root@data ~]# rsync --password-file=/etc/rsync.pas rsync://rsyncuser@10.10.10.15/backup
drwxr-xr-x 19 2022/03/23 10:52:53 .

#测试数据传输及同步
[root@data ~]# rsync /etc/fstab --password-file=/etc/rsync.pas rsync://rsyncuser@10.10.10.15/backup

[root@bak ~]# ll /data/backup/
total 8
-rw-r--r--. 1 root root 579 Mar 23 14:14 fstab

[root@data ~]# touch /data/www/file01.txt
[root@data ~]# touch /data/www/file02.txt
[root@data ~]# touch /data/www/file03.txt
[root@data ~]# rsync -avz --delete --password-file=/etc/rsync.pas /data/www/ rsync://rsyncuser@10.10.10.15/backup
sending incremental file list
deleting test.txt
deleting hosts
deleting fstab
./
file01.txt
file02.txt
file03.txt

sent 227 bytes received 106 bytes 222.00 bytes/sec
total size is 0 speedup is 0.00
[root@bak ~]# ls -l /data/backup/
total 0
-rw-r--r--. 1 root root 0 Mar 23 14:25 file01.txt
-rw-r--r--. 1 root root 0 Mar 23 14:25 file02.txt
-rw-r--r--. 1 root root 0 Mar 23 14:25 file03.txt
[root@data ~]# rm -rf /data/www/file03.txt
[root@data ~]# rsync -avz --delete --password-file=/etc/rsync.pas /data/www/ rsync://rsyncuser@10.10.10.15/backup
sending incremental file list
deleting file03.txt
./

sent 96 bytes received 33 bytes 86.00 bytes/sec
total size is 0 speedup is 0.00

[root@bak ~]# ls -l /data/backup/
total 0
-rw-r--r--. 1 root root 0 Mar 23 14:25 file01.txt
-rw-r--r--. 1 root root 0 Mar 23 14:25 file02.txt

3.4 shell脚本实现实时数据同步

#脚本内容
[root@data ~]# vim inotify_rsync.sh
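#!/bin/bash
# Watch SRC with inotifywait and push every change to the rsync daemon at DEST,
# appending one line per successful sync to LOG.
# Requires inotify-tools and rsync on this host. The rsync password is read
# from PASSWD_FILE, which must be mode 600 (rsync rejects a world-readable file).
#注意最后的/ — the trailing slash makes rsync copy the directory contents,
# not the directory itself, so the remote module mirrors SRC exactly.
SRC='/data/www/'
##
DEST='rsyncuser@10.10.10.15::backup'
PASSWD_FILE='/etc/rsync.pas'
LOG='/var/log/changelist.log'

##rpm -q rsync &> /dev/null || yum -y install rsync

# -m: monitor forever, -r: recurse, -q: quiet; editor swap files are ignored.
# --format '%T %w %f' yields "DATE TIME WATCHED_DIR NAME"; NAME is the last
# field so read keeps the rest of the line (spaces included) in FILE.
# Note: a single write can raise several events (create, close_write, attrib),
# so the same file may be synced and logged more than once.
inotifywait -mrq --exclude=".*\.swp" --timefmt '%Y-%m-%d %H:%M:%S' --format '%T %w %f' \
  -e create,delete,moved_to,close_write,attrib "$SRC" \
| while read -r DATE TIME DIR FILE; do
  FILEPATH="${DIR}${FILE}"
  # --delete mirrors removals too; quoting keeps paths with spaces intact.
  if rsync -az --delete --password-file="$PASSWD_FILE" "$SRC" "$DEST"; then
    printf 'At %s on %s, file %s was backuped up via rsync\n' "$TIME" "$DATE" "$FILEPATH" >> "$LOG"
  else
    # A failed sync is reported on stderr instead of being silently dropped.
    printf 'At %s on %s, rsync of %s failed (exit %d)\n' "$TIME" "$DATE" "$FILEPATH" "$?" >&2
  fi
done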
##脚本运行log
[root@data ~]# cd /data/www/
[root@data www]# echo "test" > text.txt
[root@data www]# echo "test" > text01.txt
[root@data www]# echo "test" > text02.txt
[root@data www]# rm -rf file01.txt
[root@bak ~]# ls -l /data/backup/
total 8
-rw-r--r--. 1 root root 0 Mar 23 14:25 file01.txt
-rw-r--r--. 1 root root 0 Mar 23 14:25 file02.txt
-rw-r--r--. 1 root root 5 Mar 23 14:38 text01.txt
-rw-r--r--. 1 root root 5 Mar 23 14:39 text02.txt
[root@bak ~]# ls -l /data/backup/
total 8
-rw-r--r--. 1 root root 0 Mar 23 14:25 file02.txt
-rw-r--r--. 1 root root 5 Mar 23 14:38 text01.txt
-rw-r--r--. 1 root root 5 Mar 23 14:39 text02.txt
[root@data www]# cat /var/log/changelist.log
At 14:38:57 on 2022-03-23, file /data/www/text01.txt was backuped up via rsync
At 14:38:57 on 2022-03-23, file /data/www/text01.txt was backuped up via rsync
At 14:39:01 on 2022-03-23, file /data/www/text02.txt was backuped up via rsync
At 14:39:01 on 2022-03-23, file /data/www/text02.txt was backuped up via rsync
At 14:39:22 on 2022-03-23, file /data/www/file01.txt was backuped up via rsync

4、LVS调度算法总结

LVS 工作模式:

NAT模型:修改请求报文的目标IP,多目标IP的DNAT

DR模型:操纵封装新的MAC地址  

TUN模型:在原请求IP报文之外新加一个IP首部

FULLNAT模型:修改请求报文的源和目标IP

LVS 调度算法:

分为两种:静态方法和动态方法 

静态方法4种

仅根据算法本身进行调度

RR:roundrobin,轮询,较常用 ,将请求依次分配不同的RS节点,RS服务器均摊请求,这种算法比较简单,但是只适合RS节点相差性能不大的情况

WRR:Weighted RR,加权轮询,较常用,它将依据不同RS节点的权值分配任务,权值高的RS将优先获得任务,并且分配的连接数比权值低的RS节点更多。相同权值的RS得到相同数目的连接数

SH:Source Hashing,实现session sticky,源IP地址hash;将来自于同一个IP地址的请求始终发往第一次挑中的RS,从而实现会话绑定

DH:Destination Hashing;目标地址哈希,第一次轮询调度至RS,后续将发往同一个目标地址的请求始终转发至第一次挑中的RS,典型使用场景是正向代理缓存场景中的负载均衡,如: Web缓存

 动态方法6种

主要根据每个RS当前的负载状态及调度算法进行调度,Overhead=value 较小的RS将被调度

LC:least connections 适用于长连接应用  
Overhead=activeconns*256+inactiveconns

WLC:Weighted LC,默认调度方法,较常用  
Overhead=(activeconns*256+inactiveconns)/weight

SED:Shortest Expected Delay,初始连接高权重优先,只检查活动连接,而不考虑非活动连接
Overhead=(activeconns+1)*256/weight

NQ:Never Queue,第一轮均匀分配,后续SED

LBLC:Locality-Based LC,动态的DH算法,使用场景:根据负载状态实现正向代理,实现Web Cache等

LBLCR:LBLC with Replication,带复制功能的LBLC,解决LBLC负载不均衡问题,从负载重的RS复制到负载轻的RS,实现Web Cache等

内核版本 4.15 版本后新增调度算法:FO和OVF

FO(Weighted Fail Over)调度算法,在此FO算法中,遍历虚拟服务所关联的真实服务器链表,找到还未过载(未设置IP_VS_DEST_F_OVERLOAD标志)的且权重最高的真实服务器,进行调度,属于静态算法

OVF(Overflow-connection)调度算法,基于真实服务器的活动连接数量和权重值实现。将新连接调度到权重值最高的真实服务器,直到其活动连接数量超过权重值,之后调度到下一个权重值最高的真实服务器,在此OVF算法中,遍历虚拟服务相关联的真实服务器链表,找到权重值最高的可用真实服务器,属于动态算法

5、LVS的跨网络DR实现

第十五周学习作业_centos_03

5.1 Client网络配置

[root@client ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b3:f4:32 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.11/24 brd 192.168.10.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::e132:5b27:135f:b310/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@client ~]# ip r
default via 192.168.10.10 dev ens33 proto static metric 100
192.168.10.0/24 dev ens33 proto kernel scope link src 192.168.10.11 metric 100

5.2 route网络配置

[root@route ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:68:87:02 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.10/24 brd 10.10.10.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet 172.10.10.10/24 brd 172.10.10.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe68:8702/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:68:87:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.10.10/24 brd 192.168.10.255 scope global noprefixroute ens224
valid_lft forever preferred_lft forever
inet6 fe80::dbe9:8327:fe8d:a8cb/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@route ~]# ip r
10.10.10.0/24 dev ens160 proto kernel scope link src 10.10.10.10 metric 104
172.10.10.0/24 dev ens160 proto kernel scope link src 172.10.10.10 metric 104
192.168.10.0/24 dev ens224 proto kernel scope link src 192.168.10.10 metric 103
##配置route启用IP_FORWARD功能
[root@route ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@route ~]# sysctl -p
net.ipv4.ip_forward = 1

5.3 RS服务器网络配置

DR模型中各主机上均需要配置VIP,解决地址冲突的方式有三种:

(1) 在前端网关做静态绑定

(2) 在各RS使用arptables

(3) 在各RS修改内核参数,来限制arp响应和通告的级别

限制响应级别:arp_ignore

0:默认值,表示可使用本地任意接口上配置的任意地址进行响应

1:仅在请求的目标IP配置在本地主机的接收到请求报文的接口上时,才给予响应

限制通告级别:arp_announce

0:默认值,把本机所有接口的所有信息向每个接口的网络进行通告

1:尽量避免将接口信息向非直接连接网络进行通告

2:必须避免将接口信息向非本网络进行通告

RS服务器都要执行此操作

# Restrict ARP on every RS before the VIP is bound to lo: arp_ignore=1 answers
# only when the requested IP sits on the receiving interface, arp_announce=2
# avoids announcing lo's VIP on the LAN, so only the director owns the VIP in ARP.
# Written to "all" first, then "lo", matching the original order.
for conf_dir in all lo; do
  echo 1 > "/proc/sys/net/ipv4/conf/${conf_dir}/arp_ignore"
  echo 2 > "/proc/sys/net/ipv4/conf/${conf_dir}/arp_announce"
done
##RS01
[root@rs1 ~]# ip addr add 172.10.10.100/32 dev lo
[root@rs1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 172.10.10.100/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:6e:86:eb brd ff:ff:ff:ff:ff:ff
inet 10.10.10.16/24 brd 10.10.10.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe6e:86eb/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@rs1 ~]# ip r
default via 10.10.10.10 dev ens160 proto static metric 100
10.10.10.0/24 dev ens160 proto kernel scope link src 10.10.10.16 metric 100
##安装nginx 用来测试负载规则
[root@rs1 ~]# yum install nginx -y && echo "rs01 10.10.10.16" > /usr/share/nginx/html/index.html && systemctl start nginx
##RS02
[root@rs2 ~]# ip addr add 172.10.10.100/32 dev lo
[root@rs2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 172.10.10.100/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:4d:36:5b brd ff:ff:ff:ff:ff:ff
inet 10.10.10.17/8 brd 10.255.255.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4d:365b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@rs2 ~]# ip r
default via 10.10.10.10 dev ens160 proto static metric 100
10.0.0.0/8 dev ens160 proto kernel scope link src 10.10.10.17 metric 100
##安装nginx 用来测试负载规则
[root@rs2 ~]# yum install nginx -y && echo "rs02 10.10.10.17" > /usr/share/nginx/html/index.html && systemctl start nginx

5.4 LVS网络配置

[root@lvs ~]# ip addr add 172.10.10.100/32 dev lo
[root@lvs ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 172.10.10.100/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:75:31:73 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.11/24 brd 10.10.10.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe75:3173/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@lvs ~]# ip r
default via 10.10.10.10 dev ens160 proto static metric 100
10.10.10.0/24 dev ens160 proto kernel scope link src 10.10.10.11 metric 100

##安装lvs管理工具包
[root@lvs ~]# yum install ipvsadm
[root@lvs ~]# ipvsadm -A -t 172.10.10.100:80 -s rr
[root@lvs ~]# ipvsadm -a -t 172.10.10.100 -r 10.10.10.16
[root@lvs ~]# ipvsadm -a -t 172.10.10.100:80 -r 10.10.10.16:80
[root@lvs ~]# ipvsadm -a -t 172.10.10.100:80 -r 10.10.10.17:80
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.10.10.100:80 rr
-> 10.10.10.16:80 Route 1 0 0
-> 10.10.10.17:80 Route 1 0 0

5.5 客户端测试

[root@client ~]# while : ; do curl 172.10.10.100 ;sleep 1 ; done
rs01 10.10.10.16
rs02 10.10.10.17
rs01 10.10.10.16
rs02 10.10.10.17
rs01 10.10.10.16
rs02 10.10.10.17
rs01 10.10.10.16
rs02 10.10.10.17

