当前位置：首页 > news >正文

LVS 负载均衡

news 2025/9/24 7:10:13

LVS 负载均衡

一、LVS 基础概述

LVS（Linux Virtual Server，Linux 虚拟服务器）是由章文嵩博士主导的开源负载均衡项目，已集成到 Linux 内核，核心是实现基于 IP 层的数据请求负载均衡调度。终端用户访问 LVS 调度器（请求目标为 VIP，虚拟 IP），调度器按预设算法将请求分发至后端 Real Server（真实服务器，IP 为 RIP）；若 Real Server 挂载相同存储、提供相同服务，集群对用户透明，Real Server 按 LVS 工作模式将数据回传用户。其官方站点为http://www.linuxvirtualserver.org，支持 NAT、TUN、DR 三种工作模式

二、LVS 体系结构

LVS 集群系统由三层架构组成，用户仅感知 “虚拟服务器”，核心为 Director Server（调度服务器）：

层级	组成与功能
负载均衡层（Loader Balancer）	含 1 台 / 多台 Director Server，安装 LVS 内核模块（实现路由分发）和 Ldirectord 监控模块（检测 Real Server 健康，异常时剔除、恢复后重新加入），类似路由器角色
服务器群组层（Server Array）	由 Real Server 组成，可部署 WEB、MAIL、FTP 等服务；Real Server 间通过高速 LAN/WAN 连接，Director Server 也可兼任 Real Server
数据共享存储层（Shared Storage）	多为磁盘阵列，提供共享存储与内容一致性；支持 NFS（简易但高并发性能差）或集群文件系统（如 Red Hat GFS、Oracle OCFS2）

系统支持：Director Server 仅支持 Linux（2.6 + 内核原生支持）和 FreeBSD（应用少、性能一般）；Real Server 支持 Linux、Windows、Solaris、AIX 等多系统

三、LVS 核心管理工具

LVS 依赖 “内核模块 + 用户工具” 协同工作，核心工具为ipvs和ipvsadm：

1. ipvs（内核核心组件）

定位：LVS 软件内核层核心，运行于负载均衡层，负责 IP 包处理、负载均衡算法执行、系统配置与管理，维护虚拟服务器与 Real Server 链表
关键特性：1 台 ipvs 主机可定义多个集群服务（可能影响调度性能），每个集群服务至少需 1 台 Real Server

2. ipvsadm（用户空间命令行工具）

定位：用于管理集群服务与 Real Server，支持增、删、改、查操作，指定工作模式、权重等

常用命令与功能：

功能分类	关键命令示例
集群服务管理	增（`-A -t ip:port -s 算法`）、改（`-E`）、删（`-D`）、清空（`-C`）、保存（`-S > /etc/sysconfig/ipvsadm`）、重载（`-R < /etc/sysconfig/ipvsadm`）
Real Server 管理	增（`-a -t ip:port -r rip:port -g/i/m`）、改（`-e`）、删（`-d`）、指定权重（`-w 数值`）
查看与格式	列表（`-L/-l`）、数字显示 IP / 端口（`-n`，需跟在`-L`后）
工作模式指定	DR 模式（`-g`，默认）、TUN 模式（`-i`）、NAT 模式（`-m`）

核心语法示例：ipvsadm -A -t 172.16.30.10:80 -s rr（创建 TCP 80 端口集群服务，轮询算法）ipvsadm -a -t 172.16.30.10:80 -r 192.168.100.20:80 -m`（添加 Real Server，NAT 模式）

四、LVS 工作模式及原理

1. NAT 模式（网络地址转换）

原理：请求与响应均经过 Director Server，通过地址转换实现调度：
1. 客户端请求（源 CIP，目标 VIP）到达 Director
2. Director 将目标 IP 改为 RIP，转发至 Real Server
3. Real Server（网关指向 Director）处理后，将响应（源 RIP，目标 CIP）发回 Director
4. Director 将源 IP 改为 VIP，回传客户端
特点：仅需 Director 配置公网 IP；支持 IP / 端口转换；Real Server 系统灵活，但 Director 易成瓶颈（仅支持 10-20 台 RS）
关键要求：Real Server 网关必须指向 Director 的内网 IP（DIP）

2. DR 模式（直接路由）

原理：仅修改请求报文的 MAC 地址，响应直接回客户端（无需经 Director）：
1. 客户端请求（CIP→VIP）到达 Director
2. Director 将源 MAC 改为 DIP 的 MAC，目标 MAC 改为 RIP 的 MAC，转发至 Real Server
3. Real Server 识别目标 MAC 为自身，处理后通过 lo 接口→eth0 直接回传客户端
特点：无 IP 隧道开销，性能高；需 Director 与 Real Server 在同一局域网；Real Server 需配置 VIP（lo 接口，32 位子网掩码，避免 ARP 响应冲突）
关键要求：Real Server 配置arp_ignore=1（仅回应自身接口 IP 的 ARP 请求）、arp_announce=2（ARP 请求源 IP 为 RIP）

3. TUN 模式（隧道模式）

原理：通过 IP 隧道封装请求，响应直接回客户端：
1. 客户端请求（CIP→VIP）到达 Director
2. Director 在请求报文外封装新 IP 头（源 DIP，目标 RIP），通过隧道发至 Real Server
3. Real Server 解封装后，识别目标 VIP（lo 接口配置），处理后直接回传客户端
特点：Director 无瓶颈（仅分发请求），支持跨地域部署；但 Real Server 需合法 IP，且支持 “IP Tunneling” 协议（多为 Linux 系统）

五、LVS 调度算法

LVS 调度算法分静态（不考虑服务器负载）和动态（基于服务器实时负载调整）两类，共 10 种：

1. 静态调度算法（4 种）

rr（轮询）：均等分发请求，不考虑服务器连接数 / 负载。
wrr（加权轮询）：按权重分发，可动态调整 Real Server 权重（依据负载）
sh（源地址散列）：按客户端源 IP 散列，固定将同一客户端请求分发至同一 Real Server
dh（目标地址散列）：按请求目标 IP 散列，固定将同一目标 IP 请求分发至同一 Real Server

2. 动态调度算法（6 种）

lc（最少链接）：将请求分发至当前连接数最少的 Real Server（适用于 RS 性能相近场景）
wlc（加权最少链接）：结合权重与连接数，权重高、连接数少的 RS 优先分配（适用于 RS 性能差异大场景）
lblc（基于局部性最少连接）：优先将同一目标 IP 请求分发至最近使用过的 RS（若 RS 可用且负载低）
lblcr（复杂基于局部性最少连接）：维护 “目标 IP→RS 组” 映射，避免单点 RS 负载过高
sed（最少期望延迟）：不考虑非活动连接，权重高的 RS 优先分配（可能导致高权重 RS 繁忙）
nq（永不排队）：直接将请求分发至连接数为 0 的 RS，无排队等待

六、LVS 典型配置案例

文档提供 4 类配置案例，核心步骤均含 “环境准备→基础配置→服务部署→规则配置→测试验证”，关键差异如下：

1. LVS-NAT 模式（HTTP 负载集群）

环境：Client（192.168.100.200）、Director（DIP：192.168.100.10，VIP：172.16.30.10）、RS1（192.168.100.20，网关 192.168.100.10）、RS2（192.168.100.30，网关 192.168.100.10），均为 Rocky Linux 9
关键步骤：
1. 所有主机关闭防火墙（systemctl stop/disable firewalld）与 SELinux（SELINUX=disabled）；
2. 配置 IP 与网关（RS 网关指向 Director 的 DIP）
3. RS 部署 httpd（yum install httpd），生成差异化首页（如echo RS1 > /var/www/html/index.html）
4. Director 开启 IP 转发（net.ipv4.ip_forward=1，sysctl -p），安装 ipvsadm 并添加规则（ipvsadm -A -t 172.16.30.10:80 -s rr，ipvsadm -a ... -m）
5. 保存规则（ipvsadm -Sn > /etc/sysconfig/ipvsadm），重启 ipvsadm
6. 客户端测试（curl http://172.16.30.10），轮询返回 RS1/RS2

2. LVS-NAT 模式（HTTPS 负载集群）

新增步骤：
1. Director 生成 CA 密钥与证书（openssl genrsa、openssl req -new -x509）
2. RS 生成证书请求（CSR），发送至 Director
3. Director 签署 CSR 生成证书，回传 RS
4. RS 配置 httpd 的 SSL 模块（mod_ssl），指定证书路径
5. Director 添加 443 端口规则（ipvsadm -A -t 172.16.30.10:443 -s rr，ipvsadm -a ... -m）；
6. 客户端测试（curl -k https://172.16.30.10），轮询返回 RS1/RS2

3. LVS-DR 模式（HTTP 负载集群）

环境：Director（DIP：192.168.100.10，VIP：192.168.100.100）、RS1/RS2（RIP：192.168.100.20/30，VIP：192.168.100.100）
关键差异：
1. RS 配置 ARP 内核参数（arp_ignore=1、arp_announce=2，sysctl -p）
2. RS 在 lo 接口配置 VIP（ifconfig lo 192.168.100.100/32 up），添加路由（route add -host 192.168.100.100 dev lo）
3. Director 添加规则时指定 DR 模式（-g，默认），无需开启 IP 转发
4. 客户端测试（curl http://192.168.100.100），轮询返回 RS1/RS2

4. LVS-TUN 模式（HTTP 负载集群）

环境：Director（VIP：192.168.100.55，tunl0 接口）、RS1/RS2（RIP：192.168.100.20/30，tunl0 接口 VIP）
关键差异：
1. 所有主机开启 IP 转发
2. RS 加载 ipip 模块（modprobe ipip），配置 tunl0 接口 VIP（ifconfig tunl0 192.168.100.55/32 up）
3. RS 配置内核参数（rp_filter=0，避免反向路径过滤）
4. Director 添加规则时指定 TUN 模式（-i）
5. 客户端测试（curl http://192.168.100.55），轮询返回 RS1/RS2

具体示例：配置lvs-nat模式的httpd负载集群—http

DR、RS1、RS2三台主机关闭防火墙和selinux 略

RS1：

[root@rs1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 PREFIX=24
GATEWAY=192.168.100.10
IPV6_PRIVACY=no
~     
[root@rs1 ~]# systemctl restart network

RS2：

[root@rs2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
PREFIX=24
GATEWAY=192.168.100.10
IPV6_PRIVACY=no
~       
[root@rs2 ~]# systemctl restart network

lvs-dr：

在这里插入图片描述

lvs-dr：

[root@lvs-dr ~]# nmcli connection show
NAME                UUID                                  TYPE    
ens33               1b997c48-8eff-4fa9-be0d-5e2acd617368  ethernet
virbr0              8cb8b09f-e215-4ef7-a952-30012815b908  bridge  
Wired connection 1  5d0b9ad8-d21e-344a-8a1f-5207b018d317  ethernet
[root@lvs-dr ~]# nmcli connection delete Wired\ connection\ 1 
Connection 'Wired connection 1' (5d0b9ad8-d21e-344a-8a1f-5207b018d317) successfully deleted.
[root@lvs-dr ~]# nmcli connection add con-name ens36 ifname ens36 type ethernet 
Connection 'ens36' (c5ea1843-9f29-4242-a6f0-d53457489a7e) successfully added.
[root@lvs-dr ~]# nmcli connection show
NAME    UUID                                  TYPE      DEVICE 
ens33   1b997c48-8eff-4fa9-be0d-5e2acd617368  ethernet  ens33  
ens36   c5ea1843-9f29-4242-a6f0-d53457489a7e  ethernet  ens36  
virbr0  8cb8b09f-e215-4ef7-a952-30012815b908  bridge    virbr0 
[root@lvs-dr ~]# nmcli connection modify ens36 ipv4.addresses 172.16.30.10/24 ipv4.method manual connection.autoconnect yes
[root@lvs-dr ~]# nmcli connection up ens36
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@lvs-dr ~]# ifconfig ens36
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 172.16.30.10  netmask 255.255.255.0  broadcast 172.16.30.255inet6 fe80::947e:8560:897e:6572  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:e4:65:28  txqueuelen 1000  (Ethernet)RX packets 235  bytes 55357 (54.0 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 77  bytes 12865 (12.5 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lvs-dr：（配置DR，开启IP转发功能）

[root@lvs-dr ~]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1
~ 
[root@lvs-dr ~]# sysctl -p
net.ipv4.ip_forward = 1

后端RS1和RS2部署WEB服务器：

RS1：

[root@rs1 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs1 ~]# cd /etc/yum.repos.d/
[root@rs1 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs1 yum.repos.d]# rm -rf *
[root@rs1 yum.repos.d]# vim sy.repo[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~  
[root@rs1 ~]# yum -y install httpd

RS2：

[root@rs2 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs2 ~]# cd /etc/yum.repos.d/
[root@rs2 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs2 yum.repos.d]# rm -rf *
[root@rs2 yum.repos.d]# vim syy.repo[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~ 
[root@rs2 ~]# yum -y install httpd

RS1：

[root@rs1 ~]# cd /var/www/html/
[root@rs1 html]# ls
[root@rs1 html]# vim index.html
RS1
~ 
[root@rs1 html]# systemctl restart httpd
[root@rs1 html]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

RS2：

[root@rs2 ~]# cd /var/www/html/
[root@rs2 html]# ls
[root@rs2 html]# vim index.html
RS2
~ 
[root@rs2 html]# systemctl restart httpd
[root@rs2 html]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

client：

[root@client ~]# curl http://192.168.100.20
RS1
[root@client ~]# curl http://192.168.100.30
RS2

安装ipvsadm并添加规则：

lvs-dr：

[root@lvs-dr ~]# rpm -q ipvsadm
package ipvsadm is not installed
[root@lvs-dr ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@lvs-dr ~]# cd /etc/yum.repos.d/
[root@lvs-dr yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@lvs-dr yum.repos.d]# rm -rf *
[root@lvs-dr yum.repos.d]# vim qvq.repo[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~[root@lvs-dr ~]# yum -y install ipvsadm

[root@lvs-dr ~]# ipvsadm -A -t 172.16.30.10:80 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:80 -r 192.168.100.20:80 -m
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:80 -r 192.168.100.30:80 -m
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.30.10:80 rr-> 192.168.100.20:80            Masq    1      0          0         -> 192.168.100.30:80            Masq    1      0          0         
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm.service 
[root@lvs-dr ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.

客户端测试：

client：

在这里插入图片描述

[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 IPADDR=172.16.30.20
PREFIX=24
~  
[root@client ~]# systemctl restart network
[root@client ~]# curl http://172.16.30.10
RS2
[root@client ~]# curl http://172.16.30.10
RS1
[root@client ~]# curl http://172.16.30.10
RS2
[root@client ~]# curl http://172.16.30.10
RS1

配置lvs-nat模式的httpd负载集群—https

lvs-dr：

[root@lvs-dr ~]# cd /etc/pki/CA/
[root@lvs-dr CA]# ls
certs  crl  newcerts  private
[root@lvs-dr CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...................+++
e is 65537 (0x10001)
[root@lvs-dr CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1vSNIqqEysdxli2WpN25
+3Hwkj/y1j6BpqDFSqCuzSzxYxyrlp2W6Ef8o3QARD5NVXmaWgR0Vs+p+FiudI7w
nc/doiY9ko5JuzLuUJANXYGsaYY4zli24uLcgWIGdgWD4/d7Ym5t/BrIGozVjUDR
OEygS6ueiLQcaxUG3KbL59IbejqzQdtj7NvtROpaq2iwAAQQ1QUpPqLNwSd0Q7AF
lekrJeTmfRRfvCk0QDeiTo0QrVqwyEaBf+ZPxk/H3kAjsrp+kJxCewMlI4nks4Oe
/JnXzkeBDmrXh5E+Fc47CZlyGwfeMGMTQEYa1Hg2OfxcMQEhCjTuv3Cc2nFOGFwu
5QIDAQAB
-----END PUBLIC KEY-----
[root@lvs-dr CA]# ls
certs  crl  newcerts  private
[root@lvs-dr CA]# ls private/
cakey.pem
[root@lvs-dr CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server.example.com
Email Address []:shenyi@example.com
[root@lvs-dr CA]# touch index.txt
[root@lvs-dr CA]# echo 01 > serial

在RS1中生成证书签署请求，并发送给CA

RS1：

[root@rs1 html]# yum -y install mod_ssl[root@rs1 html]# cd /etc/httpd/
[root@rs1 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@rs1 httpd]# mkdir ssl
[root@rs1 httpd]# cd ssl/
[root@rs1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................................+++
................................................................................................+++
e is 65537 (0x10001)
[root@rs1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:rs1.example.com
Email Address []:shenyi@example.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

RS2：

[root@rs2 html]# yum -y install mod_ssl[root@rs2 html]# cd /etc/httpd/
[root@rs2 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run
[root@rs2 httpd]# mkdir ssl
[root@rs2 httpd]# cd ssl/
[root@rs2 ssl]# (umask 077;openssl genrsa -out httpd2.key 2048)
Generating RSA private key, 2048 bit long modulus
.+++
....+++
e is 65537 (0x10001)
[root@rs2 ssl]# openssl req -new -key httpd2.key -days 1024 -out httpd2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:rs2.example.com
Email Address []:shenyi@example.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

RS1：

[root@rs1 ssl]# scp httpd.csr root@192.168.100.10:/root/
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:UN0UZbtBfFQeLR3836aFd9k4cm9na95JOPqBnPk05VU.
ECDSA key fingerprint is MD5:20:05:39:25:84:f6:1b:bb:8b:b3:ed:b9:bf:96:99:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password: 
httpd.csr                          100% 1041     1.1MB/s   00:00

在DR中查看：

[root@lvs-dr ~]# cd -
/etc/pki/CA
[root@lvs-dr CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@lvs-dr ~]# ls
anaconda-ks.cfg  Downloads             Music     Templates
Desktop          httpd.csr             Pictures  Videos
Documents        initial-setup-ks.cfg  Public

CA签署证书并发给RS1：

[root@lvs-dr ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Sep 22 12:56:12 2025 GMTNot After : Jul 12 12:56:12 2028 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = LQorganizationalUnitName    = linuxcommonName                = rs1.example.comemailAddress              = shenyi@example.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 74:C4:69:A0:7B:BB:49:42:7B:6D:81:5A:07:5C:BC:42:74:BF:89:8DX509v3 Authority Key Identifier: keyid:09:F9:B7:D5:02:F9:3A:2F:AC:03:F5:55:05:1B:22:74:7B:3D:52:3DCertificate is to be certified until Jul 12 12:56:12 2028 GMT (1024 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@lvs-dr ~]# ls
anaconda-ks.cfg  Downloads  initial-setup-ks.cfg  Public
Desktop          httpd.crt  Music                 Templates
Documents        httpd.csr  Pictures              Videos

将CA签署的证书httpd.crt和服务器的证书cacert.pem发送给RS1

[root@lvs-dr ~]# scp httpd.crt root@192.168.100.20:/etc/httpd/ssl
root@192.168.100.20's password: 
httpd.crt                       100% 4587     3.0MB/s   00:00

RS1：

[root@rs1 ~]# cd /etc/httpd/
[root@rs1 httpd]# cd ssl/
[root@rs1 ssl]# ls
httpd.crt  httpd.csr  httpd.key

RS2：

[root@rs2 ~]# cd /etc/httpd/
[root@rs2 httpd]# ls ssl/
httpd2.csr  httpd2.key  httpd.key
[root@rs2 httpd]# cd ssl/
[root@rs2 ssl]# rm -rf http*

RS1中把RS1的证书和密钥发送给RS2

RS1：

[root@rs1 ssl]# scp httpd.crt httpd.key root@192.168.100.30:/etc/httpd/ssl/
The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
ECDSA key fingerprint is SHA256:UN0UZbtBfFQeLR3836aFd9k4cm9na95JOPqBnPk05VU.
ECDSA key fingerprint is MD5:20:05:39:25:84:f6:1b:bb:8b:b3:ed:b9:bf:96:99:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (ECDSA) to the list of known hosts.
root@192.168.100.30's password: 
httpd.crt                          100% 4587     3.2MB/s   00:00    
httpd.key                          100% 1679     1.9MB/s   00:00

RS2：

[root@rs2 ssl]# ls
httpd.crt  httpd.key

在RS1中修改https的配置文件

[root@lvs-dr ~]# cd /etc/pki/CA/private/
[root@lvs-dr private]# ls
cakey.pem
[root@lvs-dr private]# cd ..
[root@lvs-dr CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@lvs-dr CA]# scp cacert.pem root@192.168.100.20:/etc/httpd/ssl/
root@192.168.100.20's password: 
cacert.pem                      100% 1399   687.2KB/s   00:00    
[root@lvs-dr CA]# scp cacert.pem root@192.168.100.30:/etc/httpd/ssl/
The authenticity of host '192.168.100.30 (192.168.100.30)' can't be established.
ECDSA key fingerprint is SHA256:UN0UZbtBfFQeLR3836aFd9k4cm9na95JOPqBnPk05VU.
ECDSA key fingerprint is MD5:20:05:39:25:84:f6:1b:bb:8b:b3:ed:b9:bf:96:99:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.30' (ECDSA) to the list of known hosts.
root@192.168.100.30's password: 
cacert.pem                      100% 1399   815.3KB/s   00:00

RS1：

[root@rs1 ssl]# vim /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/httpd/ssl/httpd.crt   ////#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key     ////
.....
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/httpd/ssl/cacert.pem      /////#   Client Authentication (Type):[root@rs1 ssl]# scp /etc/httpd/conf.d/ssl.conf root@192.168.100.30:/etc/httpd/conf.d/ssl.conf 
root@192.168.100.30's password: 
ssl.conf                           100% 9474     3.4MB/s   00:00   
[root@rs1 ssl]# systemctl restart httpd

[root@rs2 ssl]# systemctl restart httpd

[root@rs1 ssl]# ss -anlt
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      128     *:111                 *:*                  
LISTEN      0      128     *:6000                *:*                  
LISTEN      0      5      192.168.122.1:53                  *:*                  
LISTEN      0      128     *:22                  *:*                  
LISTEN      0      128    127.0.0.1:631                 *:*                  
LISTEN      0      100    127.0.0.1:25                  *:*                  
LISTEN      0      128    127.0.0.1:6010                *:*                  
LISTEN      0      128    127.0.0.1:6011                *:*                  
LISTEN      0      128    :::111                :::*                  
LISTEN      0      128    :::80                 :::*                  
LISTEN      0      128    :::6000               :::*                  
LISTEN      0      128    :::22                 :::*                  
LISTEN      0      128       ::1:631                :::*                  
LISTEN      0      100       ::1:25                 :::*                  
LISTEN      0      128       ::1:6010               :::*                  
LISTEN      0      128    :::443                :::*                  
LISTEN      0      128       ::1:6011               :::*

在DR中添加规则：

[root@lvs-dr ~]# ipvsadm -A -t 172.16.30.10:443 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:443 -r 192.168.100.20 -m
[root@lvs-dr ~]# ipvsadm -a -t 172.16.30.10:443 -r 192.168.100.30 -m
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.30.10:80 rr-> 192.168.100.20:80            Masq    1      0          0         -> 192.168.100.30:80            Masq    1      0          0         
TCP  172.16.30.10:443 rr-> 192.168.100.20:443           Masq    1      0          0         -> 192.168.100.30:443           Masq    1      0          0         
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm

客户端测试

[root@client ~]# curl -k https://172.16.30.10:443
RS2
[root@client ~]# curl -k https://172.16.30.10:443
RS1
[root@client ~]# curl -k https://172.16.30.10:443
RS2
[root@client ~]# curl -k https://172.16.30.10:443
RS1

配置LVS-DR模式的httpd负载集群：

关闭防火墙和selinux 略

RS1：（配置本地yum仓库）

[root@rs1 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs1 ~]# cd /etc/yum.repos.d/
[root@rs1 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs1 yum.repos.d]# rm -rf *
[root@rs1 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~

安装httpd：

[root@rs1 ~]# yum -y install httpd[root@rs1 ~]# echo RS1 > /var/www/html/index.html
[root@rs1 ~]# systemctl restart httpd
[root@rs1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

RS2：（配置本地yum仓库）

[root@rs2 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs2 ~]# cd /etc/yum.repos.d/
[root@rs2 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs2 yum.repos.d]# rm -rf *
[root@rs2 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~

安装httpd：

[root@rs2 ~]# yum -y install httpd[root@rs2 ~]# echo RS2 > /var/www/html/index.html
[root@rs2 ~]# systemctl restart httpd
[root@rs2 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

LVS-DR：

[root@lvs-dr ~]# curl http://192.168.100.20
RS1
[root@lvs-dr ~]# curl http://192.168.100.30
RS2

LVS上配置ip：（关闭防火墙和selinux 略）

添加IP：

[root@lvs-dr ~]# ifconfig lo 192.168.100.100/32 broadcast 192.168.100.100 netmask 255.255.255.255 up
[root@lvs-dr ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 192.168.100.100/0 brd 192.168.100.100 scope global lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever

RS上配置arp内核参数

RS1：

[root@rs1 ~]# vim /etc/sysctl.conf 
# 将对应网卡设置为只回应目标IP为自身接口地址的ARP请求
net.ipv4.conf.all.arp_ignore = 1
# 将ARP请求的源IP设置为所有接口的IP，也就是RIP
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
~   
[root@rs1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2

RS2：

[root@rs2 ~]# vim /etc/sysctl.conf 
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
~  
[root@rs2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2

RS上配置VIP

一定要先配置好内核参数，再配置VIP，如果先配置VIP，VIP配置好后会立即通告给所有人，而修改内核参数就是为了不通告

LVS服务器的ens160网卡的ip：192.168.100.100作为VIP

RS1：

[root@rs1 ~]# ifconfig lo 192.168.100.100/32 broadcast 192.168.100.100 netmask 255.255.255.255 up

RS2：

[root@rs2 ~]# ifconfig lo 192.168.100.100/32 broadcast 192.168.100.100 netmask 255.255.255.255 up

添加路由信息

RS1：

[root@rs1 ~]# route add -host 192.168.100.100/32 dev lo
[root@rs1 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 ens33
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 ens33
rs1.example.com 0.0.0.0         255.255.255.255 UH    0      0        0 lo
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

RS2：

[root@rs2 ~]# route add -host 192.168.100.100/32 dev lo
[root@rs2 ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 ens33
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 ens33
rs2.example.com 0.0.0.0         255.255.255.255 UH    0      0        0 lo
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

添加并保存规则

LVS-DR：

[root@lvs-dr ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@lvs-dr ~]# cd /etc/yum.repos.d/
[root@lvs-dr yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@lvs-dr yum.repos.d]# rm -rf *
[root@lvs-dr yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~   [root@lvs-dr ~]# yum -y install ipvsadm

[root@lvs-dr ~]# ipvsadm -A -t 192.168.100.100:80 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.20 -g
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.30 -g
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.100:80 rr-> 192.168.100.20:80            Route   1      0          0         -> 192.168.100.30:80            Route   1      0          0         
[root@lvs-dr ~]# vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1
~   
[root@lvs-dr ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm
[root@lvs-dr ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.

客户端验证

client：

[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 
IPADDR=192.168.100.40
PREFIX=24
~     
[root@client ~]# systemctl restart network
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1

权重论调：

LVS-DR：

[root@lvs-dr ~]# ipvsadm -C
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn

[root@lvs-dr ~]# ipvsadm -A -t 192.168.100.100:80 -s wrr
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.20 -g -w 3
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.30 -g
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.100:80 wrr-> 192.168.100.20:80            Route   3      0          0         -> 192.168.100.30:80            Route   1      0          0         
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm

client：

[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS2
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS1
[root@client ~]# curl http://192.168.100.100
RS2

TUN模式

关闭防火墙和selinux

RS1：（配置本地yum仓库，部署httpd）

[root@rs1 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs1 ~]# cd /etc/yum.repos.d/
[root@rs1 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs1 yum.repos.d]# rm -rf *
[root@rs1 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~  
[root@rs1 ~]# yum -y install httpd[root@rs1 ~]# echo RS1 > /var/www/html/index.html
[root@rs1 ~]# systemctl restart httpd
[root@rs1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

RS2：（配置本地yum仓库，部署httpd）

[root@rs2 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@rs2 ~]# cd /etc/yum.repos.d/
[root@rs2 yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@rs2 yum.repos.d]# rm -rf *
[root@rs2 yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~   
[root@rs2 ~]# yum -y install httpd[root@rs2 ~]# echo RS2 > /var/www/html/index.html
[root@rs2 ~]# systemctl restart httpd
[root@rs2 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

LVS-DR：（配置本地yum仓库）

[root@lvs-dr ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
[root@lvs-dr ~]# cd /etc/yum.repos.d/
[root@lvs-dr yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo
[root@lvs-dr yum.repos.d]# rm -rf *
[root@lvs-dr yum.repos.d]# vim sy.repo
[aa]
name=aa1
baseurl=file:///mnt
enabled=1
gpgcheck=0
~

LVS-DR：修改内核参数，开启IP转发

[root@lvs-dr ~]# vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1
~ 
[root@lvs-dr ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@lvs-dr ~]# yum -y install ipvsadm
[root@lvs-dr ~]# ifconfig tunl0 192.168.100.55 broadcast 192.168.100.55 netmask 255.255.255.255 up

启用ipip模块

RS1：

[root@rs1 ~]# lsmod | grep ipip
[root@rs1 ~]# modprobe ipip
[root@rs1 ~]# lsmod | grep ipip
ipip                   13465  0 
tunnel4                13252  1 ipip
ip_tunnel              25163  1 ipip
[root@rs1 ~]# ifconfig tunl0 192.168.100.55 broadcast 192.168.100.55 netmask 255.255.255.255 up

RS2：

[root@rs2 ~]# modprobe ipip
[root@rs2 ~]# ifconfig tunl0 192.168.100.55 broadcast 192.168.100.55 netmask 255.255.255.255 up

修改内核参数为：

RS1：

[root@rs1 ~]# vim /etc/sysctl.conf 
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
~   
[root@rs1 ~]# sysctl -p
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

RS2：

[root@rs2 ~]# vim /etc/sysctl.conf 
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
~ 
[root@rs2 ~]# sysctl -p
net.ipv4.conf.tunl0.arp_ignore = 1
net.ipv4.conf.tunl0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.tunl0.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

DR上添加规则：
LVS-DR：

[root@lvs-dr ~]# ipvsadm -A -t 192.168.100.55:80 -s rr
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.55:80 -r 192.168.100.20 -i
[root@lvs-dr ~]# ipvsadm -a -t 192.168.100.55:80 -r 192.168.100.30 -i
[root@lvs-dr ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.55:80 rr-> 192.168.100.20:80            Tunnel  1      0          0         -> 192.168.100.30:80            Tunnel  1      0          0         
[root@lvs-dr ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs-dr ~]# systemctl restart ipvsadm
[root@lvs-dr ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.

客户端验证：
client：

[root@client ~]# curl http://192.168.100.55
RS2
[root@client ~]# curl http://192.168.100.55
RS1
[root@client ~]# curl http://192.168.100.55
RS2
[root@client ~]# curl http://192.168.100.55
RS1

查看全文

http://www.dtcms.com/a/398211.html