
1.7 LVS: Persistent Connections (persistence)

 

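Persistent connection template: regardless of which scheduling algorithm is in use, requests from the same source address are always sent to the same RS for a period of time.

~]# ipvsadm -A|E -t|u|f service-address [-s scheduler] [-p [timeout]]

Port affinity:
Per-port persistence: each port is defined as its own cluster service, and each cluster service is scheduled separately.
Per-firewall-mark persistence: the cluster service is defined on a firewall mark, so applications on several ports can be scheduled together; this is the so-called 'port affinity'.
Per-client persistence: the cluster service is defined on port 0, i.e. a client's requests to all applications are all scheduled to the backend hosts; it must be defined in persistent mode.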

**************************

This test continues in the environment from <1.6 LVS and Firewall Marks>.
LVS runs in lvs-dr mode; the network topology is:

Client ---> Router ---> Switch ---> (physical adapter:0 VIP) Virtual Server (DIP)
                           |
                           |
                           |---------(RIP1) Real Server 1 (lo:0 VIP)
                           |
                           |---------(RIP2) Real Server 2 (lo:0 VIP)
               
VS, RS1 and RS2 are on the same network.

DIP:  192.168.206.55                                physical adapter:0 (VIP): 192.168.206.200
RIP1: 192.168.206.66 (apache: http, https)          lo:0 (VIP): 192.168.206.200
RIP2: 192.168.206.99 (nginx: http, https)           lo:0 (VIP): 192.168.206.200

GATEWAY: 192.168.206.2

Firewall marking is already enabled on the VS:

~]# iptables -F
~]# iptables -t mangle -A PREROUTING -d 192.168.206.200 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 5

Check the current LVS state:

~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  5 rr
  -> 192.168.206.66:0             Route   1      0          0         
  -> 192.168.206.99:0             Route   1      0          0   

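Switch the LVS service to persistent connections (combined with the firewall mark). Because `-E` is run here without `-s`, the listing afterwards shows ipvsadm's default scheduler wlc instead of rr, and `-p` without a value gives the 360-second timeout shown: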

~]# ipvsadm -E -f 5 -p
~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  5 wlc persistent 360
  -> 192.168.206.66:0             Route   1      0          0         
  -> 192.168.206.99:0             Route   1      0          0  


Test:

~]# for i in {1..10}; do curl http://192.168.206.200; curl --cacert cacert.pem https://192.168.206.200;done
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>

********************************

Note: a firewall mark binds the specified service ports; the test below instead binds all service ports of the backend RSs at once.

First clear the ipvs configuration created above:

]# ipvsadm -C

]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn

Without firewall marks, bind all service ports of the backend RSs at once:

~]# ipvsadm -A -t 192.168.206.200:0 -s rr -p

~]# ipvsadm -a -t 192.168.206.200:0 -r 192.168.206.66 -g
~]# ipvsadm -a -t 192.168.206.200:0 -r 192.168.206.99 -g


~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.206.200:0 rr persistent 360
  -> 192.168.206.66:0             Route   1      0          0
  -> 192.168.206.99:0             Route   1      0          0


Test 1:

~]# for i in {1..10}; do curl http://192.168.206.200; curl --cacert cacert.pem https://192.168.206.200;done
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>
<h2> hello 192.168.206.99 ..........  </h2>

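Test 2: once the VS has bound all service ports of the backend RSs at once, a remote connection made from another client to the VIP address does not land on the VS host but on one of the backend RSs.
In other words, after all service ports are bound in one step, every access to the VS through the VIP is forwarded to the backend servers.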
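
Test 2 means that a port-0 service forwards a TCP connection to the VIP on any port to a backend RS, so a director's configuration is worth checking for such entries. The following shell function is an added example, not part of the original post: it reads `ipvsadm -ln` output and labels each virtual service. The names `sample_listing` and `audit_ipvs`, the verdict labels, and the port-80 entry in the sample are assumptions made for illustration.

```shell
# Added example: flag IPVS virtual services defined on port 0.
# Constructed listing: the FWM 5 and :0 entries are the ones shown on this
# page, merged into one listing; the :80 entry is made up for contrast.
sample_listing() {
cat <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  5 wlc persistent 360
  -> 192.168.206.66:0             Route   1      0          0
  -> 192.168.206.99:0             Route   1      0          0
TCP  192.168.206.200:0 rr persistent 360
  -> 192.168.206.66:0             Route   1      0          0
  -> 192.168.206.99:0             Route   1      0          0
TCP  192.168.206.200:80 rr
  -> 192.168.206.66:80            Route   1      0          0
EOF
}

# audit_ipvs: reads `ipvsadm -ln` text on stdin and prints one line per service:
#   <verdict> <proto> <service> timeout=<seconds|-> rs=<comma-separated RS list>
# ALLPORTS = TCP/UDP service on port 0 (every port of the VIP is forwarded),
# FWMARK   = ports are decided by the iptables MARK rule, review that rule,
# OK       = service bound to one explicit port.
audit_ipvs() {
  awk '
    function emit() {
      if (svc != "") printf "%s %s %s timeout=%s rs=%s\n", verdict, proto, svc, tmo, rs
    }
    $1 == "TCP" || $1 == "UDP" || $1 == "FWM" {
      emit()
      proto = $1; svc = $2; rs = ""; tmo = "-"
      for (i = 3; i < NF; i++) if ($i == "persistent") tmo = $(i + 1)
      if (proto == "FWM") verdict = "FWMARK"
      else if (svc ~ /:0$/) verdict = "ALLPORTS"
      else verdict = "OK"
      next
    }
    $1 == "->" && $2 != "RemoteAddress:Port" && svc != "" {
      sub(/:[0-9]+$/, "", $2)            # keep only the RS address
      rs = (rs == "" ? $2 : rs "," $2)
    }
    END { emit() }
  '
}

# On a director: ipvsadm -ln | audit_ipvs
sample_listing | audit_ipvs
```

For each FWMARK line, the ports actually exposed are those matched by the mangle-table rule that sets the mark (here `--dports 80,443`), so that rule is the place to review.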
