Testing showed that in DR mode and TUN mode the IP packets returned by the Web Server cannot pass through the AWS VPC gateway, so only NAT mode is workable.
LVS+Keepalived architecture
LVS+Keepalived
EC2 instances
Name | Instance ID | Public IPv4 | Private IP | Notes
---|---|---|---|---
EC2_01 | i-0260f608cf698958c | 18.223.43.247 | 10.0.0.36 | LVS Master
EC2_01 | | 18.223.129.244 | 10.0.0.100 | Elastic IP bound to the secondary private IP (the VIP)
EC2_02 | i-0f74aba2dc5e49679 | 18.216.101.69 | 10.0.0.56 | LVS Backup
EC2_02 | | | | Takes over the Elastic IP / VIP when it becomes MASTER
EC2_03 | i-04cbd780d34525342 | 18.188.155.29 | 10.0.0.80 | Nginx HTTP Web Server
EC2_04 | i-08506e354ce830468 | 18.217.52.127 | 10.0.0.194 | Nginx HTTP Web Server
I. Edit the system configuration file: vim /etc/sysctl.conf
On the EC2_01 and EC2_02 instances change the following:
# Uncomment the next line to enable packet forwarding for IPv4
# Enable IPv4 packet forwarding (the LVS director must forward)
net.ipv4.ip_forward=1
# Allow binding to an IP that is not (yet) configured on this host, so the VIP can be bound before failover completes
net.ipv4.ip_nonlocal_bind=1
On the EC2_03 and EC2_04 instances change the following:
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
# Note: the Ubuntu comment above refers to the value 1; the three lines below
# set 0, which turns reverse-path filtering OFF on the real servers.
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
Apply the configuration file immediately:
$ sudo sysctl -p
Reference:
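The two sysctl profiles above are easy to get wrong in the opposite direction (forwarding left off on a director, rp_filter re-enabled on a real server). Below is an added checker, not part of the original post, that reads a sysctl.conf-style file and verifies the keys this post requires for a given role; the sample files it checks are constructed for the offline run.

```shell
#!/bin/sh
# Added example (not part of the original post): check that a sysctl.conf-style
# file carries the settings this post requires for each node role, so a
# director with forwarding left off or a real server still running rp_filter=1
# is caught before the cluster is brought up. Parsing follows sysctl's own
# rules: '#' starts a comment, whitespace around '=' is ignored, and the last
# occurrence of a key wins.

# expected_settings ROLE -> prints the "key=value" pairs required for ROLE
expected_settings() {
    case "$1" in
        director)    # EC2_01 / EC2_02: forward packets and allow binding the VIP early
            printf '%s\n' net.ipv4.ip_forward=1 net.ipv4.ip_nonlocal_bind=1 ;;
        realserver)  # EC2_03 / EC2_04: reverse-path filter off on every interface
            printf '%s\n' net.ipv4.conf.default.rp_filter=0 \
                          net.ipv4.conf.all.rp_filter=0 \
                          net.ipv4.conf.eth0.rp_filter=0 ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
}

# lookup_setting FILE KEY -> prints the effective value of KEY in FILE (empty if unset)
lookup_setting() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# check_sysctl_role FILE ROLE -> 0 when every required key has the required
# value, 1 when any is missing or wrong (one MISMATCH line per problem)
check_sysctl_role() {
    file=$1; role=$2; rc=0
    expected_settings "$role" >/dev/null || return 2
    for kv in $(expected_settings "$role"); do
        key=${kv%%=*}; want=${kv#*=}
        got=$(lookup_setting "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not copied from any real host) for an offline run.
tmpdir=$(mktemp -d)
cat > "$tmpdir/director.conf" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
net.ipv4.ip_nonlocal_bind = 1
EOF
cat > "$tmpdir/realserver_bad.conf" <<'EOF'
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0   # rp_filter off on all ...
net.ipv4.conf.eth0.rp_filter=1  # ... but someone re-enabled it on eth0
EOF

check_sysctl_role "$tmpdir/director.conf" director && echo "director.conf: OK"
check_sysctl_role "$tmpdir/realserver_bad.conf" realserver || echo "realserver_bad.conf: FAIL"
```

Run it as `check_sysctl_role /etc/sysctl.conf director` on EC2_01/EC2_02 and with `realserver` on EC2_03/EC2_04; it checks the file, not the live kernel, so pair it with `sysctl -p` afterwards.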
II. Download and install Keepalived and related software
# 1. Update the apt package lists and packages
apt-get update && apt-get upgrade
# 2. Install the required packages
apt-get install -y libssl-dev openssl libpopt-dev
apt install jq
apt install awscli
# 3. Configure the AWS CLI
$ aws configure
AWS Access Key ID [None]: # AWS access key ID
AWS Secret Access Key [None]: # AWS secret access key
Default region name [None]: us-east-1 # default region, US East (N. Virginia), us-east-1
Default output format [None]: json # default output format
# 4. Download and install Keepalived
apt-get install keepalived
# 5. Check the installed Keepalived version
keepalived --version
Keepalived v1.3.9 (10/21,2017)
...
III. The keepalived.conf configuration file
1. keepalived.conf on EC2_01
! Configuration File for keepalived
# Global settings
global_defs {
# Mail notification settings
notification_email {
testuser@163.com
}
notification_email_from andywhm@163.com
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_Master
# Notify-script settings
script_user root # run the notify scripts as root
enable_script_security # refuse to run scripts whose path is writable by non-root users
}
# VRRP instance Group_LVS_1
vrrp_instance Group_LVS_1 {
state MASTER # this node starts as master
interface eth0
virtual_router_id 51 # virtual router ID, must match on both nodes
priority 100 # the higher the number, the higher the priority
advert_int 1 # interval in seconds between VRRP advertisements
track_interface {
eth0
}
# VRRP multicast is blocked on AWS, so the heartbeat is configured as unicast
unicast_src_ip 10.0.0.36 # this node's IP
unicast_peer { # peer node's IP
10.0.0.56
}
# nopreempt # disable preemption in the HA cluster
# preempt_delay 300 # preemption delay in seconds
authentication { # authentication type and password
auth_type PASS
auth_pass 123456
}
virtual_ipaddress { # virtual IP address
10.0.0.100
}
# Scripts that move the virtual IP on a state change
notify_master "/etc/keepalived/scripts/assign_private_ip.sh eipalloc-09ce336dc7a1e8da7 10.0.0.100 i-0260f608cf698958c"
notify_backup "/etc/keepalived/scripts/unassign_private_ip.sh eipalloc-09ce336dc7a1e8da7 10.0.0.100 i-0260f608cf698958c"
}
# LVS virtual server
virtual_server 10.0.0.100 80 {
delay_loop 6 # health-check interval in seconds
lb_algo rr # LVS scheduling algorithm, rr = round robin
lb_kind DR # LVS forwarding mode: NAT, TUN or DR (the test at the top of this post found only NAT workable on AWS)
protocol TCP # forwarded protocol, TCP
persistence_timeout 60 # session persistence time in seconds
# Real server Nginx 1
real_server 10.0.0.80 80 {
weight 3
inhibit_on_failure
TCP_CHECK {
connect_timeout 10 # connect timeout in seconds
retry 3 # retries after a timeout
delay_before_retry 3 # delay between retries in seconds
connect_port 80
}
}
# Real server Nginx 2
real_server 10.0.0.194 80 {
weight 3
inhibit_on_failure
TCP_CHECK {
connect_timeout 10
retry 3
delay_before_retry 3
connect_port 80
}
}
}
2. keepalived.conf on EC2_02
! Configuration File for keepalived
# Global settings
global_defs {
# Mail notification settings
notification_email {
testuser@163.com
}
notification_email_from andywhm@163.com
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_Master
# Notify-script settings
script_user root # run the notify scripts as root
enable_script_security # refuse to run scripts whose path is writable by non-root users
}
# VRRP instance Group_LVS_1
vrrp_instance Group_LVS_1 {
state BACKUP # this node starts as backup
interface eth0
virtual_router_id 51 # virtual router ID, must match on both nodes
priority 90 # the higher the number, the higher the priority
advert_int 1 # interval in seconds between VRRP advertisements
track_interface {
eth0
}
# VRRP multicast is blocked on AWS, so the heartbeat is configured as unicast
unicast_src_ip 10.0.0.56 # this node's IP
unicast_peer { # peer node's IP
10.0.0.36
}
# nopreempt # disable preemption in the HA cluster
# preempt_delay 300 # preemption delay in seconds
authentication { # authentication type and password
auth_type PASS
auth_pass 123456
}
virtual_ipaddress { # virtual IP address
10.0.0.100
}
# Scripts that move the virtual IP on a state change
notify_master "/etc/keepalived/scripts/assign_private_ip.sh eipalloc-09ce336dc7a1e8da7 10.0.0.100 i-0f74aba2dc5e49679"
notify_backup "/etc/keepalived/scripts/unassign_private_ip.sh eipalloc-09ce336dc7a1e8da7 10.0.0.100 i-0f74aba2dc5e49679"
}
# LVS virtual server
virtual_server 10.0.0.100 80 {
delay_loop 6 # health-check interval in seconds
lb_kind DR # LVS forwarding mode: NAT, TUN or DR
lb_algo rr # LVS scheduling algorithm, rr = round robin
protocol TCP # forwarded protocol, TCP
persistence_timeout 60 # session persistence time in seconds
# Real server Nginx 1
real_server 10.0.0.80 80 {
weight 3
inhibit_on_failure
TCP_CHECK {
connect_timeout 10 # connect timeout in seconds
retry 3 # retries after a timeout
delay_before_retry 3 # delay between retries in seconds
connect_port 80
}
}
# Real server Nginx 2
real_server 10.0.0.194 80 {
weight 3
inhibit_on_failure
TCP_CHECK {
connect_timeout 10
retry 3
delay_before_retry 3
connect_port 80
}
}
}
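The two configurations above differ only in state, priority, the unicast addresses and the instance id in the notify scripts, and a unicast VRRP pair fails silently (two MASTERs, or no failover) when any of those is mis-copied. Below is an added checker, not part of the original post, that extracts the keywords used in these files and verifies the pair is mutually consistent; the sample files it checks are constructed here, with the post's addresses as values.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a MASTER/BACKUP
# keepalived.conf pair before deploying it. Unicast VRRP only fails over
# correctly when each node lists the other as its unicast_peer, both share
# virtual_router_id, auth_pass and the VIP, and the MASTER carries the higher
# priority. The checker reads the keywords this post's configs use; the
# sample files are constructed, with the post's addresses as values.

# conf_value FILE KEY -> value of the first "KEY value" line (trailing comments ignored)
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# conf_block_first FILE BLOCK -> first entry inside "BLOCK { ... }"
conf_block_first() {
    awk -v b="$2" '$1 == b && $2 == "{" { getline; print $1; exit }' "$1"
}

# check_vrrp_pair MASTER_CONF BACKUP_CONF -> 0 if consistent, 1 otherwise,
# printing one line per problem found
check_vrrp_pair() {
    m=$1; b=$2; rc=0
    [ "$(conf_value "$m" state)" = MASTER ] || { echo "$m: state is not MASTER"; rc=1; }
    [ "$(conf_value "$b" state)" = BACKUP ] || { echo "$b: state is not BACKUP"; rc=1; }
    [ "$(conf_value "$m" virtual_router_id)" = "$(conf_value "$b" virtual_router_id)" ] ||
        { echo "virtual_router_id differs"; rc=1; }
    [ "$(conf_value "$m" priority)" -gt "$(conf_value "$b" priority)" ] 2>/dev/null ||
        { echo "MASTER priority is not higher than BACKUP priority"; rc=1; }
    [ "$(conf_value "$m" unicast_src_ip)" = "$(conf_block_first "$b" unicast_peer)" ] ||
        { echo "$b: unicast_peer is not the MASTER's unicast_src_ip"; rc=1; }
    [ "$(conf_value "$b" unicast_src_ip)" = "$(conf_block_first "$m" unicast_peer)" ] ||
        { echo "$m: unicast_peer is not the BACKUP's unicast_src_ip"; rc=1; }
    [ "$(conf_value "$m" auth_pass)" = "$(conf_value "$b" auth_pass)" ] ||
        { echo "auth_pass differs"; rc=1; }
    [ "$(conf_block_first "$m" virtual_ipaddress)" = "$(conf_block_first "$b" virtual_ipaddress)" ] ||
        { echo "virtual_ipaddress differs"; rc=1; }
    return $rc
}

# write_vrrp_conf FILE STATE PRIORITY SRC_IP PEER_IP -> constructed minimal
# vrrp_instance in the layout of the post's configs (VRID 51, VIP 10.0.0.100)
write_vrrp_conf() {
    cat > "$1" <<EOF
vrrp_instance Group_LVS_1 {
    state $2
    interface eth0
    virtual_router_id 51   # must match on both nodes
    priority $3
    unicast_src_ip $4      # this node
    unicast_peer {         # the other node
        $5
    }
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        10.0.0.100
    }
}
EOF
}

tmpdir=$(mktemp -d)
write_vrrp_conf "$tmpdir/master.conf" MASTER 100 10.0.0.36 10.0.0.56
write_vrrp_conf "$tmpdir/backup.conf" BACKUP 90 10.0.0.56 10.0.0.36
# A broken pair: the backup was copied from the master and its peer points at itself.
write_vrrp_conf "$tmpdir/backup_bad.conf" BACKUP 90 10.0.0.56 10.0.0.56

check_vrrp_pair "$tmpdir/master.conf" "$tmpdir/backup.conf" && echo "pair OK"
check_vrrp_pair "$tmpdir/master.conf" "$tmpdir/backup_bad.conf" || echo "broken pair detected"
```

Point `check_vrrp_pair` at the two real files (for example after copying them off EC2_01 and EC2_02) as a pre-deploy gate; it reads the files only and does not talk to keepalived.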
3. Shell script that takes over the IP: /etc/keepalived/scripts/assign_private_ip.sh
#!/bin/bash
###### ###### ###### ###### ###### ###### ###### ######
# Description:
#
# attaches an IP of your choice to the primary NIC of
# an instance you specify, then associates the Elastic IP with it
#
# Setup:
#
# You need, at a minimum, the following permissions:
# {
# "Statement": [
# {
# "Action": [
# "ec2:AssignPrivateIpAddresses",
# "ec2:AssociateAddress",
# "ec2:DescribeInstances"
# ],
# "Effect": "Allow",
# "Resource": "*"
# }
# ]
# }
#
# Usage:
#
# ./assign_private_ip.sh allocation_id private_ip_address instance_id
#
# Example:
# ./assign_private_ip.sh 'eipalloc-09ce336dc7a1e8da7' '10.0.0.100' 'i-100ffabd'
#
###### ###### ###### ###### ###### ###### ###### ######
# http://www.davidpashley.com/articles/writing-robust-shell-scripts/
set -o errexit
set -o nounset
ALLOCATION_ID=$1 # Elastic IP allocation ID (eipalloc-...)
PRIVATE_IP=$2
INSTANCE_ID=$3
# 1. Look up the network interface ID from the instance ID
ENI=$(\
aws ec2 describe-instances \
--instance-ids "$INSTANCE_ID" | \
jq -r \
'.Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' \
)
# 2. Assign the secondary private IP address to the interface
#    (--allow-reassignment moves it away from the other node's interface)
aws ec2 assign-private-ip-addresses \
--network-interface-id "$ENI" \
--private-ip-addresses "$PRIVATE_IP" \
--allow-reassignment
# 3. Associate the Elastic IP address with the secondary private IP address
aws ec2 associate-address \
--allocation-id "$ALLOCATION_ID" \
--network-interface-id "$ENI" \
--private-ip-address "$PRIVATE_IP" \
--allow-reassociation
echo "Adding ELASTIC IP to ENI $ENI"
4. Shell script that releases the IP: /etc/keepalived/scripts/unassign_private_ip.sh
#!/bin/bash
###### ###### ###### ###### ###### ###### ###### ######
# Description:
#
# removes a secondary private IP from the primary NIC of
# an instance you specify
#
# Setup:
#
# You need, at a minimum, the following permissions
# (add "ec2:DisassociateAddress" if step 3.1 below is enabled):
# {
# "Statement": [
# {
# "Action": [
# "ec2:UnassignPrivateIpAddresses",
# "ec2:DescribeInstances"
# ],
# "Effect": "Allow",
# "Resource": "*"
# }
# ]
# }
#
# Usage:
#
# ./unassign_private_ip.sh ASSOCIATION_ID private_ip_address instance_id
#
# Example:
# ./unassign_private_ip.sh 'eipassoc-09fe640e36c9d53b1' '10.0.0.100' 'i-100ffabd'
#
###### ###### ###### ###### ###### ###### ###### ######
# http://www.davidpashley.com/articles/writing-robust-shell-scripts/
set -o errexit
set -o nounset
ASSOCIATION_ID=$1 # only used by the optional step 3.1; the keepalived.conf above passes the allocation ID here
PRIVATE_IP=$2
INSTANCE_ID=$3
# 1. Look up the network interface ID from the instance ID
ENI=$(\
aws ec2 describe-instances \
--instance-ids "$INSTANCE_ID" | \
jq -r \
'.Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' \
)
# 2. Unassign the secondary private IP address from the interface
aws ec2 unassign-private-ip-addresses \
--network-interface-id "$ENI" \
--private-ip-addresses "$PRIVATE_IP"
# 3.1 Disassociate the Elastic IP address; this needs the association ID (eipassoc-...), not the allocation ID.
# aws ec2 disassociate-address --association-id "$ASSOCIATION_ID"
echo "Removing ELASTIC IP from ENI $ENI"
Note: the script files need their permissions set:
root@ip-10-0-0-56:/etc/keepalived# mkdir scripts
root@ip-10-0-0-56:/etc/keepalived# chmod 744 scripts/
root@ip-10-0-0-56:/etc/keepalived/scripts# vim assign_private_ip.sh
root@ip-10-0-0-56:/etc/keepalived/scripts# vim unassign_private_ip.sh
root@ip-10-0-0-56:/etc/keepalived/scripts# chmod -R 744 assign_private_ip.sh
root@ip-10-0-0-56:/etc/keepalived/scripts# chmod -R 744 unassign_private_ip.sh
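Keepalived runs the notify scripts above as root with arguments copied verbatim from keepalived.conf, and the scripts call the AWS API with whatever they are given. Below is an added, hardened variant of the `notify_master` handler, not part of the original post: it checks the shape of every argument first, resolves the ENI with the AWS CLI's own `--query`/`--output text` rather than jq, quotes every expansion, and routes the AWS calls through an overridable command so the flow can be exercised offline. The stand-in `fake_aws` function and its ENI id are constructed; the instance and allocation ids in the dry run are the post's EC2_01 values.

```shell
#!/bin/sh
# Added example (not part of the original post): a hardened variant of the
# notify_master handler. Keepalived runs notify scripts as root with
# arguments taken verbatim from keepalived.conf, so this version validates the
# shape of each argument before any API call, resolves the ENI with the AWS
# CLI's own --query/--output text instead of jq, quotes every expansion, and
# sends all AWS calls through an overridable command so the logic can be
# exercised offline. The stand-in CLI and its ENI id are constructed.

# Set AWS_CMD=aws in the environment to perform the real change.
AWS_CMD=${AWS_CMD:-fake_aws}

# is_hex_id PREFIX VALUE -> 0 when VALUE is PREFIX followed by one or more hex digits only
is_hex_id() {
    case "$2" in
        "$1" | "$1"*[!0-9a-f]*) return 1 ;;
        "$1"*) return 0 ;;
    esac
    return 1
}

# valid_ipv4 ADDR -> 0 for exactly four dot-separated octets in 0..255
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '' | *[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# validate_args ALLOCATION_ID PRIVATE_IP INSTANCE_ID -> 0 only if all three
# look like an EIP allocation id, an IPv4 address and an instance id
validate_args() {
    is_hex_id eipalloc- "$1" || { echo "bad allocation id: $1" >&2; return 1; }
    valid_ipv4 "$2"          || { echo "bad private ip: $2" >&2; return 1; }
    is_hex_id i- "$3"        || { echo "bad instance id: $3" >&2; return 1; }
}

# primary_eni INSTANCE_ID -> id of the instance's first network interface
primary_eni() {
    "$AWS_CMD" ec2 describe-instances --instance-ids "$1" \
        --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' \
        --output text
}

# take_over_vip ALLOCATION_ID PRIVATE_IP INSTANCE_ID -> moves the secondary
# private IP onto this instance's ENI and re-associates the Elastic IP with it
take_over_vip() {
    validate_args "$1" "$2" "$3" || return 1
    eni=$(primary_eni "$3")
    is_hex_id eni- "$eni" || { echo "could not resolve ENI for $3: '$eni'" >&2; return 1; }
    "$AWS_CMD" ec2 assign-private-ip-addresses --network-interface-id "$eni" \
        --private-ip-addresses "$2" --allow-reassignment || return 1
    "$AWS_CMD" ec2 associate-address --allocation-id "$1" \
        --network-interface-id "$eni" --private-ip-address "$2" \
        --allow-reassociation || return 1
    echo "VIP $2 and EIP $1 now on $eni"
}

# Constructed stand-in for the AWS CLI: answers the ENI lookup with a made-up
# id and records every other call instead of performing it.
AWS_CALL_LOG=$(mktemp)
fake_aws() {
    case "$2" in
        describe-instances) echo eni-0abc123 ;;
        *) printf 'would run: aws %s\n' "$*" >> "$AWS_CALL_LOG" ;;
    esac
}

# Dry run with the values from the post's EC2_01 notify_master line.
take_over_vip eipalloc-09ce336dc7a1e8da7 10.0.0.100 i-0260f608cf698958c && cat "$AWS_CALL_LOG"
```

To use it as the real handler, keep the same `notify_master` argument order from keepalived.conf and run with `AWS_CMD=aws`; the dry run prints the two calls it would make, which is also a convenient way to confirm the ENI lookup before trusting it in a failover.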
IV. The script file on EC2_03 and EC2_04
EC2_03 and EC2_04 run the Nginx service:
$ apt-get update && apt-get upgrade
$ apt-get install nginx
Set up the script file (/etc/init.d/lvsrs):
$ sudo -s
$ vim /etc/init.d/lvsrs
$ chmod 755 /etc/init.d/lvsrs
$ /etc/init.d/lvsrs start
The /etc/init.d/lvsrs file
#!/bin/bash
# Configure the real server's lo alias and ARP suppression for LVS DR mode
# chmod 755 /etc/init.d/lvsrs
# Start the real-server side of LVS with: /etc/init.d/lvsrs start
VIP=10.0.0.100
# Source the init helper functions where they exist (Red Hat layout); Ubuntu has no such file
[ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions
case "$1" in
start)
# Bind the VIP to a loopback alias with a /32 mask so this host accepts traffic for it
ifconfig lo:0 $VIP netmask 255.255.255.255 broadcast $VIP
/sbin/route add -host $VIP dev lo:0
# Never answer ARP for the VIP or announce it, so only the director claims the VIP on the LAN
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
sysctl -p >/dev/null 2>&1
echo "RealServer Start OK"
;;
stop)
ifconfig lo:0 down
route del $VIP >/dev/null 2>&1
# Restore the default ARP behaviour
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
echo "RealServer Stopped"
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac
exit 0