When a company's traffic is small, a single server is enough to run the business. As the business grows, the problems of a single server become apparent:
- When the server goes down, the service is interrupted
- As load increases, the performance of a single server degrades; how do you transparently add servers and bandwidth to increase throughput?
A load balancer solves both problems.
1 Load balancer topology
Following the topology diagram, this article builds a load balancer with haproxy and keepalived.
2 Preparation
2.1 Environment
Prepare five CentOS 7.3 hosts and one VIP address:
- One spare IP address to use as the virtual IP (VIP):
  - VIP: 192.168.1.100
- Two hosts for the load balancer, in a master/backup pair
  - lb1 (master by default): 192.168.1.101
  - lb2 (backup by default): 192.168.1.102
- IP addresses of the hosts in the backend server pool
  - s1: 192.168.1.2
  - s2: 192.168.1.3
  - s3: 192.168.1.4
2.2 Host configuration
2.2.1 Stop the firewall on all hosts
systemctl stop firewalld
systemctl disable firewalld
2.2.2 Disable SELinux on all hosts
setenforce 0
vi /etc/selinux/config
SELINUX=disabled
2.3 Install haproxy and keepalived
Install haproxy and keepalived on lb1 and lb2
yum install haproxy keepalived -y
2.4 Install nginx (optional)
Install nginx on s1, s2 and s3 to serve as the backend; if you already have another backend application, this step can be skipped
yum install epel-release -y
yum install nginx -y
2.5 Configure keepalived
Keepalived is a high-availability solution built on VRRP (Virtual Router Redundancy Protocol); it achieves high availability through a VIP (virtual IP) and heartbeat checks.
Keepalived has two roles, Master and Backup. Normally there is one Master and one or more Backups.
The Master binds the VIP to its own network interface and serves traffic. Master and Backup check each other's state at regular intervals; when the Master becomes unavailable, the Backup notifies the gateway (by gratuitous ARP) and binds the VIP to its own interface, so the service continues without interruption.
2.5.1 Configure the Master
Edit /etc/keepalived/keepalived.conf on lb1 (192.168.1.101)
! Configuration File for keepalived
global_defs {
    # Notification e-mail settings
    notification_email {
        # When this node loses or takes over the VIP, a notification is sent to your-email@qq.com
        your-email@qq.com
    }
    # Sender address
    notification_email_from keepalived@qq.com
    # Mail server address
    smtp_server 127.0.0.1
    # Mail server connection timeout (seconds)
    smtp_connect_timeout 30
    # Identifier of this node, used in the subject of notification mails
    router_id LVS_DEVEL
}
vrrp_instance VI_1 {
    # MASTER on the master node, BACKUP on the backup node
    state MASTER
    # Interface the instance binds to; find the interface name with ip a
    interface eno16777984
    # Virtual router ID, a number from 1 to 255; master and backup of the same VRRP instance must use the same ID
    virtual_router_id 88
    # Priority, the higher number wins; within an instance the master must have a higher priority than the backup
    priority 100
    # Interval between VRRP advertisements between master and backup, in seconds
    advert_int 1
    # Authentication type and password
    authentication {
        # Two authentication types exist: PASS and AH
        auth_type PASS
        # Password; master and backup of the same instance must use the same one (keepalived uses only the first 8 characters)
        auth_pass 11111111
    }
    # Virtual IP addresses; there can be several, one per line
    virtual_ipaddress {
        192.168.1.100
    }
}
virtual_server 192.168.1.100 443 {
    # Health check interval (seconds)
    delay_loop 6
    # Scheduling algorithm
    # Doc: http://www.keepalived.org/doc/scheduling_algorithms.html
    # Round Robin (rr)
    # Weighted Round Robin (wrr)
    # Least Connection (lc)
    # Weighted Least Connection (wlc)
    # Locality-Based Least Connection (lblc)
    # Locality-Based Least Connection with Replication (lblcr)
    # Destination Hashing (dh)
    # Source Hashing (sh)
    # Shortest Expected Delay (sed)
    # Never Queue (nq)
    # Overflow-Connection (ovf)
    lb_algo rr
    lb_kind NAT
    persistence_timeout 50
    protocol TCP
    # Real servers behind the virtual server; the scheduling algorithm above distributes connections among them
    # Each real server is health-checked periodically; one that fails its check is taken out of rotation until it recovers
    real_server 192.168.1.101 443 {
        weight 1
        TCP_CHECK {
            # Port the health check connects to
            connect_port 443
            # Connection timeout (seconds)
            connect_timeout 3
        }
    }
    real_server 192.168.1.102 443 {
        weight 1
        TCP_CHECK {
            connect_port 443
            connect_timeout 3
        }
    }
}
2.5.2 Configure the Backup
Edit /etc/keepalived/keepalived.conf on lb2 (192.168.1.102); apart from state and priority it is identical to the master's
! Configuration File for keepalived
global_defs {
    # Notification e-mail settings
    notification_email {
        # When this node loses or takes over the VIP, a notification is sent to your-email@qq.com
        your-email@qq.com
    }
    # Sender address
    notification_email_from keepalived@qq.com
    # Mail server address
    smtp_server 127.0.0.1
    # Mail server connection timeout (seconds)
    smtp_connect_timeout 30
    # Identifier of this node, used in the subject of notification mails
    router_id LVS_DEVEL
}
vrrp_instance VI_1 {
    # MASTER on the master node, BACKUP on the backup node
    state BACKUP
    # Interface the instance binds to; find the interface name with ip a
    interface eno16777984
    # Virtual router ID, a number from 1 to 255; master and backup of the same VRRP instance must use the same ID
    virtual_router_id 88
    # Priority, the higher number wins; within an instance the master must have a higher priority than the backup
    priority 99
    # Interval between VRRP advertisements between master and backup, in seconds
    advert_int 1
    # Authentication type and password
    authentication {
        # Two authentication types exist: PASS and AH
        auth_type PASS
        # Password; master and backup of the same instance must use the same one (keepalived uses only the first 8 characters)
        auth_pass 11111111
    }
    # Virtual IP addresses; there can be several, one per line
    virtual_ipaddress {
        192.168.1.100
    }
}
virtual_server 192.168.1.100 443 {
    # Health check interval (seconds)
    delay_loop 6
    # Scheduling algorithm
    # Doc: http://www.keepalived.org/doc/scheduling_algorithms.html
    # Round Robin (rr)
    # Weighted Round Robin (wrr)
    # Least Connection (lc)
    # Weighted Least Connection (wlc)
    # Locality-Based Least Connection (lblc)
    # Locality-Based Least Connection with Replication (lblcr)
    # Destination Hashing (dh)
    # Source Hashing (sh)
    # Shortest Expected Delay (sed)
    # Never Queue (nq)
    # Overflow-Connection (ovf)
    lb_algo rr
    lb_kind NAT
    persistence_timeout 50
    protocol TCP
    # Real servers behind the virtual server; the scheduling algorithm above distributes connections among them
    # Each real server is health-checked periodically; one that fails its check is taken out of rotation until it recovers
    real_server 192.168.1.101 443 {
        weight 1
        TCP_CHECK {
            # Port the health check connects to
            connect_port 443
            # Connection timeout (seconds)
            connect_timeout 3
        }
    }
    real_server 192.168.1.102 443 {
        weight 1
        TCP_CHECK {
            connect_port 443
            connect_timeout 3
        }
    }
}
2.6 Configure haproxy
Edit /etc/haproxy/haproxy.cfg on both lb1 (192.168.1.101) and lb2 (192.168.1.102)
Add the backend server IPs (192.168.1.2, 192.168.1.3, 192.168.1.4) to the backend section
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
listen stats
    bind *:9000
    mode http
    stats enable
    stats hide-version
    stats uri /stats
    stats refresh 30s
    stats realm Haproxy\ Statistics
    # replace these default credentials: the page reveals backend addresses and health state
    stats auth admin:admin
frontend k8s-api
    bind *:443
    mode tcp
    option tcplog
    # wait up to 5s for a TLS ClientHello before handing the connection to the backend
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend k8s-api-backend
backend k8s-api-backend
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    # TLS is passed through unchanged, so the backends must terminate it themselves on 443
    # (nginx with the certificate from section 2.7); the addresses match section 2.1
    server master1 192.168.1.2:443 maxconn 1024 weight 5 check
    server master2 192.168.1.3:443 maxconn 1024 weight 5 check
    server master3 192.168.1.4:443 maxconn 1024 weight 5 check
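The stats socket configured in the global section gives the same backend health information as the :9000 web page, but it is a local Unix socket and carries no password to leak. The script below is an added example, not part of the original post: it parses `show stat` CSV output and lists every real server whose status is not UP. Without `--live` it works on a constructed sample embedded in the script; with `--live` it reads the running HAProxy through socat, which the post's steps do not install.

```shell
#!/bin/sh
# Added example (not from the original post): read backend health from the
# HAProxy stats socket configured above (stats socket /var/lib/haproxy/stats)
# instead of the password-protected web page. Without --live it parses the
# constructed `show stat` sample below, so it can be run anywhere.

STATS_SOCKET="/var/lib/haproxy/stats"

# Constructed sample of `show stat` CSV. Real output has many more columns;
# only the first 18 are kept here, and column 18 is "status".
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status
k8s-api,FRONTEND,,,0,3,4096,12,1000,2000,0,0,0,,,,,OPEN
k8s-api-backend,master1,0,0,0,1,,4,300,600,,0,,0,0,0,0,UP
k8s-api-backend,master2,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN
k8s-api-backend,master3,0,0,0,2,,8,700,1400,,0,,0,0,0,0,UP
k8s-api-backend,BACKEND,0,0,0,3,410,12,1000,2000,0,0,,0,0,0,0,UP'

# unhealthy_servers CSV -> one "backend/server STATUS" line per real server
# whose status is not UP; FRONTEND and BACKEND summary rows are skipped
unhealthy_servers() {
    printf '%s\n' "$1" | awk -F, '
        /^#/ { next }
        $2 == "FRONTEND" || $2 == "BACKEND" { next }
        $18 != "UP" { print $1 "/" $2 " " $18 }'
}

# healthy_count CSV -> number of real servers whose status is UP
healthy_count() {
    printf '%s\n' "$1" | awk -F, '
        /^#/ { next }
        $2 == "FRONTEND" || $2 == "BACKEND" { next }
        $18 == "UP" { n++ }
        END { print n + 0 }'
}

# live_stat -> current CSV from the running HAProxy; needs socat (not
# installed by the steps in this post) and read access to the socket
live_stat() {
    echo "show stat" | socat stdio "$STATS_SOCKET"
}

if [ "${1:-}" = "--live" ]; then
    stat=$(live_stat)
else
    stat="$SAMPLE_STAT"
fi
echo "backend servers UP: $(healthy_count "$stat")"
unhealthy_servers "$stat" | sed 's/^/NOT UP: /'
```

Run it on lb1 or lb2 as a user that can read the socket (the `user haproxy` line above means root or the haproxy user); a non-empty `NOT UP:` line is the signal that the `check` on a `server` line has failed and that server is out of rotation.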
2.7 Configure nginx
Add an SSL certificate to nginx (the configuration steps are omitted here)
vi /usr/share/nginx/html/index.html
Change the string Welcome to nginx in index.html to Welcome to nginx HA
3 Start the services
3.1 Start nginx
sudo systemctl start nginx
sudo systemctl enable nginx
3.2 Start haproxy
sudo systemctl start haproxy
sudo systemctl enable haproxy
3.3 Start keepalived
sudo systemctl start keepalived
sudo systemctl enable keepalived
Run ip a on the MASTER
eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:xx:xx:xx:3d:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.1.101/24 brd 192.168.1.255 scope global eno16777984
valid_lft forever preferred_lft forever
inet 192.168.1.100/32 scope global eno16777984
valid_lft forever preferred_lft forever
inet6 eeee:eeee:1c9d:2009:250:56ff:fe9c:3d0c/64 scope global noprefixroute dynamic
valid_lft 7171sec preferred_lft 7171sec
inet6 eeee::250:56ff:eeee:3d0c/64 scope link
valid_lft forever preferred_lft forever
The VIP (192.168.1.100) has been bound:
inet 192.168.1.100/32 scope global eno16777984
valid_lft forever preferred_lft forever
If the VIP cannot be bound
vi /etc/sysctl.conf
add these two lines
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
and apply the new settings
sysctl -p
4 Verification
4.1 Check status
1. Open http://192.168.1.100:9000/stats in a browser to view the haproxy status
2. Open https://192.168.1.100 in a browser to check the service
It should show the nginx welcome page
4.2 Master/backup failover
1. Open https://192.168.1.100 in a browser and confirm that the nginx welcome page is shown
2. Shut down lb1 (192.168.1.101) and check whether https://192.168.1.100 is still reachable; if it is, the VIP has moved to the backup
3. Run ip a on lb2 (192.168.1.102) and check that the VIP (192.168.1.100) is bound to its interface
4. Start lb1 (192.168.1.101) again
This verifies that the VIP moves back to the MASTER (the MASTER's configuration has priority 100 and the BACKUP's 99; keepalived's checks automatically bind the VIP to the host with the higher priority)
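The browser checks above show whether the page loads, but not whether the VIP is where it should be. The script below is an added example, not part of the original post: from `ip -4 -o addr show` output of both balancers it reports which node holds the VIP and flags the two states a page load cannot distinguish, no holder at all and both nodes holding it at once (split-brain). Split-brain is what you get when lb1 and lb2 stop seeing each other's VRRP advertisements (IP protocol 112 to 224.0.0.18), for instance if firewalld is later re-enabled without a rule for VRRP; both then believe they are MASTER. Without `--live` the script runs on constructed samples; `--live` fetches real listings over SSH and assumes key-based root SSH to both balancers, which the post does not set up.

```shell
#!/bin/sh
# Added example (not from the original post): work out which balancer holds
# the VIP from `ip -4 -o addr show` output and flag the two failure modes a
# manual browser check can miss: neither node holds the VIP, or both do
# (split-brain, seen when VRRP advertisements between lb1 and lb2 are
# blocked). The address listings below are constructed samples; --live
# fetches real ones over SSH (key-based root SSH is assumed; the post does
# not set it up).

VIP="192.168.1.100"
LB1="192.168.1.101"
LB2="192.168.1.102"

# Constructed samples in `ip -4 -o addr show` format
LB1_MASTER='2: eno16777984    inet 192.168.1.101/24 brd 192.168.1.255 scope global eno16777984
2: eno16777984    inet 192.168.1.100/32 scope global eno16777984'
LB2_BACKUP='2: eno16777984    inet 192.168.1.102/24 brd 192.168.1.255 scope global eno16777984'
LB2_MASTER='2: eno16777984    inet 192.168.1.102/24 brd 192.168.1.255 scope global eno16777984
2: eno16777984    inet 192.168.1.100/32 scope global eno16777984'
LB1_DOWN=''   # host powered off: no output at all

# holds_vip OUTPUT -> exit 0 when OUTPUT lists the VIP as an inet address
holds_vip() {
    printf '%s\n' "$1" | grep -Fq "inet $VIP/"
}

# vip_state LB1_OUTPUT LB2_OUTPUT -> lb1 | lb2 | split-brain | none
vip_state() {
    a=0; b=0
    holds_vip "$1" && a=1
    holds_vip "$2" && b=1
    case "$a$b" in
        10) echo lb1 ;;
        01) echo lb2 ;;
        11) echo split-brain ;;
        *)  echo none ;;
    esac
}

# live_addrs HOST -> IPv4 addresses configured on HOST (empty if unreachable)
live_addrs() {
    ssh -o ConnectTimeout=5 "root@$1" ip -4 -o addr show 2>/dev/null || true
}

if [ "${1:-}" = "--live" ]; then
    state=$(vip_state "$(live_addrs "$LB1")" "$(live_addrs "$LB2")")
else
    state=$(vip_state "$LB1_MASTER" "$LB2_BACKUP")
fi
echo "VIP $VIP is held by: $state"
case "$state" in
    split-brain|none)
        echo "failover is not healthy: check that lb1 and lb2 can exchange VRRP" \
             "(IP protocol 112 to 224.0.0.18) and read journalctl -u keepalived" >&2
        exit 2 ;;
esac
```

Run it with `--live` at each step of section 4.2: the expected sequence is `lb1`, then `lb2` after lb1 is shut down, then `lb1` again once lb1 is back, because its priority of 100 beats the backup's 99. An exit status of 2 from a cron job or monitoring check is the practical way to notice split-brain, which otherwise goes unseen since the page keeps loading from whichever node answers the ARP first.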