Hands-on: deploying a site that serves 2,000,000 page views a day

Installation steps:

  1. On the real servers, install Apache and PHP and deploy WordPress; put the uploads directory (where client uploads land) on NFS

  2. Deploy the MariaDB server and export the NFS directory (the same host also acts as DNS server and CA, providing name resolution and certificate issuance)

  3. Deploy the LVS cluster, using the RR and SH scheduling algorithms in turn (test both the http and the https service)

  4. Use iptables to mark client packets so that http and Telnet are load balanced at the same time

  5. Use ldirectord to monitor real-server health and take failed servers out of service

  6. Roll WordPress to a new version while the site stays under continuous access


Address plan:

  LVS: VIP=192.168.10.184    DIP=192.168.20.242

  RS1: 192.168.20.243

  RS2: 192.168.20.244

  MariaDB and NFS: 192.168.20.245

  Domain: www.ilinux.com

RS configuration (RS1; RS2 is configured identically, only RS1 is shown), CA signing and DNS configuration

  RS configuration   192.168.20.243

1. Install Apache and the required components (the CentOS stock yum repositories are used here)
    yum install httpd php php-mysql mod_ssl -y

2. Edit the relevant parts of httpd.conf
    cd /etc/httpd
    vim conf/httpd.conf
    ServerName www.ilinux.com
    DocumentRoot "/var/www/html"

3. Edit ssl.conf
    vim conf.d/ssl.conf
    DocumentRoot "/var/www/html"
    ServerName www.ilinux.com:443
    SSLCertificateFile /etc/pki/CA/httpd.crt         (path of the certificate)
    SSLCertificateKeyFile /etc/pki/CA/private/httpd.key   (path of the certificate's private key)

4. Generate the private key and the certificate signing request
    cd /etc/pki/CA/
    (umask 077; openssl genrsa -out private/httpd.key 4096)
    openssl req -new -key private/httpd.key -out httpd.csr
    {
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Bejing
    Locality Name (eg, city) [Default City]:Bejing
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:devops
    Common Name (eg, your name or your server's hostname) []:www.ilinux.com  (the Common Name must be the domain name clients use to reach the site)
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    }

5. Send the signing request to the CA server to be signed (the private key stays on the RS)
    scp httpd.csr root@192.168.20.245:/etc/pki/CA/

6. Create an index.html page (for testing)
    vim /var/www/html/index.html
    <h1> This is R1,192.168.20.243 </h1>
    systemctl start httpd

  

  CA and DNS configuration   192.168.20.245

1. Generate the CA's self-signed certificate
    cd /etc/pki/CA/
    (umask 077; openssl genrsa -out private/cakey.pem 4096)    (private/cakey.pem and cacert.pem are the paths the stock openssl.cnf makes "openssl ca" look for)
    openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    {
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Bejing
    Locality Name (eg, city) [Default City]:Bejing
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:devops
    Common Name (eg, your name or your server's hostname) []:MageEdu.com
    Email Address []:
    }
    touch index.txt
    echo 01 > serial

2. Sign the RS's certificate request on the CA server
    openssl ca -in httpd.csr -out httpd.crt -days 365
    {
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 10 02:41:27 2020 GMT
            Not After : Mar 10 02:41:27 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Bejing
            organizationName          = MageEdu
            organizationalUnitName    = devops
            commonName                = www.ilinux.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F6:74:C5:8F:B6:15:3F:44:E7:B1:9D:CA:3C:E4:E7:64:65:6B:91:5E
            X509v3 Authority Key Identifier: 
                keyid:C5:9E:C7:2A:12:73:6D:02:06:39:42:28:44:7D:31:9F:4A:85:31:72

    Certificate is to be certified until Mar 10 02:41:27 2021 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    }

3. Send the signed certificate to the RS
    scp httpd.crt root@192.168.20.243:/etc/pki/CA/



Configure the DNS server
1. Install the DNS service
    yum install bind bind-utils

2. Edit the relevant parameters of the main configuration file
    vim /etc/named.conf
    listen-on port 53 { 127.0.0.1; 192.168.20.245; };    (listen on the local addresses)
    allow-query     { any; };      (accept queries from anyone)
    dnssec-enable no;         (disable DNSSEC)
    dnssec-validation no;      (disable DNSSEC validation)

3. Add the master zone
    vim /etc/named.rfc1912.zones
    zone "ilinux.com" IN {
        type master;
        file "ilinux.com.zone";
    };

4. Add the zone data file (the notes are written as ';' comments so the file stays loadable)
    vim /var/named/ilinux.com.zone
    $TTL 3660
    $ORIGIN ilinux.com.
    @       IN      SOA     ns1     admin (
                    10      ; serial: increase it after every change so secondaries pick up the zone
                    2H      ; refresh interval for secondaries
                    10M     ; retry interval
                    1W      ; expire time
                    1D      ; minimum (negative-answer) cache TTL
                    )
    @       IN      NS      ns1.ilinux.com.
    ns1     IN      A       192.168.20.245
    www     IN      A       192.168.20.242  ; the main record points at the LVS director

5. Point the DNS server's own resolver at itself and start the service
    echo "nameserver 192.168.20.245" > /etc/resolv.conf
    systemctl restart network
    systemctl start named


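The zone file above, parsed and sanity-checked by a small script added here (it is not part of the original post and does not replace named-checkzone): it confirms that every NS at the zone apex has glue and that www resolves to the director address the page uses, 192.168.20.242. The zone text is a constructed copy of the page's file; `lvs_addr` is an assumed parameter name.

```python
# Constructed copy of the page's ilinux.com zone (author's annotations turned into ';' comments).
ZONE_TEXT = """\
$TTL 3660
$ORIGIN ilinux.com.
@       IN      SOA     ns1     admin (
                10      ; serial
                2H      ; refresh
                10M     ; retry
                1W      ; expire
                1D      ; minimum TTL
                )
@       IN      NS      ns1.ilinux.com.
ns1     IN      A       192.168.20.245
www     IN      A       192.168.20.242
"""

def parse_zone(text):
    """Parse a small BIND zone file into (origin, [(fqdn_owner, rtype, [rdata...]), ...]).
    Handles ';' comments and multi-line '( ... )' rdata, not owner-less continuation lines."""
    origin, records, buf = ".", [], ""
    for line in text.splitlines():
        buf += " " + line.split(";", 1)[0]                 # drop the comment part
        if buf.count("(") > buf.count(")"):                # still inside ( ... ), keep reading
            continue
        toks, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if toks and toks[0] == "$ORIGIN":
            origin = toks[1]
        elif toks and not toks[0].startswith("$"):         # $TTL and other directives are skipped
            name = toks[0]
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            rest = toks[2:] if toks[1] == "IN" else toks[1:]   # the class field is optional
            records.append((owner, rest[0], rest[1:]))
    return origin, records

def check_zone(text, lvs_addr):
    """Pre-load checks: one SOA, glue (an A record) for each apex NS, www -> LVS director."""
    origin, recs = parse_zone(text)
    problems = []
    if sum(1 for r in recs if r[1] == "SOA") != 1:
        problems.append("zone must contain exactly one SOA record")
    a_names = {r[0] for r in recs if r[1] == "A"}
    for owner, rtype, rdata in recs:
        if rtype == "NS" and owner == origin:
            ns = rdata[0] if rdata[0].endswith(".") else f"{rdata[0]}.{origin}"
            if ns not in a_names:
                problems.append(f"NS {ns} has no A record in the zone")
    www = [r[2][0] for r in recs if r[1] == "A" and r[0] == f"www.{origin}"]
    if www != [lvs_addr]:
        problems.append(f"www.{origin} should resolve to {lvs_addr}, found {www}")
    return problems
```

`check_zone(ZONE_TEXT, "192.168.20.242")` returns an empty list for the page's zone; pointing www elsewhere or dropping the ns1 A record produces one problem each.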

    

     RS2 configuration:  192.168.20.244

      Same as RS1; there is no need to generate a certificate, just copy RS1's certificate and private key file into the same directory on RS2

 Test:   http://192.168.20.243 and http://192.168.20.244

         https://192.168.20.243 and https://192.168.20.244

     

  MariaDB and NFS configuration    192.168.20.245

1. Install the services
    yum install mariadb-server
    yum install nfs-utils

2. Harden MariaDB and add the database and privileges
    systemctl start mariadb
    mysql_secure_installation    (hardens MariaDB: sets the root password, removes anonymous users, the test database and so on)
    vim /etc/my.cnf              (the two settings go under the [mysqld] section)
    skip_name_resolve=ON      (skip host-name resolution)
    innodb_file_per_table=ON
    :wq
    systemctl restart mariadb    (apply the my.cnf changes)
    mysql -uroot -p   (enter the root password set in the previous step)
    create database wordpress;      (create the wordpress database)
    grant all on wordpress.* to 'wordpress'@'192.168.20.%' identified by 'wordpress';    (grant the wordpress user full rights on the wordpress database)
    flush privileges;     (reload the privilege tables)
    exit

3. Export the NFS directory
    useradd -r -u 48 apache     (create the apache user with uid 48, the uid httpd uses on the RS, since httpd is not installed on this host)
    mkdir -p /date/NFS      (create the directory to export)
    chown apache.apache /date/NFS    (change the directory's ownership)
    vim /etc/exports
    /date/NFS     192.168.20.0/24(rw,root_squash)     (add the exported directory and its access rights)
    :wq
    exportfs -rav      (re-export all directories)
    systemctl start nfs     (start NFS)

28     

   

  Configure WordPress on the RS hosts 192.168.20.243   (same on RS1 and RS2)

1. Install WordPress
    tar xf wordpress-4.9.4-zh_CN.tar.gz
    cp -R wordpress/ /var/www/html/

2. Configure WordPress
    cd /var/www/html/wordpress
    cp wp-config-sample.php wp-config.php
    vim wp-config.php
    define('DB_NAME', 'wordpress');

    /** MySQL database user name */
    define('DB_USER', 'wordpress');

    /** MySQL database password */
    define('DB_PASSWORD', 'wordpress');

    /** MySQL host */
    define('DB_HOST', '192.168.20.245');

    /** Default character set used when creating tables */
    define('DB_CHARSET', 'utf8');

    /** Database collation; do not change it unless you are sure */
    define('DB_COLLATE', '');
    :wq

3. Map the URL with a symbolic link
    cd /var/www/html
    ln -sv wordpress wdp

4. Put the uploads directory on NFS so content uploaded by clients is shared between the RS
    cd wordpress/wp-content
    mkdir -p uploads      (WordPress stores uploaded media in wp-content/uploads)
    mount -t nfs 192.168.20.245:/date/NFS uploads    (mount the NFS file system on the uploads directory)


Test:

  http://www.ilinux.com/wdp

  

  

  LVS configuration: director 192.168.20.242, real server 192.168.20.243   (RS2 is configured the same way as RS1)

  Configuration on 192.168.20.242:

1. Configure the director's addresses and set up ipvsadm
    yum install ipvsadm
    ifconfig ens192:0 192.168.20.241 netmask 255.255.255.255 broadcast 192.168.20.241 up  (add the VIP address)
    ipvsadm -A -t 192.168.20.241:443 -s rr     (add the virtual service on the VIP's port 443 with the rr scheduler)
    ipvsadm -a -t 192.168.20.241:443 -r 192.168.20.243 -g -w 1    (add R1 as a real server)
    ipvsadm -a -t 192.168.20.241:443 -r 192.168.20.244 -g -w 1     (add R2 as a real server)
    ipvsadm -A -t 192.168.20.241:80 -s rr        (add the virtual service on port 80 with the rr scheduler)
    ipvsadm -a -t 192.168.20.241:80 -r 192.168.20.243 -g -w 1
    ipvsadm -a -t 192.168.20.241:80 -r 192.168.20.244 -g -w 1
    ipvsadm -ln     (show the ipvsadm configuration)

  Configuration on 192.168.20.243:

1. Suppress ARP announcements and ARP replies for the VIP, and bring up the lo interface
    echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore     (only answer ARP requests for the address configured on the receiving interface; other local addresses are not answered)
    echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
    echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce    (do not advertise the VIP on lo in ARP packets sent to the broadcast domain)
    echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
    ifconfig lo:0 192.168.20.241 netmask 255.255.255.255 broadcast 192.168.20.241 up    (add the lo:0 interface carrying the VIP)
    route add -host 192.168.20.241 dev lo:0     (add a host route for the VIP via lo so that replies leave with the VIP as their source address)

  

  Do the same on 192.168.20.244: bring up the lo interface with the VIP address

Test: http://www.ilinux.com/wdp

      https://www.ilinux.com/wdp

 

  LVS load balancing based on firewall marks

    iptables -t mangle -A PREROUTING -d 192.168.20.241 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 3    (mark packets to 192.168.20.241 on ports 80 and 443 with mark 3)
    ipvsadm -A -f 3 -s sh      (match on firewall mark 3 and use the sh scheduler)
    ipvsadm -a -f 3 -r 192.168.20.243 -g      (add RS1; -g selects DR forwarding)
    ipvsadm -a -f 3 -r 192.168.20.244 -g     (add RS2)
    ipvsadm -ln

   Session persistence: for a set period a client keeps being sent to the same RS, even when the SH scheduler is used; it is enabled with -p <timeout> on the virtual service (ipvsadm -A ... -p <seconds>)

  On 192.168.20.242, configure a port-0 load-balanced cluster (every service request received is forwarded to the back-end servers):

    ipvsadm -C    (flush the existing rules)
    ipvsadm -A -t 192.168.20.241:0 -s rr -p 360    (port 0 with the rr (round robin) scheduler and 360 s of persistence: within that period all requests from one client are forwarded to the same back-end server)
    ipvsadm -a -t 192.168.20.241:0 -r 192.168.20.243 -g     (add back-end server R1)
    ipvsadm -a -t 192.168.20.241:0 -r 192.168.20.244 -g    (add back-end server R2)

  Test: install telnet-server on both back-end servers and run systemctl start telnet.socket

           telnet 192.168.20.241    (the remote request is forwarded to a back-end server and answered by the RS)

      With port 0, every service is forwarded to the back-end servers
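A constructed model, added here (it is neither the page's code nor the IPVS kernel code), of how the three scheduling choices used above behave: -s rr, -s sh as in the firewall-mark service, and -p 360 as in the port-0 service. The sh hash and bucket table follow the classic IPVS sh scheduler in simplified form (multiply the client address by 2654435761, keep the low 8 bits); the client addresses 10.0.0.x are made up.

```python
import ipaddress
from itertools import cycle

RS = ["192.168.20.243", "192.168.20.244"]   # the page's two real servers (weight 1 each)

def rr_scheduler(dests):
    """-s rr: successive new connections go to successive real servers."""
    ring = cycle(dests)
    return lambda client_ip: next(ring)

def sh_scheduler(dests, weights=None, table_bits=8):
    """-s sh (source hashing), modelled on the classic IPVS implementation: a table of
    2**table_bits buckets is filled by giving each RS `weight` consecutive buckets in turn,
    and the client IP is hashed (multiply by 2654435761, keep the low bits) to pick a bucket."""
    weights = weights or {d: 1 for d in dests}
    size, table, i = 2 ** table_bits, [], 0
    while len(table) < size:
        table += [dests[i % len(dests)]] * weights[dests[i % len(dests)]]
        i += 1
    def pick(client_ip):
        key = (int(ipaddress.ip_address(client_ip)) * 2654435761) & (size - 1)
        return table[key]
    return pick

class PersistentService:
    """A virtual service with -p <timeout> (the page's '-t 192.168.20.241:0 -s rr -p 360').
    The first connection from a client is scheduled normally and recorded in a persistence
    template; later ones reuse the same RS until the template expires (each reuse refreshes it)."""
    def __init__(self, scheduler, timeout):
        self.scheduler, self.timeout, self.templates = scheduler, timeout, {}
    def connect(self, client_ip, now):
        dest, expires = self.templates.get(client_ip, (None, -1))
        if dest is None or now >= expires:         # no template, or it has timed out
            dest = self.scheduler(client_ip)
        self.templates[client_ip] = (dest, now + self.timeout)
        return dest

def demo():
    """Drive the three behaviours with constructed client addresses and return the picks."""
    rr = rr_scheduler(RS)
    sh = sh_scheduler(RS)
    svc = PersistentService(rr_scheduler(RS), 360)
    return {
        "rr": [rr(c) for c in ("10.0.0.1", "10.0.0.2", "10.0.0.3")],
        "sh": [sh(c) for c in ("10.0.0.1", "10.0.0.1", "10.0.0.2")],
        "persist": [svc.connect("10.0.0.1", 0), svc.connect("10.0.0.2", 0),
                    svc.connect("10.0.0.3", 0), svc.connect("10.0.0.1", 100),
                    svc.connect("10.0.0.1", 1000)],
    }
```

In `demo()` the fourth persistent connection (client 10.0.0.1 at t=100) stays on RS1 although round robin alone would have moved it, and the fifth (t=1000, template expired) is scheduled afresh.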

    ldirectord: since it is so rarely used, a demonstration is left for another time.

Reposted from www.cnblogs.com/qingfengguoke/p/12454099.html