在做完load balancing之后我们就要做提供真实服务的Real 服务器了。
如果使用nat模式,这个没有什么问题,非常简单,只要每台机器的内容及服务正常就可以了,如果使用DR模式的话需要注意本地的网卡的广播问题,要不然就会出现只往一台服务器上发请求,而其他服务器无请求的情况,这里有几种解决方法。
lvs dr Disable ARP for VIP
1. Using arp_tables_jf to disable ARP arptables -F arptables -A IN -d $VIP -j DROP arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
2. Using arp announce/arp ignore to disable ARP arp_announce - INTEGER Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface: 0 - (default) Use any local address, configured on any interface 1 - Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2. 2 - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce.
The max value from conf/{all,interface}/arp_announce is used.
Increasing the restriction level gives more chance for receiving answer from the resolved target while decreasing the level announces more valid sender's information.
arp_ignore - INTEGER Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP address is local address configured on the incoming interface 2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface 3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied 4-7 - reserved 8 - do not reply for all local addresses
The max value from conf/{all,interface}/arp_ignore is used when ARP request is received on the {interface}
net.ipv4.conf.eth0.arp_ignore = 1 net.ipv4.conf.eth0.arp_announce = 2
3. Using the hidden interface to disable ARP
Linux kernel 2.4 and 2.6, you need to apply the hidden patch # Start the hiding interface functionality echo 1 > /proc/sys/net/ipv4/conf/all/hidden # Hide all addresses for this interface echo 1 > /proc/sys/net/ipv4/conf//hidden
# Insert the ipip module insmod ipip # Make the tunl0 device up ifconfig tunl0 up # Start the hiding interface functionality echo 1 > /proc/sys/net/ipv4/conf/all/hidden # Hide all addresses for this tunnel device echo 1 > /proc/sys/net/ipv4/conf/tunl0/hidden # Configure a VIP on an alias of tunnel device ifconfig tunl0:0 up
4. Using redirect to disable ARP iptables -t nat -A PREROUTING -p tcp -d --dport -j REDIRECT --to-port
5. Using policy routing to disable ARP # Block access from the LAN to the real server's VIP. By # this way we ignore the router's ARP probes. The drawback: # we ignore the client's probes too. We have to do this # because the client on the LAN can receive replies from all # real servers ip rule add prio 99 from 172.26.20/24 table 99 ip route add table 99 blackhole 172.26.20.118
# Now accept locally any other traffic, i.e. not from # 172.26.20/24 ip rule add prio 100 table 100 ip route add table 100 local 172.26.20.118 dev lo
6. Using the noarp module to disable ARP http://www.masarlabs.com/noarp/ noarpctl add VIP RIP
|
还有一点需要注意,尤其是在udp的服务器中更要注意:
在DR方式下,服务器程序需要bind到VIP地址上,这样响应报文的源地址是VIP,对客户端程序来说这样的响应报文是有效的。注:如果监听 0.0.0.0 在udp服务的包中默认使用网卡的实际地址回报,而不是vip地址,这样客户端访问就会出现问题。
阅读(945) | 评论(0) | 转发(0) |