公有云(华为)下的高可用负载均衡器

高可用负载均衡器选用方案 VIP+NGINX

nodeip
node110.0.0.11
node210.0.0.12
node310.0.0.13

VIP 10.0.0.10

在虚拟机上很容易操作,详情参看在京奋斗者的 nginx和keepalived实现nginx高可用

但是在公有云上就有些问题了,买了三台服务器部署在同一个VPC下,但是配置好Keepalived和Nginx,但是访问不了后端服务。

如下是在三个节点上的初步配置和测试。

root@hw1:~# service keepalived status
● keepalived.service - Keepalive Daemon (LVS and VRRP)
   Loaded: loaded (/lib/systemd/system/keepalived.service; enabled; vendor preset: enabl
   Active: active (running) since Tue 2020-02-18 17:48:57 CST; 2min 40s ago
  Process: 9058 ExecStart=/usr/sbin/keepalived $DAEMON_ARGS (code=exited, status=0/SUCCE
 Main PID: 9067 (keepalived)
    Tasks: 3 (limit: 4662)
   CGroup: /system.slice/keepalived.service
           ├─9067 /usr/sbin/keepalived
           ├─9072 /usr/sbin/keepalived
           └─9073 /usr/sbin/keepalived

Feb 18 17:48:57 hw1 Keepalived_vrrp[9073]: WARNING - default user 'keepalived_script' fo
Feb 18 17:48:57 hw1 Keepalived_vrrp[9073]: Unsafe permissions found for script '/etc/kee
Feb 18 17:48:57 hw1 Keepalived_vrrp[9073]: SECURITY VIOLATION - scripts are being execut
Feb 18 17:48:57 hw1 Keepalived_vrrp[9073]: Using LinkWatch kernel netlink reflector...
Feb 18 17:48:57 hw1 Keepalived_vrrp[9073]: VRRP_Instance(VI_1) Entering BACKUP STATE
Feb 18 17:48:57 hw1 Keepalived_vrrp[9073]: VRRP_Script(chk_nginx) succeeded
Feb 18 17:50:12 hw1 Keepalived_vrrp[9073]: VRRP_Instance(VI_1) Transition to MASTER STAT
Feb 18 17:50:13 hw1 Keepalived_vrrp[9073]: VRRP_Instance(VI_1) Entering MASTER STATE
Feb 18 17:50:18 hw1 Keepalived_vrrp[9073]: VRRP_Instance(VI_1) Received advert with high
Feb 18 17:50:18 hw1 Keepalived_vrrp[9073]: VRRP_Instance(VI_1) Entering BACKUP STATE
root@hw1:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw1:~#

同样的keepalived都是启动的

root@hw2:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host

root@hw3:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw3:~#

并且查看eth0网卡,并没有绑定上虚拟IP。

查阅资料发现,公有云为了安全,禁止我们直接配置一个IP进行漂移。

好在,腾讯云提供了高可用的虚拟IP可以完成keepalived+vip的任务。

我所使用的华为云,只有虚拟IP,并且每个虚拟IP只能绑定一个服务器。只能绑定一个服务器那还怎么漂移?

先在vpc上申请一个虚拟IP.

给node3绑定了VIP,在三个节点上测试。发现node3确实可以通过VIP访问到对应的服务了,但是其他节点仍是不能访问,且查看node3的eth0网卡,发现并没有绑定VIP。

root@hw1:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw1:~#

root@hw2:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw2:~#

root@hw3:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx03!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx03!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@hw3:~# ifconfig |grep eth0 -n7
2-        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
3-        ether 02:42:6a:c3:06:a5  txqueuelen 0  (Ethernet)
4-        RX packets 0  bytes 0 (0.0 B)
5-        RX errors 0  dropped 0  overruns 0  frame 0
6-        TX packets 0  bytes 0 (0.0 B)
7-        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
8-
9:eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
10-        inet 10.0.0.13  netmask 255.255.255.0  broadcast 10.0.0.255
11-        inet6 fe80::f816:3eff:fe60:c6ec  prefixlen 64  scopeid 0x20<link>
12-        ether fa:16:3e:60:c6:ec  txqueuelen 1000  (Ethernet)
13-        RX packets 220545  bytes 312462163 (312.4 MB)
14-        RX errors 0  dropped 0  overruns 0  frame 0
15-        TX packets 66533  bytes 5748953 (5.7 MB)
16-        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@hw3:~#

接着测试关闭node3的keepalived服务。发现,vip确实漂移了,在node2上可以通过VIP访问到服务,但是其他节点都无法访问了。

root@hw3:~# service keepalived stop
root@hw3:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw3:~#

root@hw2:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx02!</title>
...
</head>
<body>
<h1>Welcome to nginx02!</h1>
...
</body>
</html>
root@hw2:~#


root@hw1:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw1:~#

只能在VIP漂移到的节点上通过VIP访问本节点的服务,这叫什么高可用?

继续查阅资料,发现一篇博客Centos7.2下基于Nginx+Keepalived搭建高可用负载均衡(一.基于Keepalived搭建HA体系)
在华为云上也是通过虚拟IP实现了所以的IP漂移,但是比较恶心的是,他只是在管理node1的keeaplived服务后,再去node2上访问vip获取到服务的。也就是本文上述的测试过程。这根本说不通好吧。

继续查资料,羡慕腾讯云的高可用虚拟IP,再查华为云的虚拟IP文档,在VPC虚拟IP接口操作指导处发现了高可用字样。但是那一页写的是啥啥啥呀。

关闭源和目的检查(适用于高可用负载均衡集群场景)

尝试把所有主机上的源和目的检查关闭(在ecs主机网卡标签处关闭)。再次测试。所有节点都可以通过VIP访问服务了。注意刚在我们关闭了node3的keepalived的服务。

root@hw1:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx02!</title>
...
</head>
...
</body>
</html>
root@hw1:~#

root@hw2:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx02!</title>
...
</head>
<body>
<h1>Welcome to nginx02!</h1>
...
</body>
</html>
root@hw2:~#

root@hw3:~# service keepalived stop
root@hw3:~# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: No route to host
root@hw3:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx02!</title>
...
</head>
<body>
...
</body>
</html>
root@hw3:~#

测试一下VIP漂移。
上述结果显示现在VIP在node2上,关闭node2上的keepalived,注意这时关闭了node3和node2的keepalived服务,VIP应该会漂移到node1上。如下的测试结果也证实了这一点,node2关闭keepalived服务后,访问VIP,访问到了node1上的服务。其他节点也均能通过VIP访问node1上的服务。这才是真正的高可用及IP漂移验证成功嘛!

root@hw2:~# service keepalived stop
root@hw2:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx01!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx01!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
root@hw2:~#

root@hw1:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx01!</title>
...
</head>
<body>
...
</body>
</html>
root@hw1:~#

root@hw3:~# curl 10.0.0.10
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx01!</title>
...
</head>
<body>
...
</body>
</html>
root@hw3:~#

总结,在华为云上要使用keepalived+vip实现IP漂移,需要做的是在保证所以节点在同一个vpc下,并且每个节点配置好keepalived,还需要在这个vpc下申请一个虚拟IP,最重要的是每个节点要关闭源和目的检查,否则也只能体验到VIP漂移,并没有什么作用。

回头看,华为云给虚拟IP的限制,每个虚拟IP只能绑定一个服务器。事实上测试发现,keepalived+vip根本不需要给服务器绑定虚拟IP,只需要我们申请一个就好。这个限制坑呀,明明没啥作用。但真正要注意的是关闭目的和源检查。

参考

华为云 【华为云网络技术分享】【第六弹】VIP特性典型应用案例指导
华为云 关闭源和目的检查(适用于高可用负载均衡集群场景)
腾讯云 VPC 内通过 keepalived 搭建高可用主备集群
腾讯云 高可用虚拟 IP
阿里云支持使用Keepalived搭建负载均衡软件吗?
Centos7.2下基于Nginx+Keepalived搭建高可用负载均衡(一.基于Keepalived搭建HA体系)

# 华为云
Logo
华为开发者空间

华为开发者空间,是为全球开发者打造的专属开发空间,汇聚了华为优质开发资源及工具,致力于让每一位开发者拥有一台云主机,基于华为根生态开发、创新。

更多推荐

cover

解析openGauss账本数据库

avatar 华为开发者空间
cover

GaussDB高智能--库内AI引擎:模型管理&数据集管理

avatar 华为开发者空间
cover

GaussDB高智能--库内AI引擎:机器学习算法的训练和推理

avatar 华为开发者空间