搭建高可用负载均衡器：haproxy+keepalived

当企业业务量比较小的时候，单台服务器就可以满足业务需求。但是随着业务的发展，单台服务器的问题就凸显出来：当服务器挂了，业务就会中断。当业务量增大，单台服务器性能下降时，如何透明地扩展服务器和带宽，增加服务器吞吐量负载均衡器可以解决上述问题。本文将根据拓扑图使用haproxy和keepalived搭建一个负载均衡器。1负载均衡器拓扑图2准备工作2.1准备环境准备5台CentOS7.3主机和一个VIP地址：准备一个可用的IP作为VirtualIP（VIP）：VIP：192.168.1.100负载均衡器将使用2台主机，一台master和一个备份架构lb1（默认主）：192.168.1.101lb2（默认备用）：192.168.1.102后端服务器集群中主机的IP地址s1：192.168.1.2s2：192.168.1.3s3：192.168.1.42。2主机配置2.2.1禁用防火墙systemctlstopfirewalldsystemctldisablefirewalld2.2.2在所有主机上禁用selinuxsetenforce0vi/etc/selinux/configSELINUX=disabled2.3在lb1和lb2上安装haproxy和keepalived安装haproxy和keepalivedyuinstallhaproxykeepalived-y2.4安装nginx（如果有其他后端测试程序，此步可以省略）在s1s2s3上安装nginx，目的是使用nginx作为后端，如果有其他后端程序，此步可以省略yuminstallel-release-yyuminstallnginx-y2.3configurationkeepalivedKeepAlived是一种基于VRRP（VirtualRouterRedundancyProtocol，虚拟路由冗余协议）的高可用解决方案，通过VIP（虚拟IP）和心跳检测实现高可用Keepalived有Master和Backup两种角色。一般会有一个Master和多个Backup。Master会把VIP绑定到自己的网卡上，对外提供服务。Master和Backup会定期判断对方的状态。当Master不可用时，Backup会通知网关，并将VIP绑定到自己的网卡上，实现服务不中断和高可用。#通知邮件服务器配置notification_email{#当master丢失VIP或VIP时，会发送一封通知邮件到your-email@qq.comyour-email@qq.com}#发件人信息notification_email_fromkeepalived@qq.com#邮件服务器地址smtp_server127。0.0.1#邮件服务器超时时间smtp_connect_timeout30#MailTITLErouter_idLVS_DEVEL}vrrp_instanceVI_1{#Host:MASTER#Backupmachine:BACKUPstateMASTER#实例绑定的网卡，使用ipa命令查看网卡号interfaceeno16777984#虚路由标识，这个ID是一个数字(1-255)。在一个VRRP实例中，主备服务器ID必须相同。virtual_router_id88#Priority，数字越大，优先级越高。实例中，主服务器的优先级高于从服务器priority100#primary备份之间同步校验的时间间隔单位为advert_int1#认证类型和密码认证{#认证有两种：PASS和HAauth_typePASS#验证密码，实例主备密码不变auth_pass11111111}#虚拟IP地址，可以有多个，一行一个virtual_ipaddress{192.168.1.100}}virtual_server192.168.1.100443{#健康检查时间间隔delay_loop6#调度算法#Doc：http://www.keepalived.org/doc/scheduling_algorithms.html#RoundRobin(rr)#WeightedRoundRobin(wrr)#LeastConnection(lc)#WeightedLeastConnection(wlc)#Locality-BasedLeastConconnection(lblc)#Locality-BasedLeastConnectionwithReplication(lblcr)#DestinationHashing(dh)#SourceHashing(sh)#ShortestExpectedDelay(seq)#NeverQueue(nq)#Overflow-Connection(ovf)lb_algorrlb_kindNATpersistence_timeout50protocolTCP#通过调度将Master切换到真实负载algorithm在平衡服务器上#真主机会定时判断健康检查，如果MASTER不可用，切换到备机real_server192.168.1.101443{weight1TCP_CHECK{#连接超级端口connect_port443#连接超时时间connect_timeout3}}real_server192.168.1.102443{weight1TCP_CHECK{connect_port443connect_timeout3}}}2.3.2　配置BACKUP在lb2(192.168.1.102)上编辑/etc/keepalived/keepalived.conf!ConfigurationFileforkeepalivedglobal_defs{#通知邮件服务器的配置notification_email{#master丢失时VIP还是VIP，通知邮件会发到your-email@qq.comyour-email@qq.com}#SenderInformationnotification_email_fromkeepalived@qq.com#Mail服务器地址smtp_server127.0.0.1#邮件服务器超时smtp_connect_timeout30#EmailTITLErouter_idLVS_DEVEL}vrrp_instanceVI_1{#Host:MASTER#Backup:BACKUPstateBACKUP#Instance绑定网卡，使用ipa命令查看网卡号interfaceeno16777984#虚拟路由ID，这个ID是一个数字（1-255），在一个VRRP实例中备用服务器ID必须与virtual_router_id88#priority相同，数字越大，优先级越高。在一个实例中，主服务器的优先级高于备用服务器的优先级。HAauth_typePASS#验证密码，实例主备密码不变auth_pass11111111}#虚拟IP地址，可以有多个，一个virtual_ipaddress{192.168.1.100}}virtual_server192.168.1.100443{#健康检查时间间隔delay_loop6#Scheduling算法#Doc：http://www.keepalived.org/doc/scheduling_algorithms.html#RoundRobin(rr)#WeightedRoundRobin(wrr)#LeastConnection(lc)#WeightedLeastConnection(wlc)#Locality-BasedLeastConnection(lblc)#Locality-BasedLeastConnectionwithReplication(lblcr)#DestinationHashing(dh)#SourceHashing(sh)#ShortestExpectedDelay(seq)#NeverQueue(nq)#Overflow-Connection(ovf)lb_algorrlb_kindNATpersistence_timeout50protocolTCP#通过调度算法将Master切换到真实负载均衡服务器#真实主机会定时判断健康检查，如果MASTER不可用，则切换到备机haproxy在lb1（192.168.1.101）和lb2（192.168.1.102）上编辑/etc/haproxy/haproxy.cfg添加后端服务器IP(192.168.1.2,192.168.1.3,192.168.1.4)到后端#-------------------------------------------------＃全局设置＃------------------------------------------------------------------globallog127.0.0.1local2chroot/var/lib/haproxypidfile/var/run/haproxy.pidmaxconn4096userhaproxygrouphaproxydaemon#turnonstatsunixsocketstatssocket/var/lib/haproxy/statslistenstatsbind*:9000modehttpstatsenablestatshide-versionstatsuri/statsstatsrefresh30sstatsrealmHaproxy\Statisticsstatsauthadmin:adminfrontendk8s-apibind*:443modetcpoptiontcplogtcp-requestinspect-delay5stcp-requestcontentacceptif{req_ssl_hello_type1}default_backendk8s-api-backendbackendk8s-api-backendmodetcpoptiontcplogoptiontcp-checkbalanceroundrobinservermaster1192.167.1.2:80maxconn1024weight5checkservermaster2192.167.1.3:80maxconn1024weight5checkservermaster3192.167.1.4:80maxconn1024weight5check2.5配置nginx为nginx添加SSL证书，配置过程略为vi/usr/share/nginx/html/index.html把index.html里面字符串Welcometonginx改成WelcometonginxHA3启动服务3.1启动nginxsudosystemctlstartnginxsudosystemctlenablenginx3.2启动haproxysudosystemctlstarthaproxysudosystemctlenablehaproxy3.3启动keepalivedsudosystemctlstartkeepalivedsudosystemctlenablekeepalived在MASTER上运行ipaeno16777984:mtu1500qdiscmqstateUPqlen1000link/ether00:xx:xx:xx:3d:0cbrdff:ff:ff:ff:ff:ffinet192.168.1.101/24brd192.168.1.255scopeglobaleno16777984valid_lftforeverpreferred_lftforeverinet192.168.1.100/32scopeglobaleno16777984valid_lftforeverpreferred_lftforeverinet6eeee:eeee:1c9d:2009:250:56ff:fe9c:3d0c/64scopeglobalnoprefixroutedynamicvalid_lft7171secpreferred_lft7171secinet6eeee::250:56ff:eeee:3d0c/64scopelinkvalid_lftforeverpreferred_lftforeverwillfindthatVIP(192.168.1.100)hasbeenboundtoinet192.168.1.100/32scopeglobaleno16777984valid_lftforeverpreferred_lftforeverIfitisfoundthatVIPcannotbeboundvi/etc/sysctl.conf4addtwolinesnet..ip_forward=1net.ipv4.ip_nonlocal_bind=1Letthenewconfigurationtakeeffectsysctl-p4verification证书4.1查看状态1.浏览器输入http://192.168.1.100:9000/stats查看haproxy状态2.浏览器输入https://192.168.1.100查看服务状态是否成功显示nginx欢迎页面4.2主备切换1、在浏览器中输入https://192.168.1.100，查看是否成功显示nginx欢迎页面。2、关闭lb1（192.168.1.101），查看是否还能访问https://192.168.1.100。成功则表示VIP成功切换到备机3.在lb2(192.168.1.102)上执行ipa查看网卡是否绑定VIP(192.168.1.100)3.启动lb1(192.168.1.101)验证VIP是否切换回MASTER主机（因为MASTER端配置文件中优先级为100，BACKUP为99，健康检查会自动将VIP绑定到优先级最高的主机）