Setting up load balancing for InfoWatch Traffic Monitor

What do you do when the capacity of a single server is not enough to handle all the requests, and the software vendor does not offer load balancing? There are many options, from buying a load balancer to limiting the number of requests. Which one is right has to be decided case by case, taking the existing conditions into account. In this article I will describe what you can do when your budget is limited and you have a spare server.

As the system where the load on one of the servers had to be reduced, we chose the InfoWatch DLP (data leak prevention) system. A distinctive feature of the implementation was placing the balancer function on one of the production servers.

One of the problems we encountered was the inability to use Source NAT (SNAT). Why it was needed and how the problem was solved, I will describe below.

So, initially the logical diagram of the existing system looked like this:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

ICAP traffic, SMTP and events from user computers were processed on the Traffic Monitor (TM) server. At the same time, the database server easily coped with the load after TM had processed the events, but the load on TM itself was heavy. This was evident from the growing message queue on the Device Monitor (DM) server, as well as from the CPU and memory load on TM.

At first glance, if we added another TM server to this scheme, either ICAP or DM could be moved to it, but we decided against this approach, since it reduces fault tolerance.

Description of the solution

While searching for a suitable solution, we settled on the freely distributed software keepalived together with LVS, because keepalived solves the problem of building a failover cluster and can also manage the LVS balancer.

What we wanted to achieve (reduce the load on TM while keeping the level of fault tolerance) was to operate according to the following scheme:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

When testing the setup, it turned out that the custom RedHat build installed on the servers does not support SNAT. In our case, we planned to use SNAT to ensure that incoming packets and the replies to them are sent from the same IP address; otherwise we would get the following picture:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

This is unacceptable. For example, a proxy server that sent packets to the Virtual IP (VIP) address expects the reply from the VIP, but in this case, for sessions forwarded to the backup, it will come from IP2. A solution was found: it was necessary to create an additional routing table on the backup and connect the two TM servers with a dedicated network, as shown below:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

Configuration

We will implement a scheme consisting of two servers with the ICAP, SMTP and TCP 9100 services, and a balancer installed on one of them.

We have two RHEL6 servers, from which the standard repositories and some packages have been removed.

Services we need to balance:

• ICAP - tcp 1344;
• SMTP - tcp 25;
• DM traffic forwarding service - tcp 9100.

First, we need to plan the network.

Virtual IP address (VIP):

• IP: 10.20.20.105.

Server TM6_1:

• External IP: 10.20.20.101;
• Internal IP: 192.168.1.101.

Server TM6_2:

• External IP: 10.20.20.102;
• Internal IP: 192.168.1.102.

Then we enable IP forwarding on both TM servers. How to do this is described by RedHat here.

We decide which of the servers will be the master and which the backup. Let the master be TM6_1 and the backup TM6_2.

On the backup we create a new routing table named balancer and the routing rules that send the backup's replies back through the master over the dedicated network:

[root@tm6_2 ~]# echo 101 balancer >> /etc/iproute2/rt_tables
[root@tm6_2 ~]# ip rule add from 192.168.1.102 table balancer
[root@tm6_2 ~]# ip route add default via 192.168.1.101 table balancer

The commands above only last until the system is rebooted. To keep the routes after a reboot, you can put them in /etc/rc.d/rc.local, but it is better to use the configuration file /etc/sysconfig/network-scripts/route-eth1 (note: a different syntax is used there).

Install keepalived on both TM servers. We used rpmfind.net as the package source:

[root@tm6_1 ~]# yum install https://rpmfind.net/linux/centos/6.10/os/x86_64/Packages/keepalived-1.2.13-5.el6_6.x86_64.rpm

In the keepalived settings we assign one of the servers as master and the other as backup. Then we define the VIP and the services to be load balanced. The configuration file is usually located at /etc/keepalived/keepalived.conf.

TM1 server configuration

vrrp_sync_group VG1 {
    group {
        VI_1
    }
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    # keyword was misspelled in the original listing ("inteface"); keepalived rejects unknown keywords
    lvs_sync_daemon_interface eth0
    virtual_router_id 51
    priority 151
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass example
    }
    virtual_ipaddress {
        10.20.20.105
    }
}

# ICAP: forwarded by NAT, so replies must leave through this host
virtual_server 10.20.20.105 1344 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP

    real_server 192.168.1.101 1344 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 1344
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.1.102 1344 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 1344
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

# SMTP
virtual_server 10.20.20.105 25 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP

    real_server 192.168.1.101 25 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 25
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.1.102 25 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 25
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

# DM traffic forwarding service
virtual_server 10.20.20.105 9100 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP

    real_server 192.168.1.101 9100 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 9100
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.1.102 9100 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 9100
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

TM2 server configuration

vrrp_sync_group VG1 {
    group {
        VI_1
    }
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    # keyword was misspelled in the original listing ("inteface"); keepalived rejects unknown keywords
    lvs_sync_daemon_interface eth0
    virtual_router_id 51
    # lower priority than the master (151), so it only takes the VIP when the master is gone
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass example
    }
    virtual_ipaddress {
        10.20.20.105
    }
}

We install LVS on the master, which will balance the traffic. There is no point in installing the balancer on the second server as well, since we only have two servers in this configuration.

[root@tm6_1 ~]# yum install https://rpmfind.net/linux/centos/6.10/os/x86_64/Packages/ipvsadm-1.26-4.el6.x86_64.rpm

The balancer will be managed by keepalived, which we have already configured.

To complete the picture, let's add keepalived to autostart on both servers:

[root@tm6_1 ~]# chkconfig keepalived on

Conclusion

Checking the results

Let's start keepalived on both servers:

service keepalived start

Checking the availability of the VRRP virtual address

Let's verify that the VIP is on the master:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

And that there is no VIP on the backup:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

Using the ping command, we check that the VIP is reachable:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

Now you can shut down the master and run the ping command again.

The result should be the same as before, and on the backup we will now see the VIP:

[Image: Setting up load balancing for InfoWatch Traffic Monitor]

Checking service balancing

Let's take SMTP as an example. We open two connections to 10.20.20.105 at the same time:

telnet 10.20.20.105 25

On the master we should see that both connections are active and have been sent to different servers:

[root@tm6_1 ~]# watch ipvsadm -Ln

[Image: Setting up load balancing for InfoWatch Traffic Monitor]
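The screenshot check above can be turned into an automated test. The following is an added example (not from the original article) that parses `ipvsadm -Ln` output for one virtual service and reports how many real servers are configured behind it and how many currently carry active connections; the sample output is constructed from the article's network plan.

```shell
#!/bin/sh
# Added example, not the article's own code. Parses `ipvsadm -Ln` output
# for a given VIP:PORT and checks that the service is both fault tolerant
# (at least two real servers) and actually sharing load (at least two of
# them with active connections), as the two-telnet test is meant to show.

# Constructed sample of `ipvsadm -Ln` on the master during the SMTP test.
# Column order after "->": RemoteAddress:Port Forward Weight ActiveConn InActConn
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.20.20.105:25 wrr
  -> 192.168.1.101:25             Masq    1      1          0
  -> 192.168.1.102:25             Masq    1      1          0
TCP  10.20.20.105:1344 wrr
  -> 192.168.1.101:1344           Masq    1      0          0
  -> 192.168.1.102:1344           Masq    1      0          0'

# Read ipvsadm output on stdin and print "<configured> <busy>" for service $1:
# how many real servers are listed behind it and how many have ActiveConn > 0.
svc_counts() {
    awk -v svc="$1" '
        # A TCP/UDP line opens a new virtual service block; remember if it is ours.
        $1 == "TCP" || $1 == "UDP" { in_svc = ($2 == svc); next }
        # "->" lines inside our block are real servers; $5 is ActiveConn.
        in_svc && $1 == "->" { n++; if ($5 > 0) busy++ }
        END { printf "%d %d\n", n, busy }'
}

# Return 0 when service $1 has >= 2 real servers and >= 2 of them are busy,
# 1 otherwise, so the function can drive a monitoring check.
check_balanced() {
    set -- $(svc_counts "$1")
    if [ "$1" -ge 2 ] && [ "$2" -ge 2 ]; then
        return 0
    fi
    return 1
}

# Stand-alone run against the constructed sample; on a live master use
#   ipvsadm -Ln | check_balanced 10.20.20.105:25
printf '%s\n' "$SAMPLE_IPVS" | check_balanced 10.20.20.105:25 \
    && echo "SMTP: balanced across both TM servers" \
    || echo "SMTP: NOT balanced"
```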

So, we implemented a fault-tolerant configuration of the TM services by installing a balancer on one of the TM servers. In our system this halved the load on TM, which made it possible to work around the lack of horizontal scaling using standard means.

In most cases this solution is implemented quickly and without additional costs, but sometimes there are limitations and configuration difficulties, for example when balancing UDP traffic.

Source: www.habr.com
