LVS theory
LVS (Linux Virtual Server) is a virtual server cluster system that implements a high-performance, highly available server with good scalability, reliability and manageability.
The LVS cluster uses IP load balancing and content-based request distribution. The scheduler has a high throughput rate, distributes requests evenly to different servers for execution, and automatically shields servers that have failed.
[Figure: Picture 2.png]
A virtual server is the basic architecture of a load balancing system; it is divided into two tiers: the forwarder (director) and the real servers.
[Figure: Picture 3.png]
[Figure: Picture 4.png]
(1) The client accesses the cluster VIP to request the web service. (Request message: source CIP, target VIP)
(2) The scheduler receives the request, modifies the destination IP to a RIP chosen by the scheduling algorithm, and sends the request to that backend web server. (Request message: source CIP, target RIP)
(3) The web server receives the request, finds that the destination IP is its own, provides the corresponding service, builds the response message and sends it to the scheduler. (Response message: source RIP, target CIP)
(4) The scheduler receives the web server's response message, determines from its record of the connection that the client's original target IP was the VIP, rewrites the source IP to the VIP and sends the response to the client. (Response message: source VIP, target CIP)
Shortcomings:
1. The RS or the router must have policy routing configured.
[Figure: Picture 5.png]
(1) The client sends the request to the scheduler's VIP.
(2) The scheduler selects a real server to forward to. At this point the source IP is CIP and the target IP is VIP, but the packet must reach the RIP, so the VIP-to-RIP leg is encapsulated in a tunnel with two IP headers: the forwarded message (source CIP, target VIP) is wrapped in another IP header whose destination address is the RIP. This requires support for the tunneling protocol.
(3) When the real server receives the packet, the destination IP of the outer header is its own, so it unpacks the packet and finds an inner header in which CIP requests its own VIP; it then responds to that request directly to CIP. (The source IP of the response message is the VIP and the target IP is CIP)
Shortcomings:
1. Complex RS configuration (ipip module, etc.)
2. The RS binds the VIP, which is risky;
[Figure: Picture 6.png]
(1) First, the client (CIP) sends the request to the VIP of the LVS scheduler.
(2) After the LVS scheduler receives the client's request packet, it chooses a real server, changes the destination MAC address of the packet to the MAC address of the chosen real server, and sends it to the RS through the switch (data link layer). Because the destination MAC address is the RS's, the RS can receive the datagram. Note: the destination and source IP addresses of the packet are unchanged at this point.
(3) A. On the RS, the data link layer passes the request message up to the IP layer, which must verify the destination IP address of the request. The destination IP of the packet (the VIP) is not the RS's own local IP, as it would be for an ordinary datagram; only the destination MAC is the RS's. Therefore the RS must bind the VIP, because the destination IP of the packet has not changed. This VIP is hidden and does not respond to ARP resolution.
B. When the RS finishes processing the packet, the answer is returned directly to the client; at this point the source IP is the VIP and the target is CIP. This process does not go through the scheduler.
Shortcomings:
1. LVS and the RS must be in the same VLAN
2. The RS binds the VIP, which is risky;
– A real server goes down; what to do? --- health checking
– LVS itself goes down; what to do? --- LVS redundancy
keepalived – LVS management software
– Health checking: supports layer 4/7 monitoring;
– Primary/standby redundancy: heartbeat using the VRRP protocol;
– How to configure it? --- configuration file
keepalived -f /etc/keepalived/keepalived.conf
Each LVS forwarding mode has a high operation and maintenance cost
– New forwarding mode FULLNAT: implements LVS-to-real-server communication across VLANs, and both inbound and outbound traffic pass through LVS;
Lack of an attack defense module
– SYNPROXY: SYN flood attack defense module
– Other TCP-flag DDoS attack defense strategies
Performance does not scale linearly
– Cluster deployment mode
[Figure: Picture 7.png]
(1) The client sends a request to the scheduler. (source CIP, target VIP)
(2) The VIP is scheduled to a real server. (source DIP, target RIP)
(3) When the real server receives the request and finds that the source address is the DIP, it responds to the DIP. (source RIP, target DIP)
(4) After the scheduler receives the response from the real server, it modifies the source address of the datagram to the VIP and the destination address to the CIP, and sends the response.
Main idea: introduce a local address (an intranet IP address). CIP->VIP is converted to LIP->RIP, and since LIP and RIP are IDC intranet IPs, communication can cross VLANs;
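The four forwarding flows described above (the flow after Picture 4, the tunnel flow after Picture 5, the direct-routing flow after Picture 6 and the FULLNAT flow after Picture 7), modelled as an added example that is not code from the original post: each function shows which addresses the director and the real server rewrite, and trace() returns the packet seen at every hop, including the case where a tunnel or direct-routing real server has no VIP bound and drops the request. All IPs are constructed sample values, the mode names NAT, TUN, DR and FULLNAT are the usual LVS names rather than the post's, and because the post writes DIP in its FULLNAT steps but LIP in its summary line, the example uses LIP for that source rewrite.

```python
# Added example, not from the original post: a model of the address rewriting that the director
# and a real server (RS) perform in each forwarding mode described above. IPs are constructed
# sample values; NAT, TUN, DR and FULLNAT are the usual LVS names for the four modes.
from dataclasses import dataclass
CIP, VIP, DIP, RIP, LIP = "203.0.113.10", "198.51.100.1", "10.0.0.1", "10.0.0.20", "10.0.0.5"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    outer: tuple = None        # encapsulating (src, dst) IP header, TUN mode only
    dst_mac: str = "director"  # frame destination, the only thing DR mode rewrites

def director_forward(mode, req):
    """Director rewrites a client request (CIP->VIP) on its way to the chosen RS."""
    return {
        "NAT": Packet(req.src, RIP),                        # destination only; reply must come back via director
        "TUN": Packet(req.src, req.dst, outer=(DIP, RIP)),  # inner header kept, outer DIP->RIP header added
        "DR": Packet(req.src, req.dst, dst_mac="rs"),       # no IP change at all; only the destination MAC
        "FULLNAT": Packet(LIP, RIP),                        # both ends: CIP->VIP becomes LIP->RIP
    }[mode]

def rs_reply(mode, p, vip_bound):
    """RS accepts the packet only if addressed to it; returns (reply, next hop) or None."""
    if mode == "TUN":
        if p.outer is None or p.outer[1] != RIP:
            return None
        p = Packet(p.src, p.dst)            # strip the outer header
    if p.dst not in (RIP, VIP) or (p.dst == VIP and not vip_bound):
        return None                         # TUN and DR only work if the RS has the VIP bound
    reply = Packet(p.dst, p.src)            # answer from the address it was reached on
    return reply, ("director" if mode in ("NAT", "FULLNAT") else "client")

def director_return(mode, reply):  # NAT: source RIP->VIP; FULLNAT: RIP->LIP becomes VIP->CIP
    if mode == "NAT":
        return Packet(VIP, reply.dst)
    return Packet(VIP, CIP) if mode == "FULLNAT" else reply

def trace(mode, vip_bound=True):
    """Packet seen at each hop of one request/response; ('rs', None) means the RS dropped it."""
    req = Packet(CIP, VIP)
    fwd = director_forward(mode, req)
    hops = [("client->director", req), ("director->rs", fwd)]
    r = rs_reply(mode, fwd, vip_bound)
    if r is None:
        return hops + [("rs", None)]
    reply, via = r
    if via == "director":
        hops.append(("rs->director", reply))
        reply = director_return(mode, reply)
    return hops + [("->client", reply)]
```

Running trace("DR", vip_bound=False) shows why the post insists the RS must bind the (ARP-hidden) VIP: the unchanged destination IP is rejected and the request is dropped.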
This article is from the "11841085" blog; please contact the author before reproducing it.
LVS Theory 3