Monday, December 6, 2010
Ultra Monkey L7 (L7 load balancer)
I installed Ultra Monkey L7. I’ve written the installation document below. Please give me advice/suggestions on it. I would appreciate any kind of advice/suggestion!
== Ultra Monkey L7 (heartbeat, l7directord)
                          [client]
                          10.1.1.24
                              |
    -------------------------------------------------------------------
          |            10.1.1.10 (VIP for web)           |
          |                                              |
          |10.1.1.2(eth0)                                |10.1.1.3(eth0)
        [LVS1]                                         [LVS2]
          |192.168.2.241(eth1)                           |192.168.20.109(eth1)
          |                                              |
          |          192.168.2.240 (VIP for VRRP)        |
          |                                              |
    ----------------------------------------------------------------------------
        |                        |                         |
        |192.168.2.236(eth0)     |192.168.2.237(eth0)      |192.168.2.238(eth0)
      [web1]                   [web2]                    [web3]
    192.168.2.240(GW)        192.168.2.240(GW)         192.168.2.240(GW)
== Install heartbeat
Run yum twice.
yum -y install heartbeat
yum -y install heartbeat
cp /usr/share/doc/heartbeat-2.1.3/ha.cf /etc/ha.d/.
cp /usr/share/doc/heartbeat-2.1.3/haresources /etc/ha.d/.
cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/.
To cover the case where either the outside or the inside cable is unplugged, monitor both interfaces with ucast.
[# test1] vi /etc/ha.d/ha.cf
logfacility local0
ucast eth0 10.1.1.3 #<------- other server's IP
ucast eth1 192.168.2.242 #<------- other server's IP
auto_failback on
node test1.com
node test2.com
respawn hacluster /usr/lib64/heartbeat/ipfail
[# test2] vi /etc/ha.d/ha.cf
logfacility local0
ucast eth0 10.1.1.2 #<------- other server's IP
ucast eth1 192.168.2.241 #<------- other server's IP
auto_failback on
node test1.com
node test2.com
respawn hacluster /usr/lib64/heartbeat/ipfail
chmod 600 /etc/ha.d/authkeys
vi /etc/ha.d/authkeys
auth 2
2 sha1 PASSWORD
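heartbeat signs its packets with the key in authkeys, so the literal PASSWORD above should be replaced with the same random secret on both nodes. The following is an added example, not part of the original post, that generates such a key and audits the file; the function names and the 16-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print a fresh 64-hex-character key suitable for the "2 sha1 <key>" line.
new_authkey() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Audit a heartbeat authkeys file; prints findings, returns 0 only if clean.
check_authkeys() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # The page sets mode 600: the shared secret must be owner-only.
    mode=$(stat -c '%a' "$file")
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600"; rc=1; }

    # "auth N" selects which numbered key line signs heartbeat packets.
    active=$(awk '$1 == "auth" { print $2; exit }' "$file")
    [ -n "$active" ] || { echo "no 'auth N' directive"; return 1; }

    # Fetch "method key" from the line the directive points at.
    line=$(awk -v n="$active" '$1 == n { print $2, $3; exit }' "$file")
    [ -n "$line" ] || { echo "auth $active has no key line"; return 1; }
    method=${line%% *}
    key=${line#* }

    case $method in
        sha1|md5) ;;
        crc) echo "crc only detects corruption, it does not authenticate"; rc=1 ;;
        *)   echo "unknown method: $method"; rc=1 ;;
    esac

    # Assumed policy for this example: reject the placeholder and short keys.
    if [ "$method" != "crc" ]; then
        if [ "$key" = "PASSWORD" ] || [ "${#key}" -lt 16 ]; then
            echo "key is a placeholder or shorter than 16 characters"; rc=1
        fi
    fi
    return "$rc"
}
```

Source the file and run `check_authkeys /etc/ha.d/authkeys` on test1 and test2 after editing the key.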
In the line below, test1.com is the server to be used as the primary.
vi /etc/ha.d/haresources
test1.com IPaddr::10.1.1.10/24/eth0 IPaddr::192.168.2.240/24/eth1 l7vsd l7directord
== UltraMonkey-L7
yum -y install apr*
cpan install Crypt::SSLeay
wget http://mirror.jimbojay.com/apache/logging/log4cxx/0.10.0/apache-log4cxx-0.10.0.tar.gz
tar zxvf apache-log4cxx-0.10.0.tar.gz
cd apache-log4cxx-0.10.0
./autogen.sh
./configure --prefix=/usr --libdir=/usr/lib64
make
make install
tar zxvf ultramonkey-l7-2.0.0-0.tar.gz
cd ultramonkey-l7-2.0.0-0
./configure
automake --add-missing --copy
./configure
make
make install
cat /etc/ha.d/conf/l7directord.cf
checktimeout=3
checkinterval=1
autoreload=yes
logfile="/var/log/l7directord.log"
quiescent=yes
virtual=10.1.1.10:80
real=192.168.2.236:80 masq 1
real=192.168.2.237:80 masq 1
real=192.168.2.238:80 masq 1
module=cinsert --cookie-name 'monkey'
scheduler=wrr
checktype=negotiate
request="index.html"
receive="ok"
# chkconfig --list | grep heart
heartbeat 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Start it with the following:
/etc/rc.d/init.d/heartbeat start
Check the connection status with the following:
l7vsadm -l
If the inside servers need to reach the outside through NAT, configure masquerading in /etc/rc.d/init.d/iptables as follows.
*nat
:PREROUTING ACCEPT [60:3408]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:243]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [301:35162]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
== stone (SSL Acceleration)
wget http://www.gcd.org/sengoku/stone/stone-2.3e.tar.gz
tar zxvf stone-2.3e.tar.gz
cd stone-2.3d-2.3.2.7
make linux-ssl
mv stone /usr/local/bin/stone
mkdir /etc/stone/
cd /etc/stone/
openssl req -new -nodes -x509 -keyout key.pem -out cert.pem -days 36500
stone -z sid_ctx='test.com:443' -z key=/etc/stone/key.pem -z cert=/etc/stone/cert.pem 10.1.1.10:80 443/ssl
Labels: Load balancer