FreeRADIUS high availability with LVS (UDP) on CentOS

I have recently been setting up high availability for freeradius, using an LVS VIP to distribute requests across the servers:

The freeradius configuration itself is covered in the earlier article;

Below is the keepalived configuration on the LVS side:

global_defs {
    router_id LVS_DEVEL_TEST
}

vrrp_sync_group LVS_RA {
    group {
        VI_1
    }
}

vrrp_instance VI_1 {
    state MASTER                # master / backup
    interface eth0
    virtual_router_id 123       # unique identifier within the LAN
    priority 80                 # priority
    advert_int 3
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        x.x.x.x                 # virtual IP address
    }
    debug
}

virtual_server x.x.x.x 1812 {   # virtual IP address and UDP port
    delay_loop 6
    lb_algo sh                  # scheduling algorithm
    lb_kind TUN                 # LVS forwarding mode
    protocol UDP                # UDP protocol

    real_server x.x.x.x 1812 {  # real server IP address and UDP port
        MISC_CHECK {            # MISC health-check method
            misc_path "/data/shell/UDP_CHECK.sh x.x.x.x 1812"   # UDP check script, shown below
            misc_timeout 10     # script execution timeout
            misc_dynamic
        }
    }

    real_server x.x.x.x 1812 {
        MISC_CHECK {
            misc_path "/data/shell/UDP_CHECK.sh x.x.x.x 1812"
            misc_timeout 10
            misc_dynamic
        }
    }
}

The UDP check script /data/shell/UDP_CHECK.sh:

#!/bin/bash
# Arguments: <real server IP> <UDP port>. Exit 0 = healthy, 1 = remove the real server.
# nc prints its "succeeded!" line on stdout or stderr depending on the version, so merge both.
/usr/bin/nc -uz -w1 "$1" "$2" 2>&1 | grep -q succeeded
exit $?
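The nc -uz probe reports "succeeded" whenever no ICMP port-unreachable comes back, so it cannot tell a RADIUS daemon that is actually answering from one that merely holds the socket open or silently discards packets (FreeRADIUS does not reply at all to requests from unknown clients or with a wrong secret), and if ICMP is filtered the probe always passes. A stronger MISC_CHECK asks the server itself, using the RADIUS Status-Server message (RFC 5997), and accepts only a reply whose Response Authenticator proves knowledge of the shared secret. The script below is an added example and not code from the original post; it assumes the LVS host is configured as a client of each real server (a client entry in clients.conf with the same secret) and reads the secret from a root-only file whose path, /etc/keepalived/radius_secret, is a hypothetical placeholder. The build_response helper reproduces the server side of the exchange so the validator can be exercised offline.

```python
#!/usr/bin/env python3
"""RADIUS Status-Server health probe (RFC 5997) for keepalived MISC_CHECK.
Added example, not from the original post. Assumes this host is a configured
RADIUS client of the real server and the secret lives in a root-only file."""
import hashlib
import hmac
import os
import socket
import struct
import sys

CODE_ACCESS_ACCEPT = 2
CODE_ACCOUNTING_RESPONSE = 5
CODE_STATUS_SERVER = 12
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
DEFAULT_SECRET_FILE = "/etc/keepalived/radius_secret"  # hypothetical path, not from the post


def build_status_server(identifier, secret, request_auth):
    """Build a Status-Server request. RFC 5997 requires a Message-Authenticator
    attribute (type 80): HMAC-MD5 over the whole packet with the attribute value zeroed."""
    attr_len = 2 + 16
    length = HEADER_LEN + attr_len
    header = struct.pack("!BBH", CODE_STATUS_SERVER, identifier, length) + request_auth
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, attr_len) + b"\x00" * 16
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, attr_len) + mac


def build_response(code, identifier, request_auth, attributes, secret):
    """Server side of the exchange (RFC 2865 section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). Included so the
    validator below can be tested without a live server."""
    length = HEADER_LEN + len(attributes)
    prefix = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(prefix + request_auth + attributes + secret).digest()
    return prefix + response_auth + attributes


def response_is_valid(request_auth, response, secret, identifier):
    """Accept a reply only if the identifier matches, the code is a success response
    and the Response Authenticator checks out, so a stray or forged datagram
    cannot mark a backend healthy."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != identifier or length < HEADER_LEN or length > len(response):
        return False
    if code not in (CODE_ACCESS_ACCEPT, CODE_ACCOUNTING_RESPONSE):
        return False
    body = response[:length]
    expected = hashlib.md5(body[:4] + request_auth + body[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, body[4:HEADER_LEN])


def probe(host, port, secret, timeout=2.0):
    """Send one Status-Server request over UDP and validate the reply."""
    identifier = os.urandom(1)[0]
    request_auth = os.urandom(16)
    packet = build_status_server(identifier, secret, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP unreachable, etc.
            return False
    return response_is_valid(request_auth, data, secret, identifier)


def main(argv):
    # keepalived MISC_CHECK semantics: exit 0 = healthy, exit 1 = take the real server out.
    if len(argv) < 3:
        print("usage: %s <real-server-ip> <udp-port> [secret-file]" % argv[0], file=sys.stderr)
        return 1
    secret_file = argv[3] if len(argv) > 3 else DEFAULT_SECRET_FILE
    with open(secret_file, "rb") as f:
        secret = f.read().strip()
    return 0 if probe(argv[1], int(argv[2]), secret) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the keepalived block the misc_path would then point at this script instead of UDP_CHECK.sh, for example misc_path "/data/shell/radius_check.py x.x.x.x 1812" (hypothetical file name). The secret must stay out of argv, since MISC_CHECK command lines are visible to every local user in the process list.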

Note: freeradius and keepalived must not run on the same server, as that interferes with packet forwarding.

Next, the VIP has to be bound on each real server, and the script must be placed under /etc/rc.d/init.d/. The binding script, addVIP, is as follows:

#!/bin/bash
IPADDR=(x.x.x.x)                     # fill in the VIP address(es)
NUM=`expr ${#IPADDR[*]} - 1`

start_vip(){
    for i in `seq 0 $NUM`;do
        ifconfig lo:$i ${IPADDR[$i]} broadcast ${IPADDR[$i]} netmask 255.255.255.255 up
        route add -host ${IPADDR[$i]} dev lo:$i
    done

    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/rp_filter
    echo "0" >/proc/sys/net/ipv4/conf/eth0/rp_filter
    echo "0" >/proc/sys/net/ipv4/conf/lo/rp_filter
    echo "0" >/proc/sys/net/ipv4/conf/default/rp_filter
    /sbin/sysctl -p >/dev/null 2>&1
}

stop_vip(){
    for i in `seq 0 $NUM`;do
        /sbin/route del -host ${IPADDR[$i]} dev lo:$i
        /sbin/ifconfig lo:$i ${IPADDR[$i]} broadcast ${IPADDR[$i]} netmask 255.255.255.255 down
    done

    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "0" >/proc/sys/net/ipv4/ip_forward
    echo "1" >/proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" >/proc/sys/net/ipv4/conf/eth0/rp_filter
    echo "1" >/proc/sys/net/ipv4/conf/lo/rp_filter
    echo "1" >/proc/sys/net/ipv4/conf/default/rp_filter
    /sbin/sysctl -p >/dev/null 2>&1    # not all of these files necessarily exist; it depends on the system
}

case "$1" in
    start|START)
        start_vip
        if [ $? == "0" ];then
            echo "setting vip success"
        else
            echo "setting vip fault"
        fi
        ;;
    stop|STOP)
        stop_vip
        if [ $? == "0" ];then
            echo "remove vip success"
        else
            echo "remove vip fault"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

Run the script on the real server (after granting it execute permission): # /etc/rc.d/init.d/addVIP start

The result of the binding is shown below;

Start the keepalived service on the LVS server; if the freeradius service is healthy, LVS shows the following:


Finally, pick another server and test with the radius test command radtest!

A note on why the VIP must be bound on the real servers: in DR mode, because UDP is connectionless, the RS replies from its own address by default, so the packet the client gets back carries a source address that is not the IP it originally sent the request to (the VS IP), which causes problems.
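The addVIP script above implements the LVS-DR real-server pattern this note explains: the VIP sits on lo as a /32 so replies leave with the VIP as source, and arp_ignore/arp_announce stop the real server from answering ARP for the VIP and from advertising it (if the VIP were answered on the LAN by a real server, the director would be bypassed and clients would see replies from the wrong address). Note that the keepalived block earlier says lb_kind TUN; in TUN mode the VIP is normally bound on the tunl0 interface instead of lo. The audit below is an added example, not code from the original post: it parses the output of ip -o -4 addr show dev lo and the /proc/sys values the script writes, and reports any drift from the expected state. The sample output and VIP 192.0.2.10 are constructed for the offline test.

```python
#!/usr/bin/env python3
"""Audit a real server for the LVS-DR state that the post's addVIP script sets up:
VIP bound on lo as a /32 plus the ARP-suppression and rp_filter sysctls.
Added example, not from the original post."""
import subprocess
import sys

# The values start_vip() writes; keys are paths under /proc/sys/net/ipv4/conf/.
REQUIRED_SYSCTLS = {
    "lo/arp_ignore": "1",
    "lo/arp_announce": "2",
    "all/arp_ignore": "1",
    "all/arp_announce": "2",
    "all/rp_filter": "0",
    "lo/rp_filter": "0",
}


def parse_ip_addr(output):
    """Parse `ip -o -4 addr show dev lo` output into a list of (address, prefix_len)."""
    result = []
    for line in output.splitlines():
        fields = line.split()
        if "inet" not in fields:
            continue
        addr, prefix = fields[fields.index("inet") + 1].split("/")
        result.append((addr, int(prefix)))
    return result


def audit(vip, lo_addrs, sysctls):
    """Return a list of findings; an empty list means the host matches the expected DR state."""
    findings = []
    prefixes = [p for a, p in lo_addrs if a == vip]
    if not prefixes:
        findings.append("VIP %s is not bound on lo" % vip)
    elif prefixes[0] != 32:
        findings.append("VIP %s on lo has prefix /%d, expected /32" % (vip, prefixes[0]))
    for key, want in REQUIRED_SYSCTLS.items():
        name = "net.ipv4.conf." + key.replace("/", ".")
        got = sysctls.get(key)
        if got is None:
            findings.append("%s missing" % name)
        elif got != want:
            findings.append("%s=%s, expected %s" % (name, got, want))
    return findings


def collect_live(vip):
    """Gather the real state from the running host and audit it."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show", "dev", "lo"],
                         capture_output=True, text=True, check=True).stdout
    sysctls = {}
    for key in REQUIRED_SYSCTLS:
        try:
            with open("/proc/sys/net/ipv4/conf/" + key) as f:
                sysctls[key] = f.read().strip()
        except FileNotFoundError:
            pass  # reported as "missing" by audit()
    return audit(vip, parse_ip_addr(out), sysctls)


# Constructed sample of `ip -o -4 addr show dev lo` on a correctly prepared real server.
SAMPLE_IP_OUTPUT = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "1: lo    inet 192.0.2.10/32 brd 192.0.2.10 scope global lo:0\\       valid_lft forever preferred_lft forever\n"
)
SAMPLE_SYSCTLS_OK = dict(REQUIRED_SYSCTLS)
SAMPLE_SYSCTLS_BAD = {**REQUIRED_SYSCTLS, "all/arp_ignore": "0"}  # ARP suppression undone


if __name__ == "__main__":
    # Usage: audit_dr.py <VIP>; exits 1 if anything deviates from the addVIP state.
    if len(sys.argv) != 2:
        print("usage: %s <VIP>" % sys.argv[0], file=sys.stderr)
        sys.exit(2)
    problems = collect_live(sys.argv[1])
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it on each real server after addVIP start; a clean run prints nothing and exits 0, which also makes it usable from cron or a configuration check, so a reboot that silently dropped the VIP or reset arp_ignore is caught before clients start seeing replies from the wrong address.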
