FreeRADIUS high availability with LVS (UDP) on CentOS
I have recently been setting up high availability for FreeRADIUS, using an LVS VIP for round-robin:
The FreeRADIUS configuration is covered in an earlier article;
Below is the keepalived configuration for LVS:
global_defs {
    router_id LVS_DEVEL_TEST
}

vrrp_sync_group LVS_RA {
    group {
        VI_1
    }
}

vrrp_instance VI_1 {
    state MASTER                 # MASTER or BACKUP
    interface eth0
    virtual_router_id 123        # unique identifier within the LAN
    priority 80                  # priority
    advert_int 3
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        x.x.x.x                  # virtual IP address
    }
    debug
}

virtual_server x.x.x.x 1812 {    # virtual IP address and UDP port
    delay_loop 6
    lb_algo sh                   # scheduling algorithm
    lb_kind TUN                  # LVS forwarding mode
    protocol UDP                 # UDP protocol

    real_server x.x.x.x 1812 {   # real server IP address and UDP port
        MISC_CHECK {             # MISC check method
            misc_path "/data/shell/UDP_CHECK.sh x.x.x.x 1812"   # UDP check script, shown below
            misc_timeout 10      # script execution timeout
            misc_dynamic
        }
    }

    real_server x.x.x.x 1812 {
        MISC_CHECK {
            misc_path "/data/shell/UDP_CHECK.sh x.x.x.x 1812"
            misc_timeout 10
            misc_dynamic
        }
    }
}
The UDP check script /data/shell/UDP_CHECK.sh:
#!/bin/bash
# Called by keepalived MISC_CHECK as: UDP_CHECK.sh <host> <port>
# Some nc builds print the "succeeded" line on stderr, so merge it into
# stdout before grepping; exit 0 (healthy) only if the text is found.
/usr/bin/nc -uz -w1 "$1" "$2" 2>&1 | grep -q succeeded
exit $?
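A UDP port probe with nc -uz only notices an ICMP port-unreachable, so it reports "succeeded" as long as nothing actively refuses the datagram, even when the RADIUS daemon is hung. The following added example (my code, not part of the original post or of FreeRADIUS/keepalived) is a drop-in replacement for the MISC_CHECK script that sends a real RADIUS Status-Server request (RFC 5997) and exits 0 only if the reply is an Access-Accept whose Response Authenticator, and Message-Authenticator where present, verify under the shared secret. The RADIUS_SECRET environment variable, the make_access_accept helper (used to construct a reply offline for self-testing) and the sample secret are assumptions of the example; the probing host must be listed as a client in FreeRADIUS with that secret.

```python
#!/usr/bin/env python3
"""RADIUS Status-Server health probe for keepalived MISC_CHECK (added example).

Usage from keepalived:  misc_path "/data/shell/radius_check.py x.x.x.x 1812"
with RADIUS_SECRET exported in keepalived's environment (assumed name).
Exit 0 = healthy, 1 = failed (the codes MISC_CHECK expects).
"""
import hashlib
import hmac
import os
import socket
import struct
import sys

CODE_STATUS_SERVER = 12          # RFC 5997
CODE_ACCESS_ACCEPT = 2           # expected reply on the auth port
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def build_status_server(secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Build a Status-Server request carrying a valid Message-Authenticator."""
    length = HEADER.size + 18    # header + one 18-byte Message-Authenticator
    ma_zero = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = HEADER.pack(CODE_STATUS_SERVER, ident, length, req_auth) + ma_zero
    # HMAC-MD5 over the whole packet with the attribute value zeroed
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:HEADER.size] + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + mac


def verify_response(secret: bytes, req_auth: bytes, ident: int, resp: bytes) -> bool:
    """True only for a well-formed Access-Accept matching our Identifier whose
    Response Authenticator (and Message-Authenticator, if present) verify."""
    if len(resp) < HEADER.size:
        return False
    code, rid, length, resp_auth = HEADER.unpack_from(resp)
    if code != CODE_ACCESS_ACCEPT or rid != ident or length != len(resp) or length > 4096:
        return False
    attrs = resp[HEADER.size:length]
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(resp[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    pos = 0
    while pos < len(attrs):                 # walk the TLV attribute list
        if pos + 2 > len(attrs):
            return False
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            # For replies the HMAC is computed with the Request Authenticator in
            # the header and the Message-Authenticator value zeroed
            zeroed = resp[:4] + req_auth + attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, attrs[pos + 2:pos + 18]):
                return False
        pos += alen
    return True


def make_access_accept(secret: bytes, ident: int, req_auth: bytes, include_ma: bool = True) -> bytes:
    """Construct the Access-Accept a server would send; used for offline self-tests."""
    attrs = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if include_ma else b""
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, HEADER.size + len(attrs))
    if include_ma:
        attrs = attrs[:2] + hmac.new(secret, head + req_auth + attrs, hashlib.md5).digest()
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def probe(host: str, port: int, secret: bytes, timeout: float = 2.0) -> bool:
    """Send one Status-Server request and validate whatever comes back."""
    ident = os.urandom(1)[0]
    req_auth = os.urandom(16)          # fresh Request Authenticator per probe
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_status_server(secret, ident, req_auth), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(secret, req_auth, ident, data)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.stderr.write("usage: %s <host> <port>\n" % sys.argv[0])
        sys.exit(1)
    shared = os.environ.get("RADIUS_SECRET", "").encode()   # assumed variable name
    sys.exit(0 if probe(sys.argv[1], int(sys.argv[2]), shared) else 1)
```

Because the reply is authenticated with the shared secret, a stray UDP responder or a half-dead daemon cannot mark a real server healthy; a spoofed reply with a wrong secret or a mismatched Identifier fails verify_response and the check exits 1.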
Note: FreeRADIUS and keepalived must not run on the same server, as that interferes with packet forwarding.
Next, the VIP has to be bound on each real server, and the script must be placed under /etc/rc.d/init.d/. The binding script addVIP is as follows:
#!/bin/bash
IPADDR=(x.x.x.x)                 # fill in the VIP address(es)
NUM=`expr ${#IPADDR[*]} - 1`

start_vip(){
    for i in `seq 0 $NUM`;do
        ifconfig lo:$i ${IPADDR[$i]} broadcast ${IPADDR[$i]} netmask 255.255.255.255 up
        route add -host ${IPADDR[$i]} dev lo:$i
    done
    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/rp_filter
    echo "0" >/proc/sys/net/ipv4/conf/eth0/rp_filter
    echo "0" >/proc/sys/net/ipv4/conf/lo/rp_filter
    echo "0" >/proc/sys/net/ipv4/conf/default/rp_filter
    /sbin/sysctl -p >/dev/null 2>&1
}

stop_vip(){
    for i in `seq 0 $NUM`;do
        /sbin/route del -host ${IPADDR[$i]} dev lo:$i
        /sbin/ifconfig lo:$i ${IPADDR[$i]} broadcast ${IPADDR[$i]} netmask 255.255.255.255 down
    done
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "0" >/proc/sys/net/ipv4/ip_forward
    echo "1" >/proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" >/proc/sys/net/ipv4/conf/eth0/rp_filter
    echo "1" >/proc/sys/net/ipv4/conf/lo/rp_filter
    echo "1" >/proc/sys/net/ipv4/conf/default/rp_filter
    /sbin/sysctl -p >/dev/null 2>&1    # not all of these files necessarily exist; it depends on the system
}

case $1 in
    start|START)
        start_vip
        if [ $? -eq 0 ];then
            echo "setting vip success"
        else
            echo "setting vip fault"
        fi
        ;;
    stop|STOP)
        stop_vip
        if [ $? -eq 0 ];then
            echo "remove vip success"
        else
            echo "remove vip fault"
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
Run the script on each real server (after giving it execute permission): # /etc/rc.d/init.d/addVIP start
The result of the binding is shown below;
Start the keepalived service on the LVS server; if the FreeRADIUS service is healthy, LVS shows the following:
Finally, pick a server and test with the RADIUS test command radtest!
A note on why the VIP has to be bound on the real servers: in DR mode, because UDP is connectionless, when the RS sends its reply it uses its own address by default, so the packets reaching the Client carry a source address that is not the IP originally requested (the VS IP), which causes a problem.