ipvs / wifikzn.ru

Создано25.07.2022
Последнее обновление27.07.2022
отzamiloff
R1:
[root@r1 ~]# yum install -y ipvsadm Dependencies Resolved
...
Установлено:
  ipvsadm.x86_64 0:1.27-8.el7
...

[root@r1 ~]# ipvsadm -1
Try `ipvsadm -h' or 'ipvsadm --help' for more information.
[root@r1 ~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn

[root@r1 ~]# yum install docker -y
...
Установлено:
  docker.x86_64 2:1.13.1-209.git7d71120.el7.centos
...
[root@r1 ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: active (running) since Пн 2022-07-25 14:11:04 MSK; 7s ago
     Docs: http://docs.docker.com
 Main PID: 24609 (dockerd-current)
   CGroup: /system.slice/docker.service
           ├─24609 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --d...
           └─24614 /usr/bin/docker-containerd-current -l unix:///var/run/docker/libcontainerd/docker-containerd.s...

июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.682261170+03:00" level=info msg="libc...614"
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.764931362+03:00" level=info msg="Grap...nds"
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.765785955+03:00" level=info msg="Load...rt."
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.774294093+03:00" level=info msg="Fire...lse"
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.832272038+03:00" level=info msg="Defa...ess"
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.856979214+03:00" level=info msg="Load...ne."
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.887558394+03:00" level=info msg="Daem...ion"
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.887581115+03:00" level=info msg="Dock...13.1"
июл 25 14:11:04 r1 dockerd-current[24609]: time="2022-07-25T14:11:04.894462012+03:00" level=info msg="API ...ock"
июл 25 14:11:04 r1 systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.

[root@r1 ~]# mkdir /srv/A /srv/B
[root@r1 ~]# echo "This is A" > /srv/A/index.html
[root@r1 ~]# echo "This is B" > /srv/B/index.html

[root@r1 ~]# 
Unable to find image 'nginx:latest' locally
Trying to pull repository docker.io/library/nginx ...
latest: Pulling from docker.io/library/nginx
461246efe0a7: Pull complete
060bfa6be22e: Pull complete
b34d5ba6fa9e: Pull complete
8128ac56c745: Pull complete
44d36245a8c9: Pull complete
ebcc2cc821e6: Pull complete
Digest: sha256:1761fb5661e4d77e107427d8012ad3a5955007d997e0f4a3d41acc9ff20467c7
Status: Downloaded newer image for docker.io/nginx:latest
5106891e4e5cc13c074ce17dcaaad03a4fd8e769fbb62a32dcc85bd8a49dd636

[root@r1 ~]# docker run --rm -d -v "/srv/B:/usr/share/nginx/html" --name nginx-B nginx
7de410bbf95728774430a1a9bfdfa2020002a5dc0dccfa6aa33a725ea1b98f39

[root@r1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
7de410bbf957        nginx               "/docker-entrypoin..."   10 seconds ago      Up 9 seconds        80/tcp              nginx-B
5106891e4e5c        nginx               "/docker-entrypoin..."   5 minutes ago       Up 5 minutes        80/tcp              nginx-A

[root@r1 ~]# docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nginx-A
172.17.0.2
[root@r1 ~]# docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nginx-B
172.17.0.3

[root@r1 ~]# curl 172.17.0.2                   # forbidden, скорее всего из-за неверного selinux-контекста
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.23.1</center>
</body>
</html>

[root@r1 ~]# ls -laZ /srv/*/index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0   /srv/A/index.html
-rw-r--r--. root root unconfined_u:object_r:var_t:s0   /srv/B/index.html

[root@r1 ~]# semanage fcontext -a -t httpd_sys_content_t /srv/A/index.html

[root@r1 ~]# curl 172.17.0.2
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.23.1</center>
</body>
</html>

[root@r1 ~]# restorecon -v /srv/A/index.html
restorecon reset /srv/A/index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

[root@r1 ~]# curl 172.17.0.2
This is A

[root@r1 ~]# semanage fcontext -a -t httpd_sys_content_t /srv/B/index.html

[root@r1 ~]# restorecon -v /srv/B/index.html
restorecon reset /srv/B/ index.html context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

[root@r1 ~]# curl 172.17.0.3
This is B

[root@r1 ~]# ls -laZ /srv/*/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /srv/A/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /srv/B/index.html

[root@r1 ~]# ipvsadm -l -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  111.111.111.111:80 rr

[root@r1 ~]# ipvsadm -a -t 111.111.111.111:80 -r 172.17.0.2 -m
[root@r1 ~]# ipvsadm -a -t 111.111.111.111:80 -r 172.17.0.3 -m
[root@r1 ~]# ipvsadm -l -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  111.111.111.111:80 rr
  -> 172.17.0.2:80                Masq    1      0          0
  -> 172.17.0.3:80                Masq    1      0          0

[root@r1 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@r1 ~]# firewall-cmd --zone=public --add-service=http
success
[root@r1 ~]# sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8 enp0s9
  sources:
  services: dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# Проверим работоспособность сгенерировав 1000 запросов
111.1

[root@r3 ~]# for i in `seq 1 1000`; do curl http://111.111.111.111 -s; done | sort | uniq -c
    500 This is A
    500 This is B


[root@r1 ~]# ipvsadm -l -n --rate
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port                 CPS    InPPS   OutPPS    InBPS   OutBPS
  -> RemoteAddress:Port
TCP  111.111.111.111:80                 97      681      486    43847    49873
  -> 172.17.0.2:80                      49      340      243    21924    24937
  -> 172.17.0.3:80                      49      340      243    21923    24937

[root@r1 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
f9458c7b765f        nginx               "/docker-entrypoin..."   14 hours ago        Up 14 hours         80/tcp              nginx-B
b36c01e4a91c        nginx               "/docker-entrypoin..."   14 hours ago        Up 14 hours         80/tcp              nginx-A

[root@r1 ~]# docker logs f9458c7b765f | awk '{print$1}' | uniq -c
2022/07/25 16:30:56 [notice] 1#1: using the "epoll" event method
2022/07/25 16:30:56 [notice] 1#1: nginx/1.23.1
2022/07/25 16:30:56 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2022/07/25 16:30:56 [notice] 1#1: OS: Linux 3.10.0-1160.el7.x86_64
2022/07/25 16:30:56 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2022/07/25 16:30:56 [notice] 1#1: start worker processes
2022/07/25 16:30:56 [notice] 1#1: start worker process 30
      2 10-listen-on-ipv6-by-default.sh:
      1 111.111.111.111
      2 172.17.0.1
   1751 192.168.23.3
      6 /docker-entrypoint.sh:

# Убрать ошибки
[root@r1 ~]# docker logs f9458c7b765f 2>&1 | grep '192.168.23.3' | awk '{print$1}' | uniq -c
   2885 192.168.23.3
[root@r1 ~]# docker logs f9458c7b765f 2>/dev/null | grep '192.168.23.3' | awk '{print$1}' | uniq -c
   2885 192.168.23.3
How can we help?
