OpenVPN user authentication with PAM and MySQL
[ 2010/01/07 08:56 | by suibing ]
1. Using the PAM module
About PAM:
Pluggable Authentication Modules (PAM) is the industry-standard authentication framework.
PAM gives the system administrator the flexibility to pick any authentication service available on the system to perform authentication. New authentication service modules can also be plugged into the PAM framework and used without modifying the application.
There are four module types: account management, authentication, password management and session management. The control flag states how multiple entries for the same service name and module type are combined; it is one of:
required: the module test must succeed (the rest of the stack still runs, but the result is failure).
requisite: like required, but the stack stops at the first failure.
optional: the module test may fail.
sufficient: if the test succeeds, no further tests are run.
1> OpenVPN server-side configuration:
plugin /usr/sharelib/openvpn-auth-pam.so login  // location of the plugin; this shared object is built from the OpenVPN source distribution, and the path shown is the post's (it varies by distribution and build). The second argument, login, is the PAM service name, so the /etc/pam.d/login stack is used: every local account that can log in becomes a VPN account.
client-cert-not-required  // no client certificate needed. Note that this makes the password the only client credential; the directive was deprecated in OpenVPN 2.4 and removed in 2.5 (replaced by verify-client-cert none). Keeping client certificates and using the password as a second factor is the safer choice.
username-as-common-name  // use the username as the common name
2> OpenVPN client configuration:
auth-user-pass
3> Server-side accounts:
Add the corresponding user with useradd and set its password with passwd.
Restart OpenVPN; the client is then prompted for a username and password when it connects.
2. Using pam_mysql
1> Install MySQL and create a MySQL user named vpn with password vpn (the post's demo values; use a strong password in practice and grant this account only SELECT on the table). The user table is user in database openvpn.
2> Install pam_mysql, downloaded from http://internap.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.5.tar.gz
3> Create the PAM service file /etc/pam.d/openvpn with the following content (each directive on one line):
auth required pam_mysql.so user=vpn passwd=vpn host=192.168.1.11 db=openvpn table=user usercolumn=username passwdcolumn=password
account required pam_mysql.so user=vpn passwd=vpn host=192.168.1.11 db=openvpn table=user usercolumn=username passwdcolumn=password
Caveat: with no crypt= option pam_mysql compares the password column as plaintext, so the table would hold clear-text VPN passwords; add crypt=1 (crypt(3) hashes) or crypt=2 (MySQL PASSWORD() hashes) and store hashes instead. The file also contains the database password, so it should be readable by root only.
Note: copy pam_mysql.so to /lib/security/ and make sure libmysqlclient.so is present on the system. The module links against the MySQL client library whether the database is local or remote; only the MySQL server itself need not run on the VPN host.
4> OpenVPN server configuration:
plugin /usr/sharelib/openvpn-auth-pam.so openvpn  // the second argument selects /etc/pam.d/openvpn; everything else as above
5> Client configuration as above.
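The two procedures above (PAM via the login stack, then PAM via pam_mysql) as one script, added here as an example and not code from the original post: it writes the OpenVPN fragment, the /etc/pam.d/openvpn stack and the SQL for the user table, with hashed passwords, a SELECT-only database account and root-only permissions on the file that carries the database password. The plugin path /usr/lib/openvpn/openvpn-auth-pam.so, the account name vpnauth, the file names and the DESTDIR argument (a scratch directory for inspection, "" for a real install) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: writes the three pieces of
# the OpenVPN + openvpn-auth-pam + pam_mysql setup with the hardening the post
# leaves out. Plugin path, the 'vpnauth' database account and the file names
# are assumptions of this example.
#
# usage: install_openvpn_pam_mysql DESTDIR DB_HOST VPN_SERVER_IP DB_PASSWORD
#   e.g. install_openvpn_pam_mysql "" 192.168.1.11 192.168.1.10 "$(openssl rand -base64 18)"
install_openvpn_pam_mysql() {
    destdir=$1 db_host=$2 vpn_host=$3 db_pass=$4
    mkdir -p "$destdir/etc/openvpn" "$destdir/etc/pam.d"

    # 1. OpenVPN server fragment. The plugin's second argument is the PAM
    #    service name, so /etc/pam.d/openvpn is used, not /etc/pam.d/login.
    #    Client certificates are kept: the MySQL password is then a second
    #    factor rather than the only credential (client-cert-not-required was
    #    deprecated in OpenVPN 2.4 and removed in 2.5).
    cat > "$destdir/etc/openvpn/auth.conf" <<EOF
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
username-as-common-name
EOF

    # 2. PAM stack. Without crypt= pam_mysql compares the password column as
    #    plaintext; crypt=1 makes it verify with crypt(3) against a stored hash.
    #    The file holds the database password, so it is made root-only; that is
    #    enough because openvpn-auth-pam does its PAM calls from a helper forked
    #    before OpenVPN drops privileges.
    cat > "$destdir/etc/pam.d/openvpn" <<EOF
auth    required pam_mysql.so user=vpnauth passwd=$db_pass host=$db_host db=openvpn table=user usercolumn=username passwdcolumn=password crypt=1
account required pam_mysql.so user=vpnauth passwd=$db_pass host=$db_host db=openvpn table=user usercolumn=username passwdcolumn=password crypt=1
EOF
    chmod 600 "$destdir/etc/pam.d/openvpn"

    # 3. SQL to run once on the MySQL server: the PAM account can only SELECT
    #    from the one table, and the password column holds crypt(3) hashes
    #    (generate one with: openssl passwd -1 'the-password').
    cat > "$destdir/etc/openvpn/pam_mysql.sql" <<EOF
CREATE DATABASE IF NOT EXISTS openvpn;
CREATE TABLE IF NOT EXISTS openvpn.user (
    username VARCHAR(64)  NOT NULL PRIMARY KEY,
    password VARCHAR(128) NOT NULL
);
CREATE USER 'vpnauth'@'$vpn_host' IDENTIFIED BY '$db_pass';
GRANT SELECT ON openvpn.user TO 'vpnauth'@'$vpn_host';
EOF
}

# Check a pam_mysql line before restarting OpenVPN: rejects the plaintext
# default (no crypt= or crypt=0) so a rollout with unhashed passwords is
# caught before it authenticates anyone.
pam_mysql_line_ok() {
    case " $1 " in
        *" crypt=0 "*) return 1 ;;
        *" crypt="*)   return 0 ;;
        *)             return 1 ;;
    esac
}
```

Run the SQL file on the MySQL host once, then reload OpenVPN; existing rows must be re-written as hashes, since pam_mysql with crypt=1 will not match plaintext values.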
SSL-Explorer
[ 2010/01/07 08:55 | by suibing ]
Today, with nothing to do, I stumbled on SSL-Explorer - Web Based SSL VPN. It comes in two editions: the paid Enterprise Edition and the free Community Edition.
Probably because there is a commercial edition, it has a few advantages:
simple installation
documentation that "looks" complete, sometimes with Flash demo tutorials
even the Community Edition has a Windows build as well as the Unix one
the UI looks polished
Installation steps on Fedora:
Apache Ant is needed: yum install ant-* => just install the lot
Install the JDK from http://java.sun.com/j2se/1.5.0/download.jsp.
Start the installation:
# tar zxvf sslexplorer-0.2.8_01-src.tar.gz
# cd sslexplorer-0.2.8_01/
# export JAVA_HOME=/usr/java/jdk1.5.0_09/
# ant install
The automatic installation runs... and stops at...
[java] .....Point your browser to http://:28080.
Open a browser at http://<host>:28080 and do the configuration.
So far in my tests only the built-in user database works; I have not managed to get AD or Unix working yet and need to look into it further.
The rest is step-by-step and easy to finish.
# ant install-service
Then start SSL-Explorer:
# /etc/init.d/sslexplorer start
That is the installation done.
To start using it, point a browser at https://your_host_name and log in as the Super User to set up Resources and policies.
Ordinary users likewise just point a browser at https://your_host_name to start using it.
Impressions:
For a lawless engineer like me it feels a bit restrictive, but that is exactly what an SSL VPN is about: restrictions at the application level, and from the standpoint of strict IT management that is how it should be. ssh, for example, is fussy enough to require the user account to be set up in advance, and that is your login session name: if I log in to the SSL VPN as tester, I cannot use another name when I ssh into a backend host.
There are paid and free editions, so naturally some features are not available in the free one, e.g. RADIUS authentication and Exchange; but if UNIX or AD can be used, RADIUS does not matter much, and Exchange can be handled with OWA.
Available Resources:
Web Forward
Network Place
Application
SSL-Tunnel
Profile
Network Extension
Resources tried so far:
ssh
vnc
web: e.g. an intranet web site, Exchange OWA
There are of course CIFS, SMB and other features I have not tried yet. Web comes in several kinds too; I need to read the documentation more closely to make good use of it.
Overall it works quite well; I think it suits small companies of up to 50 people.... The main point is... it is free... and reachable from anywhere, as long as you have a browser.
Installing sslexplorer VPN
[ 2010/01/07 08:45 | by suibing ]
I recently installed SSLEXPLORER VPN, an open-source web-based SSL VPN with two editions, Community Edition and Enterprise Edition; the former is free. Its official site is http://3sp.com/.
**** With the method below you get its Web Forwards, Network Places, SSL Tunnels and Profiles working, but not Applications; I wanted to add a Windows CDP client application and could not find a way to do it. Pointers welcome, thanks.
The installation order is: set up the IP first, then install the JDK and Ant, and finally sslexplorer. The Linux used was Red Hat Enterprise Linux AS v4 running under VMware Workstation.
Software needed for the installation (GCC as well; it was installed with the system):
jdk-1_5_0_08-linux-i586-rpm.bin
apache-ant-1.6.5-bin.tar.gz
sslexplorer-0.2.8_01-src.tar.gz
1. Set up the IP
#####################
2. Installing the JDK on Linux
1. Download a Linux-platform JDK from http://java.sun.com into /usr/local; the RPM self-extracting format is recommended (RPM in self-extracting file, jdk-1_5_0_08-linux-i586-rpm.bin);
2. Upload it to the Linux server, change into the directory holding the jdk file and run:
./jdk-1_5_0_08-linux-i586-rpm.bin
The JDK licence is shown; read through it, and when asked whether you agree, type yes and press Enter to install.
Do you agree to the above license terms? [yes or no]
yes
Unpacking...
Checksumming...
0
0
Extracting...
UnZipSFX 5.42 of 14 January 2001, by Info-ZIP (Zip-Bugs@lists.wku.edu).
  inflating: jdk-1_5_0_08-linux-i586.rpm
Preparing...                ########################################### [100%]
        package jdk-1.5.0_08-fcs is already installed
Done.
When it finishes, the file jdk-1_5_0_08-linux-i586.rpm is in the current directory (check with ls). The self-extracting installer already ran rpm on it, as the "already installed" line shows; if that step failed, install it by hand with
rpm -ivh jdk-1_5_0_08-linux-i586.rpm
The JDK is installed under /usr by default; here it is /usr/java/jdk1.5.0_08
Add the system environment variables by editing /etc/profile: vi /etc/profile
Append the following at the end (change the JDK path to yours; note that sh does not allow spaces around the = of an assignment):
export JAVA_HOME=/usr/java/jdk1.5.0_08
export CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$PATH:$JAVA_HOME/bin
Save and exit.
Log out and back in, then run javac or java in a terminal to test; if Java's usage message appears, the installation succeeded.
To make the JDK available to all users you can instead create /etc/profile.d/java.sh (vi /etc/profile.d/java.sh) with the following content:
#set java environment
JAVA_HOME=/usr/java/jdk1.5.0_08
CLASSPATH=$JAVA_HOME/lib:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME CLASSPATH PATH
Save and exit, then set the permissions on java.sh: chmod 755 /etc/profile.d/java.sh
###############################
3. Installing ant on Linux (Apache Ant version 1.6.5)
1) Download the binary archive (apache-ant-1.6.5-bin.tar.gz) to /usr/local;
2) #tar zxpvf apache-ant-1.6.5-bin.tar.gz  ## unpack the binary package; this creates /usr/local/apache-ant-1.6.5
3) #ln -s apache-ant-1.6.5 ant  ## symlink, creating /usr/local/ant
4) Set the ant environment variables the same way as for the JDK, e.g.:
export ANT_HOME=/usr/local/ant
PATH=$PATH:$ANT_HOME/bin
5) Run #ant -version or #ant to check that the installation works.
###############################
4. Installing SSL-Explorer on Linux:
1) Download the source archive (sslexplorer-0.2.8_01-src.tar.gz) from www.3sp.com or http://sourceforge.net/projects/sslexplorer/ to /opt;
2) cd /opt
tar -zxvf sslexplorer-0.2.8_01-src.tar.gz
cd sslexplorer-0.2.8_01
ant install
3) Open a browser at http://IP:28080 and configure sslexplorer; for the detailed configuration process see the Windows-based Flash demo: Installation
4) Once step 3) is complete, ant install exits; then:
ant start
ant install-service
5) (sslexplorer can then be started with service sslexplorer start.) Open https://IP
Add to iptables (rather than switching iptables off altogether: users only need port 443, and 28080 is the setup wizard used during ant install, so allow it only from your admin host and drop that rule once configuration is done):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 28080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
6) For the remaining configuration details, see the Windows-based Flash demos at http://3sp.com/showSslExplorer.do (middle of the right-hand column):
Installation
Remote Administration
Web Forwarding (Reverse Proxy)
Web Forwarding (Tunneled Proxy)
Web Forwarding (Replacement Proxy)
Network Places
**** Installing from sslexplorer-0.2.8_01-src.tar.gz following the Flash demos gets Web Forwards, Network Places, SSL Tunnels and Profiles working, but not Applications; I wanted to add a Windows CDP client application and could not find a way to do it. Pointers welcome, thanks.
xen3.4.0_another_install
[ 2010/01/06 19:39 | by suibing ]
1. First we need to add the YUM repository holding the updated Xen. Only use ONE of the following files depending on your CPU architecture (only the i386 file is reproduced here; the baseurl is architecture-specific).
Create the following file with a text editor and save it as /etc/yum.repos.d/gitco.repo
# Name: RPM Repository for Red Hat Enterprise 5 - gitco
[gitco]
name = Red Hat Enterprise $releasever - gitco
baseurl = http://www.gitco.de/linux/i386/centos/5/rpms_testing/
enabled = 1
protect = 0
gpgcheck = 0
Note that gpgcheck = 0 turns off signature verification for this third-party repository, so the hypervisor and dom0 kernel below are fetched over plain http and installed without any integrity check. Only do this if you trust both the repository and the path to it, and set enabled = 0 again once the packages are in, so that later yum update runs do not silently pull further unsigned packages from it.
2. Uninstall old Virtualization files
yum groupremove Virtualization
3. Install the relevant packages using YUM
yum groupinstall -y Virtualization
Yum will probably want to upgrade some other files along with the ones we've chosen.
Warning! If you get an error message from grubby this is bad!
Installing: kernel-xen ####################### [ 9/13]
grubby fatal error: unable to find a suitable template
This means that your grub.conf file couldn't be written to for whatever reason. I'm not sure yet why this is happening but it basically means the grub.conf will be pointing to your old xen-kernel instead of your new one so you won't be able to successfully reboot. If you get this message you need to edit your /boot/grub/grub.conf file and make the kernel lines match the kernel you installed. To get your installed xen-kernel version check it with rpm.
[ root@vs / ] rpm -q kernel-xen
kernel-xen-2.6.18-92.1.6.el5
Now edit your /boot/grub/grub.conf to match. The stanza below is the one from the original write-up (hypervisor 3.3.0, kernel 2.6.18-92.1.6.el5xen); on the box whose yum output follows, rpm reports kernel-xen-2.6.18-164.el5 and the hypervisor is 3.4.0 (see the xm dmesg banner), so take the xen.gz, vmlinuz and initrd names from the files actually present in /boot rather than copying these.
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/vgsys/lvroot
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-92.1.6.el5xen)
root (hd0,0)
kernel /xen.gz-3.3.0
module /vmlinuz-2.6.18-92.1.6.el5xen ro root=/dev/vgsys/lvroot rhgb quiet
module /initrd-2.6.18-92.1.6.el5xen.img
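As an added example (not part of this guide), the following shell functions generate the GRUB stanza from the versions actually installed and check an existing grub.conf against /boot, which is the verification the grubby failure calls for. They assume, like the grub.conf above, that /boot is its own partition so GRUB paths are relative to it; the function names and arguments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: build the GRUB stanza for the
# hypervisor and dom0 kernel that are really installed, and check a grub.conf
# against /boot, so a stanza naming the old xen.gz/vmlinuz is caught before
# the reboot. Assumes /boot is a separate partition (paths relative to it).
#
# On a real host:
#   xen_grub_stanza /boot "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-xen | tail -n 1)xen" 3.4.0 /dev/vgsys/lvroot >> /boot/grub/grub.conf
#   grub_check /boot /boot/grub/grub.conf && reboot

# xen_grub_stanza BOOTDIR KERNEL_VERSION XEN_VERSION ROOT_DEVICE
# Prints the stanza, or fails (status 1) naming the first missing file.
xen_grub_stanza() {
    boot=$1 kver=$2 xver=$3 rootdev=$4
    for f in "xen.gz-$xver" "vmlinuz-$kver" "initrd-$kver.img"; do
        if [ ! -f "$boot/$f" ]; then
            echo "xen_grub_stanza: $boot/$f does not exist" >&2
            return 1
        fi
    done
    printf 'title CentOS (%s)\n' "$kver"
    printf '\troot (hd0,0)\n'
    printf '\tkernel /xen.gz-%s\n' "$xver"
    printf '\tmodule /vmlinuz-%s ro root=%s rhgb quiet\n' "$kver" "$rootdev"
    printf '\tmodule /initrd-%s.img\n' "$kver"
}

# grub_check BOOTDIR GRUB_CONF
# Succeeds only if every "kernel" and "module" path in GRUB_CONF exists under
# BOOTDIR; each missing file is reported on stderr.
grub_check() {
    boot=$1 conf=$2 rc=0
    for p in $(awk '$1 == "kernel" || $1 == "module" { print $2 }' "$conf"); do
        if [ ! -f "$boot$p" ]; then
            echo "grub_check: $conf references $boot$p, which does not exist" >&2
            rc=1
        fi
    done
    return $rc
}
```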
4. Reboot - no really I mean it.
5. Try it out by using the xm dmesg command
[ root@vs ~ ] xm dmesg
__ __ _____ _ _ ___
\ \/ /___ _ __ |___ /| || | / _ \
\ // _ \ '_ \ |_ \| || |_| | | |
/ \ __/ | | | ___) |__ _| |_| |
/_/\_\___|_| |_| |____(_) |_|(_)___/
(XEN) Xen version 3.4.0 ( root@gitco.tld
That's about all. If you have any questions drop a comment here.
The yum groupinstall transaction as it ran on this box (xen 3.4.0-3.el5 from gitco, kernel-xen 2.6.18-164.el5 from updates), for reference:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* rpmforge: apt.sw.be
* extras: mirror01.idc.hinet.net
* updates: mirror01.idc.hinet.net
* base: mirror01.idc.hinet.net
* addons: mirror01.idc.hinet.net
Setting up Group Process
Checking for new repos for mirrors
Package virt-viewer-0.0.2-2.el5.i386 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package xen.i386 0:3.4.0-3.el5 set to be updated
--> Processing Dependency: xen-libs = 3.4.0-3.el5 for package: xen
--> Processing Dependency: libflask.so.1.0 for package: xen
--> Processing Dependency: libxenctrl.so.3.4 for package: xen
--> Processing Dependency: libxenguest.so.3.4 for package: xen
---> Package virt-manager.i386 0:0.7.0-1.el5 set to be updated
--> Processing Dependency: python-virtinst >= 0.400.3 for package: virt-manager
--> Processing Dependency: gtk-vnc-python >= 0.3.4 for package: virt-manager
--> Processing Dependency: libvirt-python >= 0.6.1 for package: virt-manager
---> Package gnome-applet-vm.i386 0:0.1.2-1.el5 set to be updated
---> Package libvirt.i386 0:0.6.4-3.el5 set to be updated
--> Processing Dependency: /usr/bin/qemu-img for package: libvirt
--> Processing Dependency: cyrus-sasl-md5 for package: libvirt
--> Processing Dependency: iscsi-initiator-utils for package: libvirt
---> Package kernel-xen.i686 0:2.6.18-164.el5 set to be installed
--> Processing Dependency: libvirt = 0.3.3 for package: libvirt-devel
--> Running transaction check
---> Package libvirt-devel.i386 0:0.6.4-3.el5 set to be updated
---> Package iscsi-initiator-utils.i386 0:6.2.0.868-0.18.el5_3.1 set to be updated
---> Package libvirt-python.i386 0:0.6.4-3.el5 set to be updated
---> Package qemu.i386 0:0.10.5-1.el5.rf set to be updated
---> Package gtk-vnc-python.i386 0:0.3.7-2 set to be updated
--> Processing Dependency: gtk-vnc = 0.3.7 for package: gtk-vnc-python
--> Processing Dependency: libxenctrl.so.3.0 for package: xen-devel
--> Processing Dependency: libxenguest.so.3.0 for package: xen-devel
--> Processing Dependency: xen-libs = 3.0.3-80.el5_3.3 for package: xen-devel
---> Package xen-libs.i386 0:3.4.0-3.el5 set to be updated
---> Package cyrus-sasl-md5.i386 0:2.1.22-4 set to be updated
---> Package python-virtinst.noarch 0:0.400.3-1.el5 set to be updated
--> Running transaction check
---> Package xen-devel.i386 0:3.4.0-3.el5 set to be updated
---> Package gtk-vnc.i386 0:0.3.7-2 set to be updated
--> Processing Dependency: libgdkglext-x11-1.0.so.0 for package: gtk-vnc
--> Processing Dependency: libgtkglext-x11-1.0.so.0 for package: gtk-vnc
--> Running transaction check
---> Package gtkglext-libs.i386 0:1.2.0-6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
gnome-applet-vm i386 0.1.2-1.el5 base 76 k
kernel-xen i686 2.6.18-164.el5 updates 17 M
xen i386 3.4.0-3.el5 gitco 9.1 M
Updating:
gtk-vnc i386 0.3.7-2 gitco 78 k
gtk-vnc-python i386 0.3.7-2 gitco 13 k
libvirt i386 0.6.4-3.el5 gitco 2.1 M
libvirt-devel i386 0.6.4-3.el5 gitco 260 k
libvirt-python i386 0.6.4-3.el5 gitco 139 k
python-virtinst noarch 0.400.3-1.el5 gitco 383 k
virt-manager i386 0.7.0-1.el5 gitco 1.4 M
xen-devel i386 3.4.0-3.el5 gitco 252 k
xen-libs i386 3.4.0-3.el5 gitco 161 k
Installing for dependencies:
cyrus-sasl-md5 i386 2.1.22-4 base 45 k
gtkglext-libs i386 1.2.0-6 gitco 145 k
iscsi-initiator-utils i386 6.2.0.868-0.18.el5_3.1 updates 566 k
qemu i386 0.10.5-1.el5.rf rpmforge 26 M
Transaction Summary
================================================================================
Install 7 Package(s)
Update 9 Package(s)
Remove 0 Package(s)
Total size: 57 M
Total download size: 57 M
Downloading Packages:
--------------------------------------------------------------------------------
Total 62 kB/s | 57 MB 15:36
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : xen-libs [ 1/25]
Installing : qemu [ 2/25]
Installing : cyrus-sasl-md5 [ 3/25]
Installing : gtkglext-libs [ 4/25]
Updating : gtk-vnc [ 5/25]
Updating : gtk-vnc-python [ 6/25]
Installing : iscsi-initiator-utils [ 7/25]
Updating : xen-devel [ 8/25]
Installing : kernel-xen [ 9/25]
Updating : libvirt [10/25]
Updating : libvirt-python [11/25]
Updating : python-virtinst [12/25]
Updating : libvirt-devel [13/25]
Installing : xen [14/25]
warning: /etc/xen/scripts/locking.sh created as /etc/xen/scripts/locking.sh.rpmnew
warning: /etc/xen/scripts/network-bridge created as /etc/xen/scripts/network-bridge.rpmnew
warning: /etc/xen/scripts/network-nat created as /etc/xen/scripts/network-nat.rpmnew
warning: /etc/xen/scripts/vif-common.sh created as /etc/xen/scripts/vif-common.sh.rpmnew
warning: /etc/xen/scripts/xen-hotplug-cleanup created as /etc/xen/scripts/xen-hotplug-cleanup.rpmnew
warning: /etc/xen/xend-config.sxp created as /etc/xen/xend-config.sxp.rpmnew
Updating : virt-manager [15/25]
Installing : gnome-applet-vm [16/25]
Cleanup : gtk-vnc [17/25]
Cleanup : libvirt-devel [18/25]
Cleanup : xen-libs [19/25]
Cleanup : libvirt-python [20/25]
Cleanup : virt-manager [21/25]
Cleanup : libvirt [22/25]
Cleanup : gtk-vnc-python [23/25]
Cleanup : xen-devel [24/25]
Cleanup : python-virtinst [25/25]
Installed: gnome-applet-vm.i386 0:0.1.2-1.el5 kernel-xen.i686 0:2.6.18-164.el5 xen.i386 0:3.4.0-3.el5
Dependency Installed: cyrus-sasl-md5.i386 0:2.1.22-4 gtkglext-libs.i386 0:1.2.0-6 iscsi-initiator-utils.i386 0:6.2.0.868-0.18.el5_3.1 qemu.i386 0:0.10.5-1.el5.rf
Updated: gtk-vnc.i386 0:0.3.7-2 gtk-vnc-python.i386 0:0.3.7-2 libvirt.i386 0:0.6.4-3.el5 libvirt-devel.i386 0:0.6.4-3.el5 libvirt-python.i386 0:0.6.4-3.el5 python-virtinst.noarch 0:0.400.3-1.el5 virt-manager.i386 0:0.7.0-1.el5 xen-devel.i386 0:3.4.0-3.el5 xen-libs.i386 0:3.4.0-3.el5
Nginx+PHP+MySQL two-node mutual backup with fully automatic switchover
[ 2010/01/04 21:43 | by suibing ]
[Author: Zhang Yan. Version: v1.0. Last modified: 2008.11.19. Please credit the original link when reposting: http://blog.s135.com/post/379/]
In production, a certain "Nginx+PHP+MySQL" API data server plays a very important role; if the server hardware, Nginx or MySQL fails and cannot be restored quickly, the consequences are serious. To avoid this single point of failure I designed the following scheme and wrote the failover.sh script, giving two-node mutual backup with fully automatic switchover; a failover takes only a few tens of seconds.
I. The mutual-backup, automatic-switchover scheme:
1) Topology diagram:

2) Explanation:
(1) Assume the public domain blog.s135.com resolves to the public virtual IP 72.249.146.214, and the internal hosts entry db10 maps to the internal virtual IP 192.168.146.214.
(2) By default the master binds both the internal and the public virtual IP and the slave is the standby; when the master's MySQL, Nginx or the server itself becomes unreachable, the slave automatically takes over both virtual IPs. Both servers run the daemon that monitors and switches the virtual IPs: /usr/bin/nohup /bin/sh /usr/local/webserver/failover/failover.sh > /dev/null 2>&1 &
(3) The MySQL servers on master and slave are each other's master and slave, replicating in both directions. While the master is active (i.e. holds the virtual IPs), reads and writes go to the master's MySQL and the writes are replicated to the slave; while the slave is active, reads and writes go to the slave's MySQL and are replicated to the master (if MySQL on the master is dead and cannot replicate for a while, the data is synchronised from the slave once it comes back, and vice versa).
(4) While the master is active it pushes, every 20 seconds, the files under /data0/htdocs/ (web pages, programs, images), /usr/local/webserver/php/etc/ (php.ini and other configuration) and /usr/local/webserver/nginx/conf/ (Nginx configuration) to the corresponding directories on the slave with rsync (incrementally; files identical on both sides are not re-sent); conversely, while the slave is active it tries every 20 seconds to push the files to the master. The rsync configuration is /etc/rsyncd.conf on both servers; the rsync daemon is started with rsync --daemon
3) Automatic switchover flow
(1) The master binds the internal and public virtual IPs by default. When the master's MySQL or Nginx becomes unreachable or the server goes down, the failover.sh daemon on the master automatically removes the virtual IPs it holds (if failover.sh on the master has died and cannot remove them, that does not matter), and the failover.sh daemon on the slave automatically takes over the internal and public virtual IPs that the master held, sending ARPing packets to the internal and public gateways to update the MAC address: a forced takeover.
(2) After the slave binds the virtual IPs it sends ARPing packets to both gateways, telling them to update the MAC address of the virtual IPs to the slave's MAC, so that after the switch the virtual IPs reach the slave promptly.
(3) Once the master's MySQL and Nginx are up again and everything is reachable, the master's failover.sh daemon checks whether the master's MySQL data has been fully synchronised from the slave. If the replication delay is 0, the master automatically takes the internal and public virtual IPs back and sends ARPing packets to both gateways, and the slave automatically removes the virtual IPs.
(4) The whole switchover is performed by failover.sh; no manual intervention is needed.
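The switchover rules of 3) above, as an added example that is not part of the original article or its failover.sh: the decision is separated from the probes (MySQL and Nginx health, peer reachability, who answers arping for the VIP) so it can be exercised without root or a database. The function names, the argument order and the two SHOW SLAVE STATUS samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of Zhang Yan's failover.sh: the switchover decision
# from the description above, isolated from the network and MySQL calls. The
# caller gathers the inputs (the real script would run
# `mysql -e 'SHOW SLAVE STATUS\G'`, probe Nginx on 127.0.0.1 and probe the
# peer); only the decision lives here. Names and samples are this example's own.

# slave_lag: reads `SHOW SLAVE STATUS\G` output on stdin and prints
# Seconds_Behind_Master, or NULL when either replication thread is stopped
# (a stopped thread reports 0 or NULL, which must not count as "in sync").
slave_lag() {
    awk '
        /Slave_IO_Running:/      { io  = $2 }
        /Slave_SQL_Running:/     { sql = $2 }
        /Seconds_Behind_Master:/ { lag = $2 }
        END {
            if (io == "Yes" && sql == "Yes" && lag != "" && lag != "NULL") print lag
            else print "NULL"
        }'
}

# failover_decision TYPE LOCAL_OK PEER_OK HAS_VIP PEER_HAS_VIP LAG
#   TYPE          master or slave (the script's "type" setting)
#   LOCAL_OK      1 if this node's MySQL and Nginx both answer
#   PEER_OK       1 if the other node's MySQL and Nginx both answer
#   HAS_VIP       1 if this node currently holds the shared VIPs
#   PEER_HAS_VIP  1 if the other node holds them (e.g. arping shows its MAC)
#   LAG           output of slave_lag on this node
# Prints one of: bind, remove, keep, none.
failover_decision() {
    fd_type=$1 fd_local=$2 fd_peer=$3 fd_vip=$4 fd_peer_vip=$5 fd_lag=$6

    # A node whose own MySQL or Nginx is down never serves, whatever its role.
    if [ "$fd_local" != 1 ]; then
        if [ "$fd_vip" = 1 ]; then echo remove; else echo none; fi
        return 0
    fi

    case $fd_type in
    master)
        if [ "$fd_vip" = 1 ]; then
            echo keep
        elif [ "$fd_peer" != 1 ] || [ "$fd_lag" = 0 ]; then
            # Take the VIPs back only once every write made on the slave has
            # been replicated here (lag 0), or when there is no slave to wait for.
            echo bind
        else
            echo none
        fi ;;
    slave)
        if [ "$fd_peer" != 1 ]; then
            if [ "$fd_vip" = 1 ]; then echo keep; else echo bind; fi
        elif [ "$fd_vip" = 1 ]; then
            # Master is healthy again: yield as soon as it has re-bound the VIPs,
            # and keep serving until then (it waits for replication to catch up).
            if [ "$fd_peer_vip" = 1 ]; then echo remove; else echo keep; fi
        else
            echo none
        fi ;;
    *)
        echo "failover_decision: type must be master or slave" >&2
        return 1 ;;
    esac
}

# Constructed samples of `mysql -e 'SHOW SLAVE STATUS\G'` output on the master.
SAMPLE_STATUS_SYNCED='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.146.215
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0'
SAMPLE_STATUS_BROKEN='*************************** 1. row ***************************
               Slave_IO_State:
                  Master_Host: 192.168.146.215
             Slave_IO_Running: No
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL'

# One loop iteration on a recovered master while the slave still holds the VIPs:
lag=$(printf '%s\n' "$SAMPLE_STATUS_SYNCED" | slave_lag)
echo "master: lag=$lag -> $(failover_decision master 1 1 0 1 "$lag")"   # bind
lag=$(printf '%s\n' "$SAMPLE_STATUS_BROKEN" | slave_lag)
echo "master: lag=$lag -> $(failover_decision master 1 1 0 1 "$lag")"   # none
```

The real loop would call function_bind_vip or function_remove_vip on "bind" and "remove", sleep, and repeat; treating a stopped replication thread as NULL rather than 0 is what stops the master from taking the VIPs back over a slave whose writes it has not yet received.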
4) Caveats (important):
(1) The crontab files are not synchronised automatically; if you change them, change them by hand on both servers.
(2) rsync does not synchronise symbolic links created with ln -s inside /data0/htdocs/; if you create a symlink on one server, create the same symlink by hand on the other.
(3) To delete files or directories under /data0/htdocs/, delete them first on the active server (the one holding the virtual IPs) and then on the standby server.
(4) Configuration changes outside the three synchronised directories, /data0/htdocs/ (web pages, programs, images), /usr/local/webserver/php/etc/ (php.ini and other configuration) and /usr/local/webserver/nginx/conf/ (Nginx configuration), must be made on both servers.
II. Configuration files and scripts:
1. rsync configuration on both the master and the slave (identical on both)
(1) rsync configuration file
vi /etc/rsyncd.conf
Enter the following and save:
uid = root
gid = root
use chroot = no
max connections = 20
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
[data0_htdocs]
path = /data0/htdocs/
ignore errors
read only = no
hosts allow = 192.168.146.0/24
hosts deny = 0.0.0.0/32
[php_etc]
path = /usr/local/webserver/php/etc/
ignore errors
read only = no
hosts allow = 192.168.146.0/24
hosts deny = 0.0.0.0/32
[nginx_conf]
path = /usr/local/webserver/nginx/conf/
ignore errors
read only = no
hosts allow = 192.168.146.0/24
hosts deny = 0.0.0.0/32
Caveat: these modules run as root, are writable (read only = no) and have no auth users / secrets file, so any host in 192.168.146.0/24 can overwrite the web root, php.ini and the Nginx configuration on the peer as root, which amounts to code execution on it. Narrow hosts allow to the peer's own address (192.168.146.215 on the master, 192.168.146.213 on the slave) and add auth users with a secrets file so that pushes require a password. With hosts allow set, everything not listed is already refused, so hosts deny = 0.0.0.0/32 adds nothing.
(2) Start the rsync daemon
/usr/bin/rsync --daemon
2. Configuring the two MySQL servers as each other's master and slave
I will not detail the master-master replication setup here; search Google if you are not familiar with it. One point worth making: add the skip-name-resolve parameter to my.cnf so that MySQL account checks are done by IP.
3. The failover.sh daemon on master and slave that monitors the services and switches the virtual IPs
(1) Starting the failover.sh daemon (to start it at boot, add the following line to /etc/rc.local):
/usr/bin/nohup /bin/sh /usr/local/webserver/failover/failover.sh > /dev/null 2>&1 &
(2) Stopping the failover.sh daemon:
ps -ef | grep failover.sh
shows something like:
root 15428 1 0 Nov17 ? 00:00:03 /bin/sh /usr/local/webserver/failover/failover.sh
root 20123 6878 0 16:16 pts/2 00:00:00 grep failover.sh
Then kill the failover.sh process:
kill -9 15428
(3) Contents of failover.sh (note the type setting: master on the master, slave on the slave):
#!/bin/sh
LANG=C
#--------------- Configuration (start) ---------------
# Role: "master" on the master server, "slave" on the standby
type="master"
# Log file for switchover events
logfile="/var/log/failover.log"
# MySQL client binary (e.g. /usr/local/mysql/bin/mysql), MySQL user, password and port.
# The password is stored here in clear text and passed on the command line, so keep this
# script readable by root only and prefer an account limited to REPLICATION CLIENT.
mysql_bin="/usr/local/webserver/mysql/bin/mysql"
mysql_username="root"
mysql_password="123456"
mysql_port="3306"
# Internal gateway
gateway_eth0="192.168.146.1"
# Master's real internal IP
rip_eth0_master="192.168.146.213"
# Standby's real internal IP
rip_eth0_slave="192.168.146.215"
# Internal virtual IP shared by master and standby
vip_eth0_share="192.168.146.214"
# External gateway
gateway_eth1="72.249.146.193"
# Master's real external IP
rip_eth1_master="72.249.146.213"
# Standby's real external IP
rip_eth1_slave="72.249.146.215"
# External virtual IP shared by master and standby
vip_eth1_share="72.249.146.214"
#--------------- Configuration (end) ---------------
# Timestamp for log entries, taken when each entry is written
function_now()
{
    date +"%Y-%m-%d %H:%M:%S"
}
# Bind the internal and external virtual IPs
function_bind_vip()
{
    /sbin/ifconfig eth0:vip ${vip_eth0_share} broadcast ${vip_eth0_share} netmask 255.255.255.255 up
    /sbin/route add -host ${vip_eth0_share} dev eth0:vip
    /sbin/ifconfig eth1:vip ${vip_eth1_share} broadcast ${vip_eth1_share} netmask 255.255.255.255 up
    /sbin/route add -host ${vip_eth1_share} dev eth1:vip
    # Reload php-fpm, have Nginx reopen its logs, and run cron jobs only on the active node
    /usr/local/webserver/php/sbin/php-fpm reload
    kill -USR1 `cat /usr/local/webserver/nginx/logs/nginx.pid`
    /sbin/service crond start
}
# Release the internal and external virtual IPs
function_remove_vip()
{
    /sbin/ifconfig eth0:vip ${vip_eth0_share} broadcast ${vip_eth0_share} netmask 255.255.255.255 down
    /sbin/ifconfig eth1:vip ${vip_eth1_share} broadcast ${vip_eth1_share} netmask 255.255.255.255 down
    /sbin/service crond stop
}
# Push files from the master to the standby
function_rsync_master_to_slave()
{
    /usr/bin/rsync -zrtuog /data0/htdocs/ ${rip_eth0_slave}::data0_htdocs/ > /dev/null 2>&1
    /usr/bin/rsync -zrtuog /usr/local/webserver/php/etc/ ${rip_eth0_slave}::php_etc/ > /dev/null 2>&1
    /usr/bin/rsync -zrtuog /usr/local/webserver/nginx/conf/ ${rip_eth0_slave}::nginx_conf/ > /dev/null 2>&1
}
# Push files from the standby to the master
function_rsync_slave_to_master()
{
    /usr/bin/rsync -zrtuog /data0/htdocs/ ${rip_eth0_master}::data0_htdocs/ > /dev/null 2>&1
    /usr/bin/rsync -zrtuog /usr/local/webserver/php/etc/ ${rip_eth0_master}::php_etc/ > /dev/null 2>&1
    /usr/bin/rsync -zrtuog /usr/local/webserver/nginx/conf/ ${rip_eth0_master}::nginx_conf/ > /dev/null 2>&1
}
# Announce the virtual IPs to the gateways so that their ARP caches point at this node
function_vip_arping()
{
    /sbin/arping -I eth0 -c 3 -s ${vip_eth0_share} ${gateway_eth0} > /dev/null 2>&1
    /sbin/arping -I eth1 -c 3 -s ${vip_eth1_share} ${gateway_eth1} > /dev/null 2>&1
}
while true
do
    # Check the virtual IPs: HTTP on the external VIP, MySQL on the internal VIP
    if (curl -m 30 -G http://${vip_eth1_share}/ > /dev/null 2>&1) && (${mysql_bin} -u"${mysql_username}" -p"${mysql_password}" -P"${mysql_port}" -h"${vip_eth0_share}" -e"show slave status\G" > /dev/null 2>&1)
    then
        # Find out which node holds the internal VIP: Master_Host in its SHOW SLAVE STATUS
        # output is the IP of the other node
        eth0_active_server=$(${mysql_bin} -u"${mysql_username}" -p"${mysql_password}" -P"${mysql_port}" -h"${vip_eth0_share}" -e"show slave status\G" | grep "Master_Host" | awk -F ': ' '{print $2}')
        # The VIP is on the master (its Master_Host is the standby's IP) and this node is the master
        if [ "${eth0_active_server}" = "${rip_eth0_slave}" ] && [ "${type}" = "master" ]
        then
            function_rsync_master_to_slave
            function_vip_arping
        # The VIP is on the standby (its Master_Host is the master's IP)
        elif [ "${eth0_active_server}" = "${rip_eth0_master}" ]
        then
            if (curl -m 30 -G http://${rip_eth1_master}/ > /dev/null 2>&1) && (${mysql_bin} -u"${mysql_username}" -p"${mysql_password}" -P"${mysql_port}" -h"${rip_eth0_master}" -e"show slave status\G" | grep "Seconds_Behind_Master: 0" > /dev/null 2>&1)
            then
                # The master is reachable and replication has caught up: the master takes the VIP back
                if [ "${type}" = "master" ]
                then
                    # This node is the master
                    function_bind_vip
                    function_vip_arping
                    echo "$(function_now) 主机已绑定虚拟IP!(Type:1)" >> ${logfile}
                else
                    # This node is the standby
                    function_remove_vip
                    echo "$(function_now) 备机已去除虚拟IP!(Type:2)" >> ${logfile}
                fi
            else
                if [ "${type}" = "slave" ]
                then
                    # This node is the standby and stays active
                    function_rsync_slave_to_master
                    function_vip_arping
                fi
            fi
        fi
    else
        # The VIP is unreachable: check whether the master itself is reachable
        if (curl -m 30 -G http://${rip_eth1_master}/ > /dev/null 2>&1) && (${mysql_bin} -u"${mysql_username}" -p"${mysql_password}" -P"${mysql_port}" -h"${rip_eth0_master}" -e"show slave status\G" > /dev/null 2>&1)
        then
            # The master is reachable: if this node is the master, it binds the VIP
            if [ "${type}" = "master" ]
            then
                function_bind_vip
                function_vip_arping
                echo "$(function_now) 主机已绑定虚拟IP!(Type:3)" >> ${logfile}
            else
                function_remove_vip
                echo "$(function_now) 备机已去除虚拟IP!(Type:4)" >> ${logfile}
            fi
        elif (curl -m 30 -G http://${rip_eth1_slave}/ > /dev/null 2>&1) && (${mysql_bin} -u"${mysql_username}" -p"${mysql_password}" -P"${mysql_port}" -h"${rip_eth0_slave}" -e"show slave status\G" > /dev/null 2>&1)
        then
            # The master is unreachable but the standby is reachable: if this node is the standby, it binds the VIP
            if [ "${type}" = "slave" ]
            then
                function_bind_vip
                function_vip_arping
                echo "$(function_now) 备机已绑定虚拟IP!(Type:5)" >> ${logfile}
            else
                function_remove_vip
                echo "$(function_now) 主机已去除虚拟IP!(Type:6)" >> ${logfile}
            fi
        else
            echo "$(function_now) 主机、备机全部无法访问!(Type:7)" >> ${logfile}
        fi
    fi
    # Pause 20 seconds between checks
    sleep 20
done