$ sudo iptables -t nat -L KUBE-SERVICES -n
Chain KUBE-SERVICES (2 references)
target                     prot opt source               destination
KUBE-SVC-4N57TFCL4MD7ZTDA  tcp  --  0.0.0.0/0            10.3.0.156           /* default/nginx: cluster IP */ tcp dpt:80
KUBE-MARK-MASQ             tcp  --  0.0.0.0/0            172.17.8.201         /* default/nginx: external IP */ tcp dpt:80
KUBE-SVC-4N57TFCL4MD7ZTDA  tcp  --  0.0.0.0/0            172.17.8.201         /* default/nginx: external IP */ tcp dpt:80 PHYSDEV match ! --physdev-is-in ADDRTYPE match src-type !LOCAL
KUBE-SVC-4N57TFCL4MD7ZTDA  tcp  --  0.0.0.0/0            172.17.8.201         /* default/nginx: external IP */ tcp dpt:80 ADDRTYPE match dst-type LOCAL
KUBE-SVC-NPX46M4PTMTKRN6Y  tcp  --  0.0.0.0/0            10.3.0.1             /* default/kubernetes:https cluster IP */ tcp dpt:443
KUBE-NODEPORTS             all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
$ docker run --privileged -it --rm --net host luizbafilho/ipvsadm
/# ipvsadm
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
/# ipvsadm -A -t 172.17.8.201:80
/# ipvsadm -a -t 172.17.8.201:80 -r 172.17.8.11:80 -g
/# ipvsadm -a -t 172.17.8.201:80 -r 172.17.8.12:80 -g
/# ipvsadm
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.17.8.201:http wlc
  -> 172.17.8.11:http             Route   1      0          0
  -> 172.17.8.12:http             Route   1      0          0
As shown, we have successfully set up forwarding from the VIP to the backend servers.
Verifying the forwarding
First, use curl to test whether the nginx service can be reached normally.
$ curl http://172.17.8.201
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Next, capture packets on 172.17.8.11 to confirm how IPVS is handling the traffic.
$ sudo tcpdump -i any port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
04:09:07.503858 IP 172.17.8.1.51921 > 172.17.8.201.http: Flags [S], seq 2747628840, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1332071005 ecr 0,sackOK,eol], length 0
04:09:07.504241 IP 10.2.0.1.51921 > 10.2.0.3.http: Flags [S], seq 2747628840, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1332071005 ecr 0,sackOK,eol], length 0
04:09:07.504498 IP 10.2.0.1.51921 > 10.2.0.3.http: Flags [S], seq 2747628840, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1332071005 ecr 0,sackOK,eol], length 0
04:09:07.504827 IP 10.2.0.3.http > 10.2.0.1.51921: Flags [S.], seq 3762638044, ack 2747628841, win 28960, options [mss 1460,sackOK,TS val 153786592 ecr 1332071005,nop,wscale 7], length 0
04:09:07.504827 IP 10.2.0.3.http > 172.17.8.1.51921: Flags [S.], seq 3762638044, ack 2747628841, win 28960, options [mss 1460,sackOK,TS val 153786592 ecr 1332071005,nop,wscale 7], length 0
04:09:07.504888 IP 172.17.8.201.http > 172.17.8.1.51921: Flags [S.], seq 3762638044, ack 2747628841, win 28960, options [mss 1460,sackOK,TS val 153786592 ecr 1332071005,nop,wscale 7], length 0
04:09:07.505599 IP 172.17.8.1.51921 > 172.17.8.201.http: Flags [.], ack 1, win 4117, options [nop,nop,TS val 1332071007 ecr 153786592], length 0
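As an added example (not part of the original post), the following Python script pairs the pre- and post-translation copies of each packet in a tcpdump capture like the one above by their absolute TCP sequence number, which NAT leaves unchanged. Run on the seven captured lines it recovers the destination rewrite from the VIP 172.17.8.201 to the pod 10.2.0.3 and the source rewrite from 172.17.8.1 to 10.2.0.1, the latter consistent with the KUBE-MARK-MASQ rule for the external IP in the nat table; the function names are mine, the sample lines are the page's capture.

```python
import re
from collections import defaultdict

# Sample input: the seven packet lines of the tcpdump capture on 172.17.8.11 shown above.
CAPTURE = """\
04:09:07.503858 IP 172.17.8.1.51921 > 172.17.8.201.http: Flags [S], seq 2747628840, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1332071005 ecr 0,sackOK,eol], length 0
04:09:07.504241 IP 10.2.0.1.51921 > 10.2.0.3.http: Flags [S], seq 2747628840, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1332071005 ecr 0,sackOK,eol], length 0
04:09:07.504498 IP 10.2.0.1.51921 > 10.2.0.3.http: Flags [S], seq 2747628840, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1332071005 ecr 0,sackOK,eol], length 0
04:09:07.504827 IP 10.2.0.3.http > 10.2.0.1.51921: Flags [S.], seq 3762638044, ack 2747628841, win 28960, options [mss 1460,sackOK,TS val 153786592 ecr 1332071005,nop,wscale 7], length 0
04:09:07.504827 IP 10.2.0.3.http > 172.17.8.1.51921: Flags [S.], seq 3762638044, ack 2747628841, win 28960, options [mss 1460,sackOK,TS val 153786592 ecr 1332071005,nop,wscale 7], length 0
04:09:07.504888 IP 172.17.8.201.http > 172.17.8.1.51921: Flags [S.], seq 3762638044, ack 2747628841, win 28960, options [mss 1460,sackOK,TS val 153786592 ecr 1332071005,nop,wscale 7], length 0
04:09:07.505599 IP 172.17.8.1.51921 > 172.17.8.201.http: Flags [.], ack 1, win 4117, options [nop,nop,TS val 1332071007 ecr 153786592], length 0
"""

# One tcpdump packet line (captured without -n, so a port may print as a service name such as "http").
PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

def parse(lines):
    """Return the packet lines as dicts; header and other non-packet lines are skipped."""
    return [m.groupdict() for m in (PKT.match(l.strip()) for l in lines) if m]

def nat_chains(pkts):
    """Group packets by absolute TCP seq and list the distinct (src, dst) pairs in capture
    order. NAT rewrites addresses but never the sequence number, so each list is one packet
    seen before and after translation. Pure ACKs are skipped: tcpdump prints them relative."""
    chains = defaultdict(list)
    for p in pkts:
        if p["seq"] is None:
            continue
        hop = (p["src"], p["dst"])
        if not chains[p["seq"]] or chains[p["seq"]][-1] != hop:  # "-i any" shows a packet twice
            chains[p["seq"]].append(hop)
    return dict(chains)

def translations(chains):
    """Compare the first (pre-NAT) and last (post-NAT) hop of each seq. In the reply
    direction the rewrites are conntrack undoing the forward translations."""
    out = {}
    for seq, hops in chains.items():
        (s0, d0), (s1, d1) = hops[0], hops[-1]
        out[seq] = {"src_rewrite": (s0, s1) if s0 != s1 else None,
                    "dst_rewrite": (d0, d1) if d0 != d1 else None}
    return out
```

The seq of the client's SYN appears first with the VIP as destination and then with the pod address, and the SYN-ACK from the pod walks the same path back, so the script recovers both the DNAT and the masquerade without any knowledge of the iptables rules.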
zone "." IN {                        // define a zone named "." with query class IN
    type hint;                       // type is hint
    file "named.root";               // the zone file is named.root
};
zone "1.10.10.in-addr.arpa" IN {     // define a zone named 1.10.10.in-addr.arpa with query class IN
    type master;                     // type is master
    file "named.1.10.10";            // the zone file is named.1.10.10
    allow-update { none; };          // do not allow any client to update the data
};