rh358 003 ansible部署雙網路卡繫結 DNS原理 bind正向解析

2022-09-03 21:01:51

雙網路卡繫結

繫結多張網路卡成為邏輯口,從而實現鏈路冗餘,以及資料流量的負載均衡

1.建立team口

[root@servera ~]# nmcli connection add type team con-name team0 ifname team0  team.runner activebackup ipv4.method manual ipv4.address 192.168.0.200/24
Connection 'team0' (3eb2f94e-3653-4aa2-a3f1-0826a02b26d1) successfully added.


建立了連結
[root@servera ~]# nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
team0               e4a115a2-5444-4d16-975b-5d1fc62a2503  team      team0  

建立了連結組態檔
[root@servera ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0 
TEAM_CONFIG="{ \"runner\": { \"name\": \"activebackup\" } }"
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=team0
UUID=e4a115a2-5444-4d16-975b-5d1fc62a2503
DEVICE=team0
ONBOOT=yes
DEVICETYPE=Team
[root@servera ~]# 

建立了team0裝置
[root@servera ~]# nmcli device 
DEVICE  TYPE      STATE                                  CONNECTION         
eth0    ethernet  connected                              Wired connection 1 
eth1    ethernet  connected                              eth1               
team0   team      [connecting (getting IP configuration)]  team0 
team 邏輯口若一直無法取得 DHCP 位址,它會自動消失
如果 ipv4.method 設為 manual 則沒有此問題
也可以事後用 nmcli connection modify 修改 team0 的設定

2.把物理網路卡加入team中

建議刪除網路卡關聯的舊連結
[root@servera ~]# nmcli connection delete 'Wired connection 2'
Connection 'Wired connection 2' (8f9a19e2-d15a-3772-b71d-320159e6753d) successfully deleted.
[root@servera ~]# nmcli connection delete 'eth1' 
Connection 'eth1' (1e60e42a-10e8-4a27-ba92-c5698ae322c1) successfully deleted.
[root@servera ~]# 

新增新連結,繫結邏輯介面
[root@servera ~]# nmcli connection add type ethernet slave-type team con-name eth1   ifname  eth1  master team0
Connection 'eth1' (17ef3f96-7b48-42a4-a0bd-11341eaec928) successfully added.
[root@servera ~]# nmcli connection add type ethernet slave-type team con-name eth2   ifname  eth2  master team0
Connection 'eth2' (18fc1852-1b11-4f98-89a1-fb898f5e6bb2) successfully added.
[root@servera ~]# 

[root@servera ~]# nmcli connection show
NAME                UUID                                  TYPE      DEVICE 
mqy                 bffa0efd-a0c4-40c6-ad27-ff42ccd5dc1c  ethernet  eth1   
team0               e4a115a2-5444-4d16-975b-5d1fc62a2503  team      team0  
Wired connection 1  4ae4bb9e-8f2d-3774-95f8-868d74edcc3c  ethernet  eth0   
eth2                18fc1852-1b11-4f98-89a1-fb898f5e6bb2  ethernet  eth2   
eth1                17ef3f96-7b48-42a4-a0bd-11341eaec928  ethernet  --    

[root@servera ~]# nmcli device 
DEVICE  TYPE      STATE      CONNECTION         
eth0    ethernet  connected  Wired connection 1 
team0   team      connected  team0              
eth1    ethernet  connected  eth1               
eth2    ethernet  connected  eth2   

如果 team0 沒有 ip 地址,則先執行 nmcli connection down team0,再執行 nmcli connection up team0

7: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:02:fa:0a brd ff:ff:ff:ff:ff:ff
inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute team0
   valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel [master team0 state UP] group default qlen 1000
link/ether 52:54:00:02:fa:0a brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel [master team0 state UP] group default qlen 1000

需要注意幾點:
物理網路卡不需要設定 ip 地址,所有的 ip 地址都設定在 team 口上
只有當至少一個物理介面處於 up 狀態時,team 口才會 up

3.檢視team設定網路資訊

檢視team資訊

[root@servera ~]# teamdctl team0 state
setup:
runner: activebackup
ports:
eth1
    link watches:
    link summary: up
    instance[link_watch_0]:
        name: ethtool   使用ethtool來監控
        link: up
        down count: 0
eth2
    link watches:
    link summary: up
    instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
runner:
active port: eth1

檢視設定資訊

[root@servera ~]# teamdctl team0 config dump
{
    "device": "team0",
    "mcast_rejoin": {
        "count": 1
    },
    "notify_peers": {
        "count": 1
    },
    "ports": {
        "eth1": {
            "link_watch": {
                "name": "ethtool"
            }
        },
        "eth2": {
            "link_watch": {
                "name": "ethtool"
            }
        }
    },
    "runner": {
        "name": "activebackup"
    }
}
[root@servera ~]# 



teamdctl team0 config dump noports  # 不顯示介面資訊

直接檢視介面狀態
[root@servera ~]# teamnl team0 ports
4: eth2: up 4294967295Mbit FD 
3: eth1: up 4294967295Mbit FD 

team口的網路卡組態檔

[root@servera ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0 
TEAM_CONFIG="{ \"runner\": { \"name\": \"activebackup\" } }"
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.0.200
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=team0
UUID=3eb2f94e-3653-4aa2-a3f1-0826a02b26d1
DEVICE=team0
ONBOOT=yes
DEVICETYPE=Team
[root@servera ~]# 

[root@servera ~]# teamdctl team0 config dump  > t1.json
[root@servera ~]# vi t1.json 
"runner": {
        "name": "roundrobin"
    }
}
[root@servera ~]# nmcli connection modify team0 team.config t1.json
[root@servera ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0 
TEAM_CONFIG=$'{\n    \"device\": \"team0\",\n    \"mcast_rejoin\": {\n        \"count\": 1\n    },\n    \"notify_peers\": {\n        \"count\": 1\n    },\n    \"ports\": {\n        \"eth1\": {\n            \"link_watch\": {\n                \"name\": \"ethtool\"\n            }\n        },\n        \"eth2\": {\n            \"link_watch\": {\n                \"name\": \"ethtool\"\n            }\n        }\n    },\n    \"runner\": {\n        \"name\": \"roundrobin\"\n    }\n}\n'
PROXY_METHOD=none

第二種改法

[root@servera ~]# nmcli connection modify team0 team.runner  activebackup 
[root@servera ~]# nmcli connection up team0 
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/27)
[root@servera ~]# 


[root@servera ~]# teamdctl team0 config dump
{
    "device": "team0",
    "mcast_rejoin": {
        "count": 1
    },
    "notify_peers": {
        "count": 1
    },
    "ports": {
        "eth1": {
            "link_watch": {
                "name": "ethtool"
            }
        },
        "eth2": {
            "link_watch": {
                "name": "ethtool"
            }
        }
    },
    "runner": {
        "name": "activebackup"
    }
}

無論用哪種改法,都必須執行 nmcli connection up team0 重新啟用 team0,新的組態檔才會被讀取

利用ansible

使用系統role提供正確的變數,就可以完成任務

[student@workstation ~]$ lab netlink-automation start

Starting netlink-automation exercise.

· Create Ansible project directory............................  SUCCESS
· Download Ansible configuration..............................  SUCCESS
· Download Ansible inventory..................................  SUCCESS
· Configuring eth1 network interface on serverd...............  SUCCESS

[student@workstation ~]$ 

肯定需要這個角色包
[student@workstation ~]$ sudo yum -y install rhel-system-roles


準備劇本
[student@workstation ~]$ ll
total 0
drwxr-xr-x. 2 student student 42 Sep  3 22:10 netlink-automation
drwxr-xr-x. 2 student student 42 Aug 29 08:02 servicemgmt-automation
[student@workstation ~]$ cd netlink-automation/
[student@workstation netlink-automation]$ ls
ansible.cfg  inventory
[student@workstation netlink-automation]$ ansible-galaxy list
# /usr/share/ansible/roles
- linux-system-roles.kdump, (unknown version)
- linux-system-roles.network, (unknown version)
- linux-system-roles.postfix, (unknown version)
- linux-system-roles.selinux, (unknown version)
- linux-system-roles.storage, (unknown version)
- linux-system-roles.timesync, (unknown version)

[root@servera ~]# nmcli device 
DEVICE  TYPE      STATE      CONNECTION         
eth0    ethernet  connected  Wired connection 1 
team0   team      connected  team0              
eth1    ethernet  connected  eth1               
eth2    ethernet  connected  eth2   


[root@servera ~]# teamdctl team0 config dump
{
    "device": "team0",
    "ports": {
        "eth1": {
            "link_watch": {
                "name": "ethtool"
            }
        },
        "eth2": {
            "link_watch": {
                "name": "ethtool"
            }
        }
    },
    "runner": {
        "name": "roundrobin"
    }
}
[root@servera ~]# 


此角色無更改runner的功能,繼續更改playbook

[root@servera ~]# teamdctl team0 config dump
{
    "device": "team0",
    "mcast_rejoin": {
        "count": 1
    },
    "notify_peers": {
        "count": 1
    },
    "ports": {
        "eth1": {
            "link_watch": {
                "name": "ethtool"
            }
        },
        "eth2": {
            "link_watch": {
                "name": "ethtool"
            }
        }
    },
    "runner": {
        "name": "activebackup"
    }
}
[root@servera ~]# 

成功

但是這樣無法體現冪等性:最後三條 command 每次執行都會重複跑,沒有意義。因此需要增加判斷條件

第一個is not defined 首先判斷這個介面是否存在,不存在執行roles
第二個not in 判斷這個是否有activebackup 有則改,無則跳過

反覆執行不會有多餘的操作

bond比team更適應交換機

管理DNS

DNS的層級結構
樹狀結構
.代表根域-->每個域都有對應的DNS伺服器:域名->IP
根域伺服器: 13 個 (IPv4 位址)
根域下面就是二級子域 .com .cn .net .edu .gov 域名
舉個例子
lab.example.com(三級)是example.com(二級)的子域
example.com是.com(一級)的子域

fqdn:完全合格名稱 --> ip (能被dns解析)
主機名得與fqdn區分

DNS伺服器到底儲存了什麼內容

1: DNS伺服器:到底儲存了什麼內容,DNS的工作原理

lab.example.com<域名> DNSserver  Servera

1>  授權的子域,以及子域的DNS服務

​     ocp4.lab.example.com<域名>是lab.example.com的子域

​     master01.ocp4.lab.example.com  <serverb.lab.example >

​     你必須在 lab.example.com 的 DNS 伺服器上設定:子域 ocp4.lab.example.com 的 DNS 伺服器是 serverb.lab.example.com.(也就是把子域委派給它)

也就是上級域,必須要有下級域名的DNS伺服器



2>  該域下所有 FQDN 的解析記錄,這個檔案也稱為區域組態檔

servera.lab.example.com 172.25.250.10

serverb.lab.example.com 172.25.250.11


3> 根域伺服器的IP地址

DNS解析過程分為兩種: 一種是遞迴查詢,另一種是迭代查詢

這是在沒有DNS快取伺服器的情況下,去找根域。很麻煩


有快取伺服器的情況下就不需要找根域,更有效率

實驗:通過 bind 實現正向、反向、轉發、主從,以及各種資源記錄 (未完結)

1>  安裝軟體包: serverb
[root@serverb ~]# yum install -y bind

2> 修改組態檔
[root@serverb ~]# vim /etc/named.conf 組態檔路徑
// 代表註釋 (named.conf 也接受 # 與 /* */ 作為註釋)
options {
       // listen-on port 53 { 127.0.0.1; };監聽的埠是53:
        DNS 同時監聽 UDP 53 與 TCP 53:UDP 53 用於一般查詢;TCP 53 用於主從同步(區域傳送),以及回應過大被截斷時的重試查詢
         listen-on port 53 { 172.25.250.11;127.0.0.1; };
        directory       "/var/named"; 類似於定義了一個根目錄,資料檔案都放在這裡
        dump-file       "/var/named/data/cache_dump.db";備份檔案
        statistics-file "/var/named/data/named_stats.txt"; 統計
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
      //  allow-query     { localhost; }; 允許誰來查尋
          allow-query     { 172.25.250.0/24; };
          recursion yes; 是否允許遞迴查詢。如果你的 DNS 服務僅僅解析自己域內的 FQDN,則不需要遞迴(設為 no);如果需要替用戶端解析其他域的 FQDN 才設為 yes。開啟遞迴時只應對受信任的用戶端開放(這裡由上面的 allow-query 限制在 172.25.250.0/24;也可以另外用 allow-recursion 限制),對公網開放遞迴會變成可被濫用的開放解析器
            dnssec-enable no;
           dnssec-validation no;   是否驗證回應中的 DNSSEC 簽章;設為 no 表示不檢查簽章,只適合隔離的實驗環境,正式環境應保留驗證
           
logging {
        channel default_debug {
                file "data/named.run";->/var/named/data/named.run
                severity dynamic;    # 紀錄檔等級(上一行的 file 才是紀錄檔路徑)
        };
};

3> 設定 zone 區域宣告:指定該域內所有資源記錄(FQDN-->ip)所在的檔案    (重點:fqdn 的對應關係)
分為正向解析區域組態檔,反向解析區域組態檔
正向區域組態檔:

zone "." IN {
        type hint;
        file "named.ca";
};
根域地址


zone "example.com" IN {
      type  master ;  
      file "example.com";  該域 example.com 的區域組態檔在 /var/named/example.com(注意這行結尾要有分號)
};


4> 準備這個區域組態檔
[root@serverb ~]# cp /var/named/named.empty /var/named/example.com
[root@serverb ~]# chown root:named  /var/named/example.com 屬組必須是 named 群組,named 程序才能讀取這個檔案
[root@serverb ~]# chmod 640 /var/named/example.com
[root@serverb ~]# ll -lZ /var/named/example.com
-rw-r-----. 1 root named unconfined_u:object_r:named_zone_t:s0 152 Sep  3 19:40 /var/named/example.com


[root@serverb ~]# vim /var/named/example.com
$TTL 3H   ; 快取時間(區域檔內的註釋要用 ; 而不是 #)。@ 代表本域(example.com);SOA 記錄表示此域名的權威解析伺服器;從域名到 ip 的記錄稱為 A 記錄;SOA 後面接管理者郵箱,郵箱中的 @ 要寫成 . (所以 root 後面不能是 @)
@       IN SOA  serverb.example.com. root.serverb.example.com. (
                                        0       ; serial     [改了區域檔後把這個序號 +1,從伺服器才會同步]
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@      IN NS  serverb.example.com.
servera    IN   A  172.25.250.10
serverb    IN   A  172.25.250.11
serverc    IN   A  172.25.250.12
serverd    IN   A  172.25.250.13
kevin   IN CNAME   serverc


5>啟動服務,開放防火牆
[root@serverb ~]# systemctl enable  --now  named.service
[root@serverb ~]#
[root@serverb ~]# firewall-cmd --permanent  --add-port=53/tcp
success
[root@serverb ~]# firewall-cmd --permanent  --add-port=53/udp
success
[root@serverb ~]# firewall-cmd --reload

6> 登入servera 
[root@servera ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.example.com example.com
nameserver 172.25.250.11

[root@servera ~]# ping kevin
PING serverc.example.com (172.25.250.12) 56(84) bytes of data.
64 bytes from serverc.lab.example.com (172.25.250.12): icmp_seq=1 ttl=64 time=0.728 ms
64 bytes from serverc.lab.example.com (172.25.250.12): icmp_seq=2 ttl=64 time=0.733 ms
^C
--- serverc.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 32ms
rtt min/avg/max/mdev = 0.728/0.730/0.733/0.027 ms
[root@servera ~]# ping serverc
PING serverc.lab.example.com (172.25.250.12) 56(84) bytes of data.
64 bytes from serverc.lab.example.com (172.25.250.12): icmp_seq=1 ttl=64 time=1.71 ms
^C
--- serverc.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.709/1.709/1.709/0.000 ms
[root@servera ~]# ping serverd
PING serverd.lab.example.com (172.25.250.13) 56(84) bytes of data.
64 bytes from serverd.lab.example.com (172.25.250.13): icmp_seq=1 ttl=64 time=3.95 ms
64 bytes from serverd.lab.example.com (172.25.250.13): icmp_seq=2 ttl=64 time=1.16 ms
^C
--- serverd.lab.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 1.163/2.557/3.952/1.395 ms