双网卡绑定
绑定多张网卡成为逻辑口,从而实现链路冗余,以及数据流量的负载均衡
1.创建team口
[root@servera ~]# nmcli connection add type team con-name team0 ifname team0 team.runner activebackup ipv4.method manual ipv4.address 192.168.0.200/24 Connection 'team0' (3eb2f94e-3653-4aa2-a3f1-0826a02b26d1) successfully added. 创建了链接 [root@servera ~]# nmcli connection show NAME UUID TYPE DEVICE team0 e4a115a2-5444-4d16-975b-5d1fc62a2503 team team0 创建了链接配置文件 [root@servera ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0 TEAM_CONFIG="{ "runner": { "name": "activebackup" } }" PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=dhcp DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=team0 UUID=e4a115a2-5444-4d16-975b-5d1fc62a2503 DEVICE=team0 ONBOOT=yes DEVICETYPE=Team [root@servera ~]# 创建了team0设备 [root@servera ~]# nmcli device DEVICE TYPE STATE CONNECTION eth0 ethernet connected Wired connection 1 eth1 ethernet connected eth1 team0 team [connecting (getting IP configuration)] team0 team逻辑口一直无法获取dhcp,那么他会自动消失 如果是manual则无视此问题 也可以使用modify修改 team0 2.把物理网卡加入team中
建议删除网卡关联的旧链接 [root@servera ~]# nmcli connection delete 'Wired connection 2' Connection 'Wired connection 2' (8f9a19e2-d15a-3772-b71d-320159e6753d) successfully deleted. [root@servera ~]# nmcli connection delete 'eth1' Connection 'eth1' (1e60e42a-10e8-4a27-ba92-c5698ae322c1) successfully deleted. [root@servera ~]# 添加新链接,绑定逻辑接口 [root@servera ~]# nmcli connection add type ethernet slave-type team con-name eth1 ifname eth1 master team0 Connection 'eth1' (17ef3f96-7b48-42a4-a0bd-11341eaec928) successfully added. [root@servera ~]# nmcli connection add type ethernet slave-type team con-name eth2 ifname eth2 master team0 Connection 'eth2' (18fc1852-1b11-4f98-89a1-fb898f5e6bb2) successfully added. [root@servera ~]# [root@servera ~]# nmcli connection show NAME UUID TYPE DEVICE mqy bffa0efd-a0c4-40c6-ad27-ff42ccd5dc1c ethernet eth1 team0 e4a115a2-5444-4d16-975b-5d1fc62a2503 team team0 Wired connection 1 4ae4bb9e-8f2d-3774-95f8-868d74edcc3c ethernet eth0 eth2 18fc1852-1b11-4f98-89a1-fb898f5e6bb2 ethernet eth2 eth1 17ef3f96-7b48-42a4-a0bd-11341eaec928 ethernet -- [root@servera ~]# nmcli device DEVICE TYPE STATE CONNECTION eth0 ethernet connected Wired connection 1 team0 team connected team0 eth1 ethernet connected eth1 eth2 ethernet connected eth2 如果team0无ip地址,则使用nmcli connection down 然后 up 7: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 52:54:00:02:fa:0a brd ff:ff:ff:ff:ff:ff inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute team0 valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel [master team0 state UP] group default qlen 1000 link/ether 52:54:00:02:fa:0a brd ff:ff:ff:ff:ff:ff 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel [master team0 state UP] group default qlen 1000 需要注意几个点
物理网卡不需要配置ip地址,所有的ip地址都在team口配置
只有当物理接口存在up的情况下team口才会up
3.查看team配置网络信息
查看team信息
[root@servera ~]# teamdctl team0 state setup: runner: activebackup ports: eth1 link watches: link summary: up instance[link_watch_0]: name: ethtool 使用ethtool来监控 link: up down count: 0 eth2 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up down count: 0 runner: active port: eth1 查看配置信息
[root@servera ~]# teamdctl team0 config dump { "device": "team0", "mcast_rejoin": { "count": 1 }, "notify_peers": { "count": 1 }, "ports": { "eth1": { "link_watch": { "name": "ethtool" } }, "eth2": { "link_watch": { "name": "ethtool" } } }, "runner": { "name": "activebackup" } } [root@servera ~]# team0 config dump noport#不要接口信息 直接查看接口状态 [root@servera ~]# teamnl team0 ports 4: eth2: up 4294967295Mbit FD 3: eth1: up 4294967295Mbit FD team口的网卡配置文件
[root@servera ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0 TEAM_CONFIG="{ "runner": { "name": "activebackup" } }" PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=none IPADDR=192.168.0.200 PREFIX=24 DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=team0 UUID=3eb2f94e-3653-4aa2-a3f1-0826a02b26d1 DEVICE=team0 ONBOOT=yes DEVICETYPE=Team [root@servera ~]# [root@servera ~]# teamdctl team0 config dump > t1.json [root@servera ~]# vi t1.json "runner": { "name": "roundrobin" } } [root@servera ~]# nmcli connection modify team0 team.config t1.json [root@servera ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0 TEAM_CONFIG=$'{n "device": "team0",n "mcast_rejoin": {n "count": 1n },n "notify_peers": {n "count": 1n },n "ports": {n "eth1": {n "link_watch": {n "name": "ethtool"n }n },n "eth2": {n "link_watch": {n "name": "ethtool"n }n }n },n "runner": {n "name": "roundrobin"n }n}n' PROXY_METHOD=none 第二种改法
[root@servera ~]# nmcli connection modify team0 team.runner activebackup [root@servera ~]# nmcli connection up team0 Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/27) [root@servera ~]# [root@servera ~]# teamdctl team0 config dump { "device": "team0", "mcast_rejoin": { "count": 1 }, "notify_peers": { "count": 1 }, "ports": { "eth1": { "link_watch": { "name": "ethtool" } }, "eth2": { "link_watch": { "name": "ethtool" } } }, "runner": { "name": "activebackup" } } 无论如何都得 nmcli connection up team0 来打开team0,去读取配置文件
利用ansible
使用系统role提供正确的变量,就可以完成任务
[student@workstation ~]$ lab netlink-automation start Starting netlink-automation exercise. · Create Ansible project directory............................ SUCCESS · Download Ansible configuration.............................. SUCCESS · Download Ansible inventory.................................. SUCCESS · Configuring eth1 network interface on serverd............... SUCCESS [student@workstation ~]$ 肯定需要这个角色包 [student@workstation ~]$ sudo yum -y install rhel-system-roles 准备剧本 [student@workstation ~]$ ll total 0 drwxr-xr-x. 2 student student 42 Sep 3 22:10 netlink-automation drwxr-xr-x. 2 student student 42 Aug 29 08:02 servicemgmt-automation [student@workstation ~]$ cd netlink-automation/ [student@workstation netlink-automation]$ ls ansible.cfg inventory [student@workstation netlink-automation]$ ansible-galaxy list # /usr/share/ansible/roles - linux-system-roles.kdump, (unknown version) - linux-system-roles.network, (unknown version) - linux-system-roles.postfix, (unknown version) - linux-system-roles.selinux, (unknown version) - linux-system-roles.storage, (unknown version) - linux-system-roles.timesync, (unknown version)
[root@servera ~]# nmcli device DEVICE TYPE STATE CONNECTION eth0 ethernet connected Wired connection 1 team0 team connected team0 eth1 ethernet connected eth1 eth2 ethernet connected eth2 [root@servera ~]# teamdctl team0 config dump { "device": "team0", "ports": { "eth1": { "link_watch": { "name": "ethtool" } }, "eth2": { "link_watch": { "name": "ethtool" } } }, "runner": { "name": "roundrobin" } } [root@servera ~]# 此角色无更改runner的功能,继续更改playbook
[root@servera ~]# teamdctl team0 config dump { "device": "team0", "mcast_rejoin": { "count": 1 }, "notify_peers": { "count": 1 }, "ports": { "eth1": { "link_watch": { "name": "ethtool" } }, "eth2": { "link_watch": { "name": "ethtool" } } }, "runner": { "name": "activebackup" } } [root@servera ~]# 成功
但是这无法体现幂等性,最后三条command总会重复执行,没有意义。增加判断条件
第一个is not defined 首先判断这个接口是否存在,不存在执行roles
第二个not in 判断这个是否有activebackup 有则改,无则跳过
反复执行不会有多余的操作
bond比team更适应交换机
管理DNS
DNS的层级结构
树状结构
.代表根域-->每个域都有对应的DNS服务器:域名->IP
根域服务器: 13台 (iPv4)
根域下面就是二级子域 .com .cn .net .edu .gov 域名
举个例子
lab.example.com(三级)是example.com(二级)的子域
example.com是.com(一级)的子域
fqdn:完全合格名称 --> ip (能被dns解析)
主机名得与fqdn区分
DNS服务器到底保存了什么内容
1: DNS服务器:到底保存了什么内容,DNS的工作原理 lab.example.com<域名> DNSserver Servera 1> 授权的子域,以及子域的DNS服务 ocp4.lab.example.com<域名>是lab.example.com的子域 master01.ocp4.lab.example.com <serverb.lab.example > 你必须在lab.example.com 的DNS服务器配置ocp4.lab.example.com 的DNS服务器在serverb.lab.example.com. 也就是上级域,必须要有下级域名的DNS服务器 2> 该域下所有的FQDN的解析也成为区域配置文件 servera.lab.example.com 172.25.250.10 serverb.lab.example.com 172.25.250.11 3> 根域服务器的IP地址 DNS解析过程分为: 一个是递归
这是在没有DNS缓存服务器的情况下,去找根域。很麻烦
有缓存服务器的情况下就不需要找根域,更有效率
实验:通过bind实现正向,方向,转发,主从,各种资源记录 (未完结)
1> 安装软件包: serverb [root@serverb ~]# yum install -y bind 2> 修改配置文件 [root@serverb ~]# vim /etc/named.conf 配置文件路径 //代表注释 options { // listen-on port 53 { 127.0.0.1; };监听的端口是53: DNS既监听UDP53还有TCP53,TCP53端口用于主从同步用的UDP53用于查询的 listen-on port 53 { 172.25.250.11;127.0.0.1; }; directory "/var/named"; 类似于定于了一个/目录,数据文件都放哪里 dump-file "/var/named/data/cache_dump.db";备份文件 statistics-file "/var/named/data/named_stats.txt"; 统计 memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; 允许谁来查寻 allow-query { 172.25.250.0/24; }; recursion yes; 是否允许递归查询。如果你的DNS服务仅仅是解析自己域内FQDN,则不需要递归,如果需要解析其他域内的FQDN则需要配置递归,设置为YES dnssec-enable no; dnssec-validation no; 有关安全的 秘钥之类 logging { channel default_debug { file "data/named.run";->/var/named/data/named.run severity dynamic; #日志路径 }; }; 3> 配置区域配置文件zone...区域配置文件,指定的是该域内所有资源解析的文件FQND-->ip (重点,fqdn的对应关系) 分为正向解析区域配置文件,反向解析区域配置文件 正向区域配置文件: zone "." IN { type hint; file "named.ca"; }; 根域地址 zone "example.com" IN { type master ; file "example.com" 该域:example.com的区域配置文件在/var/named/example.com }; 4> 准备这个区域配置文件 [root@serverb ~]# cp /var/named/named.empty /var/named/example.com [root@serverb ~]# chown root:named /var/named/example.com 属组一定要是这个named这个组 [root@serverb ~]# chmod 640 /var/named/example.com [root@serverb ~]# ll -lZ /var/named/example.com -rw-r-----. 1 root named unconfined_u:object_r:named_zone_t:s0 152 Sep 3 19:40 /var/named/example.com [root@serverb ~]# vim /var/named/example.com $TTL 3H # 缓存时间 # @代表本域(example.com) # SOA 记录表示此域名的权威解析服务器地址 从域名到ip记录称之为A记录 soa后面是管理者邮箱 root后面不能是@ @ IN SOA serverb.example.com. root.serverb.example.com. ( 0 ; serial [改了配置文件这个数字+1 就可以同步] 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS serverb.example.com. servera IN A 172.25.250.10 serverb IN A 172.25.250.11 serverc IN A 172.25.250.12 serverd IN A 172.25.250.13 kevin IN CNAME serverc 5>启动服务,开放防火墙 [root@serverb ~]# systemctl enable --now named.service [root@serverb ~]# [root@serverb ~]# firewall-cmd --permanent --add-port=53/tcp success [root@serverb ~]# firewall-cmd --permanent --add-port=53/udp success [root@serverb ~]# firewall-cmd --reload 6> 登录servera [root@servera ~]# cat /etc/resolv.conf # Generated by NetworkManager search lab.example.com example.com nameserver 172.25.250.11 [root@servera ~]# ping kevin PING serverc.example.com (172.25.250.12) 56(84) bytes of data. 64 bytes from serverc.lab.example.com (172.25.250.12): icmp_seq=1 ttl=64 time=0.728 ms 64 bytes from serverc.lab.example.com (172.25.250.12): icmp_seq=2 ttl=64 time=0.733 ms ^C --- serverc.example.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 32ms rtt min/avg/max/mdev = 0.728/0.730/0.733/0.027 ms [root@servera ~]# ping serverc PING serverc.lab.example.com (172.25.250.12) 56(84) bytes of data. 64 bytes from serverc.lab.example.com (172.25.250.12): icmp_seq=1 ttl=64 time=1.71 ms ^C --- serverc.lab.example.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.709/1.709/1.709/0.000 ms [root@servera ~]# ping serverd PING serverd.lab.example.com (172.25.250.13) 56(84) bytes of data. 64 bytes from serverd.lab.example.com (172.25.250.13): icmp_seq=1 ttl=64 time=3.95 ms 64 bytes from serverd.lab.example.com (172.25.250.13): icmp_seq=2 ttl=64 time=1.16 ms ^C --- serverd.lab.example.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 3ms rtt min/avg/max/mdev = 1.163/2.557/3.952/1.395 ms 
