FreeBSD 上的高可用 DHCP 服务器
作者:𝚟𝚎𝚛𝚖𝚊𝚍𝚎𝚗
2018/08
今天我想分享在 FreeBSD 系统上搭建高可用 DHCP 服务器的方法,但在其他 UNIX 和类 UNIX 系统上也应该一样简单。我将在这里使用最显而易见的选择——Internet Systems Consortium 的实现——ISC DHCP server——它也可以在 FreeBSD Ports 和软件包中获得。
因为一些时间的推进,ISC 正在开发一款新的 DHCP 服务器——Kea——他们打算最终在大多数服务器实现中用它替代 ISC DHCP。他们也建议新的实现者考虑使用 Kea 而不是 ISC DHCP,仅在 Kea 无法满足需求时才实现 ISC DHCP。例如,Kea 当前不包含客户端和中继。也许我以后会对这篇文章进行更新或者单独再写一篇文章。
同时 Kea 在一个月前刚拥有了高可用模式,因此如果我更早写这篇文章,那么这样的设置在 Kea 上将不可行。这也显示了 Kea 实现是多么年轻,所以目前我会坚持使用 ISC DHCP server,并在后续“观察” Kea 的发展。
架构
下面是我们的 ISC DHCP 设置的 POOR MAN’S ASCII 架构图 图。
+-------------+ +-------------+
| {primary} | | {secondary} |
| DHCPs1 | ==== HA ==== | DHCPs2 |
| 10.0.10.251 | | 10.0.10.252 |
+-------------+ +-------------+
\ /
+------------------------------------------+
| ADDRESS POOL 10.0.10.x/24 ADDRESS POOL |
+------------------------------------------+
\ /
+----------------+
| {DHCP CLIENTS} |
+----------------+每个 DHCP 服务器节点的设置都非常简单。它的 FreeBSD 11.2-RELEASE 安装在 4 GB 的 GPT 分区上,/ 文件系统是 UFS,如下所示只使用了 666 MB。
root@DHCPs1:/ # uname -v
FreeBSD 11.2-RELEASE #0 r335510: Fri Jun 22 04:32:14 UTC 2018 [email protected]:/usr/obj/usr/src/sys/GENERIC
root@DHCPs1:/ # gpart show
=> 40 8388528 ada0 GPT (4.0G)
40 1024 1 freebsd-boot (512K)
1064 8386560 2 freebsd-ufs (4.0G)
8387624 944 - free - (472K)
root@DHCPs1:/ # du -smc * | sort -n
0 sys
1 COPYRIGHT
1 dev
1 entropy
1 libexec
1 media
1 mnt
1 net
1 proc
1 root
1 tmp
2 bin
4 etc
7 sbin
8 var
10 rescue
12 lib
128 boot
499 usr
666 total对于少量客户端来说 128 MB 的内存已经足够。仍然有 32 MB 的空闲内存,以及 32 MB 的 Inactive 和 Buffered 内存可以被交换出去。更不用说每个 getty 进程大约占用 2 MB 内存,而你只需要其中 1 个,而不是 8 个。换言之,即使只有 64 MB 的内存,你也能跑起来。
root@DHCPs1:~ # top -b -o res
last pid: 15205; load averages: 0.13, 0.25, 0.29 up 0+07:39:11 20:03:48
16 processes: 2 running, 14 sleeping
Mem: 1688K Active, 30M Inact, 26M Wired, 3800K Buf, 32M Free
Swap:
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
38897 dhcpd 1 20 0 16424K 10724K select 0:00 0.00% dhcpd
30199 root 1 20 0 13160K 8036K RUN 0:00 0.00% sshd
15106 root 1 28 0 12848K 7136K select 0:00 0.00% sshd
53100 root 1 20 0 9180K 5040K select 0:02 0.00% devd
31079 root 1 20 0 7412K 3640K pause 0:00 0.00% csh
15205 root 1 20 0 7916K 3060K RUN 0:00 0.00% top
15960 root 1 20 0 6464K 2480K nanslp 0:00 0.00% cron
69084 root 1 20 0 6412K 2364K select 0:01 0.00% syslogd
28412 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
28188 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
28504 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
28972 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
29736 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
29080 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
30106 root 1 52 0 6408K 2124K ttyin 0:00 0.00% getty
29392 root 1 52 0 6408K 2124K ttyin 0:00 0.00% gettyDHCP 节点 DHCPs1 和 DHCPs2 的 /etc/rc.conf 文件是相同的(除了主机名和地址不同)。
``sh root@DHCPs1:/ # cat /etc/rc.conf hostname=DHCPs1 ifconfig_em0="inet 10.0.10.251/24 up" sshd_enable=YES sendmail_enable=NONE clear_tmp_enable=YES syslogd_flags="-ss" dumpdev=NO
`/etc/sysctl.conf` 和 `/boot/loader.conf` 文件不需要修改。
现在你需要安装 ISC DHCP 服务器,由于当前版本是 4.4.x,软件包名相应为 `isc-dhcp44-server`,我们使用命令 `pkg(8)` 来安装。
```sh
root@DHCPs1:/ # pkg update -f -y
The package management tool is not yet installed on your system.
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64//quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[nextcloud] Installing pkg-1.10.5...
[nextcloud] Extracting pkg-1.10.5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[nextcloud] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[nextcloud] Fetching packagesite.txz: 100% 6 MiB 530.8kB/s 00:12
Processing entries: 100%
FreeBSD repository update completed. 31134 packages processed.
All repositories are up to date.
root@DHCPs1:/ # echo ?
0
root@DHCPs1:/ #现在让我们安装软件包 isc-dhcp44-server。
root@DHCPs1:/ # pkg install isc-dhcp44-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
isc-dhcp44-server: 4.4.1_3 [FreeBSD]
Number of packages to be installed: 1
The process will require 6 MiB more space.
Proceed with this action? [y/N]: y
[1/1] Installing isc-dhcp44-server-4.4.1_3...
===> Creating groups.
Creating group 'dhcpd' with gid '136'.
===> Creating users
Creating user 'dhcpd' with uid '136'.
[1/1] Extracting isc-dhcp44-server-4.4.1_3: 100%
Message from isc-dhcp44-server-4.4.1_3:
**** To setup dhcpd, please edit /usr/local/etc/dhcpd.conf.
**** This port installs the dhcp daemon, but doesn't invoke dhcpd by default.
If you want to invoke dhcpd at startup, add these lines to /etc/rc.conf:
dhcpd_enable="YES" # dhcpd enabled?
dhcpd_flags="-q" # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf" # configuration file
dhcpd_ifaces="" # ethernet interface(s)
dhcpd_withumask="022" # file creation mask
**** If compiled with paranoia support (the default), the following rc.conf
options are also supported:
dhcpd_chuser_enable="YES" # runs w/o privileges?
dhcpd_withuser="dhcpd" # user name to run as
dhcpd_withgroup="dhcpd" # group name to run as
dhcpd_chroot_enable="YES" # runs chrooted?
dhcpd_devfs_enable="YES" # use devfs if available?
dhcpd_rootdir="/var/db/dhcpd" # directory to run in
dhcpd_includedir="" # directory with config-
files to include
**** WARNING: never edit the chrooted or jailed dhcpd.conf file but
/usr/local/etc/dhcpd.conf instead which is always copied where
needed upon startup.现在更新 pkg(8) 仓库数据,并在 DHCPs2 节点上安装 isc-dhcp44-server。
配置使用单一网络段 10.0.10.0/24,为客户端分配最后一段在 10-250 的地址。参数 split 128 会将负载在 DHCP 服务器节点之间平均分配。由于这只是示例,我们将使用 1.1.1.1 和 9.9.9.9 作为 DNS 服务器,以及 domain.com 作为域名。需要说明的是,仅在 primary 节点(在我们的例子中为 DHCPs1)上设置参数 split 128。正如 man dhcpd.conf 页面所建议的,我们将 “为两个服务器使用相同的主配置文件,并有一个单独的文件包含对等声明以及主文件。”,这样做 “有助于避免配置不一致。”
root@DHCPs1:/ # cat /usr/local/etc/dhcpd.conf
# CORE
failover peer "ha-dhcp" {
primary;
address 10.0.10.251;
port 678;
peer address 10.0.10.252;
peer port 678;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
split 128;
load balance max seconds 3;
}
include "/usr/local/etc/dhcpd.conf.SHARED";root@DHCPs1:/ # cat /usr/local/etc/dhcpd.conf.SHARED
# CLIENTS
subnet 10.0.10.0 netmask 255.255.255.0 {
default-lease-time 604800;
max-lease-time 604800;
option routers 10.0.10.254;
option broadcast-address 10.0.10.255;
option subnet-mask 255.255.255.0;
option domain-search "domain.com";
option domain-name-servers 1.1.1.1,9.9.9.9;
pool {
failover peer "ha-dhcp";
range 10.0.10.10 10.0.10.250;
}
}……secondary 节点
root@DHCPs2:~ # cat /usr/local/etc/dhcpd.conf
# CORE
failover peer "ha-dhcp" {
secondary;
address 10.0.10.252;
port 678;
peer address 10.0.10.251;
peer port 678;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
load balance max seconds 3;
}
include "/usr/local/etc/dhcpd.conf.SHARED";root@DHCPs2:/ # cat /usr/local/etc/dhcpd.conf.SHARED
# CLIENTS
subnet 10.0.10.0 netmask 255.255.255.0 {
default-lease-time 604800;
max-lease-time 604800;
option routers 10.0.10.254;
option broadcast-address 10.0.10.255;
option subnet-mask 255.255.255.0;
option domain-search "domain.com";
option domain-name-servers 1.1.1.1,9.9.9.9;
pool {
failover peer "ha-dhcp";
range 10.0.10.10 10.0.10.250;
}
}/usr/local/etc/dhcpd.conf.SHARED 文件在两个节点上是相同的。
现在让我们在两个节点上启动 DHCP 服务器。
root@DHCPs1:~ # sysrc dhcpd_enable=YES
dhcpd_enable: -> YES
root@DHCPs1:~ # service isc-dhcpd start
Starting dhcpd.
Internet Systems Consortium DHCP Server 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /usr/local/etc/dhcpd.conf
Database file: /var/db/dhcpd/dhcpd.leases
PID file: /var/run/dhcpd/dhcpd.pid
Wrote 122 leases to leases file.
Listening on BPF/em0/08:00:27:3c:ab:c8/10.0.10.0/24
Sending on BPF/em0/08:00:27:3c:ab:c8/10.0.10.0/24
Sending on Socket/fallback/fallback-net
failover peer ha-dhcp: I move from normal to startup……在 secondary 节点上也是一样。
root@DHCPs2:~ # sysrc dhcpd_enable=YES
dhcpd_enable: -> YES
root@DHCPs2:~ # service isc-dhcpd onestart
Starting dhcpd.
Internet Systems Consortium DHCP Server 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /usr/local/etc/dhcpd.conf
Database file: /var/db/dhcpd/dhcpd.leases
PID file: /var/run/dhcpd/dhcpd.pid
Wrote 122 leases to leases file.
Listening on BPF/em0/08:00:27:de:9b:3d/10.0.10.0/24
Sending on BPF/em0/08:00:27:de:9b:3d/10.0.10.0/24
Sending on Socket/fallback/fallback-net
failover peer ha-dhcp: I move from communications-interrupted to startup现在,由于高可用 DHCP 服务器的两个节点都已启动,让我们在 DHCP 客户端——在我们的示例中为 DHCPc——上尝试获取 DHCP 租约。
root@DHCPc:~ # dhclient em0
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPACK from 10.0.10.251
bound to 10.0.10.131 -- renewal in 302119 seconds.root@DHCPc:~ # ifconfig em0
em0: flags=8843 metric 0 mtu 1500
options=9b
ether 08:00:27:d9:45:96
hwaddr 08:00:27:d9:45:96
inet 10.0.10.131 netmask 0xffffff00 broadcast 10.0.10.255
nd6 options=29
media: Ethernet autoselect (1000baseT )
status: active我们可以看到 DHCP 客户端 DHCPc 获得了 10.0.10.131 的地址。
当然,我们可以在 /usr/local/etc/dhcpd.conf.SHARED 配置文件中使用 host 选项为它设置固定地址,如下所示。
所需的“额外配置”如下。
group
{
host DHCPc {
hardware ethernet 08:00:27:d9:45:96;
fixed-address 10.0.10.9;
}
}需要在两个节点的 /usr/local/etc/dhcpd.conf.SHARED 配置文件中都添加,新的共享配置文件如下所示。
root@DHCPs1:~ # cat /usr/local/etc/dhcpd.conf.SHARED
# CLIENTS
subnet 10.0.10.0 netmask 255.255.255.0 {
default-lease-time 604800;
max-lease-time 604800;
option routers 10.0.10.254;
option broadcast-address 10.0.10.255;
option subnet-mask 255.255.255.0;
option domain-search "domain.com";
option domain-name-servers 1.1.1.1,9.9.9.9;
group
{
host DHCPc {
hardware ethernet 08:00:27:d9:45:96;
fixed-address 10.0.10.9;
}
}
pool {
failover peer "ha-dhcp";
range 10.0.10.10 10.0.10.250;
}
}现在将 /usr/local/etc/dhcpd.conf.SHARED 文件复制到第二个节点。
让我们再次尝试从同一 DHCP 客户端获取地址。
root@DHCPs1:~ # cat /usr/local/etc/dhcpd.conf.SHARED
# CLIENTS
subnet 10.0.10.0 netmask 255.255.255.0 {
default-lease-time 604800;
max-lease-time 604800;
option routers 10.0.10.254;
option broadcast-address 10.0.10.255;
option subnet-mask 255.255.255.0;
option domain-search "domain.com";
option domain-name-servers 1.1.1.1,9.9.9.9;
group
{
host DHCPc {
hardware ethernet 08:00:27:d9:45:96;
fixed-address 10.0.10.9;
}
}
pool {
failover peer "ha-dhcp";
range 10.0.10.10 10.0.10.250;
}
}现在将 /usr/local/etc/dhcpd.conf.SHARED 文件复制到第二个节点。
让我们再次尝试从同一 DHCP 客户端获取地址。
root@DHCPc:~ # pkill dhclient
root@DHCPc:~ # service netif restart
root@DHCPc:~ # dhclient em0
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPACK from 10.0.10.252
bound to 10.0.10.131 -- renewal in 1665 seconds.
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPNAK from 10.0.10.252
DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 3
DHCPOFFER from 10.0.10.251
DHCPOFFER from 10.0.10.252
DHCPOFFER already seen.
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPACK from 10.0.10.252
bound to 10.0.10.9 -- renewal in 302400 seconds.root@DHCPc:~ # ifconfig em0
em0: flags=8843 metric 0 mtu 1500
options=9b
ether 08:00:27:d9:45:96
hwaddr 08:00:27:d9:45:96
inet 10.0.10.9 netmask 0xffffff00 broadcast 10.0.10.255
nd6 options=29
media: Ethernet autoselect (1000baseT )
status: active现在我们已经获得了固定地址 10.0.10.9。
你现在可以在 /etc/rc.conf 文件中尝试修改以下值:
dhcpd_flagsdhcpd_ifacesdhcpd_withumaskdhcpd_chuser_enabledhcpd_withuserdhcpd_withgroupdhcpd_chroot_enabledhcpd_devfs_enabledhcpd_rootdirdhcpd_includedirnclude
……以及 man dhcpd.conf 页面上所有其他可能的选项 🙂
最后更新于
这有帮助吗?