1. High-availability cluster: keepalived
Problem it solves: when the LVS director itself goes down, the architecture stays available and clients can still connect to the servers
1.1 Cluster types
LB: Load Balancing
LVS/HAProxy/nginx (http/upstream, stream/upstream)
HA: High Availability cluster
databases, Redis
SPoF: Single Point of Failure; the aim is to eliminate single points of failure
HPC: High Performance Computing cluster
1.2 System availability
SLA: Service-Level Agreement (an agreement between the service provider and the customer on the quality, level and performance of the service)
A = MTBF / (MTBF+MTTR)
For example, 99.95%: (60×24×30)×(1-0.9995) = 21.6 minutes # downtime is normally counted per month
Targets: 99.9%, 99.99%, 99.999%, 99.9999%
The larger the result, the more available the system
1.3 Achieving high availability
Approach for raising system availability: reduce MTTR, the Mean Time To Repair; the solution is to build in redundancy
- active/passive (master/backup)
- active/active (dual master)
- active --> HEARTBEAT --> passive
- active <--> HEARTBEAT <--> active
1.4 VRRP
Idea: create a virtual gateway and have the end hosts connect to it. The real routers compete for the identity of this virtual gateway; the winner becomes the master gateway and the loser becomes the backup. When the master gateway fails, the backup is promoted to master, which provides the failover effect.
2. Deploying keepalived
A software implementation of the VRRP protocol, originally designed to provide high availability for the ipvs service
Also supports services such as nginx and haproxy
Official site: http://keepalived.org/
2.1 Environment preparation
Four hosts: linux7, one NIC each, NAT mode
KA1:172.25.254.10
KA2:172.25.254.20
realserver1:172.25.254.110
realserver2:172.25.254.120
VIP:172.25.254.100
realserver1
[root@realserver1 ~]# vmset.sh eth0 172.25.254.110 realserver1.timinglee.org
realserver2
[root@realserver2 ~]# vmset.sh eth0 172.25.254.120 realserver.timinglee.org
KA1
[root@ka1 ~]# vmset.sh eth0 172.25.254.10 ka1.timinglee.org
KA2
[root@ka2 ~]# vmset.sh eth0 172.25.254.20 ka2.timinglee.org
ALL
Check the SELinux status
[root@local ~]# getenforce
Disabled
Check the firewall status and confirm that the firewall is off
[root@ka1 ~]# systemctl status firewalld
● firewalld.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
realserver1
Install httpd
[root@realserver1 ~]# yum install httpd -y
Write 172.25.254.110 into the static page
[root@realserver1 ~]# echo 172.25.254.110 > /var/www/html/index.html
Enable it to start at boot
[root@realserver1 ~]# systemctl enable --now httpd
realserver2
Install httpd
[root@realserver2 ~]# yum install httpd -y
Write 172.25.254.120 into the static page
[root@realserver2 ~]# echo 172.25.254.120 > /var/www/html/index.html
Enable it to start at boot
[root@realserver2 ~]# systemctl enable --now httpd
2.2 keepalived configuration
Configuration file: /etc/keepalived/keepalived.conf
Structure of the configuration file
GLOBAL CONFIGURATION
Global definitions: mail settings, router_id, VRRP settings, multicast address, etc.
VRRP CONFIGURATION
VRRP instance(s): defines each VRRP virtual router
LVS CONFIGURATION
Virtual server group(s)
Virtual server(s): the VS and RS of the LVS cluster
KA1
Install keepalived
[root@ka1 ~]# yum install keepalived -y
Global configuration: change the mailbox that receives alert mail
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
notification_email {
1540509690@qq.com
}
notification_email_from keepalived@timinglee.org
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka1.timinglee.org
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
}
Configure VRRP
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 100
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
Enable keepalived at boot
[root@ka1 ~]# systemctl enable --now keepalived.service
Copy the configuration to ka2
[root@ka1 ~]# scp /etc/keepalived/keepalived.conf root@172.25.254.20:/etc/keepalived/keepalived.conf
The authenticity of host '172.25.254.20 (172.25.254.20)' can't be established.
ECDSA key fingerprint is SHA256:E3qE8JvU9z/9Q6iQNWX4FB2C7Of1r+MKoHRNklKH9ow.
ECDSA key fingerprint is MD5:26:47:a1:e9:a2:08:3a:f9:fa:eb:2d:a8:99:11:bf:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.20' (ECDSA) to the list of known hosts.
root@172.25.254.20's password:
keepalived.conf 100% 3552 3.9MB/s 00:00
Test
[root@ka1 ~]# tcpdump -i eth0 -nn host 224.0.0.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:31:10.631725 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
20:31:11.632742 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
KA2
Install keepalived
[root@ka2 ~]# yum install keepalived -y
VRRP instance configuration
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
[root@ka2 ~]# systemctl enable --now keepalived.service
Test
realserver1
Log in to ka1 remotely
[root@realserver1 ~]# ssh -l root 172.25.254.10
The authenticity of host '172.25.254.10 (172.25.254.10)' can't be established.
ECDSA key fingerprint is SHA256:E3qE8JvU9z/9Q6iQNWX4FB2C7Of1r+MKoHRNklKH9ow.
ECDSA key fingerprint is MD5:26:47:a1:e9:a2:08:3a:f9:fa:eb:2d:a8:99:11:bf:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.10' (ECDSA) to the list of known hosts.
root@172.25.254.10's password:
Last login: Sun Aug 11 19:28:30 2024 from 172.25.254.1
From realserver1, log in to ka1 and stop the service to simulate a failure of the keepalived service on ka1
[root@ka1 ~]# systemctl stop keepalived.service
Check on ka1
[root@ka1 ~]# tcpdump -i eth0 -nn host 224.0.0.18
20:32:37.737668 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
20:32:38.129269 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 0, authtype simple, intvl 1s, length 20
20:32:38.817522 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
20:32:39.819082 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
# after ka1 goes down, ka2 takes over seamlessly
From realserver1, restore the keepalived service on ka1
[root@ka1 ~]# systemctl start keepalived.service
Check on ka1
[root@ka1 ~]# tcpdump -i eth0 -nn host 224.0.0.18
20:32:55.827526 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
20:32:56.828071 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
20:32:56.828462 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
20:32:57.829287 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
# because preempt mode is in effect, service returns to ka1
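The captures above show the hand-off in raw form. The following is an added example (not part of the original article) that parses tcpdump lines in exactly this format and reports master changes, prio-0 resignations, a lower-priority node still advertising beside the master (a split-brain sign), and any advertiser that is not an expected peer; the peer list and the sample capture are constructed from the lab addresses.

```shell
#!/bin/bash
# vrrp_watch: summarise VRRPv2 advertisements captured with
#   tcpdump -i eth0 -nn host 224.0.0.18
# Added example for this article (not part of it); the peer list and the
# sample capture are constructed from the lab addresses.

# vrrp_transitions "<expected peer IPs, space separated>" <vrid>
# Reads tcpdump lines on stdin and prints one line per event:
#   MASTER  <ip> prio <n>  a node started advertising as master
#   RESIGN  <ip>           the master advertised prio 0 (shutting down)
#   CONTEND <ip> prio <n>  a lower-priority node advertises while a
#                          higher-priority master is active (split brain)
#   ROGUE   <ip> prio <n>  an advertiser that is not an expected peer
vrrp_transitions() {
    awk -v peers="$1" -v want_vrid="$2" '
        BEGIN {
            n = split(peers, p, " ")
            for (i = 1; i <= n; i++) known[p[i]] = 1
            master = ""; master_prio = 0
        }
        /VRRPv2, Advertisement/ {
            # ts IP <src> > <dst>: VRRPv2, Advertisement, vrid N, prio N, ...
            src = $3
            vrid = $9;  sub(/,$/, "", vrid)
            prio = $11; sub(/,$/, "", prio)
            if (vrid != want_vrid) next
            if (!(src in known)) { print "ROGUE " src " prio " prio; next }
            if (prio + 0 == 0)   { print "RESIGN " src; master = ""; next }
            if (src == master) next
            if (master == "" || prio + 0 >= master_prio + 0) {
                print "MASTER " src " prio " prio
                master = src; master_prio = prio
            } else {
                print "CONTEND " src " prio " prio
            }
        }'
}

# Constructed capture, modelled on the tcpdump output shown above:
# ka1 resigns, ka2 takes over, ka1 returns, ka2 briefly keeps advertising,
# then an unexpected host 172.25.254.99 advertises with prio 254.
sample_capture() {
    cat <<'EOF'
20:32:37.737668 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
20:32:38.129269 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 0, authtype simple, intvl 1s, length 20
20:32:38.817522 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
20:32:39.819082 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
20:32:56.828462 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
20:32:57.829287 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
20:32:58.830001 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
20:33:01.000000 IP 172.25.254.99 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 254, authtype simple, intvl 1s, length 20
20:33:02.000000 IP 172.25.254.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 200, prio 100, authtype simple, intvl 1s, length 20
EOF
}

# Stand-alone usage: a live capture piped in, or the constructed sample.
#   tcpdump -i eth0 -nn -l host 224.0.0.18 | vrrp_transitions "172.25.254.10 172.25.254.20" 100
sample_capture | vrrp_transitions "172.25.254.10 172.25.254.20" 100
```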
2.3 Enabling communication with the VIP in keepalived
Works on linux7; on linux9 it does not
Add this parameter in the global section so that the VIP can be reached
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
notification_email {
1540509690@qq.com
}
notification_email_from keepalived@timinglee.org
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka1.timinglee.org
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
vrrp_iptables
}
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
notification_email {
1540509690@qq.com
}
notification_email_from keepalived@timinglee.org
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka1.timinglee.org
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
vrrp_iptables
}
[root@ka2 ~]# systemctl restart keepalived.service
Test
[root@realserver1 ~]# ping 172.25.254.100
PING 172.25.254.100 (172.25.254.100) 56(84) bytes of data.
64 bytes from 172.25.254.100: icmp_seq=1 ttl=64 time=0.237 ms
64 bytes from 172.25.254.100: icmp_seq=2 ttl=64 time=0.583 ms
Alternative: instead of adding vrrp_iptables, comment out vrrp_strict (and vrrp_iptables) on both nodes
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
notification_email {
1540509690@qq.com
}
notification_email_from keepalived@timinglee.org
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka1.timinglee.org
vrrp_skip_check_adv_addr
#vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
#vrrp_iptables
}
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
notification_email {
1540509690@qq.com
}
notification_email_from keepalived@timinglee.org
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka1.timinglee.org
vrrp_skip_check_adv_addr
#vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
#vrrp_iptables
}
[root@ka2 ~]# systemctl restart keepalived.service
Test
[root@realserver1 ~]# ping 172.25.254.100
PING 172.25.254.100 (172.25.254.100) 56(84) bytes of data.
64 bytes from 172.25.254.100: icmp_seq=1 ttl=64 time=0.237 ms
64 bytes from 172.25.254.100: icmp_seq=2 ttl=64 time=0.583 ms
2.4 Configuring a separate log file for keepalived
ka1
[root@ka1 ~]# vim /etc/sysconfig/keepalived
# --log-facility -S 0-7 Set local syslog facility (default=LOG_DAEMON)
#
KEEPALIVED_OPTIONS="-D -S 6"
[root@ka1 ~]# systemctl restart keepalived.service
[root@ka1 ~]# vim /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local6.* /var/log/keepalived.log
[root@ka1 ~]# systemctl restart rsyslog.service
[root@ka1 ~]# systemctl restart keepalived.service
Test
[root@ka1 ~]# ll /var/log/keepalived.log
-rw------- 1 root root 8168 Aug 11 21:11 /var/log/keepalived.log
2.5 Separate sub-configuration files for keepalived
Separate sub-configuration files: move the configuration into a sub-configuration file
Once the instance is commented out, the virtual router disappears
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
#vrrp_instance VI_1 {
# state MASTER
# interface eth0
# virtual_router_id 100
# priority 100
# advert_int 1
# authentication {
# auth_type PASS
# auth_pass 1111
# }
# virtual_ipaddress {
# 172.25.254.100/24 dev eth0 label eth0:1
# }
#}
include "/etc/keepalived/conf.d/*.conf"
[root@ka1 ~]# systemctl restart keepalived.service
# fails because the conf.d directory cannot be found
Job for keepalived.service failed because the control process exited with error code. See "systemctl status keepalived.service" and "journalctl -xe" for details.
[root@ka1 ~]# mkdir -p /etc/keepalived/conf.d
[root@ka1 ~]# vim /etc/keepalived/conf.d/172.25.254.100.conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 100
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
[root@ka1 ~]# systemctl restart keepalived.service
3. How it works
3.1 Preempt mode, non-preempt mode and delayed preemption
Preempt mode: the higher-priority node takes over directly
Non-preempt mode: the higher-priority node only takes over once the lower-priority master has failed
Delayed preemption: the higher-priority node takes over after the specified time
Non-preempt mode configuration
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
nopreempt # non-preempt mode
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
#include "/etc/keepalived/conf.d/*.conf"
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 80
advert_int 1
nopreempt # non-preempt mode
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
[root@ka2 ~]# systemctl restart keepalived.service
Test: on ka1, run ip a
Delayed preemption configuration
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
preempt_delay 5s # preempt after a 5 s delay
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
#include "/etc/keepalived/conf.d/*.conf"
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 80
advert_int 1
preempt_delay 5s # preempt after a 5 s delay
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
}
[root@ka2 ~]# systemctl restart keepalived.service
Test: on ka1, run ip a
3.2 VIP unicast configuration
By default the keepalived hosts announce to each other with multicast, which can congest the network; it can be replaced with unicast to reduce network traffic
Configuration for switching multicast to unicast
Prerequisite: on both ka hosts, comment out the vrrp_strict parameter in global_defs, because it does not support unicast
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 100
priority 100
advert_int 1
#nopreempt
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
unicast_src_ip 172.25.254.10
unicast_peer {
172.25.254.20
}
}
#include "/etc/keepalived/conf.d/*.conf"
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
unicast_src_ip 172.25.254.20
unicast_peer {
172.25.254.10
}
}
[root@ka2 ~]# systemctl restart keepalived.service
Test
Run this command on ka1 and ka2 at the same time
[root@ka1 ~]# tcpdump -i eth0 -nn src host 172.25.254.10 and dst 172.25.254.20
[root@ka2 ~]# tcpdump -i eth0 -nn src host 172.25.254.20 and dst 172.25.254.10
On the client terminal
[root@realserver1 ~]# ssh -l root 172.25.254.10
[root@ka1 ~]# systemctl stop keepalived.service
[root@ka1 ~]# systemctl start keepalived.service
Once one side holds the VIP, the other goes quiet: while ka1 shows packets, ka2 shows none. As soon as ka1 goes down, ka2 shows packets immediately
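Two rules from sections 3.1 and 3.2 (nopreempt only takes effect with state BACKUP, and unicast_peer does not work while vrrp_strict is set) are easy to get wrong when a config is copied between ka1 and ka2. The following is an added example (not part of the original article, and not keepalived's own tooling) of a small lint that checks a keepalived.conf for both, plus the 8-character limit of the VRRPv2 auth_pass; the sample configuration is constructed and deliberately broken.

```shell
#!/bin/bash
# lint_keepalived_conf: sanity-check vrrp_instance blocks before restarting
# keepalived. Added example for this article, not keepalived's own tooling;
# the sample configuration below is constructed and deliberately wrong.
# Rules: 1. nopreempt only works when the instance's initial state is BACKUP
#        2. unicast_peer cannot be combined with vrrp_strict
#        3. auth_pass is a VRRPv2 simple-text password: only 8 characters are used
#        4. every instance needs a priority
# Usage: lint_keepalived_conf < /etc/keepalived/keepalived.conf
lint_keepalived_conf() {
    awk '
        { sub(/#.*/, "") }                  # strip comments, so "#vrrp_strict" does not count
        /^[[:space:]]*$/ { next }
        /vrrp_strict/ { strict = 1 }        # global_defs comes before the instances
        /^[[:space:]]*vrrp_instance[[:space:]]/ {
            name = $2; depth = 0; state = ""; nopre = 0; unicast = 0; prio = ""; longpass = 0
        }
        name != "" {
            if ($1 == "state")        state = $2
            if ($1 == "nopreempt")    nopre = 1
            if ($1 == "unicast_peer") unicast = 1
            if ($1 == "priority")     prio = $2
            if ($1 == "auth_pass" && length($2) > 8) longpass = 1
            depth += gsub(/[{]/, "{")       # count braces to find the end of the block
            depth -= gsub(/[}]/, "}")
            if (depth == 0) {
                if (nopre && state != "BACKUP") print "ERROR " name ": nopreempt requires state BACKUP (found " state ")"
                if (strict && unicast) print "ERROR " name ": unicast_peer is used while vrrp_strict is set"
                if (longpass) print "WARN " name ": auth_pass is longer than 8 characters; only the first 8 are used"
                if (prio == "") print "ERROR " name ": no priority set"
                name = ""
            }
        }'
}
# Constructed configuration with three mistakes: VI_1 combines nopreempt with
# state MASTER and unicast_peer with vrrp_strict; VI_2 has a 12-character auth_pass.
sample_conf() {
    cat <<'EOF'
global_defs {
    vrrp_strict
    #vrrp_iptables
}
vrrp_instance VI_1 {
    state MASTER
    virtual_router_id 100
    priority 100
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.25.254.100/24 dev eth0 label eth0:1
    }
    unicast_src_ip 172.25.254.10
    unicast_peer {
        172.25.254.20
    }
}
vrrp_instance VI_2 {
    state BACKUP
    virtual_router_id 200
    priority 80
    nopreempt
    authentication {
        auth_type PASS
        auth_pass longpassword
    }
}
EOF
}
sample_conf | lint_keepalived_conf
```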
4. Mail notification
Let Linux send mail
4.1 Sending mail to a QQ mailbox
Have Linux send mail to a QQ mailbox. Prerequisite: in QQ Mail, open Account & Security -> Security settings and enable the POP3/IMAP/SMTP/Exchange/CardDAV service
ka1 configuration
[root@ka1 ~]# yum install mailx -y
[root@ka1 ~]# vim /etc/mail.rc
# For Linux and BSD, this should be set.
set bsdcompat
set from=1540509690@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=1540509690@qq.com
set smtp-auth-password=pbqcsmebsewfbabi
set smtp-auth=login
set ssl-verify=ignore
Test
Send a mail to your own QQ mailbox
[root@ka1 ~]# echo hello world | mail -s test 1540509690@qq.com
ka2
[root@ka2 ~]# yum install mailx -y
[root@ka2 ~]# vim /etc/mail.rc
# For Linux and BSD, this should be set.
set bsdcompat
set from=1540509690@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=1540509690@qq.com
set smtp-auth-password=pbqcsmebsewfbabi
set smtp-auth=login
set ssl-verify=ignore
Test
Send a mail to your own QQ mailbox
[root@ka2 ~]# echo hello world2 | mail -s test 1540509690@qq.com
4.2 Writing the script
ka1 and ka2
[root@ka1 ~]# vim /etc/keepalived/mail.sh
#! /bin/bash
# Notify script run by keepalived with the new role as $1
# (master, backup or fault); sends a mail for each state change.
mail_dst="1540509690@qq.com"
send_message()
{
    mail_sub="$HOSTNAME to be $1 vip move"
    mail_msg="$(date +'%F %T'):vrrp move $HOSTNAME change $1"
    echo "$mail_msg" | mail -s "$mail_sub" "$mail_dst"
}
case $1 in
master)
    send_message master
    ;;
backup)
    send_message backup
    ;;
fault)
    send_message fault
    ;;
*)
    ;;
esac
[root@ka1 ~]# chmod +x /etc/keepalived/mail.sh
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 100
priority 100
advert_int 1
#nopreempt
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
unicast_src_ip 172.25.254.10
unicast_peer {
172.25.254.20
}
# the following lines were added
notify_master "/etc/keepalived/mail.sh master"
notify_backup "/etc/keepalived/mail.sh backup"
notify_fault "/etc/keepalived/mail.sh fault"
}
#include "/etc/keepalived/conf.d/*.conf"
[root@ka1 ~]# systemctl restart keepalived.service
Test
[root@ka1 ~]# /etc/keepalived/mail.sh fault
5. Setting up a keepalived dual-master structure
Give each of the two keepalived hosts its own VIP
Configuration
ka1
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 100
priority 100
advert_int 1
#nopreempt
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
unicast_src_ip 172.25.254.10
unicast_peer {
172.25.254.20
}
}
vrrp_instance VI_2 {
state BACKUP
interface eth0
virtual_router_id 200
priority 80
advert_int 1
#nopreempt
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.200/24 dev eth0 label eth0:2
}
unicast_src_ip 172.25.254.10
unicast_peer {
172.25.254.20
}
}
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
There are two instances below: the first stays unchanged (only the name changes), and the second block is the copied one
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
unicast_src_ip 172.25.254.20
unicast_peer {
172.25.254.10
}
}
vrrp_instance VI_2 {
state MASTER
interface eth0
virtual_router_id 200
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.200/24 dev eth0 label eth0:2
}
unicast_src_ip 172.25.254.20
unicast_peer {
172.25.254.10
}
}
[root@ka2 ~]# systemctl restart keepalived.service
6. High availability for ipvs (lvs + keepalived)
6.1 Virtual server configuration structure
virtual_server IP port {
...
real_server {
...
}
real_server {
...
}
…
}
6.2 Virtual server configuration
virtual_server IP port { # VIP and port
    delay_loop <INT> # interval between checks of the back-end servers
    lb_algo rr|wrr|lc|wlc|lblc|sh|dh # scheduling method
    lb_kind NAT|DR|TUN # cluster type, must be upper-case
    persistence_timeout <INT> # persistent-connection duration
    protocol TCP|UDP|SCTP # service protocol, usually TCP
    sorry_server <IPADDR> <PORT> # fallback server address used when all RS have failed
    real_server <IPADDR> <PORT> { # RS IP and port
        weight <INT> # RS weight
        notify_up <STRING>|<QUOTED-STRING> # script run when the RS comes up
        notify_down <STRING>|<QUOTED-STRING> # script run when the RS goes down
        HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK { ... } # health-check method for this RS
    }
}
# note: braces must be on separate lines; two braces on the same line, e.g. }}, cause an error
6.3 Application-layer checks
Application-layer checks: HTTP_GET|SSL_GET
HTTP_GET|SSL_GET {
    url {
        path <URL_PATH> # URL to monitor
        status_code <INT> # response code that counts as healthy, usually 200
    }
    connect_timeout <INTEGER> # client request timeout, equivalent to haproxy's timeout server
    nb_get_retry <INT> # number of retries
    delay_before_retry <INT> # delay before retrying
    connect_ip <IP ADDRESS> # IP address of the RS to send the health check to
    connect_port <PORT> # port of the RS to send the health check to
    bindto <IP ADDRESS> # source address used for the health-check request
    bind_port <PORT> # source port used for the health-check request
}
6.4 TCP check
Transport-layer check: TCP_CHECK
TCP_CHECK {
    connect_ip <IP ADDRESS> # IP address of the RS to send the health check to
    connect_port <PORT> # port of the RS to send the health check to
    bindto <IP ADDRESS> # source address used for the health-check request
    bind_port <PORT> # source port used for the health-check request
    connect_timeout <INTEGER> # client request timeout, equivalent to haproxy's timeout server
}
6.5 Dual-master LVS-DR mode
rs1
[root@realserver1 ~]# ip a a 172.25.254.100/32 dev lo
[root@realserver1 ~]# cd /etc/sysconfig/network-scripts/
[root@realserver1 network-scripts]# vim ifcfg-lo
DEVICE=lo
IPADDR0=127.0.0.1
NETMASK0=255.0.0.0
IPADDR1=172.25.254.100
NETMASK1=255.255.255.255
NETWORK=127.0.0.0
# If you're having problems with gated making 127.0.0.0/8 a martian,
# you can change this to something else (255.255.255.255, for example)
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
[root@realserver1 network-scripts]# systemctl restart network
Job for network.service failed because the control process exited with error code. See "systemctl status network.service" and "journalctl -xe" for details.
Remove the extra NIC configuration, ens33
[root@realserver1 network-scripts]# rm -fr ifcfg-ens33
[root@realserver1 network-scripts]# systemctl restart network
rs2
[root@realserver2 ~]# ip a a 172.25.254.100/32 dev lo
[root@realserver2 ~]# vim /etc/sysctl.d/arp.conf
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.lo.arp_announce=2
Check whether it took effect
[root@realserver2 ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/arp.conf ...
# check the following lines
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
* Applying /etc/sysctl.conf ...
[root@realserver2 ~]# scp /etc/sysctl.d/arp.conf root@172.25.254.110:/etc/sysctl.d/arp.conf
The authenticity of host '172.25.254.110 (172.25.254.110)' can't be established.
ECDSA key fingerprint is SHA256:E3qE8JvU9z/9Q6iQNWX4FB2C7Of1r+MKoHRNklKH9ow.
ECDSA key fingerprint is MD5:26:47:a1:e9:a2:08:3a:f9:fa:eb:2d:a8:99:11:bf:6b.
Are you sure you want to continue connecting (yes/no)? yes # type yes
Warning: Permanently added '172.25.254.110' (ECDSA) to the list of known hosts.
root@172.25.254.110's password: # enter the password
arp.conf 100% 127 162.7KB/s 00:00
Check the result
[root@realserver2 ~]# sysctl --system
[root@realserver2 ~]# cat /etc/sysctl.d/arp.conf
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.lo.arp_announce=2
ka1
[root@ka1 ~]# yum install ipvsadm -y
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
#include "/etc/keepalived/conf.d/*.conf"
virtual_server 172.25.254.100 80 {
delay_loop 6
lb_algo wrr
lb_kind DR
#persistence_timeout 50
protocol TCP
#################################################################
real_server 172.25.254.110 80 {
weight 1
SSL_GET { # the RS serve plain HTTP on port 80; HTTP_GET is the matching check, SSL_GET performs a TLS handshake
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 2
delay_before_retry 2
}
}
###############################################################
real_server 172.25.254.120 80 {
weight 1
SSL_GET {
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 2
delay_before_retry 2
}
}
#################################################################
}
[root@ka1 ~]# systemctl restart keepalived.service
ka2
[root@ka2 ~]# yum install ipvsadm -y
Check whether curl 172.25.254.100 works
[root@ka2 ~]# curl 172.25.254.100
172.25.254.110
[root@ka2 ~]# vim /etc/keepalived/keepalived.conf
virtual_server 172.25.254.100 80 {
delay_loop 6
lb_algo wrr
lb_kind DR
#persistence_timeout 50
protocol TCP
real_server 172.25.254.110 80 {
weight 1
SSL_GET { # the RS serve plain HTTP on port 80; HTTP_GET is the matching check, SSL_GET performs a TLS handshake
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 2
delay_before_retry 2
}
}
##################################################################
real_server 172.25.254.120 80 {
weight 1
SSL_GET {
url {
path /
status_code 200
}
connect_timeout 3
nb_get_retry 2
delay_before_retry 2
}
}
}
[root@ka2 ~]# systemctl restart keepalived.service
6.6 High availability for other applications with vrrp_script (haproxy + keepalived)
6.6.1 Switching the master/backup role with a script
ka1
[root@ka1 ~]# vim /etc/keepalived/test.sh
#! /bin/bash
# exit 0 (healthy) while /mnt/lee is absent, 1 once it exists
[ ! -f /mnt/lee ]
[root@ka1 ~]# sh /etc/keepalived/test.sh
[root@ka1 ~]# echo $?
0
[root@ka1 ~]# touch /mnt/lee
[root@ka1 ~]# sh /etc/keepalived/test.sh
[root@ka1 ~]# echo $?
1
[root@ka1 ~]# chmod +x /etc/keepalived/test.sh
[root@ka1 ~]# vim /etc/keepalived/keepalived.conf
vrrp_script check_file {
script "/etc/keepalived/test.sh"
interval 1
weight -30
fall 2
rise 2
timeout 2
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 100
priority 100
advert_int 1
#nopreempt
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.25.254.100/24 dev eth0 label eth0:1
}
unicast_src_ip 172.25.254.10
unicast_peer {
172.25.254.20
}
track_script {
check_file
}
}
[root@ka1 ~]# systemctl restart keepalived.service
Delete any trailing whitespace after check_file
[root@ka1 ~]# ls /mnt/lee
/mnt/lee
Test
[root@ka1 ~]# tcpdump -i eth0 -nn src host 172.25.254.10 and dst host 172.25.254.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:43:30.217900 ARP, Request who-has 172.25.254.20 tell 172.25.254.10, length 28
01:43:31.218509 ARP, Request who-has 172.25.254.20 tell 172.25.254.10, length 28
01:43:32.220167 ARP, Request who-has 172.25.254.20 tell 172.25.254.10, length 28
01:43:34.222801 ARP, Request who-has 172.25.254.20 tell 172.25.254.10, length 28
01:43:35.224120 ARP, Request who-has 172.25.254.20 tell 172.25.254.10, length 28
6.6.2 Configuring haproxy + keepalived for high availability
ka1
[root@ka1 ~]# yum install haproxy -y
[root@ka1 ~]# vim /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_nonlocal_bind=1
[root@ka1 ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
ka2
[root@ka2 ~]# yum install haproxy -y
[root@ka2 ~]# vim /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_nonlocal_bind=1
[root@ka2 ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
ka1
[root@ka1 ~]# vim /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
balance roundrobin
server app1 127.0.0.1:5001 check
server app2 127.0.0.1:5002 check
server app3 127.0.0.1:5003 check
server app4 127.0.0.1:5004 check
listen webcluster
bind 172.25.254.100:80
balance roundrobin
server web1 172.25.254.110:80 check inter 3 fall 2 rise 5
server web2 172.25.254.120:80 check inter 3 fall 2 rise 5
[root@ka1 ~]# systemctl enable --now haproxy.service