keepalived配置和使用
安装:
yum安装
yum install -y keepalived
编译安装
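# Install the compiler and the development headers the keepalived build needs.
yum install -y gcc openssh-server openssh-clients openssl openssl-devel libnl3-devel libnl3 make
cd /usr/local/src
# Download with TLS certificate validation left on: this tarball is compiled and
# installed as root, so an unauthenticated download is a supply-chain risk.
# If validation fails, update the host's CA bundle (ca-certificates) rather than
# disabling the check.
wget https://keepalived.org/software/keepalived-2.2.4.tar.gz
# Verify the archive against the checksum published for this release before
# unpacking. <EXPECTED_SHA256> is a placeholder, not a real digest.
echo "<EXPECTED_SHA256>  keepalived-2.2.4.tar.gz" | sha256sum -c - \
  && tar xf keepalived-2.2.4.tar.gz
cd keepalived-2.2.4/
# --disable-fwmark builds keepalived without firewall-mark (fwmark) support.
./configure --prefix=/apps/keepalived --disable-fwmark
make && make install
# -p keeps the step repeatable when the directory already exists.
mkdir -p /etc/keepalived
cp ./keepalived/etc/keepalived/keepalived.conf /etc/keepalived/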
配置文件
! Configuration File for keepalived
# Annotated sample configuration: one VRRP instance with mail notification settings.
global_defs {
notification_email { # e-mail notification settings
acassen@firewall.loc # recipients mailed when keepalived fails over; one address per line
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_DEVEL # identifier string for this node
vrrp_skip_check_adv_addr # checking every advert is costly; skip the source-address check when an advert comes from the same router as the previous one
# vrrp_strict # strict VRRP compliance; prohibits: 1) no VIP address, 2) unicast peers, 3) IPv6 addresses in VRRP version 2
vrrp_garp_interval 0 # delay between gratuitous ARP messages
vrrp_gna_interval 0 # delay between unsolicited NA messages (original note: "message send delay")
#vrrp_iptables # per the original note: the yum build auto-generates firewall rules, which can be removed or suppressed
}
vrrp_instance VI_1 {
state MASTER # initial state of this node in the virtual router at start-up
interface eth0 # NIC that carries the VRRP heartbeat
virtual_router_id 51 # unique ID of this virtual router; must match on MASTER and BACKUP (original note gives range 0-255; VRRP itself defines VRIDs 1-255)
priority 100 # priority of this host within the virtual router; range 1-254
advert_int 1 # VRRP advertisement interval between master and backup, in seconds; default 1
# Security note: auth_type PASS puts the password in clear text in every advert,
# so any host on the segment can read it. It guards against accidental
# mis-pairing, not against an on-link attacker. Replace the sample value 1111
# and restrict VRRP (IP protocol 112) to the peer addresses with a firewall or
# a dedicated heartbeat network.
authentication { # authentication settings
auth_type PASS
auth_pass 1111 # only the first 8 characters are used
}
virtual_ipaddress { # virtual IP(s) (VIP)
192.168.200.16
}
}
keepalived 结合nginx 实现高可用
允许绑定不存在的ip地址
# Persist the setting that lets a service bind to an address not currently
# configured on this host (the VIP while this node is BACKUP), then reload
# the file. Running the append twice leaves a duplicate line in sysctl.conf.
printf '%s\n' 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
keepalived-master端
! Configuration File for keepalived
# MASTER node: holds the VIP while the nginx health check passes.
global_defs {
router_id 119.103
vrrp_skip_check_adv_addr
# NOTE(review): strict mode is enabled together with an authentication block
# below; keepalived is expected to ignore authentication in strict mode, so
# confirm in the logs which one is in effect.
# NOTE(review): strict mode is also known to add firewall rules that drop
# traffic addressed to the VIP on a non-owner node; verify nginx is actually
# reachable through 192.168.119.100 after start-up.
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
}
# Health check. keepalived executes this script with its own privileges, so keep
# the file root-owned and not writable by other users; the global_defs options
# script_user and enable_script_security can reduce the privileges it runs with.
vrrp_script chk_nginx {
script "/etc/keepalived/chk_nginx.sh"
interval 1 # run the check every second
weight -80 # subtract 80 from the priority while the check is failing (90 -> 10, below the backup's 80)
fall 3 # consecutive failures before the check counts as failed
rise 5 # consecutive successes before it counts as healthy again
timeout 2 # a run exceeding 2 seconds counts as a failure
}
vrrp_instance VI_1 {
state MASTER
interface ens32
virtual_router_id 55 # must be identical on both nodes
priority 90
advert_int 1
# PASS authentication is sent in clear text in every advert; 1111 is a sample
# value and should not be reused. Restrict VRRP traffic to the peer address.
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.119.100
}
track_script {
chk_nginx
}
}
keepalived-backup端
! Configuration File for keepalived
# BACKUP node: takes over the VIP when the master's effective priority drops below 80.
global_defs {
router_id 119.104
vrrp_skip_check_adv_addr
# NOTE(review): strict mode is enabled together with an authentication block
# below; keepalived is expected to ignore authentication in strict mode, so
# confirm in the logs which one is in effect.
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
}
# Health check. keepalived executes this script with its own privileges, so keep
# the file root-owned and not writable by other users.
vrrp_script chk_nginx {
script "/etc/keepalived/chk_nginx.sh"
interval 1 # run the check every second
weight -80 # subtract 80 from the priority while the check is failing
fall 3 # consecutive failures before the check counts as failed
rise 5 # consecutive successes before it counts as healthy again
timeout 2 # a run exceeding 2 seconds counts as a failure
}
vrrp_instance VI_1 {
state BACKUP
interface ens32
virtual_router_id 55 # must be identical on both nodes
priority 80 # lower than the master's 90
advert_int 1
# Must match the master. PASS authentication is sent in clear text in every
# advert; 1111 is a sample value and should not be reused.
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.119.100
}
track_script {
chk_nginx
}
}
cat /etc/keepalived/chk_nginx.sh
#!/bin/bash
# Health check used by the vrrp_script block: signal 0 delivers nothing and only
# tests whether a process named nginx exists; the exit status is non-zero when
# none is found.
killall -0 nginx
# killall is provided by the psmisc package:
# yum install psmisc -y
chmod +x /etc/keepalived/chk_nginx.sh
# This script only checks that an nginx process exists and returns an error when
# it does not; it does not prove nginx is answering requests.
# keepalived executes it with its own privileges, so the file should stay
# root-owned and not writable by other users.
脑裂以及脑裂产生的原因
脑裂:
在高可用(HA)系统中,当联系2个节点的“心跳线”断开时,本来为一整体分裂成为2个独立的个体。由于相互失去了联系,都以为是对方出了故障。两个节点上的HA软件像“裂脑人”一样,争抢“共享资源”、争起“应用服务”,就会发生严重后果——或者共享资源被瓜分、2边“服务”都起不来了;或者2边“服务”都起来了,但同时读写“共享存储”,导致数据损坏。
产生脑裂的原因:
服务器对之间心跳线链路发生故障,导致无法正常通信
因心跳线间连接的设备故障
心跳网卡地址等信息配置不正确,导致发送心跳失败
Keepalived配置里同一 VRRP实例如果virtual_router_id两端参数配置不一致会导致裂脑问题发生。
keepalived 进程被强制kill后,虚拟 ip 移除不掉,导致脑裂的现象。
解决办法
同时用两条心跳线路,这样一条线路坏了,另一个还是好的,依然能传送心跳消息
做好对裂脑的监控报警(如邮件及手机短信等或值班),在问题发生时人为第一时间介入仲裁,降低损失。
实现keepalived监控
Keepalived通知配置
发件人配置:
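[root@localhost ~]# yum install mailx -y
[root@localhost ~]# vim /etc/mail.rc
# Sender account that mail(1) uses for the keepalived notifications.
set from=wslzr120@163.com
# smtps:// opens TLS before authenticating; a bare host name sends the login
# over an unencrypted connection.
set smtp=smtps://smtp.163.com:465
set smtp-auth-user=wslzr120@163.com
# Placeholder, not a real value: insert the provider-issued authorization code
# locally and never publish it. A code that has appeared in a document or a
# repository should be revoked and reissued. /etc/mail.rc is normally
# world-readable, so a root-only file (e.g. ~/.mailrc with mode 0600) is a
# safer home for these account lines.
set smtp-auth-password=REPLACE_WITH_SMTP_AUTH_CODE
set smtp-auth=login
# Validate the server certificate; "ignore" would accept any certificate and
# let an on-path host capture the login. nss-config-dir must point at an NSS
# database that trusts the server's CA; adjust the path for your system.
set ssl-verify=strict
set nss-config-dir=/etc/pki/nssdb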
定义通知脚本:
notify_master <STRING>|<QUOTED-STRING>:
当前节点成为主节点时触发的脚本
notify_backup <STRING>|<QUOTED-STRING>:
当前节点转为备节点时触发的脚本
notify_fault <STRING>|<QUOTED-STRING>:
当前节点转为“失败”状态时触发的脚本
notify <STRING>|<QUOTED-STRING>:
通用格式的通知触发机制,一个脚本可完成以上三种状态的转换时的通知
Keepalived通知脚本
[root@localhost keepalived]# cat /etc/keepalived/notify.sh
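#!/bin/bash
# keepalived state-change notifier: mails a one-line notice to $contact when
# this node becomes master, backup or fault.
# Usage: notify.sh {master|backup|fault}
# keepalived executes this script with its own privileges (root unless a script
# user is configured), so keep the file root-owned and not writable by others.
readonly contact='61864003@qq.com'

#######################################
# Send the notification mail for one VRRP state transition.
# Globals:   contact (read)
# Arguments: $1 - new state (master, backup or fault)
# Outputs:   pipes the message body to mail(1)
# Returns:   exit status of mail
#######################################
notify() {
  local state=$1
  local host subject body
  host=$(hostname)
  subject="${host} to be ${state}, vip 转移"
  body="$(date +'%F %T'): vrrp transition, ${host} changed to be ${state}"
  # Quote every expansion so the subject and recipient are each passed to
  # mail as a single argument.
  printf '%s\n' "$body" | mail -s "$subject" "$contact"
}

# Only the three known states reach notify; anything else (including a missing
# argument) prints the usage line and exits non-zero.
case "${1:-}" in
  master | backup | fault)
    notify "$1"
    ;;
  *)
    echo "Usage: ${0##*/} {master|backup|fault}"
    exit 1
    ;;
esac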
脚本的调用方法:
# Hooks that call the notify script on each state change; these directives go
# inside the vrrp_instance block of keepalived.conf.
notify_master "/etc/keepalived/notify.sh master"
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
# The script must be executable. keepalived runs it with its own privileges,
# so keep it root-owned and not writable by other users.
chmod +x /etc/keepalived/notify.sh
停止keepalived服务,验证IP 切换后是否收到通知邮件: