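For high availability, the system uses keepalived + nginx so that the front-end proxy hosts back each other up. I hit several pitfalls during deployment, and it took two days of fiddling to get everything working. The problems and their solutions are collected below for reference.
The hosts run CentOS Linux release 7.9.2009 (Core). All steps were performed as root, and keepalived was installed with yum -y install keepalived.
Commands for checking keepalived's status and for stopping and starting it: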
systemctl status keepalived
systemctl stop keepalived
systemctl start keepalived
Problem 1:
12月 16 14:08:09 localhost.localdomain Keepalived_vrrp[11459]: WARNING - script '/etc/keepalived/check_nginx.sh' is not executable for uid:gid 0:0 - disabling.
Solution:
chmod +x check_nginx.sh
Problem 2:
12月 16 14:10:49 localhost.localdomain Keepalived_vrrp[11533]: WARNING - default user 'keepalived_script' for script execution does not exist - please create.
Solution:
Add script_user root to the global_defs block, so that scripts run as root instead of the missing keepalived_script user.
Problem 3:
12月 16 14:16:22 localhost.localdomain Keepalived_vrrp[13195]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.
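Solution:
Add enable_script_security to the global_defs block. With it set, keepalived will not run a script as root if any part of the script's path is writable by a non-root user.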
Problem 4:
12月 16 14:30:48 localhost.localdomain Keepalived_vrrp[17450]: /etc/keepalived/check_nginx.sh exited with status 127
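Solution:
Switch SELinux to permissive mode with the command setenforce 0. Permissive mode applies to the whole host, not only to keepalived: denials are still logged but no longer enforced.
Note: this has to be set again after the host reboots.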
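The conditions behind Problems 1 to 4 can be checked before keepalived is started. The sh function below is an added example, not part of the original post: the finding labels are invented for it, GNU stat is assumed, and the path-permission loop is a conservative approximation of what enable_script_security enforces, not keepalived's own logic.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for a keepalived
# track script, one per problem above. Prints one line per finding and returns
# 0 only when there are none. Finding labels are invented for this example.
preflight_script() {
    script=$1
    user=${2:-keepalived_script}   # default script user named in Problem 2
    bad=0

    # Problem 1: keepalived disables a script it cannot execute.
    if [ ! -f "$script" ]; then
        echo "MISSING $script"
        return 1
    fi
    [ -x "$script" ] || { echo "NOT_EXECUTABLE $script"; bad=1; }

    # Problem 2: the account that runs the script must exist.
    id -u "$user" >/dev/null 2>&1 || { echo "NO_SUCH_USER $user"; bad=1; }

    # Problem 3: with enable_script_security, a script run as root is refused
    # when any part of its path is writable by a non-root user. Approximation:
    # flag every path component that is not root-owned or is group/other
    # writable (sticky directories such as /tmp are flagged too).
    p=$script
    while :; do
        owner=$(stat -L -c '%u' "$p")
        mode=$(stat -L -c '%a' "$p")
        [ "$owner" = 0 ] || { echo "NOT_ROOT_OWNED $p"; bad=1; }
        case $mode in
            *[2367]?|*[2367]) echo "GROUP_OR_OTHER_WRITABLE $p ($mode)"; bad=1 ;;
        esac
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done

    # Problem 4: setenforce 0 does not survive a reboot, so report the mode
    # the script will actually run under (informational, not a finding).
    if command -v getenforce >/dev/null 2>&1; then
        echo "INFO selinux=$(getenforce)"
    fi
    return "$bad"
}

# Usage when saved to a file: sh <file> /etc/keepalived/check_nginx.sh root
if [ "$#" -gt 0 ]; then preflight_script "$@"; fi
```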
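Full contents of check_nginx.sh:
[root@localhost keepalived]# cat check_nginx.sh
#!/bin/bash
# Stop keepalived when no nginx process is left, so the virtual IP moves to the peer.
if [ "$(ps -C nginx --no-header | wc -l)" -eq 0 ]; then
    systemctl stop keepalived.service
fi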
Full contents of keepalived.conf:
[root@localhost keepalived]# cat keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
    ! Run track scripts as root (Problem 2).
    script_user root
    ! Refuse root-run scripts whose path is writable by a non-root user (Problem 3).
    enable_script_security
}
vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens5
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        ! Sample password from the stock config; set your own, identical on both nodes.
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.100.100
    }
    track_script {
        check_nginx
    }
}