通过抓包分析keepalived的浮动IP是如何飘移的

首先介绍下环境:

两台机器：192.168.100.101（MASTER）,192.168.100.102 （BACKUP）
浮动IP：192.168.100.10

在两台机器上安装配置keepalived，此文不做安装具体步骤描述，可以参考我的另一篇文章keepalived安装配置

贴出此环境使用的配置文件：

! Configuration File for keepalived
global_defs {                                                   #全局定义主要设置 keepalived 的通知机制和标识
        notification_email {
                root@localhost
                }
        notification_email_from keepalived@localhost
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id HAproxy1
        }

vrrp_instance VI_1 {            #VRRP(虚拟路由冗余协议)实例配置
        state BACKUP                        #另一个 Director 标记为 BACKUP！！！
        nopreempt                 #非抢占模式.当两个都为BACKUP时才生效。不然MASTER还是会抢占
        interface eth1                          #实例绑定的网卡
        virtual_router_id 51            #VRID 虚拟路由标识 00-00-5e-00-01-{VRID}
        priority 150                                    #优先级高为master，master 至少要高于 backup 50 ！！！
        ###BACKUP上优先级配置为100
        advert_int 1                            #检查间隔
        authentication {
                auth_type PASS          #验证:主备之间做身份验证  主备之间一定一致
                auth_pass 1111
                }
        virtual_ipaddress {             #浮动ip
                192.168.100.10/24
                }
        }

先启动MASTER上的keepalived并观察日志：

[root@MASTER ~]# service keepalived start
Starting keepalived:                                       [  OK  ]
[root@MASTER ~]# tail -f /var/log/messages
Aug 10 14:17:36 jia1 Keepalived[18350]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 10 14:17:36 jia1 Keepalived[18350]: Unable to resolve default script username 'keepalived_script' - ignoring
Aug 10 14:17:36 jia1 Keepalived[18350]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 10 14:17:36 jia1 Keepalived[18351]: Starting Healthcheck child process, pid=18353
Aug 10 14:17:36 jia1 Keepalived[18351]: Starting VRRP child process, pid=18354
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: Registering Kernel netlink reflector
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: Registering Kernel netlink command channel
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: Registering gratuitous ARP shared channel
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 10 14:17:36 jia1 Keepalived_healthcheckers[18353]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) removing protocol VIPs.
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: Using LinkWatch kernel netlink reflector...
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) Entering BACKUP STATE
Aug 10 14:17:36 jia1 Keepalived_vrrp[18354]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]
Aug 10 14:17:39 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) Transition to MASTER STATE
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) Entering MASTER STATE
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) setting protocol VIPs.
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on eth1 for 192.168.100.10
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:40 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:45 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:45 jia1 Keepalived_vrrp[18354]: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on eth1 for 192.168.100.10
Aug 10 14:17:45 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:45 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:45 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10
Aug 10 14:17:45 jia1 Keepalived_vrrp[18354]: Sending gratuitous ARP on eth1 for 192.168.100.10

观察日志可以看到整个工作流程，

1. 启动主进程
2. 打开配置文件
3. 启动健康检查和vrrp两个子进程
4. 注册一些内核模块
5. 打开配置文件，根据内容做vrrp_instance
6. 因为我配置的是双机器都是BACKUP模式，所以先进入backup状态，然后根据优先级进入MASTER模式
7. 进入MASTER模式之后，设置浮动IP好，并发送ARP信息，告诉其他机器浮动IP在我的eth1网卡上。

然后我们启动BACKUP机器上的keepalived,在观察日志：

[root@BACKUP ~]# service keepalived start
Starting keepalived:                                       [  OK  ]
[root@BACKUP ~]# tail -f /var/log/messages
Aug 10 14:28:47 jia2 Keepalived[46713]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 10 14:28:47 jia2 Keepalived[46713]: Unable to resolve default script username 'keepalived_script' - ignoring
Aug 10 14:28:47 jia2 Keepalived[46713]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 10 14:28:47 jia2 Keepalived[46714]: Starting Healthcheck child process, pid=46716
Aug 10 14:28:47 jia2 Keepalived[46714]: Starting VRRP child process, pid=46717
Aug 10 14:28:47 jia2 Keepalived_vrrp[46717]: Registering Kernel netlink reflector
Aug 10 14:28:47 jia2 Keepalived_vrrp[46717]: Registering Kernel netlink command channel
Aug 10 14:28:47 jia2 Keepalived_vrrp[46717]: Registering gratuitous ARP shared channel
Aug 10 14:28:47 jia2 Keepalived_vrrp[46717]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 10 14:28:47 jia2 Keepalived_healthcheckers[46716]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 10 14:28:48 jia2 Keepalived_vrrp[46717]: VRRP_Instance(VI_1) removing protocol VIPs.
Aug 10 14:28:48 jia2 Keepalived_vrrp[46717]: Using LinkWatch kernel netlink reflector...
Aug 10 14:28:48 jia2 Keepalived_vrrp[46717]: VRRP_Instance(VI_1) Entering BACKUP STATE
Aug 10 14:28:48 jia2 Keepalived_vrrp[46717]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]

启动步骤前面和MASTER机器一致，不过进入BACKUP状态之后发现已经有高优先级的进入MASTER状态时，则运行在BACKUP状态。

然后重点来了，我们使用tcpdump进行抓包，在MASTER机器上执行如下命令，将抓到的包写入到/tmp/keepalived.pcap文件中。

[root@MASTER ~]# tcpdump -i eth1 vrrp -w /tmp/keepalived.pcap

接下来我们停掉MASTER机器上的keepalived，让浮动IP飘移到BACKUP机器上。

[root@MASTER ~]# service keepalived stop Stopping keepalived: [ OK ]

然后我们可以来分析抓到的包，下载MASTER机器上的/tmp/keepalived.pacp文件,并用wireshark打开，如下图：

图中，黄框框起来的time列可以看到，正常是每秒发送一条vrrp消息，在第14秒时，停掉了MASTER机器的keepalived，发生了浮动IP飘移，源地址也由192.168.100.101变为了192.168.100.102，这时浮动IP已经跑到了BACKUP机器上。
另外图下方的红框中，包内容部分还可以看到的信息和配置文件一致，

  	route id:51 			
      优先级：150 			
      认证：1111 			
      VIP：192.168.100.10

然后我们看源地址是MASTER的最后一个包：

需要注意的是这个包里的优先级由150变成了0，看后面的备注知道，这是正常停止时MASTER发出的最后一个包。
优先级：0（当前Master已经停止参与VRRP）

继续往下看，看切换到BACKUP时的第一个包

优先级为100，正是BACKUP机器，从这个包开始，BACKUP机器接管了浮动IP。

另外当一台机器获得VIP时，回发送ARP包，已告知其他机器VIP在这里。
这里简单的抓一下包看一下，当获得VIP时的ARP包。

[root@BACKUP ~]# tcpdump -i eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:00:15.324399 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:16.324499 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:16.665305 ARP, Request who-has 192.168.100.101 (00:0c:29:88:c3:ee (oui Unknown)) tell 192.168.100.1, length 46
15:00:16.666767 ARP, Reply 192.168.100.101 is-at 00:0c:29:88:c3:ee (oui Unknown), length 46
15:00:17.085544 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:17.085713 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:17.085847 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:17.085946 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:17.086043 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:17.383674 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:18.383623 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:19.384611 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:20.438910 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:21.438653 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:21.665534 ARP, Request who-has 192.168.100.2 tell 192.168.100.102, length 28
15:00:21.665966 ARP, Reply 192.168.100.2 is-at 00:50:56:e8:5d:63 (oui Unknown), length 46
15:00:22.087648 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:22.087854 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:22.087958 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:22.088056 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:22.088148 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28
15:00:22.438731 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:23.493692 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46
15:00:24.493780 ARP, Request who-has 192.168.100.103 tell 192.168.100.101, length 46

因为网络中每时每刻都有ARP报文，部分信息可以忽略，看下面这一行
15:00:22.087648 ARP, Request who-has 192.168.100.10 (Broadcast) tell 192.168.100.10, length 28

这和日志中的记录相对应

看到这里我们可以知道keepalived是怎么工作的，通过vrrp协议做主备之间的心跳，当发生切换备获得浮动IP时，发送ARP包告诉其他机器现在VIP对应的mac地址已经变成了备机的网卡的mac地址。这时如果有新的机器要和VIP通信时，找到的就是备机，从而实现的高可用。