文章目录
一、Keepalived是什么?
Keepalived 是一个用于 Linux 系统的高可用性(High Availability, HA)软件,主要用于提供服务器故障转移功能。它常用于负载均衡器(如 LVS)和路由器之间,以确保某一节点故障时能够自动切换到备用节点。作用是维护服务器集群的高可用性,通过 VRRP(虚拟路由冗余协议)来实现主备切换。应用在高可用性集群中使用,以确保服务的持续可用性。
Keepalive配置文件语法:
#全局配置
! Configuration File for keepalived
global_defs {
notification_email {
#分写多个
zhangsan@163.com
}
重名不影响
test@qq.com #keepalived 发生故障切换时邮件发送的目标邮箱,可以按行区
notification_email_from test@KA1.org #发邮件的地址
smtp_server 127.0.0.1 #邮件服务器地址
smtp_connect_timeout 30 #邮件服务器连接timeout
router_id KA1.timinglee.org #每个keepalived主机唯一标识
#建议使用当前主机名,但多节点
vrrp_skip_check_adv_addr #对所有通告报文都检查,会比较消耗性能
#启用此配置后,如果收到的通告报文和上一个报文是同一 #个路由器,则跳过检查,默认值为全检查
vrrp_strict #严格遵循vrrp协议
#启用此项后以下状况将无法启动服务:
#1.无VIP地址
#2.配置了单播邻居
#3.在VRRP版本2中有IPv6地址
#4.无法设置抢占延迟模式
#建议不加此项配置
vrrp_garp_interval 0 #报文发送延迟,0表示不延迟
vrrp_gna_interval 0 #消息发送延迟
vrrp_mcast_group4 224.0.0.18 #指定组播IP地址范围:
}
# 配置虚拟路由器
vrrp_instance VI_1 {
state MASTER
interface eth0 #绑定为当前虚拟路由器使用的物理接口,如:eth0,可以和VIP不在一
个网卡
virtual_router_id 51 #每个虚拟路由器惟一标识,范围:0-255,每个虚拟路由器此值必须唯一
#否则服务无法启动
#同属一个虚拟路由器的多个keepalived节点必须相同
#务必要确认在同一网络中此值必须唯一
priority 100 #当前物理节点在此虚拟路由器的优先级,范围:1-254
#值越大优先级越高,每个keepalived主机节点此值不同
advert_int 1 #vrrp通告的时间间隔,默认1s
authentication { #认证机制
auth_type AH|PASS #AH为IPSEC认证(不推荐),PASS为简单密码(建议使用)
uth_pass 1111 #预共享密钥,仅前8位有效
#同一个虚拟路由器的多个keepalived节点必须一样
}
virtual_ipaddress { #虚拟IP,生产环境可能指定上百个IP地址
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
172.25.254.100 #指定VIP,不指定网卡,默认为eth0,注意:不指定/prefix,默认32
172.25.254.101/24 dev eth1
172.25.254.102/24 dev eth2 label eth2:1
}
}
二、Keepalive实践
(一)、Keepalive部署
环境准备:
RHEL7.9 主机5台 处于同一网络(10.211.55.0/24) Client、HA1、HA2、RS1、RS2的IP依次为10–50
关闭防火墙、SELinux、各主机时间同步
1.下载软件包
[root@KA1 ~]# yum install keepalived -y
#软件包名:keepalived
#主程序文件:/usr/sbin/keepalived
#主配置文件:/etc/keepalived/keepalived.conf
2.修改配置文件
! Configuration File for keepalived
global_defs {
notification_email {
test@qq.com #一般设为自己的邮件地址即可,这里只是测试
}
notification_email_from keepalived@ka.org
smtp_server 127.0.0.1 #邮件服务器的server为本机
smtp_connect_timeout 30
router_id KA1 #一般设为主机名即可
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18 #设置默认组播地址
}
vrrp_instance VI_1 {
state MASTER #设为MASTER 主
interface eth0
virtual_router_id 100 #VR-ID 如果设置主备需要一致
priority 100 #优先级
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
#添加虚拟IP(VIP)
virtual_ipaddress {
10.211.55.100/24 dev eth0 lable eth0:1
}
}
...
#启动服务
[root@KA1 ~]# systemctl enable --now keepalived.service
KA2上一样操作
vrrp_instance VI_1 {
state BACKUP #工作状态为BACKUP 备
interface eth0
virtual_router_id 100 #router——ID不变
priority 80 #优先级设置为80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
3.测试keepalive状态
[root@ka1 ~]# tcpdump -i eth0 -nn host 224.0.0.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:55:10.787443 IP 10.211.55.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
11:55:11.788585 IP 10.211.55.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
11:55:12.799023 IP 10.211.55.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
10:58:23.647748 IP 10.211.55.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 20
#关闭KA1上的keepalive服务,自动切换到KA2
10:58:24.096049 IP 10.211.55.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 0, authtype none, intvl 1s, length 20
10:58:24.790525 IP 10.211.55.30 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype none, intvl 1s, length 20
10:58:41.912846 IP 10.211.55.30 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 80, authtype none, intvl 1s, length 20
#再启动KA1服务 ,KA1到优先级高,所以VIP又到了KA1手上
10:58:42.177287 IP 10.211.55.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 20
(二)、开启Keepalive 日志功能
1.编辑Keepalive的Unit File的环境配置文件:/etc/sysconfig/keepalived
[root@ka1 ~]# vim /etc/sysconfig/keepalived
KEEPALIVED_OPTIONS="-D -S 6"
2.在rsyslog配置文件中添加一行日志记录
[root@ka1 ~]# vim /etc/rsyslog.conf
local6.* /var/log/keepalived.log
#重启rsyslog 再重启keepalived
3.查看keepalive日志
[root@ka1 ~]# cat /var/log/keepalived.log
Aug 14 12:10:55 ka1 Keepalived[3862]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Aug 14 12:10:55 ka1 Keepalived[3862]: Opening file '/etc/keepalived/keepalived.conf'.
Aug 14 12:10:55 ka1 Keepalived[3863]: Starting Healthcheck child process, pid=3864
Aug 14 12:10:55 ka1 Keepalived[3863]: Starting VRRP child process, pid=3865
...
(三)、配置独立子配置文件
为了方便不同功能配置文件的管理,可以采用子配置文件的方式
1.创建子配置文件目录
[root@KA1 ~]# mkdir /etc/keepalived/conf.d
#文件命名只需要以.conf结尾就行了
2.在主配置文件中包含子配置文件目录下的所有.conf结尾的文件
include "/etc/keepalived/conf.d/*.conf"
(四)、Keepalive 的VIP策略模式
1.抢占模式(默认)
keepalive默认采取这分钟模式,无需加入更多配置
2.非抢占模式(nopreempt)
通俗的话来讲:没有MASTER、忽略优先级、谁不坏就一直用谁
KA1、KA2均需要设置为BACKUP工作模式
vrrp_instance VI_1 {
state BACKUP #备
interface eth0
virtual_router_id 100
priority 100
advert_int 1
nopreempt #非抢占模式
...
}
**实验现象:**KA1配置玩重启,VIP到KA2上,KA2配置完,VIP到KA1上; KA1停止keepalive,KA2拿到,再次KA1启动后,仍然在KA2上
3.延迟抢占模式(preempt_delay)
同样两台都为BACKUP 、 且在全局设置里关闭vrrp_strict
在默认抢占到基础上设定一定时间后再抢占.
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
preempt_delay 10s #延迟抢占模式 延迟时间为10s
...
}
实验现象: KA1 优先级高 默认VIP在KA1,然后停掉KA1,VIP到KA2,再次启动KA1,等待10秒后,KA1拿到VIP
(五)、单播模式
vrrp_strict需要注释掉
#KA1、KA2在vrrp_instance VI_1{内添加}
unicast_src_ip 10.211.55.20
unicast_peer { 10.211.55.30 }
测试结果
[root@KA1 ~]# tcpdump -i eth0 -nn src host 10.211.55.20 and dst 10.211.55.30
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:47:10.271886 IP 10.211.55.20 > 10.211.55.30: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
14:47:11.277146 IP 10.211.55.20 > 10.211.55.30: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20
#关闭KA1 把VIP给KA2
[root@KA1 ~]# systemctl stop keepalived.service
[root@KA2 ~]# tcpdump -i eth0 -nn src host 10.211.55.30 and dst 10.211.55.20
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:50:58.037330 IP 10.211.55.30 > 10.211.55.20: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
14:50:59.042998 IP 10.211.55.30 > 10.211.55.20: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
14:51:00.045127 IP 10.211.55.30 > 10.211.55.20: VRRPv2, Advertisement, vrid 100, prio 80, authtype simple, intvl 1s, length 20
14:51:00.046893 ARP, Request who-has 10.211.55.20 tell 10.211.55.30, length 28
(六)、开启Keepalive邮件通知
1.在自己的邮箱开启smtp服务,并获取授权码. (这里以QQ邮箱为例子)
2.拿到授权码后即可通过SMTP服务器登陆QQ邮箱📮
#下载mailx邮件客户端
[root@ka1 ~]# yum install mailx -y
3.添加SMTP配置
[root@ka1 ~]# vim /etc/mail.rc #最后添加
set from=12345678@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=12345678@qq.com
set smtp-auth-password=wwxxxxxxxxxcabd
set smtp-auth=login
set ssl-verify=ignore
4.编写邮件发送脚本
#!/bin/bash
mail_dest="12345678@qq.com"
mail_send()
{
mail_subj="$HOSTNAME to be $1 VIP 转移 "
mail_mess="`date +%F\ %T` : VRRP 转移,$HOSTNAME 变为 $1 "
echo "$mail_mess" | mail -s "$mail_subj" $mail_dest
}
case $1 in
master)
mail_send master
;;
backup)
mail_send backup
;;
fault)
mail_send fault
;;
*)
exit 1
;;
esac
5.在keepalive配置文件中开启邮件通知
#KA1、KA2在vrrp_instance VI_1{内添加}
notify_master "/etc/keepalived/mail.sh master"
notify_backup "/etc/keepalived/mail.sh backup"
notify_fault "/etc/keepalived/mail.sh fault"
#重启keepalive
6.测试
[root@ka1 ~]# killall keepalived
[root@ka1 ~]# systemctl start keepalived.service
[root@ka1 ~]# systemctl stop keepalived.service
#KA2也可以测试 起起停停
(七)、Keepalive+LVS(DR)
Virtual_Server配置:
virtual_server IP port { #VIP和PORT
delay_loop <INT> #检查后端服务器的时间间隔
lb_algo rr|wrr|lc|wlc|lblc|sh|dh #定义调度方法
lb_kind NAT|DR|TUN #集群的类型,注意要大写
persistence_timeout <INT> #持久连接时长
protocol TCP|UDP|SCTP #指定服务协议,一般为TCP
sorry_server <IPADDR> <PORT> #所有RS故障时,备用服务器地址
real_server <IPADDR> <PORT> { #RS的IP和PORT
weight <INT> #RS权重
notify_up <STRING>|<QUOTED-STRING> #RS上线通知脚本
notify_down <STRING>|<QUOTED-STRING> #RS下线通知脚本
HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK { ... } #定义当前主机健康状态检测方法
}
}
#注意:括号必须分行写,两个括号写在同一行,如: }} 会出错
应用层检测:
HTTP_GET|SSL_GET {
url {
path <URL_PATH> #定义要监控的URL
status_code <INT> #判断上述检测机制为健康状态的响应码,
一般为 200
}
connect_timeout <INTEGER> #客户端请求的超时时长, 相当于haproxy的timeout server
nb_get_retry <INT> #重试次数
delay_before_retry <INT> #重试之前的延迟时长
connect_ip <IP ADDRESS> #向当前RS哪个IP地址发起健康状态检测请求
connect_port <PORT> #向当前RS的哪个PORT发起健康状态检测请求
bindto <IP ADDRESS> #向当前RS发出健康状态检测请求时使用的源地址
bind_port <PORT> #向当前RS发出健康状态检测请求时使用的源端口
}
- RS1、 2 添加环回地址 10.211.55.100/32 、关闭ARP接收[ 临时 ]
ip a a 10.211.55.100/32 dev lo #添加环回IP
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
- KA1、KA2上在主配置文件添加虚拟主机规则
#加载末尾即可
virtual_server 10.211.55.100 80 {
delay_loop 6
lb_algo wrr #负载均衡算法 加权轮询
lb_kind DR #直连路由
protocol TCP #TCP协议
real_server 10.211.55.40 80{
weight 1 #权重
HTTP_GET { #HTTP访问模式
url {
path / #测试站点根目录
status_code 200 #如果状态码是200则表示RS1可用
}
connect_timeout 3
retry 2
delay_before_retry 2
}
}
real_server 10.211.55.50 80{
weight 1
HTTP_GET {
url {
path /
status_code 200
}
connect_timeout 3
retry 2
delay_before_retry 2
}
}
}
3.查看自动生成的LVS规则
[root@ka1 ~]# ipvsadm -C
[root@ka1 ~]# systemctl restart keepalived.service
[root@ka1 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.211.55.100:80 wrr
-> 10.211.55.40:80 Route 1 0 0
-> 10.211.55.50:80 Route 1 0 0
4.客户端测试结果,KA1下线依然访问不断,无感转移到KA2
[root@client ~]# for i in {1..10};do curl 10.211.55.100 ;done
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
(八) 、 HAProxy+Keepalive
自定义VRRP脚本
vrrp_script <SCRIPT_NAME> { #定义一个检测脚本,在global_defs 之外配置
script <STRING>|<QUOTED-STRING> #shell命令或脚本路径
interval <INTEGER> #间隔时间,单位为秒,默认1秒
timeout <INTEGER> #超时时间
weight <INTEGER:-254..254> #默认为0,如果设置此值为负数,
#当上面脚本返回值为非0时
#会将此值与本节点权重相加可以降低本节点权重,
#即表示fall.
#如果是正数,当脚本返回值为0,
#会将此值与本节点权重相加可以提高本节点权重
#即表示 rise.通常使用负值
fall <INTEGER> #执行脚本连续几次都失败,则转换为失败,建议设为2以上
rise <INTEGER> #执行脚本连续几次都成功,把服务器从失败标记为成功
user USERNAME [GROUPNAME] #执行监测脚本的用户或组
init_fail #设置默认标记为失败状态,监测成功之后再转换为成功状态
}
调用
vrrp_instance test {]
...
track_script { <SCRIPT_NAME> }
}
1.开启允许非本地IP
[root@ka1 ~]# vim /etc/sysctl.conf
#添加一行: net.ipv4.ip_nonlocal_bind = 1
[root@ka1 ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
2.配置haproxy
[root@ka1 ~]# vim /etc/haproxy/haproxy.cfg
#最后添加
listen webclst
bind 10.211.55.100:80
mode http
balance roundrobin
server web1 10.211.55.40:80 check inter 2 fall 2 rise 2
server web1 10.211.55.50:80 check inter 2 fall 2 rise 2
[root@ka1 ~]# systemctl restart haproxy.service
3.创建检测haproxy存活脚本
[root@KA1 ~]# vim /etc/keepalived/test.sh
#!/bin/bash
/usr/bin/killall -0 haproxy #通过killall -0 确认进程是否存在
4.配置Keepalive
...
vrrp_mcast_group4 224.0.0.18
}
vrrp_script check_haproxy {
script "/etc/keepalived/test.sh"
interval 1
weight -30
fall 2
rise 2
timeout 2
}
vrrp_instance VI_1 {
state MASTER
...
track_script{
check_haproxy
}
}
5.测试 中间停掉KA1,客户端访问是无感的
[root@client ~]# while true ; do curl 10.211.55.100 ; sleep 0.75 ;done
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
[root@ka1 ~]# systemctl stop keepalived.service
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
[root@ka1 ~]# systemctl restart keepalived.service
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
Welcome to RS2 10.211.55.50
Welcome to RS1 10.211.55.40
^C
(九)、Keepalive双主架构
master/slave的单主架构,同一时间只有一个Keepalived对外提供服务,此主机繁忙,而另一台主机却
很空闲,利用率低下,可以使用master/master的双主架构,解决此问题。
master/master 的双主架构:
即将两个或以上VIP分别运行在不同的keepalived服务器,以实现服务器并行提供web访问的目的,提高
服务器资源利用率
#在主配置文件添加一个新的即可 设置为BACKUP
vrrp_instance VI_2 {
state BACKUP
interface eth0
virtual_router_id 200
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.211.55.200/24 dev eth0 lable eth0:2
}
}
#重启服务器
#查看VIP开启情况
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:1c:42:19:13:a1 brd ff:ff:ff:ff:ff:ff
inet 10.211.55.20/24 brd 10.211.55.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 10.211.55.100/24 scope global secondary eth0
valid_lft forever preferred_lft forever
inet 10.211.55.200/24 scope global secondary eth0
1440
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
