A note for myself.
Searched around and found nothing like what I wanted.
Which versions support running as non-root
To be precise, official support for running as a non-root user only arrived in v2.2.5.
How to install
Create a user
Create a user named keepalived to run keepalived as:
useradd keepalived
Get the source and build keepalived
This time I built v2.2.7 directly; after downloading the source, run the following (if the openssl development library is missing, install it first):
./configure   # checks whether the openssl development library is installed
make -j16
cp bin/keepalived /usr/local/bin/
chown keepalived:keepalived /usr/local/bin/keepalived
Prepare the configuration file
keepalived.service points at /etc/keepalived/keepalived.conf, so change its ownership:
chown keepalived:keepalived /etc/keepalived/keepalived.conf
Configuration file keepalived.conf
Use the simplest workable configuration, non-preemptive.
Both machines start as BACKUP; whichever starts first becomes master.
If A starts first, A becomes master. When A goes down, B becomes master. When A comes back up, B stays master: the VIP is neither preempted nor moved.
vrrp_instance VI_1 {
    state BACKUP                   # role
    interface ens33                # NIC name
    virtual_router_id 50           # must be the same on every node of one virtual router
    nopreempt                      # non-preemptive
    #priority 6                    # priority; the higher, the more likely to become master
    advert_int 3                   # heartbeat interval
    unicast_src_ip 192.168.3.119   # this machine's IP
    unicast_peer {
        192.168.3.163              # the other machine's IP
    }
    authentication {               # password for traffic within the group
        auth_type PASS
        auth_pass 1111qwer
    }
    virtual_ipaddress {            # VIP exposed to clients
        192.168.3.11               #dev ens33 label ens33:0
    }
}
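The two nodes of this pair have to agree with each other (same virtual_router_id, same VIP, each listing the other as its unicast peer) and both have to start as BACKUP with nopreempt for the behaviour described above to hold. The following checker is an added example, not code from the post or from keepalived: it parses keepalived's brace syntax and compares two node configs, and it also checks the mode of the config file, since keepalived.conf carries auth_pass (which with auth_type PASS travels in cleartext anyway and is truncated to 8 characters by keepalived, so it identifies peers rather than protecting anything). The node configs are constructed from the shape of the config above, reusing only its IPs, VRID and password; the function names and the 0640 recommendation are mine.

```python
# Added example, not code from the post: consistency checks for a two-node,
# non-preempting keepalived VRRP unicast pair. The node configs are constructed
# from the shape of the config above, reusing only its IPs, VRID and auth_pass.
import os
import re
import tempfile


def parse_conf(text):
    """keepalived brace syntax -> nested dicts. '#' and '!' start comments; block headers
    keep their arguments ("vrrp_instance VI_1"); bare words (nopreempt, an IP) map to True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = re.split(r"[#!]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][" ".join(line[:-1].split())] = block
            stack.append(block)
        else:
            key, _, val = line.partition(" ")
            stack[-1][key] = val.strip() or True
    return root

def check_pair(conf_a, conf_b):
    """Return findings for nodes A and B; an empty list means the pair is consistent."""
    def inst(c):
        return {k.split()[1]: v for k, v in c.items() if k.startswith("vrrp_instance ")}
    ia, ib = inst(conf_a), inst(conf_b)
    findings = []
    for name in sorted(set(ia) | set(ib)):
        a, b = ia.get(name), ib.get(name)
        if a is None or b is None:
            findings.append(f"{name}: instance defined on only one node")
            continue
        for side, i in (("A", a), ("B", b)):
            # keepalived only honours nopreempt on an instance that starts as BACKUP
            if i.get("state") != "BACKUP":
                findings.append(f"{name}/{side}: state must be BACKUP for nopreempt to apply")
            if "nopreempt" not in i:
                findings.append(f"{name}/{side}: nopreempt missing, the VIP moves back when this node restarts")
            # auth_type PASS travels in cleartext and keepalived truncates auth_pass to 8 chars
            pw = i.get("authentication", {}).get("auth_pass", "")
            if isinstance(pw, str) and len(pw) > 8:
                findings.append(f"{name}/{side}: auth_pass longer than 8 characters is truncated by keepalived")
        for key in ("virtual_router_id", "advert_int"):
            if a.get(key) != b.get(key):
                findings.append(f"{name}: {key} differs between nodes")
        if set(a.get("virtual_ipaddress", {})) != set(b.get("virtual_ipaddress", {})):
            findings.append(f"{name}: virtual_ipaddress differs between nodes")
        # unicast VRRP: each node must list the other's unicast_src_ip under unicast_peer
        for x, y, lbl in ((a, b, "B"), (b, a, "A")):
            if x.get("unicast_src_ip") not in y.get("unicast_peer", {}):
                findings.append(f"{name}: node {lbl}'s unicast_peer does not list the other node")
    return findings

def conf_mode_finding(path):
    """keepalived.conf holds auth_pass, so it must not be readable by other local users."""
    mode = os.stat(path).st_mode & 0o777
    return f"{path}: mode {mode:04o} is world-accessible; use 0640 owned by keepalived" if mode & 0o007 else None

def demo_mode_check():
    """Scratch file: the check must flag 0644 and accept 0640."""
    fd, path = tempfile.mkstemp(prefix="keepalived-demo-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        flagged = conf_mode_finding(path) is not None
        os.chmod(path, 0o640)
        accepted = conf_mode_finding(path) is None
    finally:
        os.unlink(path)
    return flagged, accepted

def node_conf(src, peer, state="BACKUP", vrid=50, nopreempt=True, pw="1111qwer"):
    # constructed per-node config in the shape of the one above
    return f"""
vrrp_instance VI_1 {{
    state {state}
    interface ens33
    virtual_router_id {vrid}
    {'nopreempt' if nopreempt else ''}
    advert_int 3
    unicast_src_ip {src}
    unicast_peer {{
        {peer}
    }}
    authentication {{
        auth_type PASS
        auth_pass {pw}
    }}
    virtual_ipaddress {{
        192.168.3.11
    }}
}}
"""

CONF_A = node_conf("192.168.3.119", "192.168.3.163")
CONF_B = node_conf("192.168.3.163", "192.168.3.119")
# deliberately inconsistent second node: wrong role, no nopreempt, other VRID, over-long password
CONF_B_BAD = node_conf("192.168.3.163", "192.168.3.119", state="MASTER", vrid=51, nopreempt=False, pw="longpassword1")
if __name__ == "__main__":
    print("good pair:", check_pair(parse_conf(CONF_A), parse_conf(CONF_B)) or "consistent")
    print("bad pair:", *check_pair(parse_conf(CONF_A), parse_conf(CONF_B_BAD)), sep="\n  ")
    print("mode check (flag 0644, accept 0640):", demo_mode_check())
```

Feed it the real files from both machines (parse_conf(open(path).read()) for each, then check_pair) after editing one side; a clean run means the two nodes describe the same virtual router from opposite ends.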
Service file keepalived.service
The contents of this file matter; if you don't know how to change it, leave it exactly as it is!
# This systemd service file allows keepalived to be run as a non-root user.
# To use this, edit the permissions according to your needs, and install the
# file in /usr/lib/systemd/system as keepalived.service
[Unit]
Description=LVS and VRRP High Availability Monitor
After=network-online.target syslog.target
Requires=network-online.target
# Wants=
Documentation=man:keepalived(8)
Documentation=man:keepalived.conf(5)
Documentation=man:genhash(1)
Documentation=https://keepalived.org
[Service]
Type=forking
NotifyAccess=all
# CAP_CHOWN needed if using FIFOs and specify the owner/group
AmbientCapabilities=CAP_CHOWN
# CAP_KILL needed if running notify scripts, FIFO scripts, or using track_scripts, CHECK_MISC or startup/shutdown scripts
AmbientCapabilities=CAP_KILL
# CAP_NET_ADMIN is needed for VRRP, IPVS
AmbientCapabilities=CAP_NET_ADMIN
# CAP_NET_BIND_SERVICE needed for VRRP
AmbientCapabilities=CAP_NET_BIND_SERVICE
# CAP_NET_RAW needed for VRRP and IPVS if not using netlink (unlikely)
AmbientCapabilities=CAP_NET_RAW
# CAP_SETUID and CAP_SETGID needed if running any scripts and user keepalived_script exists or the user/group of any script is specified
AmbientCapabilities=CAP_SETUID
AmbientCapabilities=CAP_SETGID
# CAP_SYS_MODULE needed to load ip_vs module (IPVS) and xt_set (VRRP with iptables)
# Alternatively add a file in /usr/lib/modules-load.d with ip_vs and xt_set and
# don't enable CAP_SYS_MODULE, and set ProtectKernelModules=yes
AmbientCapabilities=CAP_SYS_MODULE
# CAP_SYS_NICE needed for keepalived to set its nice priority. If in use, also remove LimitNICE=0
AmbientCapabilities=CAP_SYS_NICE
# CAP_SYS_RESOURCE needed for keepalived to adjust its realtime priority, or to increase the number of sockets (files) or corefile size.
# If not allowing realtime scheduling, and LimitNOFILE and LimitCORE are specified below
AmbientCapabilities=CAP_SYS_RESOURCE
# Each capability allowed in AmbientCapabilities needs to have a corresponding CapabilityBoundingSet=CAP_... below
CapabilityBoundingSet=CAP_CHOWN
CapabilityBoundingSet=CAP_KILL
CapabilityBoundingSet=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_RAW
CapabilityBoundingSet=CAP_SETUID
CapabilityBoundingSet=CAP_SETGID
CapabilityBoundingSet=CAP_SYS_MODULE
CapabilityBoundingSet=CAP_SYS_NICE
CapabilityBoundingSet=CAP_SYS_RESOURCE
# Enable the following to make keepalived run with realtime scheduling
# CPUScheduling=rr
DeviceAllow=/dev/null
DevicePolicy=strict
# Edit the following line if needed - for Ubuntu it should be -@sysconfdir/default/%N
# EnvironmentFile=-/usr/local/etc/sysconfig/%N
# ExecReload=/bin/kill -HUP $MAINPID
RuntimeDirectory=keepalived
ExecStart=/usr/local/bin/keepalived -f /etc/keepalived/keepalived.conf --pid=/var/run/keepalived/keepalived.pid --vrrp_pid=/var/run/keepalived/vrrp.pid --checkers_pid=/var/run/keepalived/keepalived_checkers.pid
IOSchedulingClass=realtime
KillMode=process
KillSignal=SIGTERM
# Set the following if not allowing CAP_SYS_RESOURCE
# LimitCORE=infinity
LimitMEMLOCK=infinity
# Add LimitNICE=0 if using realtime scheduling or to stop keepalived increasing its priority
# LimitNICE=0
# Set the following if not allowing CAP_SYS_RESOURCE
# LimitNOFILE=500000
NoNewPrivileges=yes
OOMScoreAdjust=-500
PrivateTmp=yes
#ProtectHome=read-only   # Note: in my testing, enabling this breaks notify script invocation
Restart=always
RestartSec=5
# AF_INET if using any IPv4, AF_INET6 if using any IPv6. AF_NETLINK for VRRP and IPVS. AF_PACKET for VRRP. AF_UNIX always needed.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_UNIX AF_PACKET
SystemCallArchitectures=native
UMask=0007
User=keepalived
Group=keepalived
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target
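The unit's own comments state the rule that makes the capability grants work: every AmbientCapabilities= entry needs a matching CapabilityBoundingSet= entry, and CAP_SYS_MODULE can be avoided by preloading ip_vs/xt_set from modules-load.d and setting ProtectKernelModules=yes. The checker below is an added example, not part of the post or of keepalived's own unit: it reads the [Service] section the way systemd merges repeated assignments, applies that rule, confirms User= and NoNewPrivileges=yes, and flags CAP_SYS_MODULE and repeated address families. Run against the unit above it would report CAP_SYS_MODULE and the AF_UNIX listed twice in RestrictAddressFamilies (both worth tidying, neither a failure). The sample units are constructed subsets; the function names are mine, and the "~" inverted form of CapabilityBoundingSet= is not handled.

```python
# Added example, not from the post or from keepalived: audit a systemd unit that
# runs keepalived as a non-root user. Sample units below are constructed subsets.


def parse_unit(text):
    """{section: [(key, value), ...]} keeping order and repeats, because systemd merges
    repeated AmbientCapabilities= / CapabilityBoundingSet= lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def values(section, key):
    return [v for k, v in section if k == key]


def cap_set(section, key):
    """Accumulate a capability list the way systemd does: an empty assignment resets it."""
    caps = set()
    for v in values(section, key):
        if v == "":
            caps.clear()
        else:
            caps.update(v.split())
    return caps


def audit_unit(text):
    svc = parse_unit(text).get("Service", [])
    findings = []
    ambient = cap_set(svc, "AmbientCapabilities")
    bounding = cap_set(svc, "CapabilityBoundingSet")
    # the unit's own rule: each ambient capability needs a bounding-set entry
    missing = sorted(ambient - bounding)
    if missing:
        findings.append("AmbientCapabilities without CapabilityBoundingSet: " + " ".join(missing))
    user = values(svc, "User")
    if not user or user[-1] == "root":
        findings.append("User= is missing or root")
    nnp = values(svc, "NoNewPrivileges")
    if not nnp or nnp[-1].lower() not in ("yes", "true", "on", "1"):
        findings.append("NoNewPrivileges=yes is not set")
    if "CAP_SYS_MODULE" in ambient:
        findings.append("CAP_SYS_MODULE granted; preload ip_vs/xt_set via modules-load.d and set ProtectKernelModules=yes instead")
    fams = [f for v in values(svc, "RestrictAddressFamilies") for f in v.split()]
    dupes = sorted({f for f in fams if fams.count(f) > 1})
    if dupes:
        findings.append("RestrictAddressFamilies repeats: " + " ".join(dupes))
    return findings


# constructed: the minimal consistent shape
UNIT_OK = """
[Service]
Type=forking
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=yes
ProtectKernelModules=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET
User=keepalived
Group=keepalived
"""

# constructed: bounding set forgets CAP_SYS_NICE, CAP_SYS_MODULE stays ambient, AF_UNIX twice
UNIT_BAD = """
[Service]
AmbientCapabilities=CAP_NET_ADMIN
AmbientCapabilities=CAP_SYS_MODULE
AmbientCapabilities=CAP_SYS_NICE
CapabilityBoundingSet=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_SYS_MODULE
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_NETLINK AF_UNIX AF_PACKET
User=keepalived
"""

if __name__ == "__main__":
    print("ok unit:", audit_unit(UNIT_OK) or "no findings")
    for f in audit_unit(UNIT_BAD):
        print("bad unit:", f)
```

To audit the installed unit, pass the file contents: audit_unit(open("/usr/lib/systemd/system/keepalived.service").read()).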
Start on boot
systemctl enable keepalived
systemctl start keepalived