高可用组件keepalived 如何以非root方式运行

ww_250

已于 2023-05-09 21:46:03 修改

阅读量1.1k

点赞数 1

文章标签： keepalived 非抢占

于 2023-04-16 16:59:52 首次发布

本文链接：https://blog.csdn.net/qq_15328161/article/details/130183713

版权

做个笔记

搜了一圈，没有想要的

什么版本支持非root运行

准确的说，从v2.2.5开始，官方才开始正式支持以非root运行。

如何安装

新建用户

新建用户keepalived，用于运行keepalived

useradd keepalived

获取源码编译keepalived

本次直接拿的v2.2.7版本编译的，下载源码后直接（如果没有openssl的开发库，需要安装）：

./configure #会检查openssl开发库有没有安装
make -j16
cp bin/keepalived /usr/local/bin/
chown keepalived:keepalived /usr/local/bin/keepalived

准备配置文件

keepalived.service中配置目录是/etc/keepalived/keepalived.conf，修改权限

chown keepalived:keepalived /etc/keepalived/keepalived.conf

配置文件keepalived.conf

使用最简单的可用配置，非抢占式。
2台机器都以BACKUP启动，谁先启动，谁是主。
A先启动，A变成主。A挂掉后，B变成主。A再次启动，B任然还是主。VIP不会发生抢占和漂移

vrrp_instance VI_1 {
    state BACKUP #角色
    interface ens33 #网卡名
    virtual_router_id 50 #在同一个虚拟路由里,id号必须相同
    nopreempt #非抢占
    #priority 6 #优先级,越高越可能是主
    advert_int 3 #心跳时间间隔

    unicast_src_ip 192.168.3.119 #本机ip
    unicast_peer {
	192.168.3.163 #另一台机器ip
    }
    authentication { #密码组内交流
        auth_type PASS
        auth_pass 1111qwer
    }
    virtual_ipaddress { #对外虚拟ip
        192.168.3.11 #dev ens33 label ens33:0
    }
}

服务文件keepalived.service

脚本内容很重要，如果你不知道如何修改，请保持原样！

# This systemd service file allows keepalived to be run as a non-root user.
#  To use this, edit the permissions according to your needs, and install the
#  file in /usr/lib/systemd/system as keepalived.service
[Unit]
Description=LVS and VRRP High Availability Monitor
After=network-online.target syslog.target
Requires=network-online.target
# Wants=
Documentation=man:keepalived(8)
Documentation=man:keepalived.conf(5)
Documentation=man:genhash(1)
Documentation=https://keepalived.org

[Service]
Type=forking
NotifyAccess=all
# CAP_CHOWN needed if using FIFOs and specify the owner/group
AmbientCapabilities=CAP_CHOWN
# CAP_KILL needed if running notify scripts, FIFO scripts, or using track_scripts, CHECK_MISC or startup/shutdown scripts
AmbientCapabilities=CAP_KILL
# CAP_NET_ADMIN is needed for VRRP, IPVS
AmbientCapabilities=CAP_NET_ADMIN
# CAP_NET_BIND_SERVICE needed for VRRP
AmbientCapabilities=CAP_NET_BIND_SERVICE
# CAP_NET_RAW needed for VRRP and IPVS if not using netlink (unlikely)
AmbientCapabilities=CAP_NET_RAW
# CAP_SETUID and CAP_SETGID needed if running any scripts and user keepalived_script exists or the user/group of any script is specified
AmbientCapabilities=CAP_SETUID
AmbientCapabilities=CAP_SETGID
# CAP_NET_MODULE needed to load ip_vs module (IPVS) and xt_set (VRRP with iptables)
# Alternatively add a file in /usr/lib/modules-load.d with ip_vs and xt_set and
#  don't enable CAP_NET_MODULE, at set ProtectKernelModules=yes
AmbientCapabilities=CAP_SYS_MODULE
# CAP_SYS_NICE needed for keepalived to set its nice priority. If in use, also remove LimitNICE=0
AmbientCapabilities=CAP_SYS_NICE
# CAP_SYS_RESOURCE needed for keepalived to adjust its realtime priority, or to increase the number of sockets (files) or corefile size.
# If not allowing realtime scheduling, and LimitNOFILE and LimitCORE are specified below
AmbientCapabilities=CAP_SYS_RESOURCE
# Each capability allowed in AmbientCapabilities needs to have a corresponding CapabilityBoundingSet=CAP_... below
CapabilityBoundingSet=CAP_CHOWN
CapabilityBoundingSet=CAP_KILL
CapabilityBoundingSet=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_RAW
CapabilityBoundingSet=CAP_SETUID
CapabilityBoundingSet=CAP_SETGID
CapabilityBoundingSet=CAP_SYS_MODULE
CapabilityBoundingSet=CAP_SYS_NICE
CapabilityBoundingSet=CAP_SYS_RESOURCE
# Enable the following to make keepalived run with realtime scheduling
# CPUScheduling=rr
DeviceAllow=/dev/null
DevicePolicy=strict
# Edit the following line if needed - for Ubuntu it should be -@sysconfdir/default/%N
# EnvironmentFile=-/usr/local/etc/sysconfig/%N
# ExecReload=/bin/kill -HUP $MAINPID
RuntimeDirectory=keepalived
ExecStart=/usr/local/bin/keepalived -f /etc/keepalived/keepalived.conf --pid=/var/run/keepalived/keepalived.pid --vrrp_pid=/var/run/keepalived/vrrp.pid --checkers_pid=/var/run/keepalived/keepalived_checkers.pid
IOSchedulingClass=realtime
KillMode=process
KillSignal=SIGTERM
# Set the following if not allowing CAP_SYS_RESOURCE
# LimitCORE=infinity
LimitMEMLOCK=infinity
# Add LimitNICE=0 if using realtime scheduling or to stop keepalived increasing its priority
# LimitNICE=0
# Set the following if not allowing CAP_SYS_RESOURCE
# LimitNOFILE=500000
NoNewPrivileges=yes
OOMScoreAdjust=-500
PrivateTmp=yes
#ProtectHome=read-only #注意，实测开启该项会导致 通知脚本调用失效
Restart=always
RestartSec=5
# AF_INET if using any IPv4, AF_INET6 if using any IPv6. AF_NETLINK for VRRP and IPVS. AF_PACKET for VRRP. AF_UNIX always needed.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_UNIX AF_PACKET
SystemCallArchitectures=native
UMask=0007
User=keepalived
Group=keepalived
TimeoutStopSec=30

[Install]
WantedBy=multi-user.target

开机启动

systemctl enable keepalived
systemctl start keepalived