本文使用的镜像及环境:
haproxytech/haproxy-debian:2.3
osixia/keepalived:2.0.20
Kernel:5.4.158-1.el7.elrepo.x86_64
System:CentOS Linux release 7.9.2009 (Core)
docker:20.10.10
这里不赘述docker部署过程及docker加速等。网上一堆百度就好
注意:拷贝配置文件时请将"#"及其后面的注释内容删掉
haproxy.cfg配置文件
# haproxy.cfg — TCP load balancer in front of the three kube-apiserver nodes.
# The container runs with --net=host, so "bind *:6443" and "bind *:8888" below
# listen on every host address, including the keepalived VIP 1.1.1.7.
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
# API server frontend: plain TCP pass-through, TLS stays end-to-end between
# the client and kube-apiserver (haproxy never sees the plaintext).
frontend kube-apiserver
mode tcp
bind *:6443
option tcplog
default_backend kube-apiserver
# Statistics page. "admin:123456" is a weak, well-known credential and the
# listener is bound on all interfaces: change the credentials and restrict the
# bind address (or firewall port 8888) before this host is reachable by others.
listen stats
mode http
bind *:8888
stats auth admin:123456
stats refresh 5s
stats realm HAProxy\ Statistics
stats uri /stats
log 127.0.0.1 local3 err
backend kube-apiserver # backend server group
mode tcp
balance roundrobin
# "check" enables health checks; haproxy stops routing to a master whose check fails.
server kubernetesmaster1 1.1.1.2:6443 check
server kubernetesmaster2 1.1.1.3:6443 check
server kubernetesmaster3 1.1.1.4:6443 check
启动haproxy
# Start haproxy on the host network: the cfg binds *:6443 and *:8888 directly on
# the host (and therefore on the VIP once keepalived assigns it). Both mounts are
# :ro so the container cannot alter the host's configuration. Replace /xxxx with
# the real directory holding haproxy.cfg.
docker run -d --name k8s-haproxy \
--net=host \
--restart=always \
-v /xxxx/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \
-v /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro \
haproxytech/haproxy-debian:2.3
keepalived.conf配置文件
! Configuration File for keepalived
! Runs in the osixia/keepalived container with --net=host and NET_ADMIN/NET_RAW,
! so "interface", "virtual_ipaddress" and the tracking script all act on the host.
global_defs {
router_id LVS_2
script_user root # user that runs vrrp_script scripts
enable_script_security # refuse to run scripts whose path is writable by non-root users
}
! Health check for haproxy: runs check-haproxy.sh every 2 s; while it fails,
! this node's priority is lowered by 30 so a healthy BACKUP can take the VIP.
vrrp_script checkhaproxy
{
script "/usr/bin/check-haproxy.sh" # path INSIDE the container (the -v mount target), not the host path
interval 2
weight -30
}
vrrp_instance VI_1 {
state MASTER # on every other node set this to: BACKUP
interface ens192
virtual_router_id 51
priority 100
advert_int 1
virtual_ipaddress {
1.1.1.7/24 dev ens192
}
! VRRP "PASS" authentication sends the password in clear text on the LAN and only
! prevents accidental peering between clusters; "password" is a placeholder, use
! your own value and keep the VRRP segment isolated.
authentication {
auth_type PASS
auth_pass password
}
track_script {
checkhaproxy
}
}
启动keepalived
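# Start keepalived on the host network. NET_ADMIN/NET_BROADCAST/NET_RAW are the
# capabilities VRRP needs to advertise and to move the VIP; no --privileged.
# --copy-service tells the osixia image to copy /container/service into its
# runtime directory at startup, which is why the bind-mounted keepalived.conf
# can be read-only. The check script is executed as root (script_user root)
# every 2 s, so it is mounted :ro as well: the container cannot modify what it
# will run. Replace /xxxx with the real directory; the script still needs the
# execute bit on the host (see the troubleshooting notes at the end).
docker run -d --name k8s-keepalived \
--restart=always \
--net=host \
--cap-add=NET_ADMIN --cap-add=NET_BROADCAST --cap-add=NET_RAW \
-v /xxxx/keepalived.conf:/container/service/keepalived/assets/keepalived.conf:ro \
-v /xxxx/check-haproxy.sh:/usr/bin/check-haproxy.sh:ro \
-v /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro \
osixia/keepalived:2.0.20 --copy-service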
check-haproxy.sh 脚本
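#!/bin/bash
# check-haproxy.sh — keepalived tracking script (see "vrrp_script checkhaproxy").
# Exit 0 when something is LISTENING on TCP port 6443 (the haproxy frontend),
# exit 1 otherwise so keepalived applies the configured weight penalty.
# The container runs with --net=host, so the host's sockets are visible here.
#
# Only listening sockets are inspected and the port is anchored with a
# trailing blank, so an outbound connection to a remote :6443, a PID or an
# address that merely contains "6443" no longer counts as a healthy haproxy.

port=6443

# Prefer ss (iproute2); fall back to netstat (net-tools) where ss is absent.
if command -v ss >/dev/null 2>&1; then
  listeners=$(ss -ltn 2>/dev/null)
else
  listeners=$(netstat -ltn 2>/dev/null)
fi

# Match "…:6443 " in the local-address column; -q gives the exit status directly.
if printf '%s\n' "$listeners" | grep -Eq -- ":${port}[[:space:]]"; then
  exit 0
else
  exit 1
fi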
测试是否部署成功,有返回结果就没问题
[root@haproxykeepalived1 ]$curl https://1.1.1.7:6443 -k
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
遇到的问题:
- keepalived 2.3版本需要内核4.19.36版本,所以我直接升级到5.4版本
" WARNING - keepalived was build for newer Linux 4.19.36, running on Linux 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020"
内核升级参考:https://blog.csdn.net/qq_39698849/article/details/121230128
- 侦测haproxy脚本无法执行,其实执行路径应该写容器里的路径,我写错了。并且脚本要配置744权限和执行用户
WARNING - default user 'keepalived_script' for script execution does not exist - please create.
Script /home/haproxy/sbin/check-haproxy.sh cannot be accessed - No such file or directory