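I. Introduction
Keepalived is a software implementation of the VRRP protocol, originally designed to make the ipvs service highly available.
Features
- Floats addresses between nodes using the VRRP protocol
- Generates ipvs rules (predefined in the configuration file) on the node that holds the VIP
- Performs health checks on each RS of the ipvs cluster
- Runs scripts through a script-invocation interface to carry out the actions they define and thereby influence cluster behavior, which is how services such as nginx and haproxy are supported
Components
- User-space core components
  - vrrp stack - VIP advertisements
  - checkers - monitor the real servers
  - system call - marks real server weights
  - SMTP - mail component
  - ipvs wrapper - generates IPVS rules
  - Netlink Reflector - network interface
  - WatchDog - process monitoring
- Control component: configuration file parser
- IO multiplexer
- Memory management component
Terminology
- Virtual router: Virtual Router
- Virtual router identifier: VRID (0-255), uniquely identifies a virtual router
- Physical router:
  - master: primary device
  - backup: standby device
- priority: the priority value
- VIP: Virtual IP
- VMAC: Virtual MAC (00-00-5e-00-01-VRID)
How it works
- Advertisements: heartbeat, priority and so on; sent periodically
- Election mode: preemptive or non-preemptive
- Security:
  - Authentication:
    - No authentication
    - Simple text authentication: pre-shared key
- Working modes:
  - Master/backup: a single virtual router
  - Master/master: master/backup (virtual router 1), backup/master (virtual router 2)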
II. Installation and usage
1. Installing with yum or apt
# yum install keepalived (CentOS)
# apt-get install keepalived (Ubuntu)
2. Building from source
2.1 Download and install
[[email protected] ~]# cd /usr/local/src/
# Download the source package
[[email protected] src]# wget https://keepalived.org/software/keepalived-2.0.20.tar.gz
[[email protected] src]# tar -xf keepalived-2.0.20.tar.gz
# Install the dependencies
[[email protected] keepalived-2.0.20]# yum install libnfnetlink-devel libnfnetlink ipvsadm libnl libnl-devel \
libnl3 libnl3-devel lm_sensors-libs net-snmp-agent-libs net-snmp-libs openssh-server openssh-clients openssl \
openssl-devel automake iproute
# Build and install
[[email protected] keepalived-2.0.20]# ./configure --prefix=/usr/local/keepalived --disable-fwmark
[[email protected] keepalived-2.0.20]# make && make install
2.2 Copy the configuration file
[[email protected] keepalived-2.0.20]# cp /usr/local/src/keepalived-2.0.20/bin/keepalived /usr/sbin/
[[email protected] keepalived-2.0.20]# mkdir /etc/keepalived
[[email protected] keepalived]# cp /usr/local/src/keepalived-2.0.20/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/
# Start
[[email protected] keepalived]# systemctl start keepalived
3. Program environment
- Main configuration file: /etc/keepalived/keepalived.conf
- Main program file: /usr/sbin/keepalived
- Unit File:
- /usr/lib/systemd/system/keepalived.service (CentOS)
- /lib/systemd/system/keepalived.service (Ubuntu)
- Environment file for the Unit File:
- /etc/sysconfig/keepalived
4. Configuration syntax
Configuring a virtual router
vrrp_instance <STRING> {
....
}
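Configuration parameters
- state MASTER|BACKUP: initial state of this node in this virtual router, either MASTER or BACKUP
- interface IFACE_NAME: physical interface bound to this virtual router, e.g. ens32, eth0, bond0, br0
- virtual_router_id VRID: unique identifier of this virtual router, range 0-255
- priority 100: priority of this physical node within this virtual router; range 1-254
- advert_int 1: interval between VRRP advertisements, default 1s
# Authentication
authentication {
auth_type AH|PASS
auth_pass <PASSWORD>   # only the first 8 characters are used
}
# Virtual IPs
virtual_ipaddress {
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
192.168.200.17/24 dev eth1
192.168.200.18/24 dev eth2 label eth2:1
}
# Network interfaces to monitor; if one fails, the node enters the FAULT state and the address moves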
track_interface {
eth0
eth1
…
}
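4. Examples
4.1 Multicast configuration
MASTER configuration
! Configuration File for keepalived
global_defs {
notification_email {
# recipients of the mail keepalived sends on failover; several can be listed, one per line
[email protected]
}
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ha1.example.com
# checking every packet costs performance; with this option, the source address check is skipped when a packet comes from the same router as the previous one
vrrp_skip_check_adv_addr
# strictly follow the VRRP protocol; not allowed: 1. no VIP address, 2. unicast peers configured, 3. IPv6 addresses in VRRP version 2
vrrp_strict
# send delay for ARP packets
vrrp_garp_interval 0
# send delay for messages
vrrp_gna_interval 0
# default multicast IP address; range 224.0.0.0 to 239.255.255.255
vrrp_mcast_group4 224.0.0.18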
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 80
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.110 dev eth0 label eth0:0
}
}
BACKUP configuration
! Configuration File for keepalived
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ha1.example.com
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.110 dev eth0 label eth0:0
}
}
Start and check
# Start
[[email protected] ~]# systemctl start keepalived
# Check the VIP
[[email protected] ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:0a:19:ae brd ff:ff:ff:ff:ff:ff
inet 10.10.100.106/24 brd 10.10.100.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 10.10.100.110/32 scope global eth0:0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe0a:19ae/64 scope link
valid_lft forever preferred_lft forever
[[email protected] ~]#
VIP test
4.2 Unicast configuration
# source IP for unicast
unicast_src_ip
# peer IP for unicast
unicast_peer {
<target host IP>
}
MASTER configuration
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ha1.example.com
vrrp_skip_check_adv_addr
# unicast requires this option to be disabled
# vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
vrrp_mcast_group4 224.0.0.18
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 80
priority 100
advert_int 1
# source IP for unicast
unicast_src_ip 10.10.100.106
# peer IP for unicast
unicast_peer {
10.10.100.107
}
BACKUP configuration
...
unicast_src_ip 10.10.100.107
unicast_peer {
10.10.100.106
}
...
Restart and check
[[email protected] ~]# systemctl restart keepalived
[[email protected] ~]# tcpdump -i eth0 -nn host 10.10.100.106 and host 10.10.100.107
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:29:10.177008 IP 10.10.100.106 > 10.10.100.107: VRRPv2, Advertisement, vrid 80, prio 100, authtype simple, intvl 1s, length 20
22:29:11.178314 IP 10.10.100.106 > 10.10.100.107: VRRPv2, Advertisement, vrid 80, prio 100, authtype simple, intvl 1s, length 20
22:29:12.179164 IP 10.10.100.106 > 10.10.100.107: VRRPv2, Advertisement, vrid 80, prio 100, authtype simple, intvl 1s, length 20
22:29:13.180201 IP 10.10.100.106 > 10.10.100.107: VRRPv2, Advertisement, vrid 80, prio 100, authtype simple, intvl 1s, length 20
22:29:14.181897 IP 10.10.100.106 > 10.10.100.107: VRRPv2, Advertisement, vrid 80, prio 100, authtype simple, intvl 1s, length 20
22:29:15.182902 IP 10.10.100.106 > 10.10.100.107: VRRPv2, Advertisement, vrid 80, prio 100, authtype simple, intvl 1s, length 20
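The "authtype simple" and "length 20" fields in the capture above follow from the VRRPv2 advertisement layout (RFC 2338): an 8-byte header, 4 bytes per VIP and an 8-byte authentication field carried in clear text, which is also why only 8 characters of auth_pass can matter. The following added example, not part of the original page, decodes a constructed advertisement that uses the page's VRID, priority, VIP and auth_pass; SAMPLE_ADVERT and the helper names are assumptions made for illustration.

```python
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "ah"}  # VRRPv2 auth type field (RFC 2338)

# Constructed VRRP payload (not captured traffic): vrid 80, prio 100, one VIP
# 10.10.100.110, auth type simple, interval 1s, password "1111" padded to 8 bytes.
SAMPLE_ADVERT = bytes.fromhex("21506401 0101a8d2 0a0a646e 31313131 00000000")

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(pkt: bytes) -> dict:
    """Decode a VRRPv2 advertisement and return its fields, auth data included."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, atype, intvl = struct.unpack("!BBBBBB", pkt[:6])
    if vt != 0x21:  # version 2 in the high nibble, type 1 (advertisement) in the low
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match the address count")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    vips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    # The last 8 bytes are the simple-text password, NUL padded, unencrypted
    auth = pkt[8 + 4 * count:].rstrip(b"\x00").decode("ascii", "replace")
    return {"vrid": vrid, "prio": prio, "vips": vips, "intvl": intvl,
            "auth_type": AUTH_TYPES.get(atype, str(atype)), "auth_data": auth}

if __name__ == "__main__":
    print(len(SAMPLE_ADVERT), parse_advert(SAMPLE_ADVERT))
```

Because every host that receives the advertisement can read this field, auth_type PASS separates clusters that share a segment by mistake; it does not authenticate a peer to anyone who can observe the traffic.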
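4.3 Non-preemptive mode
keepalived runs in preemptive mode by default; the nopreempt parameter turns VIP preemption off
- nopreempt # disables VIP preemption; requires state BACKUP on every keepalived server
# Node 1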
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 100
advert_int 1
nopreempt
...
# Node 2
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 90
advert_int 1
nopreempt
...
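# Restart and test: after the failed master node recovers, it does not take the VIP back
4.4 Preemption delay mode
- preempt_delay 60s # preemption delay mode, default delay 300s; requires state BACKUP on every keepalived server
# Node 1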
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 100
advert_int 1
preempt_delay 60s
# Node 2
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 90
advert_int 1
preempt_delay 60s
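The constraints stated in sections 4 to 4.4 (auth_pass is cut to 8 characters, unicast requires vrrp_strict to be off, nopreempt and preempt_delay require state BACKUP) can be checked before a configuration is deployed. The following is an added example, not code from the original page or from the keepalived project; the parse and lint helpers and the SAMPLE configuration are constructed for illustration.

```python
import re

def parse(conf):
    """Return [(header, [inner lines])] per top-level block; nested blocks are flattened."""
    blocks, depth = [], 0
    for raw in conf.splitlines():
        line = re.split(r"[#!]", raw, maxsplit=1)[0].strip()  # '#' and '!' start comments
        opens = line.endswith("{")
        line = line.rstrip("{ ").strip()
        if opens and depth == 0:
            blocks.append((line, []))
        elif line and line != "}" and depth:
            blocks[-1][1].append(line)
        depth += opens - (line == "}")
    return blocks

def lint(conf):
    """Check each vrrp_instance against the constraints stated on this page."""
    blocks = parse(conf)
    strict = any(h == "global_defs" and "vrrp_strict" in b for h, b in blocks)
    findings = []
    for header, body in blocks:
        if not header.startswith("vrrp_instance "):
            continue
        name = header.split()[1]
        kv = dict((l.split(None, 1) + [""])[:2] for l in body)
        if len(kv.get("auth_pass", "")) > 8:
            findings.append((name, "auth_pass: only the first 8 characters are used"))
        if kv.keys() & {"nopreempt", "preempt_delay"} and kv.get("state") != "BACKUP":
            findings.append((name, "nopreempt/preempt_delay requires state BACKUP"))
        if strict and "unicast_peer" in kv:
            findings.append((name, "unicast_peer requires vrrp_strict to be disabled"))
    return findings

# Constructed sample, deliberately violating all three constraints.
SAMPLE = """global_defs {
    vrrp_strict
}
vrrp_instance VI_1 {
    state MASTER
    nopreempt
    unicast_peer {
        10.10.100.107
    }
    authentication {
        auth_pass Sup3rS3cretPass
    }
}"""
if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```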
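4.5 Dual-master configuration
- Two or more VIPs run on different keepalived servers so that the servers serve web traffic in parallel, improving server resource utilization.
# Node 1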
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 100
advert_int 1
preempt_delay 60s
unicast_src_ip 10.10.100.106
unicast_peer {
10.10.100.107
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.110 dev eth0 label eth0:0
}
}
vrrp_instance VI_2 {
state BACKUP
interface eth0
virtual_router_id 81
priority 80
advert_int 1
unicast_src_ip 10.10.100.106
unicast_peer {
10.10.100.107
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.111 dev eth0 label eth0:0
}
}
# Node 2
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 90
advert_int 1
preempt_delay 60s
unicast_src_ip 10.10.100.107
unicast_peer {
10.10.100.106
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.110 dev eth0 label eth0:0
}
}
vrrp_instance VI_2 {
state MASTER
interface eth0
virtual_router_id 81
priority 100
advert_int 1
unicast_src_ip 10.10.100.107
unicast_peer {
10.10.100.106
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.111 dev eth0 label eth0:0
}
}
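Restart and check
Node 1 is the master for 10.10.100.110 and the backup for 10.10.100.111
Node 2 is the master for 10.10.100.111 and the backup for 10.10.100.110
4.6 Notification configuration
# Mail configuration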
[[email protected] ~]# yum install mailx -y
[[email protected] ~]# vim /etc/mail.rc
set from=***@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=***@qq.com
set smtp-auth-password=exffioleeuzxbbhb
set smtp-auth=login
set ssl-verify=ignore
# Notification script
[[email protected] ~]# cat /etc/keepalived/notify.sh
#!/bin/bash
# Recipient of the notification mail
contact='[email protected]'
# Send a mail naming the VRRP state this node has changed to
notify() {
    mailsubject="$(hostname) to be $1, vip 轉移"
    mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
    echo "$mailbody" | mail -s "$mailsubject" "$contact"
}
case "$1" in
master)
    notify master
    ;;
backup)
    notify backup
    ;;
fault)
    notify fault
    ;;
*)
    echo "Usage: $(basename "$0") {master|backup|fault}"
    exit 1
    ;;
esac
# Configuration that calls the script
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 80
priority 100
advert_int 1
unicast_src_ip 10.10.100.106
unicast_peer {
10.10.100.107
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.100.110 dev eth0 label eth0:0
}
## call the notification script
notify_master "/etc/keepalived/notify.sh master"
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
}
Verification