一. 在172.17.60.39主机上部署haproxy+keepalived:

1. 安装haproxy环境

[root@myhost ~]#yum -y install libnl libnl-devel libnfnetlink libnfnetlink-devel kernel-devel popt-devel openssl-devel gcc

[root@myhost ~]#systemctl stop firewalld

[root@myhost ~]#systemctl disable firewalld

[root@myhost ~]#setenforce 0

[root@myhost ~]#mkdir -pv /services/current_apps

[root@myhost ~]#mkdir -pv /services/download_soft_v

[root@myhost ~]#cd /services/download_soft_v

2.下载haproxy-1.8.13版本并解压

[root@myhost download_soft_v]#wget -c http://10.10.9.250/Linux-SYS/haproxy-1.8.13.tar.gz

[root@myhost download_soft_v]#tar zxvf haproxy-1.8.13.tar.gz

[root@myhost download_soft_v]#cd haproxy-1.8.13

3. 用uname -a 确认好系统版本信息(改×××部分)

[root@myhosthaproxy-1.8.13]make TARGET=linux310 USE_OPENSSL=1 ADDLIB=-lz PREFIX=/services/current_apps/haproxy-1.8.13

4. 用make install安装到指定目录

[root@myhosthaproxy-1.8.13]make install PREFIX=/services/current_apps/haproxy-1.8.13

5. 创建haproxy用户和相关目录

[root@myhosthaproxy-1.8.13]useradd -s /sbin/nologin haproxy

[root@myhosthaproxy-1.8.13]mkdir -pv /var/lib/haproxy

[root@myhosthaproxy-1.8.13]mkdir -pv /services/current_apps/haproxy-1.8.13/ssl

[root@myhosthaproxy-1.8.13]chown -R haproxy:haproxy /var/lib/haproxy

[root@myhosthaproxy-1.8.13]cp /services/download_soft_v/haproxy-1.8.13/examples/haproxy.init /etc/init.d/haproxy

[root@myhosthaproxy-1.8.13]chmod +x /etc/init.d/haproxy

[root@myhosthaproxy-1.8.13]ln -sf /services/current_apps/haproxy-1.8.13 /etc/haproxy

[root@myhosthaproxy-1.8.13]ln -s /etc/haproxy/sbin/haproxy /usr/sbin/

6. 设定haproxy日志目录

[root@myhosthaproxy-1.8.13]mkdir -pv /services/haproxy_logs

[root@myhosthaproxy-1.8.13]echo 'local0.* /services/haproxy_logs/haproxy.log'>>/etc/rsyslog.conf

7. 编辑rsyslog开启UDP(去掉下面两行前面的#号),并添加local0.none

[root@myhosthaproxy-1.8.13]vi /etc/rsyslog.conf

$ModLoad imudp
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages

8. 改完重启rsyslog

[root@myhosthaproxy-1.8.13]systemctl restart rsyslog

9. 设置haproxy日志切割,清空这个文件并黏贴以下代码

[root@myhosthaproxy-1.8.13]vi /etc/logrotate.d/haproxy

			# Rotation policy for the haproxy log that rsyslog writes (local0 rule from
			# step 6): rotated daily, 30 generations kept, date-suffixed and compressed.
			# NOTE(review): without "delaycompress" the rotated file is gzipped in the
			# same run that HUPs rsyslog; adding delaycompress avoids losing lines
			# written between the rename and the reopen.
			/services/haproxy_logs/haproxy.log {
			daily
			rotate 30
			missingok
			notifempty
			dateext
			compress
			sharedscripts
			postrotate
			# rsyslog keeps the file open, so it is HUPed to reopen it; both pid-file
			# names are tried because the name differs between syslog implementations.
			/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
			/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
			# haproxy logs over UDP to rsyslog ("log 127.0.0.1 ..." in haproxy.cfg) and
			# holds no handle on this file, so this reload is probably unnecessary — confirm.
			service haproxy reload
			endscript
			}

10. 设置内核优化和ip转发

[root@myhosthaproxy-1.8.13]echo "net.ipv4.ip_nonlocal_bind = 1" >>/etc/sysctl.conf

[root@myhosthaproxy-1.8.13]echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf

[root@myhosthaproxy-1.8.13]sysctl -p

11. 配置haproxy.cfg,复制以下代码

[root@myhosthaproxy-1.8.13]vi /etc/haproxy/haproxy.cfg

global
				# Both log lines send syslog over UDP to the local rsyslog (imudp on 514,
				# enabled in step 7). local0 is routed to /services/haproxy_logs/haproxy.log
				# by step 6; no rsyslog rule for local1 appears in this runbook.
				log 127.0.0.1   local0 info
				log 127.0.0.1   local1 notice
				# per-process limits; nbproc 8 below multiplies both
				maxconn 75535
				ulimit-n 655350
				# jail directory created and chowned to haproxy in step 5
				chroot /var/lib/haproxy
				pidfile /var/run/haproxy.pid
				user haproxy
				group haproxy
				daemon
				nbproc 8    # set to the host's actual CPU core count


#-----------------------------------
# defaults (inherited by every frontend/backend below)
#-----------------------------------
defaults
				log global
				mode    http
				option  httplog
				retries 3
				maxconn 75535
				balance leastconn
				timeout connect 30s
				timeout client  60s
				timeout server  60s
				timeout http-request    30s
				timeout http-keep-alive 30s
				timeout queue           1m
				timeout check           30s
# Plain HTTP only: the ssl directory created in step 5 is not used by this
# config, so nothing here terminates TLS.
frontend web_in
				bind *:80
				no option http-server-close
				# adds an X-Forwarded-For header with the client address; haproxy appends
				# its own header and does not strip one the client sent, so backends
				# should trust only the value added by this hop.
				option forwardfor

				# path_beg: case-insensitive prefix match on the request path
				acl mzj_web_zxft_acl path_beg -i /zxft
				acl mzj_web_jzcx_acl path_beg -i /jzcx
				acl mzj_web_login_acl path_beg -i /login
				acl mzj_web_welfare_acl path_beg -i /welfare
				acl mzj_web_xzsp-web_acl path_beg -i /xzsp-web
				acl mzj_web_volunteer_acl path_beg -i /volunteer
				acl mzj_web_edu_acl path_beg -i /edu
				acl mzj_web_shsw_acl path_beg -i /shsw
				# hdr_reg is an unanchored regex and "." matches any character, so this
				# also matches hosts such as "xmzj.sh.gov.cn.example"; "hdr(host) -i
				# mzj.sh.gov.cn" is an exact match if that is what is intended.
				acl mzj_web_acl hdr_reg(host) -i mzj.sh.gov.cn

				# use_backend rules are evaluated in order; first match wins
				use_backend mzj_web_zxft if mzj_web_zxft_acl
				use_backend mzj_web_login if mzj_web_login_acl
				use_backend mzj_web_jzcx if mzj_web_jzcx_acl
				use_backend mzj_web_welfare if mzj_web_welfare_acl
				use_backend mzj_web_xzsp-web if mzj_web_xzsp-web_acl
				use_backend mzj_web_volunteer if mzj_web_volunteer_acl
				use_backend mzj_web_edu if mzj_web_edu_acl
				use_backend mzj_web_shsw if mzj_web_shsw_acl
				use_backend mzj_web if mzj_web_acl
# everything else (including other Host values) goes to refuse-url
default_backend refuse-url

# The "#((" / "#))" lines are comments only; the capture/log-format lines between
# them are NOT commented out and are still part of frontend web_in.
#((
		capture request header Host len 64
		capture request header User-Agent len 128
		capture request header X-Forwarded-For len 100
		capture request header Referer len 200
		capture response header Server len 40
		capture response header Server-ID len 40
		# NOTE(review): the "\#" on the next line escapes the "#", so haproxy should
		# read "#capture捕获信息" as an unknown keyword rather than a comment and
		# reject the file; drop the backslash. Check with: haproxy -c -f /etc/haproxy/haproxy.cfg
		\#capture捕获信息
		# custom log line: client, server, bytes, status, request, backend, frontend,
		# backend ip, captured request headers, captured response headers. The
		# trailing "\" escapes whatever follows it on the line; the format is usually
		# written quoted instead — confirm it parses.
		log-format %ci:%cp\ %si:%sp\ %B\ %U\ %ST\ %r\ %b\ %f\ %bi\ %hrl\ %hsl\
#))

#
# catch-all for unmatched requests
backend refuse-url
				mode http
				balance source
				server refuse-url 192.168.3.55:80 check rise 2 inter 5000 fall 3
# Each application backend has a single server; "cookie SERVERID" / "cookie web1"
# pins clients to it via a session cookie, and the health check runs every 3 s
# with 3 successes/failures to change state.
backend mzj_web
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.66_80 172.17.60.66:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_login
				mode http
				balance roundrobin
				cookie SERVERID
				# server name "181.45_80" does not match the <ip>_<port> naming used
				# elsewhere; cosmetic, but it is what the stats page and logs show
				server 181.45_80 172.17.60.9:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_jzcx
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.5_80 172.17.60.5:80  cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_welfare
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.15_80 172.17.60.15:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_xzsp-web
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.12_80 172.17.60.12:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_zxft
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.5_80 172.17.60.5:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_volunteer
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.9_80 172.17.60.9:80   cookie web1 inter 3000 rise 3 fall 3  check


backend mzj_web_edu
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.29_3001 172.17.60.29:3001   cookie web1 inter 3000 rise 3 fall 3  check


backend mzj_web_shsw
				mode http
				balance roundrobin
				cookie SERVERID
				server 60.29_80 172.17.60.29:80 cookie web1 inter 3000 rise 3 fall 3  check


#-----------------------------------
# monitor status page.
#-----------------------------------
listen stats
				# Plain HTTP with Basic auth on every interface: the credential below is
				# sent base64-encoded on each request and firewalld was disabled in step 1.
				# Bind to a management address (e.g. the host's internal IP or 127.0.0.1)
				# or terminate TLS on this listener ("bind ... ssl crt <cert>").
				bind 0.0.0.0:8011
				mode http
				stats enable
				stats refresh 60s
				stats hide-version
				# "stats uri" takes one argument: the space makes the prefix "/" (every
				# request on this listener) and leaves "hastats" as a stray word —
				# "/hastats" was probably intended.
				stats uri / hastats
				# "\ " is an escaped space; the usual form is "Haproxy\ statistic"
				stats realm Haproxy \ statistic
				# credential stored in clear text in this file; the file is chowned to
				# haproxy in step 12, so keep it unreadable by other users
				stats auth admin:wdit2017
				# bare numbers are milliseconds
				timeout connect 10000
				timeout client  50000
				timeout server  50000
				# stats are per-process: with nbproc 8 this page reports process 1 only
				bind-process    1

12. 设置开机自启动和目录权限

[root@myhosthaproxy-1.8.13]chown -R haproxy:haproxy /etc/haproxy

[root@myhosthaproxy-1.8.13]chkconfig haproxy on

13. 下载keepalived

[root@myhost haproxy-1.8.13]cd /services/download_soft_v

[root@myhost download_soft_v]wget -c http://104.225.234.20/keepalived-2.0.11.tar.gz

[root@myhost download_soft_v]tar -zxvf keepalived-2.0.11.tar.gz

[root@myhost download_soft_v]cd keepalived-2.0.11

14. 编译安装

[root@myhost keepalived-2.0.11]./configure --prefix=/services/current_apps/keepalived-2.0.11

[root@myhost keepalived-2.0.11]make && make install

15. 设置一些keepalived环境

[root@myhost keepalived-2.0.11]cp /services/download_soft_v/keepalived-2.0.11/keepalived/etc/init.d/keepalived /etc/init.d/

[root@myhost keepalived-2.0.11]ln -sf /services/current_apps/keepalived-2.0.11 /etc/keepalived

[root@myhost keepalived-2.0.11]ln -s /etc/keepalived/sbin/keepalived /usr/sbin/

[root@myhost keepalived-2.0.11]chkconfig keepalived on

[root@myhost keepalived-2.0.11]mkdir -pv /etc/keepalived/script

16. 编辑检测ha脚本文件

[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/check_haproxy_process.sh
#!/bin/bash
# keepalived vrrp_script (chk_haproxy_process in keepalived.conf, run every 10 s).
# If no haproxy process exists, try to start it; if there is still none five
# seconds later, stop keepalived so the VIP fails over to the peer.
# Exit status is that of the final test: 0 while haproxy is running.

# number of running processes whose command name is exactly "haproxy"
haproxy_procs() {
  ps -C haproxy --no-header | wc -l
}

if [ "$(haproxy_procs)" -eq 0 ]; then
  /etc/init.d/haproxy start
fi

sleep 5

if [ "$(haproxy_procs)" -eq 0 ]; then
  /etc/init.d/keepalived stop
fi

17. 编辑notify-master.sh脚本

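[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/notify-master.sh
#!/bin/bash
# keepalived notify_master hook: mail the administrator when this node takes
# over the VIP. Subject carries the node's eth0 address; body is uptime plus
# the eth0 address list (so the VIP can be seen in the mail).
#
# Fixes vs. the original: HOST_IP held the literal pipeline text (there was no
# command substitution, so the subject started with "/sbin/ifconfig eth0 ...");
# the mail body was the literal string "uptime; ip addr show eth0; echo"
# instead of the command output; and grep 'inet addr' only matches the old
# net-tools output format, so the address is read with iproute2 instead.
IFACE=eth0
RECIPIENT=liya@wdit.com.cn

# first IPv4 address on $IFACE, prefix length stripped; empty if none
HOST_IP=$(ip -4 -o addr show dev "$IFACE" | awk '{print $4}' | cut -d/ -f1 | head -n 1)

{
  uptime
  ip addr show "$IFACE"
  echo
} | mail -s "${HOST_IP}-HA change to master." "$RECIPIENT"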

18. 添加两个脚本权限

[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/check_haproxy_process.sh

[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/notify-master.sh

19.编辑 /usr/lib/systemd/system/keepalived.service,把unit替换成下面这段

[root@myhost keepalived-2.0.11]vi /usr/lib/systemd/system/keepalived.service

[Unit]
# Only the [Unit] section is replaced (step 19); [Service]/[Install] stay as shipped.

Description=LVS and VRRP High Availability Monitor

# Ordering: keepalived starts after haproxy, so the VIP is only announced once
# the proxy is up. network-online.target only waits for the network if a
# wait-online service is enabled on the host — confirm.
After=syslog.target network-online.target haproxy.service

# Requires= ties keepalived to haproxy: if haproxy.service fails to start or is
# stopped, keepalived stops too and the VIP moves to the peer. haproxy.service
# is presumably the unit systemd generates from /etc/init.d/haproxy (step 5);
# confirm with "systemctl cat haproxy".
Requires=haproxy.service

20. 编辑vi /root/ulimit.sh,黏贴以下代码

[root@myhost keepalived-2.0.11]vi /root/ulimit.sh

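#!/bin/bash
# One-shot host tuning for the haproxy/keepalived nodes (runbook steps 20-21):
# raise per-user resource limits, the nproc override, and rewrite
# /etc/sysctl.conf. Each file is backed up as <file>_<YYYY-MM-DD> first and is
# left untouched if that backup fails. Re-running the script rewrites the same
# files (and overwrites the same day's backup).
#
# Changes vs. the original: heredoc terminators are at column 0 — an indented
# "EOF" does not terminate a plain <<EOF heredoc, so limits.conf would have
# swallowed the rest of the script; cp failures are tested directly instead of
# via $?; diagnostics go to stderr; the sysctl backup is checked like the other
# two; one DATE variable is used throughout; ip_nonlocal_bind from step 10 is
# carried into the new sysctl.conf (this script replaces that file).

DATE=$(date +%F)

### Limits.conf
if cp -f /etc/security/limits.conf "/etc/security/limits.conf_${DATE}"; then
  # 'EOF' is quoted: nothing in the body is meant to be expanded.
  # nofile 755350 exceeds fs.file-max 655350 below; the system-wide cap wins.
  # A 1 MB stack (soft and hard) for every user is unusually low — confirm
  # nothing on these hosts needs more.
  cat >/etc/security/limits.conf <<'EOF'
*               soft    nofile          755350
*               hard    nofile          755350
*               soft    nproc           185534
*               hard    nproc           185534
*               soft    stack           1024
*               hard    stack           1024
EOF
else
  echo 'limits.conf change error, please check ???' >&2
  sleep 5
fi

# 90-nproc.conf is the CentOS 6 file name; CentOS 7 ships 20-nproc.conf, in
# which case the cp fails and this block is skipped — confirm on the host.
if cp -f /etc/security/limits.d/90-nproc.conf "/etc/security/limits.d/90-nproc.conf_${DATE}"; then
  cat >/etc/security/limits.d/90-nproc.conf <<'eof'
*               soft    nproc           185534
eof
else
  echo '90-nproc.conf error, please check ???' >&2
  sleep 5
fi

# Sysctl
# This REPLACES /etc/sysctl.conf, so the two lines appended in runbook step 10
# are lost: ip_nonlocal_bind is restored below; ip_forward was 1 there and is
# 0 here — confirm which value is intended.
if cp /etc/sysctl.conf "/etc/sysctl.conf_${DATE}"; then
  cat >/etc/sysctl.conf <<'EOF'
kernel.sysrq = 0
kernel.panic = 30
kernel.softlockup_panic=1
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 25769803776
kernel.shmall = 4294967296
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
# 0 disables the hung-task watchdog (no warnings for stuck tasks)
kernel.hung_task_timeout_secs = 0
kernel.core_pattern = core
# system-wide open-file cap; matches "ulimit-n 655350" in haproxy.cfg
fs.file-max = 655350
# haproxy is a userspace proxy and does not need IP forwarding; step 10 set
# this to 1 — confirm nothing else on the host routes traffic
net.ipv4.ip_forward = 0
# lets a service bind the keepalived VIP before it is assigned (from step 10)
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 3
# tcp_tw_reuse and tcp_tw_recycle only act when TCP timestamps are on; with
# tcp_timestamps = 0 below both are inert and PAWS protection is lost as well.
# tcp_tw_recycle also drops connections from clients behind NAT and was
# removed in Linux 4.12.
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 40960
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_sack = 1
# conntrack keys exist only while nf_conntrack is loaded; otherwise "sysctl -p"
# reports them as unknown (non-fatal) and applies the rest
net.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_mem = 3097431 4129911 6194862
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_wmem = 4096 65536 4194304
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_probes = 2
net.ipv4.tcp_keepalive_intvl = 15
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# bridge keys exist only while br_netfilter is loaded (same non-fatal error otherwise)
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
vm.swappiness = 5
vm.zone_reclaim_mode = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
# vm.drop_caches is a one-shot trigger, not a persistent setting: every
# "sysctl -p" (and every boot) drops the page cache — probably unintended
vm.drop_caches = 1
vm.dirty_ratio = 30
vm.dirty_background_ratio = 30
vm.dirty_writeback_centisecs = 50000
vm.vfs_cache_pressure = 200
vm.min_free_kbytes = 1024000
EOF
else
  echo 'sysctl.conf backup error, please check ???' >&2
  sleep 5
fi
sysctl -p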

21. 执行ulimit脚本

[root@myhost keepalived-2.0.11]sh /root/ulimit.sh

22. 编辑policy.sh

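[root@myhost keepalived-2.0.11]vi /root/policy.sh
#!/bin/bash
# Host hardening applied once per node (runbook steps 22-23):
#   - password ageing / minimum length in /etc/login.defs
#   - idle shell timeout (TMOUT) in /etc/profile
#   - root login over ssh disabled
#   - admin account "mzj" with passwordless sudo
#   - unused system accounts locked
#
# Changes vs. the original: login.defs and sudoers are edited by key, not by
# line number (25c/27c/91a replace whatever happens to be on that line on a
# different image); the sudoers change is validated with "visudo -c" before it
# is installed, because a syntax error there disables sudo for everyone; the
# account password can be supplied via MZJ_PASSWORD so it need not live in
# this file; the script is safe to re-run (no duplicate TMOUT/sudoers lines,
# useradd skipped if the account exists).

set -u

LOGIN_DEFS=/etc/login.defs
SUDOERS=/etc/sudoers
SSHD_CONFIG=/etc/ssh/sshd_config
ADMIN_USER=mzj
# TODO(review): drop the hard-coded fallback once step 23 exports MZJ_PASSWORD;
# until then this initial password is in a root-only file and should be
# changed at first login.
ADMIN_PASSWORD=${MZJ_PASSWORD:-wdit@123}

# set_login_def KEY VALUE: replace the KEY line in login.defs, or append it.
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" "$LOGIN_DEFS"; then
    sed -i "s/^${key}[[:space:]].*/${key} ${value}/" "$LOGIN_DEFS"
  else
    printf '%s %s\n' "$key" "$value" >> "$LOGIN_DEFS"
  fi
}

set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_LEN 7

# idle timeout; append once so re-running does not duplicate it
grep -q '^TMOUT=' /etc/profile || sed -i '$a\TMOUT=600' /etc/profile

# only rewrites the commented default; an explicit "PermitRootLogin yes" is untouched
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' "$SSHD_CONFIG"

id "$ADMIN_USER" >/dev/null 2>&1 || useradd "$ADMIN_USER"
printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin "$ADMIN_USER"

# sudoers: edit a copy, validate it, and only then install it over the original
sudoers_tmp=$(mktemp) || exit 1
cp -- "$SUDOERS" "$sudoers_tmp"
grep -q "^${ADMIN_USER}[[:space:]]" "$sudoers_tmp" \
  || printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ADMIN_USER" >> "$sudoers_tmp"
if visudo -cf "$sudoers_tmp" >/dev/null; then
  install -m 0440 -o root -g root -- "$sudoers_tmp" "$SUDOERS"
else
  echo "sudoers change rejected by visudo -c; $SUDOERS left unchanged" >&2
fi
rm -f -- "$sudoers_tmp"

# lock the stock service accounts that are never logged into
for acct in adm lp sync shutdown halt mail uucp operator games gopher; do
  usermod -L "$acct"
done

service sshd restart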

23.执行policy.sh

[root@myhost keepalived-2.0.11]sh /root/policy.sh

24. 编辑keepalived主配置文件

[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf

! Configuration File for keepalived
# Node 172.17.60.39 (section 一): BACKUP for VIP 172.17.60.77, priority 90.
# Values that must agree with the peer 172.17.60.41 (section 二):
# virtual_router_id, authentication and the virtual_ipaddress block.

global_defs {
		notification_email {
		liya@wdit.com.cn
		}

		notification_email_from liya@wdit.com.cn
		smtp_server mail.wdit.com.cn
		smtp_connect_timeout 60
		# free-form node label used in notifications; unique per host
		router_id HAProxy_CIIE_Slave
}


# Health check from step 16, run every 10 s. A zero exit adds "weight" (2) to
# this node's priority; the script itself stops keepalived when haproxy cannot
# be started, which is what actually releases the VIP. The script must be
# executable (step 18); keepalived 2.x warns (and with enable_script_security
# refuses) to run a root-run script that non-root users can write.
vrrp_script chk_haproxy_process {
	 script "/etc/keepalived/script/check_haproxy_process.sh"
	 interval 10
	 weight 2
}

# The instance name is local to this node (the peer calls its instance 60.77).
vrrp_instance 36.1 {
		state BACKUP
		interface eth0
		# must match the peer and be unique on this L2 segment
		virtual_router_id 202
		# below the peer's 100; both nodes get the same +2 from the check script
		priority 90
		advert_int 1
		# mails via the global_defs smtp settings on every state change, in
		# addition to the notify_master script below
		smtp_alert
		# VRRP "PASS" authentication travels in clear in every advertisement; it
		# keeps a misconfigured peer out of this group but does not authenticate
		# the sender. keepalived truncates auth_pass to 8 characters.
		authentication {
				auth_type PASS
				auth_pass 1111
		}
		track_script {
				chk_haproxy_process
		}
		virtual_ipaddress {
				172.17.60.77/32 dev eth0 scope global
		}
				# step 17 script; mails the admin when this node becomes master
				notify_master "/etc/keepalived/script/notify-master.sh"

}

25. 开启服务并自启动

[root@myhost keepalived-2.0.11]service keepalived restart

[root@myhost keepalived-2.0.11]systemctl enable haproxy

二. 在172.17.60.41主机上部署haproxy+keepalived:

1.从1-23步骤一模一样重复做一遍

2. 编辑 /etc/keepalived/keepalived.conf文件黏贴以下代码

[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf

		! Configuration File for keepalived
		# Node 172.17.60.41 (section 二): MASTER for VIP 172.17.60.77, priority 100.
		# Only router_id, state, priority and the instance name differ from the
		# BACKUP node's file in section 一; virtual_router_id, authentication and
		# the VIP must stay identical on both.

		global_defs {
				notification_email {
				liya@wdit.com.cn
				}

				notification_email_from liya@wdit.com.cn
				smtp_server mail.wdit.com.cn
				smtp_connect_timeout 60
				#router_id MUST BE different in the same network
				router_id HAProxy_CIIE_Master
				}


# Same health check as on the BACKUP node (steps 16/18): zero exit adds weight 2
# to the priority; the script stops keepalived itself when haproxy is down.
vrrp_script chk_haproxy_process {
	 script "/etc/keepalived/script/check_haproxy_process.sh"
	 interval 10
	 weight 2
}

# Instance name is local to this node (the peer calls its instance 36.1).
vrrp_instance 60.77 {
		state MASTER
		interface eth0
				#ID MUST BE different in the same network
		virtual_router_id 202
		# above the peer's 90, so this node preempts when it comes back
		priority 100
		advert_int 1
		smtp_alert
		# PASS authentication is sent in clear in each advertisement and only
		# keeps a misconfigured peer out; it is not a defence against spoofing.
		# Must equal the peer's value; keepalived truncates it to 8 characters.
		authentication {
				auth_type PASS
 auth_pass 1111
		}
		track_script {
				chk_haproxy_process
		}
		virtual_ipaddress {
				172.17.60.77/32 dev eth0 scope global
		}
		notify_master "/etc/keepalived/script/notify-master.sh"
}

3. 开启服务并自启动

[root@myhost keepalived-2.0.11]service keepalived restart

[root@myhost keepalived-2.0.11]systemctl enable haproxy