Keepalived worked example:
Use keepalived to float a VIP, provide high availability for LVS, health-check the real servers behind LVS, and finally build a highly available nginx.
Prerequisites for an HA cluster:
1. The local host name must match the name returned by hostname (uname -n):
CentOS 6: /etc/sysconfig/network
CentOS 7: hostnamectl set-hostname HOSTNAME
All nodes must be able to resolve each other's host names; resolving them through the hosts file is generally recommended.
2. Time is synchronized across the nodes.
3. Make sure iptables and SELinux do not get in the way of the services.
Demonstration
Two hosts are used here: 192.168.184.141 and 192.168.184.142.
# cat /etc/centos-release //check the version
CentOS Linux release 7.4.1708 (Core)
# hostname
node1
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.184.141 node1 //this entry is node1
192.168.184.142 node2
To test whether the two hosts' clocks agree: http://www.zsythink.net/archives/2375
# date; ssh node2 'date' //this needs passwordless SSH between the two hosts
# ssh-keygen //press Enter through all prompts
# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.184.142 //send the public key generated on node1 to node2
# ssh root@192.168.184.142 //test it
Last login: Sat Dec 1 10:55:23 2018 from 192.168.184.141
# date; ssh node2 'date'
Sat Dec 1 11:01:33 CST 2018 //the two hosts differ by one second
Sat Dec 1 11:01:32 CST 2018
Use ntp to synchronize time here.
Before configuring, run: ntpdate -u cn.pool.ntp.org
to sync with the server; if this command has no effect, use: #ntpd -u cn.pool.ntp.org
# date; ssh node2 'date'
Sat Dec 1 11:35:06 CST 2018
Sat Dec 1 11:35:06 CST 2018
# yum install keepalived -y //install keepalived on both hosts
Now configure keepalived.
Configure the Master node (192.168.184.141) first:
# cp keepalived.conf{,.backup} //back up the file under /etc/keepalived first
# vim /etc/keepalived/keepalived.conf
:.,$s/^/#/g //the virtual_server sections are not needed now, so put # in front of every line from the first virtual_server to the last line
1 ! Configuration File for keepalived
2
3 global_defs { //global definitions
4 notification_email { //mailboxes that alert mail is sent to; three addresses follow
5 acassen@firewall.loc
6 failover@firewall.loc
7 sysadmin@firewall.loc
root@localhost //replace the three addresses above with this line
8 }
9 notification_email_from Alexandre.Cassen@firewall.loc //the sender address
10 smtp_server 192.168.200.1 //the mail server that delivers the alerts
11 smtp_connect_timeout 30
12 router_id LVS_DEVEL //unique identifier of this physical device
13 vrrp_skip_check_adv_addr
14 vrrp_strict
15 vrrp_garp_interval 0
16 vrrp_gna_interval 0
Lines 9-16 are changed as follows:
notification_email_from kaadmin@localhost //the sender address; any value will do
smtp_server 127.0.0.1 //every host has the local mail service on 127.0.0.1 open by default once installed
vrrp_mcast_group4 224.0.0.141 //the multicast group; watch out for collisions here
smtp_connect_timeout 30
router_id node1
17 }
18
19 vrrp_instance VI_1 { //a virtual router instance
20 state MASTER //the initial state. A MASTER has the highest priority; because it works in preemptive mode, a node whose priority is lower than another server's will have the VIP taken away by that server
21 interface eth0 //VRRP's main job is floating an IP address; this is the NIC the address is configured on. VRRP uses ifconfig or ip to add the VIP to the physical NIC as an alias or as a secondary address
22 virtual_router_id 51 //the virtual router's id; must be unique. This is the VRID, 0-255; it also forms the last octet of the virtual MAC, whose format is 00-00-5E-00-01-{VRID}
23 priority 100 //the priority, 0-255; higher numbers win
24 advert_int 1 //the interval between heartbeat advertisements. The master periodically advertises its priority and state to the backup nodes; the default is 1 second
25 authentication { //simple password authentication
26 auth_type PASS
27 auth_pass 1111
28 }
29 virtual_ipaddress { //the virtual IP addresses, configured as secondary addresses or aliases on eth0 above
30 192.168.184.150/24 (dev eth0 label eth0:0 can be appended on CentOS 6) //the VIP must not collide with the IP of either the master or the backup host
33 }
virtual_ipaddress { //format of a virtual IP address entry
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
IP address/mask, brd: the broadcast address, dev: the device the address is configured on, scope: its scope (global by default), label: the alias name, since the IP is normally configured on an alias of the NIC.
192.168.200.17/24 dev eth1
192.168.200.18/24 dev eth2 label eth2:1
}
nopreempt: non-preemptive mode; the default is preemptive.
34 }
35
36 # virtual_server 192.168.200.100 443 {
# ...
# ...
Once the configuration above is done, copy the master's keepalived.conf to /etc/keepalived on node2:
# scp keepalived.conf node2:/etc/keepalived/ //passwordless SSH is already set up here
# vim /etc/keepalived/keepalived.conf //edit on node2, i.e. 192.168.184.142
router_id node2 //may be changed or left alone; the two routers sharing a router_id is not a problem
state BACKUP //must be changed
priority 99 //must be lower than the master's
virtual_router_id 51 //must match the master: master and backup form one virtual router, and this is that router's id
# systemctl start keepalived; ssh node2 'systemctl start keepalived' //from node1, the master (192.168.184.141), start keepalived on both hosts at once
# ps -aux //check the running processes
# ip addr list //on the master (192.168.184.141) the configured VIP is shown; on the BACKUP (192.168.184.142) it is not, because the VIP is bound to only one router at a time
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ce:f8:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.184.141/24 brd 192.168.184.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.184.150/24 scope global secondary eth0 //the configured VIP is now bound
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fece:f804/64 scope link
valid_lft forever preferred_lft forever
Keepalived logs to the LOG_DAEMON facility by default, but /etc/rsyslog.conf (cat /etc/rsyslog.conf) has no rule for DAEMON,
so the configuration file /etc/sysconfig/keepalived must be changed to get a log file.
Enabling the log is optional; if you do it, change both master and backup.
# vim /etc/sysconfig/keepalived
1 # Options for keepalived. See `keepalived --help' output and keepalived(8) and
2 # keepalived.conf(5) man pages for a list of all options. Here are the most
3 # common ones :
4 #
5 # --vrrp -P Only run with VRRP subsystem.
6 # --check -C Only run with Health-checker subsystem.
7 # --dont-release-vrrp -V Dont remove VRRP VIPs & VROUTEs on daemon stop.
8 # --dont-release-ipvs -I Dont remove IPVS topology on daemon stop.
9 # --dump-conf -d Dump the configuration data.
10 # --log-detail -D Detailed log messages.
11 # --log-facility -S 0-7 Set local syslog facility (default=LOG_DAEMON) //change the log facility here
12 #
13
14 KEEPALIVED_OPTIONS="-D -S 3" //change this line to enable logging
# vim /etc/rsyslog.conf
1 # Save boot messages also to boot.log
2 local7.* /var/log/boot.log
3 local3.* /var/log/keepalived.log //insert this line
# systemctl restart rsyslog.service //reload the logging service
# systemctl restart keepalived //since /etc/sysconfig/keepalived changed, keepalived must be restarted too
# tail /var/log/keepalived.log //the log now has entries
Dec 1 20:42:49 node1 Keepalived_vrrp[2489]: Sending gratuitous ARP on eth0 for 192.168.184.150
Dec 1 20:42:54 node1 Keepalived_vrrp[2489]: Sending gratuitous ARP on eth0 for 192.168.184.150
Dec 1 20:42:54 node1 Keepalived_vrrp[2489]: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on eth0 for 192.168.184.150
Dec 1 20:42:54 node1 Keepalived_vrrp[2489]: Sending gratuitous ARP on eth0 for 192.168.184.150
Dec 1 20:42:54 node1 Keepalived_vrrp[2489]: Sending gratuitous ARP on eth0 for 192.168.184.150
Dec 1 20:42:54 node1 Keepalived_vrrp[2489]: Sending gratuitous ARP on eth0 for 192.168.184.150
Dec 1 20:42:54 node1 Keepalived_vrrp[2489]: Sending gratuitous ARP on eth0 for 192.168.184.150
The configuration above works.
Now stop keepalived on the master node and check whether the VIP migrates to the backup:
# systemctl stop keepalived
# ip addr list //the VIP 192.168.184.150/24 is no longer listed
# ip addr list //on the backup node, 192.168.184.142, the VIP has migrated here
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:67:09:fe brd ff:ff:ff:ff:ff:ff
inet 192.168.184.142/24 brd 192.168.184.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.184.150/24 scope global secondary eth0
valid_lft forever preferred_lft forever
Now bring the former master, 192.168.184.141, back up:
# systemctl start keepalived //run on the master; because host 141 has the higher priority and runs in preemptive mode, it takes the VIP back as soon as its keepalived starts
[root@node1 log]# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ce:f8:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.184.141/24 brd 192.168.184.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.184.150/24 scope global secondary eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fece:f804/64 scope link
valid_lft forever preferred_lft forever
How can the master be demoted to backup by hand without stopping the keepalived service on it? --> lower the master's priority.
# vim /etc/keepalived/keepalived.conf //this file must be changed on both master and backup
1 ! Configuration File for keepalived
2
3 global_defs {
4 notification_email {
5 root@localhost
6 }
7 notification_email_from kaadmin@localhost
8 smtp_server 127.0.0.1
9 smtp_connect_timeout 30
10 router_id node1
11 vrrp_skip_check_adv_addr
12 vrrp_strict
13 vrrp_garp_interval 0
14 vrrp_gna_interval 0
15 }
16
17 vrrp_script chk_schedown { //vrrp_script is a VRRP-specific extension: the script is defined outside vrrp_instance but invoked from inside it
18 script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0" //the command to run; the quoted string is the script body. An exit code of 1 means the check failed, which triggers the weight below; an exit code of 0 means the check passed and nothing changes
19 interval 1 //run the script every interval seconds. The idea: if the file down exists, the administrator wants to lower this host's priority by hand, i.e. manually demote the master to backup
20 weight -2 //lower the priority by 2. While the file down exists the script returns 1 and the weight is applied; once it is absent the script returns 0 and the priority is left untouched
21 }
22
23 vrrp_instance VI_1 {
24 state MASTER
25 interface eth0
26 virtual_router_id 51
27 priority 100
28 advert_int 1
29 authentication {
30 auth_type PASS
31 auth_pass 1111
32 }
33 virtual_ipaddress {
34 192.168.184.150/24
35 }
36 track_script { //declares which script this vrrp instance tracks
37 chk_schedown
38 }
39 }
# systemctl restart keepalived.service; ssh node2 'systemctl restart keepalived.service' //restart both master and backup after configuring
# touch down //the IP should float over at this point, but it does not, so another approach is needed.
Here the script body from the vrrp_script section ([[ -f /etc/keepalived/down ]] && exit 1 || exit 0) is written into a script file, and the path of that file is used instead:
# vim /etc/keepalived/down.sh //note: both master and backup need this change
#! /bin/bash
[[ -f /etc/keepalived/down ]] && exit 1 || exit 0
# chmod +x /etc/keepalived/down.sh
# vim /etc/keepalived/keepalived.conf
vrrp_script chk_down {
script "/etc/keepalived/down.sh"
interval 1
weight -10
}
# systemctl restart keepalived; ssh node2 'systemctl restart keepalived'
# touch /etc/keepalived/down //now the IP floats over
# ip addr list
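The master/backup pairing configured earlier and the chk_down weight shown just above can be reasoned about offline. The following is an added example, not part of the original post: from two constructed configs that mirror node1 and node2 it predicts which node should hold the VIP, applying keepalived's rule that a negative weight is subtracted from the priority while the tracked script exits non-zero.

```shell
#!/bin/bash
# Added example, not part of the original post: predict which node should own
# the VIP under keepalived's vrrp_script weight rule: a negative weight is
# subtracted from priority while the script exits non-zero (down.sh exits 1
# when /etc/keepalived/down exists), a positive one added while it exits zero.
make_conf() {  # constructed config mirroring the page's nodes: ROUTER_ID STATE PRIORITY WEIGHT
    local f; f=$(mktemp)
    cat > "$f" <<EOF
global_defs {
    router_id $1
}
vrrp_script chk_down {
    script "/etc/keepalived/down.sh"
    interval 1
    weight $4
}
vrrp_instance VI_1 {
    state $2
    virtual_router_id 51
    priority $3
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    track_script {
        chk_down
    }
}
EOF
    echo "$f"
}
conf_value() {  # conf_value FILE KEY -> first value that follows KEY in FILE
    awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }' "$1"
}
effective_priority() {  # effective_priority BASE WEIGHT SCRIPT_RC -> priority after tracking
    local base=$1 weight=$2 rc=$3
    if { [ "$weight" -lt 0 ] && [ "$rc" -ne 0 ]; } || { [ "$weight" -gt 0 ] && [ "$rc" -eq 0 ]; }
    then echo $((base + weight)); else echo "$base"; fi
}
elect() {  # elect CONF_A RC_A CONF_B RC_B; RC = chk_down exit status on that node (1 = down file present)
    local a=$1 b=$3 pa pb
    [ "$(conf_value "$a" virtual_router_id)" = "$(conf_value "$b" virtual_router_id)" ] ||
        { echo "vrid-mismatch"; return 1; }   # different VRIDs never form one virtual router
    [ "$(conf_value "$a" auth_pass)" = "$(conf_value "$b" auth_pass)" ] ||
        { echo "auth-mismatch"; return 1; }   # adverts with a wrong password are dropped
    pa=$(effective_priority "$(conf_value "$a" priority)" "$(conf_value "$a" weight)" "$2")
    pb=$(effective_priority "$(conf_value "$b" priority)" "$(conf_value "$b" weight)" "$4")
    if [ "$pa" -gt "$pb" ]; then conf_value "$a" router_id
    elif [ "$pb" -gt "$pa" ]; then conf_value "$b" router_id
    else echo "tie"; return 1; fi   # equal priority: VRRP then prefers the higher primary IP
}
```

With the page's values, a down file on the master alone hands the VIP to node2 (98 or 90 against 99), while a down file on both nodes leaves node1 in charge because both priorities drop by the same amount.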
LVS in NAT mode with two real servers behind it (a web server cluster): how is it made highly available? Highly available LVS
For high availability in NAT mode, the real servers' gateway should point at the router's DIP. To make the router highly available, the router gets a VIP so that users on the Internet can reach it: the external interface has its own address, and an alias address is configured on that interface as the address Internet clients request. Once router A fails, the alias address floats to router B, whose external interface likewise has its own address, so the alias is attached to that interface. At the same time the gateway the real servers point at must also move to router B, but an address fixed on the interface cannot move, so the same trick as on the external interface is used: an alias address is added to the internal interface and used as the DIP, i.e. the real servers' gateway. The internal alias (DIP) must sit on whichever router holds the external alias (VIP). Router A and router B are each one instance here, and the two alias addresses on these two instances must move together.
That is what a VRRP instance synchronization group, vrrp_sync_group, defines; LVS is rarely used as a load balancing cluster, though.
# man keepalived.conf //how it is configured
VRRP synchronization group(s)
#string, name of group of IPs that failover together
vrrp_sync_group VG_1 {
group {
inside_network # name of the vrrp_instance (see below)
outside_network # One for each movable IP
...
}
The VIP and DIP must always migrate to the same host together.
vrrp_sync_group VG_1 { //defines which instances form one group
group { //VI_1 and VI_2 are put in one group
VI_1 # name of vrrp_instance (below)
VI_2 # One for each moveable IP.
}
}
vrrp_instance VI_1 { //instance 1
eth0 //external NIC
vip //alias defined on the external NIC
}
vrrp_instance VI_2 { //instance 2
eth1 //internal NIC
dip //alias defined on the internal NIC
}
Only the NAT model of LVS uses this feature, because in NAT mode the real servers' gateway must point at the DIP.
Another scenario: the dual-master model, where both routers are active and each handles part of the load (an LVS cluster here, without the DIP-as-gateway scenario).
As a router/load balancer there must be a floating address on the external interface that receives client requests; this address floats, and whichever host holds it is the master node, so in the scenario above one router is always idle. To make full use of both, the domain name can be resolved to two A records (VIP1 and VIP2), both configured on external interfaces as secondary addresses, but not on the same router, so that both masters are active.
To keep the two floating IPs from moving together, the two routers are configured as two instances: in the first instance router1 has the higher priority and router2 the lower, so that floating IP sits on router1; in the second instance router2 has the higher priority and router1 the lower, so that floating IP sits on router2's external interface. Once router1 fails, its floating IP moves to router2's external NIC and both floating IPs are on router2, as different aliases or as two secondary addresses on the NIC; once router1 comes back, the floating IP moves back to router1's external NIC.
This gives a balanced setup: there are two virtual instances, but the two do not move together.
Or, put another way:
There are three virtual routers:
Virtual router 1: Device A is the Master router, Device B and Device C are Backup routers.
Virtual router 2: Device B is the Master router, Device A and Device C are Backup routers.
Virtual router 3: Device C is the Master router, Device A and Device B are Backup routers.
To share the traffic load among Device A, Device B and Device C, the default gateways of the hosts on the LAN are set to virtual routers 1, 2 and 3 respectively. When configuring priorities, make sure the VRRP priorities of the routers in the three virtual routers cross over, so that one router does not, as far as possible, act as Master for two virtual routers at once.
Demonstration
# vim /etc/keepalived/keepalived.conf //now edit on the master, 192.168.184.141
:.,40y //yank from the current line to line 40
1 ! Configuration File for keepalived
2
3 global_defs {
4 notification_email {
5 root@localhost
6 }
7 notification_email_from kaadmin@localhost
8 smtp_server 127.0.0.1
9 smtp_connect_timeout 30
10 router_id node1
11 vrrp_skip_check_adv_addr
12 vrrp_strict
13 vrrp_garp_interval 0
14 vrrp_gna_interval 0
15 }
16
17 vrrp_script chk_down {
18 script "/etc/keepalived/down.sh"
19 interval 1
20 weight -10
21 }
22
23 vrrp_instance VI_1 {
24 state MASTER
25 interface eth0
26 virtual_router_id 50
27 priority 100
28 advert_int 1
29 authentication {
30 auth_type PASS
31 auth_pass 1111
32 }
33 virtual_ipaddress {
34 192.168.184.150/24
35 }
36
37 track_script {
38 chk_down
39 }
40 }
41
42 vrrp_instance VI_2 { //vrrp instance names must be unique
43 state BACKUP //changed
44 interface eth0
45 virtual_router_id 51 //the router ID can stay as it was (VI_1 was changed to 50, so the two instances differ)
46 priority 99 //changed
47 advert_int 1
48 authentication {
49 auth_type PASS
50 auth_pass 2222 //changed
51 }
52 virtual_ipaddress {
53 192.168.184.151/24 //the floating IP of router2
54 }
55
56 track_script { //best to change this; if it is left as is, both instances may go down together
57 chk_down
58 }
59 }
After editing host 141, copy the modified keepalived.conf to host 142:
# scp keepalived.conf root@node2:/etc/keepalived/ //the two hosts have passwordless SSH, and /etc/hosts resolves node2
# vim keepalived.conf //on 192.168.184.142 make the following changes
1 ! Configuration File for keepalived
2
3 global_defs {
4 notification_email {
5 root@localhost
6 }
7 notification_email_from kaadmin@localhost
8 smtp_server 127.0.0.1
9 smtp_connect_timeout 30
10 router_id node2 //changed
11 vrrp_skip_check_adv_addr
12 vrrp_strict
13 vrrp_garp_interval 0
14 vrrp_gna_interval 0
15 }
16
17 vrrp_script chk_down {
18 script "/etc/keepalived/down.sh"
19 interval 1
20 weight -10
21 }
22
23 vrrp_instance VI_1 {
24 state BACKUP //changed
25 interface eth0
26 virtual_router_id 50
27 priority 99 //changed
28 advert_int 1
29 authentication {
30 auth_type PASS
31 auth_pass 1111
32 }
33 virtual_ipaddress {
34 192.168.184.150/24
35 }
36
37 track_script {
38 chk_down
39 }
40 }
41
42 vrrp_instance VI_2 {
43 state MASTER //changed
44 interface eth0
45 virtual_router_id 51
46 priority 100 //changed
47 advert_int 1
48 authentication {
49 auth_type PASS
50 auth_pass 2222
51 }
52 virtual_ipaddress {
53 192.168.184.151/24
54 }
55
56 track_script {
57 chk_down
58 }
59 }
# systemctl restart keepalived.service; ssh node2 'systemctl restart keepalived.service'
# ip addr list //on router1
# touch down //create the down file on 141
Troubleshooting notes:
1. Logging?
2. Each vrrp_instance needs its own multicast address;
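Before restarting both nodes in the dual-master setup, the two configs can be cross-checked for the crossed-priority pattern the text describes. The following is an added example, not part of the original post: it uses constructed copies of node1's and node2's configs (only the instance names, VRIDs, states and priorities shown above) and reports any VRID that both nodes claim as MASTER, that is mastered by the lower-priority node, or that one node reuses.

```shell
#!/bin/bash
# Added example, not from the original post: cross-check the dual-master configs
# above before restarting. For each virtual_router_id the pair shares, exactly one
# node must be MASTER with the higher priority, and no node may reuse a
# virtual_router_id. Sample configs are constructed to mirror node1 and node2 here.
make_conf() {  # make_conf STATE1 PRIO1 STATE2 PRIO2 -> path of a temp config
    local f; f=$(mktemp)
    cat > "$f" <<EOF
vrrp_instance VI_1 {
    state $1
    interface eth0
    virtual_router_id 50
    priority $2
    authentication {
        auth_type PASS
        auth_pass 1111
    }
}
vrrp_instance VI_2 {
    state $3
    interface eth0
    virtual_router_id 51
    priority $4
}
EOF
    echo "$f"
}
# instances FILE -> one line per vrrp_instance: "NAME VRID STATE PRIORITY".
# Braces are counted so a nested block does not end the instance early.
instances() {
    awk '{ for (i = 1; i <= NF; i++) { if ($i == "{") d++; if ($i == "}") d-- } }
         $1 == "vrrp_instance"     { name = $2 }
         $1 == "virtual_router_id" { vrid = $2 }
         $1 == "state"             { st = $2 }
         $1 == "priority"          { pr = $2 }
         d == 0 && name != ""      { print name, vrid, st, pr; name = "" }' "$1"
}
# check_pair CONF_A CONF_B -> prints "ok", or one line per problem and returns 1
check_pair() {
    local out
    out=$({ instances "$1" | sed 's/^/A /'; instances "$2" | sed 's/^/B /'; } |
      awk '{ if (($1, $3) in st) print $1 ": virtual_router_id " $3 " reused"
             st[$1, $3] = $4; pr[$1, $3] = $5; seen[$3] = 1 }
           END { for (v in seen) {
             if (!(("A", v) in st) || !(("B", v) in st)) { print "VRID " v ": on one node only"; continue }
             if (st["A", v] == st["B", v]) { print "VRID " v ": both nodes are " st["A", v]; continue }
             m = (st["A", v] == "MASTER") ? "A" : "B"; s = (m == "A") ? "B" : "A"
             if (pr[m, v] + 0 <= pr[s, v] + 0) print "VRID " v ": MASTER on " m " has the lower priority" } }')
    if [ -z "$out" ]; then echo ok; else echo "$out"; return 1; fi
}
```

Run against the real files with check_pair /etc/keepalived/keepalived.conf and a copy fetched from node2; the page's crossed configuration (50: node1 MASTER 100 / node2 BACKUP 99, 51: node1 BACKUP 99 / node2 MASTER 100) reports ok.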