keepalived

河南妞 2022-04-05 阅读 63

1.keepalived介绍

keepalived是集群管理中保证集群高可用的一个服务软件

vrrp协议的软件实现,原生设计目的为了高可用ipvs服务

作用:检测web服务器的状态,剔除故障的web服务器;web服务器正常工作后,自动将web
服务器加入到服务器集群中

解决静态路由单点故障问题

功能

基于vrrp协议完成地址流动
为vip地址所在的节点生成ipvs规则(在配置文件中预先定义)
为ipvs集群的各RS做健康状态检测
基于脚本调用接口,通过执行脚本完成脚本中定义的功能,进而影响集群事务,以此支持
nginx、haproxy等服务

keepalived以VRRP(​Virtual Router Redundancy Protocol​ 虚拟路由冗余协议​)协议为实现基础

VRRP:可认为是实现路由器高可用的协议,即:多台提供相同功能的路由器组成一个
路由器组,这个组里面有一个master和多个backup,master上有一个对外提供服务的
vip,master不断向backup发送心跳信息,告诉backup自己存活,当backup接受不到
心跳信息,就认为master宕机,这时根据VRRP的优先级来选举一个backup为master,
从而保证高可用。

2.keepalived模块

#keepalived主要有三个模块,分别是core、check和vrrp。
#1)core
是keepalived的核心,负责主进程的启动和维护,全局配置文件的加载解析等

#2)check
负责healthchecker(健康检查),包括了各种健康检查方式,以及对应的配置的解析;包括LVS的配置解析;
可基于脚本对IPVS后端服务器健康状况进行检查

#3)vrrp
VRRPD子进程,VRRPD子进程就是来实现VRRP协议的

工作原理

Keepalived高可用对之间是通过VRRP进行通信的, VRRP是通过竞选机制来确定主备
的,主的优先级高于备,因此,工作时主会优先获得所有的资源,备节点处于等待状态,当
主宕机的时候,备节点就会接管主节点的资源,然后顶替主节点对外提供服务

在Keepalived服务对之间,只有作为主的服务器会一直发送VRRP广播包,告诉备它还活
着,此时备不会抢占主,当主不可用时,即备监听不到主发送的广播包时,就会启动相关服
务接管资源,保证业务的连续性.接管速度最快

3.组件

用户空间核心组件

keepalived_keepalived

vrrp stack       #VIP消息通告
checkers #监测real server
system call #标记real server权重
SMTP #邮件组件
ipvs wrapper #生成IPVS规则
NetlinkReflector #网络接口
WatchDog #监控进程

控制组件:配置文件分析器

IO复用器

内存管理组件

4.Keepalived环境准备

各节点时间必须同步(ntp,chrony)
关闭selinux和防火墙(仅适合实验环境;生产环境建议保持开启,在防火墙中放行VRRP通告,即IP协议号112、默认组播地址224.0.0.18,并按需调整SELinux策略)
各节点之间可通过主机名互相通信(对KA并非必须)
各节点之间的root用户可以基于密钥认证的ssh服务完成互相通信(对KA并非必须;没有运维需要时不建议配置,root互信会让单个节点失陷后波及整个集群)

5.Keepalived安装

yum install keepalived      #(CentOS)
apt-get install keepalived #(Ubuntu)

安装环境

[root@control2 ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core)
[root@control2 ~]# rpm -ql keepalived
/etc/keepalived
/etc/keepalived/keepalived.conf #主配置文件
/etc/sysconfig/keepalived #Unit File的环境配置文件
/usr/bin/genhash
/usr/lib/systemd/system/keepalived.service #Unit File
/usr/libexec/keepalived
/usr/sbin/keepalived #主程序文件
/usr/share/doc/keepalived-1.3.5
/usr/share/doc/keepalived-1.3.5/AUTHOR
/usr/share/doc/keepalived-1.3.5/CONTRIBUTORS
/usr/share/doc/keepalived-1.3.5/COPYING
/usr/share/doc/keepalived-1.3.5/ChangeLog
/usr/share/doc/keepalived-1.3.5/NOTE_vrrp_vmac.txt
/usr/share/doc/keepalived-1.3.5/README
/usr/share/doc/keepalived-1.3.5/TODO
/usr/share/doc/keepalived-1.3.5/keepalived.conf.SYNOPSIS
/usr/share/doc/keepalived-1.3.5/samples
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.HTTP_GET.port
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.IPv6
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.SMTP_CHECK
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.SSL_GET
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.fwmark
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.inhibit
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.misc_check
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.misc_check_arg
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.quorum
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.sample
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.status_code
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.track_interface
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.virtual_server_group
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.virtualhost
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.localcheck
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.lvs_syncd
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.routes
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.rules
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.scripts
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.static_ipaddress
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.vrrp.sync
/usr/share/doc/keepalived-1.3.5/samples/sample.misccheck.smbcheck.sh
/usr/share/man/man1/genhash.1.gz
/usr/share/man/man5/keepalived.conf.5.gz
/usr/share/man/man8/keepalived.8.gz
/usr/share/snmp/mibs/KEEPALIVED-MIB.txt
/usr/share/snmp/mibs/VRRP-MIB.txt
/usr/share/snmp/mibs/VRRPv3-MIB.txt

6.Keepalived​配置文件

[root@control2 ~]# cat /etc/keepalived/keepalived.conf 
! Configuration File for keepalived

#1.
global_defs {
notification_email { #keepalived发生故障切换时邮件发送的对象
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
#root@localhost
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_DEVEL #路由器Id,唯一值
vrrp_skip_check_adv_addr #所有报文都检查比较消耗性能,此配置为如果收到的报文和上一个报文是同一个路由器则跳过检查报文中的源地址
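vrrp_strict #严格遵守VRRP协议,不允许状况:1.没有VIP地址 2.单播邻居 3.在VRRP版本2中有IPv6地址
#注意:较新版本的keepalived.conf(5)还说明严格模式不支持authentication和preempt_delay,而下文vrrp_instance VI_1同时配置了这两项,启用vrrp_strict时它们可能被忽略,请以所用版本的手册和启动日志为准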
vrrp_garp_interval 0 #ARP报文发送延迟
vrrp_gna_interval 0 #消息发送延迟
#vrrp_iptables #不生成的防火墙策略
#vrrp_mcast_group4 224.0.0.18 #默认组播IP地址,224.0.0.0到239.255.255.255
}



#2.
#vrrp_script <SCRIPT_NAME> {#定义一个检测脚本,在global_defs之外配置
# script <STRING>|<QUOTED-STRING> # shell命令或脚本路径
# interval <INTEGER> # 间隔时间,单位为秒,默认1秒
# timeout <INTEGER> # 超时时间
# weight <INTEGER:-254..254> # 权重,监测失败后会执行权重+操作
# fall <INTEGER> # 脚本几次失败转换为失败
# rise <INTEGER> # 脚本连续监测成功后,把服务器从失败标记为成功的次数
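# user USERNAME [GROUPNAME] # 执行监测的用户或组;建议使用非root的专用账户,并确保脚本及其上级目录只有root可写,避免被低权限用户改写后由keepalived执行(较新版本可在global_defs中启用enable_script_security做此检查)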
# init_fail # 设置默认标记为失败状态,监测成功之后再转换为成功状态
#}
#vrrp_script chk_down{#基于第三方仲裁设备
# script "/bin/bash -c '[[ -f /etc/keepalived/down ]]' && exit 7 || exit 0"
# interval 1
# weight -80
# fall 3
# rise 5
# timeout 2
#}



#3.
vrrp_instance VI_1 {#虚拟路由器
state MASTER #当前节点在此虚拟路由器上的初始状态,状态为MASTER或者BACKUP
interface eth0 #绑定为当前虚拟路由器使用的物理接口ens32,eth0,bond0,br0
virtual_router_id 51 #当前虚拟路由器组惟一标识,范围是0-255
priority 100 #当前物理节点在此虚拟路由器中的优先级;范围1-254
advert_int 1 #vrrp通告的时间间隔,默认1s
#nopreempt #非抢占模式,是当主节挂了再次起来后不再抢回VIP
#两个节点的state都必须配置为BACKUP,两个节点都必须加上配置nopreempt
preempt_delay 300 #抢占式模式,节点上线后触发新选举操作的延迟时长,默认模式
authentication { #认证机制
auth_type PASS
auth_pass 1111 #仅前8位有效;PASS认证的口令以明文携带在VRRP通告中,同一网段内可被抓包获取,只能防止误配置,不能作为安全措施;1111是示例值,实际部署应更换,并把VRRP流量限制在可信网段或专用接口上
}
virtual_ipaddress {#虚拟IP
192.168.200.16
192.168.200.17
192.168.200.18
#192.168.7.248/24 dev eth0 label eth0:0 #192.168.7.248/24 不加子网掩码,默认是32
}

#track_interface {#配置监控网络接口,一旦出现故障,则转为FAULT状态实现地址转移
#eth0
#eth1
#…
#}

#track_script{
#chk_down
#}

#notify_master "/etc/keepalived/notify.sh master" #当前节点成为主节点时触发的脚本
#notify_backup "/etc/keepalived/notify.sh backup" #当前节点转为备节点时触发的脚本
#notify_fault "/etc/keepalived/notify.sh fault" #当前节点转为"失败"状态时触发的脚本
#notify "/etc/keepalived/notify.sh" #通用格式的通知触发机制,一个脚本可完成以上三种状态的转换时的通知
}


#4.虚拟服务器配置参数
virtual_server IP port #定义虚拟主机IP地址及其端口
virtual_server fwmark int #ipvs的防火墙打标,实现基于防火墙的负载均衡集群
virtual_server group string #将多个虚拟服务器定义成组,将组定义成虚拟服务

virtual_server 192.168.200.100 443 {
delay_loop 6 #检查后端服务器的时间间隔
lb_algo rr #定义调度方法 rr|wrr|lc|wlc|lblc|sh|dh
lb_kind NAT #集群的类型 NAT|DR|TUN
persistence_timeout 50 #持久连接时长
protocol TCP #指定服务协议 TCP|UDP|SCTP
#sorry_server<IPADDR> <PORT>: #所有RS故障时,备用服务器地址

real_server 192.168.201.100 443 {
weight 1 #RS权重
#notify_up <STRING>|<QUOTED-STRING> #RS上线通知脚本
#notify_down <STRING>|<QUOTED-STRING> #RS下线通知脚本
#HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK { ... } #定义当前主机的健康状态检测方法
SSL_GET {
url {
path /
digest ff20ad2481f97b1754ef3e12ecd3a9cc
}
url {
path /mrtg/
digest 9b3a0c85a887a256d6939da88aabd8cd
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}

#TCP_CHECK {
# connect_timeout 5 #连接请求的超时时长
# nb_get_retry 3
# delay_before_retry 3
# connect_port 80 #向当前RS的哪个PORT发起健康状态检测请求
# connect_ip <IP ADDRESS>: #向当前RS的哪个IP地址发起健康状态检测请求
# bindto <IP ADDRESS>: #发出健康状态检测请求时使用的源地址
# bind_port <PORT>: #发出健康状态检测请求时使用的源端口
# }

#HTTP_GET|SSL_GET {
# url{
# path <URL_PATH>: #定义要监控的URL
# status_code<INT>: #判断上述检测机制为健康状态的响应码
# digest <STRING>: #判断为健康状态的响应的内容的校验码
# }
connect_timeout<INTEGER>: #连接请求的超时时长
nb_get_retry<INT>: #重试次数
delay_before_retry<INT>: #重试之前的延迟时长
connect_ip<IP ADDRESS>: #向当前RS哪个IP地址发起健康状态检测请求
connect_port<PORT>: #向当前RS的哪个PORT发起健康状态检测请求
bindto<IP ADDRESS>: #发出健康状态检测请求时使用的源地址
bind_port<PORT>: #发出健康状态检测请求时使用的源端口
}
#HTTP_GET {
#url{
#path /index.html
#status_code200
#}
#connect_timeout 5
#nb_get_retry 3
#delay_before_retry 3
}
}

同步组

LVS NAT模型VIP和DIP需要同步,需要同步组
vrrp_sync_group VG_1 {
group {
VI_1 # name of vrrp_instance (below)
VI_2 # One for each moveable IP
}
}

vrrp_instance VI_1 {
eth0
vip
}

vrrp_instance VI_2 {
eth1
dip
}