keepalived configuration notes (translation updated over time...)

https://github.com/acassen/keepalived/blob/master/doc/keepalived.conf.SYNOPSIS

This file describes all the keywords available to Keepalived. The keepalived.conf
file consists of three configuration sections:

    * Globals configuration
    * VRRP configuration
    * LVS configuration
    * BFD configuration (Bidirectional Forwarding Detection)

0. Comments

Two comment characters are valid: start a comment with # or !.

0.1. Parameter syntax

<BOOL> takes one of on|off|true|false|yes|no, or may be omitted, in which case the default is on

0.2. Conditional configuration and config-id

1). The config-id defaults to the first part of the node name. It can be overridden with keepalived's -i or --config-id option. Any configuration line beginning with '@' is a conditional configuration line: the word following the '@' is compared with the id given by -i (or --config-id), and if it does not match, the line is ignored.

2). In addition, '@^' is a negative comparison: the line is used only when the config-id does NOT match the word that follows it.

3). The purpose of this is to let one configuration file be used on different systems, where the only differences may be the router_id, the vrrp instance priorities, and possibly the interface names.

Example:

global_defs
{
@main   router_id main_router
@backup router_id backup_router
}
...
vrrp_instance VRRP1 {
    ...
@main    unicast_src_ip 1.2.3.4
@backup  unicast_src_ip 1.2.3.5
@backup2 unicast_src_ip 1.2.3.6

    unicast_peer {
@^main        1.2.3.4
@^backup      1.2.3.5
@^backup2     1.2.3.6
    }
}

4). If keepalived is invoked with -i main (using the above configuration), or if -i is not used and the node name is of the form main.xxxx so that the config-id defaults to main, keepalived uses router_id main_router. If keepalived is invoked with -i backup, or the config-id is backup, backup_router is used. If keepalived is not invoked with -i backup and the config-id is neither main nor backup, i.e. -i was given some other value, backup_router is not used.

5). If keepalived is invoked with -i backup, or the config-id is backup, backup_router is used; if -i is not used and the node name is neither main nor backup, or -i is given some other value, router_id is not set.

6). With config-id main, the unicast peers are 1.2.3.5 and 1.2.3.6 (1.2.3.4 is excluded).
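As an added example (not part of the keepalived documentation or source), the following Python applies the '@' and '@^' rules above to the example configuration for a given config-id, so the effect of -i can be checked before a file is deployed to several nodes. The function names, the tolerance of leading whitespace before '@', and the sample text are this example's own assumptions; the sample configuration is the one shown above.

```python
"""Resolve keepalived '@config-id' conditional lines (added example, not
keepalived's own parser). Rules from section 0.2:
  @word  line  -> kept only when word == config-id
  @^word line  -> kept only when word != config-id
  other lines  -> always kept
"""
import re

# '@', optional '^', the id word, then the rest of the line.
# Assumption: leading whitespace before '@' is tolerated.
_COND = re.compile(r"^\s*@(\^?)(\S+)\s*(.*)$")

# Sample configuration, constructed from the example in section 0.2.
SAMPLE_CONF = """\
global_defs
{
@main   router_id main_router
@backup router_id backup_router
}
vrrp_instance VRRP1 {
@main    unicast_src_ip 1.2.3.4
@backup  unicast_src_ip 1.2.3.5
@backup2 unicast_src_ip 1.2.3.6
    unicast_peer {
@^main        1.2.3.4
@^backup      1.2.3.5
@^backup2     1.2.3.6
    }
}
"""


def default_config_id(node_name):
    """keepalived's default: the first dot-separated part of the node name."""
    return node_name.split(".", 1)[0]


def resolve(conf_text, config_id):
    """Return the effective configuration lines for config_id, tags stripped."""
    kept = []
    for line in conf_text.splitlines():
        m = _COND.match(line)
        if m is None:
            kept.append(line.strip())        # unconditional line
            continue
        negate, word, rest = m.groups()
        selected = (word == config_id)
        if negate:                           # '@^word': invert the comparison
            selected = not selected
        if selected:
            kept.append(rest.strip())
    return [l for l in kept if l]            # drop blank lines


def setting(lines, key):
    """All values configured for a keyword in the resolved lines."""
    values = []
    for l in lines:
        parts = l.split(None, 1)
        if parts[0] == key and len(parts) == 2:
            values.append(parts[1])
    return values


def unicast_peers(lines):
    """Addresses listed inside the unicast_peer { ... } block."""
    peers, inside = [], False
    for l in lines:
        if l.startswith("unicast_peer"):
            inside = True
        elif inside and l == "}":
            break
        elif inside:
            peers.append(l)
    return peers


if __name__ == "__main__":
    for cid in ("main", "backup", "backup2", "other"):
        lines = resolve(SAMPLE_CONF, cid)
        print(cid, setting(lines, "router_id"), unicast_peers(lines))
```

Running the script prints, for each config-id, the router_id that survives and the peers that remain; an unknown id such as "other" ends up with no router_id at all, which is exactly the case point 5) above describes.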

0.3. Scripts

Three types of script can be configured to run.

a. Notify scripts: called when a vrrp instance or vrrp group changes state, or when a virtual server goes up or down.

b. vrrp track scripts: these are called periodically. A non-zero exit code causes the vrrp instance to enter the fault state, or, if a weight is specified, the vrrp instance's priority is adjusted by that weight.

c. lvs checker misc scripts: if the script exits with a non-zero value, the real server is taken down.

By default these scripts run as user keepalived_script if that user exists, otherwise as root, unless a user/group is specified for the individual script.

To be able to be terminated by SIGTERM, all scripts must have write permission. When the parent process terminates, the script receives SIGTERM, and keepalived waits for the script to finish.

0.4 Including configuration files

This allows the configuration to be split across multiple files.

The include directive has the form:
include FILENAME


0.5 Configuration file syntax

1. Global configuration
This block has 5 sub-blocks

    * Global definitions
    * Static track groups
    * Static addresses
    * Static rules
    * Static routes

    1.1. Global definitions

    The configuration block looks like:

global_defs {                                 # block identification
    notification_email {                      # email addresses that receive alerts
       <EMAIL ADDRESS>                        # a standard email address
       <EMAIL ADDRESS>
       ...
    }
    notification_email_from <EMAIL ADDRESS>   # sender address (SMTP)
                                              #   defaults to keepalived@<local host name>
    smtp_server <ADDRESS>|<DOMAIN_NAME> [<PORT>]
                                              # SMTP server IP address or domain name
                                              #  port is optional (default 25)
    smtp_helo_name <HOST_NAME>                # name to use in the HELO message; defaults to the local host name.
    smtp_connect_timeout <INTEGER>            # connection timeout for the SMTP server
    smtp_alert <BOOL>                         # sets the default state of all smtp_alerts: send SMTP notifications on master state transitions
    smtp_alert_vrrp <BOOL>                    # sets the smtp_alert state for vrrp
    smtp_alert_checker <BOOL>                 # sets the smtp_alert state for checkers
    no_email_faults                           # don't send smtp alerts while in FAULT state
    router_id <STRING>                        # router identifier
    vrrp_garp_interval <DECIMAL>              # default interval between gratuitous ARPs, in seconds (millisecond resolution)
    vrrp_gna_interval <DECIMAL>               # default interval between IPv6 NAs, in seconds (millisecond resolution)
    vrrp_mcast_group4 <IPv4 ADDRESS>          # IPv4 multicast address used for VRRP multicast messages. Default 224.0.0.18
    vrrp_mcast_group6 <IPv6 ADDRESS>          # IPv6 multicast address used for VRRP multicast messages. Default ff02::12
    vrrp_skip_check_adv_addr <BOOL>           # default is not to skip. Normally every address in a received VRRP advert is checked; with this set, the check is skipped when the advert comes from the same master router as the previous one.
    default_interface <INTERFACE>             # default interface for static addresses, default eth0
    lvs_sync_daemon <INTERFACE> <VRRP_INSTANCE> [id <SYNC_ID>] [maxlen <LEN>] [port <PORT>] [ttl <TTL>] [group <IP ADDR>]
                                              # configures the LVS sync daemon, which synchronises LVS state.
                                              # INTERFACE: interface the sync daemon binds to.
                                              # VRRP_INSTANCE: VRRP instance the sync daemon is bound to.
                                              # id <SYNC_ID>: SYNCID used by the sync daemon; only peers with the same SYNCID synchronise. Range 0-255.
                                              # maxlen: maximum packet length. Range 1-65507
                                              # port: UDP port used for synchronisation.
                                              # group: multicast IP address
                                              # Note: maxlen, port, ttl and group require Linux 4.3 or later.
    lvs_flush                                 # flush any existing LVS configuration when keepalived starts. (not available in 1.2.7, available in 1.3.5)
    vrrp_garp_master_delay <INTEGER>          # delay in seconds before the second set of gratuitous ARPs is sent after transitioning to MASTER. Default 5s; 0 means no second set is sent. (not available in 1.2.7, available in 1.3.5)
    vrrp_garp_master_repeat <INTEGER>         # number of gratuitous ARPs sent at once in a set after transitioning to MASTER. Default 5.
    vrrp_garp_lower_prio_delay <INTEGER>      # delay in seconds before the second set of gratuitous ARPs is sent after a MASTER receives a lower-priority advert.
    vrrp_garp_lower_prio_repeat <INTEGER>     # number of gratuitous ARPs sent at once in a set after a MASTER receives a lower-priority advert.
    vrrp_garp_master_refresh <INTEGER>        # minimum interval for refreshing (resending) gratuitous ARPs once keepalived is MASTER. Default 0, meaning no refresh.
    vrrp_garp_master_refresh_repeat <INTEGER> # number of gratuitous ARPs sent per refresh once keepalived is MASTER. Default 1
    vrrp_lower_prio_no_advert [<BOOL>]        # default false. If a lower-priority advert is received, don't send any advert.
    vrrp_higher_prio_send_advert [<BOOL>]     # if we are master and receive a higher-priority advert, send an advert before transitioning to backup. This means that if the other master has garp_lower_priority_repeat set, it will resend its gratuitous ARPs. This handles the case where two masters existed and the last gratuitous ARP seen came from us.
    vrrp_version <INTEGER:2..3>               # VRRP version, default 2
    vrrp_iptables [keepalived_in [keepalived_out]] # default INPUT; specifies the iptables chains to add entries to. If not specified, nothing is added
    vrrp_ipsets ipset4 [ipset6 [ipset_if6]]   # sets the ipset names; ipsets are not used if unset. Default keepalived
                                              # if ipset6 is not given, it is the ipset name with 6 appended; if ipset_if6 is not given, it is ipset6 with the 6 removed and _if6 appended
    vrrp_check_unicast_src                    # in unicast mode, check the source address of VRRP packets: it must be one of the unicast peers.
    vrrp_strict                               # strict adherence to the VRRP protocol. The following prevent keepalived from starting: 1. no VIP addresses. 2. unicast peers. 3. IPv6 addresses with VRRP version 2 (no effect in 1.2.7, effective in 1.3.5)
    vrrp_priority <INTEGER:-20..19>           # process priority of the VRRP process.
    checker_priority <INTEGER:-20..19>        # process priority of the checker process.
    bfd_priority <INTEGER:-20..19>            # process priority of the BFD process. (BFD only exists in later versions)
    vrrp_no_swap                              # don't allow the vrrp process to be swapped out
    checker_no_swap                           # don't allow the checker process to be swapped out
    bfd_no_swap                               # don't allow the bfd process to be swapped out
    vrrp_rt_priority <INTEGER:1..99>          # use real-time scheduling at the given priority for the vrrp child process (not available in 1.3.5)
    checker_rt_priority <INTEGER:1..99>       # use real-time scheduling at the given priority for the checker child process (not available in 1.3.5)
    bfd_rt_priority <INTEGER:1..99>           # use real-time scheduling at the given priority for the bfd child process (not available in 1.3.5)
    vrrp_rlimit_rtime <INTEGER>               # CPU time limit between blocking system calls, in microseconds (default 1000)
    checker_rlimit_rtime <INTEGER>            # CPU time limit between blocking system calls, in microseconds (default 1000)
    bfd_rlimit_rtime <INTEGER>                # CPU time limit between blocking system calls, in microseconds (default 1000)
                                              #
                                              # If keepalived was built with SNMP support,
                                              # the following are available
                                              # Note: keepalived, checker and rfc support can be
                                              #   individually enabled/disabled
    snmp_socket <PROTOCOL>:<ADDRESS>[:<PORT>] # specify socket to use for connecting to SNMP master agent (default unix:/var/agentx/master)
                                              #   (see source module keepalived/vrrp/vrrp_snmp.c for more details)
    enable_snmp_vrrp                          # enable SNMP handling of vrrp element of KEEPALIVED MIB
    enable_snmp_checker                       # enable SNMP handling of checker element of KEEPALIVED MIB
    enable_snmp_rfc                           # enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
    enable_snmp_rfcv2                         # enable SNMP handling of RFC2787 VRRPv2 MIB
    enable_snmp_rfcv3                         # enable SNMP handling of RFC6527 VRRPv3 MIB
    enable_traps                              # enable SNMP trap generation
                                              #
    enable_dbus                               # enable the DBus interface
    dbus_service_name SERVICE_NAME            # DBus service name, default org.keepalived.Vrrp1
                                              # only useful if you want to run multiple keepalived processes
                                              #
    script_user USERNAME [GROUPNAME]          # default user and group for running scripts. If not specified, the default user is keepalived_script (if that user exists), otherwise root. The default group is that of the user.
    enable_script_security                    # don't run scripts as root if any part of the script path is writable by a non-root user.
    notify_fifo FIFO_NAME                     # FIFO to write notify events to. For the output format see vrrp_notify_fifo and lvs_notify_fifo; for details see the description under vrrp_sync_group, and doc/sample/sample_notify_fifo.sh for example usage.
    notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
                                              # script run by keepalived to process notify events; the FIFO name is passed to the script as the last parameter
    vrrp_notify_fifo FIFO_NAME                # FIFO to write vrrp notify events to (must differ from the other FIFO names). Each event is written as one line of the form INSTANCE "VI_1" MASTER 100, terminated by a newline. See the description under vrrp_sync_group for details of the output, and doc/sample/sample_notify_fifo.sh for example usage.
    vrrp_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
                                              # script run by keepalived to process vrrp notify events; the FIFO name is passed to the script as the last parameter
    lvs_notify_fifo FIFO_NAME                 # FIFO to write healthchecker notify events to (must differ from the other FIFO names). Each event is written as one line of the form:
                                              #   VS [192.168.201.15]:tcp:80 {UP|DOWN}
                                              #   RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 {UP|DOWN}
                                              # terminated by a newline.
    lvs_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
                                              # script to be run by keepalived to process healthchecker notify events
                                              # The FIFO name will be passed to the script as the last parameter
    dynamic_interfaces                        # allow the configuration to contain interfaces that don't exist at startup. This lets keepalived use interfaces that may be deleted and later restored, and also allows virtual and static routes and rules on VMAC interfaces


                                              # The following options are only needed for large configurations, where either
                                              # keepalived creates a large number of interfaces, or the system has a large
                                              # number of interfaces. These options only need using if
                                              # "Netlink: Receive buffer overrun" messages are seen in the system logs.
                                              # If the buffer size needed exceeds the value in /proc/sys/net/core/rmem_max
                                              #  the corresponding force option will need to be set.
    vrrp_netlink_cmd_rcv_bufs BYTES           # Set netlink receive buffer size. This is useful for
    vrrp_netlink_cmd_rcv_bufs_force <BOOL>    #  very large configurations where a large number of interfaces exist, and
    vrrp_netlink_monitor_rcv_bufs BYTES       #  the initial read of the interfaces on the system causes a netlink buffer
    vrrp_netlink_monitor_rcv_bufs_force <BOOL> # overrun.
    lvs_netlink_cmd_rcv_bufs BYTES            #  The vrrp netlink command and monitor socket and the checker command
    lvs_netlink_cmd_rcv_bufs_force <BOOL>     #  and monitor socket buffer sizes can be independently set.
    lvs_netlink_monitor_rcv_bufs BYTES        #  The force flag means to use SO_RCVBUFFORCE, so that the buffer size can
    lvs_netlink_monitor_rcv_bufs_force <BOOL> #  exceed /proc/sys/net/core/rmem_max.

                                              # When a socket is opened, the kernel configures the max rx buffer size for
                                              # the socket to /proc/sys/net/core/rmem_default. On some systems this can be
                                              # very large, and even generally this can be much larger than necessary.
                                              # This isn't a problem so long as keepalived is reading all queued data from
                                              # its sockets, but if rmem_default was set sufficiently large, and if for
                                              # some reason keepalived stopped reading, it could consume all system memory.
                                              # The vrrp_rx_bufs_policy allows configuring of the rx bufs size when the
                                              # sockets are opened. If the policy is MTU, the rx buf size is configured
                                              # to the total of interface's MTU * vrrp_rx_bufs_multiplier for each vrrp
                                              # instance using the socket. Likewise, if the policy is ADVERT, then it is
                                              # the total of each vrrp instance's advert packet size * multiplier.
                                              # If policy is set to a number, the rx buf size is configured to that number.
    vrrp_rx_bufs_policy [MTU|ADVERT|NUMBER]   # default is to use system default
    vrrp_rx_bufs_multiplier NUMBER            # default 3

    rs_init_notifies                          # Send notifies at startup for real servers that are starting up
    no_checker_emails                         # Don't send an email every time a real server checker changes state;
                                              #   only send email when a real server is added or removed
}

net_namespace NAME                            # set the network namespace
                                              # The directory /var/run/keepalived will be created as an unshared mount point,
                                              #   for example for pid files.
                                              # syslog entries will have _NAME appended to the ident.
                                              # Note: the namespace cannot be changed on a configuration reload
namespace_with_ipsets                         # ipsets wasn't network namespace aware until Linux 3.13, and so if running with
                                              # an earlier version of the kernel, by default use of ipsets is disabled if using
                                              # a namespace and vrrp_ipsets isn't specified.
                                              # This options overrides the default and allows ipsets to be used
                                              # with a namespace on kernels prior to 3.13.

instance NAME                                 # used if multiple keepalived instances run in the same namespace. pid files are created in /var/run/keepalived with the name as part of the file name. Note: the instance name cannot be changed on a configuration reload

use_pid_dir                                   # Create pid files in /var/run/keepalived

linkbeat_use_polling                          # Use media link failure detection polling fashion

child_wait_time SECS                          # Time for main process to allow for child processes to exit on termination
                                              #   in seconds (default 5). This can be needed for very large configurations.

    1.2. Static track groups

    Static track groups are used to allow vrrp instances to track static addresses,
    routes and rules. If a static address/route/rule specifies a track group, then
    if the address/route/rule is deleted, the vrrp instance will transition to backup,
    or to fault state if the address/route/rule cannot be re-added.

    The syntax for a track group is:

    track_group GROUP1 {
        group {
            VI_1
            VI_2
        }
    }

    1.3. Static addresses

    The configuration block looks like :

static_ipaddress {                            # block identification
                                              # If no dev element is specified, it defaults to the default_interface (default eth0)
                                              # The track_group specification refers to a named track_group which lists the vrrp instances which
                                              #   will track the address, i.e. if the address is deleted and cannot be restored the vrrp instances
                                              #    will transition to fault state.
                                              # no_track means that the address will not be reinstated if it is deleted
                                              # Note: the broadcast address may be specified as '-' or '+' to clear or set the host
                                              #       bits of the address.
    <IP ADDRESS>[/<MASK>] [brd <IP ADDRESS>] [dev <STRING>] [scope <SCOPE>] [label <LABEL>] [peer <IP ADDRESS>] [home] [-nodad] [mngtmpaddr] [noprefixroute] [autojoin] [track_group GROUP|no_track]
    <IP ADDRESS>[/<MASK>] ...
    ...
}

SCOPE can take the following values :
    * site
    * link
    * host
    * nowhere
    * global

    1.4. Static rules

static_rules {                                # block identification
                                              # The syntax is that same as for ip rule add, without "ip rule add"
                                              # with the addition of tunnel-id option (except shortened option names
                                              #   aren't supported due to ambiguities).
                                              # For a description of track_group and no_track, see static_addresses
                                              # NOTE: since rules without preferences can be added in different orders
                                              #   due to vrrp instances transitioning from master to backup etc, rules need
                                              #   to have a preference. If a preference is not specified, keepalived will
                                              #   assign one, but it will probably not be what you want.
    from 192.168.28.0/24 to 192.168.29.0/26 table small iif p33p1 oif wlan0 tos 22 fwmark 24/12 preference 39 realms 30/20 track_group GROUP1
    to 1:2:3:4:5:6:7:0/112 from 7:6:5:4:3:2::/96 table 6908 uidrange 10000-19999 no_track
    to 1:2:3:4:6:6:7:0/112 from 8:6:5:4:3:2::/96 l3mdev protocol 12 ip_proto UDP sport 10-20 dport 20-30
}

    1.5. Static routes

    The configuration block looks like :

static_routes {                               # block identification
                                              # The syntax is the same as ip route add, without "ip route add"
                                              #   (except shortened option names aren't supported due to ambiguities)
                                              # For a description of track_group and no_track, see static_addresses
                                              # Use "default" or "default6" to specify the default IPv4 or IPv6 route
    192.168.100.0/24 table 6909 nexthop via 192.168.101.1 dev wlan0 onlink weight 1 nexthop via 192.168.101.2 dev wlan0 onlink weight 2
    192.168.200.0/24 dev p33p1.2 table 6909 tos 0x04 protocol bird scope link priority 12 mtu 1000 hoplimit 100 advmss 101 rtt 102 rttvar 103 reordering 104 window 105 cwnd 106 ssthresh lock 107 realms PQA/0x14 rto_min 108 initcwnd 109 initrwnd 110 features ecn track_group GROUP1
    2001:470:69e9:1:2::4 dev p33p1.2 table 6909 tos 0x04 protocol bird scope link priority 12 mtu 1000 hoplimit 100 advmss 101 rtt 102 rttvar 103 reordering 104 window 105 cwnd 106 ssthresh lock 107 rto_min 108 initcwnd 109 initrwnd 110 features ecn fastopen_no_cookie 1 no_track
}

2. VRRP configuration

This block is divided into 5 sub-blocks:

    * VRRP scripts
    * VRRP track files
    * VRRP track BFDs
    * VRRP synchronization group
    * VRRP gratuitous ARP/NA intervals
    * VRRP instance

    2.1. VRRP scripts

    The configuration block looks like :

vrrp_script <STRING> {          # VRRP script declaration
    script <QUOTED_STRING>      # script to run periodically
    interval <INTEGER>          # run the script every this many seconds
    timeout <INTEGER>           # script considered failed after 'timeout' seconds
    weight <INTEGER:-253..253>  # adjust priority by this weight
    fall <INTEGER>              # required number of failures for KO switch
    rise <INTEGER>              # required number of successes for OK switch
    user USERNAME [GROUPNAME]   # specify user/group to run script under
    init_fail                   # assume script initially is in failed state
}

The script will be executed periodically, every <interval> seconds. Its exit
code will be recorded for all VRRP instances which monitor it.
Note that the script will only be executed if at least one VRRP instance
monitors it.

The default weight equals 0, which means that any VRRP instance monitoring
the script will transition to the fault state after <fall> consecutive failures
of the script. After that, <rise> consecutive successes will cause VRRP instances to
leave the fault state, unless they are also in the fault state due to other scripts
or interfaces that they are tracking.

A positive weight means that <rise> successes will add <weight> to the priority of all
VRRP instances which monitor it. On the opposite, a negative weight will be subtracted
from the initial priority in case of <fall> failures.

    2.2. VRRP track files

    The configuration block looks like:

vrrp_track_file <STRING> {      # VRRP track file declaration
    file <QUOTED_STRING>        # file to monitor
    weight <-254..254>          # default weight (default is 1)
    init_file [VALUE] [overwrite] # create the file and/or initialise the value
                                # This causes VALUE (default 0) to be written to
                                # the specified file at startup if the file doesn't
                                # exist, unless overwrite is specified in which case
                                # any existing file contents will be overwritten with
                                # the specified value.
}

The file will be read whenever it is modified. The value in the file
will be recorded for all VRRP instances and sync groups which monitor it.
Note that the file will only be read if at least one VRRP instance or
sync group monitors it.

A value will be read as a number in text form from the file. If the weight
configured against the track_file is 0, a non-zero value in the file will
be treated as a failure status, and a zero value will be treated as
an OK status; otherwise the value will be multiplied by the weight configured
in the track_file statement. If the result is less than -253, any VRRP
instance or sync group monitoring the file will transition to the fault state
(the weight can be 254 to allow for a negative value being read from the file).

If the vrrp instance or sync group is not the address owner and the result is between
-253 and 253, the result will be added to the initial priority of the VRRP instance
(a negative value will reduce the priority), although the effective priority will
be limited to the range [1,254].

If a vrrp instance using a track_file is a member of a sync group, weight 0 must
be set unless sync_group_tracking_weight is set on the group.
Likewise, if the vrrp instance is the address owner, weight 0 must also be set.
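As an added example (not keepalived source), the following Python models the two mechanisms described in 2.1 and 2.2 together: the fall/rise counting of a vrrp_script and the value-times-weight arithmetic of a vrrp_track_file, combined into the state and effective priority of one instance. It is useful for checking, before deployment, that a chosen set of weights cannot push a node into FAULT or above a peer by accident. The class and function names, the treatment of the address owner (deltas ignored), and the sample inputs are this example's own assumptions; the thresholds and ranges are those in the text.

```python
"""Model of how tracked scripts (2.1) and track files (2.2) change a VRRP
instance's state and priority. Added example, not keepalived source; the
fall/rise counting and the weight arithmetic follow the text above, the
helper and class names are this example's own."""

FAULT_FLOOR = -253           # a weighted file result below this forces FAULT
PRIO_MIN, PRIO_MAX = 1, 254  # effective priority range for a non-owner


class TrackScript:
    """Hysteresis over script exit codes: KO after <fall> consecutive
    failures, OK again after <rise> consecutive successes."""

    def __init__(self, weight=0, fall=3, rise=2, init_fail=False):
        self.weight = weight
        self.fall = fall
        self.rise = rise
        self.ok = not init_fail   # state currently reported to the instance
        self._streak = 0          # consecutive results opposing the current state

    def record(self, exit_code):
        """Feed one run's exit code; return True if the reported state flipped."""
        success = (exit_code == 0)
        if success == self.ok:
            self._streak = 0      # result agrees with the current state: reset
            return False
        self._streak += 1
        if self._streak >= (self.rise if success else self.fall):
            self.ok = success
            self._streak = 0
            return True
        return False

    def priority_delta(self):
        """Contribution to priority; None means 'force FAULT' (weight 0 and KO)."""
        if self.weight == 0:
            return 0 if self.ok else None
        if self.weight > 0:
            return self.weight if self.ok else 0        # added only while OK
        return self.weight if not self.ok else 0        # subtracted only while KO


def track_file_delta(text, weight):
    """Evaluate one track_file reading. Returns the priority delta, or None
    for FAULT. Assumption: the file holds a single integer in text form."""
    value = int(text.strip())
    if weight == 0:
        return 0 if value == 0 else None       # any non-zero value is a failure
    result = value * weight
    if result < FAULT_FLOOR:                   # e.g. weight 254 with value -1
        return None
    return result


def instance_state(initial_priority, scripts=(), files=(), address_owner=False):
    """Combine all trackers: ('FAULT', None) or ('RUN', effective priority).
    files is an iterable of (file_text, weight) pairs."""
    deltas = [s.priority_delta() for s in scripts]
    deltas += [track_file_delta(t, w) for t, w in files]
    if any(d is None for d in deltas):
        return "FAULT", None
    if address_owner:                          # assumption: owner keeps its priority untouched
        return "RUN", initial_priority
    prio = initial_priority + sum(deltas)
    return "RUN", max(PRIO_MIN, min(PRIO_MAX, prio))


if __name__ == "__main__":
    # Constructed run: a weight-0 health script failing three times in a row.
    chk = TrackScript(weight=0, fall=3, rise=2)
    for code in (1, 1, 1):
        chk.record(code)
    print(instance_state(100, scripts=[chk], files=[("2", 10)]))   # FAULT
    for code in (0, 0):
        chk.record(code)
    print(instance_state(100, scripts=[chk], files=[("2", 10)]))   # RUN, 120
```

The clamp to [1,254] is what makes large positive weights safe against overflow, while a weight of 254 paired with a negative file value is the documented way to force FAULT from a file; the test below exercises both edges.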

    2.3. BFD Configuration

    This is an implementation of RFC5880 (Bidirectional forwarding detection),
    and this can be configured to work between 2 keepalived instances, but using
    unweighted track_bfds between a master/backup pair of VRRP instances means that
    the VRRP instance will only be able to come up if both VRRP instances are running,
    which somewhat defeats the purpose of VRRP.

    This implementation has been tested with OpenBFDD (available at
    https://github.com/dyninc/OpenBFDD).

    The configuration block looks like :

bfd_instance <STRING> {
    neighbor_ip <IP ADDRESS>           # BFD Neighbor IP (synonym neighbour_ip)
    source_ip <IP ADDRESS>             # Source IP to use (optional)
    min_rx <INTEGER>                   # Required min RX interval, in ms
                                       # (default is 10 ms)
    min_tx <INTEGER>                   # Desired min TX interval, in ms
                                       # (default is 10 ms)
    idle_tx <INTEGER>                  # Desired idle TX interval, in ms
                                       # (default is 1000 ms)
    multiplier <INTEGER>               # Number of missed packets after
                                       # which the session is declared down
                                       # (default is 5)
    passive                            # Operate in passive mode (default is active)
    ttl <INTEGER 0..255>               # outgoing IPv4 ttl to use (default 255)
    hoplimit <INTEGER 0..255>          # outgoing IPv6 hoplimit to use (default 64)
    max_hops <INTEGER 0..255>          # maximum reduction of ttl/hoplimit in received packet (default 0)
                                       #   (255 disables hop count checking)
    weight                             # Default tracking weight
    vrrp|checker                       # Only notify vrrp or checker process. Default is notify both.
}

    2.4. VRRP synchronization group

    The configuration block looks like :

vrrp_sync_group <STRING> {      # VRRP sync group declaration
    group {                     # group of instance to sync together
      <STRING>                  #   a
      <STRING>                  #       set
      ...                       #             of VRRP_Instance string
    }
    global_tracking             # DEPRECATED. Use track_interface, track_script and
                                # track_file on vrrp_sync_groups instead.
    sync_group_tracking_weight  # allow sync groups to use differing weights. This
                                # probably WON'T WORK, but is a replacement for
                                # global_tracking in case different weights were used
                                # across different vrrp instances in the same sync
                                # group.
    track_interface {           # Interfaces state we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_script {              # Scripts state we monitor
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_file {                # Files state we monitor
      <STRING>          # weight defaults to value configured in the vrrp_track_file
      <STRING> weight <INTEGER: -254..254>
      ...
    }
    track_bfd {                 # BFD instance we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER: -253..253>
      ...
    }

                                # The username and groupname specify the user and group
                                # under which the scripts should be run. If username is
                                # specified, the group defaults to the group of the user.
                                # If username is not specified, they default to the
                                # global script_user and script_group
    notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during MASTER transit
    notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during BACKUP transit
    notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during FAULT transit
    notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to launch when stopping vrrp
    notify <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during ANY state transit (1)
    smtp_alert <BOOL>           # Send email notification during state transit
                                #   (default no, unless global smtp_alert/smtp_alert_vrrp set)
}

    Synchronization group tracking scripts and files will update
    the status/priority of all VRRP instances which are members of
    the sync group.

(1) The "notify" script is called AFTER the corresponding notify_* script has
    been called, and is given 4 additional arguments following the configured
    arguments:

    $(n-3) = A string indicating whether it's a "GROUP" or an "INSTANCE"
    $(n-2) = The name of said group or instance
    $(n-1) = The state it's transitioning to ("MASTER", "BACKUP", "FAULT" or "STOP")
    $(n)   = The priority value

    $(n-3) and $(n-1) are ALWAYS sent in uppercase, and the possible strings sent are the
    same ones listed above ("GROUP"/"INSTANCE", "MASTER"/"BACKUP"/"FAULT"/"STOP")
    (note: STOP is only applicable to instances)

Important: for a SYNC group to run reliably, it is vital that all instances in
           the group are MASTER or that they are all either BACKUP or FAULT. A
           situation with half the instances having higher priority on machine A
           and the other half having higher priority on machine B will lead to constant
           re-elections. For this reason, when instances are grouped, any
           track scripts/files configured against member VRRP instances will have
           their tracking weights automatically set to zero, in order to avoid
           inconsistent priorities across instances.

(2) The notify fifo output is the same as the last 4 parameters for the "notify"
    script, with the addition of "MASTER_RX_LOWER_PRI" instead of state for an
    instance. This is used if a master needs to set some external state, such as
    setting a secondary IP address when using Amazon AWS; if another keepalived
    has transitioned to master due to a communications break, the lower priority
    instance will have taken over the secondary IP address, and the proper master
    needs to be able to restore it.
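As an added example (not part of keepalived or its sample scripts), the following Python decodes both forms of notification described here: the trailing four arguments passed to a "notify" script (note (1)) and the lines written to vrrp_notify_fifo and lvs_notify_fifo (global_defs in 1.1 and note (2)), including the MASTER_RX_LOWER_PRI event. Folding the lines into a last-known-state table is the core of a small monitor that can raise an alert on a real server that flaps or on a split master. The class and function names and the sample FIFO content are this example's own; the line formats are those documented on this page.

```python
"""Parser for keepalived notify events: the trailing four arguments given to a
"notify" script (note (1) above) and the lines written to vrrp_notify_fifo /
lvs_notify_fifo (global_defs in 1.1 and note (2) above). Added example, not
part of keepalived; the class and function names are this example's own."""
import re
import shlex
from dataclasses import dataclass

VRRP_KINDS = ("INSTANCE", "GROUP")
VRRP_STATES = ("MASTER", "BACKUP", "FAULT", "STOP", "MASTER_RX_LOWER_PRI")
# LVS endpoint as written to the FIFO: [address]:protocol:port
_ENDPOINT = re.compile(r"^\[(?P<addr>[^\]]+)\]:(?P<proto>[A-Za-z]+):(?P<port>\d+)$")


@dataclass(frozen=True)
class VrrpEvent:
    kind: str        # "INSTANCE" or "GROUP"
    name: str
    state: str       # one of VRRP_STATES
    priority: int


@dataclass(frozen=True)
class LvsEvent:
    kind: str        # "VS" or "RS"
    server: tuple    # (addr, proto, port): the RS, or the VS itself for VS events
    virtual: tuple   # (addr, proto, port) of the virtual server
    up: bool


def _endpoint(token):
    m = _ENDPOINT.match(token)
    if m is None:
        raise ValueError(f"bad LVS endpoint: {token!r}")
    return (m.group("addr"), m.group("proto"), int(m.group("port")))


def parse_notify_args(argv):
    """Decode the last four arguments of a 'notify' script invocation."""
    kind, name, state, prio = argv[-4:]
    if kind not in VRRP_KINDS or state not in VRRP_STATES:
        raise ValueError(f"unexpected notify arguments: {argv[-4:]!r}")
    if kind == "GROUP" and state == "STOP":
        raise ValueError("STOP is only sent for instances")
    return VrrpEvent(kind, name, state, int(prio))


def parse_fifo_line(line):
    """Decode one FIFO line: a VrrpEvent, an LvsEvent, or None for a blank line."""
    fields = shlex.split(line)           # handles the quoted instance name
    if not fields:
        return None
    if fields[0] in VRRP_KINDS:
        if len(fields) != 4:
            raise ValueError(f"malformed VRRP event: {line!r}")
        return parse_notify_args(fields)
    if fields[0] == "VS" and len(fields) == 3 and fields[2] in ("UP", "DOWN"):
        vs = _endpoint(fields[1])
        return LvsEvent("VS", vs, vs, fields[2] == "UP")
    if fields[0] == "RS" and len(fields) == 4 and fields[3] in ("UP", "DOWN"):
        return LvsEvent("RS", _endpoint(fields[1]), _endpoint(fields[2]), fields[3] == "UP")
    raise ValueError(f"unrecognised FIFO line: {line!r}")


def fold_events(lines):
    """Replay FIFO lines into the last known state of every instance, group,
    virtual server and real server (what a monitor would keep in memory)."""
    vrrp, lvs = {}, {}
    for ev in filter(None, map(parse_fifo_line, lines)):
        if isinstance(ev, VrrpEvent):
            vrrp[(ev.kind, ev.name)] = ev.state
        else:
            lvs[(ev.kind, ev.server, ev.virtual)] = ev.up
    return vrrp, lvs


# Constructed sample of FIFO output, in the formats documented above.
SAMPLE_FIFO = """\
INSTANCE "VI_1" BACKUP 100
INSTANCE "VI_1" MASTER 100
GROUP "G1" MASTER 100
VS [192.168.201.15]:tcp:80 UP
RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 UP
RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 DOWN
INSTANCE "VI_1" MASTER_RX_LOWER_PRI 100
"""

if __name__ == "__main__":
    vrrp, lvs = fold_events(SAMPLE_FIFO.splitlines())
    for key, state in vrrp.items():
        print(key, state)
    for key, is_up in lvs.items():
        print(key, "UP" if is_up else "DOWN")
```

In a real deployment the lines come from reading the FIFO named by vrrp_notify_fifo or lvs_notify_fifo; a MASTER_RX_LOWER_PRI entry for an instance that is already MASTER is the signal described in note (2) that another node has taken the address and external state should be restored.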

    2.5. VRRP gratuitous ARP/NA intervals

    This section allows the setting of delays between sending gratuitous ARPs
    and unsolicited neighbour advertisements. This is intended for when an
    upstream switch is unable to handle being flooded with ARPs/NAs.

    Use interface when the limits apply on the single physical interface.
    Use interfaces when a group of interfaces are linked to the same switch
    and the limits apply to the switch as a whole.

    Note: Only one of interface or interfaces should be used per block.

garp_group {
    garp_interval <DECIMAL>     # Sets the interval between Gratuitous ARP
                                #   (in seconds, resolution microseconds)
    gna_interval <DECIMAL>      # Sets the default interval between unsolicited NA
                                #   (in seconds, resolution microseconds)
    interface <STRING>          # The physical interface to which the intervals apply
    interfaces {                # A list of interfaces across which the delays are
        <STRING>                #   aggregated.
        <STRING>
        ...
    }
}

    If the global vrrp_garp_interval and/or vrrp_gna_interval are set, any
    interfaces that aren't specified in a garp_group will inherit the global
    settings.

    2.6. VRRP instance

    The configuration block looks like :

vrrp_instance <STRING> {                      # VRRP instance declaration
    use_vmac [<NAME>]                         # Use VRRP Virtual MAC, optional NAME of interface
                                              # NOTE: If sysctl net.ipv4.conf.all.rp_filter is set,
                                              # and this vrrp_instance is an IPv4 instance, using
                                              # this option will cause the individual interfaces to be
                                              # updated to the greater of their current setting and
                                              # all.rp_filter, as will default.rp_filter, and all.rp_filter
                                              # will be set to 0.
                                              # The original settings are restored on termination.
    version <INTEGER:2..3>                    # VRRP version to use
    vmac_xmit_base                            # Send/Recv VRRP messages from base
                                              #  interface instead of VMAC interface
    native_ipv6                               # Force instance to use IPv6 (this option is deprecated since
                                              #   the virtual addresses determine whether IPv4 or IPv6 is used)
    state MASTER|BACKUP                       # Start-up default state
    interface <STRING>                        # Binding interface
    accept                                    # Allow a non address-owner to process packets
                                              # destined to VIPs and eVIPs. This is the default
                                              # unless strict mode is set.
    no_accept                                 # Set non-accept mode (default if strict mode)
                                              #
    skip_check_adv_addr [BOOL]                # See description of global vrrp_skip_check_adv_addr, which
                                              # sets the default value. Defaults to vrrp_skip_check_adv_addr

    track_interface {                         # Interfaces state we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_script {                            # Scripts state we monitor
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_file {                              # Files state we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER: -254..254>
      ...
    }
    track_bfd {                               # BFD instance we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER: -253..253>
      ...
    }
    dont_track_primary                        # (default unset) ignore VRRP interface faults.
                                              #  useful for cross-connect VRRP config.
    mcast_src_ip <IP ADDRESS>                 # src_ip to use into the VRRP packets
    unicast_src_ip <IP ADDRESS>               # src_ip to use into the VRRP packets (alias to mcast_src_ip)
    track_src_ip                              # if the configured src_ip doesn't exist or is removed
                                              # put the instance into fault state
    unicast_peer {                            # Do not use multicast, instead send VRRP
      <IP ADDRESS>                            #  adverts to following list of ip address
      ...                                     #  in unicast design fashion
    }
    old_unicast_checksum [never]              # The checksum calculation when using VRRPv3 changed after v1.3.6.
                                              #  Setting this flag forces the old checksum algorithm to be used
                                              #  to maintain backward compatibility, although keepalived will
                                              #  attempt to maintain compatibility anyway if it sees an old
                                              #  version checksum. Specifying never will turn off autodetection
                                              #  of old checksums. [This option may not be enabled - check output
                                              #  of `keepalived -v` for OLD_CHKSUM_COMPAT.]

    # The following garp parameters take their defaults from the global config for vrrp_garp_...
    # See their descriptions for the meaning of the parameters.
    garp_master_delay <INTEGER>
    garp_master_repeat <INTEGER>
    garp_lower_priority_delay <INTEGER>
    garp_lower_priority_repeat <INTEGER>
    garp_master_refresh <INTEGER>
    garp_master_refresh_repeat <INTEGER>

    virtual_router_id <INTEGER-1..255>        # VRRP VRID
    priority <INTEGER-1..255>                 # VRRP PRIO
    advert_int <FLOAT>                        # VRRP Advert interval (use default)

    lower_prio_no_advert [<BOOL>]             # If a lower priority advert is received, don't
                                              # send another advert. This causes adherence
                                              # to the RFCs (defaults to global
                                              # vrrp_lower_priority_dont_send_advert).

    higher_prio_send_advert [<BOOL>]          # If we are master and receive a higher priority
                                              # advert, send an advert (which will be lower priority
                                              # than the other master), before we transition to
                                              # backup. This means that if the other master has
                                              # garp_lower_priority_repeat set, it will resend garp
                                              # messages. This is to get around the problem of there
                                              # having been two simultaneous masters, and the last GARP
                                              # messages seen were from us.

    # Note: authentication was removed from the VRRPv2 specification by RFC3768 in 2004.
    #   Use of this option is non-compliant and can cause problems; avoid using if possible,
    #   except when using unicast, when it can be helpful.
    authentication {                          # Authentication block
        auth_type PASS|AH                     # Simple password or IPSEC AH
        auth_pass <STRING>                    # Password string (up to 8 characters)
    }
    # For virtual_ipaddress and virtual_ipaddress_excluded most of the options match the options
    #   of the command ip address add, likewise for virtual_routes and virtual_rules and the
    #   respective ip route/rule add commands. no_track is specific to keepalived and means that the
    #   vrrp_instance will not transition out of master state if the address/route/rule is deleted
    #   and the address/route/rule will not be reinstated until the vrrp instance next transitions
    #   to master.
    # The track_group option only applies to static addresses/routes/rules.

    virtual_ipaddress {                       # VRRP IP address block
        <IP ADDRESS>[/<MASK>] [brd <IP ADDRESS>] [dev <STRING>] [scope <SCOPE>] [label <LABEL>] [peer <IP ADDRESS>] [home] [-nodad] [mngtmpaddr] [noprefixroute] [autojoin] [no_track]
        <IP ADDRESS>[/<MASK>] ...
        ...
    }
    virtual_ipaddress_excluded {              # VRRP IP excluded from VRRP packets
        <IP ADDRESS>[/<MASK>] [brd <IP ADDRESS>] [dev <STRING>] [scope <SCOPE>] [label <LABEL>] [peer <IP ADDRESS>] [home] [-nodad] [mngtmpaddr] [noprefixroute] [autojoin] [no_track]
        <IP ADDRESS>[/<MASK>] ...
        ...
    }
    promote_secondaries                       # Set the promote_secondaries flag on the interface to stop other
                                              # addresses in the same CIDR being removed when 1 of them is removed
    virtual_routes {                          # VRRP virtual routes
                                              # The syntax is the same as static_routes with the additional option [no_track]
                                              #   and excluding track_group.
    }
    virtual_rules {                           # VRRP virtual rules
                                              # The syntax is the same as static_rules with the additional option [no_track]
                                              #   and excluding track_group.
    }

    nopreempt                                 # Override VRRP RFC preemption default
    preempt_delay <FLOAT>                     # Seconds after startup or seeing a lower priority master
                                              #  until preemption. 0 (default) to 1,000
    strict_mode [<BOOL>]                      # See description of global vrrp_strict
                                              # If strict_mode is not specified, it takes the value of vrrp_strict
                                              # If strict_mode without a parameter is specified, it defaults to on
    debug <LEVEL>                             # Debug level. LEVEL is a number in the range 0 to 4.
    notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to launch when stopping vrrp
    notify <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_master_rx_lower_pri <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to run if a master receives a lower priority advert
    smtp_alert <BOOL>                         # Same as vrrp_sync_group
                                              #   (default no, unless global smtp_alert/smtp_alert_vrrp set)
    kernel_rx_buf_size                        # Set socket receive buffer size (see global_defs
                                              #   vrrp_rx_bufs_policy for explanation)
}

SCOPE can take the following values :
    * site
    * link
    * host
    * nowhere
    * global

LABEL is optional and creates a name for the alias. For compatibility with
"ifconfig", it should be of the form <realdev>:<anytext>, for example
eth0:1 for an alias on eth0.

METRIC is optional and specifies a route priority.

When a weight is specified in track_interface, instead of setting the vrrp
instance to the FAULT state in case of failure, its priority will be
increased by the weight when the interface is up (for positive weights),
or decreased by the weight's absolute value when the interface is down
(for negative weights). The weight must be between -254 and +254
inclusive. 0 is the default behaviour, which means that a failure implies a
FAULT state. The common practice is to use positive weights to count a
limited number of good services so that the server with the highest count
becomes master. Negative weights are better for counting unexpected failures
among a high number of interfaces, as the priority will not saturate even
with a high number of interfaces.

The same principle can be applied to track_script entries, except that an
unspecified weight means that the default weight declared in the script
will be used (which itself defaults to 0).
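The weight rules above, worked through in code. This is an added example written for this page, not keepalived's own priority code: it takes a base priority and a list of tracked objects (interface, script, file or BFD instance) with the weight and up/down state each one currently has, and returns the effective priority or FAULT. Clamping the result to 1..254 and leaving a priority-255 address owner untouched are assumptions of the example; the synopsis does not state them.

```python
"""Effective VRRP priority under track_* weights (constructed example)."""
from dataclasses import dataclass
from typing import List, Union

FAULT = "FAULT"  # returned when a weight-0 tracker has failed


@dataclass
class Tracked:
    name: str
    up: bool
    weight: int = 0  # 0 (default): a failure puts the instance into FAULT state


def effective_priority(base_priority: int, trackers: List[Tracked]) -> Union[int, str]:
    """Apply the synopsis rules:
      * weight 0        -> any failure means FAULT
      * positive weight -> added to the priority while the object is up
      * negative weight -> its absolute value is subtracted while the object is down
    The clamp to 1..254 and the address-owner special case are assumptions
    of this example, not statements from the synopsis.
    """
    if not 1 <= base_priority <= 255:
        raise ValueError("priority must be in 1..255")
    if base_priority == 255:
        return 255  # address owner: assumed not to be adjusted by tracking weights

    priority = base_priority
    for t in trackers:
        if not -254 <= t.weight <= 254:
            raise ValueError(f"{t.name}: weight must be in -254..254")
        if t.weight == 0:
            if not t.up:
                return FAULT
        elif t.weight > 0 and t.up:
            priority += t.weight
        elif t.weight < 0 and not t.up:
            priority += t.weight  # weight is negative, so this subtracts abs(weight)
    return max(1, min(254, priority))  # assumed clamp


def count_good_services(base_priority: int, services_up: List[bool], weight: int = 10) -> Union[int, str]:
    """The 'positive weights count good services' practice: one tracker per
    service, each adding the same weight while it is up."""
    trackers = [Tracked(f"svc{i}", up, weight) for i, up in enumerate(services_up)]
    return effective_priority(base_priority, trackers)


if __name__ == "__main__":
    # Two routers with the same base priority; the one with more services up wins.
    print("router A:", count_good_services(100, [True, True, False]))   # 120
    print("router B:", count_good_services(100, [True, True, True]))    # 130
    print("weight-0 failure:", effective_priority(100, [Tracked("eth1", False)]))  # FAULT
```

Note that with negative weights a tracker only matters while it is down, so a router with many healthy interfaces keeps its base priority rather than climbing towards the clamp; that is the saturation point the text makes.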


3. LVS configuration

This block is divided into the following sub-blocks :

    * Virtual server group
    * Virtual server
    * SSL config

    3.1. Virtual server group

    The configuration block looks like :

virtual_server_group <STRING> {
    <IP ADDRESS> <PORT>         # VIP VPORT
    <IP ADDRESS> <PORT>
    ...
    <IP ADDRESS RANGE> <PORT>   # VIP range VPORT
    <IP ADDRESS RANGE> <PORT>
    ...
    fwmark <INTEGER>            # fwmark
    fwmark <INTEGER>
    ...
}

Note:   <IP ADDRESS RANGE> has the form XXX.YYY.ZZZ.WWW-VVV, which defines
        the IP address range starting at WWW and monotonically incremented by
        one up to VVV. Example : 192.168.200.1-10 means the .1 to .10 IP addresses.

    3.2. Virtual server

    The configuration block looks like :

    A virtual_server can be either :
    * vip vport declaration
    * fwmark declaration
    * group declaration

    Note: Where an option can be configured for a virtual server, real server,
    and possibly checker, the virtual server setting is the default for real servers,
    and the real server setting is the default for checkers.

    Note 2: Tunnelled real/sorry servers can differ from the address family of
    the virtual server and non tunnelled real/sorry servers, which all have to be the
    same. If a virtual server uses a fwmark, and all the real/sorry servers are
    tunnelled, the address family of the virtual server will be the same as the
    address family of the real/sorry servers if they are all the same, otherwise
    it will default to IPv4 (use ip_family inet6 to override this).

virtual_server <IP ADDRESS> <PORT> {          # VS IP/PORT declaration
virtual_server fwmark <INTEGER>    {          # VS fwmark declaration
virtual_server group <STRING>      {          # VS group declaration
    ip_family inet|inet6                      # Address family
    delay_loop <INTEGER>                      # delay timer for service polling
    lvs_sched rr|wrr|lc|wlc|lblc|sh|dh|fo|ovf|lblcr|sed|nq
                                              # LVS scheduler used
    hashed                                    # Apply hashing
    flag-1                                    # Apply scheduler flag 1
    flag-2                                    # Apply scheduler flag 2
    flag-3                                    # Apply scheduler flag 3
    sh-port                                   # Apply sh-port scheduler flag (only for sh scheduler,
                                              #  same as flag-2 for sh scheduler)
    sh-fallback                               # Apply sh-fallback scheduler flag (only for sh scheduler,
                                              #  same as flag-1 for sh scheduler)
    ops                                       # Apply One-Packet-Scheduling (only for UDP)
    lvs_method NAT|DR|TUN                     # default LVS method to use
    persistence_engine <STRING>               # LVS persistence engine name
    persistence_timeout [<INTEGER>]           # LVS persistence timeout, default 6 minutes
    persistence_granularity <NETMASK>         # LVS granularity mask
    protocol TCP|UDP|SCTP                     # L4 protocol
    ha_suspend                                # If VS IP address is not set, suspend
                                              #  healthcheckers activity
    virtualhost <STRING>                      # Default VirtualHost string to use for
                                              #  HTTP_GET or SSL_GET

    # Assume silently all RSs down and healthchecks
    # failed on start. This helps prevent false
    # positive actions on startup. Alpha mode is
    # disabled by default.
    alpha

    # On daemon shutdown, consider quorum and RS
    # down notifiers for execution, where appropriate.
    # Omega mode is disabled by default.
    omega

    # Minimum total weight of all live servers in
    # the pool necessary to operate VS with no
    # quality regression. Defaults to 1.
    quorum <INT>

    # Tolerate this much weight units compared to the
    # nominal quorum, when considering quorum gain
    # or loss. A flap dampener. Defaults to 0.
    hysteresis <INT>

    # Script to launch when quorum is gained.
    quorum_up <STRING>|<QUOTED-STRING> [username [groupname]]

    # Script to launch when quorum is lost.
    quorum_down <STRING>|<QUOTED-STRING> [username [groupname]]

    sorry_server <IP ADDRESS> <PORT>          # RS to add to LVS topology when the
                                              #  quorum isn't achieved.
                                              #  If a sorry server is configured, all
                                              #  real servers will be brought down when
                                              #  the quorum is not achieved.
    sorry_server_inhibit                      # applies inhibit_on_failure behaviour
                                              # to the sorry_server
    sorry_server_lvs_method NAT|DR|TUN        # LVS method to use for sorry server

    retry <INTEGER>                           # number of retries before fail
    delay_before_retry <INTEGER>              # delay before retry (default 1 unless otherwise specified)
    warmup <INTEGER>                          # random delay for maximum N seconds
    delay_loop <INTEGER>                      # delay timer for service polling
    inhibit_on_failure                        # Set weight to 0 on healthchecker failure
    smtp_alert <BOOL>                         # Send email notification when quorum gained/lost
                                              #   (default no, unless global smtp_alert/smtp_alert_checker set)

    real_server <IP ADDRESS> <PORT> {         # RS declaration
        weight <INTEGER>                      # weight to use (default: 1)
        lvs_method NAT|DR|TUN                 # LVS method to use
        notify_up <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to launch when the
                                              #  healthchecker considers the service
                                              #  as up.
        notify_down <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to launch when the
                                              #  healthchecker considers the service
                                              #  as down.
        uthreshold <INTEGER>                  # maximum number of connections to server
        lthreshold <INTEGER>                  # minimum number of connections to server
        alpha <BOOL>                          # see above
        retry <INTEGER>                       # see above
        delay_before_retry <INTEGER>          # see above
        warmup <INTEGER>                      # see above
        delay_loop <INTEGER>                  # see above
        inhibit_on_failure <BOOL>             # see above
        smtp_alert <BOOL>                     # Send email notification when quorum gained/lost
                                              #   (default yes, unless global smtp_alert/smtp_alert_checker set)
        virtualhost <STRING>                  # Default VirtualHost string to use for
                                              #  HTTP_GET or SSL_GET (overrides
                                              #  virtual_server virtualhost)

        # healthcheckers. Can be multiple of each type
        # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|DNS_CHECK|MISC_CHECK|BFD_CHECK

        # All checkers have the following options, except MISC_CHECK which only has alpha onwards,
        #  and BFD_CHECK which has no standard options:
        CHECKER_TYPE {
            connect_ip <IP ADDRESS>           # IP address to connect (default real_server address)
            connect_port <PORT>               # Port to connect (default real_server port)
            bindto <IP ADDRESS>               # IP address to bind to
            bind_if <IFNAME>                  # Interface to bind to; needed if the bindto
                                              #  address is IPv6 link local
            bind_port <PORT>                  # Port to bind to
            connect_timeout <INTEGER>         # Timeout connection
            fwmark <INTEGER>                  # fwmark to set on socket (SO_MARK)
            alpha <BOOL>                      # see above
            retry <INTEGER>                   # number of retries before fail
            delay_before_retry <INTEGER>      # delay before retry (default 1 unless otherwise specified)
            warmup <INTEGER>                  # random delay for maximum N seconds
            delay_loop <INTEGER>              # delay timer for service polling
        }

        # The following options are additional checker specific

        HTTP_GET|SSL_GET {                    # HTTP and SSL healthcheckers
            url {                             # A set of url to test
              path <STRING>                   # Path
              digest <STRING>                 # Digest computed with genhash
              status_code <INTEGER>           # status code returned into the HTTP
                                              #   header. If not specified, then any
                                              #   2xx code is accepted.
              virtualhost <STRING>            # VirtualHost string to use. If not set
                                              #  uses virtualhost from checker or real
                                              #  or virtual_server.
            }
            url {
              path <STRING>
              digest <STRING>
              status_code <INTEGER>
              virtualhost <STRING>
            }
            ...

            virtualhost <STRING>              # VirtualHost string to use. If not set
                                              #  uses virtualhost from real or
                                              #  virtual_server.
        }

        SSL_GET {
            enable_sni            # send Server Name Indication during SSL handshake
        }

        TCP_CHECK {                           # TCP healthchecker
            # No additional options
        }

        SMTP_CHECK {                          # SMTP healthchecker
            helo_name <STRING>|<QUOTED-STRING> # Host to use for the HELO request
        }

        DNS_CHECK {                           # DNS healthchecker
            type A|NS|CNAME|SOA|MX|TXT|AAAA   # DNS query type (default SOA)
            name <STRING>                     # Domain name to use for the DNS query
        }

        MISC_CHECK {                          # MISC healthchecker
            misc_path <STRING>|<QUOTED-STRING> # External system script or program
            misc_timeout <INTEGER>            # Script execution timeout

            # If set, exit code from healthchecker is used
            # to dynamically adjust the weight as follows:
            #   exit status 0: svc check success, weight
            #     unchanged.
            #   exit status 1: svc check failed.
            #   exit status 2-255: svc check success, weight
            #     changed to 2 less than exit status.
            #   (for example: exit status of 255 would set
            #     weight to 253)
            # NOTE: do not have more than one dynamic MISC_CHECK per real_server.
            misc_dynamic
            user USERNAME [GROUPNAME]         # Specify user/group to run script under
        }
        BFD_CHECK {
            name <STRING>                     # the name of the bfd instance
        }
    }
}
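The MISC_CHECK exit-status mapping above, with and without misc_dynamic, as an added example written for this page rather than keepalived's checker code. It maps a status to up/down and a new weight, and wraps an external command the way misc_path and misc_timeout are used: the command is killed when it overruns the timeout and that is treated as a failed check (an assumption of the example). The "scripts" are constructed: the Python interpreter exiting with a chosen status, so it runs with no real service behind it.

```python
"""MISC_CHECK exit status -> real server state/weight (constructed example)."""
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class CheckResult:
    up: bool
    weight: int      # weight the real server should carry after this check
    reason: str


def interpret_exit_status(status: Optional[int], current_weight: int, dynamic: bool) -> CheckResult:
    """Synopsis rules. Without misc_dynamic: 0 = success, anything else = failure.
    With misc_dynamic:
      0      -> success, weight unchanged
      1      -> failure
      2..255 -> success, weight becomes status - 2 (255 -> 253)
    None models a script killed on misc_timeout (assumed to be a failure)."""
    if status is None:
        return CheckResult(False, current_weight, "timeout")
    if status == 0:
        return CheckResult(True, current_weight, "exit 0")
    if not dynamic:
        return CheckResult(False, current_weight, f"exit {status}")
    if status == 1 or status < 0 or status > 255:
        # 1 is the documented failure code; a negative returncode means the
        # script died from a signal and is treated the same way here.
        return CheckResult(False, current_weight, f"exit {status}")
    return CheckResult(True, status - 2, f"exit {status} -> weight {status - 2}")


def run_misc_check(argv: Sequence[str], timeout_s: float,
                   current_weight: int, dynamic: bool) -> CheckResult:
    """Run the external program like a MISC_CHECK would: enforce the timeout,
    then map its exit status."""
    try:
        proc = subprocess.run(list(argv), timeout=timeout_s, capture_output=True)
        status: Optional[int] = proc.returncode
    except subprocess.TimeoutExpired:
        status = None  # subprocess.run has already killed the child
    return interpret_exit_status(status, current_weight, dynamic)


# Constructed stand-ins for misc_path scripts
def fake_script(exit_status: int) -> List[str]:
    return [sys.executable, "-c", f"raise SystemExit({exit_status})"]


def slow_script(seconds: float) -> List[str]:
    return [sys.executable, "-c", f"import time; time.sleep({seconds})"]


if __name__ == "__main__":
    for code in (0, 1, 2, 255):
        r = run_misc_check(fake_script(code), timeout_s=5, current_weight=1, dynamic=True)
        print(f"exit {code:3d}: up={r.up} weight={r.weight} ({r.reason})")
    r = run_misc_check(slow_script(5), timeout_s=0.5, current_weight=1, dynamic=True)
    print(f"slow script: up={r.up} ({r.reason})")
```

The note in the synopsis about not having more than one dynamic MISC_CHECK per real_server follows directly from this mapping: two dynamic checkers would each overwrite the server's weight with their own status - 2.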

    3.3. SSL config

    Parameters used for SSL_GET check.
    If none of the parameters is specified, the SSL context will be auto generated.

SSL {
    password <STRING>           # password
    ca <STRING>                 # ca file
    certificate <STRING>        # certificate file
    key <STRING>                # key file
}

Reprinted from blog.csdn.net/u012570105/article/details/81266265