keepalived problem statement and configuration

  1. Background: a host normally reaches outside networks through a gateway. If that gateway fails, every host that uses it as its default gateway loses external connectivity. Changing the gateway by hand on each host creates endless work for the network administrator, so the gateway itself needs a backup.

  2. VRRP (Virtual Router Redundancy Protocol) is a fault-tolerance protocol: when a host's next-hop router fails, another router in the group takes over the failed router's forwarding work so that network communication stays continuous and reliable. Related terms:
    Virtual router: a group made up of one Master router and several Backup routers; hosts use the virtual router as their default gateway.
    VRID: identifies the virtual router; the routers that share a VRID form one virtual router.
    Master: the router that currently forwards packets on behalf of the virtual router.
    Backup: a router that takes over the Master's work when the Master fails.
    Virtual IP address: a virtual router can own one or more IP addresses.
    IP address owner: the router whose interface IP address is the same as the virtual router's IP address.
    Virtual MAC address: each virtual router has a virtual MAC address of the form 00-00-5E-00-01-VRID; the Master answers ARP requests with this virtual MAC address.
    Priority: the value VRRP uses to decide the role of each router within the virtual router.

  3. Virtual router: a group of VRRP routers on one LAN forms a VRRP backup group, which behaves as a single virtual router identified by its VRID.

  4. VRRP working process: (1) the Master router sends gratuitous ARP packets to tell the connected devices and hosts its virtual MAC address, and from then on it handles packet forwarding; (2) gratuitous ARP is an ARP request for the sender's own address: when a router takes over the virtual IP it broadcasts this ARP on its own initiative, the clients update their ARP caches, and the hosts on the network never notice that the Master role has moved to another device.

  5. VRRP Master election mechanism:
    (1) If a received VRRP packet carries a higher priority than the router's own, the router stays in the Backup state.
    Normally the main router is in the Master state and the backup router in the Backup state.
    Master and Backup must communicate in real time: the Master periodically sends VRRP advertisements announcing its configuration (priority and so on) and its working state within the virtual router. A Backup router judges from the received packets whether the Master is still working properly. The VRRP state-reporting mechanism is, in brief:

    VRRP advertisement interval timer:
    I. If a Backup router has waited three advertisement intervals and still has not received a VRRP advertisement, it considers itself the Master, sends out VRRP advertisements, and the Master is re-elected.
    II. If the Master finds that its own link has failed, it gives up the Master role on its own initiative.

    VRRP preemption delay timer:
    I. On an unstable network a Backup router may fail to receive the Master's advertisement within Master_Down_Interval because of congestion, and then preempt the Master role; if the original Master's packets arrive after that, the members of the virtual router keep preempting each other. To prevent frequent state changes among the group members a preemption delay timer was introduced: a router does not preempt as soon as the interval timer expires, but waits for the delay timer to run out as well before it preempts and becomes Master.
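As an added example (not from the original post), the following Python model covers what sections 2 to 5 describe: the virtual MAC derived from the VRID, the Master_Down_Interval a Backup waits before re-electing, and a parser that validates a VRRPv2 advertisement (version/type, length, checksum) before a Backup acts on the priority it carries. The sample packet is constructed to match the VI_1 instance on this page (VRID 10, priority 100, VIP 172.16.254.35, PASS authentication); the timer and checksum rules follow RFC 3768.

```python
import ipaddress
import struct

def virtual_mac(vrid: int) -> str:
    """Virtual MAC 00-00-5E-00-01-VRID that the Master uses in ARP replies."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00-00-5E-00-01-%02X" % vrid

def master_down_interval(priority: int, advert_int: int = 1) -> float:
    """RFC 3768: 3 advertisement intervals plus a skew of (256 - priority)/256 s."""
    return 3 * advert_int + (256 - priority) / 256

def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_vrrp2(vrid, priority, vips, advert_int=1, auth_pass=b""):
    """Encode a VRRPv2 ADVERTISEMENT (used here only to build the sample)."""
    auth_type = 1 if auth_pass else 0            # 1 = simple text password
    head = bytes([0x21, vrid, priority, len(vips), auth_type, advert_int])
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in vips)
    auth = auth_pass.ljust(8, b"\x00")[:8]       # auth data is always 8 bytes
    csum = 0xFFFF - _ones_complement_sum(head + b"\x00\x00" + addrs + auth)
    return head + struct.pack("!H", csum) + addrs + auth

def parse_vrrp2(payload: bytes) -> dict:
    """Decode an advertisement the way a Backup must before acting on it."""
    if len(payload) < 8:
        raise ValueError("too short for a VRRP header")
    vt, vrid, prio, count, auth_type, adv_int, _ = struct.unpack("!BBBBBBH", payload[:8])
    if vt != 0x21:                               # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 ADVERTISEMENT")
    end = 8 + 4 * count + 8                      # header + IPv4 list + auth data
    if len(payload) < end:
        raise ValueError("truncated address list")
    if _ones_complement_sum(payload[:end]) != 0xFFFF:   # intact packets sum to all ones
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "advert_int": adv_int, "auth_type": auth_type,
            "vips": vips, "auth_pass": payload[8 + 4 * count:end].rstrip(b"\x00")}

# Constructed sample matching the VI_1 instance on this page (VRID 10, priority 100).
SAMPLE = build_vrrp2(10, 100, ["172.16.254.35"], auth_pass=b"12345678")
```

Note that with PASS authentication the password travels in the packet in clear text, which is why the parser can read it back.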

  6. Backup preemption modes:
    (1) Non-preemptive: as long as the Master router has not failed, a Backup router does not become Master even if it is later configured with a higher priority.
    (2) Preemptive (default): as soon as a Backup finds that its priority is higher than the current Master's, it sends VRRP advertisements, which makes the routers in the backup group re-elect the Master; it finally replaces the original Master, and the original Master becomes a Backup.

  7. Authentication modes:
    (1) None: no security guarantee.
    (2) Simple (plain-text password): the router sending a VRRP packet puts the authentication string into the packet, and the receiving router compares it with its own. If the strings match, the packet is accepted as a legitimate VRRP packet; otherwise it is treated as illegitimate.
    (3) MD5 authentication:

  8. VRRP interface monitoring (virtual forwarder tracking):
    VRRP's interface-monitoring function extends the backup capability: it provides backup not only when the VRRP interface of a router in the backup group fails, but also when another interface of that router (for example the one connected to the uplink) becomes unavailable. When the uplink interface of a router fails, the backup group by itself cannot sense the uplink failure; if that router is the Master at the time, the hosts on the LAN lose access to the outside network. By monitoring
  9. Question: how can a keepalived switchover be done in a maintenance mode (achieving keepalived high availability)?

    Answer: when we test master/backup switching we usually stop keepalived or shut down an interface. Is there a way to do maintenance without stopping keepalived or the network interface? Newer keepalived versions support vrrp_script: you only need to create a marker file that makes the script fail, and the master/backup switch happens automatically.

    (1) Define the scripts

    vrrp_script chk_schedown {
            script "[ -e /etc/keepalived/down ] && exit 1 || exit 0"
            interval 1    # check interval in seconds
            weight -11    # subtract 11 from the priority while the check fails
            fall 2        # consecutive failures before the check counts as failed
            rise 1        # consecutive successes before it counts as healthy again
    }
    vrrp_script chk_nginx {
            script "killall -0 nginx && exit 0 || exit 1"  # signal 0 only tests whether an nginx process exists; exit 1 (no nginx) makes keepalived apply the weight
            interval 1
            weight -11
            fall 2
            rise 1
    }
    

    (2) Run the scripts: call them from the instance

    track_script {
        chk_schedown   # name of the script defined above
        chk_nginx
    }
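As an added example, not from the original post, the following Python model reproduces the election rule of sections 5 and 6 together with the vrrp_script weights of section 9: a failed check adds its (negative) weight to the configured priority, the highest effective priority wins (ties go to the higher IP address), and in non-preemptive mode the incumbent keeps the VIP while it is alive. Node names, IP addresses and the two scenarios are constructed; the second scenario illustrates the caveat in the configuration comments about running the nginx check on both nodes while notify.sh restarts nginx on the new backup.

```python
import ipaddress

# One entry per vrrp_script block on this page: name -> weight while it fails.
CHECKS = {"chk_schedown": -11, "chk_nginx": -11}

def effective_priority(base: int, failing: set) -> int:
    """keepalived adds each failed script's (negative) weight to the configured priority."""
    prio = base + sum(CHECKS[name] for name in failing)
    return max(1, min(254, prio))          # 0 and 255 have reserved meanings in VRRP

def elect(nodes: dict, failing: dict, current: str = None,
          preempt: bool = True, faulted: set = frozenset()) -> str:
    """Return the node holding the VIP after the next advertisement round.

    nodes:   name -> (configured priority, primary IP on the VRRP interface)
    failing: name -> set of tracked scripts currently in the failed state
    faulted: nodes whose interface is down (they send no advertisements)
    """
    alive = [n for n in nodes if n not in faulted]
    if not alive:
        raise RuntimeError("no router can serve the VIP")
    if not preempt and current in alive:
        return current                     # non-preemptive mode: incumbent keeps the VIP
    def key(name):
        base, ip = nodes[name]
        # higher effective priority wins; equal priorities are broken by the higher IP
        return (effective_priority(base, failing.get(name, set())), int(ipaddress.IPv4Address(ip)))
    return max(alive, key=key)

# Constructed two-node setup mirroring VI_1: master 100, backup 91, weight -11 per check.
NODES = {"node-a": (100, "172.16.254.1"), "node-b": (91, "172.16.254.2")}

def maintenance_scenario() -> list:
    """Touching /etc/keepalived/down on node-a fails chk_schedown: 100 - 11 = 89 < 91."""
    steps = [elect(NODES, {})]
    steps.append(elect(NODES, {"node-a": {"chk_schedown"}}, current=steps[-1]))
    steps.append(elect(NODES, {}, current=steps[-1]))      # file removed: node-a preempts back
    return steps

def nginx_flap_scenario() -> list:
    """Both nodes track nginx and notify.sh restarts nginx on the new backup, so a
    single nginx crash on node-a moves the VIP to node-b and straight back again."""
    steps = [elect(NODES, {"node-a": {"chk_nginx"}}, current="node-a")]   # 89 < 91
    steps.append(elect(NODES, {}, current=steps[-1]))                      # nginx restarted: 100 > 91
    return steps
```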
    


    When the back-end load-balancing configuration is written directly in the keepalived configuration file, keepalived itself calls the LVS (IPVS) API to install the rules, and they take effect immediately.

    ~]# ip addr add 192.168.1.100 dev eth0  # add the VIP by hand
    ~]# ip addr del 192.168.1.100 dev eth0  # remove it again
    ! Configuration File for keepalived

    global_defs {
            notification_email {
                    [email protected]
            }
            notification_email_from root
            smtp_server 127.0.0.1          # mail server address
            smtp_connect_timeout 30
            router_id LVS_DEVEL            # identifies this router; must differ between master and backup
            vrrp_mcast_group4 224.0.10.10  # multicast group used to send VRRP advertisements
    }
    vrrp_script chk_schedown {
            script "[ -e /etc/keepalived/down ] && exit 1 || exit 0"
            interval 1
            weight -11
            fall 2
            rise 1
    }
    # The nginx check only needs to exist on the master. If the backup has it too, the instant nginx
    # on the master goes down it comes back up again, and the priorities get confused.
    vrrp_script chk_nginx {
            script "killall -0 nginx && exit 0 || exit 1"
            interval 1
            weight -11
            fall 2
            rise 1
    }

    vrrp_instance VI_1 {                   # an instance
            state MASTER                   # initial state; this node starts as Master
            interface eth0                 # interface the instance runs on
            virtual_router_id 10           # VRID; must be the same on master and backup
            priority 100                   # priority
            advert_int 1                   # one advertisement per second
            authentication {
                    auth_type PASS         # simple plain-text password
                    auth_pass 12345678
            }
            virtual_ipaddress {
                    172.16.254.35          # the VIP, i.e. the floating address
            }

            track_script {                 # call the scripts
                    chk_schedown
                    chk_nginx
            }
            # These three lines call a script whenever the state changes, to mail the
            # administrator and to start the standby nginx.
            notify_master "/etc/keepalived/notify.sh master"
            notify_backup "/etc/keepalived/notify.sh backup"
            notify_fault "/etc/keepalived/notify.sh fault"
    }

    # Adding a second instance here gives a dual-master setup; on the other node only
    # state, virtual_router_id and auth_pass need to be different.
    vrrp_instance VI_2 {
            state BACKUP
            interface eth0
            virtual_router_id 11
            priority 91
            advert_int 1
            authentication {
                    auth_type PASS
                    auth_pass 12345687
            }
            virtual_ipaddress {
                    172.16.254.36
            }

            track_script {
                    chk_schedown
                    chk_nginx
            }
            notify_master "/etc/keepalived/notify.sh master"
            notify_backup "/etc/keepalived/notify.sh backup"
            notify_fault "/etc/keepalived/notify.sh fault"
    }
    


    This section is the equivalent of the nginx upstream and stream configuration described in an earlier post, where nginx modules provide the load balancing. The statements below go directly after the configuration above and play the role of upstream; the corresponding nginx upstream configuration is shown further down:

    virtual_server 172.16.254.35 80 {      # VIP and port served by the load balancer
            delay_loop 6                   # interval between health-check rounds
            lb_algo wrr                    # scheduling algorithm: weighted round-robin
            lb_kind DR                     # cluster type (direct routing)
            nat_mask 255.255.0.0
            #persistence_timeout 50        # persistent-connection timeout
            protocol TCP                   # protocol, default TCP

            real_server 172.16.250.84 80 { # back-end server address
                    weight 2               # weight
                    HTTP_GET {             # health check
                            url {
                                    path /
                                    status_code 200  # only 200 counts as healthy; a TCP check also exists but is less precise
                            }
                            connect_timeout 2      # connection timeout
                            nb_get_retry 3         # retries before the result is final
                            delay_before_retry 1   # wait 1 second between retries
                    }
            }

            real_server 172.16.252.113 80 { # second back-end server
                    weight 1
                    HTTP_GET {
                            url {
                                    path /
                                    status_code 200
                            }
                            connect_timeout 2
                            nb_get_retry 3
                            delay_before_retry 1
                    }
            }

            sorry_server 127.0.0.1 80      # fallback: when every back end is down, this host serves a "sorry" page
    }
    


  10. nginx configuration to pair with the keepalived configuration above; together they give dual-master high-availability load balancing
    events {
        worker_connections 1024;
    }
    http {
    upstream web {
            server 172.16.252.113;
            server 172.16.250.84;
            server 127.0.0.1:80 backup;
    }
    server {
            listen 80;
            server_name www.godilgence.com;
            index index.html;
            location / {
                    proxy_pass http://web;
            }
    }
    server {
            listen 127.0.0.1:80;
            index index.html;
            root /usr/share/nginx/html;
    }
    }
    
  11. Configuration example for the back-end (real server) hosts in LVS-DR mode, from an earlier post
    #!/bin/bash
    # LVS-DR real server: bind the VIP on the loopback and stop answering ARP for it

    VIP=172.16.254.35

    case $1 in
    start)
        # arp_ignore=1: only answer ARP requests for addresses on the receiving interface
        # arp_announce=2: always use the best local address as the ARP source
        echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
        echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

        echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
        echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore

        # iproute2 has no lo:0 device; the alias is a label on lo
        ip addr add "$VIP"/32 dev lo label lo:0 >/dev/null
        ip route add "$VIP" dev lo
        ;;
    stop)
        ip route del "$VIP" dev lo 2>/dev/null
        ip addr del "$VIP"/32 dev lo 2>/dev/null
        echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
        echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore

        echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
        echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
        ;;
    status)
        a=$(ip addr show dev lo | grep -w "$VIP")
        b=$(ip route | grep "^$VIP ")

        # test with -n and quotes so an empty result cannot break the condition
        if [ -n "$a" ] && [ -n "$b" ]; then
            echo "Realserver is running."
        else
            echo "Realserver is stopping."
        fi
        ;;
    *)
        echo "$0: Usage $0 {start|stop|status}"
        exit 1
        ;;
    esac
    
    


  12. When the master/backup role changes, mail the administrator and start the "sorry" web server on the master and backup machines
    #!/bin/bash
    VIP=172.16.254.35


    notify() {
            mailsubject="$(hostname) to be $1: $VIP is floating."
            # the date format must be quoted, otherwise date sees %H:%M:%S as a second operand
            mailcontent="$(date '+%F %H:%M:%S'), vrrp transition, $(hostname) changed to be $1"
            echo "$mailcontent" | mail -s "$mailsubject" root@localhost
    }


    case $1 in
    master)
            systemctl start nginx.service
            notify master
            ;;
    backup)
            systemctl start nginx.service
            notify backup
            ;;
    fault)
            systemctl stop nginx.service
            notify fault
            ;;
    esac
    

Origin www.cnblogs.com/dance-walter/p/12204305.html