
keepalived: implementing a floating VIP

Keepalived installation:
the keepalived package, from the CentOS 6.4+ Base repository

Architecture

Master LVS server address: 192.168.1.4

Backup LVS server address: 192.168.1.8

Official website: http://www.keepalived.org/

Prerequisites: the LVS servers' clocks are synchronized, firewall rules do not interfere (VRRP advertisements are IP protocol 112 sent to a multicast group, so allow that between the two nodes rather than switching the firewall off altogether), and SELinux is disabled

I. Key-based SSH authentication (this step can be skipped)

  1. Generate a key pair (you can press Enter through every prompt, or fill in the details)

ssh-keygen 

  2. Copy the public key to the other LVS server

ssh-copy-id 192.168.1.8

  3. Generate a key pair on the other machine

ssh-keygen 

  4. Copy its public key to the master LVS server

ssh-copy-id 192.168.1.4

You could also generate a single key pair on one server and copy the whole /root/.ssh/ directory to the other servers, but then every node shares the same private key, and compromising any one of them gives access to all of them; a key pair per host, as above, is the better choice

II. Edit the hosts file (so the nodes can be addressed by name; this step can be skipped)

vim /etc/hosts
192.168.1.4 ka1
192.168.1.8 ka2

III. Copy the edited hosts file to the other server

scp /etc/hosts ka2:/etc/

ka2 here is 192.168.1.8 from step II

IV. Install the keepalived package

yum install keepalived -y

V. Change to the directory holding the keepalived main configuration file

cd /etc/keepalived/

VI. Back up the main configuration file (so a bad edit cannot leave you without a usable original)

cp keepalived.conf{,.bak}

VII. Edit the main configuration file (it has three major blocks; only the first two are kept here)

vim keepalived.conf

  1. Since this post only sets up a floating VIP, everything related to LVS rules (the virtual_server blocks) can be deleted (nothing is lost thanks to the backup above). Keep only the following; for the rest, put the cursor on the first line to drop and type dG in normal mode to delete to the end of the file (dG is not echoed on screen)

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.200.16
        192.168.200.17
        192.168.200.18
    }
}

  2. Edit the global configuration, global_defs {

    1) Change the notification contacts to the local machine

Before:

notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }

After:

notification_email {
        root@localhost
   }

    2) Send the notifications as keepalived to the local machine

Before:

notification_email_from Alexandre.Cassen@firewall.loc

After:

notification_email_from keepalived@localhost

    3) Change the mail server address to the local machine

Before:

smtp_server 192.168.200.1

After:

smtp_server 127.0.0.1

    4) Change the router name (each router has its own ID, used to tell the physical servers apart; pick your own)

Before:

router_id LVS_DEVEL

After:

router_id ka1

    5) These three lines are not needed here; delete them or comment them out with #. Note in particular that vrrp_strict enforces strict RFC compliance and is incompatible with the authentication block configured below, which keepalived would then ignore

 vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0

    6) Set the multicast address (keepalived nodes talk to each other over a multicast group; pick a class D address of your own. Advertisements, carrying the priority among other things, are sent to this group. The line is optional; without it the default 224.0.0.18 is used)

Before:

 vrrp_gna_interval 0

After:

vrrp_mcast_group4 224.100.100.100

  3. Edit the virtual router settings

     1) Instance name; VI_1 is left as is

vrrp_instance VI_1 {

    2) Set the role (an instance has several roles; this is the role this node plays in it)

state MASTER

    3) Interface (this server has no eth0, only ens33, and the VIP will be bound to it)

Before:

 interface eth0 

After:

interface ens33

    4) Which virtual router this instance belongs to (all servers in the same group must use the same number)

Before:

virtual_router_id 51

After

virtual_router_id 88

    5) Priority (keepalived accepts 1-254; VRRP reserves 0, meaning the master is releasing the VIP, and 255, meaning the owner of the address. The backup node's priority must be lower than the master's)

priority 100

    6) Advertisement interval (the 1 here means one advertisement per second)

 advert_int 1

    7) Advertisement authentication (only nodes with the same password join virtual router 88. With auth_type PASS the password is a plaintext string that can be read straight off a packet capture, so it only keeps misconfigured nodes out, not an attacker on the same segment. Keepalived uses only the first 8 characters of auth_pass)

Before:

 authentication {
        auth_type PASS
        auth_pass 1111
    }

After:

   authentication {
        auth_type PASS
        auth_pass 123456
    }

A random password can be generated with openssl rand -base64 9 (keep in mind that only the first 8 characters count)

    8) VIP addresses (several are allowed; a prefix length may be given, and without one /32 is used)

Before:

virtual_ipaddress {
        192.168.200.16
        192.168.200.17
        192.168.200.18
    }

After: bound to the physical interface ens33 with the alias label ens33:1 (the label only affects how the address is shown in ifconfig-style output; ip a lists it as a secondary address either way)

virtual_ipaddress {

    192.168.1.100/24 dev ens33 label ens33:1

  }   

    9) Copy the configuration file to the remote server, then on ka2 change router_id to ka2, state to BACKUP and priority to 90

scp keepalived.conf ka2:`pwd`

    10) Complete keepalived.conf for the master server

! Configuration File for keepalived

global_defs {
   notification_email {
        root@localhost
   }
   notification_email_from keepalived@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id ka1
   vrrp_mcast_group4 224.100.100.100
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 88
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.1.100/24 dev ens33 label ens33:1
    }   
}

    11) Complete keepalived.conf for the backup server

! Configuration File for keepalived

global_defs {
   notification_email {
        root@localhost
   }
   notification_email_from keepalived@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id ka2
   vrrp_mcast_group4 224.100.100.100
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 88
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.1.100/24 dev ens33 label ens33:1
    }
}

There can be several virtual router instances, and one server can play a different role in each: in one instance this node is the master and the other node the backup, while in another instance the other node is the master and this one the backup
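As an added check (example code written for this page, not part of keepalived or the original post), the following Python script parses two nodes' keepalived.conf files with a small brace parser and reports the mismatches that break a pair: different virtual_router_id, authentication or VIP lists, two MASTERs, equal or out-of-range priorities, an auth_pass longer than the 8 characters keepalived uses, and nopreempt on a node whose state is not BACKUP. The two configs are constructed inline to match ka1 and ka2 above rather than read from disk.

```python
"""Cross-check two nodes' keepalived.conf for mismatches that silently break VRRP failover."""

# Constructed to match the ka1/ka2 configuration above (not read from disk).
KA1_CONF = """\
! Configuration File for keepalived
global_defs {
   router_id ka1
   vrrp_mcast_group4 224.100.100.100
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 88
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.1.100/24 dev ens33 label ens33:1
    }
}
"""
KA2_CONF = (KA1_CONF.replace("router_id ka1", "router_id ka2")
            .replace("state MASTER", "state BACKUP")
            .replace("priority 100", "priority 90"))


def parse(text):
    """Parse keepalived's brace syntax into nested dicts.

    'key value' lines map key -> value, bare keywords map to True, and every
    non-block line is also kept in order under '_entries' (virtual_ipaddress
    lines are addresses, not key/value pairs). '!' and '#' start comments.
    """
    root, stack = {"_entries": []}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split("!", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {"_entries": []}
            cur[line[:-1].strip()] = block
            stack.append(cur)
            cur = block
        elif line == "}":
            cur = stack.pop()
        else:
            cur["_entries"].append(line)
            key, _, val = line.partition(" ")
            cur[key] = val.strip() or True
    if stack:
        raise ValueError("unbalanced braces")
    return root


def instances(conf):
    """Map instance name -> block for every 'vrrp_instance NAME' in a parsed config."""
    return {k.split()[1]: v for k, v in conf.items() if k.startswith("vrrp_instance ")}


def check_pair(a, b):
    """Return findings for two parsed node configs; an empty list means they agree."""
    findings = []
    ga, gb = a.get("global_defs", {}), b.get("global_defs", {})
    if ga.get("router_id") == gb.get("router_id"):
        findings.append("router_id must differ per node")
    if ga.get("vrrp_mcast_group4") != gb.get("vrrp_mcast_group4"):
        findings.append("vrrp_mcast_group4 differs: the nodes will never hear each other")
    ia, ib = instances(a), instances(b)
    if set(ia) != set(ib):
        findings.append(f"instance sets differ: {sorted(ia)} vs {sorted(ib)}")
    for name in sorted(set(ia) & set(ib)):
        x, y = ia[name], ib[name]
        for key in ("virtual_router_id", "advert_int"):
            if x.get(key) != y.get(key):
                findings.append(f"{name}: {key} differs ({x.get(key)} vs {y.get(key)})")
        ax, ay = x.get("authentication", {}), y.get("authentication", {})
        if (ax.get("auth_type"), ax.get("auth_pass")) != (ay.get("auth_type"), ay.get("auth_pass")):
            findings.append(f"{name}: authentication differs, adverts will be dropped")
        if any(len(str(auth.get("auth_pass", ""))) > 8 for auth in (ax, ay)):
            findings.append(f"{name}: auth_pass longer than 8 chars; keepalived uses only the first 8")
        vx = x.get("virtual_ipaddress", {}).get("_entries", [])
        vy = y.get("virtual_ipaddress", {}).get("_entries", [])
        if vx != vy:
            findings.append(f"{name}: virtual_ipaddress lists differ")
        # keepalived's default priority is 100 when the keyword is absent
        prios = [int(inst.get("priority", 100)) if str(inst.get("priority", 100)).isdigit() else -1
                 for inst in (x, y)]
        for p in prios:
            if not 1 <= p <= 254:
                findings.append(f"{name}: priority {p} outside keepalived's 1-254 range")
        if prios[0] == prios[1]:
            findings.append(f"{name}: equal priorities; VRRP breaks the tie by higher source IP")
        if x.get("state") == "MASTER" and y.get("state") == "MASTER":
            findings.append(f"{name}: both nodes declare state MASTER")
        for inst in (x, y):
            if inst.get("nopreempt") is True and inst.get("state") != "BACKUP":
                findings.append(f"{name}: nopreempt only takes effect with state BACKUP")
    return findings


if __name__ == "__main__":
    print(check_pair(parse(KA1_CONF), parse(KA2_CONF)) or "ka1/ka2 configs agree")
```

Run it against the real files with `check_pair(parse(open("ka1.conf").read()), parse(open("ka2.conf").read()))` after copying the backup's config over; it is the cross-node consistency that keepalived itself cannot verify for you, since each daemon only sees its own file.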

  VIII. Observation

  1. Install a packet capture tool on another server in the same network segment

yum install tcpdump -y

  2. Start capturing; the output so far is

[00:42:23 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

  3. Start the keepalived service on the server with the lower priority

systemctl start keepalived

  4. Check the capture: 192.168.1.8 announces that it has priority 90, nobody on the network has a higher priority, so it takes the VIP

[00:42:23 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:44:59.571763 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:00.575048 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:01.578290 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:02.580599 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20

   5. Check the IP addresses: server 192.168.1.8 has acquired the VIP

ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:62:3f:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.1.100/24 scope global secondary ens33:1
       valid_lft forever preferred_lft forever
    inet6 fe80::5585:1cb1:8329:e534/64 scope link 
       valid_lft forever preferred_lft forever

  6. Start the keepalived service on the master server (priority 100, IP 192.168.1.4)

systemctl start keepalived

   7. Capture again

[00:49:01 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:49:32.304796 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:49:33.307825 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:49:33.308035 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:49:34.308864 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20

As soon as a server with a higher priority appears on the network, the lower-priority server goes back to BACKUP and immediately stops sending VRRP advertisements (these are VRRP packets, not ARP; the gratuitous ARP for the VIP is what the new master sends when it takes over the address)

   8. Now check the IP addresses on the master server (192.168.1.4)

[00:49:33 root@ka1 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:88:cd:f0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.1.100/24 scope global secondary ens33:1
       valid_lft forever preferred_lft forever
    inet6 fe80::82fc:253f:d442:8fa4/64 scope link 
       valid_lft forever preferred_lft forever

The higher-priority server takes the VIP automatically, and the lower-priority server drops it automatically

  9. Check the IP addresses on the lower-priority server

ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:62:3f:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5585:1cb1:8329:e534/64 scope link 
       valid_lft forever preferred_lft forever

  10. Take the master server down (stop the keepalived service)

systemctl stop keepalived

  11. The capture shows:

[00:49:37 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:55:38.133342 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:55:50.171851 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:55:50.669535 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 0, authtype simple, intvl 1s, length 20
00:55:51.320149 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20

Because keepalived was stopped deliberately, it sends a final advertisement with priority 0, announcing that the master has given up the VIP and the others may take it; the backup takes over right away (within about a second above). A server that dies unexpectedly has no chance to send the priority-0 advertisement, and the backup only takes over once it has missed advertisements for the master-down interval of 3 x advert_int plus a small skew, a little over 3 seconds with the settings here

  12. Ping the VIP from another host

ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.668 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.874 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.153 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.588 ms
64 bytes from 192.168.1.100: icmp_seq=5 ttl=64 time=1.11 ms
From 192.168.1.4 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.100)
From 192.168.1.4: icmp_seq=6 Redirect Host(New nexthop: 192.168.1.100)
64 bytes from 192.168.1.100: icmp_seq=6 ttl=64 time=780 ms
64 bytes from 192.168.1.100: icmp_seq=7 ttl=64 time=0.156 ms
64 bytes from 192.168.1.100: icmp_seq=8 ttl=64 time=0.182 ms
64 bytes from 192.168.1.100: icmp_seq=9 ttl=64 time=0.273 ms
^C
--- 192.168.1.100 ping statistics ---
9 packets transmitted, 9 received, +1 errors, 0% packet loss, time 8017ms
rtt min/avg/max/mdev = 0.153/87.151/780.351/245.083 ms

The statistics show no actual loss here (9 sent, 9 received, plus one ICMP redirect), but during the handover a reply can be delayed (780 ms above) or a packet or two dropped
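To show what is actually on the wire in those captures, here is an added Python example (not code from the post or from keepalived) that builds and decodes VRRPv2 advertisements in the RFC 3768 layout and replays the election: the backup becomes master, the higher-priority master preempts it, priority 0 hands the VIP back, and a forged advertisement from an address that is not part of the cluster is flagged. The capture is constructed from the tcpdump output above; the forged packet from 192.168.1.250 with priority 254 is an assumption added to show the check. A one-VIP advertisement with simple authentication is 20 bytes, as tcpdump reported, and its last 8 bytes are the auth_pass in cleartext.

```python
"""Decode VRRPv2 advertisements (RFC 3768 layout) and replay the election seen in the captures."""
import struct
from ipaddress import IPv4Address

VRRP_VERSION, VRRP_ADVERT = 2, 1
AUTH_NONE, AUTH_SIMPLE = 0, 1


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, prio, vips, adv_int=1, auth_pass=b""):
    """Build one advertisement. With auth_type PASS the password travels as the
    trailing 8 bytes in cleartext; keepalived keeps only the first 8 characters."""
    auth_type = AUTH_SIMPLE if auth_pass else AUTH_NONE
    body = b"".join(IPv4Address(v).packed for v in vips) + auth_pass[:8].ljust(8, b"\x00")
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERT,
                       vrid, prio, len(vips), auth_type, adv_int, 0)
    csum = inet_checksum(head + body)
    return head[:6] + struct.pack("!H", csum) + body


def parse_advert(pkt: bytes) -> dict:
    """Decode an advertisement; ValueError for a wrong type, length or checksum."""
    if len(pkt) < 16:
        raise ValueError("short VRRP packet")
    vt, vrid, prio, n_ips, auth_type, adv_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != (VRRP_VERSION << 4) | VRRP_ADVERT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * n_ips + 8:
        raise ValueError("length disagrees with count ip addrs")
    if inet_checksum(pkt) != 0:          # a valid message sums to zero
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(n_ips)]
    auth = pkt[8 + 4 * n_ips:16 + 4 * n_ips].rstrip(b"\x00")
    return {"vrid": vrid, "prio": prio, "adv_int": adv_int, "auth_type": auth_type,
            "vips": vips, "auth_pass": auth.decode("ascii", "replace")}


def track_election(capture, vrid, expected_prio):
    """Replay (src_ip, packet) pairs and return the transitions a defender cares about.

    expected_prio maps each legitimate router's IP to its configured priority; any
    other source, or a non-zero priority that differs from the configured one, is
    flagged as rogue (a spoofed priority-0 release from an outsider is rogue too).
    """
    master, events = None, []
    for src, pkt in capture:
        adv = parse_advert(pkt)
        if adv["vrid"] != vrid:
            continue
        if src not in expected_prio or adv["prio"] not in (0, expected_prio[src]):
            events.append(("rogue", src, adv["prio"]))
        if adv["prio"] == 0:                       # master is releasing the VIP
            events.append(("release", src, 0))
            if master and master[0] == src:
                master = None
        elif master is None:
            master = (src, adv["prio"])
            events.append(("master", src, adv["prio"]))
        elif src != master[0] and adv["prio"] > master[1]:
            master = (src, adv["prio"])
            events.append(("preempt", src, adv["prio"]))
    return events


# Constructed to mirror the captures above, plus one forged advertisement
# from a host that is not part of the cluster (an assumption for the demo).
VIP, PW = ["192.168.1.100"], b"123456"
SAMPLE_CAPTURE = [
    ("192.168.1.8", build_advert(88, 90, VIP, auth_pass=PW)),
    ("192.168.1.4", build_advert(88, 100, VIP, auth_pass=PW)),
    ("192.168.1.4", build_advert(88, 0, VIP, auth_pass=PW)),
    ("192.168.1.8", build_advert(88, 90, VIP, auth_pass=PW)),
    ("192.168.1.250", build_advert(88, 254, VIP, auth_pass=PW)),   # forged
]


def demo():
    return track_election(SAMPLE_CAPTURE, 88, {"192.168.1.4": 100, "192.168.1.8": 90})


if __name__ == "__main__":
    for ev in demo():
        print(*ev)
    print("password recovered from the wire:", parse_advert(SAMPLE_CAPTURE[0][1])["auth_pass"])
```

The last event shows why auth_type PASS is not a security control: the forged packet carries the password read from any earlier advertisement, passes the checksum, and with priority 254 would preempt both real nodes. What actually limits this is keeping VRRP off untrusted segments and alerting on advertisements from unexpected sources, which is the check track_election performs.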

   IX. Other settings

    1. Tracking interfaces

The steps above used

interface ens33

track_interface { # interfaces to monitor; if any of them fails the instance goes to FAULT state and the VIP moves to another node
eth0
eth1

}

Without track_interface only the VRRP interface itself (ens33 here) is monitored; with it you can monitor several NICs, and if any of them goes down the VIP is released automatically (on this setup the names to list would be ens33 and the other interfaces, not eth0/eth1)

    2. Non-preemptive mode

nopreempt

Note that nopreempt only takes effect when the instance's state is BACKUP, so for a non-preemptive pair set state BACKUP on both nodes and let the priorities decide the initial master

    3. Preemptive mode (the default): the delay, in seconds, before a node that comes back online triggers a new election

preempt_delay 300

Posted 2021-05-26 13:22 by Alex-Lzy