keepalive -实现浮动的VIP
Keepalived安装:
keepalived包,CentOS 6.4+ Base源
架构
主LVS服务器地址:192.168.1.4
备LVS服务器地址:192.168.1.8
官方网站:http://www.keepalived.org/
前提条件,LVS服务器时间同步,防火墙规则无影响,selinux禁用
一、、基于key验证,(此步骤可以省略跳过)
1、生成key验证(此步可以一直回车,也可以按提示输入具体信息)
ssh-keygen
2、将key验证复制给另外一台LVS服务器
ssh-copy-id 192.168.1.8
3、在另外一台机器上生成key
ssh-keygen
4、复制key给主LVS服务器
ssh-copy-id 192.168.1.4
此步也可以在一台服务器上生成key,然后将/root/.ssh/ 文件夹直接拷贝给其他服务器
二、修改hosts 文件(用于访问中更省事,此步可跳过)
vim /etc/hosts
192.168.1.4 ka1
192.168.1.8 ka2
三、将修改的hosts文件拷贝给另外一台服务器
scp /etc/hosts ka2:/etc/
这里的ka2就是第二步中的192.168.1.8
四、安装keepalive软件
yum install keepalived -y
五、进入keepalive主配置文件所在目录
cd /etc/keepalived/
六、备份主配置文件(以防修改错误导致原配置文件无法使用)
cp keepalived.conf{,.bak}
七、修改主配置文件(三大块,此步只保留前两大块)
vim keepalived.conf
1、由于本文只生成浮动VIP其他LVS规则相关的可以删除,(上面有备份不会有影响的),只保留以下的,其他的在命令模式输入dG直接删除到最后(dG是看不见的)
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_DEVEL
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.200.16
192.168.200.17
192.168.200.18
}
}
2、修改全局配置 global_defs {
1)、修改联系方式为本机
修改前:
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
修改后:
notification_email {
root@localhost
}
2)、修改以keepalive的身份发送给本机
修改前:
notification_email_from Alexandre.Cassen@firewall.loc
修改后:
notification_email_from keepalived@localhost
3)、修改发邮件的地址为本机
修改前:
smtp_server 192.168.200.1
修改后:
smtp_server 127.0.0.1
4)、修改路由器的名称(每个路由,有自己的ID名称,用于区分不同的物理服务器,自定义)
router_id LVS_DEVEL
修改后:
router_id ka1
5)、这里的三行,暂时不用是,删除或#号注释掉
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
6)、修改多播地址(因为keepalive相互通信采用多播地址,多播地址由你自己决定,使用D类地址就行)(通过多播地址,向外发一些通告,如:优先级)(这行可以不写,不写默认是224.0.0.18)
修改前:
vrrp_gna_interval 0
修改后:
vrrp_mcast_group4 224.100.100.100
3、修改虚拟路由器的信息
1)、实例名,VI1 这里就不修改了
vrrp_instance VI_1 {
2)、修改角色(在这个实例中有多个角色,这里承当什么角色)
state MASTER
3)、接口(我这台服务器上没有eth0,只有ens33,会在这个上面绑定VIP地址)
修改前:
interface eth0
修改后:
interface ens33
4)、虚拟路由器是属于哪个路由器(多台服务器需要在同一个集合里,相同数字即可)
修改前:
virtual_router_id 51
修改后
virtual_router_id 88
5)、优先级(优先级0-255,从节点的优先级必须比主节点的小)
priority 100
6)、公告的时间间隔(这里的1,表示1秒发一次公告)
advert_int 1
7)、公告的验证(密码相同才能加入到66这个集合中,明文密码,略微复杂即可,可以被抓包抓到)
修改前:
authentication {
auth_type PASS
auth_pass 1111
}
修改后:
authentication {
auth_type PASS
auth_pass 123456
}
可以通过openssl rand -base64 9生成随机口令
8)、VIP地址(可以多个地址,必须加子网掩码,不加默认32)
修改前:
virtual_ipaddress {
192.168.200.16
192.168.200.17
192.168.200.18
}
修改后:绑定在物理网卡ens33上,添加个别名ens33:1(不加别名会增加块网卡)
virtual_ipaddress {
192.168.1.100/24 dev ens33 label ens33:1
}
9)、将配置文件拷贝给远程服务器,
scp keepalived.conf ka2:`pwd`
10)、完整的主服务器keepalive.comf配置文件
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from keepalived@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka1
vrrp_mcast_group4 224.100.100.100
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 88
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 123456
}
virtual_ipaddress {
192.168.1.100/24 dev ens33 label ens33:1
}
}
11)、完整的从服务器keepalive.comf配置文件
! Configuration File for keepalived
global_defs {
notification_email {
root@localhost
}
notification_email_from keepalived@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka2
vrrp_mcast_group4 224.100.100.100
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 88
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 123456
}
virtual_ipaddress {
192.168.1.100/24 dev ens33 label ens33:1
}
}
这里可以有多个虚拟路由器,在多个虚拟路由器中,一台服务器可以充当多个角色,如,在本机是主服务器,在其他服务器上是从,而在另外一台服务器上,对方是主,而我是从
八、观察
1、在其他服务器上安装抓包软件,在同一网段的服务器即可
yum install tcpdump -y
2、开始抓包,返回如下
[00:42:23 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
3、开启优先级较低的服务器上的keepalive服务
systemctl start keepalived
4、查看抓包,192.168.1.8这台服务器对外宣传,自己拥有90的优先级,网络中目前没有人优先级比他高,所以他就拥有了VIP地址
[00:42:23 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:44:59.571763 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:00.575048 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:01.578290 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:02.580599 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
5、查看IP地址,在192.168.1.8服务器上获取到了VIP地址
ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:62:3f:c8 brd ff:ff:ff:ff:ff:ff inet 192.168.1.8/24 brd 192.168.1.255 scope global ens33 valid_lft forever preferred_lft forever inet 192.168.1.100/24 scope global secondary ens33:1 valid_lft forever preferred_lft forever inet6 fe80::5585:1cb1:8329:e534/64 scope link valid_lft forever preferred_lft forever
6、在优先级为100的主服务器上(IP为192.168.1.4)上开启keepalive服务
systemctl start keepalived
7、抓包查看
[00:49:01 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 00:49:32.304796 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20 00:49:33.307825 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20 00:49:33.308035 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20 00:49:34.308864 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
当网络中有优先级比他高的服务器,处于低优先级的服务器将会立马停止发送ARP公告
8、此时查看主服务器(IP为192.168.1.4)的IP地址
[00:49:33 root@ka1 ~]#ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:88:cd:f0 brd ff:ff:ff:ff:ff:ff inet 192.168.1.4/24 brd 192.168.1.255 scope global ens33 valid_lft forever preferred_lft forever inet 192.168.1.100/24 scope global secondary ens33:1 valid_lft forever preferred_lft forever inet6 fe80::82fc:253f:d442:8fa4/64 scope link valid_lft forever preferred_lft forever
优先级高的服务器会自动获取VIP地址,优先级低的IP会自动停止获取VIP地址
8、查看优先级低的服务器的IP
ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:62:3f:c8 brd ff:ff:ff:ff:ff:ff inet 192.168.1.8/24 brd 192.168.1.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::5585:1cb1:8329:e534/64 scope link valid_lft forever preferred_lft forever
9、将主服务器宕机,(关闭keepalive服务)
systemctl stop keepalived
10、抓包如下:
[00:49:37 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 00:55:38.133342 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20 00:55:50.171851 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20 00:55:50.669535 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 0, authtype simple, intvl 1s, length 20 00:55:51.320149 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
由于是主动停止keepalive服务,所以会对外发个0,主动宣城主服务器停止了,其他服务器可以获取VIP地址了,意外停止的不会发0,也来不及发0
11、其他主机ping VIP地址
ping 192.168.1.100 PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data. 64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.668 ms 64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.874 ms 64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.153 ms 64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.588 ms 64 bytes from 192.168.1.100: icmp_seq=5 ttl=64 time=1.11 ms From 192.168.1.4 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.100) From 192.168.1.4: icmp_seq=6 Redirect Host(New nexthop: 192.168.1.100) 64 bytes from 192.168.1.100: icmp_seq=6 ttl=64 time=780 ms 64 bytes from 192.168.1.100: icmp_seq=7 ttl=64 time=0.156 ms 64 bytes from 192.168.1.100: icmp_seq=8 ttl=64 time=0.182 ms 64 bytes from 192.168.1.100: icmp_seq=9 ttl=64 time=0.273 ms ^C --- 192.168.1.100 ping statistics --- 9 packets transmitted, 9 received, +1 errors, 0% packet loss, time 8017ms rtt min/avg/max/mdev = 0.153/87.151/780.351/245.083 ms
测试下来会丢一点的包,不过不多
九、其他配置
1、跟踪接口
在上面步骤中写的是
interface ens33
track_interface { #配置监控网络接口,一旦出现故障,则转为FAULT状态 实现地址转移
eth0
eth1
…
}
不定义,默认监控的就是ens33 ,定义了可以监控多个网卡,如果网卡出问题会自动释放IP
2、定义工作模式为非抢占模式
nopreempt
3、定义工作模式为抢占式模式,节点上线后触发新选举操作的延迟时长,默认模式
preempt_delay 300