keepalived Configuration and Usage
1. A brief introduction to keepalived
keepalived is software built on the VRRP protocol; it was originally designed to provide high availability for the ipvs service. Its functions are as follows:
1. Moving (floating) an address between nodes based on the VRRP protocol
2. Generating the ipvs rules on whichever node currently holds the VIP address (the rules are predefined in the configuration file)
3. Health checking of the real servers in the ipvs cluster
4. Calling scripts through its script interface to carry out whatever the script defines and thereby influence cluster behaviour; this is how services such as nginx and haproxy are supported
2. Building and installing keepalived from source
Source download page: https://keepalived.org/download.html
The latest official release at the moment is 2.2.7. The system I use for this experiment is Ubuntu 20.04; the apt package shipped with the distribution is rather old (2.0.19), so here I compile and install the latest keepalived from source instead.
2.1 Install the build dependencies
[root@ubuntu2004 ~]#apt -y install curl gcc libssl-dev libnl-3-dev libnl-genl-3-dev libsnmp-dev
2.2 Download and extract the source tarball
[root@ubuntu2004 ~]#cd /usr/local/src/
[root@ubuntu2004 src]#wget https://keepalived.org/software/keepalived-2.2.7.tar.gz
--2022-10-27 15:20:46--  https://keepalived.org/software/keepalived-2.2.7.tar.gz
Resolving keepalived.org (keepalived.org)... 91.121.30.175
Connecting to keepalived.org (keepalived.org)|91.121.30.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1180180 (1.1M) [application/octet-stream]
Saving to: ‘keepalived-2.2.7.tar.gz’

keepalived-2.2.7.tar.gz 100%[=======================================================================>] 1.12M 834KB/s in 1.4s

2022-07-12 15:20:49 (834 KB/s) - ‘keepalived-2.2.7.tar.gz’ saved [1180180/1180180]

[root@ubuntu2004 src]#tar xf keepalived-2.2.7.tar.gz
2.3 Compile and install
Change into the directory you just extracted and run the configure script to generate the Makefile. configure accepts many options, but keepalived builds fine without any of them; you can set the installation directory, and you can add the --disable-fwmark option so that the iptables rules generated after installation do not leave the VIP unreachable.
[root@ubuntu2004 keepalived-2.2.7]#cd keepalived-2.2.7/
[root@ubuntu2004 keepalived-2.2.7]# ls
aclocal.m4  autogen.sh   build-aux    ChangeLog  configure.ac  COPYING  Dockerfile.in  keepalived          lib  Makefile.am  README.md  TODO
AUTHOR      bin_install  build_setup  configure  CONTRIBUTORS  doc      INSTALL        keepalived.spec.in  m4   Makefile.in  snap       tools
[root@ubuntu2004 keepalived-2.2.7]# ./configure --prefix=/usr/local/keepalived --disable-fwmark
# The --disable-fwmark option disables the iptables rules and so prevents the VIP from becoming unreachable; without it the iptables rules are enabled by default
[root@ubuntu2004 keepalived-2.2.7]# make -j 2 && make install
2.4 Prepare the service unit and the configuration file
# Check the generated binary and print its version
[root@ubuntu2004 keepalived-2.2.7]# ls /usr/local/keepalived/sbin/
keepalived
[root@ubuntu2004 keepalived-2.2.7]#/usr/local/keepalived/sbin/keepalived -v
Keepalived v2.2.7 (01/16,2022)

Copyright(C) 2001-2022 Alexandre Cassen, <acassen@gmail.com>

Built with kernel headers for Linux 4.15.18
Running on Linux 4.15.0-188-generic #199-Ubuntu SMP Wed Jun 15 20:42:56 UTC 2022
Distro: Ubuntu 18.04.6 LTS

configure options: --prefix=/usr/local/keepalived --disable-fwmark

Config options:  LVS VRRP VRRP_AUTH VRRP_VMAC OLD_CHKSUM_COMPAT INIT=systemd

System options:  VSYSLOG MEMFD_CREATE IPV4_DEVCONF RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA RTA_TTL_PROPAGATE IFA_FLAGS LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA NET_LINUX_IF_H_COLLISION LIBIPTC_LINUX_NET_IF_H_COLLISION IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS VRRP_IPVLAN IFLA_LINK_NETNSID GLOB_BRACE GLOB_ALTDIRFUNC INET6_ADDR_GEN_MODE VRF

# Copy the systemd service file and the sample conf file into place
[root@ubuntu2004 keepalived-2.2.7]# cp /usr/local/src/keepalived-2.2.7/keepalived/keepalived.service /lib/systemd/system/
[root@ubuntu2004 keepalived-2.2.7]# mkdir /etc/keepalived
[root@ubuntu2004 keepalived-2.2.7]# cp /usr/local/keepalived/etc/keepalived/keepalived.conf.sample /etc/keepalived/keepalived.conf
2.5 Start the keepalived service
[root@ubuntu2004 keepalived-2.2.7]#systemctl enable --now keepalived.service
[root@ubuntu2004 keepalived-2.2.7]#systemctl status keepalived.service
● keepalived.service - LVS and VRRP High Availability Monitor
     Loaded: loaded (/lib/systemd/system/keepalived.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-10-27 15:21:26 CST; 1h 27min ago
       Docs: man:keepalived(8)
             man:keepalived.conf(5)
             man:genhash(1)
             https://keepalived.org
   Main PID: 228720 (keepalived)
      Tasks: 3 (limit: 4575)
     Memory: 2.4M
     CGroup: /system.slice/keepalived.service
             ├─228720 /apps/keepalived/sbin/keepalived --dont-fork -D
             ├─228733 /apps/keepalived/sbin/keepalived --dont-fork -D
             └─228734 /apps/keepalived/sbin/keepalived --dont-fork -D
[root@ubuntu2004 keepalived-2.2.7]#ip a   # the sample config added three VIPs by default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c5:32:4d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.101/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.200.16/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.200.17/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.200.18/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec5:324d/64 scope link
       valid_lft forever preferred_lft forever
3. The keepalived configuration file
The keepalived configuration file is /etc/keepalived/keepalived.conf. It is made up mainly of three sections: global_defs, vrrp_instance and virtual_server.
3.1 global_defs
global_defs holds keepalived's global configuration and contains the following settings:
notification_email: the mailboxes keepalived sends mail to when it detects a failover; several addresses can be listed;
notification_email_from: the sender address of those mails;
smtp_server: the address of the mail server;
smtp_connect_timeout: the connection timeout for the mail server;
router_id: the unique identifier of each keepalived node; the hostname is usually used here, although duplicate names on several nodes do not break anything;
vrrp_skip_check_adv_addr: checking every advertisement packet costs performance; with this enabled, an advertisement that comes from the same router as the previous one is not checked again. The default is to check all of them;
vrrp_strict: strictly follow the VRRP protocol. With it enabled the service will not start in the following cases: 1. no VIP address, 2. unicast peers are configured, 3. IPv6 addresses in VRRP version 2. Enabling it without also configuring vrrp_iptables automatically adds iptables firewall rules, which by default makes the VIP unreachable, so it is recommended not to set this option;
vrrp_garp_interval: the delay between gratuitous ARP messages sent on an interface, with millisecond precision; default 0;
vrrp_gna_interval: the delay between unsolicited neighbour advertisement messages; default 0;
vrrp_mcast_group4: the multicast group address, which can be any address in the range 224.0.0.0 to 239.255.255.255; default 224.0.0.18;
vrrp_iptables: when set together with vrrp_strict, no iptables rules are added; it can be omitted when vrrp_strict is commented out or absent.
3.2 vrrp_instance
The vrrp_instance section configures a virtual router; its settings are as follows:
The string after vrrp_instance is the name of the VRRP instance; in production it is normally the project name;
state: the initial state of this node in the virtual router, either MASTER or BACKUP;
interface: the physical interface the virtual router uses, for example eth0, bond0 or br0; it does not have to be the interface the VIP is placed on;
virtual_router_id: the unique identifier of each virtual router, range 0-255. Each virtual router must have its own value or the service will not start; all keepalived nodes that belong to the same virtual router must use the same value, and you must make sure the value is unique within the network;
priority: the priority of this physical node within the virtual router, range 1-254; the higher the value the higher the priority, and every keepalived node uses a different value;
advert_int: the VRRP advertisement interval, default 1s;
authentication: the authentication mechanism, which has two parts: 1. auth_type: the authentication type, either AH or PASS; AH is IPsec authentication-header style authentication, PASS is simple password authentication. PASS is recommended here and is the default. 2. auth_pass: the pre-shared key; only the first 8 characters are used, and the value must be identical on all keepalived nodes of the same virtual router;
virtual_ipaddress: the virtual IP addresses of the virtual router; production setups may list hundreds. Each virtual IP can be given its subnet mask, interface and label, and multiple addresses are separated by newlines. If no interface is given the address is added to the default interface; if no mask is given it defaults to /32. You also need to check that the chosen virtual IP does not already exist in the environment, that is, that it is not already in use.
3.3 virtual_server
The virtual_server section configures a virtual server: it maps the VIP added in the virtual router to the backend real servers. It contains the following settings:
virtual_server is followed by the virtual IP address and port, that is, the VIP and port through which clients reach the backend servers;
delay_loop: the interval between health checks of the backend servers;
lb_algo: the scheduling algorithm;
lb_kind: the cluster type;
persistence_timeout: the persistent connection timeout;
protocol: the service protocol;
real_server: the backend server IP and port that the VIP maps to, with the following sub-settings: 1. weight: the weight of the backend server; 2. SSL_GET, HTTP_GET, TCP_CHECK, SMTP_CHECK, MISC_CHECK and others define the health check method for this backend host; 3. connect_timeout: the client connection timeout; 4. retry: the number of retries; 5. delay_before_retry: the delay before a retry.
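Putting the three sections from 3.1 to 3.3 together, here is a complete /etc/keepalived/keepalived.conf for the MASTER node. This is an added example, not the post's own file: the instance name, router_id, mail addresses, real server addresses and the pre-shared key are made-up placeholders, and the VIP 10.0.0.100 is assumed to be unused on the 10.0.0.0/24 network shown in the ip a output above.

```conf
# Example keepalived.conf for the MASTER node (constructed example, all values are placeholders)
global_defs {
    notification_email {
        ops@example.com              # one address per line; several may be listed
    }
    notification_email_from keepalived@example.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ubuntu2004             # usually the hostname
    vrrp_skip_check_adv_addr
    vrrp_mcast_group4 224.0.0.18     # the default multicast group
    # vrrp_strict is deliberately omitted: without vrrp_iptables it adds iptables rules that block the VIP (see 3.1)
}

vrrp_instance VI_1 {
    state MASTER                     # the peer node uses BACKUP
    interface eth0
    virtual_router_id 51             # identical on both nodes, unique on this network
    priority 100                     # the peer node uses a lower value, e.g. 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass Zx8q2Lp1           # placeholder secret; only the first 8 characters are used
    }
    virtual_ipaddress {
        10.0.0.100/24 dev eth0 label eth0:0   # mask, interface and label given explicitly
    }
}

virtual_server 10.0.0.100 80 {
    delay_loop 6
    lb_algo wrr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 10.0.0.111 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
    real_server 10.0.0.112 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}
```

After reloading keepalived, ipvsadm -Ln should show the 10.0.0.100:80 service with both real servers, and a backend that fails its TCP_CHECK is removed from that list until it passes again. With lb_kind DR the real servers themselves must also be set up to accept traffic for the VIP, which this file does not cover.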