Keepalived and Firewalld
Preparation
MASTER IP 192.168.1.7
BACKUP IP 192.168.1.8
VIP 192.168.1.200
yum install keepalived
systemctl stop firewalld
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf # allow binding to an IP address not held by this host
sysctl -p
Keepalived
MASTER
global_defs {
notification_email {
root@localhost
}
notification_email_from ka@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka46
vrrp_mcast_group4 224.0.0.111
#vrrp_strict
}
vrrp_instance Intranet_1 {
state MASTER
interface em1
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass starsing
}
virtual_ipaddress {
192.168.1.200/24
}
#virtual_routes {
# default via 192.168.1.1
#}
notify_master "/etc/keepalived/notify.sh master"
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
}
BACKUP
Note the following points:
state is BACKUP
interface is the NIC name; confirm it on each machine
virtual_router_id must match the MASTER's value, which is 51 here
priority must be lower than the MASTER's
global_defs {
notification_email {
root@localhost
}
notification_email_from ka@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id ka46
vrrp_mcast_group4 224.0.0.111
#vrrp_strict
}
vrrp_instance Intranet_1 {
state BACKUP
interface em1
virtual_router_id 51
priority 95
advert_int 1
authentication {
auth_type PASS
auth_pass starsing
}
virtual_ipaddress {
192.168.1.200/24
}
#virtual_routes {
# default via 192.168.1.1
#}
notify_master "/etc/keepalived/notify.sh master"
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
}
NOTIFY
#!/bin/bash
# Recipients: the local root mailbox (currently unused) and an external address.
contact="root@localhost"
contact_xwx="sunday@sundayle.com"

# Send a one-line mail describing the VRRP state transition ($1 = master|backup|fault).
notify() {
    local mailsubject="$(hostname) to be $1, vip floating"
    local mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
    #echo "$mailbody" | mail -s "$mailsubject" "$contact"
    echo "$mailbody" | mail -s "$mailsubject" "$contact_xwx"
}

# keepalived calls this script as notify.sh <master|backup|fault>.
case "$1" in
    master)
        notify master
        ;;
    backup)
        notify backup
        ;;
    fault)
        notify fault
        ;;
    *)
        echo "Usage: $(basename "$0") {master|backup|fault}"
        exit 1
        ;;
esac
Start keepalived on both MASTER and BACKUP
systemctl start keepalived
systemctl enable keepalived
With the firewall stopped at this point, MASTER holds the VIP and BACKUP does not.
[root@master ]# ip addr | grep 192.168.1.200
inet 192.168.1.200/24 scope global secondary em1
Failover rules:
By default MASTER holds the VIP (192.168.1.200).
When MASTER fails, the VIP moves to the BACKUP server.
When MASTER comes back up, the VIP moves back to the MASTER server.
Firewalld
Add the firewall rules. The VRRP multicast group defaults to 224.0.0.18 when not specified; here it was changed to 224.0.0.111.
systemctl stop keepalived
systemctl start firewalld
Option 1: permissive
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
firewall-cmd --reload
firewall-cmd --list-all
Option 2: strict
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
firewall-cmd --reload
Check the two rules
[root@master ~]# firewall-cmd --direct --get-rules ipv4 filter INPUT
0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
[root@master ~]# firewall-cmd --direct --get-rules ipv4 filter OUTPUT
0 --out-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
systemctl start keepalived
If MASTER now holds the VIP and BACKUP does not, the firewall is passing VRRP correctly.
If both MASTER and BACKUP hold the VIP, check the firewall configuration, in particular the NIC interface and the VRRP multicast address.
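When both nodes end up holding the VIP, the usual cause is that the direct rule names a different interface or multicast group than keepalived actually uses (for example the default 224.0.0.18 instead of the configured 224.0.0.111). The following check is an added example and is not part of the original post: it parses a keepalived.conf fragment for `interface` and `vrrp_mcast_group4` and verifies that a `firewall-cmd --direct --get-rules` listing contains an ACCEPT rule for protocol vrrp on that same interface and group. The configuration fragment and the rule listings below are constructed from the values used in this post; on a real host you would pipe `/etc/keepalived/keepalived.conf` and the real `firewall-cmd --direct --get-rules ipv4 filter INPUT` output into the two functions instead.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that firewalld's
# direct rules permit VRRP on the same interface and multicast group that
# keepalived.conf uses. Both inputs are read as text so the check can run
# offline against the constructed samples below.

# Constructed keepalived.conf fragment using the values from this post.
SAMPLE_CONF='global_defs {
    router_id ka46
    vrrp_mcast_group4 224.0.0.111
}
vrrp_instance Intranet_1 {
    state MASTER
    interface em1
    virtual_router_id 51
}'

# Constructed output of: firewall-cmd --direct --get-rules ipv4 filter INPUT
SAMPLE_RULES_OK='0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT'
# Same, but written for the VRRP default group instead of the configured one.
SAMPLE_RULES_BAD='0 --in-interface em1 --destination 224.0.0.18 --protocol vrrp -j ACCEPT'

# Read a keepalived.conf on stdin and print "<interface> <mcast_group>".
# Falls back to the VRRP default group 224.0.0.18 when none is configured.
extract_vrrp_settings() {
    awk '
        $1 == "interface"         { iface = $2 }
        $1 == "vrrp_mcast_group4" { group = $2 }
        END {
            if (group == "") group = "224.0.0.18"
            print iface, group
        }'
}

# $1 = interface, $2 = multicast group, rule listing on stdin.
# Succeeds only if some "--protocol vrrp ... -j ACCEPT" rule names both.
vrrp_rule_matches() {
    awk -v iface="$1" -v group="$2" '
        /--protocol vrrp/ && /-j ACCEPT/ {
            ok_iface = 0; ok_group = 0
            for (i = 1; i <= NF; i++) {
                if (($i == "--in-interface" || $i == "--out-interface") && $(i + 1) == iface) ok_iface = 1
                if ($i == "--destination" && $(i + 1) == group) ok_group = 1
            }
            if (ok_iface && ok_group) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# $1 = keepalived.conf text, $2 = rule listing text; prints "ok" or "mismatch".
check_vrrp_firewall() {
    settings=$(printf '%s\n' "$1" | extract_vrrp_settings)
    iface=${settings% *}
    group=${settings#* }
    if printf '%s\n' "$2" | vrrp_rule_matches "$iface" "$group"; then
        echo ok
    else
        echo mismatch
    fi
}

check_vrrp_firewall "$SAMPLE_CONF" "$SAMPLE_RULES_OK"   # ok
check_vrrp_firewall "$SAMPLE_CONF" "$SAMPLE_RULES_BAD"  # mismatch
```

Run the same check against the OUTPUT chain listing as well, since the strict variant in this post adds one rule per direction; a rule that matches on INPUT but not on OUTPUT still leaves the node unable to send advertisements.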
Service test
[root@master ~]# yum install tcpdump
[root@master ~]# tcpdump -i em1 vrrp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:17:56.949963 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:57.950994 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:58.952063 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:59.953131 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:18:00.954206 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
The VIP is now on MASTER.
If keepalived is stopped on MASTER, the VIP moves to BACKUP
systemctl stop keepalived
[root@master ~]# tcpdump -i em1 vrrp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:24.415708 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:25:25.416790 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:25:26.417831 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
The VIP is now on BACKUP.
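The tcpdump captures above are the quickest way to see which node is advertising. The script below is an added example, not part of the original post: it summarises such a capture per vrid. In a healthy pair only one source address advertises a given vrid; two advertisers for the same vrid means both nodes believe they are MASTER, which is the split-brain state produced when VRRP multicast is blocked by the firewall. The capture lines are constructed in the exact format tcpdump printed above; on a real host pipe `tcpdump -i em1 vrrp -n -c 20` into the function. Note also that `authtype simple` in the capture means the `auth_pass` value travels in clear text on the LAN, so keepalived's PASS authentication only guards against misconfiguration and is not an access control.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a
# "tcpdump -i em1 vrrp -n" capture per vrid and flag split-brain.
# Capture lines are constructed in the format tcpdump prints.

# Healthy pair: only the MASTER (192.168.1.7) advertises vrid 51.
CAPTURE_HEALTHY='16:17:56.949963 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:57.950994 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36'

# Split-brain: both nodes advertise vrid 51 because neither hears the other
# (constructed; this is what a firewall that drops VRRP multicast produces).
CAPTURE_SPLIT='16:30:01.000000 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:30:01.200000 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 95, authtype simple, intvl 1s, length 36
16:30:02.000000 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36'

# Read capture lines on stdin; print one line per vrid:
#   vrid <id> advertisers <n> <src>=<prio> [...] [SPLIT-BRAIN]
vrrp_advertisers() {
    awk '
        /VRRPv2, Advertisement/ {
            src = $3                       # source address of the advertisement
            vrid = ""; prio = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "vrid") { vrid = $(i + 1); sub(",", "", vrid) }
                if ($i == "prio") { prio = $(i + 1); sub(",", "", prio) }
            }
            key = vrid SUBSEP src
            if (!(key in seen)) {          # count each source once per vrid
                seen[key] = 1
                count[vrid]++
                nodes[vrid] = nodes[vrid] " " src "=" prio
            }
        }
        END {
            for (v in count) {
                line = "vrid " v " advertisers " count[v] nodes[v]
                if (count[v] > 1) line = line " SPLIT-BRAIN"
                print line
            }
        }' | sort
}

# "healthy" if every vrid has a single advertiser, otherwise "split-brain".
vrrp_state() {
    if vrrp_advertisers | grep -q 'SPLIT-BRAIN'; then
        echo split-brain
    else
        echo healthy
    fi
}

printf '%s\n' "$CAPTURE_HEALTHY" | vrrp_advertisers   # vrid 51 advertisers 1 192.168.1.7=100
printf '%s\n' "$CAPTURE_SPLIT" | vrrp_state           # split-brain
```

The per-source priority in the summary also makes it easy to confirm that the node advertising is the one that should win: the highest priority for a vrid is the one that ought to hold the VIP.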
Logging configuration
Optional
By default keepalived writes its log to the system log /var/log/messages; because the system log is busy, troubleshooting there is inconvenient.
We can give keepalived its own log file, which requires changing the log output path.
vim /etc/sysconfig/keepalived
# Options for keepalived. See `keepalived --help' output and keepalived(8) and
# keepalived.conf(5) man pages for a list of all options. Here are the most
# common ones :
#
# --vrrp -P Only run with VRRP subsystem.
# --check -C Only run with Health-checker subsystem.
# --dont-release-vrrp -V Dont remove VRRP VIPs & VROUTEs on daemon stop.
# --dont-release-ipvs -I Dont remove IPVS topology on daemon stop.
# --dump-conf -d Dump the configuration data.
# --log-detail -D Detailed log messages.
# --log-facility -S 0-7 Set local syslog facility (default=LOG_DAEMON)
#
#KEEPALIVED_OPTIONS="-D"
KEEPALIVED_OPTIONS="-D -d -S 0"
Change KEEPALIVED_OPTIONS="-D" to KEEPALIVED_OPTIONS="-D -d -S 0"; -S sets the syslog facility (0 is local0)
Configure rsyslog.conf
vim /etc/rsyslog.conf
local0.* /var/log/keepalived.log
systemctl restart rsyslog
systemctl restart keepalived
The log can now be viewed in /var/log/keepalived.log.