Configuring the firewall on CentOS 7 to let Keepalived through
-
So I started by checking whether the master and backup keepalived configuration files had errors and whether the vrid values matched; in the end the configuration files turned out to be fine.

Next I checked whether it was a network problem:

```
tcpdump -i eth0|grep VRRP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:00:53.202437 IP 192.168.8.123 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 100, authtype simple, intvl 1s, length 20
21:00:53.202964 IP 192.168.8.126 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
21:00:53.204638 IP keepalived-slave > vrrp.mcast.net: VRRPv2, Advertisement, vrid 66, prio 80, authtype simple, intvl 1s, length 20
```

This showed that the keepalived backup server was receiving the VRRP packets normally.

Finally, considering that firewalld was enabled on this host, I started working on the problem from the firewall side.
Keepalived is a lightweight HA cluster solution, but once the firewall is enabled the nodes can no longer see each other's state, and each of them binds the virtual IP itself. Many articles online say to allow tcp/112 in the firewall; on CentOS 7 that has no effect, because VRRP is IP protocol number 112, not a TCP port, so a port rule never matches it. The correct approach is to allow the VRRP protocol, as follows:

```
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --reload
```

Keepalived sends VRRP over multicast, with the default address 224.0.0.18, so the firewall has to be configured to let that traffic through.
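As an added example (not code from the original post), a bash script that checks both sides of the problem described above: whether the two firewalld direct rules are present in the output of `firewall-cmd --direct --get-all-rules` (a one-rule-per-line format is assumed), and whether a tcpdump capture in the format shown above contains a vrid advertised by more than one source, which is the split-brain symptom the post describes. The sample capture below is constructed, not taken from the post.

```bash
#!/bin/bash
# Constructed sample capture in the same format as the post's tcpdump output:
# vrid 50 is advertised by two different sources (the split-brain symptom).
SAMPLE_CAPTURE='21:00:53.202437 IP 192.168.8.123 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 100, authtype simple, intvl 1s, length 20
21:00:53.202964 IP 192.168.8.126 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
21:00:54.201112 IP 192.168.8.124 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 50, prio 90, authtype simple, intvl 1s, length 20'

# Read tcpdump lines from stdin; print every vrid that is advertised by more
# than one source together with those sources, and exit 1 if any is found.
vrrp_split_brain() {
  awk '
    /VRRPv2, Advertisement/ {
      src = $3                                   # "IP <src> > vrrp.mcast.net:"
      for (i = 1; i <= NF; i++) if ($i == "vrid") vrid = $(i + 1)
      sub(/,$/, "", vrid)                        # strip trailing comma
      if (!((vrid, src) in seen)) {
        seen[vrid, src] = 1
        count[vrid]++
        srcs[vrid] = srcs[vrid] " " src
      }
    }
    END {
      bad = 0
      for (v in count) if (count[v] > 1) {
        bad = 1
        print "vrid " v " advertised by " count[v] " sources:" srcs[v]
      }
      exit bad
    }'
}

# Read `firewall-cmd --direct --get-all-rules` output from stdin and return 0
# only if the INPUT and OUTPUT rules from the post are both present
# (assumed format: "ipv4 filter INPUT 0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT").
vrrp_rules_present() {
  local rules chain
  rules=$(cat)
  for chain in INPUT OUTPUT; do
    printf '%s\n' "$rules" | grep -q -- "ipv4 filter $chain .*--destination 224.0.0.18 --protocol vrrp -j ACCEPT" || return 1
  done
  return 0
}

# Apply the post's rules (needs root and firewalld on the host).
apply_vrrp_rules() {
  local chain
  for chain in INPUT OUTPUT; do
    firewall-cmd --direct --permanent --add-rule ipv4 filter "$chain" 0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
  done
  firewall-cmd --reload
}

# Typical use on a node:
#   firewall-cmd --direct --get-all-rules | vrrp_rules_present || apply_vrrp_rules
#   tcpdump -i eth0 -c 200 | vrrp_split_brain
```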