高可用keepalived之进阶

实现 master/master 的 Keepalived 双主架构

master/slave的单主架构,同一时间只有一个Keepalived对外提供服务,此主机繁忙,而另一台主机却
很空闲,利用率低下,可以使用master/master的双主架构,解决此问题。
master/master 的双主架构:
即将两个或以上VIP分别运行在不同的keepalived服务器,以实现服务器并行提供web访问的目的,提高
服务器资源利用率

#ha1主机配置
[root@ka1-centos8 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        root@qq.com
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka1.longxuan.vip
    vrrp_mcast_group4 224.8.8.188
}
vrrp_instance N520 {
    state MASTER #在另一个主机上为BACKUP
    interface eth0
    virtual_router_id 66 #每个vrrp_instance唯一
    priority 100 #在另一个主机上为80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456 #VRRP的PASS认证为明文传输,只能防止误配,不能当作安全措施;keepalived只使用口令的前8个字符
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1 #指定vrrp_instance各自的VIP
    }
}
vrrp_instance N521 { #添加 VI_2 实例
    state BACKUP #在另一个主机上为MASTER
    interface eth0
    virtual_router_id 88 #每个vrrp_instance唯一
    priority 80 #在另一个主机上为100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 12345678
    }
    virtual_ipaddress {
        172.31.0.200 dev eth0 label eth0:2 #指定vrrp_instance各自的VIP
    }
}

#ka2主机配置,和ka1配置只需五行不同
[root@ka2-centos8 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        root@qq.com
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka2.longxuan.vip #修改此行
    vrrp_mcast_group4 224.8.8.100 #注意:此处应与ka1的224.8.8.188保持一致,组播组不同时两节点互相收不到VRRP通告,会同时成为MASTER
}
vrrp_instance N520 {
    state BACKUP #此修改行为BACKUP
    interface eth0
    virtual_router_id 66
    priority 80 #此修改行为80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1
    }
}
vrrp_instance N521 {
    state MASTER #修改此行为MASTER
    interface eth0
    virtual_router_id 88
    priority 100 #修改此行为100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 12345678
    }
    virtual_ipaddress {
        172.31.0.200 dev eth0 label eth0:2
    }
}

实战案例:利用子配置文件实现master/master的Keepalived双主架构

范例:ka1配置

[root@centos8 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}
include /etc/keepalived/conf.d/*.conf

# 创建子目录
[root@centos8 ~]# mkdir /etc/keepalived/conf.d/ -p

# 项目1-master
[root@centos8 ~]# cat /etc/keepalived/conf.d/n520.conf
vrrp_instance n520 {
    state MASTER
    interface eth0
    virtual_router_id 66
    priority 100
    advert_int 1
    #nopreempt
    #preempt_delay 10
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1
    }
    unicast_src_ip 172.31.0.28
    unicast_peer{
       172.31.0.48
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

# 项目2-backup
[root@centos8 ~]# vim /etc/keepalived/conf.d/n521.conf
vrrp_instance n521 {
    state BACKUP
    interface eth0
    virtual_router_id 88
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 12345678
    }
    virtual_ipaddress {
        172.31.0.200 dev eth0 label eth0:2
    }
    unicast_src_ip 172.31.0.28
    unicast_peer{
       172.31.0.48
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

# 重启
[root@centos8 ~]# systemctl restart keepalived
检查ip

[root@centos8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:ac:f5:a4 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.28/16 brd 172.31.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 172.31.0.188/32 scope global eth0:1
       valid_lft forever preferred_lft forever
    inet 172.31.0.200/32 scope global eth0:2

范例:ka2配置

[root@centos8 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}
include /etc/keepalived/conf.d/*.conf

# 创建子目录
[root@centos8 ~]# mkdir /etc/keepalived/conf.d/ -p

# 项目1-backup
[root@centos8 ~]# cat /etc/keepalived/conf.d/n520.conf
vrrp_instance n520 {
    state BACKUP
    interface eth0
    virtual_router_id 66
    priority 80
    advert_int 1
    #nopreempt
    #preempt_delay 10   #如果设置延迟抢占模式,需要都是BACKUP,不然会造成脑裂
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1
    }
    unicast_src_ip 172.31.0.48
    unicast_peer{
       172.31.0.28
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

# 项目2-master
[root@centos8 ~]# cat /etc/keepalived/conf.d/n521.conf
vrrp_instance n521 {
    state MASTER
    interface eth0
    virtual_router_id 88
    priority 80 #注意:按上文设计此处应为100(ka1上的n521为80);两边都是80时,优先级相同,由节点IP较大的一方当选,本例中是ka2
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 12345678
    }
    virtual_ipaddress {
        172.31.0.200 dev eth0 label eth0:2
    }
    unicast_src_ip 172.31.0.48
    unicast_peer{
       172.31.0.28
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

# 重启keepalived
[root@centos8 ~]# systemctl restart keepalived

# 查看ip
[root@centos8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:16:9a:81 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.48/16 brd 172.31.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 172.31.0.200/32 scope global eth0:2
       valid_lft forever preferred_lft forever

查看ip

#ka1
[root@centos8 ~]# hostname -I
172.31.0.28 172.31.0.188

# ka2
[root@centos8 ~]# hostname -I
172.31.0.48 172.31.0.200

ka1主机故障,测试VIP漂移至ka2主机

[root@centos8 ~]# systemctl stop keepalived

[root@centos8 ~]# hostname -I
172.31.0.28

[root@centos8 ~]# hostname -I
172.31.0.48 172.31.0.188 172.31.0.200 

恢复ka1主机

[root@centos8 ~]# hostname -I
172.31.0.28 172.31.0.188

[root@centos8 ~]# hostname -I
172.31.0.48 172.31.0.200 

模拟脑裂现象

# ka1
[root@centos8 ~]# iptables -A INPUT -s 172.31.0.48 -j DROP
[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   480 DROP       all  --  *      *       172.31.0.48          0.0.0.0/0
...

[root@centos8 ~]# hostname -I
172.31.0.28 172.31.0.188 172.31.0.200

[root@centos8 ~]# hostname -I
172.31.0.48 172.31.0.200 

# ka2
[root@centos8 ~]# iptables -A INPUT -s 172.31.0.28 -j REJECT
[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   400 REJECT     all  --  *      *       172.31.0.28          0.0.0.0/0            reject-with icmp-port-unreachable
...

[root@centos8 ~]# hostname -I
172.31.0.48 172.31.0.200 172.31.0.188 

[root@centos8 ~]# hostname -I
172.31.0.28 172.31.0.188 172.31.0.200

总结脑裂现象:当ka1添加错误的iptables规则后,在ka1上查询ip会看到三个ip地址,而ka2查询到的还是原来的两个ip地址;如果ka2也添加了错误的iptables规则,ka2查询ip同样会看到三个ip地址。原因是backup收不到master发出的VRRP心跳通告,就会把VIP抢过来;但实际上master仍然存在,只是对方的VRRP通告被iptables丢弃/拒绝了,两台主机各自都认为自己是master,从而造成脑裂现象。

实现IPVS的高可用性

虚拟服务器配置结构

virtual_server IP port {
   ...
   real_server {
      ...
   }
   real_server {
     ...
   }
  …
}

virtual server (虚拟服务器)的定义格式

virtual_server IP port #定义虚拟主机IP地址及其端口
virtual_server fwmark int #ipvs的防火墙打标,实现基于防火墙的负载均衡集群
virtual_server group string #使用虚拟服务器组

虚拟服务器组

将多个虚拟服务器定义成一个组,统一对外服务,如:http和https定义成一个虚拟服务器组

#参考文档:/usr/share/doc/keepalived/keepalived.conf.virtual_server_group
virtual_server_group <STRING> {
# Virtual IP Address and Port
<IPADDR> <PORT>
<IPADDR> <PORT>
...
# <IPADDR RANGE> has the form
...

虚拟服务器配置

virtual_server IP port { #VIP和PORT
    delay_loop <INT> #检查后端服务器的时间间隔
    lb_algo rr|wrr|lc|wlc|lblc|sh|dh #定义调度方法
    lb_kind NAT|DR|TUN #集群的类型,注意要大写
    persistence_timeout <INT> #持久连接时长
    protocol TCP|UDP|SCTP #指定服务协议,一般为TCP
    sorry_server <IPADDR> <PORT> #所有RS故障时,备用服务器地址
    real_server <IPADDR> <PORT> { #RS的IP和PORT
        weight <INT> #RS权重
        notify_up <STRING>|<QUOTED-STRING> #RS上线通知脚本
        notify_down <STRING>|<QUOTED-STRING> #RS下线通知脚本
        HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK { ... } #定义当前主机健康状态检测方法
    }
}
#注意:括号必须分行写,两个括号写在同一行,如: }} 会出错

应用层监测

应用层检测:HTTP_GET|SSL_GET

HTTP_GET|SSL_GET {
   url {
      path <URL_PATH> #定义要监控的URL
      status_code <INT> #判断上述检测机制为健康状态的响应码,一般为 200
    }
    connect_timeout <INTEGER> #客户端请求的超时时长, 相当于haproxy的timeout server
    nb_get_retry <INT> #重试次数
    delay_before_retry <INT> #重试之前的延迟时长
    connect_ip <IP ADDRESS> #向当前RS哪个IP地址发起健康状态检测请求
    connect_port <PORT> #向当前RS的哪个PORT发起健康状态检测请求
    bindto <IP ADDRESS> #向当前RS发出健康状态检测请求时使用的源地址
    bind_port <PORT> #向当前RS发出健康状态检测请求时使用的源端口
}

范例:

virtual_server 172.31.0.188 80 {
    delay_loop 3
    lb_algo rr
    lb_kind DR
    protocol TCP
    sorry_server 127.0.0.1 80
    real_server 172.31.0.17 80 {
        weight 1
        HTTP_GET {
           url {
               path /monitor.html
               status_code 200
           }
           connect_timeout 1
           nb_get_retry 3
           delay_before_retry 1
        }
    }
    real_server 172.31.0.27 80 {
        weight 1
        HTTP_GET {
           url {
               path /
               status_code 200
           }
           connect_timeout 1
           nb_get_retry 3
           delay_before_retry 1
        }
    }
}

TCP监测

传输层检测:TCP_CHECK

TCP_CHECK {
    connect_ip <IP ADDRESS> #向当前RS的哪个IP地址发起健康状态检测请求
    connect_port <PORT> #向当前RS的哪个PORT发起健康状态检测请求
    bindto <IP ADDRESS> #发出健康状态检测请求时使用的源地址
    bind_port <PORT> #发出健康状态检测请求时使用的源端口
    connect_timeout <INTEGER> #客户端请求的超时时长, 等于haproxy的timeout server
}

范例:

virtual_server 172.31.0.188 80 {
    delay_loop 6
    lb_algo wrr
    lb_kind DR
    #persistence_timeout 120 #会话保持时间
    protocol TCP
    sorry_server 127.0.0.1 80
    real_server 172.31.0.17 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
            }
    }
    real_server 172.31.0.27 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}

实战案例1:实现单主的 LVS-DR 模式

准备web服务器并使用脚本绑定VIP至web服务器lo网卡

#准备两台后端RS主机
[root@rs1 ~]# cat lvs_dr_rs.sh
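#!/bin/bash
#Author:xuanlv
#Date:2021-06-13
#
# LVS-DR real-server helper: installs/starts httpd, publishes the hostname
# as the test page, then binds the VIP to a loopback alias with the ARP
# sysctls that stop this RS from answering or announcing ARP for the VIP.
#
# Usage: lvs_dr_rs.sh start|stop
#   start - arp_ignore=1 / arp_announce=2 on all+lo, VIP up on lo:1
#   stop  - VIP alias down, ARP sysctls reset to 0
#
# The argument is validated before any side effect, so a bad argument no
# longer installs httpd or overwrites index.html before printing usage.
set -euo pipefail

vip=172.31.0.188
mask='255.255.255.255'
dev=lo:1

#######################################
# Write arp_ignore / arp_announce for both "all" and "lo".
# Arguments: $1 - arp_ignore value, $2 - arp_announce value
#######################################
set_arp() {
  local ignore=$1 announce=$2
  local iface
  for iface in all lo; do
    echo "$ignore" > "/proc/sys/net/ipv4/conf/${iface}/arp_ignore"
    echo "$announce" > "/proc/sys/net/ipv4/conf/${iface}/arp_announce"
  done
}

#######################################
# Ensure httpd is installed and running, and serve the hostname so a
# client can tell which RS answered.
#######################################
prepare_httpd() {
  rpm -q httpd &> /dev/null || yum -y install httpd &> /dev/null
  service httpd start &> /dev/null && echo "The httpd Server is Ready!"
  echo "<h1>$(hostname)</h1>" > /var/www/html/index.html
}

action=${1:-}
case "$action" in
  start|stop) ;;
  *)
    echo "Usage: ${0##*/} start|stop" >&2
    exit 1
    ;;
esac

prepare_httpd

if [[ "$action" == start ]]; then
  set_arp 1 2
  # ifconfig brings the alias up when it assigns the address.
  ifconfig "$dev" "$vip" netmask "$mask"
  echo "The RS Server is Ready!"
else
  ifconfig "$dev" down
  set_arp 0 0
  echo "The RS Server is Canceled!"
fi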

# 执行
[root@rs1 ~]# bash lvs_dr_rs.sh start
[root@rs2 ~]# bash lvs_dr_rs.sh start

#测试直接访问两台RS

配置keepalived

#ka1节点的配置
[root@ka1-centos8 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
   notification_email {
       root@localhost
   }
   notification_email_from keepalived@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id ka1.longxuan.vip
   vrrp_mcast_group4 224.0.100.100
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 66
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
    }
    virtual_server 172.31.0.188 80 {
        delay_loop 3
        lb_algo rr
        lb_kind DR
        protocol TCP
        sorry_server 127.0.0.1 80
        real_server 172.31.0.27 80 {
            weight 1
            HTTP_GET { #应用层检测
                url {
                   path /
                   status_code 200
                }
                connect_timeout 1
                nb_get_retry 3
                delay_before_retry 1
            }
        }
        real_server 172.31.0.37 80 {
            weight 1
            TCP_CHECK { #另一台主机使用TCP检测
                connect_timeout 5
                nb_get_retry 3
                delay_before_retry 3
                connect_port 80
            }
        }
}

#ka2节点的配置,配置和ka1基本相同,只需修改三行
[root@ka2-centos8 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka2.longxuan.vip #修改此行
    vrrp_mcast_group4 224.0.100.100
}
vrrp_instance VI_1 {
    state BACKUP #修改此行
    interface eth0
    virtual_router_id 66
    priority 80 #修改此行
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
    }
virtual_server 172.31.0.188 80 {
    delay_loop 3
    lb_algo rr
    lb_kind DR
    protocol TCP
    sorry_server 127.0.0.1 80
    real_server 172.31.0.27 80 {
        weight 1
        HTTP_GET {
            url {
               path /
               status_code 200
            }
            connect_timeout 1
            nb_get_retry 3
            delay_before_retry 1
        }
    }
    real_server 172.31.0.37 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}

访问测试结果

root@long:~# curl 172.31.0.188
<h1>rs2 web</h1>
root@long:~# curl 172.31.0.188
<h1>rs1 web</h1>

安装ipvsadm

[root@ka1 ~]# yum install ipvsadm -y
# 查看ipvsadm
[root@ka1 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.31.0.188:80 rr
  -> 172.31.0.27:80               Route   1      0          0
  -> 172.31.0.37:80               Route   1      0          0

模拟故障

#第一台RS1故障后会自动切换至RS2。故障刚发生时,请求仍可能被调度到RS1(此时得到的是错误页面);健康检测连续失败达到重试次数后,RS1才会被剔除,之后只调度到RS2
root@long:~# curl 172.31.0.188
<h1>rs2 web</h1>
root@long:~# curl 172.31.0.188
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
root@long:~# curl 172.31.0.188
<h1>rs2 web</h1>
root@long:~# curl 172.31.0.188

#检查ipvsadm还有一台可以调度,说明机器不能调度后,ipvsadm会自动剔除掉
[root@ka2 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.31.0.188:80 rr
  -> 172.31.0.37:80               Route   1      0          0

当后端两台RS都故障时,才会启用Sorry Server(本例为127.0.0.1:80),前提是ka1本机必须安装并运行web服务器;只要后端RS中有一台恢复,就不会再访问Sorry Server

root@long:~# curl 172.31.0.188
Sorry Server

实战案例2:实现双主的 LVS-DR 模式

[root@ka1-centos8 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka1     #另一个节点为ka2
    vrrp_mcast_group4 224.0.100.10
}
vrrp_instance VI_1 {
    state MASTER    #在另一个结点上为BACKUP
    interface eth0
    virtual_router_id 66
    priority 100   #在另一个结点上为80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.188 dev eth0 label eth0:1 #指定VIP
    }
}
vrrp_instance VI_2 {
    state BACKUP #在另一个结点上为MASTER
    interface eth0
    virtual_router_id 88
    priority 80 #在另一个结点上为100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        172.31.0.200/24 dev eth0 label eth0:2 #指定VIP2
    }
}
virtual_server 172.31.0.17 80 { #注意:此处应为VIP1 172.31.0.188(与VI_1的virtual_ipaddress一致),否则发往VIP1:80的请求不会经过ipvs调度
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol TCP
    sorry_server 127.0.0.1 80
    real_server 172.31.0.27 80 { #指定RS1地址
        weight 1
        HTTP_GET {
            url {
               path /
               status_code 200
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 172.31.0.37 80 { #指定RS2地址
        weight 1
        HTTP_GET {
            url {
                path /
                status_code 200
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
virtual_server 172.31.0.200 80 { #指定VIP2
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol TCP
    sorry_server 127.0.0.1 80
    real_server 172.31.0.27 80 { #指定RS3地址
        weight 1
        HTTP_GET {
            url {
                path /
                status_code 200
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 172.31.0.37 80 { #指定RS4地址
        weight 1
        HTTP_GET {
            url {
                path /
                status_code 200
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}