keepalived通过脚本检测实现虚拟ip漂移

需求:
当主机、mysql服务不可用时,漂移VIP到备机,备机接替工作。

keepalived主机:

global_defs
{
 notification_email
 {
 xxx@qq.com
 }

 notification_email_from root@localhost
 smtp_server localhost
 smtp_connect_timeout 30
 router_id lvs_master
}


vrrp_script chk_mysql_port # declares the check script; it must appear before the vrrp_instance whose track_script references it
{
 script "/root/check.sh"   # executed by keepalived as root: keep it root-owned and not writable by other users (see enable_script_security in keepalived.conf(5))
 interval 1                # seconds between runs
}

vrrp_instance VI_1
{
 state MASTER                # initial role; the backup node uses BACKUP with a lower priority
 interface eth0              # interface that carries the VIP and the VRRP advertisements
 virtual_router_id 51        # VRRP group id; identical on both nodes
 priority 100                # backup is 99; without nopreempt this node reclaims the VIP when it recovers
 advert_int 1                # seconds between advertisements

 authentication
 {
 auth_type PASS              # PASS is sent in cleartext with every advertisement; it does not protect against a host on the same segment
 auth_pass 1111              # placeholder value; must match the backup; only the first 8 characters are used
 }

 virtual_ipaddress
 {
 192.168.200.16              # the floating VIP
 }

 track_script # runs the vrrp_script declared above; a non-zero exit takes the instance out of MASTER (FAULT state)
 {
 chk_mysql_port
 }

}

vrrp_script 一定要写在 vrrp_instance 之上,否则下面的 track_script 是不会执行的

keepalived备机:

global_defs
{
 notification_email
 {
 xxx@qq.com
 }

 notification_email_from root@localhost
 smtp_server localhost
 smtp_connect_timeout 30
 router_id lvs_slave
}

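vrrp_instance VI_1
{
 state BACKUP          # keepalived accepts MASTER or BACKUP here; "SLAVE" is not a valid state keyword
 interface eth0
 virtual_router_id 51  # same VRRP group as the master
 priority 99           # lower than the master's 100
 advert_int 1

 authentication
 {
 auth_type PASS
 auth_pass 1111        # must equal the master's; placeholder value, sent in cleartext on the wire
 }

 virtual_ipaddress
 {
 192.168.200.16        # the floating VIP, identical to the master's
 }
}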

脚本内容:

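#!/bin/bash
# check.sh - MySQL liveness probe run by keepalived's vrrp_script.
#
# Counts TCP sockets in LISTEN state whose local port is 3306.  Field 4 of
# "netstat -tnl" is the local address, so the match is anchored on ":3306"
# at the end of that field; a bare "grep 3306" would also count port 33060,
# a foreign address, or a PID that happens to contain 3306.
# If no listener is found, keepalived is stopped so the VIP fails over to
# the backup node.
#
# Arguments: $1 - TCP port to probe (optional, default 3306)
# Outputs:   nothing on stdout; a diagnostic on stderr when the check fails
# Returns:   0 when at least one listener exists, 1 when none was found
#
# keepalived runs this script as root: keep it owned by root and not
# writable by other users (newer keepalived versions refuse to execute a
# script with unsafe permissions; see enable_script_security).
set -u

port=${1:-3306}

# "-p" is not needed for counting and would require root for PID lookup.
listeners=$(netstat -tnl 2>/dev/null \
  | awk -v p="$port" '$4 ~ (":" p "$") { n++ } END { print n + 0 }')

# "at least one" rather than "exactly one": a server listening on both
# IPv4 and IPv6 shows two lines and is still healthy.
if [ "${listeners:-0}" -lt 1 ]; then
  printf 'check.sh: no TCP listener on port %s, stopping keepalived\n' "$port" >&2
  service keepalived stop
  exit 1
fi
exit 0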

keepalived从机接管后主机恢复不抢占VIP

在lvs+keepalived环境中,为了减小keepalived主从切换带来的意外风险,设置主机恢复后不抢占VIP。
待 vrrp 协议通告备机不可用时再切换。主要修改两个地方(下面配置中的 state BACKUP 和 nopreempt 两处)。

只需修改主服务器state MASTER改为state BACKUP并添加nopreempt

! Configuration File for keepalived

global_defs {
notification_email {
acassen@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server localhost
smtp_connect_timeout 30
router_id mfs_master
}

vrrp_instance VI_1 {
state BACKUP
interface eth1
virtual_router_id 51
priority 100
nopreempt
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.0.11
}
}

拔线测试即可。

使用keepalived时iptables需要开放的协议

原理说明:
1、 通过vrrp协议广播,每个keepalived vrrp都去争取master
2、 以virtual_router_id为组队标识。 同为一个vip服务的keepalived的virtual_router_id相同
3、 以priority 为权值,同一个virtual_router_id下那个priority大那个就是master,其它为backup
之前实验都是关闭iptables配置keepalived,后来开启iptables后,发现主从切换,vip无法获取或者释放。
因为iptables过滤了vrrp协议:它像icmp一样是独立的IP协议,不使用端口,需要单独放行。
iptables -A INPUT -p vrrp -j ACCEPT
或者直接写入到/etc/sysconfig/iptables中即可。

我这里的iptables脚本:

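#!/bin/bash
# Host firewall for a keepalived/LVS node.
#
# Flushes the filter table, accepts the services this node exposes plus
# VRRP, then sets the INPUT policy to DROP, saves and reloads the ruleset.
# The ACCEPT rules are added *before* the DROP policy is applied so that an
# interrupted run cannot lock out the SSH session that started the script;
# the resulting ruleset is identical to applying the policy first.
#
# Globals:   none
# Arguments: none
# Returns:   exit status of "service iptables restart"
set -u

# TCP services accepted from anywhere: 22 = ssh, 873 = rsync,
# 9419/9420/9421/9425 = application ports served by this node.
tcp_ports=(22 9419 9420 9421 9425 873)

iptables -F
iptables -X
iptables -Z

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
for port in "${tcp_ports[@]}"; do
  iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done
iptables -A INPUT -p icmp -j ACCEPT
# VRRP is an IP protocol of its own with no ports; without this rule the
# peers never see each other's advertisements and both claim the VIP.
# Advertisements go to the multicast group 224.0.0.18, so "-d 224.0.0.18"
# can narrow this rule when unicast_peer is not in use.
iptables -A INPUT -p vrrp -j ACCEPT

# Policies last: every ACCEPT rule above is already in place.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

service iptables save
service iptables restart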

keepalived+lvs构建高可用 实战篇

上一篇文章中说到了两台机器之间的热备问题,并且已经实现主机down机后,备份机自动接管VIP。现在需要在此基础上不仅要提供主备之间自动切换,而且实现real server健康检查,通过keepalived就可以实现,因为2.6版本以后的内核都默认支持ipvs,不需要再单独安装lvs。通过keepalived参数定义即可实现lvs功能。

服务器环境IP信息:
real server 1        :192.168.1.10
real server 2        :192.168.1.11
direct server master :192.168.1.12
direct server slaves :192.168.1.13
VIP                  :192.168.1.14

查看是否支持:

[root@localhost ~]# modprobe -l | grep ipvs
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_dh.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_lblc.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_lblcr.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_lc.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_nq.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_rr.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_sed.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_sh.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_wlc.ko
/lib/modules/2.6.18-194.el5/kernel/net/ipv4/ipvs/ip_vs_wrr.ko

本文章跟之前有关keepalived包括lvs文章中出现的ip信息不一样,这是因为一部分是在公司部署环境并记录的,一部分是在家中,IP信息不一样,大家注意一下。

安装keepalived前面已经说过,不再提,编辑主配置文件:

! Configuration File for keepalived

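# Director (LVS master) configuration.
# keepalived comments start with '#' or '!'; the inline '//' annotations of
# the original are not comment syntax and would break parsing, so they have
# been converted here.  The original also had one closing brace too many
# after the last real_server block.
global_defs {
   notification_email {
   root@networkquestions.org
   }
   notification_email_from venus@networkquestions.org
   smtp_server localhost
   smtp_connect_timeout 30
   router_id LVS_Node_master
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111              # placeholder; PASS is cleartext and only the first 8 characters are used
    }
    virtual_ipaddress {
        192.168.1.14                # VIP that serves clients
    }
}

virtual_server 192.168.1.14 80 {    # LVS virtual server: VIP and port
    delay_loop 6                    # seconds between health-check rounds
    lb_algo rr                      # scheduler: round robin
    lb_kind DR                      # direct routing; real servers must hold the VIP on a non-ARPing interface (see the real-server script referenced in the text)
    persistence_timeout 50          # session persistence, seconds
    protocol TCP                    # forwarded protocol

    real_server 192.168.1.10 80 {   # backend node
        weight 1                    # scheduling weight
        TCP_CHECK {                 # TCP connect health check
            connect_timeout 3       # connect timeout, seconds
            nb_get_retry 3          # retries before the node is removed
            delay_before_retry 3    # seconds between retries
        }
    }
    real_server 192.168.1.11 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}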

保存,退出,在direct server BACKUP中直接复制粘贴以上部分。只需修改从机为BACKUP状态和priority 99权值,小于主机即可。重启keepalived。

这样direct server和real server的健康检查配置完成。在real server中只需参考:https://www.rootop.org/pages/2078.html  运行real server的执行脚本即可。

direct server 主备切换测试:

停掉主direct server的keepalived服务,或者直接拔掉网线。

[root@localhost ~]# service keepalived stop
停止 keepalived: [确定]
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:5b:dd:da brd ff:ff:ff:ff:ff:ff
inet 192.168.1.12/24 brd 192.168.1.255 scope global eth0
inet6 fe80::20c:29ff:fe5b:ddda/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0

主服务器释放192.168.1.14 IP,查看备用服务器:

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:3b:7e:f3 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.13/24 brd 192.168.1.255 scope global eth0
inet 192.168.1.14/32 scope global eth0
inet6 fe80::20c:29ff:fe3b:7ef3/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0

备机接管vip。

通过浏览器访问VIP,返回内容正常。启动主服务器keepalived服务,重新接管VIP。

real server 健康检查:

停掉real server 1的web服务或者拔掉网线,查看direct server的 /var/log/messages

[root@localhost ~]# tail -f /var/log/messages
Feb 22 09:42:10 localhost Keepalived_healthcheckers[3353]: TCP connection to [192.168.1.10]:80 failed !!!
Feb 22 09:42:11 localhost Keepalived_healthcheckers[3353]: Removing service [192.168.1.10]:80 from VS [192.168.1.14]:80
Feb 22 09:42:11 localhost Keepalived_healthcheckers[3353]: Remote SMTP server [0.0.0.0]:25 connected.
Feb 22 09:42:12 localhost Keepalived_healthcheckers[3353]: SMTP alert successfully sent.
web服务停止后自动从vs中移出节点。

启动real server 1 的web服务,查看direct server 日志:
Feb 22 09:43:35 localhost Keepalived_healthcheckers[3353]: TCP connection to [192.168.1.10]:80 success.
Feb 22 09:43:35 localhost Keepalived_healthcheckers[3353]: Adding service [192.168.1.10]:80 to VS [192.168.1.14]:80
Feb 22 09:43:35 localhost Keepalived_healthcheckers[3353]: Remote SMTP server [0.0.0.0]:25 connected.
Feb 22 09:43:36 localhost Keepalived_healthcheckers[3353]: SMTP alert successfully sent.

web服务恢复后节点自动加到vs中。此过程中,运维只需要修复web服务,无需对keepalived做任何配置。

 

 

keepalived 基本配置测试篇

之前写了基本的安装,现在简单配置测试一下,主要看切换效果。

keepalived官方手册:http://www.keepalived.org/pdf/UserGuide.pdf

服务器信息:
master : 192.168.1.51
backup : 192.168.1.50
VIP       : 192.168.1.55

主服务器配置 /etc/keepalived/keepalived.conf :

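# Master node configuration.
# keepalived comments start with '#' or '!'; the inline '//' annotations of
# the original are not comment syntax and must not be present in
# /etc/keepalived/keepalived.conf.  The mcast_src_ip line, which had run
# together with virtual_router_id, is restored to its own line.
global_defs {
    notification_email {
        root@networkquestions.org                      # alert recipient
    }
    notification_email_from warn@networkquestions.org  # sender address
    smtp_server localhost                              # SMTP relay; localhost here
    smtp_connect_timeout 30                            # SMTP connect timeout, seconds
    router_id node1                                    # node name
}

vrrp_instance VI_1 {
    state MASTER                 # initial role of this node
    interface eth0               # interface the VIP is bound to
    virtual_router_id 51         # VRRP group id; must be identical on both nodes
    mcast_src_ip 192.168.1.51    # source address of the multicast advertisements; defaults to the interface address
    priority 100                 # must be higher than the backup's
    advert_int 1                 # advertisement interval, seconds; identical on both nodes
    authentication {             # must match on both nodes; PASS is cleartext and only the first 8 characters are used
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.55             # the floating VIP
    }
}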

我这里只保留了以上部分,其它参数全部删除。

从服务器配置 /etc/keepalived/keepalived.conf :

global_defs {
notification_email {
acassen@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server localhost
smtp_connect_timeout 30
router_id node2
}

vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
mcast_src_ip 192.168.1.50      //从服务器ip
priority 99                                   //小于主服务器
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.55
}
}

保存退出,重启keepalived。

主服务器执行:
[root@rhel ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:d4:de:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.51/24 brd 192.168.1.255 scope global eth0
inet 192.168.1.55/32 scope global eth0
inet6 fe80::20c:29ff:fed4:de01/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:d4:de:0b brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
看到192.168.1.55 已经绑定到eth0中。
tail -f /var/log/messages 会有相关信息输出。

现在拔掉主服务器网线,去从服务器查看:
[root@rhel ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:7f:5b:93 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0
inet 192.168.1.55/32 scope global eth0
inet6 fe80::20c:29ff:fe7f:5b93/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0c:29:7f:5b:9d brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
接管了192.168.1.55 绑定到eth0

插上主服务器的网线,重启keepalived,再次执行 ip a,发现重新接管VIP。
测试完成。

PS:

keepalived 互为主备,当同一时间只有一台节点接管vip时,另一台处于备份状态,利用率不高,所以配置两个VIP,互为主备。

节点1:

global_defs {
   notification_email {
     xxx@qq.com
   }
   notification_email_from root@localhost
   smtp_server localhost
   smtp_connect_timeout 30
   router_id node1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.200.16
    }
}

vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 99
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.200.26
    }
}

节点2:

global_defs {
   notification_email {
     xxx@qq.com
   }
   notification_email_from root@localhost
   smtp_server localhost
   smtp_connect_timeout 30
   router_id node2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 99
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.200.16
    }
}

vrrp_instance VI_2 {
    state MASTER
    interface eth0
    virtual_router_id 52
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.200.26
    }
}