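1 Keepalived deployment
Keepalived has two main functions:
1. Working with LVS to monitor the state of backend servers
2. High availability
1.1 Installing Keepalived with yum
- Environment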
CentOS 7
ka-1:10.0.0.237
ka-2:10.0.0.227
- Version shipped with CentOS 7
keepalived.x86_64 1.3.5-16.el7
- Main configuration file
/etc/keepalived/keepalived.conf
- global_defs: global configuration items
global_defs {
notification_email { # addresses notified when KA detects a real server or load balancer failure
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc # sender address for the notifications
smtp_server 192.168.200.1 # SMTP server used to send them
smtp_connect_timeout 30
router_id LVS_DEVEL
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
}
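- vrrp_instance: configuration of the virtual router and the physical servers
vrrp_instance VI_1 { # one physical instance of a virtual router group; instance names must be unique within the same KA group
state MASTER # initial state of this node in the virtual router: MASTER or BACKUP
interface eth0 # physical interface bound to this virtual router, e.g. ens32, eth0, bond0, br0
virtual_router_id 51 # unique identifier of this virtual router, range 0-255
priority 100 # priority of this physical node within the virtual router, range 1-254
advert_int 1 # interval between VRRP advertisements, default 1s
authentication { # authentication mechanism
auth_type PASS
auth_pass 1111 # only the first 8 characters are used
}
virtual_ipaddress { # virtual IPs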
192.168.200.16
192.168.200.17
192.168.200.18
}
}
- virtual_server: used together with LVS to health-check backend servers; if Keepalived is not used with LVS, this section can be deleted
virtual_server 192.168.200.100 443 {
delay_loop 6
lb_algo rr
lb_kind NAT
persistence_timeout 50
protocol TCP
real_server 192.168.201.100 443 {
weight 1
SSL_GET {
url {
path /
digest ff20ad2481f97b1754ef3e12ecd3a9cc
}
url {
path /mrtg/
digest 9b3a0c85a887a256d6939da88aabd8cd
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
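- track_interface: network interfaces to monitor; if one fails, the node moves to the FAULT state so that the address fails over
track_interface { # network interfaces to monitor; on failure the node enters FAULT and the address moves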
eth0
eth1
… }
- Main program
/usr/sbin/keepalived
- Unit File
/usr/lib/systemd/system/keepalived.service
- Environment file for the unit file
/etc/sysconfig/keepalived
KEEPALIVED_OPTIONS="-D" #Detailed log messages
10.0.0.237
[12:36:53 root@ka-1 ~]#yum -y install keepalived
10.0.0.227
[12:36:58 root@ka-2 ~]#yum -y install keepalived
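1.2 Keepalived global configuration - global defs
1.2.1 router_id
# Uniquely identifies a server within a LAN; defaults to the server's hostname. It is the identity this server uses in its advertisements
router_id LVS_DEVEL --> router_id 10.0.0.237 master
router_id LVS_DEVEL --> router_id 10.0.0.227 backup
1.2.2 vrrp_skip_check_adv_addr
vrrp_skip_check_adv_addr # Checking every packet is expensive; with this option, if a received packet comes from the same router (same router_id) as the previous one, the source address check is skipped. Usually enabled to save resources
1.2.3 vrrp_strict
# In production this is usually changed to unicast addresses, especially with many load balancers: if all of them communicate over one multicast address, every load balancer receives every advertisement
# Usually each group of load balancers advertises only to the IP addresses of its peers
vrrp_strict # Strictly follow the VRRP protocol. Not allowed under strict mode: 1. no VIP address, 2. unicast peers configured, 3. IPv6 addresses in VRRP version 2. If these are violated, KA cannot start. Strict mode is usually not enabled in production
1.2.4 Advertisement send delay
# A send delay is usually not configured
vrrp_garp_interval 0 # delay between gratuitous ARP messages
vrrp_gna_interval 0 # delay between unsolicited NA messages
1.2.5 Multicast address configuration
vrrp_mcast_group4 224.0.0.18 # default multicast IP address; range 224.0.0.0 to 239.255.255.255
By default the master node sends an advertisement to the multicast address every second, and the backup nodes listen on the multicast address to receive the advertisements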
[16:41:46 root@ka-1 ~]#tcpdump -i eth0 -nn host 224.0.0.18
16:41:43.696128 IP 10.0.0.237 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:41:44.701212 IP 10.0.0.237 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:41:45.703655 IP 10.0.0.237 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
[16:39:48 root@ka-2 ~]#tcpdump -i eth0 -nn host 224.0.0.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:16.325102 IP 10.0.0.237 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:42:17.329922 IP 10.0.0.237 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
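1.3 Keepalived virtual router configuration - virtual instance
vrrp_instance VI_1 { # one physical instance of a virtual router group; instance names must be unique within the same KA group. Note that which server ends up holding the VIP is decided by node priority, not by which node is declared master, although the master's priority is normally higher than the backup's
state MASTER # initial state of this node in the virtual router: MASTER or BACKUP
interface eth0 # physical interface bound to this virtual router, i.e. the host interface that carries the VIP, e.g. ens32, eth0, bond0, br0
virtual_router_id 100 # unique identifier of this virtual router, range 0-255; this is the router id of the virtual router KA creates for this group of load balancers
priority 100 # priority of this physical node within the virtual router group, range 1-254
advert_int 1 # interval between VRRP advertisements, default 1s; the node with the highest priority holds the VIP and sends the advertisements, and the backup nodes receive them
authentication { # authentication mechanism
auth_type PASS # simple password, carried in cleartext in every advertisement
auth_pass 1111 # only the first 8 characters are used; every load balancer in the same group uses the same password
}
virtual_ipaddress { # virtual IPs; must be in the same subnet as the server, able to reach the server's gateway, and not already in use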
192.168.200.16
192.168.200.17
192.168.200.18
}
}
- 10.0.0.237 as master
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id 10.0.0.237
vrrp_skip_check_adv_addr
vrrp_iptables # keepalived installed via yum automatically generates iptables rules that block ping on the local physical NIC; with this parameter the iptables rules are not generated
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance HAproxy {
state MASTER
interface eth0
virtual_router_id 100
priority 101
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:0
}
}
- 10.0.0.227 as backup
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id 10.0.0.227
vrrp_iptables
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance HAproxy {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:0
}
}
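- Verify that the VIP is created and bound on the master node 10.0.0.237
- Stop the KA service on the master and verify that the VIP moves to the backup node
- When a failover happens, no packets are lost: the backup server takes over the VIP almost instantly, because by default an advertisement is sent every 1s, and as soon as the backup receives no advertisement from the master within 1s it takes over the VIP. However, network latency sometimes keeps advertisements from reaching the backup in time. If the backup takes the VIP while the master is still running, the VIP is active on both master and backup and split brain occurs, so the advertisement interval is usually set longer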
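1.4 Preemptive and non-preemptive
1.4.1 High availability with HAProxy and KA
First make sure the KA service is running on both 10.0.0.237 and 10.0.0.227, otherwise the VIP cannot be bound
Install HAProxy with yum on 10.0.0.237 and 10.0.0.227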
10.0.0.237
[15:30:25 root@ka-1 ~]#yum -y install haproxy
[15:34:16 root@ka-1 ~]#vim /etc/haproxy/haproxy.cfg
listen apache-80
bind 10.0.0.100:80
mode http
server 10.0.0.217 10.0.0.217:80 check inter 3s fall 3 rise 5
[15:35:25 root@ka-1 ~]#systemctl enable --now haproxy
Created symlink from /etc/systemd/system/multi-user.target.wants/haproxy.service to /usr/lib/systemd/system/haproxy.service.
[15:39:11 root@ka-1 ~]#vim /etc/haproxy/haproxy.cfg
[15:39:51 root@ka-1 ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 10.0.0.100:80 *:* # the master is listening on port 80 of the VIP
10.0.0.227
listen apache-80
bind 10.0.0.100:80
mode http
server 10.0.0.217 10.0.0.217:80 check inter 3s fall 3 rise 5
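At this point HAProxy on 10.0.0.227 cannot start, because by default HAProxy cannot listen on an IP address that the host does not have; a kernel parameter has to be adjusted
Both 10.0.0.237 and 10.0.0.227 need the change; otherwise, once the master fails and the VIP moves to the backup, the master no longer has the VIP and cannot listen on it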
[15:47:29 root@ka-2 ~]#vim /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind = 1
[15:48:23 root@ka-2 ~]#sysctl -p
net.ipv4.ip_nonlocal_bind = 1
[15:42:43 root@ka-1 ~]#sysctl -p
net.ipv4.ip_nonlocal_bind = 1
# Now both HAProxy instances can start normally, even when the VIP is not on the local host
Start another VM, 10.0.0.217, and install Apache
[15:31:45 root@apache ~]#yum -y install httpd
[15:32:59 root@apache ~]#echo 10.0.0.217-webpage > /var/www/html/index.html
[15:33:13 root@apache ~]#systemctl enable --now httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
Access test: the VIP is currently on the master node
[15:41:21 root@ka-1 ~]#curl 10.0.0.100
10.0.0.217-webpage
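Stop the KA service on the master node and observe the failover delay; since the interval is 1s, the delay is at most one second
1.4.2 Preemptive and non-preemptive configuration
1.4.2.1 Preemptive
By default KA is preemptive: after the master recovers, it takes the VIP back. If the VIP must run on a particular master server, use the default preemptive mode
1.4.2.2 Non-preemptive
To enable non-preemptive mode, every load balancer must be configured as a backup node, with priority deciding which one acts as master and which as backup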
- 10.0.0.237
vrrp_instance HAproxy {
state BACKUP
nopreempt
- 10.0.0.227
vrrp_instance HAproxy {
state BACKUP
nopreempt
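Non-preemptive mode is generally used when the LAN fluctuates a lot, to reduce VIP switching between the two nodes. In production, consider using a Keepalived monitoring script to watch the VIP state and notify the operations staff for troubleshooting as soon as the VIP moves
In addition, a dedicated link is recommended for carrying the Keepalived advertisements, so that in preemptive mode network fluctuation does not keep the backup node from receiving the master's advertisements in time and cause the VIP to flap between master and backup
When the load balancers carry several services, or when the servers have identical specifications, preemptive mode is generally used, to avoid all the services' VIPs ending up on the same load balancer in non-preemptive mode and overloading it
1.4.2.3 Preemption delay mode
After the master node recovers, it does not take the VIP back immediately but waits for a period of time; this must be configured on the master node
It is also generally used when the network is unstable and advertisements cannot reach the backup in time, causing the VIP to move back and forth between master and backup
# nopreempt   (comment out non-preemptive mode on both master and backup nodes)
# vrrp_strict   (strict mode must be disabled as well)
preempt_delay 60 # preemption delay mode, default delay 300s; requires state BACKUP on every keepalived server
1.5 Sending advertisements over unicast addresses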
- 10.0.0.237
unicast_src_ip 10.0.0.237 # local IP address used as the source IP of the advertisements
unicast_peer {
10.0.0.227 # IP of the backup node, the receiver of the advertisements
}
- 10.0.0.227
unicast_src_ip 10.0.0.227
unicast_peer {
10.0.0.237
}
[16:59:36 root@ka-1 ~]#tcpdump -i eth0 -nn host 10.0.0.237 and 10.0.0.227
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:59:38.650883 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:59:39.655013 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:59:40.658788 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
[16:58:43 root@ka-2 ~]#tcpdump -i eth0 -nn host 10.0.0.237 and 10.0.0.227
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:59:53.156579 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:59:54.158468 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
16:59:55.161703 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 1s, length 20
1.6 Changing the advertisement interval
- The default 1s interval is too frequent; it can be changed to 2s or 3s
advert_int 3
[17:01:11 root@ka-1 ~]#tcpdump -i eth0 -nn host 10.0.0.237 and 10.0.0.227
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:01:19.649388 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 3s, length 20
17:01:22.653910 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 3s, length 20
17:01:25.655466 IP 10.0.0.237 > 10.0.0.227: VRRPv2, Advertisement, vrid 100, prio 101, authtype simple, intvl 3s, length 20
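2 Keepalived dual-master configuration
- With a single master, only one server provides service at any time, which lowers server resource utilization. Multiple masters can be configured so that Keepalived creates several VIPs and provides high availability for several services. Alternatively, several services can share one VIP and be distinguished by port number
- Give different VIPs different master nodes, so that every load balancer provides service instead of all VIPs being bound to the same load balancer
Example:
Configure two vrrp_instance groups
One uses 10.0.0.100 as the VIP, with 10.0.0.237 as master and 10.0.0.227 as backup
The other uses 10.0.0.200 as the VIP, with 10.0.0.227 as master and 10.0.0.237 as backup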
- 10.0.0.237
vrrp_instance HAproxy {
state MASTER
interface eth0
virtual_router_id 100
priority 101
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:0
}
}
vrrp_instance HAproxy-2 {
state BACKUP
interface eth0
virtual_router_id 200
priority 100
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.200 dev eth0 label eth0:1
}
}
- 10.0.0.227
vrrp_instance HAproxy {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
unicast_src_ip 10.0.0.227
unicast_peer {
10.0.0.237
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:0
}
}
vrrp_instance HAproxy-2 {
state MASTER
interface eth0
virtual_router_id 200
priority 101
advert_int 1
unicast_src_ip 10.0.0.227
unicast_peer {
10.0.0.237
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.200 dev eth0 label eth0:1
}
}
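- Stop the KA service on 10.0.0.237; both VIPs will then run on 10.0.0.227
3 Keepalived multi-master configuration
When the load balancers have to carry too many services, more load balancers and more virtual router groups (that is, more VIPs) inevitably have to be added. How can KA-based high availability be achieved with multiple load balancers?
Example: three HAProxy servers working with KA to provide high availability for three services
Start another VM, 10.0.0.207, and install HAProxy and KA. All three servers use the same HAProxy configuration: three listen sections, each bound to one of the three VIPs, followed by the backend server configuration. Only one listen section is configured here, bound to 10.0.0.50 of the HAproxy-1 virtual router group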
listen apache-80
bind 10.0.0.50:80
mode http
server 10.0.0.217 10.0.0.217:80 check inter 3s fall 3 rise 5
Below are the configurations of the three KA nodes
- 10.0.0.237
[20:02:53 root@ka-1 ~]#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id 10.0.0.237
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance HAproxy-1 {
state MASTER
interface eth0
virtual_router_id 50
priority 102
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.50 dev eth0 label eth0:0
}
}
vrrp_instance HAproxy-2 {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:1
}
}
vrrp_instance HAproxy-3 {
state BACKUP
interface eth0
virtual_router_id 150
priority 101
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.150 dev eth0 label eth0:2
}
}
- 10.0.0.227
[20:02:57 root@ka-2 ~]#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id 10.0.0.227
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance HAproxy-1 {
state BACKUP
interface eth0
virtual_router_id 50
priority 101
advert_int 1
unicast_src_ip 10.0.0.227
unicast_peer {
10.0.0.207
10.0.0.237
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.50 dev eth0 label eth0:0
}
}
vrrp_instance HAproxy-2 {
state MASTER
interface eth0
virtual_router_id 100
priority 102
advert_int 1
unicast_src_ip 10.0.0.227
unicast_peer {
10.0.0.207
10.0.0.237
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:1
}
}
vrrp_instance HAproxy-3 {
state BACKUP
interface eth0
virtual_router_id 150
priority 100
advert_int 1
unicast_src_ip 10.0.0.227
unicast_peer {
10.0.0.237
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.150 dev eth0 label eth0:2
}
}
- 10.0.0.207
[20:02:49 root@ka-3 ~]#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id 10.0.0.207
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance HAproxy-1 {
state BACKUP
interface eth0
virtual_router_id 50
priority 100
advert_int 1
unicast_src_ip 10.0.0.207
unicast_peer {
10.0.0.237
10.0.0.227
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.50 dev eth0 label eth0:0
}
}
vrrp_instance HAproxy-2 {
state BACKUP
interface eth0
virtual_router_id 100
priority 101
advert_int 1
unicast_src_ip 10.0.0.207
unicast_peer {
10.0.0.227
10.0.0.237
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:1
}
}
vrrp_instance HAproxy-3 {
state MASTER
interface eth0
virtual_router_id 150
priority 102
advert_int 1
unicast_src_ip 10.0.0.207
unicast_peer {
10.0.0.227
10.0.0.237
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.150 dev eth0 label eth0:2
}
}
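4 Keepalived email notification configuration
KA has built-in detection of failover between master and backup nodes; when a failover or a role switch occurs, it can work with a predefined monitoring script to email the operations staff
Another approach is to monitor with a monitoring tool such as Zabbix
Step 1: Install mailx on 10.0.0.237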
[20:05:45 root@ka-1 ~]#yum -y install mailx
Step 2: Configure SMTP
[20:06:13 root@ka-1 ~]# vim /etc/mail.rc
set from=1111111@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=11111111@qq.com
set smtp-auth-password=1111111
set smtp-auth=login
set ssl-verify=ignore
Step 3: Send a test email locally with mail -s
# If the email is received, the configuration works
[20:12:37 root@ka-1 ~]#echo "testmail" | mail -s "testmail" 1111@qq.com
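Step 4: Write the notification script
- Configuration syntax
notify_master <STRING>|<QUOTED-STRING>:
Script triggered when this node becomes the master
notify_backup <STRING>|<QUOTED-STRING>:
Script triggered when this node becomes a backup
notify_fault <STRING>|<QUOTED-STRING>:
Script triggered when this node enters the "fault" state # Rarely used: a node is normally either master or backup and fault seldom occurs, unless an IP address conflict or a resource shortage makes the role switch fail
notify <STRING>|<QUOTED-STRING>:
General-purpose notification trigger; a single script can handle the notifications for all three state transitions above
- Example notification script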
[20:12:39 root@ka-1 ~]#vim /etc/keepalived/notify.sh
#!/bin/bash
contact='11111@qq.com'
notify() {
mailsubject="$(hostname) to be $1, vip 转移"
mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
echo "$mailbody" | mail -s "$mailsubject" "$contact"
}
case $1 in
master)
notify master
;;
backup)
notify backup
;;
fault)
notify fault
;;
*)
echo "Usage: $(basename "$0") {master|backup|fault}"
exit 1
;;
esac
- Test the script by hand and verify that the notification email arrives
[20:26:54 root@ka-1 ~]#chmod +x /etc/keepalived/notify.sh
[20:21:08 root@ka-1 ~]#bash /etc/keepalived/notify.sh master
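Step 5: Configure the notification script in KA. Normally every virtual router on every node should call the notify script; here it is only demonstrated on 10.0.0.237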
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id 10.0.0.237
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance HAproxy-1 {
state MASTER
interface eth0
virtual_router_id 50
priority 102
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.50 dev eth0 label eth0:0
}
notify_master "/etc/keepalived/notify.sh master"
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
}
vrrp_instance HAproxy-2 {
state BACKUP
interface eth0
virtual_router_id 100
priority 100
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.100 dev eth0 label eth0:1
}
notify_master "/etc/keepalived/notify.sh master" # when KA detects that this node has become master in this virtual router group, it runs the script and passes it the argument master
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
}
vrrp_instance HAproxy-3 {
state BACKUP
interface eth0
virtual_router_id 150
priority 101
advert_int 1
unicast_src_ip 10.0.0.237
unicast_peer {
10.0.0.227
10.0.0.207
}
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.150 dev eth0 label eth0:2
}
notify_master "/etc/keepalived/notify.sh master" # when KA detects that this node has become master in this virtual router group, it runs the script and passes it the argument master
notify_backup "/etc/keepalived/notify.sh backup"
notify_fault "/etc/keepalived/notify.sh fault"
}
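[20:30:18 root@ka-1 ~]#systemctl status keepalived
- Now, whenever the KA service is restarted, any virtual router group in the master role immediately becomes backup, and once the restart completes it takes the VIP back right away because preemption is the default. So if the configuration is correct, an email arrives at once
- Next, stop the KA service on 10.0.0.237. The other two servers have no email notification configured, and once KA on 10.0.0.237 is stopped it does not trigger any email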
[20:30:27 root@ka-1 ~]#systemctl stop keepalived.service
- 10.0.0.237 is the master of HAproxy-1, so its VIP 10.0.0.50 now moves to backup-1, that is, 10.0.0.227
- Now start 10.0.0.237 again; the HAproxy-1 VIP 10.0.0.50 is preempted back to 10.0.0.237
[20:33:28 root@ka-1 ~]#systemctl start keepalived
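Note 1: Zabbix can also monitor server state, but it needs several consecutive health probes before it raises an alert, so there is a delay, whereas KA triggers immediately on any state change. KA scripts and Zabbix are therefore usually used together for monitoring
Note 2: By default KA does not monitor the service processes running on the load balancer, such as the HAProxy or Nginx process. So if HAProxy or Nginx itself fails, the VIP does not move; the service is already down, and a VIP still sitting on the failed node cannot serve traffic. KA therefore also needs to monitor the load-balancing service and force the VIP over to a backup node when the service fails.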
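One way to implement the service monitoring called for in Note 2, as an added example that is not part of the original article: a check script that keepalived runs through `vrrp_script` and `track_script`. The script path, the pid file location and the `chk_haproxy` name are assumptions; `weight -30` is chosen against this page's priorities (102/101/100).

```bash
#!/bin/sh
# Added example: health check keepalived can run so that the VIP leaves a node
# whose HAProxy process has died.
#
# Assumed keepalived.conf additions on every node (names are illustrative):
#
#   vrrp_script chk_haproxy {
#       script "/etc/keepalived/check_haproxy.sh run"
#       interval 2      # run the check every 2 seconds
#       fall 3          # 3 consecutive failures mark the check as failed
#       rise 2          # 2 consecutive successes mark it as healthy again
#       weight -30      # failed check: priority 102 - 30 = 72, below 101/100
#   }
#   vrrp_instance HAproxy-1 {
#       ...
#       track_script {
#           chk_haproxy
#       }
#   }
#
# Keep this file owned by root and writable only by root: keepalived executes
# it on every interval.

# Assumed pid file location; use the path HAProxy is actually started with.
PIDFILE=${PIDFILE:-/var/run/haproxy.pid}

# Return 0 only if the pid file is readable, holds a plain number, and that
# process exists. Every other outcome is a failure, so keepalived lowers the
# priority and a healthy peer takes the VIP.
service_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;    # empty or not a plain number
    esac
    # kill -0 fails with EPERM when the check runs as an unprivileged user and
    # the process belongs to someone else, so fall back to /proc.
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]
}

# Act as the check only when called with "run", as in the vrrp_script above.
if [ "${1:-}" = "run" ]; then
    service_alive "$PIDFILE"
    exit $?
fi
```

A stale pid file whose number has been reused by another process still passes this check, so pair it with HAProxy's own backend checks or an external probe of the VIP.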