一、原理及簡介:
1.1 Keepalived簡介
Keepalived是Linux下一個輕量級別的高可用解決方案。Keepalived起初是為LVS設計的,專門用來監控集群系統中各個服務節點的狀態,它根據TCP/IP參考模型的第三、第四層、第五層交換機制檢測每個服務節點的狀態,如果某個服務器節點出現異常,或者工作出現故障,Keepalived將檢測到,並將出現的故障的服務器節點從集群系統中剔除,這些工作全部是自動完成的,不需要人工干涉,需要人工完成的只是修復出現故障的服務節點。
后來Keepalived又加入了VRRP的功能,VRRP(Virtual Router Redundancy Protocol,虛擬路由冗余協議)出現的目的是解決靜態路由出現的單點故障問題,通過VRRP可以實現網絡不間斷穩定運行,實現高可用性,因此Keepalvied 一方面具有服務器狀態檢測和故障隔離功能,另外一方面也有HA cluster功能,下面介紹一下VRRP協議實現的過程。
上圖是Keepalived的功能體系結構,大致分兩層:用戶空間(user space)和內核空間(kernel space)。
內核空間:主要包括IPVS(IP虛擬服務器,用於實現網絡服務的負載均衡)和NETLINK(提供高級路由及其他相關的網絡功能)兩個部份。
用戶空間:
- WatchDog:負載監控checkers和VRRP進程的狀況
- VRRP Stack:負載負載均衡器之間的失敗切換FailOver,如果只用一個負載均稀器,則VRRP不是必須的。
- Checkers:負責真實服務器的健康檢查healthchecking,是keepalived最主要的功能。換言之,可以沒有VRRP Stack,但健康檢查healthchecking是一定要有的。
- IPVS wrapper:用戶發送設定的規則到內核ipvs代碼
- Netlink Reflector:用來設定vrrp的vip地址等。
1.2 VRRP協議和工作原理
VRRP可以將兩台或者多台物理路由器設備虛擬成一個虛擬路由,這個虛擬路由器通過虛擬IP(一個或者多個)對外提供服務,而在虛擬路由器內部十多個物理路由器協同工作,同一時間只有一台物理路由器對外提供服務,這台物理路由設備被成為:主路由器(Master角色),一般情況下Master是由選舉算法產生,它擁有對外服務的虛擬IP,提供各種網絡功能,如:ARP請求,ICMP 數據轉發等,而且其它的物理路由器不擁有對外的虛擬IP,也不提供對外網絡功能,僅僅接收MASTER的VRRP狀態通告信息,這些路由器被統稱為“BACKUP的角色”,當主路由器失敗時,處於BACKUP角色的備份路由器將重新進行選舉,產生一個新的主路由器進入MASTER角色,繼續提供對外服務,整個切換對用戶來說是完全透明的。
每個虛擬路由器都有一個唯一的標識號,稱為VRID,一個VRID與一組IP地址構成一個虛擬路由器,在VRRP協議中,所有的報文都是通過IP多播(一對多,一個Master對多個Backup)方式發送的,而在一個虛擬路由器中,只有處於Master角色的路由器會一直發送VRRP數據包,處於BACKUP角色的路由器只會接受Master角色發送過來的報文信息,用來監控Master運行狀態,一般不會發生BACKUP搶占MASTER的情況,除非它的優先級更高,而當MASTER不可用時,BACKUP也就無法收到Master發過來的信息,於是就認定Master出現故障,接着多台BAKCUP就會進行選舉,優先級最高的BACKUP將稱為新的MASTER,這種選舉角色切換非常之快,因而保證了服務的持續可用性。
1.3 LVS負載均衡模式 直接路由模式(DR)
直接路由,通過為請求報文重新封裝一個MAC首部進行轉發,源MAC是DIP所在的接口的MAC,目標MAC是某挑選出的RS的RIP所在接口的MAC地址;源IP/PORT,以及目標IP/PORT均保持不變。
Director和各RS都得配置使用VIP;
(1) 確保前端路由器將目標IP為VIP的請求報文發往Director;
(a) 在前端網關做靜態綁定;
(b) 在RS上使用arptables;
(c) 在RS上修改內核參數以限制arp通告及應答級別;
限制響應級別:arp_ignore
0:默認值,表示可使用本地任意接口上配置的任意地址進行響應;
1: 僅在請求的目標IP配置在本地主機的接收到請求報文接口上時,才給予響應;
限制通告級別:arp_announce
0:默認值,把本機上的所有接口的所有信息向每個接口上的網絡進行通告;
1:盡量避免向非直接連接網絡進行通告;
2:必須避免向非本網絡通告;
(2) RS的RIP可以使用私網地址,也可以是公網地址;RIP與DIP在同一IP網絡;RIP的網關不能指向DIP,以確保響應報文不會經由Director;
(3) RS跟Director要在同一個物理網絡;
(4) 請求報文要經由Director,但響應不能經由Director,而是由RS直接發往Client;
(5) 不支持端口映射
二、拓撲及環境介紹
2.1 網絡拓撲圖
2.2 環境介紹
2.3 集群配置前提
(1) 各節點時間必須同步(chrony or ntp)
(2) 確保iptables及selinux不會成為阻礙
(3) 各節點之間可通過主機名互相通信(並非必須)
建議使用/etc/hosts文件實現
(4) 確保各節點的用於集群服務的接口支持MULTICAST通信
打開或關閉支持組播通信 on|off
[root@Director1 ~]# ip link set multicast on dev ens33 //打開組播功能,默認為開啟狀態 [root@Director1 ~]# ifconfig | grep MULTICAST ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
三、前端調度服務器配置
(1)安裝keepalived
[root@Director1 ~]# yum -y install keepalived //安裝keepalived [root@Director1 ~]# cd /etc/keepalived/ [root@Director1 keepalived]# cp keepalived.conf{,.bak} //復制一份配置文件
(2)主配置文件(Director1)
[root@Director1 keepalived]# vim /etc/keepalived/keepalived.conf //編輯配置文件 ! Configuration File for keepalived ##################全局配置########################## global_defs { notification_email { root@localhost 371304@qq.com //設置報警郵件單個或多個地址 } notification_email_from keepalived@localhost //keepalived報警郵件,發件人 smtp_server 127.0.0.1 //郵件服務器地址 smtp_connect_timeout 30 //郵件服務器超時時間 router_id Direcotr1 //路由ID兩台機器不能相同 vrrp_mcast_group4 224.0.0.18 //多播地址,范圍224.0.0.0~239.255.255.255vrrp_skip_check_adv_addr vrrp_strict vrrp_garp_interval 0 vrrp_gna_interval 0 } #################keepalived配置##################### vrrp_instance VI_1 { state MASTER //keepalived角色,MASTER和BACKUP interface ens33 //指定HA監測網絡的接口virtual_router_id 99 //虛擬路由ID號,0~255,MASTER和BACKUP必須是一致的priority 100 //定義優先級,數字越大 優先級越高 MASTER的優先級高於BACKUP優先級 advert_int 1 //設定MASTER與BACKUP負載均衡器之間同步檢查的時間間隔,單位是秒authentication { //設置驗證類型和密碼auth_type PASS //設置驗證類型,主要有PASS和AH兩種auth_pass QeiVWCxs //設置驗證密碼,在同一個vrrp_instance下,MASTER與BACKUP必須使用相同的密碼} //密碼生成openssl rand -base64 6取前8位即可 virtual_ipaddress { //設置虛擬IP地址,可以設置多個虛擬IP地址,每行一個192.168.10.99/24 dev ens33 label ens33:0 } notify_master "/etc/keepalived/notify.sh master" //調用通知腳本 notify_backup "/etc/keepalived/notify.sh backup" notify_fault "/etc/keepalived/notify.sh fault" } ##################LVS配置##############
#添加虛擬服務器 #相當於 ipvsadm -A -t 192.168.10.99:80 -s wrr virtual_server 192.168.10.99 80 { //設置虛擬服務器,需要指定虛擬IP地址和服務端口,IP與端口之間用空格隔開delay_loop 1 //設置運行情況檢查時間,單位是秒lb_algo wrr //設置負載調度算法lb_kind DR //設置LVS實現負載均衡的機制,有NAT、TUN、DR三個模式可選protocol TCP //指定轉發協議類型,有TCP和UDP兩種sorry_server 127.0.0.1 80 //當后端服務器全部脫機時,訪問即調用本地 real_server 192.168.10.61 80 { //配置服務節點1,需要指定real server的真實IP地址和端口,IP與端口之間用空格隔開weight 1 //配置服務節點的權值HTTP_GET { //http進行檢測 url { path /index.html status_code 200 } connect_timeout 3 //表示3秒無響應超時nb_get_retry 3 //表示重試次數delay_before_retry 2 //表示重試間隔} } real_server 192.168.10.62 80 { //配置服務節點2weight 1 HTTP_GET { url { path /index.html status_code 200 } connect_timeout 3 nb_get_retry 3 delay_before_retry 2 } } }
(3)備配置文件(Director2)
[root@Director2 ~]# cat /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { notification_email { root@localhost 371304@qq.com } notification_email_from keepalived@localhost smtp_server 127.0.0.1 smtp_connect_timeout 30 router_id Director2 //與主節點不一致 vrrp_mcast_group4 224.0.0.18 vrrp_skip_check_adv_addr vrrp_strict vrrp_garp_interval 0 vrrp_gna_interval 0 } vrrp_instance VI_1 { state BACKUP //狀態為BACKUP interface ens33 virtual_router_id 99 //必須保持一致 priority 96 //優先級低於Master advert_int 1 authentication { auth_type PASS auth_pass QeiVWCxs } virtual_ipaddress { 192.168.10.99/24 dev ens33 label ens33:0 } notify_master "/etc/keepalived/notify.sh master" notify_backup "/etc/keepalived/notify.sh backup" notify_fault "/etc/keepalived/notify.sh fault" } virtual_server 192.168.10.99 80 { delay_loop 1 lb_algo wrr lb_kind DR protocol TCP sorry_server 127.0.0.1 80 real_server 192.168.10.61 80 { weight 1 HTTP_GET { url { path /index.html status_code 200 } connect_timeout 3 nb_get_retry 3 delay_before_retry 2 } } real_server 192.168.10.62 80 { weight 1 HTTP_GET { url { path /index.html status_code 200 } connect_timeout 3 nb_get_retry 3 delay_before_retry 2 } } }
(4)郵件通知腳本
當雙主高可用集群主備切換時可通過郵件通知管理員,此時在配置文件中可自動調用實現編輯好的腳本
[root@Director1 keepalived]# vim /etc/keepalived/notify.sh //編輯腳本 #!/bin/bash # contact='root@localhost' notify() { local mailsubject="$(hostname) to be $1, vip floating" local mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1" echo "$mailbody" | mail -s "$mailsubject" $contact } case $1 in master) notify master ;; backup) notify backup ;; fault) notify fault ;; *) echo "Usage: $(basename $0) {master|backup|fault}" exit 1 ;; esac [root@Director1 keepalived]# chmod a+x /etc/keepalived/notify.sh //賦予執行權限 [root@Director1 keepalived]# scp -p /etc/keepalived/notify.sh Director2:/etc/keepalived/ //拷貝到Director2服務上的/etc/keepalived目錄下 root@director2's password: notify.sh 100% 408 22.3KB/s 00:00 ~
(5)兩節點安裝httpd軟件及配置默認首頁
[root@Director1 ~]# yum -y install httpd [root@Director2 ~]# yum -y install httpd [root@Director1 ~]# echo '<h1>Sorry!!!Server maintenance is in process. Please wait...</h1>'>/var/www/html/index.html [root@Director2 ~]# echo '<h1>Sorry!!!Server maintenance is in process. Please wait...</h1>'>/var/www/html/index.html [root@Director1 ~]# systemctl start httpd.service;ssh Director2 'systemctl start httpd.service' root@director2's password: [root@Director1 ~]# systemctl enable httpd.service;ssh Director2 'systemctl enable httpd.service' //兩節點設置開機自啟動 Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service. root@director2's password: Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service. [root@Director1 ~]# curl 192.168.10.7 //測試主節點
<h1>Sorry!!!Server maintenance is in process. Please wait...</h1>
[root@Director1 ~]# curl 192.168.10.8 //測試另一節點
<h1>Sorry!!!Server maintenance is in process. Please wait...</h1>
(6)兩節點安裝ipvsadmin軟件
[root@Director1 ~]# yum -y install ipvsadm [root@Director2~]# yum -y install ipvsadm [root@Director1 ~]# rpm -qa ipvsadm ipvsadm-1.27-7.el7.x86_64
四、后端RS服務器的配置
(1)后端真實服務器兩節點安裝httpd軟件及配置默認首頁
[root@RS1 ~]# yum -y install httpd [root@RS2 ~]# yum -y install httpd [root@RS1 ~]# echo "<h1>RS1:192.168.10.61</h1>" > /var/www/html/index.html [root@RS2 ~]# echo "<h1>RS2:192.168.10.62</h1>" > /var/www/html/index.html [root@RS1 ~]# /etc/init.d/httpd start;ssh RS2 '/etc/init.d/httpd start' Starting httpd: root@rs2's password: Starting httpd:
[root@RS1 ~]# chkconfig httpd on;ssh RS2 'chkconfig httpd on'
root@rs2's password: [root@Director1 ~]# curl 192.168.10.61 <h1>RS1:192.168.10.61</h1> [root@Director1 ~]# curl 192.168.10.62 <h1>RS1:192.168.10.62</h1>
(2)修改RS內核參數可以通過腳本實現
a、 腳本編寫如下:
#!/bin/bash #Desc: LVS_DR Real Server in the lo configuration VIP #Author:tony QQ:317104 #Date:2017-7-10 vip=192.168.10.99 mask='255.255.255.255' case $1 in start) echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce ifconfig lo:0 $vip netmask $mask broadcast $vip up route add -host $vip dev lo:0 ;; stop) ifconfig lo:0 down echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce ;; *) echo "Usage $(basename $0) start|stop" exit 1 ;; esac
b、將腳本復制到RS2目錄下,並兩台執行該腳本
[root@RS1 script]# chmod a+x /usr/src/script/lvs_DR.sh //賦予執行權限 [root@RS1 script]# cd /usr/src/script/ [root@RS1 script]# ./lvs_DR.sh start //執行腳本 [root@RS1 script]# scp -p lvs_DR.sh rs2:/usr/src/script/ root@rs2's password: lvs_DR.sh 100% 743 0.7KB/s 00:00 [root@RS2 ~]# /usr/src/script/lvs_DR.sh start
(3)查看后端兩節點的VIP是否配置上,及相應的http的服務器已經起來
[root@RS1 script]# ip -4 addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN inet 127.0.0.1/8 scope host lo inet 192.168.10.99/32 brd 192.168.10.99 scope global lo:0 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 192.168.10.61/24 brd 192.168.10.255 scope global eth0 [root@RS1 script]# ss -tnl | grep 80 LISTEN 0 128 :::80 :::* [root@RS2 ~]# ip -4 addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN inet 127.0.0.1/8 scope host lo inet 192.168.10.99/32 brd 192.168.10.99 scope global lo:0 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 192.168.10.62/24 brd 192.168.10.255 scope global eth0 [root@RS2 script]# ss -tnl | grep 80 LISTEN 0 128 :::80 :::*
五、測試
(1)開啟Director2的keepalived服務
(2)查看ipvsadmin生成列表
[root@Director2 ~]# ipvsadm -L -n IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.10.99:80 wrr -> 192.168.10.61:80 Route 1 0 0 -> 192.168.10.62:80 Route 1 0 0
(3)測試訪問VIP
[root@Director1 ~]# for i in {1..10};do curl http://www.contoso.com/index.html;done <h1>RS1:192.168.10.61</h1> <h1>RS2:192.168.10.62</h1> <h1>RS1:192.168.10.61</h1> <h1>RS2:192.168.10.62</h1> <h1>RS1:192.168.10.61</h1> <h1>RS2:192.168.10.62</h1> <h1>RS1:192.168.10.61</h1> <h1>RS2:192.168.10.62</h1> <h1>RS1:192.168.10.61</h1> <h1>RS2:192.168.10.62</h1>
(4)開啟Director1的keepalived服務,查看及狀態
[root@Director1 ~]# systemctl start keepalived.service //開啟keepalived服務 [root@Director1 ~]# systemctl enable keepalived.service
[root@Director2 ~]# systemctl enable keepalived.service
查看狀態
(5)停掉后端兩節點的http服務,查看LVS列表
[root@RS1 script]# /etc/init.d/httpd stop Stopping httpd: [ OK ] [root@Director1 ~]# ipvsadm -L -n //自動移除RS1節點 IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.10.99:80 wrr -> 192.168.10.62:80 Route 1 0 0 You have new mail in /var/spool/mail/root [root@RS2 ~]# /etc/init.d/httpd stop Stopping httpd: [ OK ] [root@Director1 ~]# ipvsadm -L -n IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.10.99:80 wrr -> 127.0.0.1:80 Route 1 0 0
(6)查看網站
(7)、啟動RS2節點,再訪問
[root@RS2 ~]# /etc/init.d/httpd start Starting httpd: [ OK ]
(8)、啟動RS1節點,再訪問,,LVS規則又正常了
[root@RS1 script]# /etc/init.d/httpd start Starting httpd: [ OK ] [root@Director1 ~]# ipvsadm -L -n IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.10.99:80 wrr -> 192.168.10.61:80 Route 1 0 2 -> 192.168.10.62:80 Route 1 2 0
(9)、停掉Director1的keepavlied服務,看是否節點轉移成功
[root@Director1 ~]# systemctl stop keepalived.service //停掉keepalived服務 [root@Director1 ~]# ipvsadm -L -n IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn [root@Director2 ~]# ip -4 addr //查看Director2VIP地址是否綁定成功 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 192.168.10.8/24 brd 192.168.10.255 scope global ens33 valid_lft forever preferred_lft forever inet 192.168.10.99/24 scope global secondary ens33:0 valid_lft forever preferred_lft forever 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000 inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever You have new mail in /var/spool/mail/root [root@Director2 ~]# ipvsadm -L -n //查看規則在Direcotr2上 IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.10.99:80 wrr -> 192.168.10.61:80 Route 1 0 0 -> 192.168.10.62:80 Route 1 0 0
(10)、檢查郵件是否正常
(11)、使用抓包工具tcpdump查看VIP地址漂移情況,
[root@Director1 ~]# tcpdump -i ens33 -nn host 224.0.0.18
[root@Director1 ~]# tcpdump -i ens33 -vvv host 224.0.0.18
*****停掉Director1的keepalived服務之后,我們發現VIP瞬間轉移至Director2上 *****