openstack環境下搭建的keepalived 兩台服務器直接無法ping通VIP ALLOWED-ADDRESS-PAIRS

真的是搞了很久 結果一問人才知道真的是neutron的問題

當然前提是設置unicast 而不是默認設置

先貼出來后面再更新圖片

[root@haproxy1 ~]# cat /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 200
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.0.0.121
unicast_peer {
10.0.0.122
}

==== haproxy2

[root@haproxy2 ~]# cat /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state SLAVE
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
unicast_src_ip 10.0.0.122
unicast_peer {
10.0.0.121
}
virtual_ipaddress {
10.0.0.200/24 brd 10.0.0.255 dev eth0 label eth0:vip
}
}
[root@haproxy2 ~]#

測試arp

# tcpdump -i eth0 vrrp -n
可以顯示VIP 但是就是無法ping通vip 10.0.0.200

問題出在openstack中的

ALLOWED-ADDRESS-PAIRS

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/networking_guide/sec-allowed-address-pairs

Allowed-address-pairs allow you to specify mac_address/ip_address (CIDR) pairs that pass through a port regardless of subnet. This enables the use of protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover.

　　

haproxy1
| 59f73969-0126-4e87-b829-9ece9d905541 | | fa:16:3e:d8:70:a2 | {"subnet_id": "36350ca0-2734-44ca-9167-7713ff9925e2", "ip_address": "10.0.0.121"}

haproxy2
| 7b49f386-e908-42ac-89ef-dc9d977b37e5 | | fa:16:3e:4e:55:8b | {"subnet_id": "36350ca0-2734-44ca-9167-7713ff9925e2", "ip_address": "10.0.0.122"}
set vip = 200

ubuntu@p01-neutron-a1-e1c7g7:~$ neutron port-update 7b49f386-e908-42ac-89ef-dc9d977b37e5 --allowed-address-pairs type=dict list=true ip_address=10.0.0.200
Updated port: 7b49f386-e908-42ac-89ef-dc9d977b37e5
ubuntu@p01-neutron-a1-e1c7g7:~$

 

然后就好了。。還真是無語 

 

 

=== 更新 不停failover 問題

[root@haproxy1 ~]# cat /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state BACKUP   #全部設置成backup 通過priority的數字去競爭誰是master那么就不會在master起來后 vip跳到原來master上面去了
    interface eth0
    virtual_router_id 51
    priority 50  #has issue so aleays make it secondary
    advert_int 1
    nopreempt    # 防止變成master后 vip會failback
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    unicast_src_ip 10.0.0.121
    unicast_peer {
        10.0.0.122
   }
    virtual_ipaddress {
        10.0.0.200/24 brd 10.0.0.255  dev eth0 label eth0:vip
    }
}

　　

參考

https://blog.51cto.com/13590999/2096701

nopreempt        #設置為不搶占 注：這個配置只能設置在backup主機上，而且這個主機優先級要比另外一台高  

但是！！！！master不能設置nopreempt

所以解決方案是：不設置master，全部設置成backup,這樣大家都是backup，就都能添加nopreempt，即使原本成為master的LB壞掉重新修好之后也不會搶占master。

通常如果master服務死掉后backup會變成master，但是當master服務又好了的時候 master此時會搶占VIP，這樣就會發生兩次切換對業務繁忙的網站來說是不好的。所以我們要在配置文件加入 nopreempt 非搶占，但是這個參數只能用於state 為backup，故我們在用HA的時候最好master 和backup的state都設置成backup 讓其通過priority來競爭