I. keepalived
keepalived is a service used in cluster management to keep a cluster highly available. Its role is similar to heartbeat: it is used to prevent single points of failure.
keepalived official site: http://www.keepalived.org
II. How keepalived works
keepalived implements high availability mainly through VRRP (Virtual Router Redundancy Protocol).
VRRP can be thought of as the protocol that makes routers highly available: N routers providing the same function are grouped into a router group with one master and several backups. The master owns a VIP that serves clients (the other machines on that LAN use the VIP as their default route) and sends multicast advertisements. When the backups stop receiving VRRP packets they conclude that the master is down, and a new master is elected from the backups according to VRRP priority. This keeps the router service available.
keepalived has three main modules: core, check and vrrp. The core module is the heart of keepalived; it starts and maintains the main process and loads and parses the global configuration file. The check module performs health checks and supports the common check types. The vrrp module implements the VRRP protocol.
III. Making the nginx service highly available with keepalived
1. Test environment
IP plan:
keepalived1 - 192.168.137.121
keepalived2 - 192.168.137.122
VIP - 192.168.137.100
On the HA hosts, install keepalived as the HA layer and nginx as the web proxy server, with tomcat as the backend (to save effort in this lab, nginx is not configured to reverse-proxy to tomcat; nginx simply serves the same page itself).
2. Installation
2.1 Installing nginx
For convenience, install with yum:
[root@keepalived1 ~]# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
[root@keepalived1 ~]# yum install nginx -y
[root@keepalived1 ~]# nginx    # start nginx
Verify:
The two web pages are made different here only so we can tell which keepalived host is serving our traffic. In production the content served by the hosts must be identical: nginx should proxy to the same backend tomcat servers, or the servers should mount shared storage.
[root@keepalived1 ~]# echo web1 > /usr/share/nginx/html/index.html
[root@keepalived2 ~]# echo web2 > /usr/share/nginx/html/index.html
Now web1 and web2 both work normally.
2.2 Installing keepalived
Download from the official site: https://www.keepalived.org/software/keepalived-1.4.5.tar.gz
Method 1: yum install
[root@keepalived1 ~]# yum install keepalived -y
The package installs:
/etc/keepalived
/etc/keepalived/keepalived.conf    # main keepalived configuration file
/etc/rc.d/init.d/keepalived        # service start script
/etc/sysconfig/keepalived
/usr/bin/genhash
/usr/libexec/keepalived
/usr/sbin/keepalived
Method 2: build from source
Install the build dependencies with yum:
yum install -y gcc glibc openssl openssl-devel libnl libnl-devel libnfnetlink-devel
[root@keepalived1 tools]$ tar -zxvf keepalived-1.4.5.tar.gz
[root@keepalived1 tools]$ cd keepalived-1.4.5/
Build:
[root@keepalived1 keepalived-1.4.5]$ ./configure --prefix=/usr/local/keepalived
[root@keepalived1 keepalived-1.4.5]$ make && make install
After installation, copy the configuration file templates to /etc/keepalived:
mkdir /etc/keepalived
cp /tools/keepalived-1.4.5/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/
cp /tools/keepalived-1.4.5/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
Copy the service start script:
cp /tools/keepalived-1.4.5/keepalived/etc/init.d/keepalived /etc/init.d/
chmod +x /etc/init.d/keepalived
On CentOS 7 you also need to edit /lib/systemd/system/keepalived.service.
Change:
EnvironmentFile=-/usr/local/keepalived/etc/sysconfig/keepalived
ExecStart=/usr/local/keepalived/sbin/keepalived $KEEPALIVED_OPTIONS
to:
EnvironmentFile=/etc/sysconfig/keepalived
ExecStart=/sbin/keepalived $KEEPALIVED_OPTIONS
Then reload the service definitions:
systemctl daemon-reload
Create a symlink for the command:
ln -s /usr/local/keepalived/sbin/keepalived /usr/sbin/keepalived
Common options:
keepalived -D -f /etc/keepalived/keepalived.conf
-D  write detailed log messages to the messages log (by default the log also goes to messages)
-f  specify the configuration file
3. Changing the keepalived log path
Edit /etc/sysconfig/keepalived
and change KEEPALIVED_OPTIONS="-D" to KEEPALIVED_OPTIONS="-D -d -S 0":
[root@keepalived2 ~]# vim /etc/sysconfig/keepalived
# Options for keepalived. See `keepalived --help' output and keepalived(8) and
# keepalived.conf(5) man pages for a list of all options. Here are the most
# common ones :
#
# --vrrp               -P    Only run with VRRP subsystem.
# --check              -C    Only run with Health-checker subsystem.
# --dont-release-vrrp  -V    Dont remove VRRP VIPs & VROUTEs on daemon stop.
# --dont-release-ipvs  -I    Dont remove IPVS topology on daemon stop.
# --dump-conf          -d    Dump the configuration data.
# --log-detail         -D    Detailed log messages.
# --log-facility       -S 0-7 Set local syslog facility (default=LOG_DAEMON)
#
KEEPALIVED_OPTIONS="-D -d -S 0"    # -S sets the syslog facility; 0 means local0
Append to the end of /etc/rsyslog.conf:
[root@keepalived2 ~]# vim /etc/rsyslog.conf
local0.*    /var/log/keepalived.log
Restart syslog:
[root@keepalived2 log]# service rsyslog restart
After restarting keepalived, the log is written to /var/log/keepalived.log.
Note:
CentOS 7 also needs the /lib/systemd/system/keepalived.service file edited:
because CentOS 7 uses systemctl, which invokes the service, /lib/systemd/system/keepalived.service must be modified.
Change:
EnvironmentFile=-/usr/local/keepalived/etc/sysconfig/keepalived
ExecStart=/usr/local/keepalived/sbin/keepalived $KEEPALIVED_OPTIONS
to:
EnvironmentFile=/etc/sysconfig/keepalived
ExecStart=/sbin/keepalived $KEEPALIVED_OPTIONS
Then reload the service definitions:
systemctl daemon-reload
Configuration done; check the log:
[root@keepalived2 log]# systemctl restart rsyslog
[root@keepalived2 log]# systemctl restart keepalived
[root@keepalived2 log]# tail -f /var/log/keepalived.log
Feb 23 11:40:30 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:30 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:30 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:30 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:35 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:35 keepalived2 Keepalived_vrrp[66778]: VRRP_Instance(VI_1) Sending/queueing gratuitous ARPs on eno16777736 for 192.168.137.100
Feb 23 11:40:35 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:35 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:35 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
Feb 23 11:40:35 keepalived2 Keepalived_vrrp[66778]: Sending gratuitous ARP on eno16777736 for 192.168.137.100
4. Meaning of the configuration file
The meaning of each setting in the default configuration file:
! Configuration File for keepalived
global_defs {                        # global settings
    notification_email {             # alert e-mail recipients
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc   # sender address
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL              # router identifier; must be unique within the LAN
    vrrp_skip_check_adv_addr         # checking every address in a VRRP advertisement is expensive; with this flag, if a packet comes from the same router as the previous one, the check is skipped (skipping is the default)
    vrrp_strict                      # strictly follow the VRRP protocol; this disables: 1. zero VIPs 2. unicast peers 3. IPv6 with VRRP version 2
    vrrp_garp_interval 0             # float, in seconds: delay between groups of gratuitous ARP messages on one interface, default 0 (one send = n groups of ARP packets)
    vrrp_gna_interval 0              # float, in seconds: delay between groups of unsolicited NA messages on one interface, default 0
}
vrrp_instance VI_1 {                 # define an instance
    state MASTER                     # initial state, MASTER|BACKUP; once other machines join, an election is held and the highest priority becomes MASTER, so this entry matters little
    interface eth0                   # interface this instance uses to send VRRP
    virtual_router_id 51             # VRRP instance ID, range 0-255; must be the same within a group
    priority 100                     # priority; the highest priority becomes MASTER
    advert_int 1                     # interval between VRRP advertisements, in seconds
    authentication {                 # authentication method: PASS, simple password (recommended); AH, IPsec authentication (not recommended); the password is at most 8 characters
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {              # virtual IP addresses shared between the devices
        192.168.200.16
        192.168.200.17
        192.168.200.18
    }
}
5. Using keepalived for nginx high availability
Configuring high availability
1) Edit the configuration files
keepalived1:
! Configuration File for keepalived
global_defs {
    router_id nginx1
}
vrrp_script chk_nginx {
    # script that checks nginx; we write it ourselves, see below
    script "/etc/keepalived/nginx_check.sh"
    # check interval; the script must finish within this time, otherwise keepalived logs "Track script chk_nginx is being timed out, expect idle - skipping run"
    interval 2
    # if the script fails, priority is lowered by 20
    weight -20
    # two consecutive failures count as a failure
    fall 2
}
# weight:
# 1. if the script succeeds (exit status 0) and weight > 0, priority is increased.
# 2. if the script fails (non-zero exit status) and weight < 0, priority is decreased.
# 3. otherwise priority is unchanged.
vrrp_instance VI_1 {
    state MASTER
    interface eno16777736
    virtual_router_id 11
    mcast_src_ip 192.168.137.121
    priority 100
    # non-preemptive mode. The default is preemptive: when the higher-priority machine recovers it takes MASTER back from the lower-priority one. With nopreempt the lower-priority machine stays MASTER even after the higher-priority one is back online. To use this, the initial state must be BACKUP.
    # nopreempt
    # interval between VRRP advertisements, in seconds
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # activate the check script defined above
    track_script {
        chk_nginx
    }
    # the VIP
    virtual_ipaddress {
        192.168.137.100
    }
}
keepalived2:
! Configuration File for keepalived
global_defs {
    router_id nginx2
}
vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh"
    interval 2
}
vrrp_instance VI_1 {
    # initial state changed to backup
    state BACKUP
    interface eno16777736
    virtual_router_id 11
    mcast_src_ip 192.168.137.122
    # priority lower than the master's normal priority, but higher than the master's priority after the weight penalty
    priority 90
    # nopreempt
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    track_script {
        chk_nginx
    }
    virtual_ipaddress {
        192.168.137.100
    }
}
2) Set up the nginx check script on both hosts
Notes:
keepalived switches between master and backup in two ways: ① by VRRP priority, the node with the higher priority is master and the one with the lower priority is backup; ② when VRRP detects that the master node's keepalived has died, the backup node promotes itself to master.
The check script is different for the two approaches.
① Priority based: the script checks the state of nginx and, if it is abnormal, fails with return code 1. The node's priority is then adjusted according to the configuration.
vim /etc/keepalived/nginx_check.sh
#!/bin/sh
# count nginx processes; if there are none, try to start nginx once
A=`ps -C nginx --no-header | wc -l`
if [ $A -eq 0 ]; then
    /usr/sbin/nginx
    sleep 1
    A2=`ps -C nginx --no-header | wc -l`
    # still no nginx after the restart attempt: report failure to keepalived
    if [ $A2 -eq 0 ]; then
        exit 1
    fi
fi
exit 0
② Detection based: when VRRP detects that the master's keepalived has gone, the backup promotes itself to master. The script therefore stops the keepalived service when it finds nginx in an abnormal state.
#!/bin/sh
# count nginx processes; if there are none, try to start nginx once
A=`ps -C nginx --no-header | wc -l`
if [ $A -eq 0 ]; then
    /usr/sbin/nginx
    sleep 1
    A2=`ps -C nginx --no-header | wc -l`
    # still no nginx after the restart attempt: stop keepalived so the backup takes over
    if [ $A2 -eq 0 ]; then
        systemctl stop keepalived
    fi
fi
exit 0
Make the script executable:
chmod +x /etc/keepalived/nginx_check.sh
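A stricter variant of the check script above, added here as an example and not part of the original post: it probes nginx over HTTP with curl instead of counting processes, so an nginx that still has processes but no longer answers is also detected. The probe URL, the 2 s curl timeout, the nginx binary path and the "run"/"demo" arguments are assumptions; with this script the vrrp_script line becomes script "/etc/keepalived/nginx_check.sh run".

```shell
#!/bin/sh
# Added example (not from the original post): a vrrp_script check that probes
# nginx over HTTP instead of only counting nginx processes. Assumed values:
# the probe URL, the 2 s curl timeout and the nginx binary path.
URL="${NGINX_CHECK_URL:-http://127.0.0.1/}"
# http_ok STATUS : 0 when the status code means nginx answered the request
http_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;                 # 4xx, 5xx, "000" (no connection) or empty
    esac
}

# probe : print the HTTP status for URL; curl prints 000 when it cannot connect
probe() { curl -s -o /dev/null -m 2 -w '%{http_code}' "$URL" 2>/dev/null || true; }

# decide FIRST SECOND : 0 = healthy, 1 = recovered by the restart, 2 = dead.
# Same policy as the original script: one failed probe triggers a restart
# attempt; a second failure after the restart is reported to keepalived.
decide() {
    if http_ok "$1"; then return 0; fi
    if http_ok "$2"; then return 1; fi
    return 2
}

# main : what keepalived runs. Exit 1 on a dead nginx so that "weight -20"
# in vrrp_script chk_nginx lowers this node's priority and the VIP moves.
main() {
    first=$(probe)
    second="$first"
    if ! http_ok "$first"; then
        /usr/sbin/nginx                # restart attempt, as in the original script
        sleep 1
        second=$(probe)
    fi
    rc=0
    decide "$first" "$second" || rc=$?
    if [ "$rc" -eq 2 ]; then exit 1; fi
    exit 0
}
# demo : the decision table on constructed status codes, no nginx needed
demo() {
    for pair in "200 200" "502 200" "000 000"; do
        rc=0; decide $pair || rc=$?; echo "$pair -> $rc"
    done
}

# keepalived invokes it as:  script "/etc/keepalived/nginx_check.sh run"
case "${1:-}" in run) main ;; demo) demo ;; esac
```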
6. Preventing split-brain
1) Disable SELinux
setenforce 0    # switch to permissive mode
This only lasts for the current boot and is lost when the server restarts. To disable it permanently, also edit the configuration file:
sed -i 's/=enforcing/=disabled/g' /etc/sysconfig/selinux
2) Allow VRRP through the firewall
CentOS has two firewall management tools, firewalld and iptables; they cannot both be enabled at the same time.
With the firewall enabled, we need to add one rule:
iptables
Edit the file: vim /etc/sysconfig/iptables
-A INPUT -p vrrp -j ACCEPT
Note:
The rule must not be added after
-A INPUT -j REJECT --reject-with icmp-host-prohibited
it must be placed before that line.
After editing, reload:
service iptables reload
firewalld configuration
CentOS 7 uses firewalld by default.
Allow the VRRP protocol.
Run the following commands on both master and backup:
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --protocol vrrp -j ACCEPT
firewall-cmd --reload
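Once SELinux and the firewall are dealt with, a quick way to confirm that the two nodes are not both MASTER is to ask the LAN who answers ARP for the VIP. The following script is an added example, not from the original post; it assumes the lab VIP and interface name, iputils arping, and that arping's reply lines look like "Unicast reply from IP [MAC]".

```shell
#!/bin/sh
# Added example (not from the original post): check from one node whether the
# VIP is held by two hosts at once (split-brain). Assumes the lab VIP and
# interface, and iputils arping's "Unicast reply from IP [MAC]" output format.
VIP="${VIP:-192.168.137.100}"
IFACE="${IFACE:-eno16777736}"

# vip_is_local ADDR_OUTPUT : 0 if "ip -4 addr show" output carries the VIP
vip_is_local() { printf '%s\n' "$1" | grep -qF -- "inet $VIP/"; }

# count_owners ARPING_OUTPUT : number of distinct MACs that answered ARP for
# the VIP. A host never sees its own requests, so every reply is another host.
count_owners() {
    printf '%s\n' "$1" | grep -o '\[[0-9A-Fa-f:]\{17\}]' | sort -u | wc -l | tr -d ' '
}

# verdict LOCAL OWNERS : LOCAL is 0 when the VIP is bound on this node, else 1.
# Two hosts answering for the VIP means both keepalived nodes believe they are
# MASTER, typically because VRRP (IP protocol 112) is blocked by the firewall.
verdict() {
    if [ "$1" -eq 0 ]; then
        if [ "$2" -eq 0 ]; then echo ok; else echo split-brain; fi
    else
        case "$2" in 0) echo no-master ;; 1) echo ok ;; *) echo split-brain ;; esac
    fi
}

# live : run on a real node as "vip_check.sh run"
live() {
    local_rc=0
    vip_is_local "$(ip -4 addr show dev "$IFACE")" || local_rc=1
    # arping's exit status is ignored: "no reply" is the normal case on the holder
    reply=$(arping -c 3 -w 3 -I "$IFACE" "$VIP" 2>/dev/null || true)
    verdict "$local_rc" "$(count_owners "$reply")"
}

# demo : constructed sample, a BACKUP node (no VIP bound) that sees two
# different MACs answering for the VIP, i.e. both nodes act as MASTER
SAMPLE_ADDR='    inet 192.168.137.122/24 brd 192.168.137.255 scope global eno16777736'
SAMPLE_ARP='Unicast reply from 192.168.137.100 [00:0C:29:11:22:33]  0.612ms
Unicast reply from 192.168.137.100 [00:0C:29:44:55:66]  0.701ms'
demo() {
    local_rc=0
    vip_is_local "$SAMPLE_ADDR" || local_rc=1
    verdict "$local_rc" "$(count_owners "$SAMPLE_ARP")"    # prints split-brain
}

case "${1:-}" in run) live ;; demo) demo ;; esac
```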
7. Verifying high availability
First verify that the VIP is active on the master node.
Verify that when nginx on the master is stopped, the master runs the check script automatically and restarts nginx.
Verify failover by editing the nginx configuration to simulate nginx crashing and failing to come back up.
Script ①: the check script returns an error, the priority drops by 20 and the VIP moves to the backup node.
Script ②: the check script stops keepalived and the VIP moves to the backup node.
Accessing the VIP is now served by nginx2.
This confirms that the keepalived master/backup switch succeeded.
The check script used here stops the master node and brings up the backup node when nginx is in an abnormal state.