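Installing Keepalived:
The keepalived package is in the CentOS 6.4+ Base repository
Architecture
Primary LVS server address: 192.168.1.4
Backup LVS server address: 192.168.1.8
Official website: http://www.keepalived.org/
Prerequisites: the LVS servers' clocks are synchronized, the firewall rules do not interfere, and SELinux is disabled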
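I. Key-based authentication (this step can be skipped)
1. Generate a key pair (you can press Enter at every prompt, or enter specific values as prompted)
ssh-keygen
2. Copy the key to the other LVS server
ssh-copy-id 192.168.1.8
3. Generate a key on the other machine
ssh-keygen
4. Copy the key to the primary LVS server
ssh-copy-id 192.168.1.4
Alternatively, generate the key on one server and then copy the /root/.ssh/ directory directly to the other servers (both servers then share the same root private key)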
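II. Edit the hosts file (for convenience when connecting; this step can be skipped)
vim /etc/hosts
192.168.1.4 ka1
192.168.1.8 ka2
III. Copy the modified hosts file to the other server
scp /etc/hosts ka2:/etc/
Here ka2 is the 192.168.1.8 from step II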
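IV. Install the keepalived software
yum install keepalived -y
V. Change to the directory that holds the keepalived main configuration file
cd /etc/keepalived/
VI. Back up the main configuration file (in case a bad edit leaves the original configuration unusable)
cp keepalived.conf{,.bak}
VII. Edit the main configuration file (it has three major blocks; this step keeps only the first two)
vim keepalived.conf
1. This article only sets up a floating VIP, so the LVS rule sections can be deleted (there is a backup from the previous step, so nothing is lost). Keep only the following; for everything after it, type dG in vim command mode to delete through the end of the file (dG is not echoed as you type)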
global_defs {
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
    vrrp_skip_check_adv_addr
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.200.16
        192.168.200.17
        192.168.200.18
    }
}
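2. Edit the global configuration, global_defs {
1) Change the notification recipients to the local machine
Before:
notification_email {
    acassen@firewall.loc
    failover@firewall.loc
    sysadmin@firewall.loc
}
After:
notification_email {
    root@localhost
}
2) Send the mail as keepalived on the local machine
Before:
notification_email_from Alexandre.Cassen@firewall.loc
After:
notification_email_from keepalived@localhost
3) Change the mail server address to the local machine
Before:
smtp_server 192.168.200.1
After:
smtp_server 127.0.0.1
4) Change the router name (each router has its own ID name, used to tell the physical servers apart; choose your own)
Before:
router_id LVS_DEVEL
After:
router_id ka1
5) These three lines are not needed for now; delete them or comment them out with #
vrrp_skip_check_adv_addr
vrrp_strict
vrrp_garp_interval 0
6) Change the multicast address (keepalived nodes communicate with each other over multicast; you choose the address, and any class D address works) (advertisements such as the priority are sent out to this multicast address) (this line may be omitted; the default is 224.0.0.18)
Before:
vrrp_gna_interval 0
After:
vrrp_mcast_group4 224.100.100.100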
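3. Edit the virtual router information
1) Instance name; VI_1 is left unchanged here
vrrp_instance VI_1 {
2) Set the role (an instance has several roles; this is the role this node takes)
state MASTER
3) Interface (this server has no eth0, only ens33; the VIP address is bound on this interface)
Before:
interface eth0
After:
interface ens33
4) Which virtual router this instance belongs to (the servers must be in the same group; use the same number on each)
Before:
virtual_router_id 51
After:
virtual_router_id 88
5) Priority (range 0-255; the backup node's priority must be lower than the master's)
priority 100
6) Advertisement interval (1 here means one advertisement per second)
advert_int 1
7) Advertisement authentication (the passwords must match to join group 66; the password is plaintext, so something slightly complex is enough, and it can be captured by a packet sniffer)
Before:
authentication {
    auth_type PASS
    auth_pass 1111
}
After:
authentication {
    auth_type PASS
    auth_pass 123456
}
A random password can be generated with openssl rand -base64 9
8) VIP addresses (several addresses are allowed; a netmask must be given, and the default without one is /32)
Before:
virtual_ipaddress {
    192.168.200.16
    192.168.200.17
    192.168.200.18
}
After: bound to the physical NIC ens33, with the alias ens33:1 added (without the alias, an additional NIC would be added)
virtual_ipaddress {
    192.168.1.100/24 dev ens33 label ens33:1
}
9) Copy the configuration file to the remote server
scp keepalived.conf ka2:`pwd`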
10) Complete keepalived.conf for the primary server
! Configuration File for keepalived
global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka1
    vrrp_mcast_group4 224.100.100.100
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 88
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.1.100/24 dev ens33 label ens33:1
    }
}
11) Complete keepalived.conf for the backup server
! Configuration File for keepalived
global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from keepalived@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka2
    vrrp_mcast_group4 224.100.100.100
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 88
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        192.168.1.100/24 dev ens33 label ens33:1
    }
}
Several virtual routers can be defined here, and across them one server can take several roles: for example, this machine is the master for one virtual router while the other servers are backups, and for another virtual router the other server is the master and this machine is the backup
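The wire format behind step 3.7) above, as an added example that is not part of the original page: it decodes a VRRPv2 advertisement laid out as in RFC 2338 to show that auth_type PASS carries auth_pass in clear text, which is why it can be read from a capture. The sample bytes are constructed from the ka1 settings above (not a real capture), and the function names are illustrative.

```python
import ipaddress
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "ah"}  # auth type codes from RFC 2338

# Constructed sample: the VRRP payload a node configured like ka1 would send
# (vrid 88, prio 100, one VIP 192.168.1.100, auth_pass 123456). Not a real capture.
SAMPLE = bytes.fromhex("21586401 01011dfc c0a80164 31323334 35360000")

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement; raise ValueError if it is malformed."""
    if len(payload) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, atype, intvl = struct.unpack("!6B", payload[:6])
    if vt != 0x21:  # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:  # header + VIPs + 8-byte auth field
        raise ValueError("length does not match the address count")
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(payload[o:o + 4]))
            for o in range(8, 8 + 4 * count, 4)]
    return {"vrid": vrid, "prio": prio, "intvl": intvl, "vips": vips,
            "auth_type": AUTH_TYPES.get(atype, "unknown"),
            # Simple-text auth: the password sits in the packet, zero padded.
            "auth_data": payload[-8:].rstrip(b"\x00").decode("ascii", "replace")}

if __name__ == "__main__":
    print(len(SAMPLE), parse_advert(SAMPLE))
```

The 8-byte header, one 4-byte VIP and the 8-byte authentication field add up to the "length 20" that tcpdump reports in the captures below; because that field is 8 bytes, only the first 8 characters of a longer auth_pass can be carried.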
VIII. Observation
1. Install a packet capture tool on another server; any server on the same network segment will do
yum install tcpdump -y
2. Start capturing; the output looks like this
[00:42:23 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
3. Start the keepalived service on the server with the lower priority
systemctl start keepalived
4. Check the capture: 192.168.1.8 announces that it has priority 90, and since nobody on the network currently has a higher priority, it takes the VIP address
[00:42:23 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:44:59.571763 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:00.575048 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:01.578290 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:45:02.580599 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
5. Check the IP addresses: the server 192.168.1.8 has obtained the VIP address
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:62:3f:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.1.100/24 scope global secondary ens33:1
       valid_lft forever preferred_lft forever
    inet6 fe80::5585:1cb1:8329:e534/64 scope link
       valid_lft forever preferred_lft forever
6. Start the keepalived service on the primary server with priority 100 (IP 192.168.1.4)
systemctl start keepalived
7. Check the capture
[00:49:01 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:49:32.304796 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:49:33.307825 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:49:33.308035 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:49:34.308864 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
When a server with a higher priority appears on the network, the lower-priority server immediately stops sending ARP announcements
8. Now check the IP addresses on the primary server (IP 192.168.1.4)
[00:49:33 root@ka1 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:88:cd:f0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.1.100/24 scope global secondary ens33:1
       valid_lft forever preferred_lft forever
    inet6 fe80::82fc:253f:d442:8fa4/64 scope link
       valid_lft forever preferred_lft forever
The higher-priority server automatically acquires the VIP address, and the lower-priority server automatically gives it up
8. Check the IP addresses on the lower-priority server
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:62:3f:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5585:1cb1:8329:e534/64 scope link
       valid_lft forever preferred_lft forever
9. Take the primary server down (stop the keepalived service)
systemctl stop keepalived
10. The capture shows the following:
[00:49:37 root@rs1 ~]#tcpdump -i ens33 -nn host 224.100.100.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
00:55:38.133342 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:55:50.171851 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:55:50.669535 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 0, authtype simple, intvl 1s, length 20
00:55:51.320149 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
Because the keepalived service was stopped deliberately, it sends an advertisement with priority 0, actively announcing that the primary server has stopped and that the other servers may take the VIP address. A service that stops unexpectedly does not send 0, and has no time to
11. Ping the VIP address from another host
ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.668 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.874 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.153 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.588 ms
64 bytes from 192.168.1.100: icmp_seq=5 ttl=64 time=1.11 ms
From 192.168.1.4 icmp_seq=6 Redirect Host(New nexthop: 192.168.1.100)
From 192.168.1.4: icmp_seq=6 Redirect Host(New nexthop: 192.168.1.100)
64 bytes from 192.168.1.100: icmp_seq=6 ttl=64 time=780 ms
64 bytes from 192.168.1.100: icmp_seq=7 ttl=64 time=0.156 ms
64 bytes from 192.168.1.100: icmp_seq=8 ttl=64 time=0.182 ms
64 bytes from 192.168.1.100: icmp_seq=9 ttl=64 time=0.273 ms
^C
--- 192.168.1.100 ping statistics ---
9 packets transmitted, 9 received, +1 errors, 0% packet loss, time 8017ms
rtt min/avg/max/mdev = 0.153/87.151/780.351/245.083 ms
Testing shows that a few packets are lost, but not many
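The captures in this section can be read mechanically. The following added example (not part of the original page) parses tcpdump advertisement lines like those above and reports master changes, the priority-0 release described in step 10, and advertisements for vrid 88 from an address that is not one of the two configured routers. The last sample line and all function names are constructed for illustration.

```python
import re

ADVERT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > \S+: VRRPv\d, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+), authtype (?P<auth>\w+)")

# vrid -> {router address: configured priority}, taken from the two configs above
EXPECTED = {88: {"192.168.1.4": 100, "192.168.1.8": 90}}

# First three lines are from the capture in step 10; the last line is constructed.
SAMPLE = """\
00:55:50.171851 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 100, authtype simple, intvl 1s, length 20
00:55:50.669535 IP 192.168.1.4 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 0, authtype simple, intvl 1s, length 20
00:55:51.320149 IP 192.168.1.8 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 90, authtype simple, intvl 1s, length 20
00:56:10.000000 IP 192.168.1.66 > 224.100.100.100: VRRPv2, Advertisement, vrid 88, prio 255, authtype simple, intvl 1s, length 20
""".splitlines()

def analyze(lines, expected=EXPECTED):
    """Return (timestamp, vrid, event) tuples for the VRRP lines in a capture."""
    events, master = [], {}
    for line in lines:
        m = ADVERT.match(line.strip())
        if not m:
            continue  # tcpdump banner or unrelated traffic
        ts, src = m["ts"], m["src"]
        vrid, prio = int(m["vrid"]), int(m["prio"])
        peers = expected.get(vrid, {})
        if src not in peers:
            # Sender is not one of the configured routers for this vrid.
            events.append((ts, vrid, f"unexpected sender {src} prio {prio}"))
        elif prio == 0:
            # Priority 0 is the graceful "I am stepping down" advertisement.
            events.append((ts, vrid, f"{src} released the VIP"))
            master.pop(vrid, None)
        else:
            if prio != peers[src]:
                events.append((ts, vrid, f"{src} prio {prio}, expected {peers[src]}"))
            if master.get(vrid) != src:
                events.append((ts, vrid, f"master is now {src}"))
                master[vrid] = src
    return events

if __name__ == "__main__":
    for event in analyze(SAMPLE):
        print(*event)
```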
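IX. Other configuration
1. Tracking interfaces
The steps above used
interface ens33
track_interface { # network interfaces to monitor; if one fails, the instance switches to the FAULT state and the address moves over
    eth0
    eth1
    …
}
If this is not defined, only ens33 is monitored by default; defining it lets you monitor several NICs, and the IP is released automatically if a NIC has a problem
2. Set the working mode to non-preemptive
nopreempt
3. Set the working mode to preemptive (the default mode); the value is the delay before a node that comes back online triggers a new election
preempt_delay 300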