keepalived installation and configuration
yum install -y curl gcc openssl-devel libnl3-devel net-snmp-devel
yum -y install keepalived ipset
Configuration reference
https://www.cnblogs.com/barneywill/p/10328122.html
Problem 1: make the master not preempt the VIP after it recovers (in the configuration example below this is done with nopreempt together with state BACKUP on both nodes)
Problem 2: if the check script tests an application that starts slowly, disable keepalived's own service startup and start it from /etc/rc.d/rc.local after the application, with a sleep XX in between, where XX is longer than the application's startup time; after editing, run chmod +x /etc/rc.d/rc.local
Problem 3: master and backup both hold the VIP; this is usually a firewall problem
Fix: set SELinux to permissive mode: setenforce 0 # permissive mode, temporary
sed -i 's/=enforcing/=disabled/g' /etc/sysconfig/selinux # permanent (note: this sets SELinux to disabled, not permissive)
Then allow VRRP in the firewall rules: firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --protocol vrrp -j ACCEPT
Reload the firewall: firewall-cmd --reload
Problem 4: keepalived logs to /var/log/messages by default; change the log location to /var/log/keepalived.log
Fix: 1. vim /etc/sysconfig/keepalived and change the line KEEPALIVED_OPTIONS="-D" to KEEPALIVED_OPTIONS="-D -d -S 0"
2. vim /etc/rsyslog.conf and add this line at the end of the file:
local0.* /var/log/keepalived.log
3. Restart the rsyslog service: systemctl restart rsyslog
4. Restart the keepalived service; logs are now written to /var/log/keepalived.log
Problem 5: master and backup both hold the VIP. One cause is that the routing/switching layer of the server network restricts broadcast/multicast traffic, so the keepalived master/backup protocol cannot communicate over multicast; each node then believes it is the master and claims the Virtual-IP, and both servers end up with the same VIP.
Fix: add the unicast_src_ip and unicast_peer parameters on master and backup so the two nodes communicate by unicast.
unicast_src_ip 172.16.104.165 # this node
unicast_peer {
172.16.104.166 # peer node
}
Configuration example
backup
! Configuration File for keepalived
global_defs {
router_id ha01
}
vrrp_script chk_nginx {
script "/etc/keepalived/nginx_check.sh"
interval 2
timeout 2
fall 3
}
vrrp_instance nginx {
state BACKUP
interface eno2
virtual_router_id 9
nopreempt
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 9
}
virtual_ipaddress {
172.16.104.168
}
track_script {
chk_nginx
}
}
# unicast_src_ip 172.16.104.165
# unicast_peer {
# 172.16.104.166
# }
master
! Configuration File for keepalived
global_defs {
router_id ha01
}
vrrp_script chk_nginx {
script "/etc/keepalived/nginx_check.sh"
interval 2
timeout 2
fall 3
}
vrrp_instance nginx {
state BACKUP
interface eno2
virtual_router_id 9
nopreempt
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass 9
}
virtual_ipaddress {
172.16.104.168
}
track_script {
chk_nginx
}
}
# unicast_src_ip 172.16.104.166
# unicast_peer {
# 172.16.104.165
# }
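The configuration example above and the unicast fix for problem 5 leave a few things to get right by hand on two machines: nopreempt is only honoured with state BACKUP, virtual_router_id and auth_pass must match on both nodes, the priorities must differ, and the unicast_src_ip/unicast_peer lines must sit inside the vrrp_instance block to take effect. The following added script (not part of this post or of keepalived) lints a pair of configs for exactly those points. The configs it checks are constructed here from the backup/master examples above; the function and variable names are my own.

```bash
#!/bin/bash
# Added example: lint a pair of keepalived configs for the pitfalls
# described in this post. Point it at both nodes' /etc/keepalived/keepalived.conf
# in practice; here it runs over constructed copies of the post's examples.

# kv <config-text> <keyword>: value of the first uncommented "<keyword> <value>" line
kv() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*[#!]' \
        | awk -v k="$2" '$1 == k { print $2; exit }'
}

# has <config-text> <keyword>: succeed if the keyword appears uncommented
has() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*[#!]' | grep -qw -- "$2"
}

# lint_node <name> <config-text>: print one line per finding for one node
lint_node() {
    local name=$1 cfg=$2
    # nopreempt is ignored unless the instance starts as BACKUP
    if has "$cfg" nopreempt && [ "$(kv "$cfg" state)" != "BACKUP" ]; then
        echo "$name: nopreempt requires 'state BACKUP'"
    fi
    # without unicast_peer, adverts go to multicast 224.0.0.18 (problem 5)
    if ! has "$cfg" unicast_peer; then
        echo "$name: no unicast_peer, VRRP relies on multicast"
    fi
    # a vrrp_script that no track_script references never influences failover
    if has "$cfg" vrrp_script && ! has "$cfg" track_script; then
        echo "$name: vrrp_script defined but not referenced by track_script"
    fi
}

# lint_pair <cfg-a> <cfg-b>: per-node findings plus cross-node consistency
lint_pair() {
    local a=$1 b=$2
    lint_node nodeA "$a"
    lint_node nodeB "$b"
    [ "$(kv "$a" virtual_router_id)" = "$(kv "$b" virtual_router_id)" ] \
        || echo "pair: virtual_router_id differs, nodes will not form one VRRP group"
    [ "$(kv "$a" priority)" != "$(kv "$b" priority)" ] \
        || echo "pair: equal priorities, master election falls back to the higher IP"
    [ "$(kv "$a" auth_pass)" = "$(kv "$b" auth_pass)" ] \
        || echo "pair: auth_pass differs, adverts will be rejected"
}

# Constructed config mirroring the backup example above (unicast lines still
# commented out, as in the post, but placed inside vrrp_instance where they belong).
BACKUP_CFG='! Configuration File for keepalived
global_defs { router_id ha01 }
vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh"
    interval 2
}
vrrp_instance nginx {
    state BACKUP
    interface eno2
    virtual_router_id 9
    nopreempt
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 9
    }
    virtual_ipaddress { 172.16.104.168 }
    track_script { chk_nginx }
    # unicast_src_ip 172.16.104.165
    # unicast_peer { 172.16.104.166 }
}'
# The master example differs only in priority.
MASTER_CFG=$(printf '%s\n' "$BACKUP_CFG" | sed 's/priority 100/priority 150/')

# Constructed deliberately wrong config: nopreempt with state MASTER.
BAD_CFG='vrrp_instance nginx {
    state MASTER
    nopreempt
    virtual_router_id 9
    priority 150
    unicast_src_ip 172.16.104.166
    unicast_peer { 172.16.104.165 }
}'

echo "== configs from the post =="
lint_pair "$BACKUP_CFG" "$MASTER_CFG"
echo "== constructed bad config =="
lint_node bad "$BAD_CFG"
```

Run against the post's two configs it reports only that neither node has unicast_peer enabled yet; once the unicast lines are uncommented on both nodes that finding disappears. Note that VRRP PASS authentication is sent in clear text, so auth_pass is a consistency check between the two nodes rather than a security boundary; the firewall rules for VRRP later in this post are what keep other hosts out of the group.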
nginx_check.sh
#!/bin/bash
# If nothing is listening on TCP port 8090, stop keepalived so the VIP fails over.
# Match ":8090" followed by whitespace so that ports such as 18090 or a PID
# containing 8090 in the netstat output are not counted as the application.
if [ "$(netstat -ntlp | grep -cE ':8090[[:space:]]')" -eq 0 ]; then
    killall keepalived
fi
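Two places in this post depend on deciding reliably whether the application is listening: the check script above (a false "down" kills keepalived and moves the VIP for no reason, a false "up" leaves the VIP on a dead node) and the rc.local ordering from problem 2, where a fixed sleep XX is only a guess at the startup time. The following added script (my own example, not the post's nginx_check.sh) does both: it matches the port only in the local-address column of ss -Hltn output, and replaces the fixed sleep with a bounded wait. The ss sample is constructed; the function names and the probe-command parameter are assumptions for this example.

```bash
#!/bin/bash
# Added example: precise listening-port check for the keepalived check
# script, plus a bounded wait usable from rc.local before starting keepalived.

# port_listening <ss-output> <port>: succeed if some socket listens on <port>.
# Field 4 of `ss -Hltn` is Local Address:Port (0.0.0.0:8090, [::]:8090, ...);
# only the part after the last ':' is compared, so 18090 or a PID never matches.
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { n = split($4, a, ":"); if (a[n] == p) { found = 1; exit } }
        END { exit (found ? 0 : 1) }'
}

# wait_for_port <port> <timeout-seconds> [probe-cmd]: poll once per second
# until the application listens; probe-cmd defaults to the real `ss -Hltn`
# and is parameterised so the loop can be exercised offline.
wait_for_port() {
    local port=$1 timeout=$2 probe=${3:-"ss -Hltn"} i=0
    while [ "$i" -lt "$timeout" ]; do
        port_listening "$($probe)" "$port" && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# check_app <ss-output> <port>: body of the keepalived check script.
# Returns non-zero only when the port is really not listening; the post's
# script runs `killall keepalived` at that point (left as a comment here).
check_app() {
    if port_listening "$1" "$2"; then
        return 0
    fi
    echo "port $2 not listening, keepalived should release the VIP" >&2
    # killall keepalived
    return 1
}

# Constructed `ss -Hltn` output: sshd on 22, nginx on 8090, something on 18090.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8090 0.0.0.0:*
LISTEN 0 128 [::]:18090 [::]:*'

# fake_ss: stand-in probe that prints the constructed sample
fake_ss() { printf '%s\n' "$SAMPLE_SS"; }

# rc.local usage on a real host (after the application has been started):
#   wait_for_port 8090 120 && systemctl start keepalived
wait_for_port 8090 5 fake_ss && echo "8090 is up"
check_app "$SAMPLE_SS" 8090 && echo "check passes for 8090"
check_app "$SAMPLE_SS" 80 || echo "check fails for 80, as it should"
```

With `grep 8090` over netstat output, the third sample line (port 18090) would have counted as the application being up; the column-aware comparison does not, and port 80 correctly reports down.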
# Firewall rules allowing the keepalived (VRRP) traffic
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens3 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface ens3 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --zone=public --add-protocol=vrrp --permanent
Note: ens3 is the network interface name; replace it with the actual interface name on your system.
# Allow only the source host 192.168.0.1 to reach TCP port 8000 on the server
Method 1: firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -p tcp --dport 8000 -s 192.168.0.1 -j ACCEPT
Method 2: firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.1/32 port port=8000 protocol=tcp accept'
# Prevent other hosts from pinging the server
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
