keepalived安装配置 (Centos7)
- keepalived简介
keepalive是一款可以实现高可靠的软件,通常部署在2台服务器上,分为一主一备。Keepalived可以对本机上的进程进行检测,一旦Master(主)检测出某个进程出现问题,将自己切换成Backup(副)状态,然后通知另外一个节点切换成Master(主)状态。
https://www.keepalived.org/download.html
http://nginx.org/en/download.html# 将keepalived解压到/usr/local目录下 tar -zxvf keepalived-2.0.11.tar.gz -C /usr/local
进入到/usr/local/keepalived-2.0.11目录
cd /usr/local/keepalived-2.0.11
开始configure
./configure --prefix=/usr/local/keepalived
#编译并安装
make && make install
出现以下信息表示编译成功Keepalived configuration
Keepalived version : 2.0.11
Compiler : gcc
Preprocessor flags :
Compiler flags : -Wall -Wunused -Wstrict-prototypes -Wextra -Winit-self -g -D_GNU_SOURCE -fPIE -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -O2
Linker flags : -pie
Extra Lib : -lcrypto -lssl -lnl
Use IPVS Framework : Yes
IPVS use libnl : Yes
IPVS syncd attributes : No
IPVS 64 bit stats : No
HTTP_GET regex support : No
fwmark socket support : Yes
Use VRRP Framework : Yes
Use VRRP VMAC : Yes
Use VRRP authentication : Yes
With ip rules/routes : Yes
Use BFD Framework : No
SNMP vrrp support : No
SNMP checker support : No
SNMP RFCv2 support : No
SNMP RFCv3 support : No
DBUS support : No
SHA1 support : No
Use JSON output : No
libnl version : 1
Use IPv4 devconf : No
Use iptables : Yes
Use libiptc : No
Use libipset : No
Use nftables : No
init type : systemd
Strict config checks : No
Build genhash : Yes
Build documentation : No
编译可能出现的问题
*** WARNING - this build will not support IPVS with IPv6. Please install libnl/libnl-3 dev libraries to support IPv6 with IPVS.
执行yum命令yum -y install libnl libnl-devel解决上述警告问题
yum -y install libnl libnl-devel
configure: error: in /usr/local/keepalived-2.0.11':config.log' for more details
configure: error: no acceptable C compiler found in $PATH
See
yum install gcc
configure: error:
!!! OpenSSL is not properly installed on your system. !!!
!!! Can not include OpenSSL headers files. !!!
[root@dajia keepalived-2.0.11]#
yum -y install openssl-devel
安装完成以后,重新执行configure ... 命令
将keepalived添加到系统服务中
路径 说明
/usr/local/keepalived-2.0.10 解压后源码存放路径
/usr/local/keepalived 安装目录
# 拷贝执行文件
cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
# 将初始化脚本拷贝到系统初始化目录下
cp /usr/local/keepalived-2.0.10/keepalived/etc/init.d/keepalived /etc/init.d/
# 将keepalived配置文件拷贝到etc下
cp /usr/local/keepalived-2.0.10/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
# 创建keepalived文件夹
mkdir /etc/keepalived/
# 将keepalived配置文件拷贝到etc下
cp /usr/local/keepalived-2.0.10/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/
# 添加可执行权限
chmod +x /etc/init.d/keepalived
# 添加keepalived到开机启动
chkconfig --add keepalived
chkconfig keepalived on
此时已加入系统服务 可使用services 启动
#启动
service keepalived start
#停止
service keepalived stop
#重启
service keepalived restart
#查看启动情况
ps -aux |grep keepalived
配置keepalived虚拟IP
修改刚添加到系统的配置文件:vi /etc/keepalived/keepalived.conf
注意 是系统的配置文件(/etc/keepalived/keepalived.conf)
注意 是系统的配置文件(/etc/keepalived/keepalived.conf)
注意 是系统的配置文件(/etc/keepalived/keepalived.conf)
不是安装目录/usr/local...下的
vrrp_instance VI_1 {
state MASTER //MASTER主节点,备用节点上设置为state BACKUP
interface ens33 //绑定虚拟机IP的网卡 两个节点设置一样 根据 ipaddr换成对应的网卡地址
virtual_router_id 51 //VRRP组名,主副节点设置必须一样,指名各个节点属于同一个VRRP组,同一个组的节点互相抢IP
priority 100 //优先级(1~254之间),备用节点必须比主节点优先级低
advert_int 1 //组播信息发送间隔,两个节点设置必须一样
authentication { //设置验证信息, 两个节点设置必须一样,用于节点间信息转发时的加密
auth_type PASS
auth_pass 1111
}
virtual_ipaddress { // 虚拟IP两个节点设置必须一样,两节点同时抢一个io
192.168.33.60/24 // 如果两个nginx的ip分别是192.168.33.61,,...62,则此处的虚拟ip跟它俩同一个网段即可 24代表3个255的子网掩码
}
}
如果要 ping 192.168.33.60 还需要注释掉配置文件中的# vrrp_strict
遇到的问题
主备都抢到了虚拟ip
采用tcpdump抓包定位问题,以下是在192.168.93.141 主节点的抓包结果
tcpdump -i ens33 vrrp -n
以下是在10.11.4.187 备节点的抓包结果
tcpdump -i ens33 vrrp -n
由上图可以看到,192.168.93.140和192.168.93.141两个IP在轮流发送组播信号。而正常的应该是由MASTER服务器发送组播,如果BACKUP收不到MASTER的组播信号了,那么判定MASTER宕机了,BACKUP就会接手VIP
问题就是出现在了防火墙这里,防火墙阻止了vrrp组包发送
如果是Firewalld防火墙 则主、备都运行下面的命令
[root@dajia sysconfig]# firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --protocol vrrp -j ACCEPT
success
[root@dajia sysconfig]# firewall-cmd --reload
success