Chapter 1 Nginx reverse proxy with keepalived high availability
1.1 How does keepalived work? (key point)
1.1.1 Principle
1) VRRP, the Virtual Router Redundancy Protocol, was created to eliminate the single point of failure of static routing.
2) VRRP communicates between the members of a high-availability pair over IP multicast (default multicast address 224.0.0.18).
3) In operation the master node sends packets and the backup node receives them; when the backup stops receiving the master's packets it starts the takeover process and takes over the master's resources. There can be several backup nodes, elected by priority, but in day-to-day keepalived operations a pair is the norm.
1.2 High-availability principle
1.2.1 VRRP is used for communication between master and backup
1.2.2 VRRP is used for the master/backup election, based on priority (set in the configuration file)
1.2.3 VRRP multicast packets are sent from master to backup over the heartbeat link (when the master stops sending multicast packets it is considered down, and the backup takes over its work)
1.2.4 VRRP is used without encrypting the payload; plaintext transmission is fast
1.3 keepalived configuration procedure
1.3.1 Hardware environment preparation
1.3.1.1 Prepare four VMs: two to run keepalived and two to act as test web nodes.
Hostname   IP          Description
lb01       10.0.0.5    keepalived master (nginx primary load balancer)
lb02       10.0.0.6    keepalived backup (nginx backup load balancer)
web01      10.0.0.8    web01 server
web02      10.0.0.7    web02 server
web03      10.0.0.9    web03 server
VIPs
lb01       10.0.0.3    VIP 10.0.0.3 (bound to service A, domain www.tiandi.com)
lb02       10.0.0.4    VIP 10.0.0.4 (bound to service B, domain bbs.tiandi.com)
1.4 Unified web cluster configuration files (web01, web02 and web03 are configured identically)
cat /application/nginx/conf/extra/www.conf
server {
    listen 80;
    server_name www.tiandi.com;
    location / {
        root html/www;
        index index.html index.htm;
    }
}
cat /application/nginx/conf/extra/bbs.conf
server {
    listen 80;
    server_name bbs.tiandi.com;
    location / {
        root html/bbs;
        index index.html index.htm;
    }
}
1.5 Sync the configuration to the three web servers:
scp -rp {www.conf,bbs.conf} 172.16.1.7:/application/nginx/conf/extra/
scp -rp {www.conf,bbs.conf} 172.16.1.9:/application/nginx/conf/extra/
1.6 Unified web main configuration file:
[root@web01 extra]# cat ../nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    include extra/www.conf;
    include extra/bbs.conf;
}
scp -rp ../nginx.conf 172.16.1.9:/application/nginx/conf/
scp -rp ../nginx.conf 172.16.1.7:/application/nginx/conf/
1.7 Prepare the web01 test environment:
[root@web01 www]# for name in www bbs;do echo $name `hostname` >/application/nginx/html/$name/nana.html;done
[root@web01 www]# for name in www bbs;do cat /application/nginx/html/$name/nana.html;done
www web01
bbs web01
1.8 Prepare the web02 test environment:
[root@web02 conf]# for name in www bbs;do echo $name `hostname` >/application/nginx/html/$name/nana.html;done
[root@web02 conf]# for name in www bbs;do cat /application/nginx/html/$name/nana.html;done
www web02
bbs web02
1.9 Prepare the web03 test environment:
[root@web03 conf]# for name in www bbs;do echo $name `hostname` >/application/nginx/html/$name/nana.html;done
[root@web03 conf]# for name in www bbs;do cat /application/nginx/html/$name/nana.html;done
www web03
bbs web03
1.10 Reload the service once the test environment is in place:
/application/nginx/sbin/nginx -t
/application/nginx/sbin/nginx -s reload
1.11 Web environment test results (run from the lb load balancer):
[root@web01 www]# curl -H host:www.etiantian.org 10.0.0.8/nana.html
www web01
[root@web01 www]# curl -H host:bbs.etiantian.org 10.0.0.8/nana.html
bbs web01
[root@web01 www]# curl -H host:www.etiantian.org 10.0.0.7/nana.html
www web02
[root@web01 www]# curl -H host:bbs.etiantian.org 10.0.0.7/nana.html
bbs web02
[root@web01 www]# curl -H host:www.etiantian.org 10.0.0.9/nana.html
www web03
[root@web01 www]# curl -H host:bbs.etiantian.org 10.0.0.9/nana.html
bbs web03
Chapter 2 nginx reverse proxy load-balancing configuration
2.1 Unified configuration file for the nginx reverse-proxy load-balancing cluster
[root@lb01 conf]# cat nginx.conf
#### nginx.conf for lb01 and lb02
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    upstream server_pools {
        server 10.0.0.7:80;
        server 10.0.0.8:80;
        server 10.0.0.9:80;
    }
    server {
        listen 80;
        server_name www.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
    server {
        listen 80;
        server_name bbs.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
scp -rp /application/nginx/conf/nginx.conf 172.16.1.6:/application/nginx/conf/
Chapter 3 keepalived deployment
3.1 First milestone: install keepalived
3.2 Install on both load balancers, lb01 and lb02
yum install -y keepalived
rpm -qa keepalived
rpm -ql keepalived
3.3 See which directories and configuration files keepalived installs
[root@lb01 conf]# rpm -ql keepalived
/etc/keepalived
/etc/keepalived/keepalived.conf
/etc/rc.d/init.d/keepalived
3.4 Second milestone: test with the default configuration
3.4.1 Start the keepalived service on lb01 and lb02
/etc/init.d/keepalived start
ip addr    # check whether the default virtual IPs are present
Note: the virtual IP addresses from the default configuration are present.
A packet capture shows the VRRP packets.
3.5 Third milestone: write the service configuration file
First you need to understand the contents of the configuration file (man keepalived.conf).
3.5.1 Sections of the configuration file
• GLOBAL CONFIGURATION    ### global definitions (lines 01-13 of the default configuration file)
• VRRPD CONFIGURATION     ### virtual IP configuration (lines 15-30 of the default configuration file)
• LVS CONFIGURATION       ### configuring and managing LVS
3.6 keepalived configuration file explained
global_defs {
    notification_email {
        [email protected]          # administrator mailbox(es) to notify
        [email protected]
        [email protected]
    }
    notification_email_from [email protected]   # mailbox used as the sender
    smtp_server smtp.163.com              # mail server
    smtp_connect_timeout 30               # mail sending timeout
    router_id lb01                        # (key parameter) identity of this keepalived host on the LAN; unique per host
}
vrrp_instance VI_1 {                      # VRRP-related configuration
    state MASTER                          # role of this keepalived node; allowed values: MASTER, BACKUP
    interface eth0                        # network interface the virtual IP is placed on
    virtual_router_id 55                  # identifies the keepalived group (VRRP instance) this node belongs to
    priority 150                          # priority in the master/backup election (higher number wins)
    advert_int 1                          # interval, in seconds, between the master's multicast advertisements
    authentication {                      # authentication between master and backup
        auth_type PASS                    # plaintext password authentication
        auth_pass 1111                    # the plaintext password
    }
    virtual_ipaddress {                   # virtual IP address settings
        10.0.0.3/24 dev eth0 label eth0:1
        # the virtual IP (VIP) with a 24-bit netmask, bound to interface eth0 under the alias eth0:1; the backup node uses the same setting as the master
    }
}
3.7 Build a basic keepalived configuration file (lb01)
cat /etc/keepalived/keepalived.conf
global_defs {
    router_id LVS_01
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev eth0 label eth0:1
    }
}
3.7.1 Restart after editing the configuration file
/etc/init.d/keepalived restart
3.8 Build a basic keepalived configuration file (lb02)
cat /etc/keepalived/keepalived.conf
global_defs {
    router_id LVS_02
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev eth0 label eth0:1
    }
}
3.8.1 Restart after editing the configuration file
/etc/init.d/keepalived restart
Note: differences between the master and backup configuration files
01. router_id differs
02. state (MASTER vs BACKUP) differs
03. priority differs
Note: capture packets to observe the effect of the configuration, and compare the configuration files of the two load balancers.
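The note above lists what the two files must share and where they must differ. The script below, added here as an example and not part of the original tutorial, checks a master/backup pair of keepalived.conf files for exactly those invariants; it assumes one vrrp_instance per file with one directive per line, and writes constructed sample configs to a temporary directory.

```shell
#!/bin/bash
# Added example, not from the tutorial: check that a master/backup pair of keepalived.conf
# files agrees where it must (VRID, interface, advert_int, auth, VIP) and differs where it
# must (router_id, state, priority). Assumes one vrrp_instance per file, one directive per line.

mkconf() {  # write a constructed sample config: file router_id state vrid priority vip
    cat >"$1" <<EOF
global_defs {
    router_id $2
}
vrrp_instance VI_1 {
    state $3
    interface eth0
    virtual_router_id $4
    priority $5
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        $6 dev eth0 label eth0:1
    }
}
EOF
}

kv()   { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }   # value of the first "<name> <value>" line
vips() { awk '/virtual_ipaddress/ { f = 1; next } f && /}/ { f = 0 } f { print $1 }' "$1" | sort | tr '\n' ' '; }

check_pair() {  # args: master.conf backup.conf; prints one finding per line, returns 1 if any
    m=$1; b=$2; rc=0
    for k in interface virtual_router_id advert_int auth_type auth_pass; do
        [ "$(kv "$m" $k)" = "$(kv "$b" $k)" ] || { echo "MISMATCH $k"; rc=1; }
    done
    [ "$(vips "$m")" = "$(vips "$b")" ]                   || { echo "MISMATCH virtual_ipaddress"; rc=1; }
    [ "$(kv "$m" router_id)" != "$(kv "$b" router_id)" ]  || { echo "DUPLICATE router_id"; rc=1; }
    [ "$(kv "$m" state)" = MASTER ] && [ "$(kv "$b" state)" = BACKUP ] || { echo "BAD state pair"; rc=1; }
    [ "$(kv "$m" priority)" -gt "$(kv "$b" priority)" ]   || { echo "BAD priority order"; rc=1; }
    return $rc
}

DIR=$(mktemp -d)
mkconf "$DIR/lb01.conf"     LVS_01 MASTER 51 150 10.0.0.3/24
mkconf "$DIR/lb02.conf"     LVS_02 BACKUP 51 100 10.0.0.3/24
mkconf "$DIR/lb02_bad.conf" LVS_02 BACKUP 52 150 10.0.0.3/24   # wrong VRID, priority not lower
check_pair "$DIR/lb01.conf" "$DIR/lb02.conf"     && echo "lb01/lb02: OK"
check_pair "$DIR/lb01.conf" "$DIR/lb02_bad.conf" || echo "lb01/lb02_bad: problems found"
```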
3.9 nginx reverse proxy / load balancing: making it highly available
3.9.1 Unify the reverse-proxy configuration on lb01 and lb02 (lb01)
cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    upstream server_pools {
        server 10.0.0.7;
        server 10.0.0.8;
        server 10.0.0.9;
    }
    server {
        listen 80;
        server_name bbs.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        access_log logs/access_www.log main;
    }
    server {
        listen 80;
        server_name www.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        access_log logs/access_blog.log main;
    }
}
3.9.2 Testing
3.9.2.1 Test lb01 (10.0.0.5)
curl -H Host:www.etiantian.org 10.0.0.5/nana.html
curl -H Host:bbs.etiantian.org 10.0.0.5/nana.html
3.9.2.2 Test lb02 (10.0.0.6)
curl -H Host:www.etiantian.org 10.0.0.6/nana.html
curl -H Host:bbs.etiantian.org 10.0.0.6/nana.html
Note: the tests above confirm that both lb servers can perform load scheduling.
3.9.3 Resolve the domain names to the VIP
10.0.0.3 www.etiantian.org blog.etiantian.org bbs.etiantian.org
Chapter 4 Enterprise cases in detail
4.1 Case one: make the nginx reverse proxy listen only on the VIP
10.0.0.3/nana.html    works
10.0.0.5/nana.html    must not be reachable
10.0.0.6/nana.html    must not be reachable
4.1.1 First milestone: change the reverse proxy configuration to listen only on the VIP
4.1.1.1 nginx.conf must be changed on both lb01 and lb02
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    upstream server_pools {
        server 10.0.0.7:80;
        server 10.0.0.8:80;
        server 10.0.0.9:80;
    }
    server {
        listen 10.0.0.3:80;
        server_name www.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        access_log logs/access_www.log main;
    }
    server {
        listen 10.0.0.3:80;
        server_name bbs.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        access_log logs/access_www.log main;
    }
}
Note: when changing the listen address in the reverse proxy configuration, every server block needs the listen address; a server block without one still listens on all addresses by default.
4.1.2 Second milestone: the VIP does not exist on lb02, so nginx cannot bind to it; a kernel parameter must be changed
[root@lb01 conf]# /application/nginx/sbin/nginx -t
nginx: the configuration file /application/nginx-1.10.2/conf/nginx.conf syntax is ok
nginx: [emerg] bind() to 10.0.0.3:80 failed (99: )
nginx: configuration file /application/nginx-1.10.2/conf/nginx.conf test failed
[root@lb01 conf]# ip a s eth0
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:27:4e:e9 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
inet6 fe80::20c:29ff:fe27:4ee9/64 scope link
valid_lft forever preferred_lft forever
nginx cannot bind to an IP address that does not exist on the local host.
4.1.2.1 Fix:
echo 'net.ipv4.ip_nonlocal_bind = 1' >>/etc/sysctl.conf    # allow binding to IP addresses not present locally
## appended to /etc/sysctl.conf
sysctl -p
echo "1" >/proc/sys/net/ipv4/ip_nonlocal_bind
4.1.3 Third milestone: testing
[root@lb01 ~]# curl -H Host:www.etiantian.org 10.0.0.5/nana.html
curl: (7) couldn't connect to host
[root@lb01 ~]# curl -H Host:www.etiantian.org 10.0.0.6/nana.html
curl: (7) couldn't connect to host
[root@lb01 ~]# curl -H Host:www.etiantian.org 10.0.0.88/nana.html
www web02
[root@lb01 ~]# curl -H Host:bbs.etiantian.org 10.0.0.89/nana.html
bbs web03
4.2 Enterprise case two: have keepalived monitor the nginx reverse proxy service
4.2.1 When, and under what conditions, does the VIP move away?
1. When the server goes down
2. When the firewall blocks the heartbeat
nginx dying does not, by itself, move the VIP.
So how do we make keepalived monitor nginx, so that when nginx dies, keepalived dies with it?
4.2.2 First milestone: the condition keepalived uses to monitor nginx
4.2.2.1 If nginx dies, how do I know that it died?
1) By its port
2) By its process
ps -ef |grep nginx |grep -v grep |wc -l
4.2.2.2 Stopping keepalived
/etc/init.d/keepalived stop
4.2.3 Common shell numeric comparison operators
## >   -gt   greater than
## >=  -ge   greater than or equal
## <   -lt   less than
## <=  -le   less than or equal
## ==  -eq   equal
## !=  -ne   not equal
4.2.4 Second milestone: write the script for that condition
[root@lb01 scripts]# cat check_web.sh
#!/bin/bash
#name: check_web.sh
#desc: check nginx and kill keepalived
#ps -ef |grep nginx
#ps -ef |grep nginx|wc -l
# a running nginx shows at least two processes (master + worker); fewer means nginx is down
if [ `ps -ef |grep nginx |grep -v grep |wc -l` -lt 2 ];then
    /etc/init.d/keepalived stop    # stop keepalived so the VIP moves to the backup
fi
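The script above counts any process whose command line contains "nginx" and stops keepalived on the first miss. The variant below, added here as an example and not the tutorial's own check_web.sh, matches the exact process name, also checks the listening port, and stops keepalived only after a configurable number of consecutive failures; it assumes nginx listens on TCP 80 and the SysV init script used in the tutorial.

```shell
#!/bin/bash
# Added example, not the tutorial's check_web.sh: tests the nginx process AND the listening
# port, and stops keepalived only after THRESHOLD consecutive failures, so a reload or a
# brief restart does not trigger a needless failover.
# Assumptions: nginx listens on TCP 80; keepalived uses the SysV init script as in the tutorial.
PORT=80; STATE=/var/run/check_web.fails; THRESHOLD=3

nginx_procs() { pgrep -c -x nginx; }                     # exact process-name match, no grep|grep -v
port_open()   { ss -ltn 2>/dev/null | grep -q ":$1 "; }  # something is listening on TCP port $1

# healthy = at least master + one worker process, and the port is open
nginx_healthy() {
    [ "$(nginx_procs)" -ge 2 ] && port_open "$PORT"
}

# Decision kept separate from collection so it can be exercised offline.
# args: healthy(0/1) statefile threshold -> prints "stop" or "keep"
decide() {
    n=0; [ -f "$2" ] && n=$(cat "$2")
    if [ "$1" = 1 ]; then n=0; else n=$((n + 1)); fi   # reset on success, count failures
    echo "$n" >"$2"
    if [ "$n" -ge "$3" ]; then echo stop; else echo keep; fi
}

main() {
    if nginx_healthy; then h=1; else h=0; fi
    if [ "$(decide "$h" "$STATE" "$THRESHOLD")" = stop ]; then
        logger -t check_web "nginx failed $THRESHOLD checks in a row, stopping keepalived"
        /etc/init.d/keepalived stop
    fi
}

# Run for real only when installed as check_web.sh; under any other name it just defines the functions.
if [ "${0##*/}" = check_web.sh ]; then main; fi
```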
4.2.5 Third milestone: make the script executable
[root@lb02 conf]# chmod +x /server/scripts/check_web.sh
[root@lb02 conf]# ll /server/scripts/check_web.sh
-rwxr-xr-x 1 root root 174 Mar 30 17:47 /server/scripts/check_web.sh
4.2.6 Fourth milestone: test
[root@lb01 scripts]# /etc/init.d/keepalived status          # before nginx is stopped
keepalived (pid 37491) is running...                        # keepalived is running
[root@lb01 scripts]# /application/nginx/sbin/nginx -s stop  # stop nginx
[root@lb01 scripts]# /etc/init.d/keepalived status          # check the keepalived status
keepalived is stopped                                       # keepalived stopped along with nginx
4.2.7 Fifth milestone: add it to keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id lb01
}
vrrp_script check_web {
    script "/server/scripts/check_web.sh"   # assigns the script to the name check_web
    interval 2                              # interval, in seconds, between runs of the check script
    weight 2                                # combined with the priority to lower the master's priority so it becomes the backup (can be ignored for now)
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.88/24 dev eth0 label eth0:1
    }
}
vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    virtual_router_id 56
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.89/24 dev eth0 label eth0:1
    }
    track_script {
        check_web    # run the check script
    }
}
4.2.8 Sixth milestone: test
[root@lb01 scripts]# /etc/init.d/keepalived status          # before nginx is stopped
keepalived (pid 37491) is running...                        # keepalived is running
[root@lb01 scripts]# /application/nginx/sbin/nginx -s stop  # stop nginx
[root@lb01 scripts]# /etc/init.d/keepalived status          # check the keepalived status
keepalived is stopped                                       # keepalived stopped along with nginx
4.2.9 Enterprise case three: keepalived multi-instance configuration
4.2.9.1 First milestone: configure keepalived as dual master (lb01)
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        [email protected]
        [email protected]
        [email protected]
    }
    notification_email_from [email protected]
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lb01
}
vrrp_script check_web {
    script "/server/scripts/check_web.sh"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev eth0 label eth0:1
    }
}
vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    virtual_router_id 56
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.4/24 dev eth0 label eth0:1
    }
    track_script {
        check_web
    }
}
4.2.9.2 First milestone: configure keepalived as dual master (lb02)
cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        [email protected]
        [email protected]
        [email protected]
    }
    notification_email_from [email protected]
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lb02
}
vrrp_script check_web {
    script "/server/scripts/check_web.sh"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 55
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev eth0 label eth0:1
    }
}
vrrp_instance VI_2 {
    state MASTER
    interface eth0
    virtual_router_id 56
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.4/24 dev eth0 label eth0:1
    }
    track_script {
        check_web
    }
}
4.2.10 Second milestone: configure nginx load balancing
4.2.10.1 nginx.conf must be configured on both lb01 and lb02
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    upstream server_pools {
        server 10.0.0.7;
        server 10.0.0.8;
        server 10.0.0.9;
    }
    server {
        listen 10.0.0.3:80;    # requests for www.etiantian.org go to the first load balancer (VIP 10.0.0.3)
        server_name www.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        access_log logs/access_www.log main;
    }
    server {
        listen 10.0.0.4:80;    # requests for bbs.etiantian.org go to the second load balancer (VIP 10.0.0.4)
        server_name bbs.etiantian.org;
        location / {
            proxy_pass http://server_pools;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
        access_log logs/access_blog.log main;
    }
}
4.2.11 Third milestone: Windows hosts file resolution
10.0.0.3 www.etiantian.org
10.0.0.4 bbs.etiantian.org
4.2.12 Fourth milestone: test in a browser
4.2.12.1 www.etiantian.org test result
4.2.12.2 Packet capture notes
4.2.12.3 bbs.etiantian.org test result
4.2.12.4 Packet capture notes
Chapter 5 Problems and troubleshooting
5.1 Summary of problems:
1. Is the name resolving? (ping)
2. Browser cache
3. Service not restarted (graceful reload)
5.2 Troubleshooting procedure:
1: From the load balancer, curl every node (catches web server configuration problems)
2: curl the load balancer address to confirm that load balancing works
3: Bind the VIP in the Windows hosts file and test in a browser
5.3 keepalived split-brain explained
5.3.1 Split-brain can be simulated simply by turning on the firewall
/etc/init.d/iptables start
5.3.2 Causes of split-brain
1. The heartbeat link between the HA pair fails, so the two nodes cannot communicate:
   the heartbeat cable is broken (cut or aged)
   a NIC or its driver is faulty, or the IP configuration is wrong or conflicting (direct NIC-to-NIC link)
   a device on the heartbeat path is faulty (NIC or switch)
   the arbitration host fails (when an arbitration scheme is used)
2. The iptables firewall is enabled on an HA server and blocks the heartbeat traffic
3. The heartbeat NIC address or similar settings on an HA server are wrong, so the heartbeat fails
4. Other misconfiguration, such as different heartbeat methods, heartbeat broadcast conflicts, or software bugs
5.3.3 Ways to handle split-brain
1. Use both a serial cable and an Ethernet cable, i.e. two heartbeat links, so that if one fails the other still carries the heartbeat
2. When split-brain is detected, forcibly shut down one node (this needs special hardware support such as STONITH or fencing): when the backup no longer receives heartbeats, it sends a power-off command to the master over a separate path
3. Monitor and alert on split-brain (mail, WeChat, SMS, etc.) so that a person can arbitrate immediately and limit the damage
For example, Baidu's alerting distinguishes upstream and downstream SMS; alerts are sent to the administrators.
5.4 Monitor keepalived split-brain with a script
5.4.1 Write the monitoring script on lb02
5.4.1.1 Alert condition: the VIP is present on lb02 at all, which means either
1. lb01 is down
2. split-brain
5.4.2 The script:
#!/bin/bash
#desc: monitor whether the VIP is present on lb02
# count the lines of `ip addr show eth0` that contain the VIP; exactly one means the VIP is bound here
if [ `ip a s eth0 |grep -c "10.0.0.3"` -eq 1 ];then
    echo "baojing"    # "baojing" = alert: lb02 holds the VIP (lb01 down or split-brain)
fi
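The script above matches the substring "10.0.0.3" anywhere in the `ip addr` output and cannot tell a legitimate failover from split-brain. The monitor below, added here as an example and not part of the original tutorial, matches the VIP exactly and also checks whether lb01 still answers, which is the distinguishing sign of split-brain; it assumes the tutorial's addresses (VIP 10.0.0.3 on eth0, lb01 at 10.0.0.5) and uses constructed `ip addr` output for the offline demonstration.

```shell
#!/bin/bash
# Added example, not the tutorial's script: split-brain monitor for lb02.
# Assumptions: VIP 10.0.0.3 on eth0, lb01 (the master) at 10.0.0.5, as in the tutorial.
VIP=10.0.0.3; MASTER_IP=10.0.0.5; IFACE=eth0

# exact match on "inet 10.0.0.3/" so 10.0.0.30 or 10.0.0.31 on the same NIC never count
vip_present() {   # arg: text of `ip addr show $IFACE`
    printf '%s\n' "$1" | grep -qF "inet ${VIP}/"
}

# Classify the situation. args: ip-addr-text master_reachable(0/1)
classify() {
    if vip_present "$1"; then
        if [ "$2" = 1 ]; then
            echo SPLIT_BRAIN   # VIP here while lb01 still answers: both nodes think they are master
        else
            echo FAILOVER      # VIP here and lb01 silent: normal takeover, still worth a notice
        fi
    else
        echo NORMAL
    fi
}

# Live collection, used when the script runs on lb02 (not exercised by the offline demo below).
live_check() {
    text=$(ip addr show "$IFACE")
    if ping -c 1 -W 1 "$MASTER_IP" >/dev/null 2>&1; then up=1; else up=0; fi
    classify "$text" "$up"
}

# Constructed sample output of `ip addr show eth0` on lb02, with and without the VIP.
SAMPLE_WITH_VIP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.0.0.6/24 brd 10.0.0.255 scope global eth0
    inet 10.0.0.3/24 scope global secondary eth0:1'
SAMPLE_NO_VIP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.0.0.6/24 brd 10.0.0.255 scope global eth0'
SAMPLE_LOOKALIKE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.0.0.30/24 brd 10.0.0.255 scope global eth0'   # would fool a plain grep for "10.0.0.3"

classify "$SAMPLE_WITH_VIP" 1    # SPLIT_BRAIN
classify "$SAMPLE_WITH_VIP" 0    # FAILOVER
classify "$SAMPLE_NO_VIP" 1      # NORMAL
classify "$SAMPLE_LOOKALIKE" 1   # NORMAL
```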
5.5 Getting the keepalived feature documentation
man keepalived.conf
Chapter 6 Sending keepalived logs to a dedicated file
6.1 Edit /etc/sysconfig/keepalived
Change KEEPALIVED_OPTIONS="-D" to KEEPALIVED_OPTIONS="-D -d -S 0" (-S 0 selects syslog facility local0, which is what the rsyslog rule in 6.3 matches)
6.2 Restart the keepalived service
/etc/init.d/keepalived restart
6.3 Finally, configure /etc/rsyslog.conf
6.3.1 Append the following line at the end of the file
local0.*    /var/log/keepalived.log
6.4 Rotating the keepalived log
[root@lb02 scripts]# cat keepalived.sh
#!/bin/bash
# rotate the keepalived log: rename today's file, then restart rsyslog so it opens a fresh log file
mv /var/log/keepalived.log /var/log/keepalived.log_$(date +%F)
/etc/init.d/rsyslog restart
/etc/init.d/keepalived reload