Centos7.4安装配置haproxy和Keepalived补充内容

补充比较杂

1、当master服务恢复正常之后,backup机器收到消息,然后让出vip

下面是master机器服务恢复正常后,backup机器的Keepalived日志

收到master的消息通知,对方优先级是150,自己的是100,然后进入backup状态,移除vip

Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63
Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63
Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63
Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Received advert with higher priority 150, ours 100
Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Entering BACKUP STATE
Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) removing protocol VIPs.

  

2、启动Keepalived服务,可以看到3个进程

[root@data-1-1 ~]# ps -ef |grep keep
root      6592     1  0 Apr12 ?        00:00:01 /application/keepalived-1.3.5/sbin/keepalived -D -d -S 0
root      6593  6592  0 Apr12 ?        00:00:01 /application/keepalived-1.3.5/sbin/keepalived -D -d -S 0
root      6594  6592  0 Apr12 ?        00:00:13 /application/keepalived-1.3.5/sbin/keepalived -D -d -S 0
root      6664  6020  0 Apr12 pts/2    00:00:01 tail -F /var/log/keepalived.log
root     19467  5979  0 10:45 pts/1    00:00:00 grep --colour=auto keep
[root@data-1-1 ~]# 

  

3、cat追加内容和覆盖内容,以及内容含有$变量符号的处理方式

转自http://www.361way.com/cat-eof-cover-append/4298.html

(1)覆盖

方式1

#!/bin/bash
cat << EOF > /root/test.txt
Hello!
My site is www.361way.com
My site is www.91it.org
Test for cat and EOF!
EOF  

方式2

我喜欢这种

#!/bin/bash
cat > /root/test.txt < 
   

  

(2)追加

覆盖的写法基本和追加一样,不同的是单重定向号变成双重定向号

方式1

#!/bin/bash
cat << EOF >> /root/test.txt
Hello!
My site is www.361way.com
My site is www.91it.org
Test for cat and EOF!
EOF

 

方式2

#!/bin/bash
cat >> /root/test.txt < 
   

  

需要注意的是,不论是覆盖还是追加,在涉及到变量操作时是需要进行转义的,例如: 

#!/bin/bash
cat <> /root/a.txt
PATH=\$PATH:\$HOME/bin
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=\$ORACLE_BASE/10.2.0/db_1
export ORACLE_SID=yqpt
export PATH=\$PATH:\$ORACLE_HOME/bin
export NLS_LANG="AMERICAN_AMERICA.AL32UTF8"
EOF

  

 

4、正常安装之后的Keepalived服务启动日志

可以看到启动读取的配置文件和根据配置文件打印的详细信息

有些配置不在配置文件中写,它会自动按照默认配置补充上去

配置文件是单播的启动日志

下面可以看到已经涉及单播了   VRRP check unicast_src = false

vrrp_check_unicast_src:在单播模式中,开启对VRRP数据包的源地址做检查,源地址必须是单播邻居之一

Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6453]: Stopped
Apr 12 16:27:12 data-1-2 Keepalived[6451]: Stopped Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Apr 12 16:27:12 data-1-2 Keepalived[6602]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Apr 12 16:27:12 data-1-2 Keepalived[6602]: Unable to resolve default script username 'keepalived_script' - ignoring
Apr 12 16:27:12 data-1-2 Keepalived[6602]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 12 16:27:12 data-1-2 Keepalived[6603]: Starting Healthcheck child process, pid=6604
Apr 12 16:27:12 data-1-2 Keepalived_healthcheckers[6604]: Initializing ipvs
Apr 12 16:27:12 data-1-2 Keepalived[6603]: Starting VRRP child process, pid=6605
Apr 12 16:27:12 data-1-2 Keepalived_healthcheckers[6604]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Registering Kernel netlink reflector
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Registering Kernel netlink command channel
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Registering gratuitous ARP shared channel
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Instance(VI_1) removing protocol VIPs.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: WARNING - script `killall` resolved by path search to `/usr/bin/killall`. Please specify full path.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< Global definitions >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Router ID = Haproxy_2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp server = 127.0.0.1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp server port = 25
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp HELO name = data-1-2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp server connection timeout = 3
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Email notification from = [email protected]
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Email notification = [email protected]
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Default interface = eth0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: LVS flush = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP IPv4 mcast group = 224.0.0.18
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP IPv6 mcast group = ff02::12
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP refresh timer = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP refresh repeat = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP lower priority delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP lower priority repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Send advert after receive lower priority advert = true
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Send advert after receive higher priority advert = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP interval = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous NA interval = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP default protocol version = 2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Iptables input chain = INPUT
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP check unicast_src = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP skip check advert addresses = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP strict mode = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP process priority = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP don't swap = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Checker process priority = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Checker don't swap = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Network namespace = (default)
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Script security disabled
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Default script uid:gid 0:0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< VRRP Topology >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP Instance = VI_1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Using VRRPv2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Want State = BACKUP
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Running on device = eth0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Skip checking advert IP addresses = no
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Enforcing strict VRRP compliance = no
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Using src_ip = 10.0.1.62
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Gratuitous ARP delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Gratuitous ARP repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Gratuitous ARP refresh timer = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Gratuitous ARP refresh repeat = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Gratuitous ARP lower priority delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Gratuitous ARP lower priority repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Send advert after receive lower priority advert = true
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Send advert after receive higher priority advert = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Virtual Router ID = 80
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Priority = 100
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Advert interval = 5 sec
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Accept enabled
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Promote_secondaries disabled
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Authentication type = SIMPLE_PASSWORD
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Password = ha_keep
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Tracked scripts = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:     chk_haproxy weight 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Unicast Peer = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:     10.0.1.61
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Virtual IP = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:     10.0.1.63/24 dev eth0 scope global
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< VRRP Scripts >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP Script = chk_haproxy
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Command = /usr/bin/killall -0 haproxy
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Interval = 3 sec
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Timeout = 0 sec
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Weight = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Rise = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Fall = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Insecure = no
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]:   Status = INIT
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< NIC >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Name = eth0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: index = 2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: IPv4 address = 10.0.1.62
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: IPv6 address = ::
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: MAC = 00:50:56:9d:50:d7
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: is UP
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: is RUNNING
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: MTU = 1500
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: HW Type = ETHERNET
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Using LinkWatch kernel netlink reflector...
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Instance(VI_1) Entering BACKUP STATE
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP sockpool: [ifindex(2), proto(112), unicast(1), fd(10,11)]
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Script(chk_haproxy) succeeded
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: ------< Global definitions >------
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Router ID = Haproxy_2
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp server = 127.0.0.1
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp server port = 25
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp HELO name = data-1-2
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp server connection timeout = 3
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Email notification from = [email protected]
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Email notification = [email protected]
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Default interface = eth0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: LVS flush = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP IPv4 mcast group = 224.0.0.18
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP IPv6 mcast group = ff02::12
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP delay = 5
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP repeat = 5
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP refresh timer = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP refresh repeat = 1
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP lower priority delay = 4294
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP lower priority repeat = -1
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Send advert after receive lower priority advert = true
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Send advert after receive higher priority advert = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP interval = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous NA interval = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP default protocol version = 2
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Iptables input chain = INPUT
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP check unicast_src = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP skip check advert addresses = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP strict mode = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP process priority = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP don't swap = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Checker process priority = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Checker don't swap = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Network namespace = (default)
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Script security disabled
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Default script uid:gid 0:0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: ------< SSL definitions >------
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Using autogen SSL context

  

5、配置单播和组播通信区别

配置两个节点之间为单播方式,backup收到的数据包是下面形式

[root@data-1-2 keepalived]# tcpdump -vvv  -i any host 10.0.1.61
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:11:21.084843 IP (tos 0xc0, ttl 255, id 3, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > data-1-2: vrrp 10.0.1.61 > data-1-2: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:11:26.085600 IP (tos 0xc0, ttl 255, id 4, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > data-1-2: vrrp 10.0.1.61 > data-1-2: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:11:31.086772 IP (tos 0xc0, ttl 255, id 5, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > data-1-2: vrrp 10.0.1.61 > data-1-2: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@data-1-2 keepalived]# 

  

配置两个节点为组播,backup机器收到的数据包是下面形式

可以看到是vrrp.mcast.net

[root@data-1-2 keepalived]# tcpdump -vvv  -i any host 10.0.1.61
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:08:15.571761 IP (tos 0xc0, ttl 255, id 1455, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > vrrp.mcast.net: vrrp 10.0.1.61 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:08:20.572496 IP (tos 0xc0, ttl 255, id 1456, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > vrrp.mcast.net: vrrp 10.0.1.61 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:08:25.573351 IP (tos 0xc0, ttl 255, id 1457, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > vrrp.mcast.net: vrrp 10.0.1.61 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@data-1-2 keepalived]# 

  

 

6、查看Keepalived编译参数

大部分用不到

[root@data-1-1 tools]# tar xfz keepalived-1.3.5.tar.gz 
[root@data-1-1 tools]# cd keepalived-1.3.5
[root@data-1-1 keepalived-1.3.5]# ./configure --help
`configure' configures Keepalived 1.3.5 to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/keepalived]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-silent-rules   less verbose build output (undo: "make V=1")
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --disable-lvs-syncd     do not use LVS synchronization daemon
  --disable-lvs           do not use the LVS framework
  --disable-lvs-64bit-stats
                          do not use the LVS 64-bit stats
  --disable-vrrp          do not use the VRRP framework
  --disable-fwmark        compile without SO_MARK support
  --enable-snmp           compile with SNMP support
  --enable-snmp-vrrp      compile with SNMP vrrp support
  --enable-snmp-keepalived
                          obsolete - use --enable-snmp-vrrp
  --enable-snmp-checker   compile with SNMP checker support
  --enable-snmp-rfc       compile with SNMP RFC2787 (VRRPv2) and SNMP RFC6527
                          (VRRPv3) support
  --enable-snmp-rfcv2     compile with SNMP RFC2787 (VRRPv2) support
  --enable-snmp-rfcv3     compile with SNMP RFC6257 (VRRPv3) support
  --disable-snmp-reply-v3-for-v2
                          disable RFC6257 responses for VRRPv2 instances
  --enable-dbus           compile with dbus support
  --enable-dbus-create-instance
                          compile with dbus support for creating instances
  --enable-sha1           compile with SHA1 support
  --disable-vrrp-auth     compile without VRRP authentication
  --disable-routes        compile without ip rules/routes
  --enable-dynamic-linking
                          compile with/without dynamically linked
                          libiptc/libipset
  --enable-libiptc-dynamic
                          compile with libiptc dynamically linked
  --disable-libipset-dynamic
                          compile with libipset statically linked
  --enable-libxtables-dynamic
                          compile with libxtables dynamically linked
  --enable-libnl-dynamic  compile with libnl dynamically linked
  --disable-libiptc       compile without libiptc
  --disable-libipset      compile without libipset
  --disable-libnl         compile without libnl
  --enable-mem-check      compile with memory alloc checking
  --enable-mem-check-log  compile with memory alloc checking wriging to syslog
  --enable-debug          compile with debugging flags
  --enable-stacktrace     compile with stacktrace support
  --enable-profile        compile with profiling flags
  --enable-conversion-checks
                          compile with conversion warnings if sensible
  --enable-force-conversion-checks
                          compile with conversion warnings
  --enable-Werror         compile with warnings being errors
  --enable-dependency-tracking
                          do not reject slow dependency extractors
  --disable-dependency-tracking
                          speeds up one-time build

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-kernel-dir=DIR   path to linux kernel source directory
  --with-init=(upstart|systemd|SYSV|SUSE|openrc)
                          specify init type
  --with-systemdsystemunitdir=DIR
                          Directory for systemd service files

Some influential environment variables:
  PKG_CONFIG  path to pkg-config utility
  PKG_CONFIG_PATH
              directories to add to pkg-config's search path
  PKG_CONFIG_LIBDIR
              path overriding pkg-config's built-in search path
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L if you have libraries in a
              nonstandard directory 
  LIBS        libraries to pass to the linker, e.g. -l
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I if
              you have headers in a nonstandard directory 
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to .
Keepalived home page: .
[root@data-1-1 keepalived-1.3.5]# 

  

 

7、Keepalived修改日志文件输出路径

keepalived默认输出的日志在/var/log/messages

这里修改,让它输出到/var/log/keepalived.log

编译安装的1.3.5版本
看到启动脚本默认读取的是/application/keepalived-1.3.5/etc/sysconfig/keepalived这个文件
但是别的一些默认读取的是/etc/sysconfig/keepalived
都改了
最下面添加一行
-S指定一个syslog设备接收,0表示local0设备
-D是详细日志
-d是dump配置文件内容到日志中

sed -i s#'KEEPALIVED_OPTIONS="-D"'#'KEEPALIVED_OPTIONS="-D -d -S 0"'#g  /etc/sysconfig/keepalived
/bin/cp  /application/keepalived/etc/sysconfig/keepalived /etc/sysconfig/

  

配置完毕后需要在syslog.conf文件里添加一行,如下
上面配置文件表示syslog让local0接收,local0接收后往后面的/var/log/keepalived.log里面接收
.* 表示所有状态都打

cat >> /etc/rsyslog.conf << EOF
#keepalived
local0.*         /var/log/keepalived.log
EOF


[root@data-1-1 keepalived]# tail -2 /etc/rsyslog.conf 
#keepalived
local0.*         /var/log/keepalived.log
[root@data-1-1 keepalived]# 

  

重启rsyslog服务

[root@data-1-1 keepalived]# systemctl restart rsyslog
[root@data-1-1 keepalived]# 

 

8、安装一些工具

安装tcpdump,它是个抓包工具,有时候会用到
安装psmisc包,安装之后多了 fuser, killall,pstree等命令,Keepalived的配置文件中健康检查能用到它

yum install tcpdump -y
yum install psmisc -y

  

 

9、为同一个虚拟IP服务的实例,虚拟路由id必须一致

同一集群的keepalived的主、备机的virtual_router_id 必须相同,取值0-255
但是同一内网中不应有相同virtual_router_id的集群

 

10、多实例的Keepalived配置文件参考

这样两个机器都在工作,不至于类似单实例有资源浪费的情况

 

机器1的Keepalived配置

VI_1是master,VI_2是backup

! Configuration File for keepalived

global_defs {
   notification_email {
   [email protected]
   }
   notification_email_from [email protected]
   smtp_server 10.0.0.1
   smtp_connect_timeout 30
   router_id LVS_1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.136/24
        10.0.0.137/24
        10.0.0.138/24
    }
}

vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.140/24
        10.0.0.141/24
    }
}

  

 

机器2的Keepalived配置

VI_1是backup,VI_2是master

! Configuration File for keepalived

global_defs {
   notification_email {
   [email protected]
   }
   notification_email_from [email protected]
   smtp_server 10.0.0.1
   smtp_connect_timeout 30
   router_id LVS_2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.136/24
        10.0.0.137/24
        10.0.0.138/24
    }
}

vrrp_instance VI_2 {
    state MASTER
    interface eth0
    virtual_router_id 52
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.140/24
        10.0.0.141/24
    }
}

  

 

 11、编译Keepalived中出现如下warning不用理会

系统出现警告信息“*** WARNING - this build will not support IPVS with IPv6. Please install libnl/libnl-3 dev libraries to support IPv6 with IPVS.”,具体日志如下

 

Keepalived configuration
------------------------
Keepalived version       : 1.3.5
Compiler                 : gcc
Preprocessor flags       : 
Compiler flags           : -Wall -Wunused -Wstrict-prototypes -Wextra -g -O2
Linker flags             : 
Extra Lib                :  -lcrypto  -lssl 
Use IPVS Framework       : Yes
IPVS use libnl           : No
IPVS syncd attributes    : No
IPVS 64 bit stats        : No
fwmark socket support    : Yes
Use VRRP Framework       : Yes
Use VRRP VMAC            : Yes
Use VRRP authentication  : Yes
With ip rules/routes     : Yes
SNMP vrrp support        : No
SNMP checker support     : No
SNMP RFCv2 support       : No
SNMP RFCv3 support       : No
DBUS support             : No
SHA1 support             : No
Use Debug flags          : No
Stacktrace support       : No
Memory alloc check       : No
libnl version            : None
Use IPv4 devconf         : No
Use libiptc              : No
Use libipset             : No
init type                : upstart
Build genhash            : Yes
Build documentation      : No

*** WARNING - this build will not support IPVS with IPv6. Please install libnl/libnl-3 dev libraries to support IPv6 with IPVS.

 

很多人通过安装下面依赖解决它,我觉得没必要,因为压根用不到ipv6的东西

解决方案一:(在线安装)
执行yum命令yum -y install libnl libnl-devel解决上述警告问题
执行yum命令yum install -y libnfnetlink-devel解决上述错误问题

 

 

 12、阿里云下载镜像得路径注意下,是isos

https://mirrors.aliyun.com/centos/7.4.1708/isos/x86_64/

 Centos7.4安装配置haproxy和Keepalived补充内容_第1张图片

 

 13、Keepalived中配置文件也可以自定义监控脚本

#自定义监控脚本
vrrp_script chk_haproxy {
        script "/etc/keepalived/check_haproxy.sh"
        interval 5
        weight 2
}

  

14、Keepalived和haproxy配置文件详解

来自下面链接

https://blog.csdn.net/HzSunshine/article/details/61673572

简单参考下

! Configuration File for keepalived
global_defs {
   #设置报警通知邮件地址,可以设置多个
   notification_email {      
    [email protected]
   } 
   #设置邮件的发送地址  
   notification_email_from [email protected]  
   #设置smtp server的地址,该地址必须是存在的
   smtp_server 127.0.0.1  
   #设置连接smtp server的超时时间      
   smtp_connect_timeout 30  
   #运行Keepalived服务器的标识,发邮件时显示在邮件标题中的信息    
   router_id HAProxy_msun          
}
# 检测haproxy脚本
vrrp_script chk_haproxy {
    script "/etc/keepalived/check_haproxy.sh"
    interval 2
    #下面方法相对更优
    #script "killall -0 haproxy"  #killall (安装 yum install psmisc -y)
    #interval 2
    #weghit 2 #权值脚本成功时(0)等于priority+weghit #否则为priority
}
#定义VRRP实例,实例名自定义
vrrp_instance haproxy_msun {
    #指定Keepalived的角色,MASTER为主服务器,BACKUP为备用服务器        
    state MASTER #从设置为BACKUP
    #指定HA监测的接口               
    interface eno16777736 
    #虚拟路由标识,这个标识是一个数字(1-255),在一个VRRP实例中主备服务器ID必须一样      
    virtual_router_id 68  
    #优先级,数字越大优先级越高,在一个实例中主服务>器优先级要高于备服务器    
    priority 100 #从设置为99
    #设置主备之间同步检查的时间间隔单位秒               
    advert_int 1  
    #设置验证类型和密码              
    authentication { 
        #验证类型有两种{PASS|HA}           
        auth_type PASS  
        #设置验证密码,在一个实例中主备密码保持一样        
        auth_pass 1689         
    }
    track_script {
        chk_haproxy  # 执行监控的服务
    }   
    #定义虚拟IP地址,可以有多个,每行一个
    virtual_ipaddress {        
    192.168.1.160
    }   
}

  

 

 haproxy配置文件详解1

简单参考下

global
    #全区日志配置 使用rsyslog的local3设备
    log         127.0.0.1 local3 info
    #工作目录(安全)
    chroot      /var/lib/haproxy
    #pid文件存储目录
    pidfile     /var/run/haproxy.pid
    #后台进程数量
    nbproc 1
    #每个进程最大并发数
    maxconn     40000
    user        haproxy
    group       haproxy
    #后台程序模式工作
    daemon

defaults
    mode                    http
    #后端连接重试次数,超出标识不可用
    retries                 3   
    #连接服务器最长等待时间
    timeout connect         10s 
    #客户端发送请求最长等待时间 
    timeout client          30s 
    #服务器会复客户端最长等待时间 
    timeout server          30s 
    #对后端服务器的检测超时时间
    timeout check           10s 

#定义HAProxy监控页面
listen admin_stats 
    bind 0.0.0.0:9188
    mode http
    log 127.0.0.1 local3 err 
    #HAProxy监控页面统计自动刷新时间。
    stats refresh 30s 
    #设置监控页面URL路径。 http://IP:9188/haproxy-status可查看
    stats uri /haproxy-status
    #统计页面密码框提示信息
    stats realm welcome login\ Haproxy
    #登录统计页面用户和密码
    stats auth admin:123456
    #隐藏HAProxy版本信息
    stats hide-version
    #设置TURE后可在监控页面手工启动关闭后端真实服务器
    stats admin if TRUE

#定义前端虚拟节点
frontend www
    #监听端口
    bind *:80
    mode http
    #启用日志记录HTTP请求。
    option httplog
    #启用后后端服务器可以获得客户端IP
    option forwardfor
    #客户端和服务器完成一次连接请求后,HAProxy主动关闭TCP链接(优化选项)
    option httpclose
    #使用全局日志配置
    log global
    #指定后端服务池(backend定义htmpool)
    default_backend htmpool

#定义后端真实服务器
backend htmpool
    mode http
    #用于cookie保持环境。(如后端服务器故障,客户端cookie不会刷新,用此来把用户请求强制定向到正常服务器)
    option redispatch
    #负载均衡很高时,自动结束当前队列处理时间长的连接
    option abortonclose
    #负载均衡算法
    balance roundrobin
    #允许向cookie插入SERVERID.下面server可以使用cookie定义
    cookie SERVERID
    #启用HTTP服务状态检测功能 (后端服务器一定要存在此文件,不然haproxy认为其故障)
    option httpchk GET /index.html
    #后端服务设置
    server web1 192.168.1.186:80 cookie server1 weight 6 check inter 2000 rise 2 fall 3
    server web2 192.168.1.188:80 cookie server2 weight 6 check inter 2000 rise 2 fall 3

  

 haproxy配置文件参考2

来自http://blog.chinaunix.net/uid-25266990-id-3989321.html

这里主要看下acl规则

#vim /etc/haproxy/haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
    log 127.0.0.1   local0  #日志输出配置,所有日志都记录在本机,通过local0输出
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096                #最大连接数
    chroot /usr/share/haproxy   #改变当前工作目录。
    uid 99                  #所属用户的uid
    gid 99                  #所属运行的gid
    daemon                  #以后台形式运行haproxy
    #debug
    #quiet
 
defaults
    log global
    mode    http
  #默认的模式mode { tcp|http|health },tcp是4层,http是7层,health只会返回OK
    option  httplog
    option  dontlognull
    option   redispatch
  #当serverId对应的服务器挂掉后,强制定向到其他健康的服务器
    option  abortonclose
  #当服务器负载很高的时候,自动结束掉当前队列处理比较久的链接
    retries 3               #两次连接失败就认为是服务器不可用
    maxconn 2000            #默认的最大连接数
  #timeout http-keep-alive 10s
  # timeout queue 1m
    contimeout  5000        #连接超时
    clitimeout  50000       #客户端超时
    srvtimeout  50000       #服务器超时
    timeout check 5s            #心跳检测超时
    stats refresh 30s           #统计页面自动刷新时间
    stats uri  /stats           #统计页面url
    stats realm baison-test-Haproxy         #统计页面密码框上提示文本
    stats auth admin:admin123           #统计页面用户名和密码设置
    stats hide-version                  #隐藏统计页面上HAProxy的版本信息
frontend www
    bind *:80
    #这里建议使用bind *:80的方式,要不然做集群高可用的时候有问题,vip切换到其他机器就不能访问了。
    acl web hdr(host) -i www.zhirs.com
    #acl后面是规则名称,-i是要访问的域名,如果访问www.zhirs.com这个域名就分发到下面的webserver 的作用域。
    acl img hdr(host) -i img.zhirs.com
    #如果访问img.baison.com.cn就分发到imgserver这个作用域。
    use_backend webserver if web
    use_backend imgserver if img
 
backend webserver             #webserver作用域
    mode http
    balance   roundrobin      
    #banlance roundrobin 轮询,balance source 保存session值,支持static-rr,leastconn,first,uri等参数
    option  httpchk /index.html
    #检测文件,如果分发到后台index.html访问不到就不再分发给它
    server     web01 192.168.137.201:80  check inter 2000 fall 3 weight 30
   server     web01 192.168.137.202:80  check inter 2000 fall 3 weight 20
   server     web01 192.168.137.203:80  check inter 2000 fall 3 weight 10
 
backend imgserver
    mode http
    option  httpchk /index.php
    balance     roundrobin                          
    server      img01 192.168.137.101:80  check inter 2000 fall 3
    server      img02 192.168.137.102:80  check inter 2000 fall 3

  

haproxy参考配置3

来自

https://blog.csdn.net/sj349781478/article/details/78862315

 

global
  log 127.0.0.1 local0 #[日志输出配置,所有日志都记录在本机,通过local0输出]
  log 127.0.0.1 local1 notice #定义haproxy 日志级别[error warringinfo debug]
  daemon #以后台形式运行harpoxy
  nbproc 1 #设置进程数量
  maxconn 4096 #默认最大连接数,需考虑ulimit-n限制
  #user haproxy #运行haproxy的用户
  #group haproxy #运行haproxy的用户所在的组
  #pidfile /var/run/haproxy.pid #haproxy 进程PID文件
  #ulimit-n 819200 #ulimit 的数量限制
  #chroot /usr/share/haproxy #chroot运行路径
  #debug #haproxy 调试级别,建议只在开启单进程的时候调试
  #quiet

########默认配置############
defaults
  log global
  mode http #默认的模式mode { tcp|http|health },tcp是4层,http是7层,health只会返回OK
  option httplog #日志类别,采用httplog
  option dontlognull #不记录健康检查日志信息
  retries 2 #两次连接失败就认为是服务器不可用,也可以通过后面设置
  #option forwardfor #如果后端服务器需要获得客户端真实ip需要配置的参数,可以从Http Header中获得客户端ip
  option httpclose #每次请求完毕后主动关闭http通道,haproxy不支持keep-alive,只能模拟这种模式的实现
  #option redispatch #当serverId对应的服务器挂掉后,强制定向到其他健康的服务器,以后将不支持
  option abortonclose #当服务器负载很高的时候,自动结束掉当前队列处理比较久的链接
  maxconn 4096 #默认的最大连接数
  timeout connect 5000ms #连接超时
  timeout client 30000ms #客户端超时
  timeout server 30000ms #服务器超时
  #timeout check 2000 #心跳检测超时
  #timeout http-keep-alive10s #默认持久连接超时时间
  #timeout http-request 10s #默认http请求超时时间
  #timeout queue 1m #默认队列超时时间
  balance roundrobin #设置默认负载均衡方式,轮询方式
  #balance source #设置默认负载均衡方式,类似于nginx的ip_hash
  #balnace leastconn #设置默认负载均衡方式,最小连接数

########统计页面配置########
listen stats
  bind 0.0.0.0:1080 #设置Frontend和Backend的组合体,监控组的名称,按需要自定义名称
  mode http #http的7层模式
  option httplog #采用http日志格式
  #log 127.0.0.1 local0 err #错误日志记录
  maxconn 10 #默认的最大连接数
  stats refresh 30s #统计页面自动刷新时间
  stats uri /stats #统计页面url
  stats realm XingCloud\ Haproxy #统计页面密码框上提示文本
  stats auth admin:admin #设置监控页面的用户和密码:admin,可以设置多个用户名
  stats auth Frank:Frank #设置监控页面的用户和密码:Frank
  stats hide-version #隐藏统计页面上HAProxy的版本信息
  stats admin if TRUE #设置手工启动/禁用,后端服务器(haproxy-1.4.9以后版本)

########设置haproxy 错误页面#####
#errorfile 403 /home/haproxy/haproxy/errorfiles/403.http
#errorfile 500 /home/haproxy/haproxy/errorfiles/500.http
#errorfile 502 /home/haproxy/haproxy/errorfiles/502.http
#errorfile 503 /home/haproxy/haproxy/errorfiles/503.http
#errorfile 504 /home/haproxy/haproxy/errorfiles/504.http

########frontend前端配置##############
frontend main
  bind *:80 #这里建议使用bind *:80的方式,要不然做集群高可用的时候有问题,vip切换到其他机器就不能访问了。
  acl web hdr(host) -i www.abc.com  #acl后面是规则名称,-i为忽略大小写,后面跟的是要访问的域名,如果访问www.abc.com这个域名,就触发web规则,。
  acl img hdr(host) -i img.abc.com  #如果访问img.abc.com这个域名,就触发img规则。
  use_backend webserver if web   #如果上面定义的web规则被触发,即访问www.abc.com,就将请求分发到webserver这个作用域。
  use_backend imgserver if img   #如果上面定义的img规则被触发,即访问img.abc.com,就将请求分发到imgserver这个作用域。
  default_backend dynamic #不满足则响应backend的默认页面

########backend后端配置##############
backend webserver #webserver作用域
  mode http
  balance roundrobin #balance roundrobin 负载轮询,balance source 保存session值,支持static-rr,leastconn,first,uri等参数
  option httpchk /index.html HTTP/1.0 #健康检查, 检测文件,如果分发到后台index.html访问不到就不再分发给它
  server web1 10.16.0.9:8085 cookie 1 weight 5 check inter 2000 rise 2 fall 3
  server web2 10.16.0.10:8085 cookie 2 weight 3 check inter 2000 rise 2 fall 3
  #cookie 1表示serverid为1,check inter 1500 是检测心跳频率 
  #rise 2是2次正确认为服务器可用,fall 3是3次失败认为服务器不可用,weight代表权重

backend imgserver
  mode http
  option httpchk /index.php
  balance roundrobin 
  server img01 192.168.137.101:80 check inter 2000 fall 3
  server img02 192.168.137.102:80 check inter 2000 fall 3

backend dynamic 
  balance roundrobin 
  server test1 192.168.1.23:80 check maxconn 2000 
  server test2 192.168.1.24:80 check maxconn 2000


listen tcptest 
  bind 0.0.0.0:5222 
  mode tcp 
  option tcplog #采用tcp日志格式 
  balance source 
  #log 127.0.0.1 local0 debug 
  server s1 192.168.100.204:7222 weight 1 
  server s2 192.168.100.208:7222 weight 1

  

 

 

 

 

 

 

 15、如果两台Keepalived机器必须开启防火墙的话

假设这里不使用firewalld,使用的是iptables

需要添加源地址信任。不然无法收到心跳报文

master机器添加backup机器的信任

[root@data-1-1 ~]# iptables -I INPUT -s 10.0.1.62 -j ACCEPT
[root@data-1-1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.0.1.62            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@data-1-1 ~]# 

  

 backup机器添加下来自master机器的信任

[root@data-1-2 ~]# iptables -I INPUT -s 10.0.1.61 -j ACCEPT
[root@data-1-2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.0.1.61            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@data-1-2 ~]# 

  

 

 

 16、模拟裂脑

假如backup机器防火墙设置不当,没允许master的报文。它收不到master的心跳报文,就认为master机器服务down机或者Keepalived服务死掉了

它会自动添加vip,可以看到最后10.0.1.63这个vip自动配置上了。这样就出现裂脑了

[root@data-1-2 ~]# iptables -L -n -t filter --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:18181
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8181
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     all  --  10.0.1.61            0.0.0.0/0           
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
[root@data-1-2 ~]# iptables -D INPUT 4
[root@data-1-2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:18181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@data-1-2 ~]# ip ad
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]# ip ad
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.1.63/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]# 

  

 而此时master机器也没释放资源

[root@data-1-1 ~]# ip ad
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:0b:ee brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.61/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.1.63/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@data-1-1 ~]# 

  

 修复规则,放行来自master机器的数据包,裂脑情况消失

[root@data-1-2 ~]# ip ad
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.1.63/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]# iptables -I INPUT -s 10.0.1.61 -j ACCEPT
[root@data-1-2 ~]# ip ad
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]# 

  

 下面是一些常用的添加防火墙规则的命令

iptables  -I INPUT  -p tcp   --dport 22  -j ACCEPT
iptables  -I INPUT  -p tcp   --dport 8181  -j ACCEPT
iptables  -I INPUT  -p tcp   --dport 18181  -j ACCEPT
iptables  -A INPUT  -j DROP

  

 

转载于:https://www.cnblogs.com/nmap/p/8819002.html

你可能感兴趣的:(Centos7.4安装配置haproxy和Keepalived补充内容)