keepalived高可用
keepalived高可用
-
- 1.keepalived实现httpd负载均衡机高可用
-
- 1.1 安装keepalived
- 1.2 主备服务器上安装httpd
- 1.3 keepalived配置
-
- 1.3.1 配置主服务器keepalived
- 1.3.2 配置备服务器keepalived
- 1.3.3 查看VIP
- 1.3.4 测试
- 1.4 keepalived通过脚本监控httpd负载均衡机
- 1.5 配置keepalived加入监控脚本
- 1.6 验证
- 2.脑裂
-
- 2.1 脑裂产生的原因
- 2.2 脑裂的常见解决方案
- 2.3 对脑裂进行监控
1.keepalived实现httpd负载均衡机高可用
1.1 安装keepalived
主服务器配置
//关闭防火墙和selinux
[root@master ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@master ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@master ~]# setenforce 0
//安装keepalived
[root@master ~]# yum -y install keepalived
[root@master ~]# rpm -ql keepalived
/etc/keepalived
/etc/keepalived/keepalived.conf //配置文件
/etc/sysconfig/keepalived
/usr/bin/genhash
/usr/lib/systemd/system/keepalived.service //服务控制文件
/usr/libexec/keepalived
/usr/sbin/keepalived
备服务器配置
//关闭防火墙和selinux
[root@slave ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@slave ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@slave ~]# setenforce 0
//安装keepalived
[root@slave ~]# yum -y install keepalived
1.2 主备服务器上安装httpd
主服务器
//安装httpd,创建测试页面
[root@master ~]# yum -y install httpd
[root@master ~]# echo 'master' > /var/www/html/index.html
[root@master ~]# systemctl start httpd
[root@master ~]# ss -anltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
备服务器
//安装httpd,创建测试页面
[root@slave ~]# yum -y install httpd
[root@slave ~]# echo 'slave' > /var/www/html/index.html
[root@slave ~]# systemctl start httpd
[root@slave ~]# ss -anltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
1.3 keepalived配置
1.3.1 配置主服务器keepalived
[root@master ~]# cd /etc/keepalived/
[root@master keepalived]# ls
keepalived.conf
[root@master keepalived]# cp keepalived.conf{,-bak} //备份原文件
[root@master keepalived]# ls
keepalived.conf keepalived.conf-bak
[root@master keepalived]# rm -rf keepalived.conf
[root@master keepalived]# vim keepalived.conf
[root@master keepalived]# cat keepalived.conf
! Configuration File for keepalived
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state MASTER
interface ens160 //网卡名
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass wys123 //密码
}
virtual_ipaddress {
192.168.237.250 //VIP
}
}
virtual_server 192.168.237.250 80 { //VIP加端口号
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP
real_server 192.168.237.167 80 { //主服务器IP
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
real_server 192.168.237.170 80 { //备服务器IP
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
//启动keepalived
[root@master keepalived]# systemctl enable --now keepalived
Created symlink /etc/systemd/system/multi-user.target.wants/keepalived.service → /usr/lib/systemd/system/keepalived.service.
1.3.2 配置备服务器keepalived
[root@slave ~]# cd /etc/keepalived/
[root@slave keepalived]# cp keepalived.conf{,-bak}
[root@slave keepalived]# cat keepalived.conf
! Configuration File for keepalived
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state BACKUP //修改为BACKUP,备份
interface ens160
virtual_router_id 51
priority 90 //权重改成90
advert_int 1
authentication {
auth_type PASS
auth_pass wys123
}
virtual_ipaddress {
192.168.237.250
}
}
virtual_server 192.168.237.250 80 { //VIP地址 和服务端口号
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP
real_server 192.168.237.167 80 { //主服务器
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
real_server 192.168.237.170 80 { //备服务器
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
[root@slave keepalived]# systemctl enable --now keepalived
Created symlink /etc/systemd/system/multi-user.target.wants/keepalived.service → /usr/lib/systemd/system/keepalived.service.
1.3.3 查看VIP
//主服务器
[root@master ~]# ip a s ens160
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:50:0d:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.237.167/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1175sec preferred_lft 1175sec
inet 192.168.237.250/32 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
//备服务器
[root@slave ~]# ip a s ens160
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:cd:b3:bb brd ff:ff:ff:ff:ff:ff
inet 192.168.237.170/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1151sec preferred_lft 1151sec
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link dadfailed tentative noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::7220:8af:6655:3c80/64 scope link noprefixroute
valid_lft forever preferred_lft forever
1.3.4 测试
//关闭主服务器上的keepalived
[root@master ~]# systemctl stop keepalived
[root@master ~]# ip a s ens160
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:50:0d:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.237.167/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1064sec preferred_lft 1064sec
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
//去备服务器查看,发现vip到备服务了说明是备服务器提供的服务
[root@slave ~]# ip a s ens160
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:cd:b3:bb brd ff:ff:ff:ff:ff:ff
inet 192.168.237.170/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1055sec preferred_lft 1055sec
inet 192.168.237.250/32 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link dadfailed tentative noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::7220:8af:6655:3c80/64 scope link noprefixroute
valid_lft forever preferred_lft forever
此时访问网站是备服务器提供的服务
1.4 keepalived通过脚本监控httpd负载均衡机
主服务器编辑脚本
//创建第一个脚本
[root@master ~]# mkdir /scripts
[root@master ~]# cd /scripts/
[root@master scripts]# vim check_h.sh
[root@master scripts]# cat check_h.sh
#!/bin/bash
httpd_status=$(ps -ef|grep -Ev "httpd|$0"|grep '\bhttpd\b'|wc -l)
if [ $httpd_status -lt 1 ];then
systemctl stop keepalived
fi
[root@master scripts]# chmod +x check_h.sh //添加执行权限
[root@master scripts]# ll
总用量 4
-rwxr-xr-x. 1 root root 143 10月 22 10:16 check_h.sh
//创建第二个脚本
[root@master scripts]# vim notify.sh
[root@master scripts]# cat notify.sh
#!/bin/bash
VIP=$2
case "$1" in
master)
httpd_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bhttpd\b'|wc -l)
if [ $httpd_status -lt 1 ];then
systemctl start httpd
fi
;;
backup)
httpd_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bhttpd\b'|wc -l)
if [ $httpd_status -gt 0 ];then
systemctl stop httpd
fi
;;
*)
echo "Usage:$0 master|backup VIP"
;;
esac
[root@master scripts]# chmod +x notify.sh
[root@master scripts]# ll
总用量 8
-rwxr-xr-x. 1 root root 143 10月 22 10:16 check_h.sh
-rwxr-xr-x. 1 root root 434 10月 22 10:18 notify.sh
备服务器编辑脚本
[root@slave ~]# mkdir /scripts
[root@master scripts]# scp notify.sh [email protected]:/scripts //拷贝主服务器脚本文件到备服务器
[email protected]'s password:
notify.sh 100% 434 337.2KB/s 00:00
[root@slave ~]# cd /scripts/
[root@slave scripts]# ll
总用量 4
-rwxr-xr-x. 1 root root 434 10月 22 10:21 notify.sh
1.5 配置keepalived加入监控脚本
配置主服务器的keepalived
//前面手动验证了一次VIP是否会转移到备服务器,此时VIP在备服务器上,开启主服务器上keepalived让VIP重新回到主服务器
[root@master ~]# systemctl start keepalived.service
[root@master ~]# ip a s ens160
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:50:0d:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.237.167/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1467sec preferred_lft 1467sec
inet 192.168.237.250/32 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
//编辑主服务的keepalived配置文件
[root@master ~]# vim /etc/keepalived/keepalived.conf
[root@master ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id lb01
}
vrrp_script httpd_check { //添加以下4行
script "/scripts/check_h.sh"
interval 1
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface ens160
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass wys123
}
virtual_ipaddress {
192.168.237.250
}
track_script { //添加以下两行内容,引用上面定义的脚本
httpd_check
} //添加以下两行内容
notify_master "/scripts/notify.sh master 192.168.237.250"
notify_backup "/scripts/notify.sh backup 192.168.237.250"
}
virtual_server 192.168.237.250 80 {
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP
real_server 192.168.237.167 80 {
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
real_server 192.168.237.170 80 {
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
//重启服务
[root@master ~]# systemctl restart keepalived.service
配置备服务器的keepalived
[root@slave ~]# vim /etc/keepalived/keepalived.conf
[root@slave ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state BACKUP
interface ens160
virtual_router_id 51
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass wys123
}
virtual_ipaddress {
192.168.237.250
} //添加以下两行内容
notify_master "/scripts/notify.sh master 192.168.237.250"
notify_backup "/scripts/notify.sh backup 192.168.237.250"
}
virtual_server 192.168.237.250 80 {
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP
real_server 192.168.237.167 80 {
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
real_server 192.168.237.170 80 {
weight 1
TCP_CHECK {
connect_port 80
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}
[root@slave ~]# systemctl restart keepalived.service
1.6 验证
//模拟关闭主上面的httpd,发现keepalived服务已经自动关闭了
[root@master ~]# systemctl stop httpd
[root@master ~]# ss -anltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
[root@master ~]# ip a s ens160 //VIP已经转移
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:50:0d:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.237.167/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 1100sec preferred_lft 1100sec
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
//keepalived已经自动关闭
[root@master ~]# systemctl status keepalived.service
● keepalived.service - LVS and VRRP High Availability Monitor
Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri 2021-10-22 10:47:56 CST; 1s ago
Process: 198077 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 198078 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4842)
Memory: 2.1M
CGroup: /system.slice/keepalived.service
//在备服务器上查看IP,发现VIP已经转移到备服务器
[root@slave ~]# ip a s ens160
2: ens160: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:cd:b3:bb brd ff:ff:ff:ff:ff:ff
inet 192.168.237.170/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
valid_lft 980sec preferred_lft 980sec
inet 192.168.237.250/32 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::cef:1b5b:1107:cf5d/64 scope link dadfailed tentative noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::7220:8af:6655:3c80/64 scope link noprefixroute
valid_lft forever preferred_lft forever
//备服务器httpd正在运行
[root@slave ~]# ss -anltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
现在去访问,查看是否是备服务器提供的服务
2.脑裂
在高可用(HA)系统中,当联系2个节点的“心跳线”断开时,本来为一整体、动作协调的HA系统,就分裂成为2个独立的个体。由于相互失去了联系,都以为是对方出了故障。两个节点上的HA软件像“裂脑人”一样,争抢“共享资源”、争起“应用服务”,就会发生严重后果——或者共享资源被瓜分、2边“服务”都起不来了;或者2边“服务”都起来了,但同时读写“共享存储”,导致数据损坏(常见如数据库轮询着的联机日志出错)。
对付HA系统“裂脑”的对策,目前达成共识的的大概有以下几条:
- 添加冗余的心跳线,例如:双线条线(心跳线也HA),尽量减少“裂脑”发生几率;
- 启用磁盘锁。正在服务一方锁住共享磁盘,“裂脑”发生时,让对方完全“抢不走”共享磁盘资源。但使用锁磁盘也会有一个不小的问题,如果占用共享盘的一方不主动“解锁”,另一方就永远得不到共享磁盘。现实中假如服务节点突然死机或崩溃,就不可能执行解锁命令。后备节点也就接管不了共享资源和应用服务。于是有人在HA中设计了“智能”锁。即:正在服务的一方只在发现心跳线全部断开(察觉不到对端)时才启用磁盘锁。平时就不上锁了。
- 设置仲裁机制。例如设置参考IP(如网关IP),当心跳线完全断开时,2个节点都各自ping一下参考IP,不通则表明断点就出在本端。不仅“心跳”、还兼对外“服务”的本端网络链路断了,即使启动(或继续)应用服务也没有用了,那就主动放弃竞争,让能够ping通参考IP的一端去起服务。更保险一些,ping不通参考IP的一方干脆就自我重启,以彻底释放有可能还占用着的那些共享资源
2.1 脑裂产生的原因
一般来说,脑裂的发生,有以下几种原因:
- 高可用服务器对之间心跳线链路发生故障,导致无法正常通信
- 因心跳线坏了(包括断了,老化)
- 因网卡及相关驱动坏了,ip配置及冲突问题(网卡直连)
- 因心跳线间连接的设备故障(网卡及交换机)
- 因仲裁的机器出问题(采用仲裁的方案)
- 高可用服务器上开启了 iptables防火墙阻挡了心跳消息传输
- 高可用服务器上心跳网卡地址等信息配置不正确,导致发送心跳失败
- 其他服务配置不当等原因,如心跳方式不同,心跳广插冲突、软件Bug等
注意:
Keepalived配置里同一 VRRP实例如果 virtual_router_id两端参数配置不一致也会导致裂脑问题发生。
2.2 脑裂的常见解决方案
在实际生产环境中,我们可以从以下几个方面来防止裂脑问题的发生:
- 同时使用串行电缆和以太网电缆连接,同时用两条心跳线路,这样一条线路坏了,另一个还是好的,依然能传送心跳消息
- 当检测到裂脑时强行关闭一个心跳节点(这个功能需特殊设备支持,如Stonith、feyce)。相当于备节点接收不到心跳消患,通过单独的线路发送关机命令关闭主节点的电源
- 做好对裂脑的监控报警(如邮件及手机短信等或值班).在问题发生时人为第一时间介入仲裁,降低损失。例如,百度的监控报警短信就有上行和下行的区别。报警消息发送到管理员手机上,管理员可以通过手机回复对应数字或简单的字符串操作返回给服务器.让服务器根据指令自动处理相应故障,这样解决故障的时间更短.
当然,在实施高可用方案时,要根据业务实际需求确定是否能容忍这样的损失。对于一般的网站常规业务.这个损失是可容忍的
2.3 对脑裂进行监控
对脑裂的监控应在备用服务器上进行,通过添加zabbix自定义监控进行。
监控什么信息呢?监控备上有无VIP地址
备机上出现VIP有两种情况:
发生了脑裂
正常的主备切换
监控只是监控发生脑裂的可能性,不能保证一定是发生了脑裂,因为正常的主备切换VIP也是会到备上的。
用zabbix进行监控
监控脚本如下:
备服务器
[root@slave scripts]# pwd
/scripts
[root@slave scripts]# vim check_keepalived.sh
[root@slave scripts]# cat check_keepalived.sh
#!/bin/bash
if [ `ip a show ens160 |grep 192.168.237.250|wc -l` -ne 0 ];then
echo 1
else
echo 0
fi
[root@slave scripts]# chmod +x check_keepalived.sh
修改zabbix配置文件
[root@slave ~]# vim /usr/local/etc/zabbix_agentd.conf
#最后一行添加
UserParameter=check_log,/scripts/check_keepalived.sh
[root@slave ~]# zabbix_agentd
zabbix web界面配置监控
添加主机
添加监控项
添加触发器
web界面收到警告信息
收到邮件警告
