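1: What is Keepalived
Keepalived provides high availability mainly through the VRRP protocol. VRRP stands for Virtual Router Redundancy Protocol; it was designed to remove the single point of failure of static routing, so that the whole network keeps running without interruption when an individual node goes down. On one hand, keepalived can configure and manage LVS and health-check the nodes behind LVS; on the other hand, it can provide high availability for the system's network services.
2: How Keepalived works
1) VRRP uses an election protocol to hand the routing task to one of the VRRP routers.
3) VRRP uses IP multicast (default multicast address 224.0.0.18) for communication between the members of a high-availability pair.
4) In operation the master node sends packets and the backup node receives them. When the backup no longer receives packets from the master, it starts the takeover procedure and takes over the master's resources. There can be several backup nodes, elected by priority, but in day-to-day keepalived operations there is usually just one pair.
5) The members of a keepalived high-availability pair communicate over VRRP, and VRRP decides master and backup through an election. The master has a higher priority than the backup, so in operation it obtains all the resources first while the backup waits. When the master fails, the backup takes over the master's resources and serves traffic in its place. Within a keepalived pair, only the server acting as master keeps sending VRRP advertisement packets to tell the backup that it is still alive, and during that time the backup does not preempt the master. When the master becomes unavailable, that is, when the backup no longer hears the master's advertisements, the backup starts the relevant services and takes over the resources to keep the business running. Takeover can be as fast as under one second.
3: Keepalived configuration
3.1 The load-balancing proxy configuration on lb01 and lb02 is identical
3.2 Install keepalived on lb01 and lb02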
[root@lb01-5 nginx]# yum install -y keepalived
[root@lb02-6 nginx]# yum install -y keepalived
3.3 Configure keepalived
3.3.1 Configuration on lb01
[root@lb01-5 nginx]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 50
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
}
3.3.2 Configuration on lb02
[root@lb02-6 keepalived]# cat keepalived.conf
global_defs {
router_id lb02
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 50
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
}
3.3.3 Restart keepalived on lb01 and lb02 at the same time
[root@lb01-5 keepalived]# systemctl restart keepalived.service
[root@lb02-6 keepalived]# systemctl restart keepalived.service
3.3.4 After the restart, the virtual IP 10.0.0.3 appears on lb01's network interface
[root@lb01-5 keepalived]# ip add show | grep 10.0.0.3
inet 10.0.0.3/32 scope global eth0
The backup server lb02 does not have the virtual IP 10.0.0.3
[root@lb02-6 ~]# ip add show | grep 10.0.0.3
[root@lb02-6 ~]#
3.3.5 Differences between the master and backup configuration
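The configurations in 3.3.1 and 3.3.2 differ only in router_id, state and priority; virtual_router_id, advert_int, the authentication block and virtual_ipaddress are the same on both nodes, and a mismatch in those can leave each node ignoring the other's advertisements. The following check is an added example, not part of the original article: compare_peers, write_conf and demo_dir are hypothetical names, and the test files are constructed from the configs above.

```shell
#!/bin/sh
# Added example: report vrrp_instance settings that differ between two peers'
# keepalived.conf files but must be identical for the pair to see each other.
compare_peers() {
    awk '
    function put(k, v) { val[f, k] = val[f, k] " " v; keys[k] = 1 }
    FNR == 1 { f++; inst = ""; invip = 0 }
    { sub(/[#!].*/, "") }                       # drop keepalived comments
    $1 == "vrrp_instance" { inst = $2; next }
    inst == "" { next }                         # ignore global_defs, vrrp_script
    $1 == "virtual_ipaddress" { invip = 1; next }
    invip && $1 == "}" { invip = 0; next }
    invip && NF { put(inst ".virtual_ipaddress", $1); next }
    $1 ~ /^(virtual_router_id|advert_int|auth_type|auth_pass)$/ { put(inst "." $1, $2) }
    END {
        # Print only the setting name, never the auth_pass value itself.
        for (k in keys) if (val[1, k] != val[2, k]) { print "MISMATCH " k; bad = 1 }
        exit bad + 0
    }' "$1" "$2"
}

# Constructed test config modelled on 3.3.1/3.3.2; arguments are
# <file> <state> <priority> <virtual_router_id> <auth_pass>.
write_conf() {
    cat > "$1" <<EOF
vrrp_instance VI_1 {
state $2
interface eth0
virtual_router_id $4
priority $3
advert_int 1
authentication {
auth_type PASS
auth_pass $5
}
virtual_ipaddress {
10.0.0.3
}
}
EOF
}

demo_dir=$(mktemp -d)
write_conf "$demo_dir/lb01.conf" MASTER 150 50 1111
write_conf "$demo_dir/lb02.conf" BACKUP 100 50 1111
write_conf "$demo_dir/bad.conf"  BACKUP 100 51 2222
compare_peers "$demo_dir/lb01.conf" "$demo_dir/lb02.conf" && echo "peers consistent"
compare_peers "$demo_dir/lb01.conf" "$demo_dir/bad.conf" | sort
```

The same function works on files with several vrrp_instance blocks, because every setting is keyed by instance name.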
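3.3.6 Test
Edit the Windows hosts file: 10.0.0.3 zh.cxy1.com blog.cxy1.com
Access test: the blog and the forum work normally
After stopping the keepalived service on lb01, 10.0.0.3 immediately floats over to lb02, and the forum and blog are still reachable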
[root@lb02-6 keepalived]# ip add show | grep 10.0.0.3
inet 10.0.0.3/32 scope global eth0
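When the keepalived service on lb01 is started again, lb01 immediately preempts and becomes master again, lb02 goes back to being the backup server, and the forum and blog are still reachable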
[root@lb01-5 keepalived]# ip add show | grep 10.0.0.3
inet 10.0.0.3/32 scope global eth0
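4: Keepalived split brain
For some reason the two servers of a high-availability pair cannot detect each other's heartbeat messages within the specified time, and each takes ownership of the resources and services while both servers are in fact still alive and running normally. The same IP or service then exists on both sides at once and conflicts. The worst case is both servers holding the same VIP: when users write data it may be written to both sides separately, which can leave the data on the two servers inconsistent or cause data loss. This situation is called split brain.
4.1 Monitoring keepalived for split brain
Scenario 1:
Check whether nginx on the master server is alive. If nginx on the master has stopped, start it automatically; if nginx is still not up 3 seconds after the start attempt, keepalived fails over to the backup server. Once nginx on the master is found running again, the VIP immediately floats back to the master.
Monitoring script: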
[root@lb01-5 server_shell]# cat keepalived_nginx.sh
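#!/bin/sh
# Count the listening sockets owned by nginx
nginxpid=`netstat -lntup | grep nginx | grep -v grep | wc -l`
if [ "$nginxpid" -eq 0 ];then
    systemctl start nginx
    sleep 3
    # Count again after the start attempt; the first value is stale by now
    nginxpid=`netstat -lntup | grep nginx | grep -v grep | wc -l`
    if [ "$nginxpid" -eq 0 ];then
        systemctl stop keepalived
    fi
fi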
# Make the script executable and run it once locally to check for errors
[root@lb01-5 server_shell]# chmod +x keepalived_nginx.sh
[root@lb01-5 server_shell]# sh keepalived_nginx.sh
Configuration on lb01: add the script to the main keepalived configuration file
[root@lb01-5 keepalived]# cat keepalived.conf
global_defs {
router_id lb01
}
vrrp_script keepalived_nginx { # script name
script "/cxy/server_shell/keepalived_nginx.sh" # path to the script
interval 5 # run every 5 s
weight 50 # weight value
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 50
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
track_script {
keepalived_nginx # script name
}
}
Configuration on lb02
[root@lb02-6 server_shell]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb02
}
vrrp_script keepalived_nginx {
script "/cxy/server_shell/keepalived_nginx.sh"
interval 5
weight 50
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 50
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
track_script {
keepalived_nginx
}
}
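Test: after nginx on lb01 is stopped and 3 seconds have passed, the nginx service starts again automatically; when the nginx service stays down for a long time, the keepalived service on lb01 shuts itself down and the VIP floats to lb02
# You can use the watch command to follow the nginx status in real time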
[root@lb02-6 server_shell]# watch 'systemctl status nginx'
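Scenario 2:
Split brain occurs: when the backup node lb02 can ping the master node lb01 and lb02 also holds the VIP, raise an alarm
Monitoring script, run on lb02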
check_naolie.sh keepalived_nginx.sh
[root@lb02-6 server_shell]# cat check_naolie.sh
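#!/bin/sh
vip=10.0.0.3
lb01_ip=10.0.0.5
# "&>" is a bash extension; use the POSIX redirection so this works under any /bin/sh
ping -c 2 -W 3 $lb01_ip >/dev/null 2>&1
if [ $? -eq 0 -a `ip add show | grep $vip | wc -l` -ne 0 ];then # ping succeeded and the VIP is present
    # Message: "Danger, check right away, I have already stopped keepalived for you"
    echo "有危险,快点查看,我已经帮你停掉keepalived了" >> /tmp/check_naolie.txt
    systemctl stop keepalived
else
    # Message: "All normal"
    echo "很正常" >> /tmp/check_naolie.txt
fi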
Configuration on lb02
[root@lb02-6 server_shell]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb02
}
vrrp_script keepalived_nginx {
script "/cxy/server_shell/keepalived_nginx.sh"
interval 5
weight 50
}
vrrp_script check_naolie {
script "/cxy/server_shell/check_naolie.sh" ## several scripts can be run at the same time
interval 5
weight 50
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 50
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3
}
track_script {
keepalived_nginx
check_naolie
}
}
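Test: enabling firewalld on both lb01 and lb02 at the same time causes the VIP to exist on lb01 and lb02 simultaneously
When both load balancers hold the VIP, the script takes effect and lb02 stops keepalived.
What if the system has a firewall enabled?
Capture packets with tcpdump to see whether the protocol's packets are being captured
[root@lb02 scripts]# tcpdump -nn -c 20 -i any host 224.0.0.18
If the firewall is the cause, allow the VRRP packets through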
#firewall
[root@lb02 scripts]# firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
[root@lb02 scripts]# firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface eth1 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
#iptables
[root@lb02 scripts]# iptables -I INPUT -i eth0 -d 224.0.0.0/8 -p vrrp -j ACCEPT
[root@lb02 scripts]# iptables -I OUTPUT -o eth0 -d 224.0.0.0/8 -p vrrp -j ACCEPT
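tcpdump sees inbound packets before the INPUT chain drops them, so during the firewall-induced split brain described above a capture on either node shows two different source addresses advertising the same vrid. The following parser for that tcpdump output is an added example, not part of the original article; the function names are hypothetical and the capture lines are constructed.

```shell
#!/bin/sh
# Added example: count distinct VRRP advertisement senders per vrid in
# tcpdump text output. Prints "<vrid> <count> <senders> <OK|SPLIT>" per vrid.
vrrp_senders() {
    awk '
    /VRRPv[23], Advertisement/ {
        src = ""; vrid = ""
        for (i = 2; i <= NF; i++) {
            if ($i == ">") src = $(i - 1)       # token before ">" is the sender
            if ($i == "vrid") { vrid = $(i + 1); sub(/,$/, "", vrid) }
        }
        if (src == "" || vrid == "" || ((vrid, src) in seen)) next
        seen[vrid, src] = 1
        count[vrid]++
        list[vrid] = (count[vrid] > 1) ? (list[vrid] "," src) : src
    }
    END {
        for (v in count)
            printf "%s %d %s %s\n", v, count[v], list[v], (count[v] > 1 ? "SPLIT" : "OK")
    }' | sort -n
}

# Exit status 0 when any vrid has more than one sender in the capture.
has_split_brain() { vrrp_senders | grep -q ' SPLIT$'; }

# Constructed capture lines (not from a real host). 10.0.0.5 is lb01 per the
# page; 10.0.0.6 for lb02 is an assumption.
sample_split() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.0.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 150, authtype simple, intvl 1s, length 20
12:00:01.300001 IP 10.0.0.6 > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 100, authtype simple, intvl 1s, length 20
12:00:02.000001 IP 10.0.0.5 > 224.0.0.18: VRRPv2, Advertisement, vrid 50, prio 150, authtype simple, intvl 1s, length 20
EOF
}
sample_healthy() { sample_split | grep -v "IP 10.0.0.6 "; }

sample_split | vrrp_senders
sample_healthy | has_split_brain || echo "healthy capture: single sender"
```

On a live node, pipe the page's capture into it: `tcpdump -nn -l -c 20 -i any host 224.0.0.18 | vrrp_senders`. A short overlap of two senders right after a failover or preemption is expected; a SPLIT result that persists across captures is the condition to alert on.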
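5: Dual master, dual backup
5.1 What is dual-master mode
The two load-balancing servers act as master and backup for each other, which makes effective use of resources
lb01 holds a master VIP 10.0.0.2 and lb02 holds a master VIP 10.0.0.3; lb02 is the backup for VIP 10.0.0.2 and lb01 is the backup for VIP 10.0.0.3
5.2 Dual-master configuration
Configuration on lb01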
[root@lb01-5 keepalived]# vim keepalived.conf
global_defs {
router_id LVS_01
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3/24 dev eth0 label eth0:1
}
}
vrrp_instance VI_2 {
state BACKUP
interface eth0
virtual_router_id 52
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.4/24 dev eth0 label eth0:2
}
}
[root@lb01-5 keepalived]# systemctl restart keepalived.service
Configuration on lb02
[root@lb02-6 keepalived]# vim keepalived.conf
global_defs {
router_id LVS_02
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.3/24 dev eth0 label eth0:1
}
}
vrrp_instance VI_2 {
state MASTER
interface eth0
virtual_router_id 52
priority 150
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.0.0.4/24 dev eth0 label eth0:2
}
}
[root@lb02-6 keepalived]# systemctl restart keepalived.service