~Keepalived高可用集群~

一、Keepalived简介

是一个用于实现高可用性的解决方案，它主要应用于云主机的主备切换，以达到高可用性（HA）的目的。当主服务器发生故障无法对外提供服务时，动态将虚拟IP切换到备服务器，继续对外提供服务，从而增强系统的容灾性能。Keepalived通过监控主服务器的状态，实现主备服务器的自动切换，确保服务的持续可用性。

集群类型

LB：Load Balance 负载均衡

LVS/HAProxy/nginx（http/upstream, stream/upstream）

HA：High Availability 高可用集群

数据库、Redis

SPoF: Single Point of Failure，解决单点故障

HPC：High Performance Computing 高性能集群

系统可用性

SLA：Service-Level Agreement 服务等级协议（提供服务的企业与客户之间就服务的品质、水准、性能等方面所达成的双方共同认可的协议或契约）

A = MTBF / (MTBF+MTTR）

开始实验

准备工作
KA1：172.25.254.20
KA2：172.25.254.30
realserver1:172.25.254.110
realserver2:172.25.254.120

realserver1

[root@realserver1 ~]# yum install httpd  -y
[root@realserver1 ~]# systemctl stop firewalld
[root@realserver1 ~]# echo realserver1 - 172.25.254.110 > /var/www/html/index.html
[root@realserver1 ~]# systemctl start httpd

realserver2

[root@realserver2 ~]# yum install httpd  -y
[root@realserver2 ~]# systemctl stop firewalld
[root@realserver2 ~]# echo realserver2 - 172.25.254.120 > /var/www/html/index.html
[root@realserver2 ~]# systemctl start httpd

安装keepalived

[root@KA1 ~]# dnf install keepalived -y
[root@KA1 ~]# systemctl start keepalived

[root@KA2 ~]# dnf install keepalived -y
[root@KA2 ~]# systemctl start keepalived

测试一下

[root@kA1 ~]# curl 172.25.254.110
realserver1 - 172.25.254.110
[root@kA1 ~]# curl 172.25.254.120
realserver2 - 172.25.254.120

二、配置keepalived文件（配置虚拟路由）

! Configuration File for keepalived
global_defs {
notification_email {
3595566522@qq.com 
timiniglee-zln@163.com
}
notification_email_from keepalived@KA1.timinglee.org 
smtp_server 127.0.0.1 
smtp_connect_timeout 30 
router_id KA1.timinglee.org 
vrrp_skip_check_adv_addr 
vrrp_garp_interval 0
vrrp_gna_interval 0 
vrrp_mcast_group4 224.0.0.18 
}

进行测试

[root@KA2 ~]# tcpdump -i eth0 -nn host 224.0.0.18
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:48:23.294894 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 20, 
prio 100, authtype none, intvl 1s, length 20
22:48:24.084793 IP 172.25.254.30 > 224.0.0.18: VRRPv2, Advertisement, vrid 30, 
prio 80, authtype none, intvl 1s, length 20
22:48:24.295075 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 20

进行抓包

[root@KA1 ~]# yum install tcpdump
[root@KA1 ~]# tcpdump -i ens33 -nn host 224.0.0.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:58:45.323341 IP 172.25.254.20 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype simple, intvl 1s, length 20

三、启用keepalived日志功能

[root@ka1 ~]#systemctl restart keepalived.service rsyslog.service 
[root@ka1 ~]#tail -f /var/log/keepalived.log 
Apr 14 09:25:51 ka1 Keepalived_vrrp[1263]: Sending gratuitous ARP on eth0 for
10.0.0.10
Apr 14 09:25:51 ka1 Keepalived_vrrp[1263]: Sending gratuitous ARP on eth0 for
10.0.0.10
Apr 14 09:25:51 ka1 Keepalived_vrrp[1263]: Sending gratuitous ARP on eth0 for
10.0.0.10

四、抢占模式和非抢占模式

非抢占模式 nopreempt

默认为抢占模式preempt，即当高优先级的主机恢复在线后，会抢占低先级的主机的master角色，这样会使vip在KA主机中来回漂移，造成网络抖动，建议设置为非抢占模式 nopreempt ，即高优先级主机恢复后，并不会抢占低优先级主机的master角色非抢占模块下,如果原主机down机, VIP迁移至的新主机, 后续也发生down时,仍会将VIP迁移回原主机。

ka1主机配置

vrrp_instance VI_1 {state BACKUPinterface eth0virtual_router_id 20priority 100 #优先级高nopreempt #非抢占模式advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.110/24 dev eth0 label eth0:0}
}

ka2主机配置

vrrp_instance VI_1 {state BACKUPinterface eth0virtual_router_id 20priority 80 #优先级低advert_int 1nopreempt #非抢占模式authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.120/24 dev eth0 label eth0:0}
}

抢占延迟模式 preempt_delay

抢占延迟模式，即优先级高的主机恢复后，不会立即抢回VIP，而是延迟一段时间（默认300s）再抢回

#ka1主机配置
vrrp_instance VI_1 {state BACKUPinterface eth0virtual_router_id 20priority 100 #优先级高preempt_delay 10s #抢占延迟10sadvert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.110/24 dev eth0 label eth0:0}
}#KA2主机配置
vrrp_instance VI_1 {state BACKUPinterface eth0virtual_router_id 20priority 80 #优先级低advert_int 1preempt_delay 10s #抢占延迟10Sauthentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.120/24 dev eth0 label eth0:0}
}

五、VIP单播配置

默认keepalived主机之间利用多播相互通告消息，会造成网络拥塞，可以替换成单播，减少网络流

配置文件且启用 vrrp_strict

[root@KA1 ~]# vim /etc/keepalived/keepalived.conf
[root@KA1 ~]# systemctl restart keepalived
[root@KA1 ~]# tcpdump -i eth0 -nn src host 172.25.254.20 and dst 172.25.254.30

[root@KA2 ~]#  vim /etc/keepalived/keepalived.conf
[root@KA2 ~]# systemctl restart keepalived
[root@KA2 ~]# tcpdump -i eth0 -nn src host 172.25.254.30 and dst 172.25.254.20

KA1主机配置

[root@KA1 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {notification_email {3595566522@qq.com}notification_email_from keepalived@KA1.timinglee.orgsmtp_server 127.0.0.1smtp_connect_timeout 30router_id KA1.timinglee.orgvrrp_skip_check_adv_addr#vrrp_strict #注释此参数，与vip单播模式冲突vrrp_garp_interval 0vrrp_gna_interval 0vrrp_ipsets keepalived
}
vrrp_instance VI_1 {state MASTERinterface eth0virtual_router_id 20priority 100advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.110/24 dev eth0 label eth0:0}unicast_src_ip 172.25.254.20 #本机IPunicast_peer {172.25.254.30 #指向对方主机IP#如果有多个keepalived,再加其它节点的IP}
}

KA2配置

[root@KA2 ~]# vim /etc/keepalived/keepalived.conf! Configuration File for keepalived抓包查看单播效果
global_defs {notification_email {3595566522@qq.com}notification_email_from keepalived@KA1.timinglee.orgsmtp_server 127.0.0.1smtp_connect_timeout 30router_id KA1.timinglee.orgvrrp_skip_check_adv_addr#vrrp_strict #注释此参数，与vip单播模式冲突vrrp_garp_interval 0vrrp_gna_interval 0vrrp_ipsets keepalived
}
vrrp_instance VI_1 {state BACKUPinterface eth0virtual_router_id 20priority 80advert_int 1preempt_delay 60authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.120/24 dev eth0 label eth0:0}unicast_src_ip 172.25.254.30 #本机ipunicast_peer {172.25.254.20 #对端主机IP}
}

抓包查看单播效果

[root@KA1 ~]# tcpdump -i ens33 -nn src host 172.25.254.20 and dst 172.25.254.30

六、邮件通知

配置文件

[root@KA1 ~]# vim /etc/mail.rc
[root@KA1 ~]# cat /etc/mail.rc
set from=3595566522@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=3595566522@qq.com
set smtp-auth-password=fdvoyibvazmecfbd
set smtp-auth=login
set ssl-verify=ignore

进行测试

[root@KA1 ~]# echo test message |mail -s test 3595566522@qq.com

实现 master/master 的 Keepalived 双主架构

master/slave的单主架构，同一时间只有一个Keepalived对外提供服务，此主机繁忙，而另一台主机却很空闲，利用率低下，可以使用master/master的双主架构，解决此问题。

master/master 的双主架构：即将两个或以上VIP分别运行在不同的keepalived服务器，以实现服务器并行提供web访问的目的，提高服务器资源利用率

示例

#ha1主机配置
[root@rhel7-ka1 ~]# vim /etc/keepalived/keepalived.conf
@@@@ 内容省略 @@@@
vrrp_instance VI_1 {state MASTER #主interface ens33virtual_router_id 50priority 100advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.50 dev ens33 label ens33:0}
}
vrrp_instance VI_60 {state BACKUP #备interface ens33virtual_router_id 60priority 80advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {172.25.254.60 dev ens33 label ens33:1}
}

七、实现IPVS的高可用性

IPVS相关配置

[root@KA1 ~]# yum install ipvsadm -y
[root@KA1 ~]# vim /etc/keepalived/keepalived.conf
[root@KA1 ~]# systemctl restart keepalived.service
[root@KA1 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:80 wrr-> 172.25.254.110:80            Route   1      0          0-> 172.25.254.120:80            Route   1      0          0

[root@KA2 ~]# systemctl stop firewalld
[root@KA2 ~]# systemctl restart keepalived
[root@KA2 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.254.100:80 wrr-> 172.25.254.110:80            Route   1      0          0-> 172.25.254.120:80            Route   1      0          0

示例

#准备两台后端RS主机
[root@rs1 ~]# yum install httpd -y
[root@rs1 ~]# echo RS1 - 172.25.254.101 > /var/www/html/index.html
[root@rs1 ~]# ip addr add 172.25.254.100/32 dev lo
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@rs2 ~]# yum install httpd -y
[root@rs1 ~]# echo RS1 - 172.25.254.101 > /var/www/html/index.html
[root@rs2 ~]# ip addr add 172.25.254.100/32 dev lo
[root@rs2 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@rs2 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@rs2 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
[root@node30 ~]# yum install httpd -y配置keepalived
[root@node30 ~]# echo RS1 - 172.25.254.101 > /var/www/html/index.html
[root@node30 ~]# ip addr add 172.25.254.100/32 dev lo
[root@node30 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
[root@node30 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
[root@node30
~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce

配置keepalived

#ka1节点的配置
[root@rhel7-ka1 ~]# vim /etc/keepalived/keepalived.conf
@@@@ 省略内容 @@@@
virtual_server 172.25.254.100 80 {delay_loop 6lb_algo wrrlb_kind DRprotocol TCPsorry_server 172.25.254.30real_server 172.25.254.101 80 {weight 1TCP_CHECK {connect_timeout 5nb_get_retry 3delay_before_retry 3connect_port 80}}real_server 172.25.254.102 80 {weight 1HTTP_GET {url {path /status_code 200}connect_timeout 1nb_get_retry 3delay_before_retry 1}}
}
#ka2节点的配置，配置和ka1基本相同，只需修改三行
[root@rhel7-ka2 ~]# vim /etc/keepalived/keepalived.conf
@@@@ 省略内容 @@@@
virtual_server 172.25.254.100 80 {delay_loop 6lb_algo wrrlb_kind DRprotocol TCPsorry_server 172.25.254.30访问测试结果
模拟故障real_server 172.25.254.101 80 {weight 1TCP_CHECK {connect_timeout 5nb_get_retry 3delay_before_retry 3connect_port 80}}real_server 172.25.254.102 80 {weight 1HTTP_GET {url {path /status_code 200}connect_timeout 1nb_get_retry 3delay_before_retry 1}}
}

测试结果

八、keepalived+lvs

[root@KA1 ~]# touch /etc/keepalived/test.sh
[root@KA1 ~]# vim  /etc/keepalived/test.sh
[root@KA1 ~]# cat  /etc/keepalived/test.sh
[root@KA1 ~]# vim /etc/keepalived/keepalived.conf
[root@KA1 ~]# systemctl restart keepalived.service
[root@KA1 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 172.25.254.10  netmask 255.255.0.0  broadcast 172.25.255.255inet6 fe80::20c:29ff:fe0c:6c2d  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:0c:6c:2d  txqueuelen 1000  (Ethernet)RX packets 75496  bytes 6118881 (5.8 MiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 128025  bytes 13978589 (13.3 MiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 172.25.254.100  netmask 255.255.255.0  broadcast 0.0.0.0ether 00:0c:29:0c:6c:2d  txqueuelen 1000  (Ethernet)

九、keepalived+haproxy

KA1和KA2都需要安装haproxy

需要在两个ka1和ka2两个节点启用内核参数，目的是为了即使另一台主机没有100的VIP，也能进行远程解析，在原100的VIP下线的时候，保证服务能正常进行

[root@KA1~] yum install haproxy -y[root@KA2~] yum install haproxy -y

设置参数

[root@KA1 ~]# vim /etc/sysctl.conf 
[root@KA1 ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1[root@KA2 ~]# vim /etc/sysctl.conf 
[root@KA2 ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1

进行配置文件

[root@KA1 ~]# vim /etc/haproxy/haproxy.cfg
[root@KA1 ~]# systemctl enable haproxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/haproxy.service to /usr/lib/systemd/system/haproxy.service.
[root@KA1 ~]# systemctl restart haproxy.service

删除两台服务器的环回

[root@realserver1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-lo
[root@realserver1 ~]# systemctl restart network
[root@realserver1 ~]# ifconfig[root@realserver2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-lo
[root@realserver2 ~]# systemctl restart network
[root@realserver2 ~]# ifconfig