keepalived configuration file and related applications

1. Introduction to keepalived


Keepalived is a routing software written in C. The main goal of this project is to provide simple and robust facilities for loadbalancing and high-availability to Linux system and Linux based infrastructures. Loadbalancing framework relies on well-known and widely used Linux Virtual Server (IPVS) kernel module providing Layer4 loadbalancing. Keepalived implements a set of checkers to dynamically and adaptively maintain and manage loadbalanced server pool according to their health. On the other hand high-availability is achieved by VRRP protocol. VRRP is a fundamental brick for router failover. In addition, Keepalived implements a set of hooks to the VRRP finite state machine providing low-level and high-speed protocol interactions. Keepalived frameworks can be used independently or all together to provide resilient infrastructures.

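keepalived is routing software written in C. Its main purpose is to give Linux-based devices a simple, robust tool for load balancing and high availability. The "load balancing" framework is built on "IPVS" and can call a set of "checkers" to dynamically maintain and manage the load-balancing servers and the backend real servers (RS). "High availability" is built on the "VRRP" protocol. The two can be used together.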

2. keepalived applications


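1. Load balancing (mainly IPVS), without depending on the ipvsadm package

2. High availability with automatic failover (mainly for services that are not health-aware themselves, such as nginx)

3. Custom scripts: keepalived provides a mechanism for running a policy whenever the server state changes. What that policy does is up to the user (it could make coffee).

4. Dynamic and static routes


As for how these are implemented, there are plenty of tutorials online.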


3. keepalived configuration file


KEEPALIVED.CONF(5) KEEPALIVED.CONF(5)

NAME
/etc/keepalived/keepalived.conf - configuration file for keepalived

DESCRIPTION
keepalived.conf is the configuration file which describes all the
keepalived keywords. keywords are placed in hierarchies of blocks (and
subblocks), each layer being delimited by ’{’ and ’}’ pairs.

(The configuration file is made of nested blocks enclosed in {}.)

Comments start with ’#’ or ’!’ to the end of the line and can start
anywhere in a line.
(Comments use # or !; there are no multi-line comments.)
TOP HIERARCHY
GLOBAL CONFIGURATION

VRRP CONFIGURATION

LVS CONFIGURATION


GLOBAL CONFIGURATION
contains subblocks of Global definition and static routes
(The global configuration consists of the "global definition" and "static routes".)


GLOBAL DEFINITION
global_defs # Block id
{
notification_email # To:
{
[email protected] # (mail recipient)
...
}
# From: from address that will be in header
notification_email_from [email protected] # (sender)
smtp_server 127.0.0.1 # IP
smtp_connect_timeout 30 # integer, seconds
router_id my_hostname # string identifying the machine
# (doesn’t have to be hostname).
enable_traps # enable SNMP traps
}



STATIC ROUTES
keepalived can configure static addresses and routes. These addresses
are NOT moved by vrrpd, they stay on the machine. If you already have
IPs and routes on your machines and your machines can ping each other,
you don't need this section.

The syntax is the same as for virtual addresses and virtual routes.

static_ipaddress
{
192.168.1.1/24 dev eth0 scope global
...
}

static_routes
{
192.168.2.0/24 via 192.168.1.100 dev eth0
...
}


VRRPD CONFIGURATION
contains subblocks of VRRP synchronization group(s) and VRRP
instance(s)

(The VRRPD configuration consists of "VRRP synchronization groups" and "VRRP instances".)
VRRP synchronization group(s)
#string, name of group of IPs that failover together
vrrp_sync_group VG_1 {
group {
inside_network # name of vrrp_instance (below)
outside_network # One for each moveable IP.
...
}

# notify scripts and alerts are optional
#
# filenames of scripts to run on transitions
# can be unquoted (if just filename)
# or quoted (if has parameters)
# (a script that takes parameters must be quoted)
# to MASTER transition
notify_master /path/to_master.sh
# to BACKUP transition
notify_backup /path/to_backup.sh
# FAULT transition
notify_fault "/path/fault.sh VG_1"

# for ANY state transition.
# (the plain "notify" script runs after the scripts whose names start with notify_)
# "notify" script is called AFTER the
# notify_* script(s) and is executed
# with 3 arguments provided by keepalived
# (ie don’t include parameters in the notify line).
# arguments
# $1 = "GROUP"|"INSTANCE"
# $2 = name of group or instance
# $3 = target state of transition
# ("MASTER"|"BACKUP"|"FAULT")
notify /path/notify.sh

# Send email notification during state transition,
# using addresses in global_defs above.
smtp_alert
}
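
A handler for the notify line described above, as an added example that is not from the man page or the original post. The log path and the function name are assumptions; it checks the three arguments keepalived supplies before logging the transition:

```sh
#!/bin/sh
# Added example, not from the keepalived man page: a handler for "notify".
# keepalived passes: $1 = GROUP|INSTANCE, $2 = name, $3 = MASTER|BACKUP|FAULT
# LOG_FILE is an assumed location; override it through the environment.
LOG_FILE="${LOG_FILE:-/var/log/keepalived-notify.log}"

# Validate the three arguments, then append one line per transition.
# Returns 2 for anything keepalived itself would never pass, so a manual
# or malformed invocation is rejected instead of being logged as real.
handle_transition() {
    if [ "$#" -ne 3 ]; then
        echo "usage: notify.sh GROUP|INSTANCE NAME MASTER|BACKUP|FAULT" >&2
        return 2
    fi
    case "$1" in
        GROUP|INSTANCE) ;;
        *) echo "unexpected type" >&2; return 2 ;;
    esac
    # Names come from keepalived.conf; allow a conservative character set
    # so the value is safe to write into a log line.
    case "$2" in
        ""|*[!A-Za-z0-9_.-]*) echo "unexpected name" >&2; return 2 ;;
    esac
    case "$3" in
        MASTER|BACKUP|FAULT) ;;
        *) echo "unexpected state" >&2; return 2 ;;
    esac
    printf '%s %s %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$1" "$2" "$3" >> "$LOG_FILE"
}

# Run only when keepalived (or an operator) supplies arguments.
if [ "$#" -gt 0 ]; then
    handle_transition "$@"
fi
```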


VRRP instance(s)
describes the moveable IP for each instance of a group in
vrrp_sync_group. Here are described two IPs (on inside_network and on
outside_network), on machine "my_hostname", which belong to the group
VG_1 and which will transition together on any state change.
#You will need to write another block for outside_network.
vrrp_instance inside_network {
# Initial state, MASTER|BACKUP
# As soon as the other machine(s) come up,
# an election will be held and the machine
# with the highest "priority" will become MASTER.
# So the entry here doesn’t matter a whole lot.
state MASTER # (this line does not really matter; what matters is the priority)

# interface for inside_network, bound by vrrp
interface eth0 # (the device VRRP is bound to)

# Use VRRP Virtual MAC.
use_vmac <VMAC_INTERFACE> # (virtual MAC address; no need to set it, keepalived assigns one automatically)

# Ignore VRRP interface faults (default unset)
dont_track_primary # (ignore faults on the VRRP interface)

# optional, monitor these as well.
# go to FAULT state if any of these go down.
track_interface { # (track these devices; enter the "fault" state if one fails)
eth0
eth1
...
}

#default IP for binding vrrpd is the primary IP
#on interface. If you want to hide location of vrrpd,
#use this IP as src_addr for multicast vrrp packets.
#(since it’s multicast, vrrpd will get the reply
#packet no matter what src_addr is used).
#optional
mcast_src_ip <IPADDR> # (source address for the multicast VRRP packets)

# Binding interface for lvs syncd
lvs_sync_daemon_interface eth1 # (bind the LVS sync daemon to a specific NIC)

# delay for gratuitous ARP after transition to MASTER
garp_master_delay 10 # secs, default 5 (send the gratuitous ARP broadcast 10 seconds after entering MASTER state)

# arbitrary unique number 0..255
# used to differentiate multiple instances of vrrpd
# running on the same NIC (and hence same socket).
virtual_router_id 51 # (virtual router ID; the "VMAC" can be assigned automatically from it)

# for electing MASTER, highest priority wins.
# to be MASTER, make 50 more than other machines.
priority 100 # (you know what this is -_-)

# VRRP Advert interval, secs (use default)
advert_int 1 # (advertisement interval)
authentication { # Authentication block
# PASS||AH (authentication type: plaintext password or IPSEC; plaintext is recommended)
# PASS - Simple Passwd (suggested)
# AH - IPSEC (not recommended)
auth_type PASS
# Password for accessing vrrpd.
# should be the same for all machines.
# Only the first eight (8) characters are used.
auth_pass 1234
}

#addresses add|del on change to MASTER, to BACKUP.
#With the same entries on other machines,
#the opposite transition will be occurring.
virtual_ipaddress {
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
192.168.200.17/24 dev eth1
192.168.200.18/24 dev eth2 label eth2:1 # (define virtual IPs; a device and a label may be given)
}

#VRRP IP excluded from VRRP
#optional.
#For cases with large numbers (eg 200) of IPs
#on the same interface. To decrease the number
#of packets sent in adverts, you can exclude
#most IPs from adverts.
#The IPs are add|del as for virtual_ipaddress.
virtual_ipaddress_excluded { # (when one interface carries a huge number of VIPs, leave some of them out of the adverts)
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
...
}
# routes add|del when changing to MASTER, to BACKUP
virtual_routes { # (define virtual routes)
# src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> [or <IPADDR>] dev <STRING> scope <SCOPE> tab
src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
192.168.110.0/24 via 192.168.200.254 dev eth1
192.168.111.0/24 dev eth2
192.168.112.0/24 via 192.168.100.254
192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev eth1
blackhole 192.168.114.0/24
}

# VRRP will normally preempt a lower priority
# machine when a higher priority machine comes
# online. "nopreempt" allows the lower priority
# machine to maintain the master role, even when
# a higher priority machine comes back online.
# NOTE: For this to work, the initial state of this
# entry must be BACKUP.
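nopreempt # (VRRP works in either "preemptive" or "non-preemptive" mode; in the latter, resources are not handed over when a machine with a higher priority comes online)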

# Seconds after startup until preemption
# (if not disabled by "nopreempt").
# Range: 0 (default) to 1,000
# NOTE: For this to work, the initial state of this
# entry must be BACKUP. (after coming online, wait 5 minutes before preempting; the initial state must be BACKUP)
preempt_delay 300 # waits 5 minutes

# Debug level, not implemented yet.
debug # (for bug hunting)

# notify scripts, alert as above
notify_master <STRING>|<QUOTED-STRING> # (script to run when the state changes to MASTER)
notify_backup <STRING>|<QUOTED-STRING>
notify_fault <STRING>|<QUOTED-STRING>
notify <STRING>|<QUOTED-STRING>
smtp_alert # (email alert)
}
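
The authentication block above notes that only the first eight characters of auth_pass are used. The following is an added example (not part of keepalived or of the original post) that audits a configuration for that truncation; the function names and the sample configuration are constructed for illustration:

```sh
#!/bin/sh
# Added example, not part of keepalived: audit auth_pass values in a
# keepalived.conf read from stdin. One finding is printed per line.
audit_vrrp_auth() {
    awk '
    { sub(/[#!].*/, "") }            # comments run from # or ! to end of line
    $1 == "vrrp_instance" { inst = $2 }
    $1 == "auth_pass"     { pass[inst] = $2 }
    END {
        for (i in pass) {
            n = length(pass[i])
            if (n > 8) print i ": auth_pass has " n " characters, only the first 8 are used"
            if (n < 8) print i ": auth_pass has only " n " characters"
            # Passwords that differ only after character 8 are the same key.
            key = substr(pass[i], 1, 8)
            if (!(key in seen)) seen[key] = i
            else if (pass[seen[key]] != pass[i])
                print i ": effective auth_pass equals that of " seen[key]
        }
    }'
}

# Constructed sample configuration (not taken from a real deployment).
sample_conf() {
    cat <<'EOF'
vrrp_instance inside_network {
    authentication {
        auth_type PASS
        auth_pass 1234
    }
}
vrrp_instance outside_network {
    authentication {
        auth_type PASS
        auth_pass S3cretKeyA    ! constructed value, 10 characters
    }
}
vrrp_instance dmz_network {
    authentication {
        auth_type PASS
        auth_pass S3cretKeyB    # differs from the above only at character 10
    }
}
EOF
}

if [ "$#" -eq 1 ]; then audit_vrrp_auth < "$1"; fi
```

Findings report lengths and instance names only, so the output can be shared without exposing the password itself.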


LVS CONFIGURATION
contains subblocks of Virtual server group(s) and Virtual server(s)

The subblocks contain arguments for ipvsadm(8). A knowledge of
ipvsadm(8) will be helpful here.


Virtual server group(s)
# optional (this group lets one service on an RS belong to several virtual services while being health checked only once)
# this groups allows a service on a real_server
# to belong to multiple virtual services
# and to be only health checked once.
# Only for very large LVSs.
virtual_server_group <STRING> {
#VIP port
<IPADDR> <PORT>
<IPADDR> <PORT>
...
#
# <IPADDR RANGE> has the form
# XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
# range includes both .1 and .10 address
<IPADDR RANGE> <PORT> # VIP range VPORT
<IPADDR RANGE> <PORT>
...
fwmark <INT> # fwmark (firewall mark)
fwmark <INT>
... }


VIRTUAL SERVERS
A virtual_server can be a declaration of one of

vip vport (IPADDR PORT pair)

fwmark <INT>

(virtual server) group <STRING>

#setup service
virtual_server IP port | # (TCP-type VS)
virtual_server fwmark int | # (firewall-mark-type VS)
virtual_server group string # (VS group)
{
# delay timer for service polling
delay_loop <INT>

# LVS scheduler
lb_algo rr|wrr|lc|wlc|lblc|sh|dh # (scheduling algorithm)
# LVS forwarding method
lb_kind NAT|DR|TUN # (forwarding type)
# LVS persistence timeout, sec
persistence_timeout <INT> # (persistent connection time)
# LVS granularity mask (-M in ipvsadm)
persistence_granularity <NETMASK> # (what is persistence granularity, and why is it followed by a netmask?)
# Only TCP is implemented
protocol TCP
# If VS IP address is not set,
# suspend healthchecker’s activity
ha_suspend # (if the VIP is not set, do not health check the RSs)

# VirtualHost string for HTTP_GET or SSL_GET
# eg virtualhost www.firewall.loc
virtualhost <STRING>

# Assume silently all RSs down and healthchecks
# failed on start. This helps preventing false
# positive actions on startup. Alpha mode is
# disabled by default.
alpha # (what are all of these? o_0)

# On daemon shutdown, consider quorum and RS
# down notifiers for execution, where appropriate.
# Omega mode is disabled by default.
omega

# Minimum total weight of all live servers in
# the pool necessary to operate VS with no
# quality regression. Defaults to 1.
quorum <INT>

# Tolerate this much weight units compared to the
# nominal quorum, when considering quorum gain
# or loss. A flap dampener. Defaults to 0.
hysteresis <INT>

# Script to launch when quorum is gained.
quorum_up <STRING>|<QUOTED-STRING>

# Script to launch when quorum is lost.
quorum_down <STRING>|<QUOTED-STRING>


# setup realserver(s)

# RS to add when all realservers are down
sorry_server <IPADDR> <PORT> # (when every RS is down, traffic moves to this machine)

# one entry for each realserver
real_server <IPADDR> <PORT>
{
# relative weight to use, default: 1
weight <INT>
# Set weight to 0
# when healthchecker detects failure
inhibit_on_failure # (when a failure is detected, lower this RS's weight to 0)

# Script to launch when healthchecker
# considers service as up.
notify_up <STRING>|<QUOTED-STRING> # (script triggered when the RS comes up)
# Script to launch when healthchecker
# considers service as down.
notify_down <STRING>|<QUOTED-STRING>

# pick one healthchecker (check method)
# HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK

# HTTP and SSL healthcheckers
HTTP_GET|SSL_GET
{
# A url to test
# can have multiple entries here
url {
#eg path / , or path /mrtg2/
path <STRING>
# healthcheck needs status_code
# or status_code and digest
# Digest computed with genhash
# eg digest 9b3a0c85a887a256d6939da88aabd8cd
digest <STRING>
# status code returned in the HTTP header
# eg status_code 200
status_code <INT> # (check based on the HTTP status code)
}
#IP, tcp port for service on realserver
connect_port <PORT> # (which port to connect to)
bindto <IPADDR>
# Timeout connection, sec
connect_timeout <INT> # (connection timeout)
# number of get retry
nb_get_retry <INT> # (number of retries)
# delay before retry
delay_before_retry <INT> # (delay between retries)
} #HTTP_GET|SSL_GET

#TCP healthchecker (bind to IP port)
TCP_CHECK
{
connect_port <PORT> # (which port to check)
bindto <IPADDR>
connect_timeout <INT>
} #TCP_CHECK

# SMTP healthchecker (SMTP is not used much, is it?)
SMTP_CHECK
{
# An optional host interface to check.
# If no host directives are present, only
# the ip address of the real server will
# be checked.
host {
# IP address to connect to
connect_ip <IP ADDRESS>
# Optional port to connect to if not
# the default of 25
connect_port <PORT>
# Optional interface to use to
# originate the connection
bindto <IP ADDRESS>
}
# Connection and read/write timeout
# in seconds
connect_timeout <INTEGER>
# Number of times to retry a failed check
retry <INTEGER>
# Delay in seconds before retrying
delay_before_retry <INTEGER>
# Optional string to use for the smtp HELO request
helo_name <STRING>|<QUOTED-STRING>
} #SMTP_CHECK

#MISC healthchecker, run a program
MISC_CHECK
{
# External system script or program
misc_path <STRING>|<QUOTED-STRING>
# Script execution timeout
misc_timeout <INT>

# If set, exit code from healthchecker is used
# to dynamically adjust the weight as follows:
# exit status 0: svc check success, weight
# unchanged.
# exit status 1: svc check failed.
# exit status 2-255: svc check success, weight
# changed to 2 less than exit status.
# (for example: exit status of 255 would set
# weight to 253)
misc_dynamic
}
} # realserver defn
} # virtual service
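
The misc_dynamic exit-status rule described in the MISC_CHECK block, as an added example that is not from the man page or the original post. The three inputs and the function name are assumptions made for the illustration:

```sh
#!/bin/sh
# Added example, not from the keepalived man page: exit codes for a
# MISC_CHECK script used with misc_dynamic.
#   0      check passed, weight unchanged
#   1      check failed
#   2-255  check passed, weight becomes (status - 2)
# Inputs are assumptions for the example: $1 = 1 if the service answered,
# $2 = utilisation in percent, $3 = weight to use when idle.
misc_exit_status() {
    alive="$1"; util="$2"; max="$3"
    # Anything non-numeric is reported as a failed check, never as a weight.
    for v in "$alive" "$util" "$max"; do
        case "$v" in
            ""|*[!0-9]*) echo 1; return 0 ;;
        esac
    done
    if [ "$alive" -ne 1 ]; then echo 1; return 0; fi
    if [ "$util" -gt 100 ]; then util=100; fi
    # 255 is the largest exit status, so 253 is the largest weight.
    if [ "$max" -gt 253 ]; then max=253; fi
    weight=$(( max * (100 - util) / 100 ))
    # weight 0 yields status 2: the check still passes, the server
    # simply stops receiving new connections.
    echo $(( weight + 2 ))
}

if [ "$#" -eq 3 ]; then
    exit "$(misc_exit_status "$@")"
fi
```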






4th Berkeley Distribution Jan 2004 KEEPALIVED.CONF(5)
