一. 在172.17.60.39主機上部署haproxy+keepalived:
1. 安裝haproxy環境
[root@myhost ~]#yum -y install libnl libnl-devel libnfnetlink libnfnetlink-devel kernel-devel popt-devel openssl-devel gcc
[root@myhost ~]#systemctl stop firewalld
[root@myhost ~]#systemctl disable firewalld
[root@myhost ~]#setenforce 0   （只對本次開機生效；重啓後以 /etc/selinux/config 的設定為準）
[root@myhost ~]#mkdir -pv /services/current_apps
[root@myhost ~]#mkdir -pv /services/download_soft_v
[root@myhost ~]#cd /services/download_soft_v
2.下載haproxy-1.8.13版本並解壓
[root@myhost download_soft_v]#wget -c http://10.10.9.250/Linux-SYS/haproxy-1.8.13.tar.gz
[root@myhost download_soft_v]#tar zxvf haproxy-1.8.13.tar.gz
[root@myhost download_soft_v]#cd haproxy-1.8.13
3. 用 uname -a 確認系統核心版本，並按實際版本修改下面 make 命令中的 TARGET=linux310（即×××部分）
[root@myhost haproxy-1.8.13]#make TARGET=linux310 USE_OPENSSL=1 ADDLIB=-lz PREFIX=/services/current_apps/haproxy-1.8.13
4. 用make install安裝到指定目錄
[root@myhost haproxy-1.8.13]#make install PREFIX=/services/current_apps/haproxy-1.8.13
5. 創建haproxy用戶和相關目錄
[root@myhost haproxy-1.8.13]#useradd -s /sbin/nologin haproxy
[root@myhost haproxy-1.8.13]#mkdir -pv /var/lib/haproxy
[root@myhost haproxy-1.8.13]#mkdir -pv /services/current_apps/haproxy-1.8.13/ssl
[root@myhost haproxy-1.8.13]#chown -R haproxy:haproxy /var/lib/haproxy
[root@myhost haproxy-1.8.13]#cp /services/download_soft_v/haproxy-1.8.13/examples/haproxy.init /etc/init.d/haproxy
[root@myhost haproxy-1.8.13]#chmod +x /etc/init.d/haproxy
[root@myhost haproxy-1.8.13]#ln -sf /services/current_apps/haproxy-1.8.13 /etc/haproxy
[root@myhost haproxy-1.8.13]#ln -s /etc/haproxy/sbin/haproxy /usr/sbin/
6. 設定haproxy日誌目錄
[root@myhost haproxy-1.8.13]#mkdir -pv /services/haproxy_logs
[root@myhost haproxy-1.8.13]#echo 'local0.* /services/haproxy_logs/haproxy.log'>>/etc/rsyslog.conf
7. 編輯rsyslog開啓UDP(去掉下面兩行前面的#號),並添加local0.none（haproxy 只向 127.0.0.1 送日誌，可在 $UDPServerRun 之前加一行 $UDPServerAddress 127.0.0.1，避免 514/udp 對整個網路開放）
[root@myhost haproxy-1.8.13]#vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
8. 改完重啓rsyslog
[root@myhost haproxy-1.8.13]#systemctl restart rsyslog
9. 設置haproxy日誌切割,清空這個文件並黏貼以下代碼
[root@myhost haproxy-1.8.13]#vi /etc/logrotate.d/haproxy
/services/haproxy_logs/haproxy.log {
# This file is written by rsyslog (runbook steps 6-7); haproxy itself only
# sends log lines over UDP to 127.0.0.1 and never holds the file open.
daily
rotate 30
missingok
notifempty
dateext
compress
sharedscripts
postrotate
# rsyslog must be told to reopen the rotated file. Both pid files are tried
# because the name differs between syslogd and rsyslogd installs.
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
# Not needed for the rotation itself (haproxy does not write the file);
# kept as the author had it.
service haproxy reload
endscript
}
10. 設置內核優化和ip轉發（注意：第20步的 ulimit.sh 會整個覆寫 /etc/sysctl.conf，這兩項必須在該腳本內一併保留，否則執行第21步後會丟失）
[root@myhost haproxy-1.8.13]#echo "net.ipv4.ip_nonlocal_bind = 1" >>/etc/sysctl.conf
[root@myhost haproxy-1.8.13]#echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
[root@myhost haproxy-1.8.13]#sysctl -p
11. 配置haproxy.cfg,複製以下代碼
[root@myhost haproxy-1.8.13]#vi /etc/haproxy/haproxy.cfg
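global
    # Log over syslog to the local rsyslog UDP listener (runbook step 7);
    # rsyslog writes /services/haproxy_logs/haproxy.log.
    log 127.0.0.1 local0 info
    log 127.0.0.1 local1 notice
    maxconn 75535
    ulimit-n 655350
    # Drop into a chroot and to an unprivileged user once sockets are bound.
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon
    nbproc 8 # set to the real number of CPU cores
#-----------------------------------
# status page.
#-----------------------------------
defaults
    log global
    mode http
    option httplog
    retries 3
    maxconn 75535
    balance leastconn
    timeout connect 30s
    timeout client 60s
    timeout server 60s
    timeout http-request 30s
    timeout http-keep-alive 30s
    timeout queue 1m
    timeout check 30s
frontend web_in
    bind *:80
    no option http-server-close
    option forwardfor
    # Path-prefix routing; each acl selects the backend of the same name.
    acl mzj_web_zxft_acl path_beg -i /zxft
    acl mzj_web_jzcx_acl path_beg -i /jzcx
    acl mzj_web_login_acl path_beg -i /login
    acl mzj_web_welfare_acl path_beg -i /welfare
    acl mzj_web_xzsp-web_acl path_beg -i /xzsp-web
    acl mzj_web_volunteer_acl path_beg -i /volunteer
    acl mzj_web_edu_acl path_beg -i /edu
    acl mzj_web_shsw_acl path_beg -i /shsw
    # hdr_reg is an unanchored regular expression: "." matches any character
    # and the pattern may appear anywhere in the Host value. Kept as written;
    # "hdr(host) -i mzj.sh.gov.cn" would be an exact match instead.
    acl mzj_web_acl hdr_reg(host) -i mzj.sh.gov.cn
    use_backend mzj_web_zxft if mzj_web_zxft_acl
    use_backend mzj_web_login if mzj_web_login_acl
    use_backend mzj_web_jzcx if mzj_web_jzcx_acl
    use_backend mzj_web_welfare if mzj_web_welfare_acl
    use_backend mzj_web_xzsp-web if mzj_web_xzsp-web_acl
    use_backend mzj_web_volunteer if mzj_web_volunteer_acl
    use_backend mzj_web_edu if mzj_web_edu_acl
    use_backend mzj_web_shsw if mzj_web_shsw_acl
    use_backend mzj_web if mzj_web_acl
    # Requests matching no acl go to a backend that only serves refusals.
    default_backend refuse-url
#((
    # Captured headers show up in the %hrl / %hsl fields of the log-format.
    capture request header Host len 64
    capture request header User-Agent len 128
    capture request header X-Forwarded-For len 100
    capture request header Referer len 200
    capture response header Server len 40
    capture response header Server-ID len 40
    # capture: captured header information
    # Quoted form of the original backslash-escaped format (the runbook line
    # ended in a stray "\"); the fields are unchanged.
    log-format "%ci:%cp %si:%sp %B %U %ST %r %b %f %bi %hrl %hsl"
#))
#
backend refuse-url
    mode http
    balance source
    server refuse-url 192.168.3.55:80 check rise 2 inter 5000 fall 3
backend mzj_web
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.66_80 172.17.60.66:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_login
    mode http
    balance roundrobin
    cookie SERVERID
    server 181.45_80 172.17.60.9:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_jzcx
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.5_80 172.17.60.5:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_welfare
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.15_80 172.17.60.15:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_xzsp-web
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.12_80 172.17.60.12:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_zxft
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.5_80 172.17.60.5:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_volunteer
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.9_80 172.17.60.9:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_edu
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.29_3001 172.17.60.29:3001 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_shsw
    mode http
    balance roundrobin
    cookie SERVERID
    server 60.29_80 172.17.60.29:80 cookie web1 inter 3000 rise 3 fall 3 check
#-----------------------------------
# monitor status page.
#-----------------------------------
listen stats
    # Listens on every address; with firewalld disabled (step 1) the stats page
    # is reachable from the whole network. Prefer a management address here.
    bind 0.0.0.0:8011
    mode http
    stats enable
    stats refresh 60s
    stats hide-version
    # "stats uri" takes a single prefix; the runbook's "/ hastats" contained a
    # stray space.
    stats uri /hastats
    # A space inside the realm has to be escaped as "\ " (or the value quoted).
    stats realm Haproxy\ statistic
    # HTTP basic-auth credential carried in clear text over plain HTTP; change
    # it from the runbook value before the node goes live.
    stats auth admin:wdit2017
    timeout connect 10000
    timeout client 50000
    timeout server 50000
    bind-process 1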
12. 設置開機自啓動和目錄權限
[root@myhost haproxy-1.8.13]#chown -R haproxy:haproxy /etc/haproxy
[root@myhost haproxy-1.8.13]#chkconfig haproxy on
13. 下載keepalived
[root@myhost haproxy-1.8.13]cd /services/download_soft_v
[root@myhost download_soft_v]wget -c http://104.225.234.20/keepalived-2.0.11.tar.gz
[root@myhost download_soft_v]tar -zxvf keepalived-2.0.11.tar.gz
[root@myhost download_soft_v]cd keepalived-2.0.11
14. 編譯安裝
[root@myhost keepalived-2.0.11]./configure --prefix=/services/current_apps/keepalived-2.0.11
[root@myhost keepalived-2.0.11]make && make install
15. 設置一些keepalived環境
[root@myhost keepalived-2.0.11]cp /services/download_soft_v/keepalived-2.0.11/keepalived/etc/init.d/keepalived /etc/init.d/
[root@myhost keepalived-2.0.11]ln -sf /services/current_apps/keepalived-2.0.11 /etc/keepalived
[root@myhost keepalived-2.0.11]ln -s /etc/keepalived/sbin/keepalived /usr/sbin/
[root@myhost keepalived-2.0.11]chkconfig keepalived on
[root@myhost keepalived-2.0.11]mkdir -pv /etc/keepalived/script
16. 編輯檢測ha腳本文件
[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/check_haproxy_process.sh
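#!/bin/bash
# keepalived vrrp_script for this node (referenced from keepalived.conf as
# chk_haproxy_process, run every 10 s):
#   1. if no haproxy process exists, try to start it;
#   2. wait a few seconds and look again; if it is still missing, stop
#      keepalived so the VIP moves to the other node.
# Exit status: 0 when haproxy is running by the end, 1 when it could not be
# started. The original version had no failing exit path, so keepalived's
# track_script "weight" could never react to a dead haproxy.
set -u

#######################################
# True when at least one process named exactly "haproxy" exists.
#######################################
haproxy_running() {
  pgrep -x haproxy >/dev/null 2>&1
}

main() {
  if ! haproxy_running; then
    /etc/init.d/haproxy start
  fi
  # Give the init script time to fork the workers before re-checking.
  sleep 5
  if ! haproxy_running; then
    /etc/init.d/keepalived stop
    exit 1
  fi
  exit 0
}

main "$@"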
17. 編輯notify-master.sh腳本
[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/notify-master.sh
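#!/bin/bash
# keepalived notify_master hook: mail an alert when this node takes over the
# VIP. The runbook version assigned the ifconfig pipeline to HOST_IP as a
# literal string (no command substitution) and mailed the literal text
# "uptime; ip addr show eth0; echo" instead of the output of those commands.
set -u

readonly IFACE=eth0
# Recipient exactly as it appeared in the runbook, where it had been mangled
# by extraction — replace with the real operations mailbox.
readonly MAIL_TO="[email protected]"

#######################################
# Print the first IPv4 address on $IFACE without its prefix length
# (empty when the interface has none).
#######################################
primary_ipv4() {
  ip -4 -o addr show dev "$IFACE" | awk '{ print $4 }' | head -n 1 | cut -d/ -f1
}

main() {
  local addr
  addr=$(primary_ipv4)
  # Body: uptime plus the interface state showing the VIP; the subject keeps
  # the original "<ip>-HA change to master." wording.
  { uptime; ip addr show "$IFACE"; echo; } \
    | mail -s "${addr:-$(hostname)}-HA change to master." "$MAIL_TO"
}

main "$@"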
18. 添加兩個腳本權限
[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/check_haproxy_process.sh
[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/notify-master.sh
19. 編輯 /usr/lib/systemd/system/keepalived.service，把 [Unit] 段替換成下面這段
[root@myhost keepalived-2.0.11]vi /usr/lib/systemd/system/keepalived.service
[Unit]
Description=LVS and VRRP High Availability Monitor
After=syslog.target network-online.target haproxy.service
Requires=haproxy.service
20. 編輯vi /root/ulimit.sh,黏貼以下代碼
[root@myhost keepalived-2.0.11]vi /root/ulimit.sh
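#!/bin/bash
# One-off host tuning for the HA nodes (runbook steps 20-21):
#   1. /etc/security/limits.conf            - nofile / nproc / stack limits
#   2. /etc/security/limits.d/90-nproc.conf - nproc override
#   3. /etc/sysctl.conf                     - kernel and network tuning, then sysctl -p
# Each file is copied to <file>_<YYYY-MM-DD> before it is replaced. If that
# backup fails the file is left untouched, a message is printed and the script
# moves on to the next file (the same best-effort behaviour as the original).
# Run as root.
set -u

DATE=$(date +%F)
readonly DATE

#######################################
# Back up a file and then overwrite it with whatever arrives on stdin.
# Arguments: $1 - path of the file to replace
#            $2 - message printed to stderr when the backup fails
# Returns:   0 on success, 1 when the backup failed and nothing was written
#######################################
replace_config() {
  local path=$1 failure_msg=$2
  if cp -f -- "$path" "${path}_${DATE}"; then
    cat >"$path"
  else
    printf '%s\n' "$failure_msg" >&2
    sleep 5
    return 1
  fi
}

### Limits.conf
replace_config /etc/security/limits.conf 'limits.conf change error, please check ???' <<'EOF'
* soft nofile 755350
* hard nofile 755350
* soft nproc 185534
* hard nproc 185534
* soft stack 1024
* hard stack 1024
EOF

replace_config /etc/security/limits.d/90-nproc.conf '90-nproc.conf error, please check ???' <<'EOF'
* soft nproc 185534
EOF

# Sysctl. This REPLACES /etc/sysctl.conf, so anything appended earlier is lost
# unless it is listed here: runbook step 10 added net.ipv4.ip_nonlocal_bind = 1
# and net.ipv4.ip_forward = 1. ip_nonlocal_bind is carried over below;
# ip_forward stays 0 as this file originally set it (that value won after
# step 21 anyway, and a layer-7 proxy does not need IP forwarding).
replace_config /etc/sysctl.conf 'sysctl.conf change error, please check ???' <<'EOF'
kernel.sysrq = 0
kernel.panic = 30
kernel.softlockup_panic=1
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 25769803776
kernel.shmall = 4294967296
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
kernel.hung_task_timeout_secs = 0
kernel.core_pattern = core
fs.file-max = 655350
net.ipv4.ip_forward = 0
# carried over from runbook step 10 so the BACKUP node may bind the VIP
# before it owns it
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 3
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
# (sysctl then reports an unknown key); it still exists on the 3.10 kernel
# this runbook targets
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 40960
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_sack = 1
# net.nf_conntrack_* / net.netfilter.* / net.bridge.* only exist while the
# nf_conntrack and br_netfilter modules are loaded; otherwise sysctl -p
# prints an error for each key and carries on
net.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_mem = 3097431 4129911 6194862
net.ipv4.tcp_rmem = 4096 87380 6291456
net.ipv4.tcp_wmem = 4096 65536 4194304
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_probes = 2
net.ipv4.tcp_keepalive_intvl = 15
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
vm.swappiness = 5
vm.zone_reclaim_mode = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
# drop_caches is a one-shot trigger, not a persistent setting: leaving it here
# drops the page cache every time sysctl -p runs
vm.drop_caches = 1
vm.dirty_ratio = 30
vm.dirty_background_ratio = 30
vm.dirty_writeback_centisecs = 50000
vm.vfs_cache_pressure = 200
vm.min_free_kbytes = 1024000
EOF
sysctl -p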
21. 執行ulimit腳本
[root@myhost keepalived-2.0.11]sh /root/ulimit.sh
22. 編輯policy.sh
[root@myhost keepalived-2.0.11]vi /root/policy.sh
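#!/bin/bash
# Baseline account / SSH policy for the HA nodes (runbook steps 22-23).
# Changes from the runbook one-liner version:
#   * login.defs and sshd_config edits match on the directive name instead of
#     fixed line numbers (25c, 27c) or one exact commented form, which either
#     clobber the wrong line or silently change nothing on a different layout;
#   * the sudo grant goes to /etc/sudoers.d/mzj and is only installed after
#     visudo accepts it, instead of "sed 91a" into /etc/sudoers;
#   * the mzj password comes from $MZJ_PASSWORD rather than a literal in the
#     script (the literal was also visible to `ps` while passwd ran);
#   * sshd_config is validated before sshd is restarted, since this script
#     also turns PermitRootLogin off.
# Usage: MZJ_PASSWORD='...' bash /root/policy.sh   (as root)
set -u

: "${MZJ_PASSWORD:?set MZJ_PASSWORD to the initial password for user mzj}"
readonly SUDOERS_DROPIN=/etc/sudoers.d/mzj

#######################################
# Set "KEY value" in a config file: rewrite the active line if one exists,
# otherwise append it.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
set_active_kv() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s/^[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

# Password ageing and minimum length (previously sed '25c' / '27c').
set_active_kv /etc/login.defs PASS_MAX_DAYS 90
set_active_kv /etc/login.defs PASS_MIN_LEN 7

# Idle shell timeout; append only once.
grep -q '^TMOUT=' /etc/profile || printf 'TMOUT=600\n' >>/etc/profile

# Disable root SSH login whether the directive is commented out, already set,
# or absent (the original only rewrote the exact text "#PermitRootLogin yes").
if grep -Eq '^#?[[:space:]]*PermitRootLogin[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  printf 'PermitRootLogin no\n' >>/etc/ssh/sshd_config
fi

# Admin account; the password reaches passwd over stdin, not argv.
id mzj >/dev/null 2>&1 || useradd mzj
printf '%s\n' "$MZJ_PASSWORD" | passwd --stdin mzj

# Passwordless sudo for mzj as in the runbook (root-equivalent access; drop
# NOPASSWD if that is not what is wanted). Written as a drop-in, which needs
# the default "#includedir /etc/sudoers.d" line in /etc/sudoers, and only
# installed once visudo accepts it.
tmp=$(mktemp) || exit 1
printf 'mzj ALL=(ALL) NOPASSWD:ALL\n' >"$tmp"
if visudo -cf "$tmp" >/dev/null; then
  install -m 0440 -o root -g root "$tmp" "$SUDOERS_DROPIN"
else
  printf 'sudoers entry failed validation; not installed\n' >&2
fi
rm -f -- "$tmp"

# Lock the legacy system accounts; a missing account is reported, not fatal.
for acct in adm lp sync shutdown halt mail uucp operator games gopher; do
  usermod -L "$acct" || printf 'could not lock account %s\n' "$acct" >&2
done

# Restart sshd only if the edited config parses, so a typo cannot lock us out.
if sshd -t; then
  service sshd restart
else
  printf 'sshd_config failed validation; sshd not restarted\n' >&2
  exit 1
fi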
23.執行policy.sh
[root@myhost keepalived-2.0.11]sh /root/policy.sh
24. 編輯keepalived主配置文件
[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
! Node 172.17.60.39: BACKUP with priority 90 (its peer in part 二 is MASTER, 100).
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server mail.wdit.com.cn
smtp_connect_timeout 60
# must differ from the peer's router_id
router_id HAProxy_CIIE_Slave
}
# Health check run every 10 s. With a positive weight keepalived adds it to the
# priority while the script exits 0 and removes it when the script fails; the
# runbook's check script has no failing exit path and instead stops keepalived
# outright when haproxy cannot be started. keepalived 2.x also checks the
# script's ownership and permissions before running it as root, so keep it
# root-owned and not group/world writable (step 18 only adds +x).
vrrp_script chk_haproxy_process {
script "/etc/keepalived/script/check_haproxy_process.sh"
interval 10
weight 2
}
vrrp_instance 36.1 {
state BACKUP
interface eth0
# same value on both peers: it identifies the VRRP group on the LAN
virtual_router_id 202
priority 90
advert_int 1
smtp_alert
# PASS authentication travels in clear text in every VRRP advertisement and
# keepalived uses at most its first 8 characters; "1111" is the runbook
# placeholder — set the same non-trivial value on both peers.
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy_process
}
virtual_ipaddress {
# the floating VIP; haproxy binds *:80, so it serves this address as soon as
# it is added
172.17.60.77/32 dev eth0 scope global
}
notify_master "/etc/keepalived/script/notify-master.sh"
}
25. 開啓服務並自啓動
[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy
二. 在172.17.60.41主機上部署haproxy+keepalived:
1.從1-23步驟一模一樣重複做一遍
2. 編輯 /etc/keepalived/keepalived.conf文件黏貼以下代碼
[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
! Node 172.17.60.41: MASTER with priority 100 (its peer in part 一 is BACKUP, 90).
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server mail.wdit.com.cn
smtp_connect_timeout 60
#router_id MUST BE different in the same network
router_id HAProxy_CIIE_Master
}
# Health check run every 10 s. With a positive weight keepalived adds it to the
# priority while the script exits 0 and removes it when the script fails; the
# runbook's check script has no failing exit path and instead stops keepalived
# outright when haproxy cannot be started. keepalived 2.x also checks the
# script's ownership and permissions before running it as root, so keep it
# root-owned and not group/world writable (step 18 only adds +x).
vrrp_script chk_haproxy_process {
script "/etc/keepalived/script/check_haproxy_process.sh"
interval 10
weight 2
}
vrrp_instance 60.77 {
state MASTER
interface eth0
#ID MUST BE different in the same network
# (and identical on the two peers of this pair, which share 202)
virtual_router_id 202
priority 100
advert_int 1
smtp_alert
# PASS authentication travels in clear text in every VRRP advertisement and
# keepalived uses at most its first 8 characters; "1111" is the runbook
# placeholder — set the same non-trivial value on both peers.
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy_process
}
virtual_ipaddress {
# the floating VIP; haproxy binds *:80, so it serves this address as soon as
# it is added
172.17.60.77/32 dev eth0 scope global
}
notify_master "/etc/keepalived/script/notify-master.sh"
}
3. 開啓服務並自啓動
[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy