Keepalived Configuration Manual

Official site: https://www.keepalived.org/manpage.html

1. Description

keepalived.conf is the configuration file that describes all the Keepalived keywords. Keywords are placed in a hierarchy of blocks and sub-blocks, each level being delimited by a pair of "{" and "}". Comments start with "#" or "!" and run to the end of the line; they can start anywhere on a line. The keyword "include" allows other configuration files to be included, either from the main configuration file or from files that were themselves included.

The include directive has the form:

 include FILENAME

The filename can be a fully qualified or a relative pathname, and may contain wildcards, including csh-style brace expressions if glob() supports them, such as

 "{foo/{,cat,dog},bar}" 

After an included file is opened, the current directory is set to the directory of that file, so any relative paths included from the file are relative to the directory of the including file itself.

2. Parameter syntax

 <BOOL> is one of on|off|true|false|yes|no.
 <TIMER> is a time value in seconds, including fractional seconds, e.g. 2.71828 or 3; the resolution of timers is microseconds.

3. Scripts

There are three classes of scripts that can be configured to be executed:

a. Notify scripts, which are run when a vrrp instance or vrrp group changes state, or when a virtual server quorum changes between up and down.

b. vrrp tracking scripts, which cause the vrrp instance to go down if they exit with a non-zero exit status, or, if a weight is specified, add or subtract that weight to/from the priority of the vrrp instance.

c. LVS checker misc scripts, which cause the real server to be marked down if they exit with a non-zero status.

By default, scripts are executed as the user keepalived_script if that user exists, otherwise as root; for each script, however, the user/group under which it is to be executed can be specified.

Executing scripts with root privileges has significant security implications, especially if the scripts themselves can be modified or replaced by non-root users. Consequently, security checks are made at startup to ensure that if a script is to be executed by root, it cannot be modified or replaced by a non-root user.

All scripts should be written so that they terminate on receipt of a SIGTERM signal. Scripts are sent SIGTERM if their parent terminates, or if keepalived is waiting for the script's exit status and it has been running for too long.

4. Top level

The Keepalived configuration file is built around a set of configuration blocks. Each block covers a specific daemon family feature. These features are:

GLOBAL CONFIGURATION

BFD CONFIGURATION

VRRPD CONFIGURATION

LVS CONFIGURATION

5. Global configuration

Contains the sub-blocks for global definitions, Linkbeat interfaces, static track groups, static addresses, static routes and static rules.

6. Global definitions

       # Following are global daemon facilities for running
       # keepalived in a separate network namespace:
       # --
       # Set the network namespace to run in.
       # The directory /var/run/keepalived will be created as an
       # unshared mount point, for example for pid files.
       # syslog entries will have _NAME appended to the ident.
       # Note: the namespace cannot be changed on a configuration reload.
       net_namespace NAME

       # ipsets weren't network namespace aware until Linux 3.13, and so
       # if running with an earlier version of the kernel, by default
       # use of ipsets is disabled if using a namespace and vrrp_ipsets
       # has not been specified. This option overrides the default and
       # allows ipsets to be used with a namespace on kernels prior to 3.13.
       namespace_with_ipsets

       # If multiple instances of keepalived are run in the same namespace,
       # this will create pid files with NAME as part of the file names,
       # in /var/run/keepalived.
       # Note: the instance name cannot be changed on a configuration reload
       instance NAME

       # Create pid files in /var/run/keepalived
       use_pid_dir

       # Poll to detect media link failure using ETHTOOL, MII or ioctl interface
       # otherwise uses netlink interface.
       linkbeat_use_polling

       # Time for main process to allow for child processes to exit on termination
       # in seconds. This can be needed for very large configurations.
       # (default: 5)
       child_wait_time SECS

       # Global definitions configuration block
       global_defs {
           # Set the process names of the keepalived processes to the default values:
           #   keepalived, keepalived_vrrp, keepalived_ipvs, keepalived_bfd
           process_names

           # Specify the individual process names
           process_name NAME
           vrrp_process_name NAME
           ipvs_process_name NAME
           bfd_process_name NAME

           # Set of email To: notify
           notification_email {
               [email protected]
               ...
           }

           # email from address that will be in the header
           # (default: keepalived@<local host name>)
           notification_email_from [email protected]

           # Remote SMTP server used to send notification email.
           # IP address or domain name with optional port number.
           # (default port number: 25)
           smtp_server 127.0.0.1 [<PORT>]

           # Name to use in HELO messages.
           # (default: local host name)
           smtp_helo_name <STRING>

           # SMTP server connection timeout in seconds.
           smtp_connect_timeout 30

           # Sets default state for all smtp_alerts
           smtp_alert <BOOL>

           # Sets default state for vrrp smtp_alerts
           smtp_alert_vrrp <BOOL>

           # Sets default state for checker smtp_alerts
           smtp_alert_checker <BOOL>

           # Log all checker failures while the checker is up
           checker_log_all_failures <BOOL>

           # If set, keepalived only removes virtual servers at shutdown
           #  (the kernel will remove the real servers). This is faster
           #  for large configurations.
           checker_shutdown_vs_only

           # Don't send smtp alerts for fault conditions
           no_email_faults

           # String identifying the machine (doesn't have to be hostname).
           # (default: local host name)
           router_id <STRING>

           # Multicast Group to use for IPv4 VRRP adverts
           # (default: 224.0.0.18)
           vrrp_mcast_group4 224.0.0.18

           # Multicast Group to use for IPv6 VRRP adverts
           # (default: ff02::12)
           vrrp_mcast_group6 ff02::12

           # sets the default interface for static addresses.
           # (default: eth0)
           default_interface p33p1.3

           # Sync daemon as provided by IPVS kernel code only support
           # a single daemon instance at a time to synchronize connection table.
           # Binding interface, vrrp instance and optional
           #  syncid for lvs syncd
           #  syncid (0 to 255) for lvs syncd
           #  maxlen (1..65507) maximum packet length
           #  port (1..65535) UDP port number to use
           #  ttl (1..255)
           #  group - multicast group address (IPv4 or IPv6)
           # NOTE: maxlen, port, ttl and group are only available on Linux 4.3 or later.
           lvs_sync_daemon <INTERFACE> <VRRP_INSTANCE> [id <SYNC_ID>] [maxlen <LEN>] \
                           [port <PORT>] [ttl <TTL>] [group <IP ADDR>]

           # flush any existing LVS configuration at startup
           lvs_flush

           # flush remaining LVS configuration at shutdown
           lvs_flush_onstop

           # delay for second set of gratuitous ARPs after transition to MASTER.
           # in seconds, 0 for no second set.
           # (default: 5)
           vrrp_garp_master_delay 10

           # number of gratuitous ARP messages to send at a time after
           # transition to MASTER.
           # (default: 5)
           vrrp_garp_master_repeat 1

           # delay for second set of gratuitous ARPs after lower priority
           # advert received when MASTER.
           vrrp_garp_lower_prio_delay 10

           # number of gratuitous ARP messages to send at a time after
           # lower priority advert received when MASTER.
           vrrp_garp_lower_prio_repeat 1

           # minimum time interval for refreshing gratuitous ARPs while MASTER.
           # in seconds.
           # (default: 0 (no refreshing))
           vrrp_garp_master_refresh 60

           # number of gratuitous ARP messages to send at a time while MASTER
           # (default: 1)
           vrrp_garp_master_refresh_repeat 2

           # Delay in ms between gratuitous ARP messages sent on an interface
           # decimal, seconds (resolution usecs).
           # (default: 0)
           vrrp_garp_interval 0.001

           # Delay in ms between unsolicited NA messages sent on an interface
           # decimal, seconds (resolution usecs).
           # (default: 0)
           vrrp_gna_interval 0.000001

           # By default keepalived sends 5 gratuitous ARP/NA messages at a
           # time, and after transitioning to MASTER sends a second block of
           # 5 messages 5 seconds later.
           # With modern switches this is unnecessary, so setting vrrp_min_garp
           # causes only one ARP/NA message to be sent, with no repeat 5 seconds
           # later.
           vrrp_min_garp [<BOOL>]

           # If a lower priority advert is received, don't send another advert.
           # This causes adherence to the RFCs. Defaults to false, unless
           # strict_mode is set.
           vrrp_lower_prio_no_advert [<BOOL>]

           # If we are master and receive a higher priority advert, send an advert
           # (which will be lower priority than the other master), before we
           # transition to backup. This means that if the other master has
           # garp_lower_priority_repeat set, it will resend garp messages.
           # This is to get around the problem of there having been two simultaneous
           # masters, and the last GARP messages seen were from us.
           vrrp_higher_prio_send_advert [<BOOL>]

           # Set the default VRRP version to use
           # (default: 2 , but IPv6 instances will use version 3)
           vrrp_version <2 or 3>

           # Specify the iptables chain for ensuring a version 3 instance
           # doesn't respond on addresses that it doesn't own.
           # Note: it is necessary for the specified chain to exist in
           # the iptables and/or ip6tables configuration, and for the chain
           # to be called from an appropriate point in the iptables configuration.
           # It will probably be necessary to have this filtering after accepting
           # any ESTABLISHED,RELATED packets, because IPv4 might select the VIP as
           # the source address for outgoing connections.
           # (default: INPUT)
           vrrp_iptables keepalived

           # or for outbound filtering as well
           # Note, outbound filtering won't work with IPv4, since the VIP can be
           # selected as the source address for an outgoing connection. With IPv6
           # this is unlikely since the addresses are deprecated.
           vrrp_iptables keepalived_in keepalived_out

           # or to not add any iptables rules:
           vrrp_iptables

           # Keepalived may have the option to use ipsets in conjunction with
           # iptables. If so, then the ipset names can be specified, defaults
           # as below. If no names are specified, ipsets will not be used,
           # otherwise any omitted names will be constructed by adding "_if"
           # and/or "6" and _igmp/_mld to previously specified names.
           vrrp_ipsets [keepalived [keepalived6 [keepalived_if6 [keepalived_igmp [keepalived_mld]]]]]

           # Use nftables to implement no_accept mode and only send IGMP/MLD
           #   messages on the parent interface of a VMAC.
           #   TABLENAME must not exist, and must be different for each
           #   instance of keepalived running in the same network namespace.
           #   Default tablename is keepalived, and priority is -1.
           #   keepalived will create base chains in the table.
           #   counters means counters are added to the rules (primarily for
           #   debugging purposes).
           #   ifindex means create IPv6 link local sets using ifindex rather
           #   than ifnames. This is the default unless the vrrp_instance has
           #   set dont_track_primary. The alternative is to use interface names
           #   as part of the set key, but the nft utility prior to v0.8.3 will
           #   then not output interface names properly.
           nftables [TABLENAME]
           nftables_priority PRIORITY
           nftables_counters
           nftables_ifindex

           # The following enables checking that when in unicast mode, the
           # source address of a VRRP packet is one of our unicast peers.
           vrrp_check_unicast_src

           # Checking all the addresses in a received VRRP advert can be time
           # consuming. Setting this flag means the check won't be carried out
           # if the advert is from the same master router as the previous advert
           # received.
           # (default: don't skip)
           vrrp_skip_check_adv_addr

           # Enforce strict VRRP protocol compliance. This will prohibit:
           #   0 VIPs
           #   unicast peers
           #   IPv6 addresses in VRRP version 2
           vrrp_strict

           # Send vrrp instance priority notifications on notify FIFOs.
           vrrp_notify_priority_changes <BOOL>

           # The following options can be used if vrrp, checker or bfd processes
           # are timing out. This can be seen by a backup vrrp instance becoming
           # master even when the master is still running because the master or
           # backup system is too busy to process vrrp packets.
           # --
           # Set the vrrp child process priority (Negative values increase priority)
           vrrp_priority <-20 to 19>

           # Set the checker child process priority
           checker_priority <-20 to 19>

           # Set the BFD child process priority
           bfd_priority <-20 to 19>

           # Set the vrrp child process non swappable
           vrrp_no_swap

           # Set the checker child process non swappable
           checker_no_swap

           # Set the BFD child process non swappable
           bfd_no_swap

           # The following options can be used to force vrrp, checker and bfd
           # processes to run on a restricted CPU set.
           # You can either bind processes to a single CPU or define a set of
           # CPUs. In the latter case the Linux kernel will be restricted to that
           # CPU set when scheduling them. Forcing process binding to a single CPU
           # can increase performance on a heavily loaded box.
           # The INTEGERs following the configuration keyword are cpu_ids
           # as shown in /proc/cpuinfo on the "processor:" lines.
           # --
           # Set CPU Affinity for the vrrp child process
           vrrp_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

           # Set CPU Affinity for the checker child process
           checker_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

           # Set CPU Affinity for the bfd child process
           bfd_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]

           # Set the vrrp child process to use real-time scheduling
           # at the specified priority
           vrrp_rt_priority <1..99>

           # Set the checker child process to use real-time scheduling
           # at the specified priority
           checker_rt_priority <1..99>

           # Set the BFD child process to use real-time scheduling
           # at the specified  priority
           bfd_rt_priority <1..99>

           # Set the limit on CPU time between blocking system calls,
           # in microseconds
           # (default: 1000)
           vrrp_rlimit_rtime >=1
           checker_rlimit_rtime >=1
           bfd_rlimit_rtime >=1

           # If Keepalived has been built with SNMP support, the following
           # keywords are available.
           # Note: Keepalived, checker and RFC support can be individually
           # enabled/disabled
           # --
           # Specify socket to use for connecting to SNMP master agent
           # (see source module keepalived/vrrp/vrrp_snmp.c for more details)
           # (default: unix:/var/agentx/master)
           snmp_socket udp:1.2.3.4:705

           # enable SNMP handling of vrrp element of KEEPALIVED MIB
           enable_snmp_vrrp

           # enable SNMP handling of checker element of KEEPALIVED MIB
           enable_snmp_checker

           # enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
           enable_snmp_rfc

           # enable SNMP handling of RFC2787 VRRP MIB
           enable_snmp_rfcv2

           # enable SNMP handling of RFC6527 VRRP MIB
           enable_snmp_rfcv3

           # enable SNMP traps
           enable_traps

           # If Keepalived has been built with DBus support, the following
           # keywords are available.
           # --
           # Enable the DBus interface
           enable_dbus

           # Name of DBus service
           # Useful if you want to run multiple keepalived processes with DBus enabled
           # (default: org.keepalived.Vrrp1)
           dbus_service_name SERVICE_NAME

           # Specify the default username/groupname to run scripts under.
           # If this option is not specified, the user defaults to keepalived_script
           # if that user exists, otherwise root.
           # If groupname is not specified, it defaults to the user's group.
           script_user username [groupname]

           # Don't run scripts configured to be run as root if any part of the path
           # is writable by a non-root user.
           enable_script_security

           # Rather than using notify scripts, specifying a fifo allows more
           # efficient processing of notify events, and guarantees that they
           # will be delivered in the correct sequence.
           # NOTE: the FIFO names must all be different
           # --
           # FIFO to write notify events to
           # See vrrp_notify_fifo and lvs_notify_fifo for format of output
           # For further details, see the description under vrrp_sync_group.
           # see doc/samples/sample_notify_fifo.sh for sample usage.
           notify_fifo FIFO_NAME [username [groupname]]

           # script to be run by keepalived to process notify events
           # The FIFO name will be passed to the script as the last parameter
           notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

           # FIFO to write vrrp notify events to.
           # The string written will be a line of the form: INSTANCE "VI_1" MASTER 100
           # and will be terminated with a new line character.
           # For further details of the output, see the description under vrrp_sync_group
           # and doc/samples/sample_notify_fifo.sh for sample usage.
           vrrp_notify_fifo FIFO_NAME [username [groupname]]

           # script to be run by keepalived to process vrrp notify events
           # The FIFO name will be passed to the script as the last parameter
           vrrp_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

           # FIFO to write notify healthchecker events to
           # The string written will be a line of the form:
           # VS [192.168.201.15]:tcp:80 {UP|DOWN}
           # RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 {UP|DOWN}
           # and will be terminated with a new line character.
           lvs_notify_fifo FIFO_NAME [username [groupname]]

           # script to be run by keepalived to process healthchecker notify events
           # The FIFO name will be passed to the script as the last parameter
           lvs_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]

           # Allow configuration to include interfaces that don't exist at startup.
           # This allows keepalived to work with interfaces that may be deleted and restored
           #   and also allows virtual and static routes and rules on VMAC interfaces.
           #   allow_if_changes allows an interface to be deleted and recreated with a
           #   different type or underlying interface, eg changing from vlan to macvlan
           #   or changing a macvlan from eth1 to eth2. This is predominantly used for
           #   reporting duplicate VRID errors at startup if allow_if_changes is not set.
           dynamic_interfaces [allow_if_changes]

           # The following options are only needed for large configurations, where either
           # keepalived creates a large number of interfaces, or the system has a large
           # number of interfaces. These options only need using if
           # "Netlink: Receive buffer overrun" messages are seen in the system logs.
           # If the buffer size needed exceeds the value in /proc/sys/net/core/rmem_max
           #  the corresponding force option will need to be set.
           # --
           # Set netlink receive buffer size. This is useful for
           # very large configurations where a large number of interfaces exist, and
           # the initial read of the interfaces on the system causes a netlink buffer
           # overrun.
           vrrp_netlink_cmd_rcv_bufs BYTES
           vrrp_netlink_cmd_rcv_bufs_force <BOOL>
           vrrp_netlink_monitor_rcv_bufs BYTES
           vrrp_netlink_monitor_rcv_bufs_force <BOOL>

           # The vrrp netlink command and monitor sockets, the checker netlink
           # command and monitor sockets, and the process monitor buffer sizes
           # can all be set independently.
           # The force flag means to use SO_RCVBUFFORCE, so that the buffer size
           # can exceed /proc/sys/net/core/rmem_max.
           lvs_netlink_cmd_rcv_bufs BYTES
           lvs_netlink_cmd_rcv_bufs_force <BOOL>
           lvs_netlink_monitor_rcv_bufs BYTES
           lvs_netlink_monitor_rcv_bufs_force <BOOL>

           # As a guide for process_monitor_rcv_bufs for 1400 processes terminating
           # simultaneously, 212992 (the default on some systems) is insufficient, whereas
           # 500000 is sufficient.
           process_monitor_rcv_bufs BYTES
           process_monitor_rcv_bufs_force <BOOL>

           # When a socket is opened, the kernel configures the max rx buffer size for
           # the socket to /proc/sys/net/core/rmem_default. On some systems this can be
           # very large, and even generally this can be much larger than necessary.
           # This isn't a problem so long as keepalived is reading all queued data from
           # its sockets, but if rmem_default was set sufficiently large, and if for
           # some reason keepalived stopped reading, it could consume all system memory.
           # The vrrp_rx_bufs_policy allows configuring of the rx bufs size when the
           # sockets are opened. If the policy is MTU, the rx buf size is configured
           # to the total of interface's MTU * vrrp_rx_bufs_multiplier for each vrrp
           # instance using the socket. Likewise, if the policy is ADVERT, then it is
           # the total of each vrrp instances advert packet size * multiplier.
           # (default: use system default)
           vrrp_rx_bufs_policy [MTU|ADVERT|NUMBER]

           # (default: 3)
           vrrp_rx_bufs_multiplier NUMBER

           # Send notifies at startup for real servers that are starting up
           rs_init_notifies

           # Don't send an email every time a real server checker changes state;
           # only send email when a real server is added or removed
           no_checker_emails

           # The umask to use for creating files. The number can be specified in hex,
           #   octal or decimal. BITS are I{R|W|X}{USR|GRP|OTH}, e.g. IRGRP, separated
           #   by '|'s. The default umask is IWGRP | IWOTH. This option cannot override
           #   the command-line option.
           umask [NUMBER|BITS]

           # On some systems when bond interfaces are created, they can start
           # passing traffic and then have a several second gap when they stop
           # passing traffic inbound. This can mean that if keepalived is started
           # at boot time, i.e. at the same time as bond interfaces are being
           # created, keepalived doesn't receive adverts and hence can become master
           # despite an instance with higher priority sending adverts. This option
           # specifies a delay in seconds before vrrp instances start up after
           # keepalived starts.
           vrrp_startup_delay 5.5

           # Specify random seed for ${_RANDOM}, to make configurations repeatable
           # (default is to use a seed based on the time, so that each time a
           # different configuration will be generated).
           random_seed  UNSIGNED_INT
       }
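
As an added example (not from keepalived or its doc/samples), the following POSIX shell script consumes the line formats documented above for vrrp_notify_fifo and lvs_notify_fifo, turns each line into one normalised record and flags the FAULT/DOWN events an operator usually wants alerted on; it is shaped as a notify_fifo_script, which receives the FIFO name as its last argument. The function names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not keepalived's own code: consumer for notify FIFO lines
# of the forms documented in the global_defs block, e.g.
#   INSTANCE "VI_1" MASTER 100
#   GROUP "G1" BACKUP
#   VS [192.168.201.15]:tcp:80 DOWN
#   RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 UP

# Print one normalised record for a FIFO line; returns 1 for unknown lines.
classify_notify_line() {
    line=$1
    set -f                  # no globbing: "[1.2.3.4]:tcp:80" looks like a pattern
    set -- $line            # intentional word splitting of the FIFO line
    set +f
    case $1 in
        INSTANCE|GROUP)
            kind=$1; name=$2; state=$3; prio=$4
            name=${name#\"}; name=${name%\"}   # strip the quotes keepalived adds
            if [ -n "$prio" ]; then
                printf 'vrrp %s %s -> %s (priority %s)\n' "$kind" "$name" "$state" "$prio"
            else
                printf 'vrrp %s %s -> %s\n' "$kind" "$name" "$state"
            fi
            ;;
        VS)
            printf 'lvs virtual-server %s -> %s\n' "$2" "$3"
            ;;
        RS)
            printf 'lvs real-server %s of %s -> %s\n' "$2" "$3" "$4"
            ;;
        *)
            printf 'unrecognised notify line: %s\n' "$line"
            return 1
            ;;
    esac
}

# Returns 0 for events worth paging on: a vrrp FAULT or an LVS DOWN.
is_alert_event() {
    case $(classify_notify_line "$1") in
        *"-> FAULT"*|*"-> DOWN"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use as a notify_fifo_script: keepalived passes the FIFO name
# as the last argument, so read records from it until the writer closes it.
if [ $# -gt 0 ]; then
    eval "fifo=\${$#}"
    while read -r line; do
        classify_notify_line "$line" || :
    done < "$fifo"
fi
```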