Before building HAProxy+Keepalived, test HAProxy on its own.
I. HAProxy configuration test
(Note for this test: HAProxy has only an internal-network NIC, and the client is also on the internal network.)
1. Prepare the test web servers in advance
yum install httpd -y                          # install httpd
echo 192.168.1.188 >/var/www/html/index.html  # each web server serves its own IP so you can tell which backend answered
systemctl restart httpd
firewall-cmd --permanent --add-port=80/tcp    # open port 80 in the firewall
firewall-cmd --reload
# Test: open each server's IP in a browser and confirm httpd responds.
2. HAProxy configuration: /etc/haproxy/haproxy.cfg (yum install haproxy -y). With both web servers as backends, repeated curl requests to the HAProxy host alternate between them, which confirms round-robin balancing:
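The page does not reproduce the haproxy.cfg that produced the output below. The following is an added example, not the author's file, written to be consistent with what the page does show: two backends at 192.168.1.186 and 192.168.1.188 balanced round-robin on port 80, and a stats proxy named admin_stats on port 9188 (the name and port appear in the startup log in section III). The frontend/backend names, timeouts, health-check settings, stats URI and credential are assumptions.

```haproxy
global
    log         /dev/log local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    user        haproxy
    group       haproxy
    daemon

defaults
    mode                http
    log                 global
    option              httplog
    option              dontlognull
    timeout connect     5s
    timeout client      30s
    timeout server      30s

# Names web_in / web_pool are assumed; the page only shows the observed behaviour.
frontend web_in
    bind 0.0.0.0:80
    default_backend web_pool

backend web_pool
    balance roundrobin
    option httpchk GET /
    server web1 192.168.1.186:80 check inter 2s fall 3 rise 2
    server web2 192.168.1.188:80 check inter 2s fall 3 rise 2

# Stats listener. Proxy name admin_stats and port 9188 match the page's startup log;
# URI and credential are assumptions. On a host that also has a public NIC, bind this
# to the internal address instead of 0.0.0.0.
listen admin_stats
    bind 0.0.0.0:9188
    mode http
    stats enable
    stats uri /haproxy-status
    stats realm "HAProxy stats"
    stats auth admin:CHANGE_ME
    stats refresh 10s
    stats admin if FALSE
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service. Because 9188 is not a port type the SELinux policy knows, binding it is exactly the failure described in section III.1; keep that in mind if you change the stats port again.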
[root@test5 ~]# curl 192.168.1.160
192.168.1.186
[root@test5 ~]# curl 192.168.1.160
192.168.1.188
[root@test5 ~]# curl 192.168.1.160
192.168.1.186
[root@test5 ~]# curl 192.168.1.160
192.168.1.188
Check the VIP in the output of `ip a` on both nodes to determine whether split-brain has occurred and whether the VIP fails over correctly when the master or the backup goes down.
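The check described above, as an added example that is not part of the original page: a small POSIX shell script that decides from `ip -4 -o addr show` output whether a VIP is held by exactly one node. It assumes the VIP is 192.168.1.200 (the page never names its VIP) and that the nodes are reachable as root over ssh; the two embedded address dumps are constructed, not captured from real hosts, so the logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): decide from `ip -4 -o addr show` output
# whether a Keepalived VIP is held by exactly one node. Assumptions: the VIP is
# 192.168.1.200 and the nodes are reachable as root over ssh. POSIX sh features only.
set -u

VIP="${VIP:-192.168.1.200}"

# vip_present <ip-addr-output> <vip>: 0 if <vip> is configured in the dump, else 1.
# Matching "inet VIP/" avoids a prefix match (192.168.1.20 vs 192.168.1.200).
vip_present() {
    printf '%s\n' "$1" | grep -q "inet $2/"
}

# vip_holder_count <vip> <dump>...: number of dumps that carry the VIP.
vip_holder_count() {
    vip="$1"; shift
    n=0
    for dump in "$@"; do
        if vip_present "$dump" "$vip"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# verdict <count>: exactly one holder is healthy; none means the VIP is down;
# more than one is split-brain (the symptom described in section III).
verdict() {
    case "$1" in
        1) echo "ok" ;;
        0) echo "no-holder" ;;
        *) echo "split-brain" ;;
    esac
}

# check_cluster <host>...: collect the dump from every node over ssh and judge.
check_cluster() {
    n=0
    for host in "$@"; do
        if vip_present "$(ssh "root@$host" ip -4 -o addr show 2>/dev/null)" "$VIP"; then
            n=$((n + 1))
        fi
    done
    verdict "$n"
}

# Constructed sample dumps (not captured from real hosts) for an offline run.
SAMPLE_MASTER='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.161/24 brd 192.168.1.255 scope global eth0
2: eth0    inet 192.168.1.200/32 scope global eth0'
SAMPLE_BACKUP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.162/24 brd 192.168.1.255 scope global eth0'

case "${1:-}" in
    --demo)
        verdict "$(vip_holder_count "$VIP" "$SAMPLE_MASTER" "$SAMPLE_BACKUP")"   # ok
        verdict "$(vip_holder_count "$VIP" "$SAMPLE_MASTER" "$SAMPLE_MASTER")"   # split-brain
        ;;
    "") ;;
    *) check_cluster "$@" ;;
esac
```

Run it as `./vipcheck.sh --demo` for the offline sample, or `./vipcheck.sh test1 test2` against the real nodes. A result of split-brain after a fresh deployment almost always means VRRP advertisements are not getting through, which is the firewall case in section III.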
III. Key problems encountered while deploying HAProxy, and their solutions
1. Problem when deploying HAProxy on its own
After writing the configuration file, `systemctl start haproxy` failed to start haproxy (after the start, the status showed no corresponding process).
(Ports 80 and 9188 were already open in the firewall, so it cannot be a firewall problem; a firewall could not stop a process from starting anyway.)
/var/log/messages contains the following errors:
[root@test5 ~]# tail /var/log/messages
Mar 12 14:59:29 test5 systemd: Starting HAProxy Load Balancer...
Mar 12 14:59:29 test5 haproxy-systemd-wrapper: [ALERT] 070/145929 (3131) : Starting proxy admin_stats: cannot bind socket [0.0.0.0:9188]
Mar 12 14:59:29 test5 haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=1
Mar 12 14:59:29 test5 systemd: haproxy.service: main process exited, code=exited, status=1/FAILURE
Mar 12 14:59:29 test5 systemd: Unit haproxy.service entered failed state.
Mar 12 14:59:29 test5 systemd: haproxy.service failed.
Checking the haproxy-related SELinux booleans shows that haproxy_connect_any is off by default, so haproxy_t may neither bind nor connect to arbitrary TCP ports such as 9188:
[root@test5 ~]# getsebool -a | grep haproxy
haproxy_connect_any --> off
After switching the boolean on (-P makes it persistent across reboots), haproxy starts normally. Note that haproxy_connect_any lets haproxy_t bind to and connect to any TCP port; if only the stats port is the problem, labelling that single port (for example `semanage port -a -t http_port_t -p tcp 9188`) is the narrower fix.
[root@test5 ~]# setsebool -P haproxy_connect_any=on
[root@test5 ~]# systemctl start haproxy
[root@test5 ~]# netstat -tlunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3171/haproxy
tcp 0 0 0.0.0.0:9188 0.0.0.0:* LISTEN 3171/haproxy
2. Problems when building HAProxy+Keepalived
1. After the servers were set up, split-brain appeared: both master and backup held the VIP.
Fix: allow VRRP multicast through the firewall on both nodes (then `firewall-cmd --reload`):
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="224.0.0.18" protocol value="vrrp" accept'
2. The script configured in Keepalived's vrrp_script does not run.
Because the script that checks HAProxy's state cannot run, even when HAProxy on the master dies Keepalived itself keeps running, so the VIP never floats from the master to the backup and the whole service goes down.
Quick fix: disable SELinux (this removes the protection for the entire host; the approaches below keep SELinux enforcing).
Solving it with the SELinux policy still enforcing
1) Try to allow it through SELinux policy (failed)
Errors reported with SELinux enabled:
[root@test1 ~]# tail -f /var/log/messages
type=AVC msg=audit(1489338470.513:714): avc: denied { getattr } for pid=5174 comm="check_haproxy.s" path="/usr/bin/systemctl" dev="dm-0" ino=33947874 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1489338470.513:714): arch=c000003e syscall=4 success=no exit=-13 a0=f72c00 a1=7ffd88bca560 a2=7ffd88bca560 a3=3 items=0 ppid=5173 pid=5174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="check_haproxy.s" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
Install the SELinux troubleshooting tool (it suggests possible fixes based on the denial):
yum install setroubleshoot -y
Look at the fix that setroubleshoot suggests:
[root@test1 ~]# tail -f /var/log/messages
Mar 13 02:30:27 test1 setroubleshoot: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/bin/systemctl. For complete SELinux messages. run sealert -l 54416ee0-01c3-40e8-8198-675f6f86a7f7
Mar 13 02:30:27 test1 python: SELinux is preventing /usr/bin/bash from getattr access on the file /usr/bin/systemctl.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed getattr access on the systemctl file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys#012# semodule -i my-checkhaproxys.pp#012
Attempted fix:
[root@test1 ~]# sealert -l 54416ee0-01c3-40e8-8198-675f6f86a7f7
SELinux is preventing /usr/bin/bash from getattr access on the file /usr/bin/systemctl.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed getattr access on the systemctl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys
# semodule -i my-checkhaproxys.pp
[root@test1 ~]# sealert -l 54416ee0-01c3-40e8-8198-675f6f86a7f7
[root@test1 ~]# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys
[root@test1 ~]# semodule -i my-checkhaproxys.pp
Log after the attempt:
[root@test1 ~]# tail -f /var/log/messages
Mar 13 02:36:08 test1 setroubleshoot: SELinux is preventing /usr/bin/bash from open access on the file /usr/bin/systemctl. For complete SELinux messages. run sealert -l 487ebbb3-fefe-4018-8c4c-5be6a185e64b
Mar 13 02:36:08 test1 python: SELinux is preventing /usr/bin/bash from open access on the file /usr/bin/systemctl.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed open access on the systemctl file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys#012# semodule -i my-checkhaproxys.pp#012
[root@test1 ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1489352184.678:549): avc: denied { open } for pid=3990 comm="check_haproxy.s" path="/usr/bin/systemctl" dev="dm-0" ino=33724848 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1489352184.678:549): arch=c000003e syscall=2 success=no exit=-13 a0=14bec50 a1=0 a2=43 a3=7ffe13e19190 items=0 ppid=3986 pid=3990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="check_haproxy.s" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
Continue following the suggestion:
[root@test1 ~]# sealert -l 487ebbb3-fefe-4018-8c4c-
[root@test1 ~]# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys
[root@test1 ~]# semodule -i my-checkhaproxys.pp
Log after the attempt:
[root@test1 ~]# tail -f /var/log/messages
Mar 13 05:02:35 test1 setroubleshoot: SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/bin/systemctl. For complete SELinux messages. run sealert -l a3a942ad-2b0e-4b4b-bf1f-b521256f4405
Mar 13 05:02:35 test1 python: SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/bin/systemctl.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed execute_no_trans access on the systemctl file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys#012# semodule -i my-checkhaproxys.pp#012
[root@test1 ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1489352298.756:764): avc: denied { execute_no_trans } for pid=5507 comm="check_haproxy.s" path="/usr/bin/systemctl" dev="dm-0" ino=33724848 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1489352298.756:764): arch=c000003e syscall=59 success=no exit=-13 a0=162cc50 a1=162ccc0 a2=162d360 a3=7ffddf4d6190 items=0 ppid=5503 pid=5507 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="check_haproxy.s" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
Continue following the suggestion:
[root@test1 ~]# sealert -l a3a942ad-2b0e-4b4b-bf1f-b521256f4405
[root@test1 ~]# ausearch -c 'check_haproxy.s' --raw | audit2allow -M my-checkhaproxys
[root@test1 ~]# semodule -i my-checkhaproxys.pp
Log after the attempt:
[root@test1 ~]# tail -f /var/log/messages
Mar 13 05:06:42 test1 setroubleshoot: failed to retrieve rpm info for /run/dbus/system_bus_socket
Mar 13 05:06:42 test1 setroubleshoot: SELinux is preventing /usr/bin/systemctl from connectto access on the unix_stream_socket /run/dbus/system_bus_socket. For complete SELinux messages. run sealert -l e1afcda9-a674-4d76-8aa0-7787404c515e
Mar 13 05:06:42 test1 python: SELinux is preventing /usr/bin/systemctl from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemctl should be allowed connectto access on the system_bus_socket unix_stream_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl#012# semodule -i my-systemctl.pp#012
[root@test1 ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1489352885.238:1505): avc: denied { connectto } for pid=11711 comm="systemctl" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1489352885.238:1505): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f42bfa16918 a2=21 a3=7ffe723af2b0 items=0 ppid=11707 pid=11711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:keepalived_t:s0 key=(null)
Continue following the suggestion:
[root@test1 ~]# sealert -l e1afcda9-a674-4d76-8aa0-7787404c515e
[root@test1 ~]# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
[root@test1 ~]# semodule -i my-systemctl.pp
Log after the attempt (not resolved in the end):
[root@test1 ~]# tail -f /var/log/messages
Mar 13 05:12:09 test1 Keepalived_vrrp[3090]: Process [14395] didn't respond to SIGTERM
[root@test1 ~]# tail -f /var/log/audit/audit.log
type=USER_AVC msg=audit(1489353197.502:2058): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" cmdline="systemctl start haproxy" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1489353198.557:2059): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/keepalived.service" cmdline="systemctl stop keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1489353198.557:2060): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/keepalived.service" cmdline="systemctl stop keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1489354986.919:1591): avc: denied { getattr } for pid=7566 comm="check_haproxy.s" path="/usr/sbin/haproxy" dev="dm-0" ino=68172487 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1489354986.919:1591): arch=c000003e syscall=4 success=no exit=-13 a0=19cbd50 a1=7ffde08b8720 a2=7ffde08b8720 a3=11 items=0 ppid=7565 pid=7566 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="check_haproxy.s" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
Observation: the systemctl-related commands still cannot run under SELinux. Two details explain why the audit2allow loop never converged. First, the final denials are USER_AVC records reported by systemd (pid=1) on the `service` class; `ausearch -c 'systemctl'` selects on the comm field, which these records do not carry, so the generated module never contained the `start`/`stop` rules. Second, even if they were allowed, keepalived_t would gain the right to start haproxy and stop keepalived through systemd, far more than a health check needs. A check script that never calls systemctl avoids both problems.
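Added example, not from the page: a small shell/awk summariser that collapses a run of audit denials into one line per source domain -> target type:class with every denied permission, which is the view you want before deciding whether a local policy module is acceptable at all. The sample input embedded in the block is the set of AVC and USER_AVC records shown above; the live pipeline `ausearch -m AVC,USER_AVC -ts recent --raw | avc_summary` is an assumption about how you would feed it on a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): summarise SELinux denials as
# "source -> target:class { perms }" so the whole permission chain that a vrrp_script
# calling systemctl would need is visible at once, instead of one denial per
# audit2allow round.
#
# Live use (root):  ausearch -m AVC,USER_AVC -ts recent --raw | avc_summary
# USER_AVC records (denials reported by systemd, pid 1, on the "service" class) have
# no comm= field, so `ausearch -c 'check_haproxy.s'` never selects them.

avc_summary() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*avc: *denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        key = s[3] " -> " t[3] ":" cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END { for (k in seen) print k " { " seen[k] " }" }
    ' | sort
}

# Sample input: the denial records from the page, in the order they were hit.
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1489338470.513:714): avc:  denied  { getattr } for  pid=5174 comm="check_haproxy.s" path="/usr/bin/systemctl" dev="dm-0" ino=33947874 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1489352184.678:549): avc:  denied  { open } for  pid=3990 comm="check_haproxy.s" path="/usr/bin/systemctl" dev="dm-0" ino=33724848 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1489352298.756:764): avc:  denied  { execute_no_trans } for  pid=5507 comm="check_haproxy.s" path="/usr/bin/systemctl" dev="dm-0" ino=33724848 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1489352885.238:1505): avc:  denied  { connectto } for  pid=11711 comm="systemctl" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1489353197.502:2058): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" cmdline="systemctl start haproxy" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1489353198.557:2059): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/keepalived.service" cmdline="systemctl stop keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1489353198.557:2060): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/keepalived.service" cmdline="systemctl stop keepalived" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:keepalived_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1489354986.919:1591): avc:  denied  { getattr } for  pid=7566 comm="check_haproxy.s" path="/usr/sbin/haproxy" dev="dm-0" ino=68172487 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_audit | avc_summary
fi
```

Run with `--demo` to see the five distinct source/target pairs behind the page's four audit2allow rounds. Seen together, the list makes the design question obvious: granting keepalived_t `start` on haproxy_unit_file_t and `stop` on keepalived_unit_file_t is a service-control capability, not a file read, and a health check does not need it.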
2) Based on 1), the vrrp script was changed as follows:
#!/bin/bash
# Only check whether haproxy is running; the part that tried to (re)start haproxy has been removed,
# because starting a service needs systemctl, which keepalived_t is not allowed to use.
if [ "$(ps -C haproxy --no-header | wc -l)" -eq 0 ]; then
    # haproxy is not running: stop keepalived so the VIP floats to the other haproxy node.
    # (pkill matches the process name, so the check script itself is not killed.)
    pkill keepalived
fi
(The start order matters: haproxy must start before keepalived; otherwise keepalived, started first, finds no haproxy and kills itself.)
Both can also be enabled at boot:
systemctl enable haproxy
systemctl enable keepalived
(Enabling the units does not by itself order them; a drop-in for keepalived.service with After=haproxy.service does.)
3) Use the vrrp_script form given in the comments of the configuration file (best method; note that the script below has strict requirements on the priority difference between master and backup):
# haproxy check script
vrrp_script chk_haproxy {
    script "killall -0 haproxy"   # killall comes from psmisc (yum install psmisc -y)
    interval 2
    weight 2   # if the script succeeds (exit 0), effective priority = priority + weight; otherwise it stays at priority
}
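The priority requirement mentioned above, worked through with the page's weight of 2: the MASTER's effective priority is priority + 2 while the check passes and just priority while it fails, and the same holds on the BACKUP. Failover needs BACKUP-passing to beat MASTER-failing, and normal operation needs MASTER-passing to beat BACKUP-passing, so the configured priorities must differ by less than the weight; with weight 2 the only possible difference is 1 (for example 101 and 100, giving 103/101 versus 102/100). With 110 versus 100 the master would keep the VIP even with haproxy dead. A negative weight (for example weight -20, subtracted while the check fails) relaxes this to any difference below 20. The following MASTER-side keepalived.conf is an added example, not the author's configuration; router_id, interface, virtual_router_id, the VIP 192.168.1.200 and the auth password are assumptions.

```conf
global_defs {
    router_id lb1                 # assumed; use a different id on the other node
}

vrrp_script chk_haproxy {
    script "killall -0 haproxy"   # exit 0 while an haproxy process exists (psmisc); no systemctl needed
    interval 2                    # seconds between checks
    weight 2                      # added to priority while the check passes
    fall 2                        # consecutive failures before the check counts as failed
    rise 2                        # consecutive successes before it counts as passed again
}

vrrp_instance VI_1 {
    state MASTER                  # BACKUP on the other node
    interface eth0                # assumed; the NIC on the internal network
    virtual_router_id 51          # assumed; must match on both nodes
    priority 101                  # 100 on the BACKUP node: difference must be smaller than weight
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass s3cret1         # assumed; PASS auth is at most 8 chars and travels in clear text on the LAN
    }
    virtual_ipaddress {
        192.168.1.200/24 dev eth0 # assumed VIP
    }
    track_script {
        chk_haproxy
    }
}
```

On the BACKUP node change `state` to BACKUP and `priority` to 100 and keep everything else identical, including the VRRP firewall rule from III.2.1 on both hosts. The PASS authentication only guards against a misconfigured neighbour joining the wrong VRRP group; it is not a security control, so keep VRRP on the internal network as the page's setup already does.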