Keepalived
High-availability clusters
Cluster types
LB: Load Balance, load balancing: LVS / HAProxy / nginx (http/upstream, stream/upstream)
HA: High Availability cluster: databases, Redis. SPoF: Single Point of Failure; the goal is to eliminate single points of failure
HPC: High Performance Computing cluster
Keepalived is built on VRRP (Virtual Router Redundancy Protocol).
Keepalived deployment
Keepalived architecture
User-space core components:
vrrp stack: VIP advertisement
checkers: health-check the real servers
system call: runs scripts on VRRP protocol state transitions
SMTP: mail component
IPVS wrapper: generates IPVS rules
Netlink Reflector: network interface handling
WatchDog: monitors the processes
Control component: the parser for keepalived.conf, which applies the Keepalived configuration
I/O multiplexer: Keepalived's own thread abstraction, optimised for network use
Memory management component: provides access to common memory-management functions (allocation, reallocation, release, etc.)
Environment preparation
Time must be synchronised on all nodes: ntp, chrony
Disable the firewall and SELinux
Nodes can reach each other by hostname: optional; using /etc/hosts for this is recommended: optional
The root users of the nodes can reach each other over key-based ssh: optional
Related files
Package name: keepalived
Main program: /usr/sbin/keepalived
Main configuration file: /etc/keepalived/keepalived.conf
Configuration examples: /usr/share/doc/keepalived/
Unit file: /lib/systemd/system/keepalived.service
Environment file for the unit: /etc/sysconfig/keepalived
Enabling keepalived logging
[root@cll ~]# vim /etc/sysconfig/keepalived
# -D: detailed logging; -S 6: log to syslog facility local6
KEEPALIVED_OPTIONS="-D -S 6"
[root@cll ~]# vim /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local6.* /var/log/keepalived.log
[root@cll ~]# systemctl restart keepalived.service rsyslog.service
Test: tail -f /var/log/keepalived.log
Separate sub-configuration files
Put the VIP configuration of each cluster in its own sub-configuration file; the include directive pulls the sub-configuration files in.
[root@cll ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
   notification_email {
      13458020968@163.com
   }
   notification_email_from keepalived@KA1.cll.org
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id KA1.cll.org
   vrrp_skip_check_adv_addr
   # vrrp_strict
   vrrp_garp_interval 1
   vrrp_gna_interval 1
   vrrp_mcast_group4 224.0.0.44
}
include /etc/keepalived/conf.d/*.conf
[root@cll ~]# vim /etc/keepalived/conf.d/router.conf
vrrp_instance VI_1 {
   state MASTER
   interface eth0
   virtual_router_id 51
   priority 100
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
}
Enterprise examples
Preempt and non-preempt modes
Non-preempt mode: nopreempt
KA1 has a higher priority than KA2. With non-preempt mode (nopreempt) set, a higher-priority host that comes back does not take the master role away from the lower-priority host.
Non-preempt mode is configured as follows:
vrrp_instance VI_1 {
   state BACKUP          # must be BACKUP
   interface eth0
   virtual_router_id 51
   priority 80
   nopreempt             # non-preempt mode
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
}
Test: tcpdump -i eth0 -nn host 224.0.0.44
Preempt delay mode: preempt_delay
The default is preempt mode: when the higher-priority host comes back online it takes the master role from the lower-priority host, so the VIP flaps back and forth between the KA hosts and causes network jitter. preempt_delay postpones that takeover by a configured number of seconds.
vrrp_instance VI_1 {
   state BACKUP
   interface eth0
   virtual_router_id 20
   priority 100          # higher priority
   preempt_delay 10      # preempt delay of 10 s; in practice about 600 s is typical
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      172.25.254.100/24 dev eth0 label eth0:0
   }
}
VIP unicast
By default keepalived hosts advertise to each other with multicast, which can congest the network; switching to unicast reduces the traffic.
Configure on the master host
vrrp_instance VI_1 {
   state BACKUP
   interface eth0
   virtual_router_id 51
   priority 100
   nopreempt
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
   unicast_src_ip 192.168.183.50   # this host's IP
   unicast_peer {
      192.168.183.60               # the peer host
      # if there are more keepalived nodes, add their IPs here
   }
}
Test: tcpdump -i eth0 -nn host 192.168.183.50 and dst 192.168.183.60
Keepalived notification scripts
Enable script execution in global_defs and add the notify lines at the end of the vrrp_instance VI_1 block:
global_defs {
   notification_email {
      timinglee_zln@163.com
   }
   notification_email_from timinglee@timinglee.org
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id KA1.timinglee.org
   vrrp_skip_check_adv_addr
   #vrrp_strict
   vrrp_garp_interval 1
   vrrp_gna_interval 1
   enable_script_security   # allow keepalived to run scripts
   script_user root         # user the scripts run as
}
vrrp_instance VI_1 {
   state BACKUP
   interface eth0
   virtual_router_id 51
   priority 100
   nopreempt
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
   unicast_src_ip 192.168.183.50
   unicast_peer {
      192.168.183.60
   }
   # commands that run the notification script
   notify_master "/etc/keepalived/mail.sh master"
   notify_backup "/etc/keepalived/mail.sh backup"
   notify_fault "/etc/keepalived/mail.sh fault"
}
Create the notification script
[root@KA1 ~]# vim /etc/keepalived/mail.sh
#!/bin/bash
mail_dest='594233887@qq.com'
# Build the subject and body from the new state passed by keepalived and send them
mail_send() {
    mail_subj="$HOSTNAME to be $1 vip 转移"
    mail_mess="`date +%F\ %T`: vrrp 转移,$HOSTNAME 变为 $1"
    echo "$mail_mess" | mail -s "$mail_subj" $mail_dest
}
# keepalived calls the script with master, backup or fault as the first argument
case $1 in
    master)
        mail_send master
        ;;
    backup)
        mail_send backup
        ;;
    fault)
        mail_send fault
        ;;
    *)
        exit 1
        ;;
esac
Install the mail sending tool
[root@KA2 ~]# dnf install mailx -y
163 mailbox configuration
[root@cll ~]# vim /etc/mail.rc
#######mail set##########
set smtp=smtp.163.com
set smtp-auth=login
set smtp-auth-user=13458020968@163.com
set smtp-auth-password=KNcH23829mDeJrvi   # authorization code obtained from 163
set from=13458020968@163.com
set ssl-verify=ignore
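mail.rc stores the SMTP authorization code in plaintext, so on a shared director the file should be readable by its owner only. The check below is an added example, not part of the original notes: it takes the path as an argument (the notes use /etc/mail.rc) and reports whether the mode leaves the credential exposed.

```sh
#!/bin/sh
# Added example: verify that a mail.rc carrying an SMTP password is not
# readable by other users. Returns 0 when the mode is 600 or 400, 1 when the
# password line exists but the mode is wider, 2 when the file is missing.
# The file path is passed in; nothing here assumes a particular host.

mailrc_perm_check() {
  f=$1
  [ -f "$f" ] || { echo "$f: not found"; return 2; }
  mode=$(stat -c '%a' "$f") || return 2
  # Only a file that actually holds a password needs the tight mode.
  if ! grep -q '^set smtp-auth-password=' "$f"; then
    echo "$f: no smtp-auth-password line, nothing to protect"
    return 0
  fi
  case "$mode" in
    600|400)
      echo "$f: mode $mode ok"
      return 0
      ;;
    *)
      echo "$f: mode $mode exposes the SMTP password to other users; run: chmod 600 $f"
      return 1
      ;;
  esac
}

# Usage: mailrc_perm_check /etc/mail.rc
```

Run it once after editing mail.rc and again from a periodic job; a non-zero exit is the signal that the mode drifted (for example after the file was copied from another host).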
Test 1
[root@KA1 ~]# dnf install s-nail sendmail -y
[root@KA1 ~]# systemctl enable --now sendmail.service
[root@cll ~]# echo test message |mail -s test 13458020968@163.com
Test: check the mailbox in a browser.
Test 2
Simulate a master failure
Implementing a master/master (dual-master) Keepalived architecture
In the master/slave single-master architecture only one Keepalived node serves traffic at a time: that host is busy while the other sits idle, so utilisation is poor. The master/master dual-master architecture solves this: two or more VIPs run on different keepalived servers so that the servers serve web traffic in parallel, raising resource utilisation.
KA1
vrrp_instance VI_1 {
   state MASTER
   interface eth0
   virtual_router_id 51
   priority 100
   nopreempt
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
   # unicast_src_ip 192.168.183.50
   # unicast_peer {
   #    192.168.183.60
   # }
   # notify_master "/etc/keepalived/mail.sh master"
   # notify_backup "/etc/keepalived/mail.sh backup"
   # notify_fault "/etc/keepalived/mail.sh fault"
}
vrrp_instance VI_60 {
   state BACKUP          # backup for the second VIP
   interface eth0
   virtual_router_id 52
   priority 80
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.200/24 dev eth0 label eth0:1
   }
}
KA2
vrrp_instance VI_1 {
   state BACKUP
   interface eth0
   virtual_router_id 51
   priority 80
   nopreempt
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
   # unicast_src_ip 192.168.183.60
   # unicast_peer {
   #    192.168.183.50
   # }
}
vrrp_instance VI_2 {
   state MASTER
   interface eth0
   virtual_router_id 52
   priority 100
   nopreempt
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.200/24 dev eth0 label eth0:1
   }
}
Implementing single-master LVS-DR mode
Configure the two back-end RS hosts
# rs1
[root@cll ~]# ip a a 192.168.183.100/32 dev lo
[root@cll ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_ignore=1
net.ipv4.conf.lo.arp_announce=2
[root@cll ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
# rs2: same as rs1
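The four ARP settings are what keep a DR real server from answering ARP for the VIP it holds on lo (arp_ignore=1: only reply when the target address is on the receiving interface; arp_announce=2: use the best local address as the ARP source). An RS that misses one of them steals the VIP from the director. The following check is an added example, not part of the original notes: it reads a sysctl-style file passed as an argument and lists any of the four keys that are absent or set to the wrong value.

```sh
#!/bin/sh
# Added example: confirm that a sysctl file carries the ARP settings an LVS-DR
# real server needs. Prints one line per missing or wrong key; exit status is
# 0 when all four are correct, 1 otherwise. The file path is an argument, so
# it can be pointed at /etc/sysctl.conf or any file under /etc/sysctl.d/.

dr_arp_check() {
  f=$1
  missing=0
  for kv in net.ipv4.conf.all.arp_ignore=1 \
            net.ipv4.conf.all.arp_announce=2 \
            net.ipv4.conf.lo.arp_ignore=1 \
            net.ipv4.conf.lo.arp_announce=2; do
    key=${kv%=*}
    want=${kv#*=}
    # Escape the dots so the key is matched literally, not as "any character".
    key_re=$(printf '%s\n' "$key" | sed 's/\./\\./g')
    # Accept "k=v" and "k = v"; ignore comment lines; the last assignment wins,
    # which is how sysctl(8) itself applies a file.
    got=$(sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$f" | tail -n 1)
    if [ "$got" != "$want" ]; then
      echo "missing or wrong: $key (want $want, have ${got:-unset})"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Usage: dr_arp_check /etc/sysctl.conf && echo "DR ARP settings ok"
```

Run it on every RS after `sysctl -p`; a clean exit on the file does not prove the running kernel agrees, so pair it with `sysctl net.ipv4.conf.lo.arp_ignore` when the VIP is already configured.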
Configure keepalived
[root@rhel7-ka1 ~]# vim /etc/keepalived/keepalived.conf
# KA1
virtual_server 192.168.183.100 80 {
   delay_loop 6
   lb_algo wrr
   lb_kind DR
   protocol TCP
   real_server 192.168.183.10 80 {
      weight 1
      TCP_CHECK {
         connect_timeout 5
         retry 3
         delay_before_retry 3
         connect_port 80
      }
   }
   real_server 192.168.183.20 80 {
      weight 1
      TCP_CHECK {
         connect_timeout 5
         retry 3
         delay_before_retry 3
         connect_port 80
      }
   }
}
# KA2
virtual_server 192.168.183.100 80 {
   delay_loop 6
   lb_algo wrr
   lb_kind DR
   protocol TCP
   real_server 192.168.183.10 80 {
      weight 1
      TCP_CHECK {
         connect_timeout 5
         retry 3
         delay_before_retry 3
         connect_port 80
      }
   }
   real_server 192.168.183.20 80 {
      weight 1
      HTTP_CHECK {
         url {
            path /
            status_code 200
         }
         connect_timeout 1
         retry 3
         delay_before_retry 1
      }
   }
}
Test results
[root@cll ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.183.100:80 wrr
  -> 192.168.183.10:80            Route   1      0          1
  -> 192.168.183.20:80            Route   1      0          1
When rs1 goes down, all traffic is sent to rs2. When keepalived on KA1 goes down, traffic goes through KA2.
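The ipvsadm table is also the place to detect the failure the notes describe: when the checker removes rs1, its `->` line disappears from the service. The following monitor is an added example, not part of the original notes. It parses `ipvsadm -Ln` output from stdin, counts the real servers behind a given VIP:port and raises an alert when fewer than expected remain; the two samples are constructed to match the layout shown above.

```sh
#!/bin/sh
# Added example: count real servers ipvsadm lists behind a virtual service and
# alert when the count drops. Input is `ipvsadm -Ln` output on stdin; the VIP
# is given as address:port exactly as ipvsadm prints it.

ipvs_rs_count() {
  vip=$1   # e.g. 192.168.183.100:80
  awk -v vip="$vip" '
    # A service line starts with the protocol; remember whether it is ours.
    $1 == "TCP" || $1 == "UDP" { in_svc = ($2 == vip); next }
    # Real-server lines start with "->" and belong to the last service seen.
    $1 == "->" && in_svc       { n++ }
    END { print n + 0 }'
}

# ipvs_rs_alert VIP MIN  (reads ipvsadm output on stdin)
ipvs_rs_alert() {
  vip=$1
  min=$2
  n=$(ipvs_rs_count "$vip")
  if [ "$n" -lt "$min" ]; then
    echo "ALERT: $vip has $n real servers, expected at least $min"
    return 1
  fi
  echo "OK: $vip has $n real servers"
}

# Constructed sample, modelled on the output in the notes (both RS healthy).
SAMPLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.183.100:80 wrr
  -> 192.168.183.10:80            Route   1      0          1
  -> 192.168.183.20:80            Route   1      0          1
TCP  192.168.183.200:3306 rr
  -> 192.168.183.10:3306          Route   1      0          0'

# Constructed sample after rs1 failed its check and was removed.
SAMPLE_DEGRADED='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.183.100:80 wrr
  -> 192.168.183.20:80            Route   1      0          1'

# Live usage: ipvsadm -Ln | ipvs_rs_alert 192.168.183.100:80 2
printf '%s\n' "$SAMPLE_DEGRADED" | ipvs_rs_alert 192.168.183.100:80 2
```

On the director this runs as `ipvsadm -Ln | ipvs_rs_alert 192.168.183.100:80 2` from cron or a monitoring agent; the non-zero exit is the alert condition, which is simpler than watching keepalived's log for the checker message.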
Implementing the master/master dual-master architecture with LVS-DR
KA1/KA2 configuration
[root@cll ~]# vim /etc/keepalived/conf.d/router.conf
virtual_server 192.168.183.200 3306 {
   delay_loop 6
   lb_algo rr
   lb_kind DR
   protocol TCP
   real_server 192.168.183.10 3306 {
      weight 1
      TCP_CHECK {
         connect_timeout 10
         retry 3
         delay_before_retry 5
         connect_port 3306
      }
   }
   real_server 192.168.183.20 3306 {
      weight 1
      TCP_CHECK {
         connect_timeout 10
         retry 3
         delay_before_retry 5
         connect_port 3306
      }
   }
}
[root@cll ~]# keepalived -t -f /etc/keepalived/conf.d/router.conf
[root@cll ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.183.100:80 wrr
  -> 192.168.183.10:80            Route   1      0          0
  -> 192.168.183.20:80            Route   1      0          0
TCP  192.168.183.200:3306 rr
  -> 192.168.183.10:3306          Route   1      0          0
  -> 192.168.183.20:3306          Route   1      0          0
RS1/RS2 configuration
# Add the VIP
[root@cll ~]# ip a a 192.168.183.200 dev lo
[root@cll ~]# dnf install mariadb-server -y
# Set the MySQL server-id
[root@cll ~]# vim /etc/my.cnf.d/mariadb-server.cnf
[root@cll ~]# systemctl start mariadb.service
# Create a MySQL user and password
[root@cll ~]# mysql -e "grant all on *.* to cll@'%' identified by 'cll';"
[root@cll ~]# systemctl restart mariadb.service
Test:
Log in to MySQL repeatedly: the logins alternate between the RS hosts, and when one of the KA or RS hosts goes down the other takes over.
C:\Users\cll12>mysql -ucll -pcll -h192.168.183.200
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 302
Server version: 5.5.5-10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select @@server_id
    -> ;
+-------------+
| @@server_id |
+-------------+
|          10 |
+-------------+
1 row in set (0.00 sec)

mysql> quit
Bye

C:\Users\cll12>mysql -ucll -pcll -h192.168.183.200
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 160
Server version: 5.5.5-10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select @@server_id
    -> ;
+-------------+
| @@server_id |
+-------------+
|          20 |
+-------------+
1 row in set (0.00 sec)
Switching master/backup roles with a script
Modify the configuration file
# Write the check script
[root@cll mnt]# cat check_cll.sh
#!/bin/bash
# Exit 0 (healthy) while /mnt/cll is absent and 1 (failed) once it exists;
# the exit status of the test is the exit status of the script
[ ! -f /mnt/cll ]
# Make it executable
[root@rhel7-ka1 ~]# chmod +x /mnt/check_cll.sh
# Modify the keepalived configuration
vrrp_script CHECK_CLL {
   script "/mnt/check_cll.sh"
   interval 1      # run the script every second
   weight -30      # subtract 30 from the priority while the script fails
   fall 2          # counted as failed after 2 consecutive non-zero exits
   rise 2          # counted as healthy again after 2 consecutive zero exits
   timeout 2
}
vrrp_instance VI_1 {
   state MASTER
   interface eth0
   virtual_router_id 51
   priority 100
   # nopreempt
   advert_int 1
   authentication {
      auth_type PASS
      auth_pass 1111
   }
   virtual_ipaddress {
      192.168.183.100/24 dev eth0 label eth0:0
   }
   # add the tracker
   track_script {
      CHECK_CLL
   }
}
Test
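The numbers in this section and in the preempt/nopreempt section interact: the tracked script lowers KA1 from 100 to 70 only after `fall` consecutive failures, 70 is below KA2's 80, and whether KA2 then takes the VIP, and whether KA1 takes it back on recovery, depends on the preempt mode. The following simulation is an added example, not part of the original notes: it reproduces keepalived's fall/rise hysteresis and weight arithmetic for vrrp_script, and the preempt/nopreempt election rule, so a planned set of priorities can be checked before it is deployed on a live pair. Node names, priorities and the exit-code sequences are constructed inputs.

```sh
#!/bin/sh
# Added example: simulate the vrrp_script fall/rise hysteresis, the weight
# adjustment it applies to priority, and the preempt/nopreempt election.
# All inputs are constructed; nothing here talks to keepalived.

# effective_priority BASE WEIGHT SCRIPT_STATE
#   weight < 0: priority is reduced by |weight| while the script is DOWN
#   weight > 0: priority is raised by weight while the script is UP
effective_priority() {
  base=$1; weight=$2; state=$3
  if [ "$weight" -lt 0 ] && [ "$state" = DOWN ]; then
    echo $((base + weight))
  elif [ "$weight" -gt 0 ] && [ "$state" = UP ]; then
    echo $((base + weight))
  else
    echo "$base"
  fi
}

# track_sim BASE WEIGHT FALL RISE rc1 rc2 ...
#   Feeds a sequence of check-script exit codes through the hysteresis: the
#   script is DOWN only after FALL consecutive failures and UP again only after
#   RISE consecutive successes. Prints "<state> <effective priority>".
track_sim() {
  base=$1; weight=$2; fall=$3; rise=$4; shift 4
  state=UP; bad=0; good=0
  for rc in "$@"; do
    if [ "$rc" -eq 0 ]; then
      good=$((good + 1)); bad=0
      if [ "$state" = DOWN ] && [ "$good" -ge "$rise" ]; then state=UP; fi
    else
      bad=$((bad + 1)); good=0
      if [ "$state" = UP ] && [ "$bad" -ge "$fall" ]; then state=DOWN; fi
    fi
  done
  echo "$state $(effective_priority "$base" "$weight" "$state")"
}

# pick_master CURRENT MODE NAME:PRIO ...
#   NAME:PRIO lists the nodes currently advertising. With nopreempt the current
#   master keeps the role as long as it is still advertising; in preempt mode
#   the highest priority wins (preempt_delay only postpones that outcome).
pick_master() {
  cur=$1; mode=$2; shift 2
  best=; best_prio=-1; cur_alive=0
  for node in "$@"; do
    name=${node%%:*}; prio=${node#*:}
    if [ "$name" = "$cur" ]; then cur_alive=1; fi
    if [ "$prio" -gt "$best_prio" ]; then best=$name; best_prio=$prio; fi
  done
  if [ "$cur_alive" -eq 1 ] && [ "$mode" = nopreempt ]; then
    echo "$cur"
  else
    echo "$best"
  fi
}

# scenario rc1 rc2 ...: the notes' setup, KA1 (100, weight -30, fall 2, rise 2)
# as current master against KA2 (80), preempt mode (nopreempt is commented out).
# Prints which node holds the VIP after the given check results on KA1.
scenario() {
  ka1=$(track_sim 100 -30 2 2 "$@")
  prio=${ka1#* }
  pick_master KA1 preempt "KA1:$prio" KA2:80
}

# With the notes' check script, `touch /mnt/cll` produces exit code 1 each
# second; after two of them KA1 advertises 70 and KA2 takes over.
scenario 1 1        # KA2
scenario 1 1 0 0    # KA1 again, once the file is removed and two checks pass
```

The same table answers the sizing question the notes leave implicit: a weight whose magnitude does not push the master below the backup's priority never triggers a failover, and in nopreempt mode a recovered KA1 with priority 100 stays BACKUP while KA2 keeps advertising.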