Keepalived and Firewalld

Posted by Sunday on 2019-07-11

Preparation

MASTER IP 192.168.1.7
BACKUP IP 192.168.1.8
VIP 192.168.1.200

yum install keepalived
systemctl stop firewalld
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf  # allow binding to an IP that is not configured on this host
sysctl -p

Keepalived

MASTER

global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from ka@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka46
    vrrp_mcast_group4 224.0.0.111
    #vrrp_strict
}

vrrp_instance Intranet_1 {
    state MASTER
    interface em1
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass starsing
    }
    virtual_ipaddress {
        192.168.1.200/24
    }

    #virtual_routes {
    #    default via 192.168.1.1
    #}

    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

BACKUP

Note the following points:
state is BACKUP
interface is the NIC name; confirm it on each machine
virtual_router_id must match the MASTER (51 here)
priority must be lower than the MASTER's

global_defs {
    notification_email {
        root@localhost
    }
    notification_email_from ka@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id ka46
    vrrp_mcast_group4 224.0.0.111
    #vrrp_strict
}

vrrp_instance Intranet_1 {
    state BACKUP
    interface em1
    virtual_router_id 51
    priority 95
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass starsing
    }
    virtual_ipaddress {
        192.168.1.200/24
    }

    #virtual_routes {
    #    default via 192.168.1.1
    #}

    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

NOTIFY

#!/bin/bash
# /etc/keepalived/notify.sh
# Called by keepalived on every VRRP state change as: notify.sh {master|backup|fault}
# Sends a mail describing the transition.
contact="root@localhost"
contact_xwx="sunday@sundayle.com"

notify() {
    local mailsubject="$(hostname) to be $1, vip floating"
    local mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
    #echo "$mailbody" | mail -s "$mailsubject" "$contact"
    echo "$mailbody" | mail -s "$mailsubject" "$contact_xwx"
}

case "$1" in
    master)
        notify master
        ;;
    backup)
        notify backup
        ;;
    fault)
        notify fault
        ;;
    *)
        echo "Usage: $(basename "$0") {master|backup|fault}"
        exit 1
        ;;
esac

Start keepalived on MASTER and BACKUP

systemctl start keepalived
systemctl enable keepalived

At this point the firewall is stopped: MASTER holds the VIP and BACKUP does not.

[root@master ]# ip addr | grep 192.168.1.200
inet 192.168.1.200/24 scope global secondary em1

Failover rules:
By default MASTER holds the VIP (192.168.1.200).
When MASTER fails, the VIP floats to the BACKUP server.
When MASTER comes back up, the VIP floats back to the MASTER server.

Firewalld

Add the firewall rules. When no group is specified the VRRP multicast group defaults to 224.0.0.18; here it was changed to 224.0.0.111.

systemctl stop keepalived
systemctl start firewalld

firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
firewall-cmd --reload

Check the two rules:

[root@master ~]# firewall-cmd --direct --get-rules ipv4 filter INPUT
0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
[root@master ~]# firewall-cmd --direct --get-rules ipv4 filter OUTPUT
0 --out-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT

systemctl start keepalived

Now MASTER holds the VIP and BACKUP does not, so the firewall is passing VRRP correctly.
If both MASTER and BACKUP hold the VIP, check the firewall configuration, in particular the interface name and the VRRP multicast address.

Service test

[root@master ~]# yum install tcpdump
[root@master ~]# tcpdump -i em1 vrrp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:17:56.949963 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:57.950994 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:58.952063 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:59.953131 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:18:00.954206 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36

The VIP is now on MASTER.
If keepalived is stopped on MASTER, the VIP floats to BACKUP:

systemctl stop keepalived

[root@master ~]# tcpdump -i em1 vrrp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:24.415708 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:25:25.416790 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:25:26.417831 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36

The VIP is now on BACKUP.

Configure logging

Optional

By default keepalived writes its log to the system log, /var/log/messages. Because the system log is busy, troubleshooting there is inconvenient.
We can send keepalived's log to its own file by changing the log output path.

vim /etc/sysconfig/keepalived

# Options for keepalived. See `keepalived --help' output and keepalived(8) and
# keepalived.conf(5) man pages for a list of all options. Here are the most
# common ones :
#
# --vrrp -P Only run with VRRP subsystem.
# --check -C Only run with Health-checker subsystem.
# --dont-release-vrrp -V Dont remove VRRP VIPs & VROUTEs on daemon stop.
# --dont-release-ipvs -I Dont remove IPVS topology on daemon stop.
# --dump-conf -d Dump the configuration data.
# --log-detail -D Detailed log messages.
# --log-facility -S 0-7 Set local syslog facility (default=LOG_DAEMON)
#

#KEEPALIVED_OPTIONS="-D"
KEEPALIVED_OPTIONS="-D -d -S 0"

Change KEEPALIVED_OPTIONS="-D" to KEEPALIVED_OPTIONS="-D -d -S 0", where -S sets the local syslog facility (0 = local0).

Configure rsyslog.conf

vim /etc/rsyslog.conf

local0.* /var/log/keepalived.log

systemctl restart rsyslog
systemctl restart keepalived

The log can now be read from /var/log/keepalived.log.

Links

Configuring Keepalived on CentOS 7 for two-node hot standby