
Keepalived
Instructor: 张士杰 (Zhang Shijie), http://www.magedu.com

Contents of this chapter
• High-availability clusters
• Keepalived components
• Keepalived configuration
• Keepalived in enterprise use

High-availability cluster concepts
• Cluster types:
  LB (Load Balance)   # lvs/HAProxy/nginx (http/upstream, stream/upstream)
  HA (High Availability)   # high-availability clusters: databases, Zookeeper, Redis
    SPoF: Single Point of Failure; HA exists to remove the single point of failure
  HPC   # High Performance Computing, https://www.top500.org
• System availability: SLA (Service-Level Agreement) target = 99.9%, …, 99.999%, 99.9999%
• System failures:
  Hardware failures: design defects, wear out, natural disasters …
  Software failures: design defects

High-availability cluster concepts
• Raising availability by lowering MTTR (Mean Time To Repair)
  Solution: build redundancy
    active/passive   master/backup
    active/active    dual master
    active –> HEARTBEAT –> passive
    active <–> HEARTBEAT <–> active
• What is made highly available is the "service"
  HA nginx service: vip / nginx process [/ shared storage]
  Resources: the "components" that together form a highly available service
  (1) the number of passive nodes
  (2) resource switchover

High-availability cluster concepts
• shared storage:
  NAS (Network Attached Storage): a shared file system accessed over the network
  SAN (Storage Area Network): block-level storage shared over the network
• Network partition
  quorum: the majority of nodes required to act
    with quorum: > total/2
    without quorum: <= total/2
  Isolation device: fence

High-availability cluster concepts
Two-node cluster
  Auxiliary devices: ping node, quorum disk (arbitration device)
• Failover: when the master node of a resource fails, the resource is moved to another node
• Failback: once the failed master node has been repaired and brought back online, the resources that were moved to other nodes are switched back to it
• HA cluster implementations:
  AIS (Application Interface Specification)
  RHCS: Red Hat Cluster Suite
  heartbeat: service high availability based on heartbeat monitoring
  pacemaker / corosync: resource management and failover
  vrrp (Virtual Router Redundancy Protocol): removes the single-point risk of a static gateway at the software layer; implemented by keepalived

High-availability clusters: back-end storage
https://access.redhat.com/documentation/zhcn/red_hat_enterprise_linux/5/html/cluster_suite_overview/s1-rhgfs-overview-cso


High-availability clusters: back-end storage

JBOD (Just a Bunch Of Disks) is not a standard RAID level. It usually denotes a set of disks with no controlling software coordinating them: JBOD chains several physical disks together and presents them as one large logical disk. Data is written starting on the first disk and, once that disk is full, continues sequentially on the next one. JBOD performs exactly like a single disk and offers no data protection; it is simply a way of extending storage capacity, and its usable capacity is the sum of the capacities of all member disks.


Keepalived overview
• keepalived: a software implementation of the VRRP protocol, originally designed to make the ipvs service highly available
• Functions:
  • moving addresses (VIPs) between nodes based on the VRRP protocol
  • generating ipvs rules on the node that currently holds the VIP (predefined in the configuration file)
  • health checking of each RS in the ipvs cluster
  • a script-call interface: running scripts that carry out the actions defined in them and so influence cluster behaviour; this is how nginx, haproxy and similar services are supported

VRRP: network-layer implementation


Keepalived overview
• Components:
  User-space core components:
    vrrp stack: VIP advertisement
    checkers: monitoring of real servers
    system call: marking real server weights
    SMTP: mail component
    ipvs wrapper: generation of IPVS rules
    Netlink Reflector: network interfaces
    WatchDog: process monitoring
  Control components: configuration file parser
  IO multiplexer
  Memory management component


Keepalived overview
• keepalived implements the vrrp protocol: Virtual Router Redundancy Protocol
• Terminology:
  Virtual router: Virtual Router
  Virtual router identifier: VRID (0-255), uniquely identifies a virtual router
  Physical routers:
    master: the master device
    backup: the backup device
    priority: priority
  VIP: Virtual IP = vip
  VMAC: Virtual MAC (00-00-5e-00-01-VRID)

Keepalived overview
• Advertisements: heartbeat, priority and so on; sent periodically
• Operating modes: preemptive, non-preemptive
• Security:
  Authentication: none, or simple string authentication with a pre-shared key
• Working modes:
  master/backup: a single virtual router
  master/master: master/backup (virtual router 1) plus backup/master (virtual router 2)

Keepalived environment preparation
• Time must be synchronised on all nodes
• Disable selinux and the firewall

Keepalived installation
• Installing Keepalived:
  # yum install keepalived   (CentOS)
  # apt-get install keepalived   (Ubuntu)
• Program environment:
  • Main configuration file: /etc/keepalived/keepalived.conf
  • Main program file: /usr/sbin/keepalived
  • Unit File:
    • /usr/lib/systemd/system/keepalived.service (CentOS)
    • /lib/systemd/system/keepalived.service (Ubuntu)
  • Environment file of the Unit File:
    • /etc/sysconfig/keepalived

Keepalived configuration
• Sections of the configuration file:
  • TOP HIERARCHY
    GLOBAL CONFIGURATION: Global definitions
    VRRP CONFIGURATION: VRRP instance(s), i.e. the individual vrrp virtual routers
    LVS CONFIGURATION: Virtual server group(s), Virtual server(s): the vs and rs of the ipvs cluster

Keepalived configuration
• Configuration syntax: a virtual router is configured with vrrp_instance <NAME> { … }
• Parameters:
  state MASTER|BACKUP: initial state of the current node in this virtual router, MASTER or BACKUP
  interface IFACE_NAME: physical interface bound to this virtual router, e.g. ens32, eth0, bond0, br0
  virtual_router_id VRID: unique identifier of this virtual router, range 0-255
  priority 100: priority of this physical node within the virtual router; range 1-254
  advert_int 1: interval between vrrp advertisements, default 1s

Keepalived configuration
  authentication {   # authentication mechanism
      auth_type AH|PASS
      auth_pass <PASSWORD>   # only the first 8 characters are significant
  }
  virtual_ipaddress {   # virtual IPs
      <IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
      192.168.200.17/24 dev eth1
      192.168.200.18/24 dev eth2 label eth2:1
  }
  track_interface {   # network interfaces to monitor; if one fails the node enters the FAULT state and the address moves away
      eth0
      eth1
  }

Multicast configuration example - MASTER (part 1):
  global_defs {
      notification_email {
          root@localhost   # recipients of the mail sent when keepalived fails over; one address per line, several allowed
      }
      notification_email_from keepalived@localhost
      smtp_server 127.0.0.1
      smtp_connect_timeout 30
      router_id ha1.example.com
      vrrp_skip_check_adv_addr   # checking every packet costs performance; with this option a packet from the same router as the previous one skips the source-address check
      vrrp_strict   # strict VRRP compliance; disallows: 1. no VIP address, 2. unicast peers configured, 3. IPv6 addresses in VRRP version 2
      vrrp_garp_interval 0   # delay between ARP messages
      vrrp_gna_interval 0   # delay between messages
      vrrp_mcast_group4 224.0.0.18   # default multicast IP address, 224.0.0.0 to 239.255.255.255
      #vrrp_iptables
  }
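As an added example, not part of the original slides: a decoder for the VRRPv2 advertisement described above (VRID, priority, advert interval, VIPs, auth data, VMAC) with checksum verification, plus a small audit that compares a captured advertisement against the VRID, priorities and VIPs we configured. The packet is constructed inline; field layout follows RFC 3768, and the `build_vrrp_adv`/`audit_adv` names are this example's own.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (VRRPv2 uses no pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_vrrp_adv(vrid, priority, vips, auth_pass=b"", adver_int=1):
    """Constructed VRRPv2 ADVERTISEMENT: 8-byte header, 4 bytes per VIP, 8 bytes auth data."""
    auth_type = 1 if auth_pass else 0                  # 0 = none, 1 = simple text password
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth = auth_pass[:8].ljust(8, b"\x00")             # only the first 8 bytes of auth_pass fit
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), auth_type, adver_int, 0)
    pkt = hdr + body + auth
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]

def parse_vrrp_adv(pkt: bytes) -> dict:
    """Decode a VRRPv2 advertisement; reject it when the checksum does not verify."""
    if inet_checksum(pkt) != 0:
        raise ValueError("VRRP checksum mismatch")
    ver_type, vrid, prio, n, auth_type, adv, _ = struct.unpack("!BBBBBBH", pkt[:8])
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(n)]
    return {
        "version": ver_type >> 4, "type": ver_type & 0xF, "vrid": vrid,
        "priority": prio, "auth_type": auth_type, "adver_int": adv, "vips": vips,
        "auth_data": pkt[8 + 4 * n:16 + 4 * n].rstrip(b"\x00"),
        "vmac": "00:00:5e:00:01:%02x" % vrid,           # virtual MAC the master uses for the VIP
    }

def audit_adv(adv: dict, vrid: int, priorities: tuple, vips: list) -> list:
    """Compare a captured advertisement with our own configuration; return anomalies."""
    findings = []
    if adv["vrid"] != vrid:
        findings.append("unexpected VRID %d on this segment" % adv["vrid"])
    if adv["priority"] not in priorities:
        findings.append("priority %d matches no configured node" % adv["priority"])
    if sorted(adv["vips"]) != sorted(vips):
        findings.append("VIP list %s differs from configured %s" % (adv["vips"], vips))
    if adv["auth_type"] == 1:
        findings.append("simple auth: auth_pass %r is visible in cleartext" % adv["auth_data"])
    return findings
```

With one VIP the packet is 20 bytes, matching the `length 20` that tcpdump reports for the advertisements later in this page; the audit shows why `auth_type PASS` only identifies peers on a trusted segment and cannot keep a misconfigured or unexpected advertiser off it.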

Multicast configuration example - MASTER (part 2):
  vrrp_instance VI_1 {
      state MASTER
      interface eth0
      virtual_router_id 80
      priority 100
      advert_int 1
      authentication {
          auth_type PASS
          auth_pass 1111qwer
      }
      virtual_ipaddress {
          192.168.7.248 dev eth0 label eth0:0
      }
  }

Multicast configuration example - BACKUP (part 1):
  global_defs {
      notification_email {
          root@localhost
      }
      notification_email_from keepalived@localhost
      smtp_server 127.0.0.1
      smtp_connect_timeout 30
      router_id ha2.example.com
      vrrp_skip_check_adv_addr
      # vrrp_strict   # strict VRRP compliance
      vrrp_garp_interval 0   # delay between ARP messages
      vrrp_gna_interval 0   # delay between messages
      vrrp_mcast_group4 224.0.0.18   # multicast IP address, 224.0.0.0 to 239.255.255.255
      #vrrp_iptables
  }

Multicast configuration example - BACKUP (part 2):
  vrrp_instance VI_1 {
      state BACKUP
      interface eth0
      virtual_router_id 80
      priority 90
      advert_int 1
      authentication {
          auth_type PASS
          auth_pass 1111qwer
      }
      virtual_ipaddress {
          192.168.7.248 dev eth0 label eth0:0
      }
  }

VIP test
• # iptables -D INPUT -s 0.0.0.0/0 -d 192.168.7.248 -j DROP   # a yum install generates this firewall rule automatically; delete it or prevent it from being generated

  [root@s2 keepalived]# tcpdump -i eth0 -nn host 224.0.0.18
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  11:05:10.171787 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:11.17392 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:12.174960 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:13.177004 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:14.179056 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:15.181030 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:16.183228 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:17.185245 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:18.187184 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:19.189323 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:20.191093 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:21.193182 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:22.195389 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:23.197183 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20
  11:05:24.199273 IP 192.168.7.101 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 100, authtype simple, intvl 1s, length 20

  [root@s2 ~]# ping 192.168.7.248
  PING 192.168.7.248 (192.168.7.248) 56(84) bytes of data.
  64 bytes from 192.168.7.248: icmp_seq=7 ttl=64 time=0.059 ms
  64 bytes from 192.168.7.248: icmp_seq=8 ttl=64 time=0.067 ms
  64 bytes from 192.168.7.248: icmp_seq=9 ttl=64 time=0.068 ms
  64 bytes from 192.168.7.248: icmp_seq=10 ttl=64 time=0.065 ms

Non-preemptive mode
• nopreempt   # disables VIP preemption; every keepalived server must have state BACKUP
  (only the lines that differ from the multicast example are shown)
  vrrp_instance VI_1 {
      state BACKUP
      interface eth0
      virtual_router_id 88
      priority 100
      advert_int 1
      nopreempt
  }
  vrrp_instance VI_1 {
      state BACKUP
      interface eth0
      virtual_router_id 88
      priority 80
      advert_int 1
      nopreempt
  }

Delayed preemption mode
• preempt_delay 60s   # delayed preemption; the default delay is 300s; every keepalived server must have state BACKUP
  vrrp_instance VI_1 {
      state BACKUP
      interface eth0
      virtual_router_id 88
      priority 100
      advert_int 1
      preempt_delay 60s   # delayed preemption, default delay 300s
  }
  vrrp_instance VI_1 {
      state BACKUP
      interface eth0
      virtual_router_id 88
      priority 80
      advert_int 1
  }

Unicast VIP configuration and example
  unicast_src_ip <IPADDR>   # source IP of the unicast advertisements
  unicast_peer {            # IP address(es) of the unicast peer(s), i.e. the destination host(s)
      <PEER_IPADDR>
  }
• [root@s2 ~]# tcpdump -i eth0 -nn host 172.18.200.101 and host 172.18.200.102
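The three preemption behaviours above (default, nopreempt, preempt_delay) as an added, constructed election model, not keepalived's code: two nodes with priorities 100 and 80, the higher one fails and returns, and the timeline shows who holds the VIP after each event. The node names, event times and the simplified election rule are this example's assumptions.

```python
class Node:
    def __init__(self, name, priority, nopreempt=False, preempt_delay=0):
        self.name, self.priority = name, priority
        self.nopreempt = nopreempt          # never take the VIP back from a lower-priority master
        self.preempt_delay = preempt_delay  # seconds a returning higher-priority node waits first
        self.up, self.up_since = False, 0

def vip_holder(nodes, master, now):
    """One election round at time `now`; returns the node that should hold the VIP."""
    alive = [n for n in nodes if n.up]
    if not alive:
        return None
    if master is None or not master.up:
        # No master is advertising any more: the highest priority among live nodes wins.
        return max(alive, key=lambda n: n.priority)
    for n in alive:
        higher = n.priority > master.priority
        delay_over = now - n.up_since >= n.preempt_delay
        if higher and not n.nopreempt and delay_over:
            return n                        # preemption: the VIP moves back to the better node
    return master

def simulate(events, nodes):
    """events: (t, node_name, 'up'|'down'|'tick'); returns the VIP holder after each event."""
    by_name = {n.name: n for n in nodes}
    master, timeline = None, []
    for t, name, action in sorted(events):
        node = by_name[name]
        if action != "tick":
            node.up = action == "up"
            if node.up:
                node.up_since = t           # restart time, the reference point for preempt_delay
        master = vip_holder(nodes, master, t)
        timeline.append((t, master.name if master else None))
    return timeline

# Constructed scenario: ka1 (prio 100) fails at t=10 and returns at t=20 after ka2 (prio 80) took over.
EVENTS = [(0, "ka1", "up"), (0, "ka2", "up"), (10, "ka1", "down"), (20, "ka1", "up"), (90, "ka1", "tick")]

def run(nopreempt=False, preempt_delay=0):
    nodes = [Node("ka1", 100, nopreempt, preempt_delay), Node("ka2", 80, nopreempt)]
    return simulate(EVENTS, nodes)
```

With default settings the VIP flaps back to ka1 the moment it restarts; with nopreempt it stays on ka2 until ka2 itself fails; with preempt_delay 60 it returns only at t=80 or later, which is the point of the 60s setting on the slide.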

Keepalived dual-master configuration
• Two or more VIPs run on different keepalived servers, so that the servers serve web traffic in parallel and server resources are used more fully.



Keepalived notification configuration
Sender configuration:
  [root@s2 ~]# yum install mailx -y
  [root@s2 ~]# vim /etc/mail.rc
  set from=2973707860@qq.com
  set smtp=smtp.qq.com
  set smtp-auth-user=2973707860@qq.com
  set smtp-auth-password=mfcjxxjezawgdgee
  set smtp-auth=login
  set ssl-verify=ignore

Keepalived notification configuration
• Defining notification scripts:
  notify_master <STRING>|<QUOTED-STRING>: script triggered when the current node becomes master
  notify_backup <STRING>|<QUOTED-STRING>: script triggered when the current node becomes backup
  notify_fault <STRING>|<QUOTED-STRING>: script triggered when the current node enters the "fault" state
  notify <STRING>|<QUOTED-STRING>: generic notification hook; one script handles the notifications for all three state transitions

Keepalived notification script
  [root@localhost keepalived]# cat /etc/keepalived/notify.sh
  #!/bin/bash
  contact='2973707860@qq.com'
  notify() {
      mailsubject="$(hostname) to be $1, vip 转移"
      mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
      echo "$mailbody" | mail -s "$mailsubject" $contact
  }
  case $1 in
  master)
      notify master
      ;;
  backup)
      notify backup
      ;;
  fault)
      notify fault
      ;;
  *)
      echo "Usage: $(basename $0) {master|backup|fault}"
      exit 1
      ;;
  esac

Keepalived notification configuration
• Invoking the scripts:
  notify_master "/etc/keepalived/notify.sh master"
  notify_backup "/etc/keepalived/notify.sh backup"
  notify_fault "/etc/keepalived/notify.sh fault"

  vrrp_instance <NAME> {
      state BACKUP
      interface eth0
      virtual_router_id 81
      priority 60
      advert_int 1
      unicast_src_ip 192.168.7.101
      unicast_peer {
          192.168.7.102
      }
      authentication {
          auth_type PASS
          auth_pass 1111qwer
      }
      virtual_ipaddress {
          192.168.7.249 dev eth0 label eth0:1
      }
      notify_master "/etc/keepalived/notify.sh master"
      notify_backup "/etc/keepalived/notify.sh backup"
      notify_fault "/etc/keepalived/notify.sh fault"
  }
  [root@localhost keepalived]# hostname
  localhost.localdomain
  [root@localhost keepalived]#

Keepalived notification verification
• Stop the keepalived service and verify that a notification mail arrives after the IP switches over:
  (screenshot: inbox showing four mails from root@localhost.localdomain received today, with subjects of the form "localhost.localdomain to be master, vip 转移" and "localhost.localdomain to be backup, vip 转移")

KeepAlived and IPVS
Virtual server configuration parameters:
Defining a virtual server:
  virtual_server IP port   # IP address and port of the virtual host
  virtual_server fwmark int   # ipvs firewall mark, for load-balancing clusters keyed on firewall marks
  virtual_server group string   # groups several virtual servers and defines the group as one virtual service
  virtual_server IP port {
      real_server {
      }
  }

KeepAlived and IPVS
  delay_loop <INT>: interval between checks of the back-end servers
  lb_algo rr|wrr|lc|wlc|lblc|sh|dh: scheduling method
  lb_kind NAT|DR|TUN: cluster type
  persistence_timeout <INT>: persistent connection duration
  protocol TCP|UDP|SCTP: service protocol
  sorry_server <IPADDR> <PORT>: backup server address used when all RSs are down
  real_server <IPADDR> <PORT> {
      weight <INT>: RS weight
      notify_up <STRING>|<QUOTED-STRING>: script run when the RS comes up
      notify_down <STRING>|<QUOTED-STRING>: script run when the RS goes down
      HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK { … }: health check method for this real server
  }

Application-layer checks
• HTTP_GET|SSL_GET: application-layer check
  HTTP_GET|SSL_GET {
      url {
          path <URL_PATH>: the URL to monitor
          status_code <INT>: response code that counts as healthy
      }
      connect_timeout <INT>: client request timeout, equivalent to haproxy's timeout server
      nb_get_retry <INT>: number of retries
      delay_before_retry <INT>: delay before a retry
      connect_ip <IPADDR>: IP address of the RS to send the health check to
      connect_port <PORT>: port of the RS to send the health check to
      bindto <IPADDR>: source address used for the health check
      bind_port <PORT>: source port used for the health check
  }

TCP checks
• Transport-layer check
  TCP_CHECK {
      connect_ip <IPADDR>: IP address of the RS to send the health check to
      connect_port <PORT>: port of the RS to send the health check to
      bindto <IPADDR>: source address used for the health check
      bind_port <PORT>: source port used for the health check
      connect_timeout <INT>: client request timeout, equivalent to haproxy's timeout server
  }
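As an added example (not keepalived's checker code): the HTTP_GET and TCP_CHECK probes above reimplemented against a throwaway HTTP server started on 127.0.0.1, so the difference between "port answers" and "page returns the configured status_code" is visible, together with a retry loop for nb_get_retry/delay_before_retry. The retry semantics (RS marked down only after nb_get_retry consecutive failures) and the helper names are this example's assumptions.

```python
import http.client, http.server, socket, threading, time

def tcp_check(connect_ip, connect_port, connect_timeout=3.0):
    """TCP_CHECK: healthy when a TCP handshake to connect_ip:connect_port completes in time."""
    try:
        with socket.create_connection((connect_ip, connect_port), timeout=connect_timeout):
            return True
    except OSError:                      # refused, unreachable or timed out
        return False

def http_get_check(connect_ip, connect_port, path, status_code=200, connect_timeout=3.0):
    """HTTP_GET: healthy only when GET <path> on the RS answers with the configured status_code."""
    conn = http.client.HTTPConnection(connect_ip, connect_port, timeout=connect_timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == status_code
    except OSError:
        return False
    finally:
        conn.close()

def check_with_retry(probe, nb_get_retry=3, delay_before_retry=0.0, sleep=time.sleep):
    """Assumed semantics: the RS is declared down only after nb_get_retry consecutive failed
    probes, delay_before_retry seconds apart. Returns (healthy, probes_used)."""
    for attempt in range(1, nb_get_retry + 1):
        if probe():
            return True, attempt
        if attempt < nb_get_retry:
            sleep(delay_before_retry)
    return False, nb_get_retry

class _RS(http.server.BaseHTTPRequestHandler):
    """Constructed real server: only /index.html is healthy, everything else is 404."""
    def do_GET(self):
        self.send_response(200 if self.path == "/index.html" else 404)
        self.end_headers()
    def log_message(self, *args):
        pass

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _RS)   # port 0: kernel picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    ip, port = srv.server_address
    result = {"tcp": tcp_check(ip, port), "http_ok": http_get_check(ip, port, "/index.html"),
              "http_404": http_get_check(ip, port, "/missing")}
    srv.shutdown()
    srv.server_close()
    result["tcp_after_down"] = tcp_check(ip, port, connect_timeout=1.0)   # RS gone: refused
    return result
```

A TCP_CHECK passes as long as something listens on the port, so an RS whose application is up but serving errors still receives traffic; HTTP_GET with a status_code catches that case, at the cost of one request per delay_loop.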
