Keepalived cross-subnet setup -- KeepAlived on different subnets


If keepalived nodes are not on the same subnet, they cannot form a cluster automatically. Of the three methods below, I used the first; the other two are provided for reference.

Solutions

1. unicast_peer and notify_script

Reference: serverfault.com/questions/7…

One approach is to use the unicast_peer option so that keepalived instances on different subnets talk to each other over unicast, and then use the notify_script option to call a script that moves an IP Failover (provided by your hosting provider): when keepalived transitions to MASTER (there is a notify_master rule), the script sends an API request to the provider telling it to move the IP Failover to the other service.

Configuration example

global_defs {
  vrrp_version 2
  vrrp_garp_master_delay 1
  vrrp_garp_master_refresh 60
  script_user root
  enable_script_security
}

vrrp_script chk_haproxy {
  script "/etc/keepalived/scripts/check_haproxy.sh"
  timeout 1
  interval 5 # check every 5 seconds
  fall 2 # require 2 failures for KO
  rise 2 # require 2 successes for OK
}

vrrp_instance lb-vips {
  state {{KEEPALIVED_STATE}}
  interface {{KEEPALIVED_INTERFACE}}
  virtual_router_id {{KEEPALIVED_VIRTUAL_ROUTER_ID}}
  priority {{KEEPALIVED_PRIORITY}}
  advert_int 1
  unicast_src_ip {{KEEPALIVED_UNICAST_SRC}}
  unicast_peer {
    X.X.X.X # list the IPs of all other keepalived nodes here
    X.X.X.X
  }
  authentication {
    auth_type PASS
    auth_pass {{KEEPALIVED_AUTH_PASSWORD}}
  }
  track_script {
    chk_haproxy
  }
  notify "/etc/keepalived/scripts/notify_script.sh"
}
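The template above is filled in per node through its {{KEEPALIVED_*}} placeholders. The following bash script is an added example, not code from the original post: it renders such a template from environment variables and pre-flights the result before it is installed, failing on unresolved placeholders, malformed or self-referencing unicast addresses and an empty auth_pass, and warning about the cleartext auth_type PASS and a missing enable_script_security. The embedded template, the variable names (KEEPALIVED_PEER in particular) and the sample values are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original post): render a keepalived template
# whose {{NAME}} placeholders come from environment variables, then pre-flight
# the rendered config for the cross-subnet unicast setup described above.

# Constructed template mirroring the post's placeholders (sample, not a real file).
SAMPLE_TEMPLATE='vrrp_instance lb-vips {
  state {{KEEPALIVED_STATE}}
  interface {{KEEPALIVED_INTERFACE}}
  virtual_router_id {{KEEPALIVED_VIRTUAL_ROUTER_ID}}
  priority {{KEEPALIVED_PRIORITY}}
  advert_int 1
  unicast_src_ip {{KEEPALIVED_UNICAST_SRC}}
  unicast_peer {
    {{KEEPALIVED_PEER}}
  }
  authentication {
    auth_type PASS
    auth_pass {{KEEPALIVED_AUTH_PASSWORD}}
  }
}'

# Replace every {{NAME}} with $NAME. Unset names are left in place so the
# validator below flags them instead of silently emitting an empty field.
render_template() {
  local tpl="$1" name
  while IFS= read -r name; do
    [ -n "${!name+set}" ] || continue
    tpl=${tpl//"{{$name}}"/${!name}}
  done < <(grep -oE '\{\{[A-Z0-9_]+\}\}' <<<"$tpl" | tr -d '{}' | sort -u)
  printf '%s\n' "$tpl"
}

# True when $1 is a dotted-quad IPv4 address.
is_ipv4() {
  local IFS=. octet
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Pre-flight a rendered config. Prints findings; returns 1 on any ERROR.
validate_conf() {
  local conf="$1" errors=0 src peer pass
  if grep -q '{{' <<<"$conf"; then
    echo "ERROR: unresolved placeholder(s): $(grep -oE '\{\{[A-Z0-9_]+\}\}' <<<"$conf" | tr '\n' ' ')"
    errors=$((errors + 1))
  fi
  src=$(awk '$1 == "unicast_src_ip" { print $2 }' <<<"$conf")
  if ! is_ipv4 "$src"; then
    echo "ERROR: unicast_src_ip '$src' is not an IPv4 address"
    errors=$((errors + 1))
  fi
  # Peers are the non-comment lines inside the unicast_peer { ... } block.
  while IFS= read -r peer; do
    if ! is_ipv4 "$peer"; then
      echo "ERROR: unicast_peer '$peer' is not an IPv4 address"
      errors=$((errors + 1))
    elif [ "$peer" = "$src" ]; then
      echo "ERROR: unicast_peer $peer is this node's own unicast_src_ip"
      errors=$((errors + 1))
    fi
  done < <(awk '/^[ \t]*unicast_peer[ \t]*\{/ { inblk = 1; next }
                inblk && /\}/ { inblk = 0 }
                inblk && $1 !~ /^#/ { print $1 }' <<<"$conf")
  pass=$(awk '$1 == "auth_pass" { print $2 }' <<<"$conf")
  if [ -z "$pass" ]; then
    echo "ERROR: auth_pass is empty"
    errors=$((errors + 1))
  elif [ ${#pass} -gt 8 ]; then
    echo "WARN: auth_pass longer than 8 characters; VRRP only carries the first 8"
  fi
  grep -q 'auth_type[ \t]*PASS' <<<"$conf" &&
    echo "WARN: auth_type PASS sends the password in cleartext on the wire"
  grep -q '^[ \t]*enable_script_security' <<<"$conf" ||
    echo "WARN: enable_script_security is not set in global_defs"
  [ "$errors" -eq 0 ]
}

# Usage: export the KEEPALIVED_* variables for this node, then run with --demo
# to print the rendered config followed by the validator's findings.
if [ "${1:-}" = "--demo" ]; then
  rendered=$(render_template "$SAMPLE_TEMPLATE")
  printf '%s\n' "$rendered"
  validate_conf "$rendered"
fi
```

The validator deliberately leaves an unresolved placeholder in the output rather than substituting an empty string: an empty auth_pass or a missing peer would otherwise produce a config that keepalived loads but that never pairs with the other node.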

notify_script example

notify_script is an option that names a script to execute whenever keepalived's state changes. The script can perform custom actions such as sending an email notification, calling an API, or running other commands.

What notify_script contains depends on what you want to achieve, but in general it should be an executable file that accepts three arguments:
$1 is the keepalived instance name
$2 is the keepalived state (MASTER, BACKUP or FAULT)
$3 is the keepalived type (INSTANCE or GROUP)

#!/bin/bash
# keepalived notify script. keepalived invokes it with four arguments:
#   $1 = "INSTANCE" or "GROUP", $2 = instance/group name,
#   $3 = new state (MASTER, BACKUP, FAULT or STOP), $4 = priority.
TYPE=$1
INSTANCE=$2
STATE=$3

# IP Failover parameters (X.X.X.X are placeholders; fill in your own values)
OVH_ENDPOINT=ovh-eu
OVH_APP_KEY=X.X.X.X
OVH_APP_SECRET=X.X.X.X
OVH_CONSUMER_KEY=X.X.X.X
FAILOVER_IP=X.X.X.X
FAILOVER_SERVICE=X.X.X.X

# Email parameters
EMAIL_FROM=myadmin@myserver
EMAIL_TO=myuser@mydomain
EMAIL_SUBJECT="Keepalived notification"
EMAIL_BODY="Keepalived $TYPE $INSTANCE changed to state $STATE"

# If the state is MASTER, move the IP Failover to this server.
# The OVH API signs a request as "$1$" + SHA1(app secret + "+" + consumer key
# + "+" + method + "+" + full URL + "+" + body + "+" + timestamp) and expects
# the same timestamp in X-Ovh-Timestamp.
if [ "$STATE" = "MASTER" ]; then
  METHOD=POST
  URL="https://$OVH_ENDPOINT/api/dedicated/server/$FAILOVER_SERVICE/failover/$FAILOVER_IP"
  BODY="ipOnDestination=1.1.10.101"
  TIMESTAMP=$(date +%s)
  SIGNATURE='$1$'$(printf '%s' "$OVH_APP_SECRET+$OVH_CONSUMER_KEY+$METHOD+$URL+$BODY+$TIMESTAMP" | sha1sum | cut -d' ' -f1)
  curl -X "$METHOD" \
    -H "X-Ovh-Application: $OVH_APP_KEY" \
    -H "X-Ovh-Consumer: $OVH_CONSUMER_KEY" \
    -H "X-Ovh-Timestamp: $TIMESTAMP" \
    -H "X-Ovh-Signature: $SIGNATURE" \
    "$URL" -d "$BODY"
fi

# Send an email notification using the mailx command
echo "$EMAIL_BODY" | mailx -s "$EMAIL_SUBJECT" -r "$EMAIL_FROM" "$EMAIL_TO"

check_haproxy.sh example

check_haproxy.sh is a script that checks the state of the haproxy service: it returns 0 if haproxy is running normally and 1 otherwise. It can be used as keepalived's vrrp_script so that keepalived decides whether to trigger a failover based on the state of haproxy.

What check_haproxy.sh contains depends on how your haproxy is configured and run, but in general it should be an executable file that uses pidof or ps to check whether the haproxy process exists, or uses curl or nc to check whether the port haproxy listens on responds.

#!/bin/bash
# Health check for keepalived's vrrp_script: exit 0 when haproxy is healthy,
# exit 1 otherwise so that keepalived counts a failure.

# Check that a haproxy process exists
if ! pidof haproxy > /dev/null; then
  exit 1
fi

# Check that haproxy is listening on port 80
if ! nc -z localhost 80 > /dev/null 2>&1; then
  exit 1
fi

# haproxy is running and listening on port 80
exit 0
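Both scripts are run as root because the global_defs above set script_user root together with enable_script_security, and with that option keepalived refuses to run a script if any component of its path is writable by a non-root user. The following bash script is an added example, not part of the original post or of keepalived itself: it approximates that rule (owner must be root, no world-write bit, no group-write bit for a non-root group) for every prefix of a script's path so you can check /etc/keepalived/scripts/*.sh before a reload. It assumes GNU stat (Linux); the component_insecure, check_component and script_path_is_secure names are the example's own.

```bash
#!/bin/bash
# Added example (not from the original post or from keepalived): approximate
# the path check keepalived applies under enable_script_security when a script
# runs as root. Assumes GNU coreutils stat.

# Decide from numeric owner uid, group gid and octal mode (as printed by
# stat -c '%u %g %a') whether one path component is writable by a non-root
# user. Returns 0 (true) when the component is insecure.
component_insecure() {
  local uid="$1" gid="$2" octal="$3" mode
  mode=$((8#$octal))
  # Owned by a non-root user: that user can write to it or chmod it.
  [ "$uid" -ne 0 ] && return 0
  # World-writable, e.g. /tmp with mode 1777.
  [ $((mode & 2)) -ne 0 ] && return 0
  # Group-writable by a group other than root.
  [ $((mode & 16)) -ne 0 ] && [ "$gid" -ne 0 ] && return 0
  return 1
}

# stat one path component and report it if insecure.
check_component() {
  local uid gid mode
  read -r uid gid mode < <(stat -c '%u %g %a' "$1")
  if component_insecure "$uid" "$gid" "$mode"; then
    echo "insecure: $1 (uid=$uid gid=$gid mode=$mode)"
    return 1
  fi
}

# Walk /, then every prefix of an absolute path down to the file itself.
# Returns 0 only when the whole path is acceptable.
script_path_is_secure() {
  local path="$1" cur="" part parts
  case $path in /*) ;; *) echo "not an absolute path: $path"; return 1 ;; esac
  [ -e "$path" ] || { echo "does not exist: $path"; return 1; }
  check_component / || return 1
  IFS=/ read -ra parts <<<"${path#/}"
  for part in "${parts[@]}"; do
    [ -n "$part" ] || continue        # skip empty parts from doubled slashes
    cur="$cur/$part"
    check_component "$cur" || return 1
  done
  echo "ok: $path"
}

# Usage: ./check_script_paths.sh --check /etc/keepalived/scripts/*.sh
if [ "${1:-}" = "--check" ]; then
  shift
  status=0
  for f in "$@"; do
    script_path_is_secure "$f" || status=1
  done
  exit "$status"
fi
```

A script dropped under /tmp or in an operator's home directory fails this walk even if the file itself is root-owned and mode 0700, which is the usual reason keepalived logs that it will not run a notify or check script after enable_script_security is turned on.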

2. vrrp_sync_group

Reference: stackoverflow.com/questions/6…

Another approach is the vrrp_sync_group option, which synchronizes two or more keepalived instances into one group; each instance is then given its own interface and virtual IP address, one for the external and one for the internal subnet. You can also use the track_interface and track_script options to monitor the state of interfaces and services and trigger a failover as needed.

Configuration example

global_defs {
  notification_email_from myadmin@myserver
  smtp_server localhost
  smtp_connect_timeout 30
  router_id LVS_DEVEL
}

vrrp_script check_nginx {
  script "/usr/libexec/keepalived/check_nginx.sh"
  interval 3
}

vrrp_sync_group link_instances {
  group {
    real
    stop_duplicate
  }
}

vrrp_instance real {
  state BACKUP
  interface eth0
  virtual_router_id 1
  priority 250 # This will be a lower value on the other router
  version 3 # not necessary, but you may as well use the current protocol
  advert_int 1
  nopreempt

  track_interface {
    eth1
  }

  track_script {
    check_nginx
  }

  unicast_src_ip 115.197.1.166
  unicast_peer {
    115.197.1.167
  }

  virtual_ipaddress {
    115.197.1.170/32 dev eth0
  }
}

vrrp_instance stop_duplicate {
  state BACKUP
  interface eth1
  virtual_router_id 1
  priority 255
  version 3
  advert_int 1
  nopreempt

  unicast_src_ip 192.168.0.3
  unicast_peer {
    192.168.0.4
  }

  virtual_ipaddress {
    192.168.0.5/29
  }
}

3. vrrp_sync_group and track_interface

Reference: github.com/acassen/kee…

Another approach is to disable the TTL check in the VRRP protocol, because that check requires sender and receiver to be on the same Ethernet segment, whereas in unicast mode VRRP advertisements are likely to cross network segments. You can add the vrrp_skip_check_adv_addr or vrrp_strict option to the keepalived configuration file to disable the TTL check:

vrrp_skip_check_adv_addr
or
vrrp_strict off