1. keepalived basics
keepalived is a health-checking tool designed for LVS and HAProxy:
- Supports automatic failover
- Supports node health checking
1.1 The VRRP protocol
VRRP: Virtual Router Redundancy Protocol.
Related terms:
- Virtual router: not a real device but a logical one. For example, router 1 and router 2 are combined into one group, and that group is the virtual router.
- Virtual router identifier: virtual_router_id, abbreviated VRID.
  - Range: 0-255
  - Purpose: identifies whether routers belong to the same group; only members of the same group speak VRRP with each other.
- VIP: the virtual IP, i.e. the gateway address, the address that serves clients.
- VMAC: the MAC address of the virtual router.
- master, backup: the primary device and the standby device.
- priority: the node with the higher priority is the master, the one with the lower priority is the backup. A priority of 255 makes the node master outright.
1.2 VRRP mechanisms
How VRRP advertisements are sent: neither unicast nor broadcast, but multicast; the default group address is 224.0.0.18 ⭐⭐
An advertisement carries the heartbeat, the priority, and so on.
Three working modes:
- Preemptive: when the master fails, the backup takes over; as soon as the original master recovers, it immediately becomes master again.
- Non-preemptive: when the master fails, the backup takes over and becomes master; when the original master recovers it does not retake the master role but stays as backup.
- Delayed preemption: when the master fails, the backup takes over; when the original master recovers, it waits a while for things to stabilize before becoming master again instead of taking over immediately.
Advertisements between master and backup are transmitted in plaintext.
Side note: the official Keepalived website
Website: http://keepalived.org/
1.3 keepalived core components ⭐⭐
Official documentation:
https://keepalived.org/doc/
http://keepalived.org/documentation.html
- vrrp stack: sends the heartbeat and announces the VIP (virtual IP).
- checkers: check the health of the backend servers; in short, they monitor whether the real servers are alive.
- system call: apart from the LVS-specific module, keepalived has only one generic module, the script module; it runs scripts when the VRRP state changes.
- SMTP: the mail component (alert mail).
- IPVS wrapper: generates the LVS rules automatically.
- Netlink Reflector: the network interface component (floats the virtual IP address (VIP) between nodes).
Side note: WatchDog monitors the processes.
- Control component: provides the keepalived.conf parser and completes the Keepalived configuration.
- I/O multiplexer: keepalived's own thread abstraction, optimized for network purposes.
- Memory management component: provides access to some generic memory-management functions (allocation, reallocation, release, and so on).
2. Installing keepalived with yum or from source ⭐
2.1 yum install:
yum install keepalived -y
Note: problems during installation are not reported as errors. After starting the service, check its status to confirm it really started!
2.2 Building from source:
yum install gcc curl openssl-devel libnl3-devel net-snmp-devel -y    //install the build dependencies
wget https://keepalived.org/software/keepalived-2.2.2.tar.gz    //download the tarball from the official site
tar xf keepalived-2.2.2.tar.gz
cd keepalived-2.2.2/
./configure --prefix=/usr/local/keepalived
make
make install
The service file is generated automatically.
systemctl start keepalived    //note: this start fails, because the main configuration file /etc/keepalived/keepalived.conf is missing
mkdir -p /etc/keepalived    //create the directory yourself
cp /usr/local/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/    //copy the sample main configuration file
vim /etc/keepalived/keepalived.conf
interface ens33    //line 21: change eth0 to ens33; with a wrong interface name the start fails again.
systemctl start keepalived
Side note 1: replace the interface name with sed
sed -i 's/eth0/ens33/' /etc/keepalived/keepalived.conf
Side note 2: how to rename the network interface permanently?
The grub2 configuration file is /etc/default/grub
[root@localhost ~]# vim /etc/default/grub    #open the configuration file
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet net.ifnames=0"    #append "net.ifnames=0" at the end of this line
GRUB_DISABLE_RECOVERY="true"
[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg    #regenerate the grub configuration
3. keepalived configuration files
| Name | Description |
|---|---|
| Package name | keepalived |
| Main configuration file | /etc/keepalived/keepalived.conf ⭐ |
| Main program | /usr/sbin/keepalived |
| Sample configuration files | /usr/share/doc/keepalived/ (path for a yum install) |
The main configuration file has three parts:
- Global configuration (GLOBAL CONFIGURATION)
  - Defines the mail settings, router_id, VRRP settings, the multicast address, and so on.
- Virtual router settings (VRRP CONFIGURATION)
  - Defines the rules and basic information of each VRRP virtual router.
- LVS settings (LVS CONFIGURATION)
  - Rules for the director (scheduler)
  - Rules for the real servers
3.1 Global configuration
global_defs {
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }    //recipient mailboxes
    notification_email_from Alexandre.Cassen@firewall.loc    //sender address
    smtp_server 127.0.0.1    //can be changed to the loopback address ⭐
    smtp_connect_timeout 30    //SMTP server timeout, 30 seconds
    router_id LVS_DEVEL    //unique identifier of this server; LVS_DEVEL can be customized ⭐
    vrrp_skip_check_adv_addr    //once an advertisement of a given type has been checked and found valid, skip the check for a while; improves efficiency and reduces overhead.
    vrrp_strict    //strict mode. Comment it out, do not enable it ⭐
    vrrp_garp_interval 0    //default; 0 means gratuitous ARP is sent without delay
    vrrp_gna_interval 0    //delay for sending unsolicited (neighbour advertisement) messages; 0 means no delay
}
***** Options missing from the global block can be added by hand *****
vrrp_mcast_group4 224.0.0.18    //multicast group address; a custom one may be used. ⭐ Valid multicast range: 224.0.0.0 to 239.255.255.255; default: 224.0.0.18
***** Firewall rule: avoid adding this *****
vrrp_iptables    //firewall policy
When this option is enabled together with vrrp_strict (strict mode), no firewall rules are added; if vrrp_strict is commented out, this option is not needed either, or should be commented out along with it!!
3.2 Virtual router configuration
vrrp_instance VI_1 {
    state MASTER    //whether this server is the master or the backup; for the backup write BACKUP, in upper case!!! ⭐
    interface ens33    //interface to listen on; the virtual IP is configured on this interface ⭐
    virtual_router_id 51    //identifier of the virtual router group; must be identical on master and backup ⭐
    priority 100    //priority; higher on the master, lower on the backup ⭐
    advert_int 1    //heartbeat advertisement interval, one per second ⭐
    authentication {
        auth_type PASS
        auth_pass 1111    //authentication between master and backup; plaintext, no need to change
    }
    virtual_ipaddress {    //the virtual IPs (VIPs); several may be set ⭐
        192.168.125.123    //a netmask may be appended; without one the default is /32
        192.168.125.124
        192.168.125.125
        192.168.200.102/24 dev eth2 label eth2:1    //VIP bound to interface eth2, with interface label eth2:1
    }
    track_interface {    //interfaces to monitor; if one fails the instance goes to FAULT and the address is moved
        eth0
        eth1
    }
}
3.3 LVS configuration
virtual_server 192.168.125.123 80 {    //virtual IP; keep it consistent with the VIP set above.
    delay_loop 6    //backend health check interval, 6 seconds ⭐
    lb_algo rr    //scheduling algorithm, round robin ⭐
    lb_kind NAT    //LVS working mode, here NAT ⭐
    persistence_timeout 0    //persistent connections; set to 0 ⭐
    protocol TCP    //protocol to listen on; TCP, UDP is rarely used
    real_server 192.168.201.100 443 {    //real server
        weight 1    //weight ⭐
        SSL_GET {    //health check method ⭐
            url {
                path /
                digest ff20ad2481f97b1754ef3e12ecd3a9cc
            }
            url {
                path /mrtg/
                digest 9b3a0c85a887a256d6939da88aabd8cd
            }
            connect_port 80    //port to check ⭐
            connect_timeout 3    //connection timeout, 3 seconds ⭐
            nb_get_retry 3    //number of retries, 3; if there is still no reply after 3 tries, the server is considered down ⭐
            delay_before_retry 3    //delay between retries, 3 seconds ⭐
        }
    }
}
4. LVS + keepalived lab
Using LVS-DR mode
Lab environment:
Master: 7-1 192.168.125.100
Backup: 7-2 192.168.125.120
Real server 1: 7-3 192.168.125.130
Real server 2: 7-5 192.168.125.150
Virtual IP: 192.168.125.123
Client: 7-6 192.168.125.160
7-3:
[root@7-3 ~]# systemctl stop firewalld
[root@7-3 ~]# setenforce 0
[root@7-3 ~]# yum install httpd -y
`Disable persistent connections:`
[root@7-3 ~]# systemctl start httpd
[root@7-3 ~]# vim /etc/httpd/conf/httpd.conf
keepalive off    //can be put at the very end; note that it is keepalive without the d
[root@7-3 ~]# systemctl restart httpd
`Prepare the page:`
[root@7-3 ~]# cd /var/www/html
[root@7-3 html]# echo "7-3 keepalived" > index.html
7-5:
[root@7-5 ~]# systemctl stop firewalld
[root@7-5 ~]# setenforce 0
[root@7-5 ~]# yum install httpd -y
`Disable persistent connections:`
[root@7-5 ~]# systemctl start httpd
[root@7-5 ~]# vim /etc/httpd/conf/httpd.conf
keepalive off    //can be put at the very end (G in vim jumps there)
[root@7-5 ~]# systemctl restart httpd
`Prepare the page:`
[root@7-5 ~]# cd /var/www/html
[root@7-5 html]# echo "7-5 LVS" > index.html
Note: the items marked ⭐ are generally the ones that need adjusting.
7-1: master
`1. Install the software:`
[root@7-1 ~]# yum install ipvsadm.x86_64 keepalived.x86_64 -y
[root@7-1 ~]# ipvsadm-save > /etc/sysconfig/ipvsadm    //create the rule file the ipvsadm service needs before it can start
[root@7-1 ~]# systemctl start ipvsadm
[root@7-1 ~]# systemctl status ipvsadm    //check that it is running
`2. Verify that 7-3 and 7-5 are set up correctly`
[root@7-1 ~]# curl 192.168.125.150
7-5 LVS
[root@7-1 ~]# curl 192.168.125.130
7-3 keepalived
`3. Configure keepalived:`
[root@7-1 ~]# cd /etc/keepalived
[root@7-1 keepalived]# cp keepalived.conf keepalived.conf.bak    //make a backup in case you mistype!!!
[root@7-1 keepalived]# ls
keepalived.conf keepalived.conf.bak
[root@7-1 keepalived]# vim keepalived.conf    //edit the configuration file
global_defs {
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1 ⭐
    smtp_connect_timeout 30
    router_id LVS_01 ⭐
    vrrp_skip_check_adv_addr
    #vrrp_strict ⭐
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33 ⭐
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.125.123 ⭐
    }
}
virtual_server 192.168.125.123 80 { ⭐
    delay_loop 6
    lb_algo rr
    lb_kind DR ⭐
    persistence_timeout 0 ⭐
    protocol TCP
    real_server 192.168.125.130 80 { ⭐
        weight 1
        TCP_CHECK { ⭐
            connect_port 80 ⭐
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.125.150 80 { ⭐
        weight 1
        TCP_CHECK { ⭐
            connect_port 80 ⭐
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}    //be very careful about the number of braces, and keep them aligned!!!
[root@7-1 keepalived]# systemctl restart keepalived.service    //restart
[root@7-1 keepalived]# ip a    //look at the virtual IP
`Copy the configuration file to 7-2 with scp`
[root@7-1 keepalived]# scp keepalived.conf 192.168.125.120:/etc/keepalived/
The authenticity of host '192.168.125.120 (192.168.125.120)' can't be established.
ECDSA key fingerprint is SHA256:WjsC0+WKTtKhSyTw1eKyRuxBCboW9Co4pRQeZ+OXTeM.
ECDSA key fingerprint is MD5:b7:93:96:0c:a2:ff:8a:ec:45:3f:bd:6e:ce:3a:0a:38.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.125.120' (ECDSA) to the list of known hosts.
root@192.168.125.120's password:
keepalived.conf 100% 1175 3.5MB/s 00:00
Side note: `ip a` shows the virtual IP; ifconfig does not show it.
7-2: backup
[root@7-2 ~]# yum install ipvsadm.x86_64 keepalived.x86_64 -y
[root@7-2 ~]# ipvsadm-save > /etc/sysconfig/ipvsadm    //create the rule file the ipvsadm service needs before it can start
[root@7-2 ~]# systemctl start ipvsadm
[root@7-2 ~]# systemctl status ipvsadm    //check that it is running
[root@7-2 ~]# cd /etc/keepalived/
[root@7-2 keepalived]# cp keepalived.conf keepalived.conf.bak    //backup
[root@7-2 keepalived]# vim keepalived.conf
`1. Change the global configuration:`
router_id LVS_02
`2. Virtual router configuration:`
state BACKUP    //set to backup
priority 80    //lower the priority a little, to 80
`3. LVS configuration:`
Apart from the changes above, nothing else needs modifying
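As an added check (example code, not from the original post): before restarting keepalived on 7-1 and 7-2, a short shell script can compare the two configuration files for the mistakes this lab keeps warning about: unbalanced braces, a virtual_router_id or auth_pass that differs between the nodes, a router_id or priority that is the same on both, or a wrong state pair. The two configuration files inside the script are constructed inline from the lab values so it runs without keepalived; the file names and the temporary directory are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): sanity-check a master/backup
# keepalived.conf pair before restarting the service.
# - counts '{' and '}' so an unbalanced block is caught before keepalived is,
# - extracts router_id, state, priority, virtual_router_id and auth_pass,
# - checks the rules the lab relies on: same VRID and auth_pass on both nodes,
#   different router_id and priority, and MASTER/BACKUP (or BACKUP/BACKUP for
#   the nopreempt / preempt_delay modes).
# File names and the temporary directory below are assumptions.

# Print "open close" brace counts for a config file, ignoring comment lines
# (keepalived comments start with '#' or '!').
brace_counts() {
    awk '!/^[ \t]*[#!]/ { o += gsub(/[{]/, ""); c += gsub(/[}]/, "") }
         END { printf "%d %d\n", o, c }' "$1"
}

# Print the value of a key such as "state" or "priority"; first match wins,
# which is what we want for the single-instance lab config.
conf_value() {   # conf_value <file> <key>
    awk -v key="$2" '!/^[ \t]*[#!]/ && $1 == key { print $2; exit }' "$1"
}

# Compare a master config with a backup config. Prints one line per finding
# and returns 0 only when every check passes.
check_pair() {   # check_pair <master.conf> <backup.conf>
    m=$1; b=$2; rc=0
    for f in "$m" "$b"; do
        counts=$(brace_counts "$f")
        open=${counts% *}; close=${counts#* }
        if [ "$open" != "$close" ]; then
            echo "FAIL $f: $open '{' but $close '}'"; rc=1
        fi
    done
    if [ "$(conf_value "$m" virtual_router_id)" != "$(conf_value "$b" virtual_router_id)" ]; then
        echo "FAIL virtual_router_id differs: the nodes would not form one VRRP group"; rc=1
    fi
    if [ "$(conf_value "$m" auth_pass)" != "$(conf_value "$b" auth_pass)" ]; then
        echo "FAIL auth_pass differs: advertisements would be rejected"; rc=1
    fi
    if [ "$(conf_value "$m" router_id)" = "$(conf_value "$b" router_id)" ]; then
        echo "FAIL router_id is the same on both nodes"; rc=1
    fi
    if [ "$(conf_value "$m" priority)" -le "$(conf_value "$b" priority)" ]; then
        echo "FAIL master priority is not higher than backup priority"; rc=1
    fi
    ms=$(conf_value "$m" state); bs=$(conf_value "$b" state)
    case "$ms/$bs" in
        MASTER/BACKUP|BACKUP/BACKUP) ;;
        *) echo "FAIL state pair $ms/$bs (expected MASTER/BACKUP, or BACKUP/BACKUP with nopreempt)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $m / $b"
    return "$rc"
}

# Constructed sample configs using the lab values (VRID 51, VIP 192.168.125.123).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/master.conf" <<'EOF'
global_defs {
    router_id LVS_01
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.125.123
    }
}
EOF
# The backup copy has a deliberate defect: the final closing brace is missing.
cat > "$TMPD/backup.conf" <<'EOF'
global_defs {
    router_id LVS_02
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.125.123
    }
EOF
# Fixed copy: the same content with the brace restored.
{ cat "$TMPD/backup.conf"; echo "}"; } > "$TMPD/backup-fixed.conf"

check_pair "$TMPD/master.conf" "$TMPD/backup.conf" || echo "(backup.conf rejected, as expected)"
check_pair "$TMPD/master.conf" "$TMPD/backup-fixed.conf"
```

keepalived itself can syntax-check a single file with `keepalived -t -f <file>`; the script above is meant for the pair-level mismatches (VRID, auth_pass, priority, state) that a one-file syntax check cannot see.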
[root@7-2 keepalived]# systemctl restart keepalived.service    //restart
[root@7-2 keepalived]# ip a    //look at the addresses; the virtual IP 192.168.125.123 does not show up here, because the VIP sits on whichever node is master.
7-6: capture packets to verify that the master/backup setup works:
[root@7-6 ~]# tcpdump -i ens33 host 224.0.0.18 -nn    //capture the multicast group 224.0.0.18
① Stop keepalived on the master 7-1; the backup 7-2 can be seen taking over:
systemctl stop keepalived.service
② Start it on 7-1 again; 7-1 can be seen becoming master again:
systemctl start keepalived.service
Settings on 7-3 and 7-5:
`Suppress ARP replies and announcements for the VIP:`
[root@7-3 html]# vim /etc/sysctl.conf
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
[root@7-3 html]# sysctl -p
`Add the virtual interface and the virtual IP:`
[root@7-3 html]# ifconfig ens33:0 192.168.125.123/24
7-6: verify that the backend servers can be reached through the virtual IP
[root@7-6 ~]# curl 192.168.125.123
7-5 LVS
[root@7-6 ~]# curl 192.168.125.123
7-3 keepalived
//After stopping the master, access still works:
[root@7-6 ~]# curl 192.168.125.123
7-5 LVS
[root@7-6 ~]# curl 192.168.125.123
7-3 keepalived
5. Preemption modes (building on the lab above)
Preemption modes:
- Immediate preemption: one master and one backup (the setup used in the lab above)
- Non-preemptive: two backups
- Delayed preemption: two backups
5.1 Immediate preemption
The default preemption mode is immediate preemption.
Drawbacks:
- Causes two network disruptions (one when the master leaves, one when it comes back)
- Risky: right after an immediate takeover the node may fail again, so it is unstable
5.2 Non-preemptive mode
nopreempt
`7-1:`
[root@7-1 keepalived]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state BACKUP    //both nodes are set to BACKUP ⭐
    interface ens33
    virtual_router_id 51
    priority 100    //higher priority ⭐
    advert_int 1
    nopreempt    //add this line; it means no preemption ⭐
    ...
}
[root@7-1 keepalived]# systemctl restart keepalived.service
`7-2:`
[root@7-2 keepalived]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state BACKUP    //both nodes are set to BACKUP ⭐
    interface ens33
    virtual_router_id 51
    priority 80    //lower priority ⭐
    advert_int 1
    nopreempt    //no preemption ⭐
    ...
}
[root@7-2 keepalived]# systemctl restart keepalived.service
5.3 Delayed preemption mode
preempt_delay 30
preempt_delay    //specifies the preemption delay in seconds; without a number the default delay is 300s
***** Note: every keepalived server must have state BACKUP, and vrrp_strict must not be enabled
`7-1:`
[root@7-1 keepalived]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state BACKUP    //both nodes are set to BACKUP ⭐
    interface ens33
    virtual_router_id 51
    priority 100    //higher priority
    advert_int 1
    preempt_delay 30    //delayed preemption mode; the default delay is 300s ⭐
    ...
}
[root@7-1 keepalived]# systemctl restart keepalived.service
`7-2:`
[root@7-2 keepalived]# vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state BACKUP    //both nodes are set to BACKUP ⭐
    interface ens33
    virtual_router_id 51
    priority 80    //lower priority
    advert_int 1
    preempt_delay 30    //delayed preemption mode; the default delay is 300s ⭐
    ...
}
[root@7-2 keepalived]# systemctl restart keepalived.service
6. Changing the unicast and multicast addresses
6.1 Changing the multicast group
vrrp_mcast_group4 234.6.6.6
7-1:
vim /etc/keepalived/keepalived.conf
vrrp_mcast_group4 192.168.125.223    //add it in the global configuration block
systemctl restart keepalived.service
7-2:
vim /etc/keepalived/keepalived.conf
vrrp_mcast_group4 192.168.125.223    //add it in the global configuration block
systemctl restart keepalived.service
6.2 Switching to unicast
Note: when switching to unicast, remove the multicast setting!!!
Put these lines at the end of the VIP configuration, on the second-to-last line.
7-1: master
unicast_src_ip 192.168.125.100    //this host's IP
unicast_peer {
    192.168.125.120    //the peer's IP; several may be added
}
systemctl reload keepalived
Note: the format of these lines is easy to get wrong; avoid copy-pasting them, type them by hand!!!
7-2: backup (the reverse of the master)
unicast_src_ip 192.168.125.120    //this host's IP
unicast_peer {
    192.168.125.100    //the peer's IP
}
systemctl reload keepalived
7-2: capture packets to test:
[root@7-2 keepalived]# tcpdump -i ens33 host 192.168.125.100 -nn    //capture traffic from 7-1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
21:52:13.048129 IP 192.168.125.100 > 192.168.125.120: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20    //unicast from 7-1 to 7-2, captured successfully
7. Notification scripts for master/backup transitions
A master/backup switch can notify the administrator, so that a person can intervene in time and catch anything that went wrong.
Script run when this node becomes master:
notify_master <STRING>|<QUOTED-STRING>
Script run when this node becomes backup:
notify_backup <STRING>|<QUOTED-STRING>
Script run when this node enters the "fault" state:
notify_fault <STRING>|<QUOTED-STRING>
Generic notification hook; one script handles the notifications for all three transitions above:
notify <STRING>|<QUOTED-STRING>
Script run when VRRP is stopped:
notify_stop <STRING>|<QUOTED-STRING>
Edit the configuration file:
[root@7-1 ~]# vim /etc/keepalived/keepalived.conf
notify_master "/opt/keepalive.sh master"    //run this script when this node becomes master
notify_backup "/opt/keepalive.sh backup"    //run this script when this node becomes backup
notify_fault "/opt/keepalive.sh fault"
//the three lines above can go just before the unicast settings
unicast_src_ip 192.168.125.100
unicast_peer {
    192.168.125.120
}
[root@7-1 ~]# systemctl reload keepalived
# Configure the mail account used by the script
[root@localhost opt]# vim /etc/mail.rc    //set the mail account and password
set from=940132245@qq.com
set smtp=smtp.qq.com
set smtp-auth-user=940132245@qq.com
set smtp-auth-password=zqvvpycmrhoubefa
[root@localhost opt]# vim keepalive.sh    //create the keepalive.sh script
#!/bin/bash
#
contact='940132245@qq.com'    # recipient of the alert
# Mail a one-line alert describing the new state ($1) of this host.
notify() {
    mailsubject="$(hostname) to be $1, vip floating"
    mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
    echo "$mailbody" | mail -s "$mailsubject" "$contact"
}
case $1 in
master)
    notify master
    ;;
backup)
    notify backup
    ;;
fault)
    notify fault
    ;;
*)
    echo "Usage: $(basename "$0") {master|backup|fault}"
    exit 1
    ;;
esac
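An added example (not the post's own script) of the generic `notify` form listed above, which replaces the three separate hooks with one script: keepalived calls it with the instance type, the instance name, the new state and the priority as four arguments, so the script can validate the state, record every transition in the local5 syslog facility (the one the logging section below routes to a file), and send the mail. The recipient address, the install path /etc/keepalived/notify.sh and the script name are assumptions.

```bash
#!/bin/bash
# Added example (not the post's own script): one notify script for the generic
# "notify" hook. keepalived calls it with four arguments:
#   $1 = INSTANCE or GROUP, $2 = instance/group name,
#   $3 = new state (MASTER, BACKUP, FAULT, STOP), $4 = priority.
# Every transition is written to syslog facility local5 and mailed to $contact;
# mail is skipped when no mail command is installed.
# Hook it up in vrrp_instance with:  notify "/etc/keepalived/notify.sh"
# (the path and the file name are assumptions).

contact='admin@example.com'     # placeholder recipient, replace with your own

# Accept only the states keepalived can report, so a typo in keepalived.conf
# cannot produce a meaningless alert. Returns 0 for a known state, 1 otherwise.
valid_state() {
    case "$1" in
        MASTER|BACKUP|FAULT|STOP) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the mail subject from host, type, name, state and priority.
# Free of side effects so it can be tested without sending anything.
mail_subject() {   # mail_subject <host> <type> <name> <state> <prio>
    printf '%s: %s %s -> %s (priority %s), VIP floating\n' "$1" "$2" "$3" "$4" "$5"
}

# Build the one-line body; the timestamp is passed in for testability.
mail_body() {      # mail_body <timestamp> <host> <name> <state>
    printf '%s: vrrp transition, %s changed %s to %s\n' "$1" "$2" "$3" "$4"
}

send_alert() {     # send_alert <type> <name> <state> <prio>
    host=$(hostname)
    now=$(date +'%F %T')
    subject=$(mail_subject "$host" "$1" "$2" "$3" "$4")
    body=$(mail_body "$now" "$host" "$2" "$3")
    # syslog first: it still works when the MTA is down, which is exactly
    # when a record of the failover matters most.
    if command -v logger >/dev/null 2>&1; then
        logger -p local5.notice -t keepalived-notify "$subject"
    fi
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s "$subject" "$contact"
    fi
}

main() {
    if [ "$#" -ne 4 ] || ! valid_state "$3"; then
        echo "Usage: $(basename "$0") {INSTANCE|GROUP} <name> {MASTER|BACKUP|FAULT|STOP} <priority>" >&2
        return 1
    fi
    send_alert "$1" "$2" "$3" "$4"
}

# Only act when run as notify.sh by keepalived, not when sourced for testing.
case "$0" in
    *notify.sh) main "$@" ;;
esac
```

Like the post's keepalive.sh, this file needs execute permission (`chmod +x`) before keepalived can run it.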
8. Logging
[root@7-1 ~]# vim /etc/sysconfig/keepalived
KEEPALIVED_OPTIONS="-D -S 5"    //-D: detailed log messages; -S: the syslog facility (local0-local7) to log to, range 0-7
[root@7-1 ~]# mkdir -p /etc/keepalived/log/    //create the directory for the log file
[root@7-1 ~]# vim /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.*    /var/log/boot.log
local5.*    /etc/keepalived/log/keep.log
[root@7-1 ~]# systemctl restart keepalived.service
[root@7-1 ~]# systemctl restart rsyslog.service
[root@7-1 ~]# cat /etc/keepalived/log/keep.log    //view the log file
9. Split brain ⭐⭐⭐
What is split brain:
Because of firewall rules, the heartbeat may not be received, and then there are two masters.
The harm of having two masters: like a "split-brain patient", both sides fight over the "shared resources" and over the "application service", with serious consequences. Either the shared resources are carved up and the service fails to start on both sides, or the service starts on both sides but both read and write the "shared storage" at the same time, corrupting the data.
Simulating split brain:
7-2: backup
iptables -A INPUT -s 192.168.125.100 -j REJECT    //with this firewall rule the backup turns into master while the master on the other side is still there, so split brain occurs
How to prevent split brain with keepalived:
- Use a serial cable and an Ethernet cable at the same time, i.e. two heartbeat paths, so that if one path breaks the other still carries the heartbeat;
- When split brain is detected, forcibly shut down one heartbeat node (this needs special hardware support, such as stonith or fence): when the backup node stops receiving heartbeats, it sends a power-off command to the master over a separate line.
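The capture on 7-6 can also be turned into a detector for the situation above. The following script is an added example, not part of the original post: it reads tcpdump's text output (the same format as the VRRPv2 advertisement line shown in section 6.2), records which source address advertises each vrid, and reports any vrid advertised by more than one source, which is the signature of two masters. The capture lines are constructed to mirror the lab: 7-1 alone before the REJECT rule, then 7-1 and 7-2 both advertising. The script name and the live tcpdump invocation in the comment are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): detect a split brain from a
# tcpdump capture of VRRP advertisements. In a healthy group only the current
# master advertises a given vrid; two different source addresses advertising
# the same vrid at the same time means two nodes both believe they are master.
# Live use (interface and file name are assumptions):
#   tcpdump -i ens33 -nn -l host 224.0.0.18 | bash vrrp-watch.sh
# Here it reads constructed capture lines instead.

# Reduce tcpdump's text output to "vrid source priority" lines, one per
# distinct (vrid, source) pair. Lines that are not VRRP advertisements are ignored.
vrrp_sources() {
    awk '/VRRPv2, Advertisement/ {
            src = $3
            for (i = 1; i <= NF; i++) {
                if ($i == "vrid") vrid = $(i + 1)
                if ($i == "prio") prio = $(i + 1)
            }
            sub(/,$/, "", vrid); sub(/,$/, "", prio)
            key = vrid " " src
            if (!(key in seen)) { seen[key] = 1; print vrid, src, prio }
         }'
}

# Report every vrid advertised by more than one source. Prints one line per
# offending vrid and returns 1 if at least one was found, 0 otherwise.
detect_split_brain() {
    vrrp_sources | awk '{
            n[$1]++; who[$1] = who[$1] " " $2 "(prio " $3 ")"
         } END {
            bad = 0
            for (v in n) if (n[v] > 1) { bad = 1; print "SPLIT-BRAIN vrid " v ":" who[v] }
            exit bad
         }'
}

# Constructed capture: before the firewall rule only 7-1 (prio 100) advertises;
# after it, 7-2 (prio 80) stops hearing 7-1 and starts advertising as well.
HEALTHY='21:52:13.048129 IP 192.168.125.100 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
21:52:14.048301 IP 192.168.125.100 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20'
SPLIT="$HEALTHY
21:52:17.102884 IP 192.168.125.120 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 80, authtype simple, intvl 1s, length 20
21:52:18.048410 IP 192.168.125.100 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20"

printf '%s\n' "$HEALTHY" | detect_split_brain && echo "healthy capture: one advertiser per vrid"
printf '%s\n' "$SPLIT" | detect_split_brain || echo "(split brain reported, as expected)"
```

Because the advertisements are plaintext (section 1.2), the same capture also reveals the priority each node claims, which tells you which side should have won once the heartbeat path is restored.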
10. nginx + keepalived lab ⭐⭐⭐
keepalived can be combined with any software to form a highly available architecture.
10.1 The VRRP Script module
The `vrrp_script module` sits at the same level as the `global configuration (global_defs)`.
vrrp_script <SCRIPT_NAME> {    #define a check script; it is configured outside global_defs
    script <STRING>|<QUOTED-STRING>    #shell command or script path (mind the execute permission); if it returns 0, none of the actions below are taken
    interval <INTEGER>    #check interval in seconds, default 1 second
    timeout <INTEGER>    #timeout for the script
    weight <INTEGER:-254..254>    #priority adjustment, default 0. If negative, the value is added to this node's priority when the script returns non-zero, lowering it (a fall). If positive, the value is added to this node's priority when the script returns 0, raising it (a rise). A negative value is the usual choice.
    fall <INTEGER>    #number of consecutive failed runs before the script is considered failed; 2 or more is recommended
    rise <INTEGER>    #number of consecutive successful runs before the server is marked healthy again
    user USERNAME [GROUPNAME]    #user and group that execute the check script
    init_fail    #start in the failed state; switch to healthy only after a successful check
}
Using the vrrp_script module means writing the script yourself, so that a failure is detected and triggers the switch. There are two steps:
- Define the script
Format:
vrrp_script <SCRIPT_NAME> {
    script <STRING>|<QUOTED-STRING>    #when this script returns non-zero, the OPTIONS below are applied
    OPTIONS
}
Example:
vrrp_script cxk {    //the script is named cxk
    script "/opt/nginx.sh"    //the script under /opt/ is executed
    interval 10    //run the script every 10 seconds
    weight -30    //the priority is automatically reduced by 30
    fall 2    //two consecutive failed runs count as failed
    rise 2    //two consecutive successful runs count as recovered; only then may the node become master again
}
- Call the script
track_script adds the script to the tracking section:
track_script {
    check_down
}
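To make the weight/fall/rise semantics concrete, here is an added example (not from the original post) that simulates them: given a base priority, a weight, the fall and rise counts and a sequence of script exit codes, it prints the effective priority after each check. It goes slightly beyond the text by handling a positive weight and init_fail as well as the usual negative weight. All inputs are constructed; no keepalived is involved.

```bash
#!/bin/bash
# Added example (not from the original post): simulate how keepalived turns a
# sequence of vrrp_script exit codes into an effective priority, following the
# weight/fall/rise rules described above:
#   - negative weight: added to the priority while the script is failing,
#   - positive weight: added to the priority while the script is succeeding,
#   - fall/rise: the number of consecutive results needed to flip the state,
#   - init_fail (optional 6th argument): start in the failed state.
# Exit code 0 counts as success, anything else as failure.

# Print the effective priority after each check result, space-separated.
#   simulate_priority <base> <weight> <fall> <rise> "<exit codes>" [init_fail]
simulate_priority() {
    echo "$5" | awk -v base="$1" -v weight="$2" -v fall="$3" -v rise="$4" -v init="${6:-}" '
        function effective() {
            if (weight < 0) return (state == "DOWN") ? base + weight : base
            return (state == "UP") ? base + weight : base
        }
        BEGIN { state = (init == "init_fail") ? "DOWN" : "UP"; fails = 0; succ = 0 }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i != 0) { fails++; succ = 0 } else { succ++; fails = 0 }
                if (state == "UP" && fails >= fall) state = "DOWN"
                if (state == "DOWN" && succ >= rise) state = "UP"
                sep = (i > 1) ? " " : ""
                out = out sep effective()
            }
            print out
        }'
}

# The priority after the whole sequence: what the peer compares against its
# own priority when deciding who is master.
final_priority() {
    simulate_priority "$@" | awk '{ print $NF }'
}

# Lab values from the post: priority 100, weight -30, fall 2, rise 2, and a
# constructed run in which nginx is down for three checks and then comes back.
simulate_priority 100 -30 2 2 "0 0 1 1 1 0 0 0"
# prints: 100 100 100 70 70 70 100 100
```

With the lab's backup at priority 80, the master's priority drops to 70 on the fourth check, which is the moment the backup wins the election; the two successful checks required by `rise 2` are why the master does not flap back immediately when nginx restarts.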
10.2 nginx + keepalived
- Backend real servers: the simple part, install httpd and create the access page.
7-3:
[root@7-3 ~]# yum install httpd -y
[root@7-3 ~]# systemctl start httpd
[root@7-3 ~]# cd /var/www/html
[root@7-3 html]# echo "7-3 nginx" > index.html
7-5:
[root@7-5 ~]# yum install httpd -y
[root@7-5 ~]# systemctl start httpd
[root@7-5 ~]# cd /var/www/html
[root@7-5 html]# echo "7-5 keepalived" > index.html
- Directors: set up load balancing and the reverse proxy
7-1:
[root@7-1 ~]# systemctl stop firewalld
[root@7-1 ~]# setenforce 0
[root@7-1 ~]# yum install epel-release.noarch -y
[root@7-1 ~]# yum install nginx -y
[root@7-1 ~]# systemctl start nginx
[root@7-1 ~]# vim /etc/nginx/nginx.conf
`Load balancing:`
upstream web {
    server 192.168.125.130;
    server 192.168.125.150;
}
`Reverse proxy:`
location / {
    proxy_pass http://web;
}
[root@7-1 ~]# nginx -s reload
[root@7-1 ~]# scp /etc/nginx/nginx.conf 192.168.125.120:/etc/nginx/
7-2:
[root@7-2 ~]# systemctl stop firewalld
[root@7-2 ~]# setenforce 0
[root@7-2 ~]# yum install epel-release.noarch -y
[root@7-2 ~]# yum install nginx -y
[root@7-2 ~]# systemctl start nginx
***** After the scp copy has been done, reload nginx *****
[root@7-2 ~]# vim /etc/nginx/nginx.conf    //review the configuration copied over from 7-1
[root@7-2 ~]# nginx -s reload
- Directors: install keepalived and change several settings; the parts marked ⭐ are the ones to change.
7-1:
[root@7-1 ~]# yum install keepalived -y
[root@7-1 ~]# vim /etc/keepalived/keepalived.conf
global_defs {
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1 ⭐
    smtp_connect_timeout 30
    router_id LVS_01 ⭐
    vrrp_skip_check_adv_addr
    #vrrp_strict ⭐
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
`Add the script module:` ⭐ 8 new lines
vrrp_script check_down {
    script "/etc/keepalived/ng.sh"    //path of the check script
    interval 1    //run the check every 1s
    weight -30    //if the script fails, the priority is automatically reduced by 30
    fall 3    //only after 3 consecutive failures is it marked as failed
    rise 2    //after nginx comes back, two successful checks are needed before it really counts as healthy
    timeout 2    //timeout 2s
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33 ⭐
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.125.123 ⭐
    }
    track_script {    //3 new lines ⭐
        check_down
    }
}
[root@7-1 ~]# systemctl restart keepalived
[root@7-1 ~]# cd /etc/keepalived/
[root@7-1 keepalived]# vim ng.sh
#!/bin/bash
killall -0 nginx    //the script body: checks whether nginx is alive
`Add execute permission:`
[root@7-1 keepalived]# chmod +x ng.sh
[root@7-1 keepalived]# scp /etc/keepalived/keepalived.conf 192.168.125.120:/etc/keepalived/
7-2:
[root@7-2 ~]# vim /etc/keepalived/keepalived.conf
***** Change the two settings below *****
state BACKUP    //change to backup ⭐
priority 80    //change the priority; it must not be higher than the master's, 80 will do ⭐
[root@7-2 ~]# systemctl restart keepalived
[root@7-2 ~]# cd /etc/keepalived/
[root@7-2 keepalived]# vim ng.sh
#!/bin/bash
killall -0 nginx
`Add execute permission:`
[root@7-2 keepalived]# chmod +x ng.sh
- Access verification
7-6:
`Normal access:`
[root@7-6 ~]# systemctl stop firewalld
[root@7-6 ~]# setenforce 0
[root@7-6 ~]# curl 192.168.125.123
7-3 nginx
[root@7-6 ~]# curl 192.168.125.123
7-5 keepalived
[root@7-6 ~]# curl 192.168.125.123
7-3 nginx
[root@7-6 ~]# curl 192.168.125.123
7-5 keepalived
- Suppose the master 7-1 goes down: 7-2 takes over and becomes master, while 7-1 becomes backup.
7-1:
[root@7-1 keepalived]# systemctl stop nginx
[root@7-1 keepalived]# systemctl stop keepalived    //now 7-1 is the backup and 7-2 the master; check with ip a
[root@7-1 keepalived]# killall -0 nginx    //check whether nginx is still alive
[root@7-1 keepalived]# echo $?    //0 means alive, 1 means down
1
7-6:
[root@7-6 ~]# tcpdump -i ens33 host 224.0.0.18 -nn    //capture to confirm the traffic now comes from 7-2, proving that 7-2 is the master.
[root@7-6 ~]# curl 192.168.125.123
7-3 nginx
[root@7-6 ~]# curl 192.168.125.123
7-5 keepalived
[root@7-6 ~]# curl 192.168.125.123
7-3 nginx
[root@7-6 ~]# curl 192.168.125.123
7-5 keepalived
//With 7-1 down there is no impact; users can still access the service normally. The lab succeeded!