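Keepalived Hot Standby for Nginx on Two Nodes (CentOS 7)
On CentOS 7, use Keepalived to build a high-availability cluster for Nginx in which the VIP fails over automatically, removing the single point of failure.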
I. Environment
| Node | OS version | IP address | Role | NIC name | Virtual IP (VIP) |
|---|---|---|---|---|---|
| Nginx01 | CentOS 7 64bit | 192.168.200.10 | Master node | ens33 | 192.168.200.12 |
| Nginx02 | CentOS 7 64bit | 192.168.200.20 | Backup node | ens33 | 192.168.200.12 |
II. Before you begin
Steps marked "run on both nodes" must be run on both Nginx01 and Nginx02; steps marked as specific to Nginx01 or Nginx02 are run only on that node.
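III. Install dependencies (run on both nodes)
```bash
# Install build dependencies (the OpenSSL headers are packaged as openssl-devel on CentOS)
yum -y install gcc gcc-c++ make popt-devel openssl-devel
# Install Nginx (if not already installed)
yum -y install epel-release
yum -y install nginx
```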
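IV. Install Keepalived (run on both nodes)
1. Download and unpack the source package
```bash
# Download Keepalived 2.3.4 (official site; switch to a domestic mirror if it is slow)
wget https://www.keepalived.org/software/keepalived-2.3.4.tar.gz
# Unpack
tar -zxvf keepalived-2.3.4.tar.gz
cd keepalived-2.3.4/
```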
2. Build and install
```bash
# Set the installation prefix
./configure --prefix=/opt/keepalived
# Build and install
make && make install
```
3. Set up the system symlink and the service file
```bash
# Symlink the keepalived binary into the system path
ln -s /opt/keepalived/sbin/keepalived /sbin/keepalived
# Create the configuration directory and copy the default configuration
mkdir -p /etc/keepalived
cp -rf /opt/keepalived/etc/keepalived/keepalived.conf.sample /etc/keepalived/keepalived.conf
# Copy the sysconfig file
cp /opt/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
# Create the systemd service file
# ('EOF' is quoted so the shell writes $KEEPALIVED_OPTIONS and $MAINPID literally
#  instead of expanding them to empty strings)
cat > /usr/lib/systemd/system/keepalived.service <<'EOF'
[Unit]
Description=Keepalive Daemon (LVS and VRRP)
After=syslog.target network-online.target
Wants=network-online.target
ConditionFileNotEmpty=/etc/keepalived/keepalived.conf

[Service]
Type=forking
KillMode=process
EnvironmentFile=-/etc/sysconfig/keepalived
ExecStart=/sbin/keepalived $KEEPALIVED_OPTIONS
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
EOF
# Reload the systemd configuration
systemctl daemon-reload
```
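4. Create the Keepalived failover script
```bash
# Create the script file
vi /opt/keepalived/down.sh
```
Paste the following script:
```bash
#!/bin/bash
pkill keepalived
```
Make the script executable:
```bash
chmod +x /opt/keepalived/down.sh
```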
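V. Edit the Keepalived configuration file
1. Configuration for Nginx01 (master node) only
```bash
# Empty the existing configuration
> /etc/keepalived/keepalived.conf
# Edit the configuration file
vi /etc/keepalived/keepalived.conf
```
Paste the following configuration: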
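```
! Configuration File for keepalived
global_defs {
    router_id NG_HA_MASTER          # Master node identifier; must differ from the backup node's
}
vrrp_instance VI_1 {
    state MASTER                    # This node's role is master
    interface ens33                 # NIC the VIP is bound to
    virtual_router_id 66            # Virtual router ID (1-255); must match on both nodes
    priority 100                    # Priority; the master's is higher than the backup's
    advert_int 1                    # Heartbeat interval (seconds)
    # Unicast (avoids multicast conflicts)
    unicast_src_ip 192.168.200.10   # This node's IP
    unicast_peer {
        192.168.200.20              # Peer (backup node) IP
    }
    # Authentication
    authentication {
        auth_type PASS              # Authentication type
        auth_pass 1111              # Authentication password; must match on both nodes
    }
    # Virtual IP
    virtual_ipaddress {
        192.168.200.12/32           # VIP address (/32 avoids subnet conflicts)
    }
}
# Real-server health check (monitors Nginx on port 80)
virtual_server 192.168.200.12 80 {
    delay_loop 2                    # Check interval (seconds)
    persistence_timeout 50          # Session persistence timeout (seconds)
    protocol TCP                    # Protocol
    real_server 192.168.200.10 80 {
        weight 3                    # Weight
        notify_down /opt/keepalived/down.sh   # Script run when this node fails
        # TCP port check
        TCP_CHECK {
            connect_timeout 3       # Connection timeout (seconds)
            retry 3                 # Number of retries
            delay_before_retry 3    # Delay between retries (seconds)
        }
    }
}
```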
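2. Configuration for Nginx02 (backup node) only
```bash
# Empty the existing configuration
> /etc/keepalived/keepalived.conf
# Edit the configuration file
vi /etc/keepalived/keepalived.conf
```
Paste the following configuration: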
```
! Configuration File for keepalived
global_defs {
    router_id NG_HA_BACKUP          # Backup node identifier; must differ from the master node's
}
vrrp_instance VI_1 {
    state BACKUP                    # This node's role is backup
    interface ens33                 # NIC the VIP is bound to
    virtual_router_id 66            # Virtual router ID; same as on the master
    priority 50                     # Priority; lower than the master's
    advert_int 1                    # Heartbeat interval (seconds)
    # Unicast
    unicast_src_ip 192.168.200.20   # This node's IP
    unicast_peer {
        192.168.200.10              # Peer (master node) IP
    }
    # Authentication (same as on the master)
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # Virtual IP (same as on the master)
    virtual_ipaddress {
        192.168.200.12/32
    }
}
# Real-server health check
virtual_server 192.168.200.12 80 {
    delay_loop 2
    persistence_timeout 50
    protocol TCP
    real_server 192.168.200.20 80 {
        weight 3
        notify_down /opt/keepalived/down.sh
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}
```
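Both configurations hand `/opt/keepalived/down.sh` to keepalived, which runs as root, and protect the VRRP exchange with `auth_pass 1111`. The script below is an added example, not part of the original guide: it audits a keepalived.conf for a missing or short `auth_pass` and for notify scripts (or their directory) that group or other users could modify. The function names are hypothetical, and the 8-character threshold reflects that keepalived uses only the first eight characters of `auth_pass`.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a keepalived.conf for a
# short auth_pass and for notify scripts that group/other could modify.
# Function names are hypothetical.

# Print "ok" if neither group nor other may write to $1, else "writable".
perm_state() {
    # ls -ld mode string: character 6 is group-write, character 9 is other-write
    bits=$(ls -ld "$1" | cut -c6,9)
    [ "$bits" = "--" ] && echo ok || echo writable
}

# Print one finding per line for config file $1; print nothing if it is clean.
audit_keepalived_conf() {
    conf=$1
    # Strip '#' and '!' comments, then take the first auth_pass value.
    pass=$(sed 's/[#!].*//' "$conf" | awk '$1 == "auth_pass" { print $2; exit }')
    if [ -z "$pass" ]; then
        echo "auth_pass: not set"
    elif [ "${#pass}" -lt 8 ]; then
        echo "auth_pass: shorter than 8 characters"
    fi
    # Check every notify script path (and its directory) once.
    sed 's/[#!].*//' "$conf" |
    awk '$1 ~ /^notify(_master|_backup|_fault|_stop|_down|_up)?$/ { gsub(/"/, "", $2); print $2 }' |
    sort -u |
    while read -r script; do
        [ -e "$script" ] || { echo "$script: missing"; continue; }
        [ "$(perm_state "$script")" = ok ] || echo "$script: writable by group/other"
        dir=$(dirname "$script")
        [ "$(perm_state "$dir")" = ok ] || echo "$dir: directory writable by group/other"
    done
}

# Constructed sample: the page's auth_pass and notify_down lines, pointing at a
# deliberately world-writable copy of down.sh in a temporary directory.
demo() {
    d=$(mktemp -d) && chmod 755 "$d"
    printf '#!/bin/bash\npkill keepalived\n' > "$d/down.sh"
    chmod 777 "$d/down.sh"
    printf 'auth_pass 1111 # must match on both nodes\nnotify_down %s\n' "$d/down.sh" > "$d/keepalived.conf"
    audit_keepalived_conf "$d/keepalived.conf"
    rm -rf "$d"
}
demo
```

keepalived can enforce a similar check itself: `enable_script_security` in `global_defs` makes it refuse to run scripts as root when any part of their path is writable by a non-root user.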
VI. Start the services and enable them at boot (run on both nodes)
```bash
# Start Nginx
systemctl start nginx
systemctl enable nginx
# Start Keepalived
systemctl start keepalived
systemctl enable keepalived
# Check service status
systemctl status keepalived
systemctl status nginx
```
VII. Verify the VIP binding (run on both nodes)
```bash
ip a
```
Expected output (Nginx01, master node)
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:0c:29:61:29:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.10/24 brd 192.168.200.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.200.12/32 scope global ens33    # VIP is bound on the master node
       valid_lft forever preferred_lft forever
```
Expected output (Nginx02, backup node)
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:0c:29:25:4e:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.20/24 brd 192.168.200.255 scope global ens33
       valid_lft forever preferred_lft forever
    # The backup node initially has no VIP
```
VIII. Verify VIP failover
1. Stop the Nginx service on the master node Nginx01
```bash
# Run on Nginx01
pkill nginx
# or: systemctl stop nginx
```
2. Check the failover result
Run `ip a` on the backup node Nginx02; expected output:
```
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:0c:29:25:4e:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.20/24 brd 192.168.200.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.200.12/32 scope global ens33    # VIP has moved to the backup node
       valid_lft forever preferred_lft forever
```
3. Restore the Nginx service on the master node (optional)
```bash
# Run on Nginx01
systemctl start nginx
systemctl restart keepalived
```
After this, the VIP moves back to the master node Nginx01.
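The checks in sections VII and VIII can be scripted. The following is an added example, not part of the original guide: it classifies the cluster state from `ip -o -4 addr show dev ens33` output captured on each node, including the case where both nodes hold the VIP because VRRP advertisements between them are not getting through. The sample lines are constructed, and the function names and the host names in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): classify the cluster state from
# `ip -o -4 addr show dev ens33` output captured on each node.
VIP=192.168.200.12

# Read `ip -o -4 addr show` output on stdin; print "yes" if address $1 is bound.
# The address is compared exactly, so 192.168.200.120 does not match the VIP.
holds_vip() {
    awk -v vip="$1" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == vip) found = 1 }
        END { print (found ? "yes" : "no") }'
}

# $1 = output captured on Nginx01, $2 = output captured on Nginx02.
vip_state() {
    m=$(printf '%s\n' "$1" | holds_vip "$VIP")
    b=$(printf '%s\n' "$2" | holds_vip "$VIP")
    case "$m$b" in
        yesno)  echo "master-holds-vip" ;;
        noyes)  echo "backup-holds-vip" ;;
        yesyes) echo "split-brain" ;;
        *)      echo "vip-unbound" ;;
    esac
}

# Constructed samples in the one-line-per-address format printed by `ip -o`.
N1_ADDR='2: ens33    inet 192.168.200.10/24 brd 192.168.200.255 scope global ens33\       valid_lft forever preferred_lft forever'
N2_ADDR='2: ens33    inet 192.168.200.20/24 brd 192.168.200.255 scope global ens33\       valid_lft forever preferred_lft forever'
VIP_ADDR='2: ens33    inet 192.168.200.12/32 scope global ens33\       valid_lft forever preferred_lft forever'

# Normal operation, then the state after Nginx is stopped on Nginx01.
vip_state "$N1_ADDR
$VIP_ADDR" "$N2_ADDR"
vip_state "$N1_ADDR" "$N2_ADDR
$VIP_ADDR"

# Live use (host names are assumptions):
#   vip_state "$(ssh nginx01 ip -o -4 addr show dev ens33)" \
#             "$(ssh nginx02 ip -o -4 addr show dev ens33)"
```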
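IX. Key settings
| Setting | Purpose |
|---|---|
| router_id | Unique node identifier; must differ between master and backup; used only to tell the nodes apart in logs |
| state MASTER/BACKUP | Node role label; the actual priority (priority) decides which node holds the VIP |
| virtual_router_id | Virtual router group ID; must be identical on master and backup, otherwise they cannot form an HA group |
| priority | Node priority; a higher number means higher priority; the master's must be higher than the backup's |
| unicast_peer | Unicast heartbeat; replaces multicast mode and avoids firewalls blocking VRRP packets |
| notify_down | Script run when the node fails; triggers VIP failover |
| TCP_CHECK | Port health check; ensures a node holds the VIP only while its Nginx service is running normally |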
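X. Troubleshooting
1. The VIP cannot be bound
- Check the NIC name: run `ip link show` and confirm the NIC is `ens33`;
- Disable the firewall/SELinux: `systemctl stop firewalld && systemctl disable firewalld`, then `setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config`;
- Check whether `virtual_router_id` conflicts: switch to an ID that is not in use (for example 67).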
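If firewalld has to stay enabled, the traffic this setup needs can be allowed explicitly. The following is an added example, not part of the original guide: it admits VRRP only from the peer node's address and opens HTTP for Nginx. The function names and the `FIREWALL_CMD` override are assumptions of this example; `firewall-cmd` and its rich-rule syntax are firewalld's own.

```shell
#!/bin/sh
# Added example (not from the original guide): allow VRRP from the HA peer and
# HTTP to Nginx through firewalld rather than stopping firewalld.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}   # override (e.g. with "echo") for a dry run

# Succeed only for a single dotted-quad IPv4 address with octets 0-255, so the
# value can be placed inside the rich rule without altering it.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR == 1 && NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
            next
        }
        { ok = 0 }
        END { exit !ok }'
}

# $1 = peer address: 192.168.200.20 when run on Nginx01, 192.168.200.10 on Nginx02.
allow_vrrp_from_peer() {
    valid_ipv4 "$1" || { echo "invalid peer address: $1" >&2; return 2; }
    "$FIREWALL_CMD" --permanent \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" protocol value=\"vrrp\" accept" &&
    "$FIREWALL_CMD" --permanent --add-service=http &&
    "$FIREWALL_CMD" --reload
}

# On Nginx01, as root:  allow_vrrp_from_peer 192.168.200.20
# On Nginx02, as root:  allow_vrrp_from_peer 192.168.200.10
```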
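2. VIP failover does not take effect
- Check the script permissions: make sure `/opt/keepalived/down.sh` is executable (`chmod +x`);
- View the Keepalived log: `journalctl -u keepalived -f`
- Verify the Nginx port: run `telnet 192.168.200.10 80` to confirm the port is reachable.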
3. Keepalived fails to start
- Check the configuration file syntax: `keepalived -t -f /etc/keepalived/keepalived.conf`
- Check that the dependencies are fully installed: re-run `yum -y install gcc openssl-devel popt-devel`.