keepalived high availability
1. What is high availability
High availability with keepalived generally means two machines running an identical business system: when one of them goes down, the other machine (server) takes over quickly and keeps the service running normally, so users who are accessing it at that moment notice nothing.
2. keepalived high availability (what can be used)
(1) Hardware: usually **F5**
(2) Software: usually **keepalived**
3. How keepalived implements high availability
keepalived is built on VRRP (Virtual Router Redundancy Protocol), whose main purpose is to remove a single point of failure.
#How VRRP came about and how it works
#Example
Suppose the company reaches the Internet through a gateway. If that router fails, the gateway can no longer forward packets and nobody can get online. What then?
The usual answer is to add a backup router. The problem is that when the master gateway fails, every user has to be repointed to the backup by hand, which is painful when there are many users.
Problem 1: suppose all users have been repointed to the backup router; what happens once the master is repaired?
Problem 2: suppose the master gateway fails; can we simply give the backup gateway the master's IP address?
Not by itself. When a PC first looks up the master gateway, it learns the master's MAC address for that IP through an ARP broadcast and stores the pair in its ARP cache; every later connection builds its frames from that cached entry. Even after the IP has been moved, the MAC address is unique to each NIC, so the PC's packets keep going to the master's MAC until its ARP cache entry expires and a fresh ARP broadcast picks up the backup's MAC (or until the new holder announces itself with a gratuitous ARP, which is what keepalived does on failover).
To get automatic failover, VRRP was introduced. In software or hardware, VRRP places a virtual MAC address (VMAC) and a virtual IP address (VIP) in front of the master and the backup. A PC talks to the VIP, and whether the master or the backup is serving it, the PC's ARP cache only ever records the VIP and the VMAC.
Caveat: keepalived on Linux does not use a VRRP virtual MAC unless `use_vmac` is configured. By default it adds the VIP to the physical interface and announces the failover with gratuitous ARP, so the MAC address clients cache for the VIP changes when the VIP moves (section 5 below relies on exactly that to verify the switch).
#Core concepts of keepalived high availability
(1) How is it decided which node is master and which is backup? (election, priority)
(2) If the master fails and the backup takes over, does the master grab the role back when it recovers? (preemptive vs. non-preemptive)
(3) What happens if both servers believe they are master? (split brain)
4. keepalived high availability environment setup
(1) Prepare the environment
Host | IP | Role |
lb01 | 172.16.1.5 | master |
lb02 | 172.16.1.6 | backup |
keepalived | 192.168.15.4 | VIP |
(172.16.1.5 and 172.16.1.6 are the internal addresses the scripts later on use to reach lb01 and lb02; the VIP lives on the 192.168.15.0/24 side and is bound to eth0.)
(2) Configure the NFS mount point so both nodes share the nginx configuration directory
#Create the export (on the NFS server, 172.16.1.31)
[[email protected] ~]# vim /etc/exports
/nfs/keepalived 172.16.1.0/20(rw,sync,all_squash,anonuid=1000,anongid=1000) #exported directory and the clients allowed to mount it
#Note: every host in 172.16.1.0/20 can write to this directory, and whatever is written there becomes nginx configuration on both load balancers; restrict the export to the two nodes if you can
#Restart the NFS service so the export takes effect
[[email protected] nfs]# systemctl restart nfs-server rpcbind
#Mount it on lb01 and lb02; from now on a configuration change is seen by both nodes
[[email protected] ~]# mount -t nfs 172.16.1.31:/nfs/keepalived /etc/nginx/conf.d/
(3) Install keepalived (on lb01 and lb02)
[[email protected] ~]# yum install -y keepalived
[[email protected] ~]# yum install -y keepalived
(4) Write the nginx configuration
# nginx configuration file (in the shared NFS directory, so it applies to both nodes)
[[email protected] ~]# cat /etc/nginx/conf.d/hzl.conf
upstream hzl {                                       #upstream pool; the name must match the proxy_pass below (the original had "http" here, which does not match)
    server 172.16.1.7:8081;
    server 172.16.1.8:8082;
    server 172.16.1.9:8082;
}
server {
    listen 443 ssl;                                  #serve over HTTPS
    server_name www.linux.lb.com;
    ssl_certificate /etc/nginx/cert/server.crt;      #certificate
    ssl_certificate_key /etc/nginx/cert/server.key;  #private key; keep it root-owned with mode 0600
    location / {
        proxy_pass http://hzl;                       #name of the upstream pool
    }
}
server {
    listen 80;
    server_name www.linux.lb.com;
    return 301 https://$host$request_uri;            #redirect every HTTP request to HTTPS on the host name the client used, i.e. through the VIP
    #(redirecting to $server_name with server_name 192.168.15.5, as the original did, sends clients to lb01's own address and bypasses the VIP)
}
#Check the configuration and restart nginx
[[email protected] ~]# nginx -t
[[email protected] ~]# systemctl restart nginx
(5) Configure the keepalived nodes
#List keepalived's configuration files
[[email protected] ~]# rpm -qc keepalived
/etc/keepalived/keepalived.conf
/etc/sysconfig/keepalived
#Master node configuration (lb01)
[[email protected] ~]# vim /etc/keepalived/keepalived.conf
global_defs {                 #global settings
    router_id lb01            #identifier of this node (a name, not authentication); unique per node
}
vrrp_instance VI_1 {
    state MASTER              #initial state, MASTER or BACKUP; MASTER is primary, BACKUP is standby
    interface eth0            #interface on which VRRP advertisements (the heartbeat) are sent and received
    virtual_router_id 51      #VRID, 1-255; master and backup must share it, and it must be unique among the VRRP groups on this network segment
    priority 100              #priority, 1-254; the real criterion for who becomes master (higher wins)
    advert_int 3              #advertisement interval in seconds; a backup declares the master dead after roughly 3 x advert_int without advertisements
    # nopreempt               #uncomment for non-preemptive mode
    authentication {          #authentication
        auth_type PASS        #simple password, sent in cleartext in every advertisement; it guards against misconfiguration, not against an attacker on the same segment
        auth_pass 1314        #password, at most 8 characters
    }
    virtual_ipaddress {
        192.168.15.4          #the VIP
    }
}
#Backup node configuration (lb02)
[[email protected] ~]# vim /etc/keepalived/keepalived.conf
global_defs {                 #global settings
    router_id lb02            #node identifier -> name
}
vrrp_instance VI_1 {
    state BACKUP              #role state
    interface eth0            #bound interface
    virtual_router_id 51      #virtual router id, same as on the master
    priority 50               #priority
    advert_int 3              #advertisement interval
    # nopreempt
    authentication {          #authentication
        auth_type PASS        #authentication type
        auth_pass 1314        #password, must match the master
    }
    virtual_ipaddress {
        192.168.15.4          #the VIP
    }
}
#Name resolution for testing (hosts file entry)
192.168.15.4 www.linux.lb.com
(6) Configuration differences
keepalived setting | MASTER node | BACKUP node |
router_id (unique router identifier) | lb01 | lb02 |
state (role) | MASTER | BACKUP |
priority | 100 | 50 |
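What the authentication block above actually puts on the wire is worth seeing once. The following is an added example, not part of the original page or of keepalived itself: a small POSIX shell decoder for a VRRPv2 advertisement (RFC 3768 layout, which is what keepalived sends for a vrrp_instance with auth_type PASS). The packet bytes are constructed by hand to match the configuration above (VRID 51, priority 100, advert_int 3, VIP 192.168.15.4, auth_pass 1314), not captured from a real host; a real advertisement can be captured with `tcpdump -nni eth0 -X proto 112`. The function names are the example's own.

```shell
#!/bin/sh
# Added example: decode a VRRPv2 advertisement (RFC 3768) from a hex dump,
# with the same values as the keepalived configuration on this page.
# This packet is CONSTRUCTED by hand, not a real capture:
#   21        version 2, type 1 (ADVERTISEMENT)
#   33        virtual_router_id 51
#   64        priority 100
#   01        one virtual IP address
#   01        auth_type 1 = simple text password (keepalived auth_type PASS)
#   03        advert_int 3
#   47b4      checksum over the whole packet
#   c0a80f04  192.168.15.4
#   3133313400000000  "1314" padded with NUL: the auth_pass in cleartext
SAMPLE_ADVERT='21336401010347b4c0a80f043133313400000000'

# hexbyte HEX OFFSET -> decimal value of the byte at OFFSET (0-based)
hexbyte() {
    printf '%d' "0x$(printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")"
}

# hexword HEX OFFSET -> decimal value of the big-endian 16-bit word at OFFSET
hexword() {
    printf '%d' "$(( $(hexbyte "$1" "$2") * 256 + $(hexbyte "$1" "$(( $2 + 1 ))") ))"
}

vrrp_version()  { printf '%d' "$(( $(hexbyte "$1" 0) / 16 ))"; }
vrrp_type()     { printf '%d' "$(( $(hexbyte "$1" 0) % 16 ))"; }
vrrp_vrid()     { hexbyte "$1" 1; }
vrrp_priority() { hexbyte "$1" 2; }
vrrp_naddr()    { hexbyte "$1" 3; }
vrrp_authtype() { hexbyte "$1" 4; }
vrrp_advint()   { hexbyte "$1" 5; }

# vrrp_vip HEX -> first virtual IP address (bytes 8..11) as a dotted quad
vrrp_vip() {
    printf '%d.%d.%d.%d' "$(hexbyte "$1" 8)" "$(hexbyte "$1" 9)" \
        "$(hexbyte "$1" 10)" "$(hexbyte "$1" 11)"
}

# vrrp_authpass HEX -> the 8-byte authentication field that follows the
# address list, decoded as ASCII up to the first NUL (printable passwords only)
vrrp_authpass() {
    off=$(( 8 + $(vrrp_naddr "$1") * 4 ))
    i=0
    pass=''
    while [ "$i" -lt 8 ]; do
        b=$(hexbyte "$1" "$(( off + i ))")
        [ "$b" -eq 0 ] && break
        pass="$pass$(printf "\\$(printf '%03o' "$b")")"
        i=$(( i + 1 ))
    done
    printf '%s' "$pass"
}

# vrrp_checksum_ok HEX -> true when the RFC 1071 one's-complement checksum
# over the whole packet verifies (all 16-bit words summed and folded give 0xffff)
vrrp_checksum_ok() {
    len=$(( ${#1} / 2 ))
    sum=0
    i=0
    while [ "$i" -lt "$len" ]; do
        sum=$(( sum + $(hexword "$1" "$i") ))
        i=$(( i + 2 ))
    done
    while [ "$sum" -gt 65535 ]; do
        sum=$(( (sum & 65535) + (sum >> 16) ))
    done
    [ "$sum" -eq 65535 ]
}

# vrrp_summary HEX -> the fields the way a sniffer would show them
vrrp_summary() {
    printf 'VRRPv%s type=%s vrid=%s prio=%s advert_int=%ss vip=%s auth_type=%s\n' \
        "$(vrrp_version "$1")" "$(vrrp_type "$1")" "$(vrrp_vrid "$1")" \
        "$(vrrp_priority "$1")" "$(vrrp_advint "$1")" "$(vrrp_vip "$1")" \
        "$(vrrp_authtype "$1")"
    if [ "$(vrrp_authtype "$1")" -eq 1 ]; then
        printf 'auth_pass "%s" is readable by every host on the segment\n' "$(vrrp_authpass "$1")"
    fi
    if vrrp_checksum_ok "$1"; then echo 'checksum: ok'; else echo 'checksum: BAD'; fi
}

vrrp_summary "$SAMPLE_ADVERT"
```

The password is simply the 8-byte field at the end of the packet, so anyone who can sniff the segment can also forge advertisements with a higher priority and pull the VIP to a machine of their choosing; VRRPv3 (RFC 5798) dropped this authentication entirely. Treat auth_pass as a guard against accidentally overlapping VRIDs, and rely on the network (an isolated VLAN, host firewall rules that accept protocol 112 only from the peer) for real protection.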
(7) Start keepalived
#Watch the log while starting
[[email protected] ~]# tail -f /var/log/messages
#Start the backup first
[[email protected] ~]# systemctl start keepalived
#Watch the log while starting
[[email protected] ~]# tail -f /var/log/messages
#Then start the master
[[email protected] ~]# systemctl start keepalived
(8) Configure keepalived logging
1) Edit /etc/sysconfig/keepalived
Change KEEPALIVED_OPTIONS="-D" to KEEPALIVED_OPTIONS="-D -d -S 0"
#-D enables detailed logging, -d dumps the parsed configuration, and -S selects the syslog facility (0 = local0)
2) Restart the keepalived service
[[email protected] ~]# systemctl restart keepalived
3) Configure syslog: add the following to /etc/rsyslog.conf (/etc/syslog.conf on older systems)
# keepalived -S 0
local0.* /var/log/keepalived.log
Note: local0 starts with the lowercase letter L, not the digit 1.
#Restart rsyslog so the new rule is applied
[[email protected] ~]# systemctl restart rsyslog
5. keepalived high availability (preemptive vs. non-preemptive)
(1) Node start-up
#When both nodes are started,
#the master's priority is higher than the backup's, so the VIP sits on the master
[[email protected] ~]# ip a | grep 192.168.15.4         #master holds it (primary node)
inet 192.168.15.4 scope global eth0
#Stop keepalived on the master
[[email protected] ~]# systemctl stop keepalived
#The backup stops seeing the master's advertisements and takes over the VIP
[[email protected] ~]# ip a | grep 192.168.15.4         #backup holds it (standby node)
inet 192.168.15.4/24 scope global eth0
#Start the master again
[[email protected] ~]# systemctl start keepalived
[[email protected] ~]# ip a | grep 192.168.15.4         #master takes the VIP back (preemption): the previous state is restored
inet 192.168.15.4/24 scope global eth0
(2) Configure non-preemptive mode with nopreempt
1) Change the state on both nodes: both must be **BACKUP** (keepalived only honours nopreempt when the initial state is BACKUP; the original listing had state MASTER on both nodes, which defeats the setting)
2) Add **nopreempt** on both nodes
3) Keep the priorities different
#Master node configuration (lb01)
global_defs {
    router_id lb01
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 3
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 1314
    }
    virtual_ipaddress {
        192.168.15.4
    }
}
#Backup node configuration (lb02)
global_defs {
    router_id lb02
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 50
    advert_int 3
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 1314
    }
    virtual_ipaddress {
        192.168.15.4
    }
}
#With this configuration a recovered lb01 stays in BACKUP until the current holder fails: the VIP only moves on failure, never just because a higher-priority node came back.
(3) Verify the MAC address switch from Windows
#Confirm the VIP is on the master
[[email protected] ~]# ip a | grep 192.168.15.4
inet 192.168.15.4/24 scope global eth0
#Look at the MAC address cached for the VIP on Windows
C:\Users\admin> arp -a
#Stop keepalived on the master
[[email protected] ~]# systemctl stop keepalived
#Check the VIP on the backup
[[email protected] ~]# ip a | grep 192.168.15.4
inet 192.168.15.4/24 scope global eth0
#Look at the MAC address again: it is now lb02's eth0 MAC, because keepalived announced the VIP with gratuitous ARP from the new holder (without use_vmac the VIP has no MAC address of its own)
C:\Users\admin> arp -a
(4) Test access
#Add a local hosts entry
192.168.15.4 www.linux.lb.com
6. keepalived high availability (split brain)
For some reason the two keepalived servers cannot see each other's advertisements within the expected time, so each claims the resources and goes to work on its own, while both servers are in fact alive and working: both end up holding the VIP at the same time.
(1) Causes of split brain
1) A loose network cable or other network failure between the nodes
2) Damaged server hardware
3) A firewall between master and backup that drops VRRP (IP protocol 112, sent to the multicast address 224.0.0.18), which is what firewalld does by default
(2) Turn on the firewall (on both nodes) to reproduce it
[[email protected] ~]# systemctl start firewalld
[[email protected] ~]# systemctl start firewalld
(3) Test access from a browser
#With the firewall on, the site is unreachable until the http and https services are opened (these rules are runtime-only; add --permanent to keep them)
[[email protected] ~]# firewall-cmd --add-service=http
[[email protected] ~]# firewall-cmd --add-service=https
#Both nodes now answer, but each also holds the VIP: that is the split brain. The proper fix is to let the nodes hear each other again, i.e. allow VRRP through the firewall on both of them:
[[email protected] ~]# firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept'
(4) Resolving split brain
#Split-brain workaround 1:
#Kill one of the services
[[email protected] ~]# systemctl stop keepalived
#Detection (is there a split brain?)
#First set up trust for passwordless login
[[email protected] ~]# ssh-keygen                        #generate a key pair
[[email protected] ~]# ssh-copy-id 172.16.1.6
#Write the script
[[email protected] ~]# vim check_naolie.sh
#!/bin/sh
vip=192.168.15.4
lb02_ip=172.16.1.6
while true; do
    # does lb02 have the VIP? (double quotes, so the local $vip is expanded before the command is sent)
    ssh $lb02_ip "ip addr | grep -q '$vip'" >/dev/null 2>&1
    # ...and do we hold it as well? both at once means split brain
    if [ $? -eq 0 -a `ip addr | grep "$vip" | wc -l` -eq 1 ]; then
        echo "ha is split brain.warning."
    else
        echo "ha is ok"
    fi
    sleep 3
done
#Make the script executable
[[email protected] ~]# chmod +x check_naolie.sh
#Split-brain workaround 2:
#Turn on the firewall
[[email protected] ~]# systemctl start firewalld
[[email protected] ~]# systemctl start firewalld
# When master and backup are both serving at the same time (script probe)
# Passwordless login in both directions
[[email protected] ~]# ssh-keygen                        #generate a key pair
[[email protected] ~]# ssh-copy-id 172.16.1.6
[[email protected] ~]# ssh-copy-id 172.16.1.5
#Write the script
[[email protected] ~]# vim check_naolie.sh
#!/bin/bash
VIP="192.168.15.4"
MASTERIP="172.16.1.5"      # lb01 is the master (the original had the two addresses swapped, which would have stopped keepalived on the master)
BACKUPIP="172.16.1.6"      # lb02 is the backup
while true; do                          # loop forever
    # Probe the VIP. Double quotes, so ${VIP} is expanded here and not on the remote side,
    # where it would be empty and grep "" would match every line (every probe would "succeed").
    PROBE="ip addr | grep -q '${VIP}'"
    ssh ${MASTERIP} "${PROBE}" > /dev/null
    MASTER_STATU=$?
    ssh ${BACKUPIP} "${PROBE}" > /dev/null
    BACKUP_STATU=$?
    # Both hold the VIP: stop keepalived on the backup so only the master keeps serving
    if [[ $MASTER_STATU -eq 0 && $BACKUP_STATU -eq 0 ]]; then
        ssh ${BACKUPIP} "systemctl stop keepalived.service"
    fi
    sleep 3
done
#Make the script executable
[[email protected] ~]# chmod +x check_naolie.sh
#Note: both scripts rely on passwordless root ssh between the load balancers, so a compromise of one node reaches the other; if you keep them, restrict the key in authorized_keys with a command= option that allows the probe command only.
#Reference for the test operators used above:
-eq equal
-ne not equal
-ge greater than or equal
-gt greater than
-le less than or equal
-lt less than
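Both scripts above share two weaknesses: `grep 192.168.15.4` is a substring match (it also matches 192.168.15.40 or 192.168.15.41 on an interface that carries more addresses), and an ssh failure looks exactly like "the VIP is not there", so during the very network partition that causes a split brain the probe returns nonsense. The following is an added example, not the page's check_naolie.sh: a POSIX shell check that matches the VIP exactly in `ip -o -4 addr show` output, distinguishes "unreachable" from "no VIP", and only reports split brain when both nodes are confirmed to hold the address. The sample `ip -o` output is constructed; the node addresses are the page's 172.16.1.5 (lb01) and 172.16.1.6 (lb02), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: split-brain detection with exact VIP matching and an
# explicit "unreachable" state. Not the page's check_naolie.sh.
VIP='192.168.15.4'
MASTER_HOST='172.16.1.5'   # lb01 (addresses from the page)
BACKUP_HOST='172.16.1.6'   # lb02

# CONSTRUCTED samples of `ip -o -4 addr show` output. The second one carries
# 192.168.15.40, which a plain `grep 192.168.15.4` would wrongly count as the VIP.
SAMPLE_WITH_VIP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.15.5/24 brd 192.168.15.255 scope global eth0
2: eth0    inet 192.168.15.4/32 scope global eth0'
SAMPLE_WITHOUT_VIP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.15.6/24 brd 192.168.15.255 scope global eth0
2: eth0    inet 192.168.15.40/24 scope global secondary eth0'

# has_vip IP_OUTPUT VIP -> 0 if VIP is configured, 1 otherwise.
# Anchors on "inet <vip>/" or "inet <vip> " so 192.168.15.40 cannot match
# 192.168.15.4, and escapes the dots so they are literal.
has_vip() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -qE "[[:space:]]inet ${esc}(/|[[:space:]])"
}

# probe_node HOST VIP -> prints vip | novip | unreachable
# BatchMode makes a missing key fail fast instead of prompting; ssh's own
# exit status 255 is reported as "unreachable", not as "no VIP".
probe_node() {
    out=$(ssh -o BatchMode=yes -o ConnectTimeout=3 "$1" 'ip -o -4 addr show' 2>/dev/null)
    rc=$?
    if [ "$rc" -eq 255 ]; then
        printf 'unreachable'
    elif has_vip "$out" "$2"; then
        printf 'vip'
    else
        printf 'novip'
    fi
}

# ha_state MASTER_PROBE BACKUP_PROBE -> split-brain | ok | no-vip | unknown
# "unknown" (a peer could not be reached) must never trigger a stop: in a real
# partition the peer is unreachable precisely when it may still be serving.
ha_state() {
    case "$1,$2" in
        vip,vip)              printf 'split-brain' ;;
        vip,novip|novip,vip)  printf 'ok' ;;
        novip,novip)          printf 'no-vip' ;;
        *)                    printf 'unknown' ;;
    esac
}

# check_live -> one probe round against the real nodes (needs ssh trust;
# restrict that key in authorized_keys with command="ip -o -4 addr show")
check_live() {
    m=$(probe_node "$MASTER_HOST" "$VIP")
    b=$(probe_node "$BACKUP_HOST" "$VIP")
    s=$(ha_state "$m" "$b")
    logger -t check_naolie "master=$m backup=$b state=$s"
    printf '%s\n' "$s"
}

# Offline demonstration on the constructed samples: the master holds the VIP,
# the backup only has 192.168.15.40, so the verdict must be "ok".
demo() {
    if has_vip "$SAMPLE_WITH_VIP" "$VIP"; then m=vip; else m=novip; fi
    if has_vip "$SAMPLE_WITHOUT_VIP" "$VIP"; then b=vip; else b=novip; fi
    ha_state "$m" "$b"
}

printf 'demo verdict: %s\n' "$(demo)"
```

Run `check_live` from cron or a loop on a third host rather than on one of the two nodes, so the observer is not itself inside the partition, and act only on the `split-brain` verdict: `unknown` is the state you see while a node is isolated, and stopping keepalived there is how a partition turns into a full outage.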
7. keepalived high availability with nginx
(1) Resolve the domain name to the VIP
1) nginx listens on all IPs by default, so it also answers on the VIP wherever the VIP lands
(2) nginx failover script
#If nginx crashes, user requests fail, but keepalived is still running, so the VIP stays on the machine whose nginx is dead and the service is affected;
#we need a script that checks the nginx state: if nginx is down, try to restart it first, and if it cannot be started, stop keepalived so the VIP moves away.
# nginx check script, version 1
[[email protected] ~]# vim /etc/keepalived/check_web.sh
#!/bin/bash
ps -ef | grep [n]ginx &>/dev/null        # [n]ginx keeps the grep process itself out of the match
if [ $? -eq 1 ]; then
    systemctl start nginx &>/dev/null
    sleep 3
    ps -ef | grep [n]ginx &>/dev/null
    if [ $? -eq 1 ]; then
        systemctl stop keepalived
    fi
fi
#Improved script:
[[email protected] ~]# vim /etc/keepalived/check_web.sh
#!/bin/sh
nginxpid=$(ps -C nginx --no-header | wc -l)
# 1. Check whether nginx is alive; if not, try to start it
if [ $nginxpid -eq 0 ]; then
    systemctl start nginx
    sleep 3
    # 2. Wait 3 seconds, then read the nginx state again
    nginxpid=$(ps -C nginx --no-header | wc -l)
    # 3. Check again; if nginx is still dead, stop keepalived so the address floats away, and exit
    if [ $nginxpid -eq 0 ]; then
        systemctl stop keepalived
    fi
fi
[[email protected] keepalived]# chmod +x check_web.sh
# nginx check script, version 2
[[email protected] ~]# vim /etc/keepalived/check_web.sh
#!/bin/bash
nginxnum=`ps -ef | grep [n]ginx | wc -l`
if [ $nginxnum -eq 0 ]; then
    systemctl start nginx
    sleep 3
    nginxnum=`ps -ef | grep [n]ginx | wc -l`
    if [ $nginxnum -eq 0 ]; then
        systemctl stop keepalived.service
    fi
fi
#Make the script executable
[[email protected] keepalived]# chmod +x check_web.sh
(3) Call the script from keepalived
[[email protected] ~]# vim /etc/keepalived/keepalived.conf
global_defs {
    router_id lb01
}
#Run the script every 5 seconds. It must finish well inside the interval (the sleep 3 above leaves little margin);
#a run that exceeds the script's timeout is counted as a failure.
vrrp_script check_web {
    script "/etc/keepalived/check_web.sh"
    interval 5
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1314
    }
    virtual_ipaddress {
        192.168.15.4
    }
    #call the check script
    track_script {
        check_web
    }
}
#Make the script executable. keepalived runs it as root by default, so it must be owned by root and not writable by anyone else;
#recent versions log an "Unsafe permissions found for script" warning otherwise and, with enable_script_security in global_defs, refuse to run it.
[[email protected] keepalived]# chmod +x check_web.sh
#Test access with a hosts entry
192.168.15.4 www.linux.lb.com
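All three check_web.sh variants above test whether an nginx process exists and react by stopping keepalived, after which the node never rejoins on its own. The following is an added example, not the page's script: a check that asks nginx for an actual HTTP answer on the loopback address (a hung worker still has a process but returns nothing), makes one restart attempt, and otherwise just exits non-zero. It is meant to be run from a `vrrp_script` with a negative `weight`, shown in the comment block, so that a failing check lowers the master's priority below the backup's and the VIP moves, and moves back by itself once nginx answers again (`weight`, `fall`, `rise` and `timeout` are standard keepalived.conf options). The check URL, the timing values and the function names are the example's own assumptions.

```shell
#!/bin/sh
# /etc/keepalived/check_web.sh - added example, not the page's script.
# Exit 0 when nginx answers HTTP locally, non-zero when it does not even after
# one restart attempt. keepalived applies the exit status through `weight`.
#
# Matching keepalived.conf stanza (assumed values, sized for priorities 100/50):
#   vrrp_script check_web {
#       script "/etc/keepalived/check_web.sh"
#       interval 10      # seconds between runs
#       timeout 8        # a run longer than this counts as a failure
#       fall 2           # two failures in a row -> script is "down"
#       rise 2           # two successes in a row -> "up" again
#       weight -60       # MASTER 100 - 60 = 40 < BACKUP 50, so the VIP moves
#   }
# plus `track_script { check_web }` inside the vrrp_instance, as on this page.
# keepalived runs the script as root (needed for systemctl); it must be
# root-owned and mode 0755, or keepalived will refuse it as unsafe.

CHECK_URL="${CHECK_URL:-http://127.0.0.1/}"   # assumption: nginx listens on :80 locally
CURL_TIMEOUT=2                                  # two probes + sleep 3 stay under timeout 8

# http_ok CODE -> 0 if CODE proves nginx is serving: 2xx, or the 301 that the
# page's port-80 server block returns; 5xx and 000 (no answer) are failures
http_ok() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch_status URL -> prints the HTTP status code, or 000 when nothing answered
fetch_status() {
    code=$(curl -s -o /dev/null -m "$CURL_TIMEOUT" -w '%{http_code}' "$1" 2>/dev/null) || code=000
    printf '%s' "${code:-000}"
}

# check_once -> 0 if nginx answers right now, 1 otherwise (no side effects)
check_once() {
    http_ok "$(fetch_status "$CHECK_URL")"
}

# check_with_restart -> 0 if nginx answers, possibly after one restart attempt
check_with_restart() {
    if check_once; then
        return 0
    fi
    logger -t check_web "nginx not answering on $CHECK_URL, attempting restart"
    systemctl start nginx >/dev/null 2>&1
    sleep 3
    if check_once; then
        logger -t check_web "nginx recovered after restart"
        return 0
    fi
    logger -t check_web "nginx still down, reporting failure to keepalived"
    return 1
}

# Run the live check only when executed as the installed script, so the
# functions can also be sourced and exercised without touching nginx.
case "$0" in
    */check_web.sh|check_web.sh) check_with_restart ;;
esac
```

With `weight` the node is never taken out of the VRRP group: while the check fails, lb01 advertises priority 40 and lb02 (50) becomes master; once nginx answers again for `rise` consecutive runs, lb01 returns to 100 and, unless nopreempt is set, takes the VIP back without anyone restarting keepalived.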