
keepalived configuration notes (an ongoing translation, updated over time...)

https://github.com/acassen/keepalived/blob/master/doc/keepalived.conf.SYNOPSIS

Configuration overview

  • This file describes all the available Keepalived keywords. The keepalived.conf file consists of three configuration sections:
    • Global configuration
    • VRRP configuration
    • LVS configuration
    • BFD configuration (related to layer-2 forwarding)
Comments
  • Two comment strings are valid: to write a comment, use # or !
Parameter syntax
<BOOL> takes one of: on|off|true|false|yes|no, or may be omitted, in which case the default is on
           
Conditional configuration and config-id
1) The config-id defaults to the first part of the node name. It can be overridden with keepalived's -i or --config-id option. Any configuration line beginning with '@' is a conditional line: the word following the @ is compared with the id given by -i (or --config-id), and if it does not match, the line is ignored.
2) In addition, '@^' is a negative comparison: the line is used only when the id does not match.
3) The purpose is that one configuration file can be shared by different systems, where the only differences may be the router_id, the vrrp instance priorities, and possibly the interface names.

Example:
global_defs
{
@main   router_id main_router
@backup router_id backup_router
}
...
vrrp_instance VRRP1 {
    ...
@main    unicast_src_ip 1.2.3.4
@backup  unicast_src_ip 1.2.3.5
@backup2 unicast_src_ip 1.2.3.6
    unicast_peer {
@^main        1.2.3.4
@^backup      1.2.3.5
@^backup2     1.2.3.6
    }
}

4) If keepalived is invoked with -i main (using the configuration above), or if -i is not given and the node name is main.xxxx (xxxx being any other string, so the config-id defaults to main), keepalived uses router_id main_router. If keepalived is invoked with -i backup, or the config-id is backup, backup_router is used. If keepalived is not invoked with -i backup, the config-id is neither main nor backup, and -i carries some other argument, backup_router is not used.
5) If keepalived is invoked with -i backup, or the config-id is backup, backup_router is used. If it is invoked without -i and the node name is neither main nor backup, or -i carries some other argument, router_id is not set at all.
6) For config-id main, the unicast peers are 1.2.3.5 and 1.2.3.6 (the @^main line for 1.2.3.4 is dropped).
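To see the '@id' and '@^id' rules above in action without starting keepalived, here is an added example (this is not keepalived code and not from the original synopsis): a small Python filter that applies those rules to configuration text and reports which router_id and unicast peers survive for a given config-id. The function names and the embedded sample (a copy of the example configuration above) are this example's own.

```python
# Added example (not part of keepalived or of this page's original): a small
# filter that applies the '@id' / '@^id' conditional-line rules explained above
# to the text of a keepalived.conf, so the effect of a given config-id can be
# inspected before keepalived is started with it.
import re
from typing import List, Optional

# '@id rest' or '@^id rest'; the leading indent is kept for the surviving line
_COND_LINE = re.compile(r"^(\s*)@(\^?)(\S+)\s*(.*)$")


def node_config_id(nodename: str) -> str:
    """Default config-id: the first dot-separated part of the node name
    (what keepalived uses when -i / --config-id is not given)."""
    return nodename.split(".", 1)[0]


def select_config(text: str, config_id: str) -> List[str]:
    """Return the configuration lines that remain for config_id.

    '@id   rest'  keeps 'rest' only when id == config_id (positive match)
    '@^id  rest'  keeps 'rest' only when id != config_id (negative match)
    Unconditional lines are always kept.
    """
    kept = []
    for line in text.splitlines():
        m = _COND_LINE.match(line)
        if not m:
            kept.append(line)
            continue
        indent, negate, cond_id, rest = m.groups()
        matches = cond_id == config_id
        # a positive condition keeps the line on a match, a negative one on a mismatch
        if matches != bool(negate):
            kept.append(indent + rest)
    return kept


# Constructed sample: the conditional configuration from the example above.
SAMPLE = """\
global_defs
{
@main   router_id main_router
@backup router_id backup_router
}
vrrp_instance VRRP1 {
@main    unicast_src_ip 1.2.3.4
@backup  unicast_src_ip 1.2.3.5
@backup2 unicast_src_ip 1.2.3.6
    unicast_peer {
@^main        1.2.3.4
@^backup      1.2.3.5
@^backup2     1.2.3.6
    }
}
"""


def router_id_for(config_id: str) -> Optional[str]:
    """router_id that results for config_id, or None when no line applies."""
    for line in select_config(SAMPLE, config_id):
        words = line.split()
        if words[:1] == ["router_id"]:
            return words[1]
    return None


def unicast_peers_for(config_id: str) -> List[str]:
    """Addresses left inside unicast_peer { ... } for config_id."""
    lines = select_config(SAMPLE, config_id)
    start = next(i for i, l in enumerate(lines) if l.strip() == "unicast_peer {")
    peers = []
    for line in lines[start + 1:]:
        if line.strip() == "}":
            break
        peers.append(line.strip())
    return peers


if __name__ == "__main__":
    for cid in ("main", "backup", "backup2", "other"):
        print(cid, router_id_for(cid), unicast_peers_for(cid))
```

Running it prints, for each config-id, the router_id (None for an id that matches neither @main nor @backup, which is the "router_id will not be set" case in point 5) and the peer list with the node's own address removed by the '@^' lines.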
           
Scripts
  • Three types of scripts can be configured to run:
    • a. Notify scripts: run when the state of a vrrp instance or vrrp group changes, or when a virtual server goes up or down
    • b. vrrp track scripts: if the script exits non-zero the vrrp instance transitions to fault state, or, if a weight is specified, the vrrp instance's priority is raised or lowered by that weight
    • c. lvs checker misc scripts: if the script exits non-zero, the real server is taken down.
By default these scripts run as user keepalived_script; if that user does not exist, they run as root, unless a user/group is specified for the individual script, in which case that user/group is used.
So that they can be terminated with SIGTERM, all scripts must have write permission. When the parent process terminates, the scripts receive SIGTERM, and keepalived waits for them to finish.
           
Configuration includes
This allows the configuration to be split across multiple files.
The include directive has the form:
include FILENAME
           
Configuration file syntax

Global configuration

This block has 5 sub-blocks:
    * Global definitions
    * Static track groups
    * Static addresses
    * Static rules
    * Static routes
           
Global definitions
The configuration block looks like:
global_defs {                                 # block identification
    notification_email {                      # alert e-mail addresses
       <EMAIL ADDRESS>                        # a standard e-mail address
       <EMAIL ADDRESS>
       ...
    }
    notification_email_from <EMAIL ADDRESS>   # sender address (used in the SMTP exchange)
                                              #   defaults to keepalived@<local host name>
    smtp_server <ADDRESS>|<DOMAIN_NAME> [<PORT>]
                                              # SMTP server IP address or domain name
                                              #  port is optional (default 25)
    smtp_helo_name <HOST_NAME>                # name to use in the HELO message; defaults to the local host name.
    smtp_connect_timeout <INTEGER>            # SMTP server connection timeout
    smtp_alert <BOOL>                         # default state of all smtp_alerts: enable SMTP notification when the master state changes
    smtp_alert_vrrp <BOOL>                    # state of the vrrp smtp_alerts
    smtp_alert_checker <BOOL>                 # state of the checker smtp_alerts
    no_email_faults                           # don't send SMTP alerts while in fault state
    router_id <STRING>                        # router identifier
    vrrp_garp_interval <DECIMAL>              # default delay between gratuitous ARPs, in seconds, with millisecond resolution
    vrrp_gna_interval <DECIMAL>               # default delay between IPv6 NAs, in seconds, with millisecond resolution
    vrrp_mcast_group4 <IPv4 ADDRESS>          # IPv4 multicast address used to send VRRP adverts. Default is 224.0.0.18
    vrrp_mcast_group6 <IPv6 ADDRESS>          # IPv6 multicast address used to send VRRP adverts. Default is ff02::12
    vrrp_skip_check_adv_addr <BOOL>           # default is not to skip the check: every address in a received VRRP advert is checked. With this set, the check is skipped when the advert comes from the same master router as the previous one.
    default_interface <INTERFACE>             # default interface for static addresses; default is eth0
    lvs_sync_daemon <INTERFACE> <VRRP_INSTANCE> [id <SYNC_ID>] [maxlen <LEN>] [port <PORT>] [ttl <TTL>] [group <IP ADDR>]
                                              # configures the LVS sync daemon, which synchronises LVS connection state.
                                              # INTERFACE: the interface the sync daemon binds to.
                                              # VRRP_INSTANCE: the VRRP instance the sync daemon is tied to.
                                              # id <SYNC_ID>: the SYNCID to use; only peers with the same SYNCID synchronise. Range 0-255.
                                              # maxlen: maximum packet length. Range 1-65507
                                              # port: UDP port used for synchronisation.
                                              # group: multicast IP address
                                              # Note: maxlen, port, ttl and group require Linux 4.3 or later.
    lvs_flush                                 # flush all existing LVS configuration when keepalived starts. (not available in 1.2.7; available in 1.3.5)
    vrrp_garp_master_delay <INTEGER>          # delay in seconds before sending the second set of gratuitous ARPs after becoming MASTER. Default 5s; 0 means no second set is sent. (not available in 1.2.7; available in 1.3.5)
    vrrp_garp_master_repeat <INTEGER>         # number of gratuitous ARPs sent at once in a set after becoming MASTER. Default is 5.
    vrrp_garp_lower_prio_delay <INTEGER>      # delay in seconds before sending a second set of gratuitous ARPs after the MASTER receives a lower-priority advert.
    vrrp_garp_lower_prio_repeat <INTEGER>     # number of gratuitous ARPs sent at once in a set after the MASTER receives a lower-priority advert.
    vrrp_garp_master_refresh <INTEGER>        # minimum interval between gratuitous ARP refreshes (re-sends) once keepalived is MASTER. Default is 0, meaning no refresh.
    vrrp_garp_master_refresh_repeat <INTEGER> # number of gratuitous ARPs sent per refresh once keepalived is MASTER. Default is 1
    vrrp_lower_prio_no_advert [<BOOL>]        # default is false. Don't send any advert when a lower-priority advert is received.
    vrrp_higher_prio_send_advert [<BOOL>]     # if we are master and receive a higher-priority advert, send one advert before transitioning to backup. This makes the other master re-send its gratuitous ARPs if it has garp_lower_priority_repeat set. It handles the case where two masters existed and the last gratuitous ARP seen came from us.
    vrrp_version <INTEGER:2..3>               # VRRP version; default is VRRP version 2
    vrrp_iptables [keepalived_in [keepalived_out]] # iptables chains to add rules to; default is INPUT. If not specified, no rules are added
    vrrp_ipsets ipset4 [ipset6 [ipset_if6]]   # ipset names; if not set, ipsets are not used. Default is keepalived
                                              # if ipset6 is not given, it is the ipset name with a 6 appended; if ipset_if6 is not given, it is ipset6's name with the 6 removed and _if6 appended
    vrrp_check_unicast_src                    # in unicast mode, check that the source address of VRRP packets is one of the unicast peers.
    vrrp_strict                               # strict VRRP compliance. The following will prevent keepalived from starting: 1. no VIP addresses. 2. unicast peers. 3. IPv6 addresses with VRRP version 2 (not effective in 1.2.7; effective in 1.3.5)
    vrrp_priority <INTEGER:-20..19>           # scheduling priority (nice value) of the VRRP process.
    checker_priority <INTEGER:-20..19>        # scheduling priority (nice value) of the checker process.
    bfd_priority <INTEGER:-20..19>            # scheduling priority (nice value) of the BFD process. (BFD only exists in newer versions)
    vrrp_no_swap                              # don't allow the vrrp process to be swapped out
    checker_no_swap                           # don't allow the checker process to be swapped out
    bfd_no_swap                               # don't allow the bfd process to be swapped out
    vrrp_rt_priority <INTEGER:1..99>          # run the vrrp child process with real-time scheduling at the given priority (not available in 1.3.5)
    checker_rt_priority <INTEGER:1..99>       # run the checker child process with real-time scheduling at the given priority (not available in 1.3.5)
    bfd_rt_priority <INTEGER:1..99>           # run the bfd child process with real-time scheduling at the given priority (not available in 1.3.5)
    vrrp_rlimit_rtime <INTEGER>               # CPU time limit between blocking system calls, in microseconds (default 1000)
    checker_rlimit_rtime <INTEGER>            # CPU time limit between blocking system calls, in microseconds (default 1000)
    bfd_rlimit_rtime <INTEGER>                # CPU time limit between blocking system calls, in microseconds (default 1000)
                                              #
                                              # If keepalived is built with SNMP support,
                                              # the following are available
                                              # Note: keepalived, checker and rfc support can be
                                              #   individually enabled/disabled
    snmp_socket <PROTOCOL>:<ADDRESS>[:<PORT>] # specify socket to use for connecting to SNMP master agent (default unix:/var/agentx/master)
                                              #   (see source module keepalived/vrrp/vrrp_snmp.c for more details)
    enable_snmp_vrrp                          # enable SNMP handling of vrrp element of KEEPALIVED MIB
    enable_snmp_checker                       # enable SNMP handling of checker element of KEEPALIVED MIB
    enable_snmp_rfc                           # enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
    enable_snmp_rfcv2                         # enable SNMP handling of RFC2787 VRRPv2 MIB
    enable_snmp_rfcv3                         # enable SNMP handling of RFC6527 VRRPv3 MIB
    enable_traps                              # enable SNMP trap generation
                                              #
    enable_dbus                               # enable the DBus interface
    dbus_service_name SERVICE_NAME            # DBus service name; default is org.keepalived.Vrrp1
                                              # only useful if you want to run multiple keepalived processes
                                              #
    script_user USERNAME [GROUPNAME]          # default user and group for running scripts. If not specified, the default user is keepalived_script (that user must exist), otherwise root. The default group is the user's own group.
    enable_script_security                    # if any part of a script's path is writable by a non-root user, the script will not be run as root.
    notify_fifo FIFO_NAME                     # FIFO to write notify events to; for the output format see vrrp_notify_fifo and lvs_notify_fifo, for details see the description under vrrp_sync_group, and see doc/sample/sample_notify_fifo.sh for example usage.
    notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
                                              # script run by keepalived to process notify events; the FIFO name is passed to the script as the last parameter
    vrrp_notify_fifo FIFO_NAME                # FIFO to write vrrp notify events to (must differ from the other FIFO names). The string written is one line of the form: INSTANCE "VI_1" MASTER 100, terminated by a newline. For details of the output see the description under vrrp_sync_group, and see doc/sample/sample_notify_fifo.sh for example usage.
    vrrp_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
                                              # script run by keepalived to process notify events; the FIFO name is passed to the script as the last parameter
    lvs_notify_fifo FIFO_NAME                 # FIFO to write healthchecker notify events to (must differ from the other FIFO names). The string written is one line of the form:
                                              #   VS [192.168.201.15]:tcp:80 {UP|DOWN}
                                              #   RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 {UP|DOWN}
                                              # terminated by a newline.
    lvs_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
                                              # script to be run by keepalived to process healthchecker notify events
                                              # The FIFO name will be passed to the script as the last parameter
    dynamic_interfaces                        # allow the configuration to contain interfaces that don't exist at startup. This lets keepalived use interfaces that may be deleted and restored, and also allows virtual and static routes and rules on VMAC interfaces

                                              # The following options are only needed for large configurations, where either
                                              # keepalived creates a large number of interfaces, or the system has a large
                                              # number of interfaces. These options only need using if
                                              # "Netlink: Receive buffer overrun" messages are seen in the system logs.
                                              # If the buffer size needed exceeds the value in /proc/sys/net/core/rmem_max
                                              #  the corresponding force option will need to be set.
    vrrp_netlink_cmd_rcv_bufs BYTES           # Set netlink receive buffer size. This is useful for
    vrrp_netlink_cmd_rcv_bufs_force <BOOL>    #  very large configurations where a large number of interfaces exist, and
    vrrp_netlink_monitor_rcv_bufs BYTES       #  the initial read of the interfaces on the system causes a netlink buffer
    vrrp_netlink_monitor_rcv_bufs_force <BOOL> # overrun.
    lvs_netlink_cmd_rcv_bufs BYTES            #  The vrrp netlink command and monitor socket and the checker command
    lvs_netlink_cmd_rcv_bufs_force <BOOL>     #  and monitor socket buffer sizes can be independently set. 
    lvs_netlink_monitor_rcv_bufs BYTES        #  The force flag means to use SO_RCVBUFFORCE, so that the buffer size can
    lvs_netlink_monitor_rcv_bufs_force <BOOL> #  exceed /proc/sys/net/core/rmem_max.
                                              # When a socket is opened, the kernel configures the max rx buffer size for
                                              # the socket to /proc/sys/net/core/rmem_default. On some systems this can be
                                              # very large, and even generally this can be much larger than necessary.
                                              # This isn't a problem so long as keepalived is reading all queued data from
                                              # its sockets, but if rmem_default was set sufficiently large, and if for
                                              # some reason keepalived stopped reading, it could consume all system memory.
                                              # The vrrp_rx_bufs_policy allows configuring of the rx bufs size when the
                                              # sockets are opened. If the policy is MTU, the rx buf size is configured
                                              # to the total of interface's MTU * vrrp_rx_bufs_multiplier for each vrrp
                                              # instance using the socket. Likewise, if the policy is ADVERT, then it is
                                              # the total of each vrrp instances advert packet size * multiplier.
                                              # If policy is set to a number, the rx buf size is configured to that number.
    vrrp_rx_bufs_policy [MTU|ADVERT|NUMBER]   # default is to use system default
    vrrp_rx_bufs_multiplier NUMBER            # default 3
    rs_init_notifies                          # Send notifies at startup for real servers that are starting up
    no_checker_emails                         # Don't send an email every time a real server checker changes state;
                                              #   only send email when a real server is added or removed
}
net_namespace NAME                            # set the network namespace
                                              # The directory /var/run/keepalived will be created as an unshared mount point,
                                              #   for example for pid files.
                                              # syslog entries will have _NAME appended to the ident.
                                              # Note: the namespace cannot be changed on a configuration reload
namespace_with_ipsets                         # ipsets wasn't network namespace aware until Linux 3.13, and so if running with
                                              # an earlier version of the kernel, by default use of ipsets is disabled if using
                                              # a namespace and vrrp_ipsets isn't specified.
                                              # This option overrides the default and allows ipsets to be used
                                              # with a namespace on kernels prior to 3.13.
instance NAME                                 # for when multiple keepalived instances run in the same namespace. pid files are created in /var/run/keepalived with NAME as part of the file name. Note: the instance name cannot be changed on a configuration reload
use_pid_dir                                   # Create pid files in /var/run/keepalived
linkbeat_use_polling                          # Use media link failure detection polling fashion
child_wait_time SECS                          # Time for main process to allow for child processes to exit on termination
                                              #   in seconds (default 5). This can be needed for very large configurations.
           
Static track groups
Static track groups allow vrrp instances to track static addresses, routes and rules. If a static address/route/rule specifies a track group, then when that address/route/rule is deleted and cannot be re-added, the vrrp instances in the group transition to backup or fault state.
The track_group syntax is as follows:
    track_group GROUP1 {
        group {
            VI_1
            VI_2
        }
    }
           
Static addresses
The configuration block looks like :
static_ipaddress {                            # block identification
                                              # if no device is given, eth0 is used by default
                                              # track_group names a track_group listing the vrrp instances that track the address,
                                              # i.e. if the address is deleted and cannot be restored, those vrrp instances transition to fault state.
                                              # no_track means that if the address is deleted it will not be restored
                                              # Note: the broadcast address may be specified as '-' or '+' to clear or set the host bits of the address.
    <IP ADDRESS>[/<MASK>] [brd <IP ADDRESS>] [dev <STRING>] [scope <SCOPE>] [label <LABEL>] [peer <IP ADDRESS>] [home] [-nodad] [mngtmpaddr] [noprefixroute] [autojoin] [track_group GROUP|no_track]
    <IP ADDRESS>[/<MASK>] ...
    ...

}
SCOPE can take the following values :
    * site
    * link
    * host
    * nowhere
    * global

See: doc/samples/keepalived.conf.vrrp.static_ipaddress
           
Static rules
static_rules {                                # block identification
                                              # The syntax is the same as for ip rule add, without "ip rule add"
                                              # with the addition of tunnel-id option (except shortened option names
                                              #   aren't supported due to ambiguities).
                                              # For a description of track_group and no_track, see static_addresses
                                              # NOTE: since rules without preferences can be added in different orders
                                              #   due to vrrp instances transitioning from master to backup etc, rules need
                                              #   to have a preference. If a preference is not specified, keepalived will
                                              #   assign one, but it will probably not be what you want.
    from 192.168.28.0/24 to 192.168.29.0/26 table small iif p33p1 oif wlan0 tos 22 fwmark 24/12 preference 39 realms 30/20 track_group GROUP1
    to 1:2:3:4:5:6:7:0/112 from 7:6:5:4:3:2::/96 table 6908 uidrange 10000-19999 no_track
    to 1:2:3:4:6:6:7:0/112 from 8:6:5:4:3:2::/96 l3mdev protocol 12 ip_proto UDP sport 10-20 dport 20-30
}
           
Static routes
The configuration block looks like :
static_routes {                               # block identification
                                              # The syntax is like ip route add, just without "ip route add"
                                              #   (except shortened option names aren't supported due to ambiguities)
                                              # For a description of track_group and no_track, see static_addresses
                                              # Use "default" or "default6" to specify the default IPv4 or IPv6 route
    192.168.100.0/24 table 6909 nexthop via 192.168.101.1 dev wlan0 onlink weight 1 nexthop via 192.168.101.2 dev wlan0 onlink weight 2
    192.168.200.0/24 dev p33p1.2 table 6909 tos 0x04 protocol bird scope link priority 12 mtu 1000 hoplimit 100 advmss 101 rtt 102 rttvar 103 reordering 104 window 105 cwnd 106 ssthresh lock 107 realms PQA/0x14 rto_min 108 initcwnd 109 initrwnd 110 features ecn track_group GROUP1
    2001:470:69e9:1:2::4 dev p33p1.2 table 6909 tos 0x04 protocol bird scope link priority 12 mtu 1000 hoplimit 100 advmss 101 rtt 102 rttvar 103 reordering 104 window 105 cwnd 106 ssthresh lock 107 rto_min 108 initcwnd 109 initrwnd 110 features ecn fastopen_no_cookie 1 no_track
}
See: doc/samples/keepalived.conf.vrrp.static_ipaddress
           

VRRP configuration

This block is divided into 5 sub-blocks:
    * VRRP scripts
    * VRRP track files
    * VRRP track BFDs
    * VRRP synchronization group
    * VRRP gratuitous ARP/NA intervals
    * VRRP instance
           
VRRP scripts
The configuration block looks like :
vrrp_script <STRING> {          # VRRP script declaration
    script <QUOTED_STRING>      # script to run periodically
    interval <INTEGER>          # run the script every <interval> seconds
    timeout <INTEGER>           # script considered failed after 'timeout' seconds
    weight <INTEGER:-253..253>  # adjust priority by this weight
    fall <INTEGER>              # required number of failures for KO switch
    rise <INTEGER>              # required number of successes for OK switch
    user USERNAME [GROUPNAME]   # specify user/group to run script under
    init_fail                   # assume script initially is in failed state
}
腳本将周期性地執行,每隔<interval>秒執行一次。它的退出代碼将被記錄為所有監視它的VRRP執行個體。注意,隻有在至少有一個VRRP執行個體監視腳本時,腳本才會被執行。預設權值等于0,這意味着監視腳本的任何VRRP執行個體在<fall>腳本連續失敗後将轉換到錯誤狀态。之後,<rise>連續成功将導緻VRRP執行個體離開錯誤狀态,除非它們也由于正在跟蹤的其他腳本或接口而處于錯誤狀态。一個正的權重意味着<rise> success将把<weight>添加到監視它的所有VRRP執行個體的優先級。相反,如果<fall>失敗,則從初始優先級中減去一個負值。

說白就是,某個vrrp執行個體裡面如果會周期性調用這個腳本,如果如果調用失敗了就會把優先級減去相應的權值,成功了優先級就會增加相應的權值
           
VRRP track files
The configuration block looks like:
vrrp_track_file <STRING> {      # VRRP track file declaration
    file <QUOTED_STRING>        # file to monitor
    weight <-254..254>          # default weight (default is 1)
    init_file [VALUE] [overwrite] # create the file and/or initialise the value
                                # This causes VALUE (default 0) to be written to
                                # the specified file at startup if the file doesn't
                                # exist, unless overwrite is specified in which case
                                # any existing file contents will be overwritten with
                                # the specified value.
}

The file will be read whenever it is modified. The value in the file
will be recorded for all VRRP instances and sync groups which monitor it.
Note that the file will only be read if at least one VRRP instance or
sync group monitors it.
A value will be read as a number in text from the file.  If the weight
configured against the track_file is 0, a non-zero value in the file will
be treated as a failure status, and a zero value will be treated as
an OK status, otherwise the value will be multiplied by the weight configured
in the track_file statement. If the result is less than -253 any VRRP
instance or sync group monitoring the script will transition to the fault state
(the weight can be 254 to allow for a negative value being read from the file).
If the vrrp instance or sync group is not the address owner and the result is between
-253 and 253, the result will be added to the initial priority of the VRRP instance
(a negative value will reduce the priority), although the effective priority will
be limited to the range [1,254].
If a vrrp instance using a track_file is a member of a sync group, weight 0 must be set
unless sync_group_tracking_weight is set on the group.
Likewise, if the vrrp instance is the address owner, weight 0 must also be set.
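The vrrp_script paragraph above and the vrrp_track_file paragraph here describe the same priority arithmetic from two directions. As an added example (this is not keepalived code; the function names and the FAULT sentinel are this example's own, and the handling of a product above 253, which the text does not define, is an assumption), the rules are carried through below with the edge cases the text names: weight 0, a weight of 254 with a negative file value, the [1,254] clamp, and the address owner.

```python
# Added example (not keepalived code): the priority arithmetic described for
# vrrp_script and vrrp_track_file, with the documented edge cases.
from typing import List, Optional

FAULT = None          # a contribution of None means "go to FAULT state"
PRIO_MIN, PRIO_MAX = 1, 254
OWNER_PRIO = 255      # address owner: fixed priority, weights must be 0


def script_contribution(weight: int, ok: bool) -> Optional[int]:
    """vrrp_script with a given weight, once the rise/fall threshold was met.
    weight 0: a failure means FAULT; weight > 0: success adds weight;
    weight < 0: failure adds the negative weight (i.e. subtracts |weight|)."""
    if weight == 0:
        return 0 if ok else FAULT
    if weight > 0:
        return weight if ok else 0
    return 0 if ok else weight


def file_contribution(weight: int, file_value: int) -> Optional[int]:
    """vrrp_track_file: weight 0 -> a non-zero value is a failure; otherwise
    value * weight, and a result below -253 means FAULT."""
    if weight == 0:
        return 0 if file_value == 0 else FAULT
    result = file_value * weight
    if result < -253:
        return FAULT
    # a result above 253 is not defined by the text; assumption here: pass it
    # through and let the [1,254] clamp in effective_priority bound it
    return result


def effective_priority(base: int, contributions: List[Optional[int]],
                       address_owner: bool = False) -> Optional[int]:
    """Combine the tracked contributions with the configured base priority.
    Any FAULT wins; the address owner keeps 255 (its weights must be 0);
    everyone else is clamped to [1,254]."""
    if any(c is FAULT for c in contributions):
        return FAULT
    if address_owner:
        return OWNER_PRIO
    return max(PRIO_MIN, min(PRIO_MAX, base + sum(contributions)))


if __name__ == "__main__":
    # weight 254 lets a file value of -1 push the instance into FAULT
    print(file_contribution(254, -1))                                  # None (FAULT)
    # base 100, a script adding 10, a file subtracting 200 -> clamped to 1
    print(effective_priority(100, [script_contribution(10, True), file_contribution(2, -100)]))
```

The weight-254 case is the one the text singles out: with the file holding -1, the product is -254, below -253, so the instance faults instead of merely losing priority.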
           
BFD Configuration
This is an implementation of RFC5880 (Bidirectional forwarding detection),
and this can be configured to work between 2 keepalived instances, but using
unweighted track_bfds between a master/backup pair of VRRP instances means that
the VRRP instance will only be able to come up if both VRRP instances are running,
which somewhat defeats the purpose of VRRP.
This implementation has been tested with OpenBFDD (available at
https://github.com/dyninc/OpenBFDD).
The configuration block looks like :
bfd_instance <STRING> {
    neighbor_ip <IP ADDRESS>           # BFD Neighbor IP (synonym neighbour_ip)
    source_ip <IP ADDRESS>             # Source IP to use (optional)
    min_rx <INTEGER>                   # Required min RX interval, in ms
                                       # (default is 10 ms)
    min_tx <INTEGER>                   # Desired min TX interval, in ms
                                       # (default is 10 ms)
    idle_tx <INTEGER>                  # Desired idle TX interval, in ms
                                       # (default is 1000 ms)
    multiplier <INTEGER>               # Number of missed packets after
                                       # which the session is declared down
                                       # (default is 5)
    passive                            # Operate in passive mode (default is active)
    ttl <INTEGER 0..255>               # outgoing IPv4 ttl to use (default 255)
    hoplimit <INTEGER 0..255>          # outgoing IPv6 hoplimit to use (default 64)
    max_hops <INTEGER 0..255>          # maximum reduction of ttl/hoplimit in received packet (default 0)
                                       #   (255 disables hop count checking)
    weight                             # Default tracking weight
    vrrp|checker                       # Only notify vrrp or checker process. Default is notify both.
}
           
VRRP synchronization group
The configuration block looks like :
vrrp_sync_group <STRING> {      # VRRP sync group declaration
    group {                     # group of instance to sync together
      <STRING>                  #   a
      <STRING>                  #       set
      ...                       #             of VRRP_Instance string
    }
    global_tracking             # DEPRECATED. Use track_interface, track_script and
                                # track_file on vrrp_sync_groups instead.
    sync_group_tracking_weight  # allow sync groups to use differing weights. This
                                # probably WON'T WORK, but is a replacement for
                                # global_tracking in case different weights were used
                                # across different vrrp instances in the same sync
                                # group.
    track_interface {           # if any of the following interfaces goes down, set the instance to fault state
      <STRING>
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_script {              # Scripts state we monitor
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_file {                # Files state we monitor
      <STRING>          # weight defaults to value configured in the vrrp_track_file
      <STRING> weight <INTEGER: -254..254>
      ...
    }
    track_bfd {                 # BFD instance we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER: -253..253>
      ...
    }
                                # The username and groupname specify the user and group
                                # under which the scripts should be run. If username is
                                # specified, the group defaults to the group of the user.
                                # If username is not specified, they default to the
                                # global script_user and script_group
    notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during MASTER transit
    notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during BACKUP transit
    notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during FAULT transit
    notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to launch when stopping vrrp
    notify <STRING>|<QUOTED-STRING> [username [groupname]]
                                # Script to run during ANY state transit (1)
    smtp_alert <BOOL>           # Send email notification during state transit
                                #   (default no, unless global smtp_alert/smtp_alert_vrrp set)
}
    Synchronization group tracking scripts and files will update
    the status/priority of all VRRP instances which are members of
    the sync group.
(1) The "notify" script is called AFTER the corresponding notify_* script has
    been called, and is given 4 additional arguments following the configured
    arguments:
    $(n-3) = A string indicating whether it's a "GROUP" or an "INSTANCE"
    $(n-2) = The name of said group or instance
    $(n-1) = The state it's transitioning to ("MASTER", "BACKUP", "FAULT" or "STOP")
    $(n)   = The priority value
    $(n-3) and $(n-1) are ALWAYS sent in uppercase, and the possible strings sent are the
    same ones listed above ("GROUP"/"INSTANCE", "MASTER"/"BACKUP"/"FAULT"/"STOP")
    (note: STOP is only applicable to instances)
Important: for a SYNC group to run reliably, it is vital that all instances in
           the group are MASTER or that they are all either BACKUP or FAULT. A
           situation with half instances having higher priority on machine A
           half others with higher priority on machine B will lead to constant
           re-elections. For this reason, when instances are grouped, any
           track scripts/files configured against member VRRP instances will have
           their tracking weights automatically set to zero, in order to avoid
           inconsistent priorities across instances.
(2) The notify fifo output is the same as the last 4 parameters for the "notify"
    script, with the addition of "MASTER_RX_LOWER_PRI" instead of state for an
    instance. This is used if a master needs to set some external state, such as
    setting a secondary IP address when using Amazon AWS; if another keepalived
    has transitioned to master due to a communications break, the lower priority
    instance will have taken over the secondary IP address, and the proper master
    needs to be able to restore it.
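The "notify" script arguments in (1) and the FIFO line format in (2) are easy to get subtly wrong (the event is the last four arguments, not the first four; the FIFO name field is quoted; MASTER_RX_LOWER_PRI appears only on the FIFO; STOP only for instances). As an added example, not part of keepalived or of this page, here is a Python handler that validates both forms and picks out the events after which a master may need to restore external state, as in the cloud secondary-address case the text describes. The script path, function names and sample FIFO lines are this example's own.

```python
# Added example (not part of keepalived or of this page): parsing of the
# "notify" script arguments and of notify FIFO lines as described above.
import shlex
import sys
from dataclasses import dataclass
from typing import List, Optional

KINDS = {"GROUP", "INSTANCE"}
SCRIPT_STATES = {"MASTER", "BACKUP", "FAULT", "STOP"}
FIFO_STATES = SCRIPT_STATES | {"MASTER_RX_LOWER_PRI"}   # extra state only on the FIFO


@dataclass(frozen=True)
class Event:
    kind: str        # "GROUP" or "INSTANCE"
    name: str
    state: str
    priority: int


def _build(kind: str, name: str, state: str, priority: str, allowed_states) -> Event:
    if kind not in KINDS:
        raise ValueError(f"unknown kind {kind!r}")
    if state not in allowed_states:      # states are always uppercase
        raise ValueError(f"unknown state {state!r}")
    if kind == "GROUP" and state == "STOP":
        raise ValueError("STOP is only sent for instances")
    return Event(kind, name, state, int(priority))


def event_from_args(argv: List[str]) -> Event:
    """'notify' script: the event is the LAST four arguments, $(n-3) .. $(n),
    whatever configured arguments precede them."""
    if len(argv) < 4:
        raise ValueError("notify script needs at least 4 arguments")
    kind, name, state, priority = argv[-4:]
    return _build(kind, name, state, priority, SCRIPT_STATES)


def event_from_fifo_line(line: str) -> Event:
    """One FIFO line such as: INSTANCE "VI_1" MASTER 100 (the name is quoted)."""
    fields = shlex.split(line)
    if len(fields) != 4:
        raise ValueError(f"malformed FIFO line: {line!r}")
    return _build(*fields, FIFO_STATES)


def parse_or_none(argv: List[str]) -> Optional[Event]:
    """Convenience wrapper that turns a rejected argument list into None."""
    try:
        return event_from_args(argv)
    except ValueError:
        return None


def needs_external_restore(ev: Event) -> bool:
    """True for events after which a master may have to (re)claim external
    state: becoming MASTER, or a master hearing a lower-priority advert after
    a communications break (the case described in the text)."""
    return ev.kind == "INSTANCE" and ev.state in ("MASTER", "MASTER_RX_LOWER_PRI")


# Constructed sample of what a notify FIFO might carry.
SAMPLE_FIFO_LINES = [
    'INSTANCE "VI_1" MASTER 100',
    'GROUP "VG_1" MASTER 100',
    'INSTANCE "VI_1" MASTER_RX_LOWER_PRI 100',
    'INSTANCE "VI_1" BACKUP 90',
    'INSTANCE "VI_1" STOP 100',
]


def instances_to_restore(lines: List[str]) -> List[str]:
    return [ev.name for ev in map(event_from_fifo_line, lines) if needs_external_restore(ev)]


if __name__ == "__main__":
    if len(sys.argv) >= 5:
        print(event_from_args(sys.argv))       # invoked by keepalived as the notify script
    else:
        print(instances_to_restore(SAMPLE_FIFO_LINES))
```

Installed as the "notify" script (for example at a path such as /usr/local/bin/notify.py, a hypothetical location), the same module parses sys.argv; fed lines read from the FIFO named by vrrp_notify_fifo, it parses those instead.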
##### VRRP gratuitous ARP/NA intervals
```bash
    This section allows the setting of delays between sending gratuitous ARPs
    and unsolicited neighbour advertisements. This is intended for when an
    upstream switch is unable to handle being flooded with ARPs/NAs.
    Use interface when the limits apply on the single physical interface.
    Use interfaces when a group of interfaces are linked to the same switch
    and the limits apply to the switch as a whole.
    Note: Only one of interface or interfaces should be used per block.
garp_group {
    garp_interval <DECIMAL>     # Sets the interval between Gratuitous ARP
                                #   (in seconds, resolution microseconds)
    gna_interval <DECIMAL>      # Sets the default interval between unsolicited NA
                                #   (in seconds, resolution microseconds)
    interface <STRING>          # The physical interface to which the intervals apply
    interfaces {                # A list of interfaces across which the delays are
        <STRING>                #   aggregated.
        <STRING>
        ...
    }
}
    If the global vrrp_garp_interval and/or vrrp_gna_interval are set, any
    interfaces that aren't specified in a garp_group will inherit the global
    settings.
           
VRRP instance
The configuration block looks like :
vrrp_instance <STRING> {                      # VRRP instance declaration
    use_vmac [<NAME>]                         # Use VRRP Virtual MAC, optional NAME of interface
                                              # NOTE: If sysctl net.ipv4.conf.all.rp_filter is set,
                                              # and this vrrp_instance is an IPv4 instance, using
                                              # this option will cause the individual interfaces to be
                                              # updated to the greater of their current setting and
                                              # all.rp_filter, as will default.rp_filter, and all.rp_filter
                                              # will be set to 0.
                                              # The original settings are restored on termination.
    version <INTEGER:2..3>                    # VRRP version to use
    vmac_xmit_base                            # Send/Recv VRRP messages from base
                                              #  interface instead of VMAC interface
    native_ipv6                               # Force instance to use IPv6 (this option is deprecated since
                                              #   the virtual addresses determine whether IPv4 or IPv6 is used)
    state MASTER|BACKUP                       # Start-up default state
    interface <STRING>                        # Binding interface
    accept                                    # Allow a non address-owner to process packets
                                              # destined to VIPs and eVIPs. This is the default
                                              # unless strict mode is set.
    no_accept                                 # Set non-accept mode (default if strict mode)
                                              #
    skip_check_adv_addr [BOOL]                # See description of global vrrp_skip_check_adv_addr, which
                                              # sets the default value. Defaults to vrrp_skip_check_adv_addr
    track_interface {                         # Interfaces state we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_script {                            # Scripts state we monitor
      <STRING>
      <STRING> weight <INTEGER:-253..253>
      ...
    }
    track_file {                              # Files state we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER: -254..254>
      ...
    }
    track_bfd {                               # BFD instance we monitor
      <STRING>
      <STRING>
      <STRING> weight <INTEGER: -253..253>
      ...
    }
    dont_track_primary                        # (default unset) ignore VRRP interface faults.
                                              #  useful for cross-connect VRRP config.
    mcast_src_ip <IP ADDRESS>                 # source IP to use in the VRRP packets
    unicast_src_ip <IP ADDRESS>               # source IP to use in the VRRP packets (alias of mcast_src_ip)
    track_src_ip                              # if the configured src_ip doesn't exist or is removed
                                              # put the instance into fault state
    unicast_peer {                            # Do not use multicast, instead send VRRP
      <IP ADDRESS>                            #  adverts to following list of ip address
      ...                                     #  in unicast design fashion
    }
    old_unicast_checksum [never]              # The checksum calculation when using VRRPv3 changed after v1.3.6.
                                              #  Setting this flag forces the old checksum algorithm to be used
                                              #  to maintain backward compatibility, although keepalived will
                                              #  attempt to maintain compatibility anyway if it sees an old
                                              #  version checksum. Specifying never will turn off autodetection
                                              #  of old checksums. [This option may not be enabled - check output
                                              #  of `keepalived -v` for OLD_CHKSUM_COMPAT.]
    # The following garp parameters take their defaults from the global config for vrrp_garp_...
    # See their descriptions for the meaning of the parameters.
    garp_master_delay <INTEGER>
    garp_master_repeat <INTEGER>
    garp_lower_priority_delay <INTEGER>
    garp_lower_priority_repeat <INTEGER>
    garp_master_refresh <INTEGER>
    garp_master_refresh_repeat <INTEGER>
    virtual_router_id <INTEGER:1..255>        # VRRP VRID
    priority <INTEGER:1..255>                 # VRRP PRIO
    advert_int <FLOAT>                        # VRRP Advert interval (use default)
    lower_prio_no_advert [<BOOL>]             # If a lower priority advert is received, don't
                                              # send another advert. This causes adherence
                                              # to the RFCs (defaults to global
                                              # vrrp_lower_priority_dont_send_advert).
    higher_prio_send_advert [<BOOL>]          # If we are master and receive a higher priority
                                              # advert, send an advert (which will be lower priority
                                              # than the other master), before we transition to
                                              # backup. This means that if the other master has
                                              # garp_lower_priority_repeat set, it will resend garp
                                              # messages. This is to get around the problem of their
                                              # having been two simultaneous masters, and the last GARP
                                              # messages seen were from us.
    # Note: authentication was removed from the VRRPv2 specification by RFC3768 in 2004.
    #   Use of this option is non-compliant and can cause problems; avoid using if possible,
    #   except when using unicast, when it can be helpful.
    authentication {                          # Authentication block
        auth_type PASS|AH                     # Simple password or IPSEC AH
        auth_pass <STRING>                    # Password string (up to 8 characters)
    }
    # For virtual_ipaddress and virtual_ipaddress_excluded most of the options match the options
    #   of the command ip address add, likewise for virtual_routes and virtual_rules and the
    #   respective ip route/rule add commands. no_track is specific to keepalived and means that the
    #   vrrp_instance will not transition out of master state if the address/route/rule is deleted
    #   and the address/route/rule will not be reinstated until the vrrp instance next transitions
    #   to master.
    # The track_group option only applies to static addresses/routes/rules.
    virtual_ipaddress {                       # VRRP IP address block
        <IP ADDRESS>[/<MASK>] [brd <IP ADDRESS>] [dev <STRING>] [scope <SCOPE>] [label <LABEL>] [peer <IP ADDRESS>] [home] [-nodad] [mngtmpaddr] [noprefixroute] [autojoin] [no_track]
        <IP ADDRESS>[/<MASK>] ...
        ...
    }
    virtual_ipaddress_excluded {              # VRRP IP excluded from VRRP packets
        <IP ADDRESS>[/<MASK>] [brd <IP ADDRESS>] [dev <STRING>] [scope <SCOPE>] [label <LABEL>] [peer <IP ADDRESS>] [home] [-nodad] [mngtmpaddr] [noprefixroute] [autojoin] [no_track]
        <IP ADDRESS>[/<MASK>] ...
        ...
    }
    promote_secondaries                       # Set the promote_secondaries flag on the interface to stop other
                                              # addresses in the same CIDR being removed when 1 of them is removed
    virtual_routes {                          # VRRP virtual routes
                                              # The syntax is the same as static_routes with the additional option [no_track]
                                              #   and excluding track_group.
    }
    virtual_rules {                           # VRRP virtual rules
                                              # The syntax is the same as static_rules with the additional option [no_track]
                                              #   and excluding track_group.
    }
    nopreempt                                 # Override VRRP RFC preemption default
    preempt_delay <FLOAT>                     # Seconds after startup or seeing a lower priority master
                                              #  until preemption. 0 (default) to 1,000
    strict_mode [<BOOL>]                      # See description of global vrrp_strict
                                              # If strict_mode is not specified, it takes the value of the global vrrp_strict
                                              # If strict_mode is specified without a parameter, it defaults to on
    debug <LEVEL>                             # Debug level. LEVEL is a number in the range 0 to 4.
    notify_master <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_backup <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_fault <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_stop <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to launch when stopping vrrp
    notify <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Same as vrrp_sync_group
    notify_master_rx_lower_pri <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to run if a master receives a lower priority advert
    smtp_alert <BOOL>                         # Same as vrrp_sync_group
                                              #   (default no, unless global smtp_alert/smtp_alert_vrrp set)
    kernel_rx_buf_size                        # Set socket receive buffer size (see global_defs
                                              #   vrrp_rx_bufs_policy for explanation)
}
SCOPE can take the following values :
    * site
    * link
    * host
    * nowhere
    * global
LABEL is optional and creates a name for the alias. For compatibility with
"ifconfig", it should be of the form <realdev>:<anytext>, for example
eth0:1 for an alias on eth0.
METRIC is optional and specifies a route priority.
When a weight is specified in track_interface, instead of putting the vrrp
instance into the FAULT state when the interface fails, its priority is
increased by the weight while the interface is up (for positive weights),
or decreased by the weight's absolute value while the interface is down
(for negative weights). The weight must be between -254 and +254
inclusive. 0 is the default and means that a failure implies the FAULT
state. The common practice is to use positive weights to count a limited
number of good services, so that the server with the highest count becomes
master. Negative weights are better for counting unexpected failures among a
large number of interfaces, because the priority will not saturate even with
many interfaces.
The same principle applies to track_script entries, except that an
unspecified weight means that the default weight declared in the vrrp_script
block is used (which itself defaults to 0).
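A complete two-node instance tying the options above together, added here as an illustration and not taken from the keepalived SYNOPSIS. The interface names, addresses, the `chk_haproxy` script name, the notify script path and the `vrrp_script` block (whose keywords come from the VRRP script section earlier on this page) are assumptions. The security-relevant choices are VRRPv3 with unicast peers instead of the non-compliant `authentication` block, a BACKUP start state with `nopreempt` so a recovering node cannot flap the VIP, and negative tracking weights so that a single failure degrades priority rather than silently keeping a broken master:

```conf
# Added example, not keepalived's own configuration; names and addresses are assumptions.
vrrp_script chk_haproxy {
    script "/usr/bin/pkill -0 haproxy"     # exit 0 while haproxy is running
    interval 2
    fall 2
    rise 2
    weight -20                              # failure lowers priority instead of forcing FAULT
    user keepalived_script                  # never run tracking scripts as root
}

vrrp_instance VI_1 {
    version 3                 # VRRPv3 has no authentication field; sub-second advert_int possible
    state BACKUP              # let the election decide; required for nopreempt to work
    interface eth0            # advert (heartbeat) interface
    virtual_router_id 51      # identical on both nodes, unique per L2 segment
    priority 110              # the peer is configured with 100
    advert_int 1
    nopreempt                 # a recovered node does not take the VIP back
    unicast_src_ip 10.0.0.11
    unicast_peer {
        10.0.0.12             # adverts go only to the peer; no multicast on the segment
    }
    track_src_ip              # source address disappears -> FAULT, not a silent misconfiguration
    # No "authentication" block: PASS is a cleartext 8-character secret and AH was dropped
    # by RFC3768; restrict IP protocol 112 on eth0 to 10.0.0.12 in the host firewall instead.
    track_interface {
        eth1 weight -30       # service interface down: 110 -> 80, below the peer's 100
    }
    track_script {
        chk_haproxy           # haproxy gone: 110 -> 90 (both failures: 60)
    }
    virtual_ipaddress {
        192.0.2.10/24 dev eth1 label eth1:vip
    }
    notify_master "/etc/keepalived/notify.sh master" keepalived_script
    notify_backup "/etc/keepalived/notify.sh backup" keepalived_script
    notify_fault  "/etc/keepalived/notify.sh fault"  keepalived_script
}
```

The peer's file differs only in `priority 100`, `unicast_src_ip 10.0.0.12` and the peer address. `accept` (the default) is kept because a load balancer or proxy on this host must be able to bind the VIP; `no_accept` only suits a pure router role.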
           

LVS configuration

This block is divided into 3 sub-blocks :
    * Virtual server group
    * Virtual server
    * SSL config
           
Virtual server group
The configuration block looks like :
virtual_server_group <STRING> {
    <IP ADDRESS> <PORT>         # VIP VPORT
    <IP ADDRESS> <PORT>
    ...
    <IP ADDRESS RANGE> <PORT>   # VIP range VPORT
    <IP ADDRESS RANGE> <PORT>
    ...
    fwmark <INTEGER>            # fwmark
    fwmark <INTEGER>
    ...
}
Note:   <IP ADDRESS RANGE> has the form XXX.YYY.ZZZ.WWW-VVV and defines the
        range of IP addresses starting at WWW and incremented monotonically by
        one up to VVV. Example : 192.168.200.1-10 means the .1 to .10 IP addresses.
           
Virtual server
The configuration block looks like :
    A virtual_server can be either :
    * vip vport declaration
    * fwmark declaration
    * group declaration
    Note: Where an option can be configured for a virtual server, real server,
    and possibly checker, the virtual server setting is the default for real servers,
    and the real server setting is the default for checkers.
    Note 2: Tunnelled real/sorry servers may use a different address family from
    the virtual server; the virtual server and all non-tunnelled real/sorry servers
    must share the same address family. If a virtual server uses a fwmark, and all
    the real/sorry servers are tunnelled, the address family of the virtual server
    will be the same as that of the real/sorry servers if they are all the same,
    otherwise it defaults to IPv4 (use ip_family inet6 to override this).
virtual_server <IP ADDRESS> <PORT> {          # VS IP/PORT declaration
virtual_server fwmark <INTEGER>    {          # VS fwmark declaration
virtual_server group <STRING>      {          # VS group declaration
    ip_family inet|inet6                      # Address family
    delay_loop <INTEGER>                      # delay timer for service polling
    lvs_sched rr|wrr|lc|wlc|lblc|sh|dh|fo|ovf|lblcr|sed|nq
                                              # LVS scheduler used
    hashed                                    # Apply hashing
    flag-1                                    # Apply scheduler flag 1
    flag-2                                    # Apply scheduler flag 2
    flag-3                                    # Apply scheduler flag 3
    sh-port                                   # Apply sh-port scheduler flag (only for sh scheduler,
                                              #  same as flag-2 for sh scheduler)
    sh-fallback                               # Apply sh-fallback scheduler flag (only for sh scheduler,
                                              #  same as flag-1 for sh scheduler)
    ops                                       # Apply One-Packet-Scheduling (only for UDP)
    lvs_method NAT|DR|TUN                     # default LVS method to use
    persistence_engine <STRING>               # LVS persistence engine name
    persistence_timeout [<INTEGER>]           # LVS persistence timeout, default 6 minutes
    persistence_granularity <NETMASK>         # LVS granularity mask
    protocol TCP|UDP|SCTP                     # L4 protocol
    ha_suspend                                # If VS IP address is not set, suspend
                                              #  healthcheckers activity
    virtualhost <STRING>                      # Default VirtualHost string to use for
                                              #  HTTP_GET or SSL_GET
    # Assume silently all RSs down and healthchecks
    # failed on start. This helps preventing false
    # positive actions on startup. Alpha mode is
    # disabled by default.
    alpha
    # On daemon shutdown, consider quorum and RS
    # down notifiers for execution, where appropriate.
    # Omega mode is disabled by default.
    omega
    # Minimum total weight of all live servers in
    # the pool necessary to operate VS with no
    # quality regression. Defaults to 1.
    quorum <INT>
    # Tolerate this much weight units compared to the
    # nominal quorum, when considering quorum gain
    # or loss. A flap dampener. Defaults to 0.
    hysteresis <INT>
    # Script to launch when quorum is gained.
    quorum_up <STRING>|<QUOTED-STRING> [username [groupname]]
    # Script to launch when quorum is lost.
    quorum_down <STRING>|<QUOTED-STRING> [username [groupname]]
    sorry_server <IP ADDRESS> <PORT>          # RS to add to LVS topology when the
                                              #  quorum isn't achieved.
                                              #  If a sorry server is configured, all
                                              #  real servers will be brought down when
                                              #  the quorum is not achieved.
    sorry_server_inhibit                      # applies inhibit_on_failure behaviour
                                              # to the sorry_server
    sorry_server_lvs_method NAT|DR|TUN        # LVS method to use for sorry server
    retry <INTEGER>                           # number of retries before fail
    delay_before_retry <INTEGER>              # delay before retry (default 1 unless otherwise specified)
    warmup <INTEGER>                          # random delay for maximum N seconds
    delay_loop <INTEGER>                      # delay timer for service polling
    inhibit_on_failure                        # Set weight to 0 on healthchecker failure
    smtp_alert <BOOL>                         # Send email notification when quorum gained/lost
                                              #   (default no, unless global smtp_alert/smtp_alert_checker set)
    real_server <IP ADDRESS> <PORT> {         # RS declaration
        weight <INTEGER>                      # weight to use (default: 1)
        lvs_method NAT|DR|TUN                 # LVS method to use
        notify_up <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to launch when
                                              #  healthchecker consider service
                                              #  as up.
        notify_down <STRING>|<QUOTED-STRING> [username [groupname]]
                                              # Script to launch when
                                              #  healthchecker consider service
                                              #  as down.
        uthreshold <INTEGER>                  # maximum number of connections to server
        lthreshold <INTEGER>                  # minimum number of connections to server
        alpha <BOOL>                          # see above
        retry <INTEGER>                       # see above
        delay_before_retry <INTEGER>          # see above
        warmup <INTEGER>                      # see above
        delay_loop <INTEGER>                  # see above
        inhibit_on_failure <BOOL>             # see above
        smtp_alert <BOOL>                     # Send email notification when this real server goes up/down
                                              #   (default yes, unless global smtp_alert/smtp_alert_checker set)
        virtualhost <STRING>                  # Default VirtualHost string to use for
                                              #  HTTP_GET or SSL_GET (overrides
                                              #  virtual_server virtualhost)
        # healthcheckers. Can be multiple of each type
        # HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|DNS_CHECK|MISC_CHECK|BFD_CHECK
        # All checkers have the following options, except MISC_CHECK which only has alpha onwards,
        #  and BFD_CHECK which has no standard options:
        CHECKER_TYPE {
            connect_ip <IP ADDRESS>           # IP address to connect (default real_server address)
            connect_port <PORT>               # Port to connect (default real_server port)
            bindto <IP ADDRESS>               # IP address to bind to
            bind_if <IFNAME>                  # Interface to bind to; needed if the bindto
                                              #  address is IPv6 link local
            bind_port <PORT>                  # Port to bind to
            connect_timeout <INTEGER>         # Timeout connection
            fwmark <INTEGER>                  # fwmark to set on socket (SO_MARK)
            alpha <BOOL>                      # see above
            retry <INTEGER>                   # number of retries before fail
            delay_before_retry <INTEGER>      # delay before retry (default 1 unless otherwise specified)
            warmup <INTEGER>                  # random delay for maximum N seconds
            delay_loop <INTEGER>              # delay timer for service polling
        }
        # The following options are additional checker specific
        HTTP_GET|SSL_GET {                    # HTTP and SSL healthcheckers
            url {                             # A set of url to test
              path <STRING>                   # Path
              digest <STRING>                 # Digest computed with genhash
              status_code <INTEGER>           # status code returned into the HTTP
                                              #   header. If not specified, then any
                                              #   2xx code is accepted.
              virtualhost <STRING>            # VirtualHost string to use. If not set
                                              #  uses virtualhost from checker or real
                                              #  or virtual_server.
            }
            url {
              path <STRING>
              digest <STRING>
              status_code <INTEGER>
              virtualhost <STRING>
            }
            ...
            virtualhost <STRING>              # VirtualHost string to use. If not set
                                              #  uses virtualhost from real or
                                              #  virtual_server.
        }
        SSL_GET {
            enable_sni                        # send Server Name Indication during SSL handshake
        }
        TCP_CHECK {                           # TCP healthchecker
            # No additional options
        }
        SMTP_CHECK {                          # SMTP healthchecker
            helo_name <STRING>|<QUOTED-STRING> # Host to use for the HELO request
        }
        DNS_CHECK {                           # DNS healthchecker
            type A|NS|CNAME|SOA|MX|TXT|AAAA   # DNS query type (default SOA)
            name <STRING>                     # Domain name to use for the DNS query
        }
        MISC_CHECK {                          # MISC healthchecker
            misc_path <STRING>|<QUOTED-STRING> # External system script or program
            misc_timeout <INTEGER>            # Script execution timeout
            # If set, exit code from healthchecker is used
            # to dynamically adjust the weight as follows:
            #   exit status 0: svc check success, weight
            #     unchanged.
            #   exit status 1: svc check failed.
            #   exit status 2-255: svc check success, weight
            #     changed to 2 less than exit status.
            #   (for example: exit status of 255 would set
            #     weight to 253)
            # NOTE: do not have more than one dynamic MISC_CHECK per real_server.
            misc_dynamic
            user USERNAME [GROUPNAME]         # Specify user/group to run script under
        }
        BFD_CHECK {
            name <STRING>                     # the name of the bfd instance
        }
    }
}
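A worked virtual_server that uses the quorum, sorry server and checker options above, added here as an illustration and not taken from the keepalived SYNOPSIS. The addresses, the `/healthz` path, the hostname and the MISC_CHECK script path are assumptions. It starts in `alpha` mode so that no traffic reaches a backend before a check has succeeded, and uses `hysteresis` so that one real server changing weight does not flap the quorum scripts:

```conf
# Added example, not keepalived's own configuration; addresses and paths are assumptions.
virtual_server 192.0.2.10 443 {
    delay_loop 6
    lvs_sched wrr
    lvs_method DR
    protocol TCP
    persistence_timeout 300
    alpha                     # assume every RS down until its first successful check
    omega                     # run quorum_down/notify_down on daemon shutdown
    quorum 2                  # live weight needed for the pool to count as healthy
    hysteresis 1              # quorum gained at weight >= 3, lost only below 1
    quorum_up   "/etc/keepalived/quorum.sh up"   keepalived_script
    quorum_down "/etc/keepalived/quorum.sh down" keepalived_script
    sorry_server 192.0.2.50 443   # when quorum is lost ALL real servers are removed
                                  # and only this host serves (static maintenance page)
    real_server 192.0.2.21 443 {
        weight 2
        inhibit_on_failure    # weight 0 instead of removal: persistent sessions drain
        SSL_GET {
            connect_timeout 3
            retry 2
            delay_before_retry 2
            enable_sni        # the backend presents a per-name certificate
            url {
                path /healthz
                status_code 200        # a digest from genhash could pin the body too
                virtualhost app.example.com
            }
        }
    }
    real_server 192.0.2.22 443 {
        weight 2
        MISC_CHECK {
            misc_path "/usr/local/libexec/keepalived/check_app.sh check /run/app/capacity"
            misc_timeout 5
            misc_dynamic      # exit status 2..255 sets the weight to (status - 2)
            user keepalived_script
        }
    }
}
```

With `quorum 2` and `hysteresis 1` the pool becomes healthy only once both servers (total weight 4, or one server plus a dynamic weight of at least 1) report up, and the sorry server takes over only when the live weight drops below 1, i.e. both are down.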
           
SSL config
Parameters used for SSL_GET check.
    If none of the parameters are specified, the SSL context will be auto generated.
SSL {
    password <STRING>           # password
    ca <STRING>                 # ca file
    certificate <STRING>        # certificate file
    key <STRING>                # key file
}
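The `misc_dynamic` exit-status mapping described under MISC_CHECK above is easy to get wrong (a script that exits with the weight itself sets a weight two lower than intended, and exit 1 means "down", not "weight 1"). The following POSIX sh script, added here as an example and not part of keepalived, computes a weight from a backend's free-capacity report and converts it into the exit status keepalived expects. The capacity file format (`free=N max=M`) and its path are assumptions; the script fails closed (exit 1) on any unreadable or unparseable input.

```sh
#!/bin/sh
# Added example, not keepalived's own code: a MISC_CHECK script for misc_dynamic.
# keepalived interprets the exit status as
#   0        -> check succeeded, weight unchanged
#   1        -> check failed, real server down
#   2..255   -> check succeeded, weight set to (status - 2), i.e. 0..253
# so a script that wants weight W must exit with W + 2.
# The capacity file (one line such as "free=7 max=10", written by the backend)
# is an assumption made for this illustration.

# Map a desired weight onto the exit status keepalived expects (clamped to 0..253).
weight_to_status() {
    w=$1
    if [ "$w" -lt 0 ]; then w=0; fi
    if [ "$w" -gt 253 ]; then w=253; fi
    echo $((w + 2))
}

# Reverse mapping, as keepalived applies it to the exit status it receives.
status_to_weight() {
    case $1 in
        0) echo unchanged ;;
        1) echo down ;;
        *) echo $(($1 - 2)) ;;
    esac
}

# Derive a weight from a capacity line such as "free=7 max=10".
# Prints 1..100 on success; prints "down" and returns 1 when the backend
# reports no free capacity or the line cannot be parsed (fail closed).
weight_from_capacity() {
    line=$1
    free=$(printf '%s\n' "$line" | sed -n 's/.*free=\([0-9][0-9]*\).*/\1/p')
    max=$(printf '%s\n' "$line" | sed -n 's/.*max=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$free" ] || [ -z "$max" ] || [ "$max" -eq 0 ] || [ "$free" -eq 0 ]; then
        echo down
        return 1
    fi
    w=$((free * 100 / max))           # percentage of free slots becomes the weight
    if [ "$w" -lt 1 ]; then w=1; fi   # keep a busy but live server schedulable
    echo "$w"
}

# Entry point used from keepalived.conf, for example:
#   misc_path "/usr/local/libexec/keepalived/check_app.sh check /run/app/capacity"
# The file must be readable by the user the check runs as (keepalived_script).
run_check() {
    file=$1
    if [ ! -r "$file" ]; then
        exit 1                        # missing or unreadable -> real server down
    fi
    w=$(weight_from_capacity "$(head -n 1 "$file")") || exit 1
    exit "$(weight_to_status "$w")"
}

if [ "${1:-}" = "check" ]; then
    run_check "${2:-/run/app/capacity}"
fi
```

Because the same script runs under the unprivileged `keepalived_script` user every `delay_loop` seconds with `misc_timeout` enforced, the backend only needs to expose a world-readable status file; no root privileges and no network call are involved in the check itself. Keep to a single dynamic MISC_CHECK per real_server, as the SYNOPSIS notes, or two checks will fight over the weight.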
           
