2004 version keepalived.conf introduction
程序员文章站
2022-07-12 17:30:46
...
注意由于1.5.3的man keepalived.conf还是用的2004版, 所以少了很多新功能的介绍, 后面再补充.
最新的配置的请参考源代码里面的doc下面的keepalived.conf.SYNOPSIS. NOTE_vrrp_vmac.txt.
截取man keepalived.conf, 简单的描述一下配置文件的使用.
keepalived.conf分成3个组成部分 :
GLOBAL CONFIGURATION
contains subblocks of Global definitions and Static routes
VRRPD CONFIGURATION
contains subblocks of VRRP synchronization group(s) and VRRP instance(s)
LVS CONFIGURATION
contains subblocks of Virtual server group(s) and Virtual server(s)
The subblocks contain arguments for ipvsadm(8). A knowlege of ipvsadm(8) will be helpful here.
并不是每个部分都需要配置, 看应用场景而定.
如果只拿来做IP地址漂移, 只需要配置前两个部分. 而不使用分组的话, 第二部分只需要配置instance部分.
[参考]
# man keepalived.conf
KEEPALIVED.CONF(5) KEEPALIVED.CONF(5)
NAME
/etc/keepalived/keepalived.conf - configuration file for keepalived
DESCRIPTION
keepalived.conf is the configuration file which describes all the keepalived keywords. keywords are placed in
hierachies of blocks (and subblocks), each layer being delimited by ’{’ and ’}’ pairs.
Comments start with ’#’ or ’!’ to the end of the line and can start anywhere in a line.
TOP HIERACHY
GLOBAL CONFIGURATION
VRRPD CONFIGURATION
LVS CONFIGURATION
GLOBAL CONFIGURATION
contains subblocks of Global definitions and Static routes
Global definitions
global_defs # Block id
{
notification_email # To:
{
[email protected]
...
}
# From: from address that will be in header
notification_email_from [email protected]
smtp_server 127.0.0.1 # IP
smtp_connect_timeout 30 # integer, seconds
router_id my_hostname # string identifying the machine, 无关紧要, 因为vrrp协议中不传输这个字段, 传输的是Vritual route id, 在vrrp instance中配置. 这里的route_id就是主机标示, 怎么配置都没有关系.
# (doesn’t have to be hostname).
vrrp_mcast_group4 224.0.0.18 # optional, default 224.0.0.18 # vrrp心跳的多播组. 如果广播域中有多个keepalived ha组的话, 不同的组建议使用不同的多播地址. 同时使用不同的虚拟路由器ID.
vrrp_mcast_group6 ff02::12 # optional, default ff02::12
enable_traps # enable SNMP traps
}
Static routes/addresses # 可以不配置, 例如静态地址已经由network服务来管理了. 已经配置了如ifcfg-eth0, ...
keepalived can configure static addresses and routes. These addresses are NOT moved by vrrpd, they stay on the
machine. If you already have IPs and routes on your machines and your machines can ping each other, you don’t
need this section.
The syntax is the same as for virtual addresses and virtual routes.
static_ipaddress
{
192.168.1.1/24 dev eth0 scope global
...
}
static_routes
{
192.168.2.0/24 via 192.168.1.100 dev eth0
...
}
VRRPD CONFIGURATION
contains subblocks of VRRP synchronization group(s) and VRRP instance(s)
VRRP synchronization group(s) # 可以不配置, 如果不需要以组的形式来failover的话. 什么情况下需要配置呢? 例如有多个虚拟IP, 某些虚拟IP必须同时启在一台主机上, 而不能分别起在不同的主机上面. 那么就可以用分组来解决. 当一个instance有问题时, 和这个instance在同一个组里的instance全部failover, 并且所有的instance应该是同一个状态. 例如master, backup or fault.
#string, name of group of IPs that failover together
vrrp_sync_group VG_1 {
group {
inside_network # name of vrrp_instance (below)
outside_network # One for each moveable IP.
...
}
# notify scripts and alerts are optional 当状态变更时, 调用对应的脚本. 如果结合postgresql流复制HA使用, 状态变成master后 , 在notify_master配置调用fence和pg_ctl promote的操作.
# 如果没有配置组的话, 在instance配置, 注意keepalived是否保证这些脚本运行成功呢?
# filenames of scripts to run on transitions
# can be unquoted (if just filename)
# or quoted (if has parameters)
# to MASTER transition
notify_master /path/to_master.sh
# to BACKUP transition
notify_backup /path/to_backup.sh
# FAULT transition
notify_fault "/path/fault.sh VG_1"
# for ANY state transition.
# "notify" script is called AFTER the # 注意 notify的参数自动添加, 不需要写在脚本后面
# notify_* script(s) and is executed
# with 3 arguments provided by keepalived
# (ie don’t include parameters in the notify line).
# arguments
# $1 = "GROUP"|"INSTANCE"
# $2 = name of group or instance
# $3 = target state of transition
# ("MASTER"|"BACKUP"|"FAULT")
notify /path/notify.sh
# Send email notifcation during state transition,
# using addresses in global_defs above.
smtp_alert
}
VRRP instance(s) # 注意这里是迎合前面的分组配置来进行的instance配置, 如果没有group的话, 这里也是需要配置的. 只是vrrp_instance inside_network可能改成其他的instance name.
describes the moveable IP for each instance of a group in vrrp_sync_group. Here are described two IPs (on
inside_network and on outside_network), on machine "my_hostname", which belong to the group VG_1 and which will
transition together on any state change.
#You will need to write another block for outside_network.
vrrp_instance inside_network {
# Initial state, MASTER|BACKUP # 这只是初始状态, 当其他主机起来后, 会发生选举操作, 优先级最高的选举为master.
# As soon as the other machine(s) come up, # 所以大家的初始状态都是MASTER也可以.
# an election will be held and the machine
# with the highest "priority" will become MASTER.
# So the entry here doesn’t matter a whole lot. # 初始状态, 和降级有关, MASTER不会降级, 而BACKUP可以降级.
state MASTER
# interface for inside_network, bound by vrrp , 绑定vrrp的端口, 也就是从这个端口发出vrrpd多播包.
interface eth0
# Use VRRP Virtual MAC.
use_vmac <VMAC_INTERFACE>
# Send/Recv VRRP messages from base interface instead of
# VMAC interface
vmac_xmit_base
# Ignore VRRP interface faults (default unset)
dont_track_primary
# optional, monitor these as well. 跟踪的端口, 以下端口被跟踪, 如果这里的端口DOWN的话, 那么当前的keepalived状态转换成fault.
# go to FAULT state if any of these go down.
track_interface {
eth0
eth1
...
}
# default IP for binding vrrpd is the primary IP, 隐藏vrrpd发出多播包的IP地址(这里是eth0的配置), 改成其他地址.
# on interface. If you want to hide location of vrrpd, 即修改源地址, 因为是多播, 所以源地址是啥无所谓.
# use this IP as src_addr for multicast or unicast vrrp , 可选配置项, 一般不需要
# packets. (since it’s multicast, vrrpd will get the reply
# packet no matter what src_addr is used).
# optional
mcast_src_ip <IPADDR>
unicast_src_ip <IPADDR>
# Do not send VRRP adverts over VRRP multicast group. 不使用多播发送vrrp心跳包, 而改为使用单播发送.
# Instead it sends adverts to the following list of 这里要配置的是单播组的IP, 即在这个单播组的机器会收到vrrp心跳包.
# ip addresses using unicast design fashion. It can 所以主备的keepalived都需要加进来.
# be cool to use VRRP FSM and features in a networking
# environement where multicast is not supported !
# IP Addresses specified can IPv4 as well as IPv6
unicast_peer {
<IPADDR>
...
}
# Binding interface for lvs syncd LVS相关的配置, 不使用lvs的话不需要.
lvs_sync_daemon_interface eth1
# delay for gratuitous ARP after transition to MASTER, 角色转换成master后, 延迟多长时间发送免费ARP包. 宣告IP和MAC对应关系, 主要用于告诉广播域的其他主机或路由器当前虚拟IP对应的MAC地址是什么.
garp_master_delay 10 # secs, default 5
# arbitary unique number 0..255 , 虚拟路由器ID, 用于区分同一个NIC接口下的多个vrrpd实例. 同一个广播域请使用不同的虚拟路由器ID
# used to differentiate multiple instances of vrrpd
# running on the same NIC (and hence same socket).
virtual_router_id 51 # 同一个HA环境中的master, backup需要配置一致的v route id. 用于标示关系.
# for electing MASTER, highest priority wins. 配置优先级
# to be MASTER, make 50 more than other machines.
priority 100
# VRRP Advert interval, secs (use default) 配置vrrp心跳间隔 , 秒.
advert_int 1
authentication { # Authentication block, 配置认证. 目前支持PASS和AH两种认证方法, PASS为明文传输密码, AH为ipsec 认证头认证, 不需要配置密码.
# PASS||AH
# PASS - Simple Passwd (suggested)
# AH - IPSEC (not recommended))
auth_type PASS
# Password for accessing vrrpd.
# should be the same for all machines.
# Only the first eight (8) characters are used.
auth_pass 1234
}
#addresses add|del on change to MASTER, to BACKUP.
#With the same entries on other machines,
#the opposite transition will be occuring. 虚拟IP地址, 当角色为主时, 自动up这些IP, 当角色为备时, 自动down掉这些IP.
# 具体UP在哪个接口, 都可以在这里配置.
virtual_ipaddress {
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE> label <LABEL>
192.168.200.17/24 dev eth1
192.168.200.18/24 dev eth2 label eth2:1
}
#VRRP IP excluded from VRRP # 排除心跳包发送的IP地址, 例如起了很多虚拟IP的话, 没有必要每个虚拟IP地址都发送心跳包. 没有必要发送心跳包的IP地址就配置在这里.
#optional.
#For cases with large numbers (eg 200) of IPs
#on the same interface. To decrease the number
#of packets sent in adverts, you can exclude
#most IPs from adverts.
#The IPs are add|del as for virtual_ipaddress.
virtual_ipaddress_excluded {
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
<IPADDR>/<MASK> brd <IPADDR> dev <STRING> scope <SCOPE>
...
}
# routes add|del when changing to MASTER, to BACKUP
# 路由配置, 当角色为主时, 自动添加这些路由, 当角色为备时, 自动删除这些路由.
virtual_routes {
# src <IPADDR> [to] <IPADDR>/<MASK> via|gw <IPADDR> [or <IPADDR>] dev <STRING> scope <SCOPE> tab
src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1
192.168.110.0/24 via 192.168.200.254 dev eth1
192.168.111.0/24 dev eth2
192.168.112.0/24 via 192.168.100.254 192.168.113.0/24 via 192.168.200.254 or 192.168.100.254 dev
eth1 blackhole 192.168.114.0/24
}
# VRRP will normally preempt a lower priority,
# machine when a higher priority machine comes ,
# online. "nopreempt" allows the lower priority
# machine to maintain the master role, even when
# a higher priority machine comes back online.
# NOTE: For this to work, the initial state of this
# entry must be BACKUP.
nopreempt
# Seconds after startup until preemption,
# (if not disabled by "nopreempt").
# Range: 0 (default) to 1,000
# NOTE: For this to work, the initial state of this
# entry must be BACKUP. 有误, 和初始状态没有关系, 参考http://blog.163.com/[email protected]/blog/static/163877040201472511507986/
preempt_delay 300 # waits 5 minutes
# Debug level, not implemented yet.
debug
# notify scripts, alert as above 一些脚本, 当角色变成master后, 会调用notify_master. 其他类推. 无论状态变成什么, 都会在最后执行notify配置的脚本. 脚本有参数的话, 整个命令以及参数必须用双引号如"/path/to/script arg1 arg2"
notify_master <STRING>|<QUOTED-STRING>
notify_backup <STRING>|<QUOTED-STRING>
notify_fault <STRING>|<QUOTED-STRING>
notify <STRING>|<QUOTED-STRING>
smtp_alert
}
LVS CONFIGURATION # lvs相关的配置, 如果不使用LVS的话, 不需要配置 .
contains subblocks of Virtual server group(s) and Virtual server(s)
The subblocks contain arguments for ipvsadm(8). A knowlege of ipvsadm(8) will be helpful here.
Virtual server group(s)
# optional
# this groups allows a service on a real_server
# to belong to multiple virtual services
# and to be only health checked once.
# Only for very large LVSs.
virtual_server_group <STRING> {
#VIP port
<IPADDR> <PORT>
<IPADDR> <PORT>
...
#
# <IPADDR RANGE> has the form
# XXX.YYY.ZZZ.WWW-VVV eg 192.168.200.1-10
# range includes both .1 and .10 address
<IPADDR RANGE> <PORT># VIP range VPORT
<IPADDR RANGE> <PORT>
...
fwmark <INT> # fwmark
fwmark <INT>
... }
Virtual server(s)
A virtual_server can be a declaration of one of
vip vport (IPADDR PORT pair)
fwmark <INT>
(virtual server) group <STRING>
#setup service
virtual_server IP port |
virtual_server fwmark int |
virtual_server group string
{
# delay timer for service polling
delay_loop <INT>
# LVS scheduler
lb_algo rr|wrr|lc|wlc|lblc|sh|dh
# Enable One-Packet-Scheduling for UDP (-O in ipvsadm)
ops
# LVS forwarding method
lb_kind NAT|DR|TUN
# LVS persistence timeout, sec
persistence_timeout <INT>
# LVS granularity mask (-M in ipvsadm)
persistence_granularity <NETMASK>
# Only TCP is implemented
protocol TCP
# If VS IP address is not set,
# suspend healthchecker’s activity
ha_suspend
# VirtualHost string for HTTP_GET or SSL_GET
# eg virtualhost www.firewall.loc
virtualhost <STRING>
# Assume silently all RSs down and healthchecks
# failed on start. This helps preventing false
# positive actions on startup. Alpha mode is
# disabled by default.
alpha
# On daemon shutdown, consider quorum and RS
# down notifiers for execution, where appropriate.
# Omega mode is disabled by default.
omega
# Minimum total weight of all live servers in
# the pool necessary to operate VS with no
# quality regression. Defaults to 1.
quorum <INT>
# Tolerate this much weight units compared to the
# nominal quorum, when considering quorum gain
# or loss. A flap dampener. Defaults to 0.
hysteresis <INT>
# Script to launch when quorum is gained.
quorum_up <STRING>|<QUOTED-STRING>
# Script to launch when quorum is lost.
quorum_down <STRING>|<QUOTED-STRING>
# setup realserver(s)
# RS to add when all realservers are down
sorry_server <IPADDR> <PORT>
# applies inhibit_on_failure behaviour to the
# preceding sorry_server directive
sorry_server_inhibit
# one entry for each realserver
real_server <IPADDR> <PORT>
{
# relative weight to use, default: 1
weight <INT>
# Set weight to 0
# when healthchecker detects failure
inhibit_on_failure
# Script to launch when healthchecker
# considers service as up.
notify_up <STRING>|<QUOTED-STRING>
# Script to launch when healthchecker
# considers service as down.
notify_down <STRING>|<QUOTED-STRING>
# pick one healthchecker
# HTTP_GET|SSL_GET|TCP_CHECK|SMTP_CHECK|MISC_CHECK
# HTTP and SSL healthcheckers
HTTP_GET|SSL_GET
{
# A url to test
# can have multiple entries here
url {
#eg path / , or path /mrtg2/
path <STRING>
# healthcheck needs status_code
# or status_code and digest
# Digest computed with genhash
# eg digest 9b3a0c85a887a256d6939da88aabd8cd
digest <STRING>
# status code returned in the HTTP header
# eg status_code 200
status_code <INT>
}
# number of get retry
nb_get_retry <INT>
# delay before retry
delay_before_retry <INT>
# ======== generic connection options
# Optional IP address to connect to.
# The default is real server’s IP
connect_ip <IP ADDRESS>
# Optional port to connect to if not
# The default is real server’s port
connect_port <PORT>
# Optional interface to use to
# originate the connection
bindto <IP ADDRESS>
# Optional source port to
# originate the connection from
bind_port <PORT>
# Optional connection timeout in seconds.
# The default is 5 seconds
connect_timeout <INTEGER>
# Optional fwmark to mark all outgoing
# checker pakets with
fwmark <INTEGER>
# Optional random delay to begin initial check for
# maximum N seconds.
# Useful to scatter multiple simultaneous
# checks to the same RS. Enabled by default, with
# the maximum at delay_loop. Specify 0 to disable
warmup <INT>
} #HTTP_GET|SSL_GET
#TCP healthchecker (bind to IP port)
TCP_CHECK
{
# ======== generic connection options
# Optional IP address to connect to.
# The default is real server’s IP
connect_ip <IP ADDRESS>
# Optional port to connect to if not
# The default is real server’s port
connect_port <PORT>
# Optional interface to use to
# originate the connection
bindto <IP ADDRESS>
# Optional source port to
# originate the connection from
bind_port <PORT>
# Optional connection timeout in seconds.
# The default is 5 seconds
connect_timeout <INTEGER>
# Optional fwmark to mark all outgoing
# checker pakets with
fwmark <INTEGER>
# Optional random delay to begin initial check for
# maximum N seconds.
# Useful to scatter multiple simultaneous
# checks to the same RS. Enabled by default, with
# the maximum at delay_loop. Specify 0 to disable
warmup <INT>
} #TCP_CHECK
# SMTP healthchecker
SMTP_CHECK
{
# An optional host interface to check.
# If no host directives are present, only
# the ip address of the real server will
# be checked.
host {
# ======== generic connection options
# Optional IP address to connect to.
# The default is real server’s IP
connect_ip <IP ADDRESS>
# Optional port to connect to if not
# the default of 25
connect_port <PORT>
# Optional interface to use to
# originate the connection
bindto <IP ADDRESS>
# Optional source port to
# originate the connection from
bind_port <PORT>
# Optional per-host connection timeout.
# Default is outer-scope connect_timeout
connect_timeout <INTEGER>
# Optional fwmark to mark all outgoing
# checker pakets with
fwmark <INTEGER>
}
# Connection and read/write timeout
# in seconds. The default is 5 seconds
connect_timeout <INTEGER>
# Number of times to retry a failed check
retry <INTEGER>
# Delay in seconds before retrying
delay_before_retry <INTEGER>
# Optional string to use for the smtp HELO request
helo_name <STRING>|<QUOTED-STRING>
# Optional random delay to begin initial check for
# maximum N seconds.
# Useful to scatter multiple simultaneous
# checks to the same RS. Enabled by default, with
# the maximum at delay_loop. Specify 0 to disable
warmup <INT>
} #SMTP_CHECK
#MISC healthchecker, run a program
MISC_CHECK
{
# External system script or program
misc_path <STRING>|<QUOTED-STRING>
# Script execution timeout
misc_timeout <INT>
# Optional random delay to begin initial check for
# maximum N seconds.
# Useful to scatter multiple simultaneous
# checks to the same RS. Enabled by default, with
# the maximum at delay_loop. Specify 0 to disable
warmup <INT>
# If set, exit code from healthchecker is used
# to dynamically adjust the weight as follows:
# exit status 0: svc check success, weight
# unchanged.
# exit status 1: svc check failed.
# exit status 2-255: svc check success, weight
# changed to 2 less than exit status.
# (for example: exit status of 255 would set
# weight to 253)
misc_dynamic
}
} # realserver defn
} # virtual service
AUTHOR
Joseph Mack.
Information derived from doc/keepalived.conf.SYNOPSIS, doc/samples/keepalived.conf.* and Changelog by Alexandre
Cassen for keepalived-1.1.4, and from HOWTOs by Adam Fletcher and Vince Worthington.
SEE ALSO
ipvsadm(8), ip --help.
4th Berkeley Distribution Jan 2004 KEEPALIVED.CONF(5)
[参考]
上一篇: [10.02]T2分组配对