LVS原理详解及部署之四:keepalived介绍

一、keepalived原理介绍

keepalived简介

        Keepalived的功能有点像是两个人互相看着一个工作,如果一个人离开岗位另外一个人就会接替,这个keepalived就是他们之间保持这样“替换机制”的工具。keepalived是一个类似于layer3, 4 & 5交换机制的软件,也就是我们平时说的第3层、第4层和第5层交换。Keepalived的作用是检测web服务器的状态,如果有一台web服务器死机,或工作出现故障,Keepalived将检测到,并将有故障的web服务器从系统中剔除,当web服务器工作正常后Keepalived自动将web服务器加入到服务器群中,这些工作全部自动完成,不需要人工干涉,需要人工做的只是修复故障的web服务器。

        Keepalived服务主要有两大用途:heartbeat(高可用)&failover(健康检测)

        Keepalived服务主要截图vrrp来完成这些工作的,以下我就来介绍下VRRP协议是怎样的工作的,那么基本上keepalived的工作原理就是如此。

VRRP协议(VRRP Virtual Router Redundancy Protocol,虚拟路由冗余协议)

        VRRP协议过程简述:VRRP 将局域网的一组路由器(包括一个Master 即活动路由器和若干个Backup 即备份路由器)组织成一个虚拟路由器,称之为一个备份组。这个虚拟的路由器拥有自己的IP 地址10.100.10.1(这个IP 地址可以和备份组内的某个路由器的接口地址相同,相同的则称为ip拥有者),备份组内的路由器也有自己的IP 地址(如Master的IP 地址为10.100.10.2,Backup 的IP 地址为10.100.10.3)。局域网内的主机仅仅知道这个虚拟路由器的IP 地址10.100.10.1,而并不知道具体的Master 路由器的IP 地址10.100.10.2 以及Backup 路由器的IP 地址10.100.10.3。[1]它们将自己的缺省路由下一跳地址设置为该虚拟路由器的IP 地址10.100.10.1。于是,网络内的主机就通过这个虚拟的路由器来与其它网络进行通信。如果备份组内的Master 路由器坏掉,Backup 路由器将会通过选举策略选出一个新的Master 路由器,继续向网络内的主机提供路由服务。从而实现网络内的主机不间断地与外部网络进行通信。

        VRRP原理

        一个VRRP路由器有唯一的标识:VRID,范围为0—255该路由器对外表现为唯一的虚拟MAC地址,地址的格式为00-00-5E-00-01-[VRID]主控路由器负责对ARP请求用该MAC地址做应答这样,无论如何切换,保证给终端设备的是唯一一致的IP和MAC地址,减少了切换对终端设备的影响[3]

        VRRP控制报文只有一种:VRRP通告(advertisement)它使用IP多播数据包进行封装,组地址为224.0.0.18,发布范围只限于同一局域网内这保证了VRID在不同网络中可以重复使用为了减少网络带宽消耗只有主控路由器才可以周期性的发送VRRP通告报文备份路由器在连续三个通告间隔内收不到VRRP或收到优先级为0的通告后启动新的一轮VRRP选举[3]

        在VRRP路由器组中,按优先级选举主控路由器,VRRP协议中优先级范围是0—255若VRRP路由器的IP地址和虚拟路由器的接口IP地址相同,则称该虚拟路由器作VRRP组中的IP地址所有者;IP地址所有者自动具有最高优先级:255优先级0一般用在IP地址所有者主动放弃主控者角色时使用可配置的优先级范围为1—254优先级的配置原则可以依据链路的速度和成本路由器性能和可靠性以及其它管理策略设定主控路由器的选举中,高优先级的虚拟路由器获胜,因此,如果在VRRP组中有IP地址所有者,则它总是作为主控路由的角色出现对于相同优先级的候选路由器,按照IP地址大小顺序选举VRRP还提供了优先级抢占策略,如果配置了该策略,高优先级的备份路由器便会剥夺当前低优先级的主控路由器而成为新的主控路由器[3]

        为了保证VRRP协议的安全性,提供了两种安全认证措施:明文认证和IP头认证明文认证方式要求:在加入一个VRRP路由器组时,必须同时提供相同的VRID和明文密码适合于避免在局域网内的配置错误,但不能防止通过网络监听方式获得密码IP头认证的方式提供了更高的安全性,能够防止报文重放和修改等攻击。

二、部署keepalived作为web服务器的HA

  1. 部署两台apache web服务器
1
2
yum install httpd -y
/etc/init.d/httpd start
  1. 分别安装keepalived软件

        下载安装

1
2
3
4
5
6
7
wget http://www.keepalived.org/software/keepalived-1.2.8.tar.gz
tar -zxf keepalived-1.2.8.tar.gz
cd keepalived-1.2.8
ll
./configure --prefix=/usr/local/keepalived
make
make install

        配置keepalived的自启动&拷贝keepalived的执行程序

1
2
3
4
5
cp /usr/local/keepalive/sbin/keepalived/ /usr/sbin/
cp cp /usr/local/keepalived/sbin/keepalived /usr/sbin//usr/local/keepalived/sbin/keepalived
cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
cp /usr/local/keepalived/etc/rc.d/init.d/keepalived /etc/init.d/
  1. 编辑主web和备web的keepalived配置文件

        主web服务器的配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[root@localhost keepalived-1.2.8]# cat /etc/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email { #设置报警邮件地址,可多行每行一个。
752119102@qq.com
}
notification_email_from keepalived@localhost #设置邮件的发送地址
smtp_server 127.0.0.1 #设置SMTP server地址
smtp_connect_timeout 30 #设置SMTP 超时时间
router_id LVS_DEVEL #运行keepalived机器的一个标识
}
vrrp_instance VI_1 { #定义一个vrrp实例,不同实例的实例编号不一样。
state MASTER #定义在keepalived的角色MASTER表示为主服务器,BACKUP为备服务器。
interface eth0 #指定HA检测的网络接口
virtual_router_id 51 #虚拟路由标示,同一个实例里的路由标示相同,且唯一。MASTER和BACKUP的路由标识一样,且唯一。
priority 100 #定义此服务器在此虚拟路由器中的优先级,优先级大权限高
advert_int 1 #检测时间间隔
authentication { #设置验证类型和密码,主从的密码必须相同,要不两者不通讯。
auth_type PASS
auth_pass 1111
}
virtual_ipaddress { #设置虚拟IP地址,可以设置多个虚拟IP地址。
192.168.41.249
}
}

        备web服务器的配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[root@localhost ~]# cat /etc/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
752119102@qq.com
}
notification_email_from keepalive@localhost
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 50
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.41.249
}
}

        启动keepalived服务

1
2
/etc/init.d/keepalived start
/etc/init.d/keepalived stop
  1. 查看keepalived日志信息

        主web服务器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Jan 14 20:27:41 localhost Keepalived_vrrp[20840]: Opening file '/etc/keepalived/keepalived.conf'.
Jan 14 20:27:41 localhost Keepalived_vrrp[20840]: Configuration is using : 36304 Bytes
Jan 14 20:27:41 localhost Keepalived_vrrp[20840]: Using LinkWatch kernel netlink reflector...
Jan 14 20:27:41 localhost Keepalived[20837]: Starting VRRP child process, pid=20840
Jan 14 20:27:41 localhost Keepalived_vrrp[20840]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(11,12)]
Jan 14 20:27:42 localhost Keepalived_vrrp[20840]: VRRP_Instance(VI_1) Transition to MASTER STATE
Jan 14 20:27:43 localhost Keepalived_vrrp[20840]: VRRP_Instance(VI_1) Entering MASTER STATE
Jan 14 20:27:43 localhost Keepalived_vrrp[20840]: VRRP_Instance(VI_1) setting protocol VIPs.
Jan 14 20:27:43 localhost Keepalived_vrrp[20840]: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.41.249
Jan 14 20:27:43 localhost Keepalived_vrrp[20840]: Netlink reflector reports IP 192.168.41.249 added
Jan 14 20:27:43 localhost avahi-daemon[3207]: Registering new address record for 192.168.41.249 on eth0.
Jan 14 20:27:43 localhost Keepalived_healthcheckers[20839]: Netlink reflector reports IP 192.168.41.249 added
Jan 14 20:27:44 localhost avahi-daemon[3207]: Invalid query packet.
Jan 14 20:27:46 localhost last message repeated 8 times
Jan 14 20:27:48 localhost Keepalived_vrrp[20840]: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.41.249
Jan 14 20:27:48 localhost avahi-daemon[3207]: Invalid query packet.

        备web服务器日志

1
2
3
4
5
6
Jan 14 19:55:26 localhost Keepalived_vrrp[19423]: Opening file '/etc/keepalived/keepalived.conf'.
Jan 14 19:55:26 localhost Keepalived_vrrp[19423]: Configuration is using : 36302 Bytes
Jan 14 19:55:26 localhost Keepalived_vrrp[19423]: Using LinkWatch kernel netlink reflector...
Jan 14 19:55:26 localhost Keepalived[19420]: Starting VRRP child process, pid=19423
Jan 14 19:55:26 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Entering BACKUP STATE
Jan 14 19:55:26 localhost Keepalived_vrrp[19423]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(11,12)]

        当主web服务器的keepalived停掉后,及主keepalived重新启动时的日志:

1
2
3
4
5
6
7
8
9
10
11
Jan 14 20:25:57 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Transition to MASTER STATE
Jan 14 20:25:58 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Entering MASTER STATE
Jan 14 20:25:58 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) setting protocol VIPs.
Jan 14 20:25:58 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.41.249
Jan 14 20:25:58 localhost Keepalived_vrrp[19423]: Netlink reflector reports IP 192.168.41.249 added
Jan 14 20:25:58 localhost Keepalived_healthcheckers[19422]: Netlink reflector reports IP 192.168.41.249 added
Jan 14 20:26:03 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.41.249
###主keepalived重新启动后
Jan 14 20:27:42 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Received higher prio advert
Jan 14 20:27:42 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) Entering BACKUP STATE
Jan 14 20:27:42 localhost Keepalived_vrrp[19423]: VRRP_Instance(VI_1) removing protocol VIPs.

        并且通过tcpdump vrrp能够看到两者之间的通讯

1
2
3
4
5
6
7
8
9
10
[root@localhost ~]# tcpdump vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:38:58.657600 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:38:59.658287 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:39:00.659280 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:39:01.660358 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:39:02.661203 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:39:03.662205 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
20:39:04.663129 IP 192.168.41.33 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20

三、脚本实现监控httpd服务

        目前keepalived能够实现当我们的主web宕机或者网络出现故障时进行切换,但如果仅是httpd进程出现故障,所以我们就需要写一点实时监控httpd进程状态的脚本,即如果进程出现问题我们就进行切换。

        脚本内容:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#!/bin/bash
while true
do
httpdpid=`ps -C httpd --no-heading |wc -l`
if [ $httpdpid -eq 0 ];then
/etc/init.d/httpd start
sleep 5
httpdpid=`ps -C httpd --no-heading |wc -l`
if [ $httpdpid -eq 0 ];then
/etc/init.d/keepalive stop
fi
fi
sleep 5
done

        即当我们的httpd进程被停止了,并且无法重启我们会将keepalived进行停止,让备web服务器进行接管,成为主WEB服务器提供服务。

        到此我们已经能够轻松的部署keepalived让它作为web服务器的HA.