< 内容 >
- RHEL8.4 ( firewalld, ZONE=trusted )を 使っています。
- ipvsadm は, 利用しません。(ネットでは ipvsadm+keepaliveの説明が多い)
- keepalived を VRRPクラスタ&IP切替え機能として使います。
- 設定内容は, 出来るだけシンプルに
- 古い記事に,よくある,認証削除
authentication was removed from the VRRPv2 specification by RFC3768 in 2004.
Use of this option is non-compliant and can cause problems; avoid using if possible, except when using unicast, where it can be helpful.
- 設定ファイルは, INCLUDE方式で, 定義毎,ファイル分割にした。
- HAProxy 監視無し( keepalived 単独 )でも、動きます。
ホストダウン時の IP切替 として動きます。
vrrp_instance 内の track_process を削除してください。
- keepalived の systemd UNIT定義をカスタマイズし, secondary address を削除する処理を追加します。
(keepalived が, 異常終了した場合, secondary address が, 残ったままになる)
- HAProxy 監視が プロセス数依存の箇所は改善したい。
< 環境 >
Operating System: Red Hat Enterprise Linux 8.4 (Ootpa)
Kernel: Linux 4.18.0-305.el8.x86_64
Architecture: x86-64
keepalived-2.1.5-6.el8.x86_64
haproxy-1.8.27-2.el8.x86_64
< keepalive systemd UNIT定義 >
/usr/lib/systemd/system/keepalived.service を 複写し, ExecStopPost= を 追加します。
/etc/systemd/system/keepalived.service
[Unit]
Description=VRRP High Availability Monitor
# syslog.target is a legacy alias on current systemd; harmless but no longer needed.
After=network-online.target syslog.target
Wants=network-online.target
[Service]
Type=forking
# Below the legacy /var/run directory; current systemd may warn and prefers /run/keepalived.pid.
PIDFile=/var/run/keepalived.pid
# Only the main process is signalled on stop; keepalived's own children are left to it.
KillMode=process
EnvironmentFile=-/etc/sysconfig/keepalived
ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
# Runs after the service has stopped, including after an abnormal exit of the
# main process, and removes the secondary (VIP) addresses keepalived left behind.
# There is no User= here, so the script runs as root: it and every directory on
# its path must be root-owned and not writable by anyone else.
# The "/bin/bash -c" wrapper is unnecessary - the script has its own shebang and
# is executable, so the path can be given to ExecStopPost= directly.
ExecStopPost=/bin/bash -c "/opt/Tools/keepalived/sbin/keepalived_ExecStopPost.sh"
# Has no effect unless Restart= is set, which this unit does not do.
RestartSec=10
[Install]
WantedBy=multi-user.target
< keepalive定義 >
/etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
# String identifying the machine (doesn't have to be hostname).
# (default: local host name)
# router_id LVS_1
# Upper bound for the scheduling priority keepalived may give its own processes.
max_auto_priority 99
# Skip re-validating the address list of adverts coming from the already-known
# master (see keepalived.conf(5)).
vrrp_skip_check_adv_addr
# Enforce strict RFC compliance; among other things this rejects authentication
# blocks, consistent with the "no authentication" decision made on this page.
# See keepalived.conf(5) for the full list of restrictions it imposes.
vrrp_strict
# Spacing between gratuitous ARP packets / unsolicited neighbour advertisements
# sent when an instance changes state.
vrrp_garp_interval 0.001
vrrp_gna_interval 0.000001
}
# One file per definition; MASTER and BACKUP hosts differ only in their
# 200.vrrp_instance.conf (state and priority).
include /etc/keepalived/conf.d/*.conf
< process monitor >
/etc/keepalived/conf.d/100.monitor_haproxy.conf
# Named process tracker, referenced as "track_process { haproxy }" in the vrrp_instance.
vrrp_track_process haproxy {
# match processes whose name is "haproxy"
process haproxy
# fewer than 2 matching processes -> tracker is considered down
quorum 2
# weight 0: a down tracker puts the instance into FAULT instead of adjusting its
# priority. The required count depends on how many processes this haproxy build
# forks (daemon / master-worker mode) - the page itself lists this as a point to
# improve, so confirm the count against a running instance.
weight 0
}
< 仮想IP/MASTER側定義 >
/etc/keepalived/conf.d/200.vrrp_instance.conf
#
# Virtual IP (alias) 192.168.122.180/24 -- MASTER side
#
# virtual_router_id and virtual_ipaddress must be identical on the BACKUP host;
# only state and priority differ. No authentication is configured (it was
# removed from VRRPv2 by RFC 3768), so any host able to reach this segment's
# VRRP traffic can take part in the election: keep the segment trusted and have
# the host firewall accept IP protocol 112 (VRRP) only from the peer - the
# firewalld ZONE=trusted noted on this page accepts all traffic.
vrrp_instance VI_1 {
# initial state only; the running state is decided by priority and received adverts
state MASTER
interface enp1s0
# VRID 51: the same on both hosts, unique on this segment
virtual_router_id 51
# higher than the BACKUP's 50, so this host wins while both are healthy
priority 100
# advertisement interval in seconds
advert_int 1
# Added with a /24 prefix on an interface that already has an address in that
# subnet, so it shows up as a "secondary" address (see the sample line in
# keepalived_ExecStopPost.sh) - which is what that script removes after an
# abnormal exit.
virtual_ipaddress {
192.168.122.180/24
}
# goes FAULT when the "haproxy" tracker from 100.monitor_haproxy.conf is down
track_process {
haproxy
}
}
< 仮想IP/BACKUP側定義 >
/etc/keepalived/conf.d/200.vrrp_instance.conf
#
# Virtual IP (alias) 192.168.122.180/24 -- BACKUP side
#
# Mirror of the MASTER file: same VRID, interface, VIP and tracker, different
# state and a lower priority. The same "no authentication" caveat applies -
# restrict VRRP (IP protocol 112) on the host firewall to the peer.
vrrp_instance VI_1 {
# initial state only; the running state is decided by priority and received adverts
state BACKUP
interface enp1s0
# must match the MASTER's virtual_router_id
virtual_router_id 51
# lower than the MASTER's 100, so this host only takes over when the MASTER stops advertising
priority 50
# advertisement interval in seconds
advert_int 1
virtual_ipaddress {
192.168.122.180/24
}
# goes FAULT when the "haproxy" tracker from 100.monitor_haproxy.conf is down
track_process {
haproxy
}
}
< keepalived GLOBAL定義 >
/etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1 local2
# privilege reduction: chroot and drop to the haproxy user/group after start-up
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# Runtime API socket. No "level"/"mode" is set, so the default access level
# applies; whoever can open this socket can query (and, depending on level,
# change) server state - keep it unreadable by unprivileged users.
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
# (no TLS bind is configured below, so these only matter if one is added)
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM
#---------------------------------------------------------------------
# Defaults inherited by every frontend/backend below unless overridden.
defaults
mode http
log global
option dontlognull
option http-server-close
option redispatch
retries 3
# request-header timeout; bounds slow-header clients on the plain port-80 listener
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
# per-proxy limit, below the process-wide maxconn 4000 in "global"
maxconn 3000
#---------------------------------------------------------------------
# Plain HTTP listener: requests under /Cx/SF/ go to SFWeb1, everything else to
# the http_80 backend, which only serves the statistics page.
frontend http_80
default_backend http_80
mode http
option httplog
# add X-Forwarded-For for the backend, except for loopback clients
option forwardfor except 127.0.0.0/8
bind *:80
use_backend SFWeb1 if { path_beg /Cx/SF/ }
# same value as the default_backend line above; one of the two is redundant
default_backend http_80
#---------------------------------------------------------------------
# No "server" lines: this backend exists only to serve the statistics page.
backend http_80
mode http
stats enable
# A literal credential in the config file, sent as HTTP Basic auth over the
# unencrypted port-80 listener. Treat "adminpassword" as a placeholder to be
# replaced, and consider restricting the stats URI to administrative source
# addresses (or a separate bind) instead of exposing it on the service port.
stats auth admin:adminpassword
# do not disclose the HAProxy version on the stats page
stats hide-version
stats show-node
stats refresh 60s
# path exactly as written on the page ("statst"); confirm whether "/haproxy?stats" was intended
stats uri /haproxy?statst
# Application pool: two servers, round-robin, with cookie-based stickiness.
backend SFWeb1
mode http
balance roundrobin
# health check is an HTTP GET of the application path, not just a TCP connect
option httpchk GET /Cx/SF/
# insert a WEBSVR cookie carrying the chosen server's "cookie" value (1 or 2)
cookie WEBSVR insert
server SFWEB1 192.168.200.1:80 weight 1 maxconn 1500 cookie 1 check
server SFWEB2 192.168.200.2:80 weight 1 maxconn 1500 cookie 2 check
< keepalived 異常終了時の alias IP 削除処理 >
- keepalived が 異常終了すると, alias IP が, 残るので、その対策処理
/opt/Tools/keepalived/sbin/keepalived_ExecStopPost.sh
#!/bin/bash
#
# 1. If multiple NICs are to be specified as processing targets, please write as follows.
# ( Example: NIC="enp1s0 enp2s0" )
# 2. If you do not specify a NIC, all "secondary" addresses will be removed.
# ( Example: NIC= )
#
# Interface(s) whose secondary addresses are removed; empty means every
# interface on the host (see header). Deliberately a space-separated string:
# __f_secondary_addresses_remaining word-splits it with "for I in $NIC".
NIC=enp1s0
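# -----------------------------------------------------------------------
# Remove one secondary (alias) address.
#
# Arguments: $1 - address with prefix, e.g. 192.168.122.180/24
#            $2 - device label (optional; when empty "ip addr del" is run
#                 without a "dev" argument, as before)
# Outputs:   result is written to syslog via logger, tagged with the script name
# Returns:   1 if $1 is empty (nothing to do), otherwise the exit status of
#            "ip addr del"
#
# <SAMPLE / ip addr show>
#     inet 192.168.122.180/24 scope global secondary enp1s0
#
# -----------------------------------------------------------------------
function __f_l_remove_secondary_addr()
{
  local IPA="$1"
  local DEV="$2"
  local RC=0
  local TAG="${0##*/}"
  local -a CMD=()

  [[ -z "$IPA" ]] && return 1

  # Build argv as an array: an empty DEV adds neither "dev" nor an empty word,
  # and the address/device are passed as single arguments instead of being
  # word-split and glob-expanded as the unquoted ${IPA} ${DEV} were.
  CMD=(/usr/sbin/ip addr del "$IPA")
  [[ -n "$DEV" ]] && CMD+=(dev "$DEV")

  "${CMD[@]}"
  RC=$?
  if [[ $RC -eq 0 ]] ; then
    /usr/bin/logger -t "$TAG" "[ INFO ] Removed secondary address ${IPA}."
  else
    # Previously a failure left no trace in syslog; an address that stays
    # behind after keepalived died is exactly what this script exists to catch.
    /usr/bin/logger -t "$TAG" "[ WARN ] Failed to remove secondary address ${IPA} (rc=${RC})."
  fi
  return $RC
}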
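# -----------------------------------------------------------------------
# Read "ip addr show" lines describing secondary addresses from stdin and
# remove each one whose device label is listed in NIC (all of them when NIC
# is empty).
#
# Globals:   NIC (read) - space-separated device list; empty = every device
# Input:     stdin, one "inet ADDR ... secondary LABEL" line per address
# Returns:   0 if no removal was attempted, 1 if at least one was
#
# The status means "attempted", not "succeeded": the exit code of
# __f_l_remove_secondary_addr is logged by that function but not propagated
# here, which matches the original behaviour (MAIN exits 0 regardless).
# -----------------------------------------------------------------------
function __f_secondary_addresses_remaining()
{
  local RC=0
  local LINE=
  local IPA=
  local DEV=
  local I=
  local -a F=()

  # "|| [[ -n $LINE ]]" also processes a final line that lacks a newline.
  while IFS= read -r LINE || [[ -n "$LINE" ]]
  do
    read -r -a F <<< "$LINE"
    # Skip blank lines and anything that is not an "inet ..." address line
    # (MAIN only feeds such lines; this just makes the contract explicit).
    [[ ${#F[@]} -ge 2 && "${F[0]}" == "inet" ]] || continue
    IPA="${F[1]}"
    # The device label is the last token of the line ("... secondary enp1s0").
    # The original read it as the 6th whitespace field, which silently picks
    # up "global" instead of the label as soon as ip prints an extra token
    # such as "brd 192.168.122.255" before "scope".
    DEV="${F[${#F[@]}-1]}"

    if [[ -n "$NIC" ]] ; then
      # shellcheck disable=SC2086 -- NIC is a deliberately space-separated list
      for I in $NIC
      do
        if [[ "$I" == "$DEV" ]] ; then
          __f_l_remove_secondary_addr "$IPA" "$DEV"
          RC=1
        fi
      done
    else
      __f_l_remove_secondary_addr "$IPA" "$DEV"
      RC=1
    fi
  done
  return $RC
}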
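# -----------------------------------------------------------------------
# MAIN
# -----------------------------------------------------------------------
# Feed every "inet ... secondary ..." line of "ip addr show" to the remover.
# Process substitution replaces the here-doc + $( ) round trip. The former
# "2>/dev/null" applied only to the last grep and is dropped: stderr of a
# failing ip(8) belongs in the journal, since this runs from ExecStopPost=.
__f_secondary_addresses_remaining < <(
  /usr/sbin/ip addr show | /usr/bin/grep -e 'inet ' | /usr/bin/grep -e 'secondary '
)
# Always succeed: a non-zero status from an ExecStopPost= step would turn a
# clean keepalived stop into a failed unit.
exit 0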