firewall keepalived

Keepalived 和 Firewalld

Posted by Sunday on 2019-07-11

准备

MASTER IP 192.168.1.7
BACKUP IP 192.168.1.8
VIP 192.168.1.200

1
2
3
4
5
yum install  keepalived 
systemctl stop firewalld
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf #开启允许绑定非本机的IP
sysctl -p

Keepalived

MASTER

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
global_defs {
   notification_email {
       root@localhost
   }
   notification_email_from ka@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id ka46
   vrrp_mcast_group4 224.0.0.111
   #vrrp_strict 
}
  
vrrp_instance Intranet_1 {
    state MASTER
    interface em1
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass starsing
    }
    virtual_ipaddress {
        192.168.1.200/24
    }

    #virtual_routes {
    #    default via 192.168.1.1
    #}

    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

BACKUP

注意以下几点
state 角色为 BACKUP
interface 为网卡的 ID,要根据机器确认
virtual_route_id 要与 MASTER 一致,默认为 51
priority 要比 MASTER 小

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
global_defs {
   notification_email {
       root@localhost
   }
   notification_email_from ka@localhost
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id ka46
   vrrp_mcast_group4 224.0.0.111
   #vrrp_strict 
}
  
vrrp_instance Intranet_1 {
    state BACKUP
    interface em1
    virtual_router_id 51
    priority 95
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass starsing
    }
    virtual_ipaddress {
        192.168.1.200/24
    }

    #virtual_routes {
    #    default via 192.168.1.1
    #}

    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

NOTIFY

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#!/bin/bash
contact="root@localhost"
contact_xwx="sunday@sundayle.com"
                
notify() {
    local mailsubject="$(hostname) to be $1, vip floating"
    local mailbody="$(date +'%F %T'): vrrp transition, $(hostname) changed to be $1"
    #echo "$mailbody" | mail -s "$mailsubject" $contact
    echo "$mailbody" | mail -s "$mailsubject" $contact_xwx
}
                
case $1 in
master)
    notify master   
    ;;
backup)
    notify backup   
    ;;
fault)
    notify fault    
    ;;
*)
    echo "Usage: $(basename $0) {master|backup|fault}"
    exit 1
    ;;
esac

MASTER和BACKUP 启动keepalived

1
2
systemctl start keepalived
systemctl enable keepalived

此时防火墙是关闭状态,MASTER获得VIP。BACKUP没有。

1
2
[root@master ]# ip addr | grep 192.168.1.200
    inet 192.168.1.200/24 scope global secondary em1

漂移规则:
默认 MASTER 会获得 VIP(192.168.1.200)。
当 MASTER 出问题时,VIP 会漂移到 BACKUP 服务器。
当 MASTER 重新启动后,VIP 又会漂移回 MASTER 服务器。

Firewalld

防火墙添加规则,默认不指定为224.0.0.18,这里修改了为224.0.0.111

1
2
systemctl stop keepalived
systemctl start firewalld

方式一:宽松

1
2
3
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
firewall-cmd --reload
firewall-cmd --list-all

方式二:严紧

1
2
3
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
firewall-cmd --reload

查看这两条规则

1
2
3
4
[root@master ~]# firewall-cmd --direct --get-rules ipv4 filter INPUT
0 --in-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT
[root@master ~]# firewall-cmd --direct --get-rules ipv4 filter OUTPUT
0 --out-interface em1 --destination 224.0.0.111 --protocol vrrp -j ACCEPT

1
systemctl start keepalived

此时Master获得VIP,BACKUP没有,则防火墙放行vrrp正常。
若Master和Backup均获取到VIP,则防火墙配置,注意网卡接口和vrrp组播地址。

服务测试

1
2
3
4
5
6
7
8
9
[root@master ~]# yum install tcpdump
[root@master ~]# tcpdump -i em1 vrrp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:17:56.949963 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:57.950994 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:58.952063 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:17:59.953131 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:18:00.954206 IP 192.168.1.7 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36

此时VIP在MASTER上。
如果MASTER停止keepalived,VIP会漂移到BACKUP上

1
systemctl stop keepalived

1
2
3
4
5
6
[root@master ~]# tcpdump -i em1 vrrp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:24.415708 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:25:25.416790 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36
16:25:26.417831 IP 192.168.1.8 > 224.0.0.111: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 36

此时VIP在BACKUP上。

配置日志

非必要

keepalived 默认将日志输出到系统日志/var/log/messages中,因为系统日志很多,查询问题时相对麻烦。
我们可以将 keepalived 的日志单独拿出来,这需要修改日志输出路径。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
vim /etc/sysconfig/keepalived

# Options for keepalived. See `keepalived --help' output and keepalived(8) and
# keepalived.conf(5) man pages for a list of all options. Here are the most
# common ones :
#
# --vrrp               -P    Only run with VRRP subsystem.
# --check              -C    Only run with Health-checker subsystem.
# --dont-release-vrrp  -V    Dont remove VRRP VIPs & VROUTEs on daemon stop.
# --dont-release-ipvs  -I    Dont remove IPVS topology on daemon stop.
# --dump-conf          -d    Dump the configuration data.
# --log-detail         -D    Detailed log messages.
# --log-facility       -S    0-7 Set local syslog facility (default=LOG_DAEMON)
#

#KEEPALIVED_OPTIONS="-D"
KEEPALIVED_OPTIONS="-D -d -S 0"

把 KEEPALIVED_OPTIONS=”-D” 修改为 KEEPALIVED_OPTIONS=”-D -d -S 0”,其中 -S 指定 syslog 的 facility

配置 rsyslog.conf

1
2
3
vim /etc/rsyslog.conf 

local0.*                                                /var/log/keepalived.log

1
2
systemctl restart rsyslog
systemctl restart keepalived

此时,可以从 /var/log/keepalived.log 查看日志了。

链接

CentOS 7 配置 Keepalived 实现双机热备

CATALOG
    FEATURED TAGS
    firewall keepalived
    FRIENDS