# Docker Containerized High-Availability Architecture Deployment Plan (Part 7)

## 06 - Keepalived Configuration in Detail

This document describes the Keepalived configuration in detail. Keepalived implements VIP (virtual IP) failover so that the service stays available when a node fails.

### How VRRP works

VRRP (Virtual Router Redundancy Protocol) is a fault-tolerance protocol. Through an election mechanism it groups several routing devices into one virtual router that owns a single VIP.

```
┌───────────────────────────────────────┐
│   Virtual router (VIP: 172.20.1.100)  │
└───────────────────────────────────────┘
        ▲               ▲               ▲
        │               │               │
 ┌──────┴──────┐ ┌──────┴──────┐ ┌──────┴──────┐
 │   MASTER    │ │   BACKUP1   │ │   BACKUP2   │
 │ Priority 100│ │ Priority 90 │ │ Priority 80 │
 │ 172.20.1.11 │ │ 172.20.1.12 │ │ 172.20.1.13 │
 └─────────────┘ └─────────────┘ └─────────────┘
```

Election rules:

- The node with the highest priority becomes MASTER.
- When priorities are equal, the node with the higher interface IP address wins.
- When the MASTER fails, a BACKUP takes over the VIP automatically.

### The three Keepalived configurations

#### 1. keepalived_master.conf (Node1)

```bash
cat > /opt/cluster-deploy/config/keepalived/keepalived_master.conf << 'EOF'
global_defs {
    router_id LVS_MASTER
    script_user root
    enable_script_security
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    interval 3
    weight -20
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 100
    priority 100
    advert_int 1
    nopreempt
    unicast_peer {
        172.20.1.12
        172.20.1.13
    }
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.20.1.100/24 dev eth0
    }
    track_script {
        check_nginx
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault  "/etc/keepalived/notify.sh fault"
}
EOF
```

#### 2. keepalived_backup.conf (Node2)

```bash
cat > /opt/cluster-deploy/config/keepalived/keepalived_backup.conf << 'EOF'
global_defs {
    router_id LVS_BACKUP1
    script_user root
    enable_script_security
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    interval 3
    weight -20
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 100
    priority 90
    advert_int 1
    nopreempt
    unicast_peer {
        172.20.1.11
        172.20.1.13
    }
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.20.1.100/24 dev eth0
    }
    track_script {
        check_nginx
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault  "/etc/keepalived/notify.sh fault"
}
EOF
```

#### 3. keepalived_backup2.conf (Node3)

```bash
cat > /opt/cluster-deploy/config/keepalived/keepalived_backup2.conf << 'EOF'
global_defs {
    router_id LVS_BACKUP2
    script_user root
    enable_script_security
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    interval 3
    weight -20
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 100
    priority 80
    advert_int 1
    nopreempt
    unicast_peer {
        172.20.1.11
        172.20.1.12
    }
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.20.1.100/24 dev eth0
    }
    track_script {
        check_nginx
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault  "/etc/keepalived/notify.sh fault"
}
EOF
```

### Configuration items explained

#### global_defs

```
global_defs {
    router_id LVS_MASTER        # router ID, a unique identifier for this node
    script_user root            # user that runs the check and notify scripts
    enable_script_security      # enable script security checks
}
```

#### vrrp_script

```
vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"   # path of the check script
    interval 3                               # check interval in seconds
    weight -20                               # priority change applied when the check fails
    fall 2                                   # 2 consecutive failures mark the check as failed
    rise 1                                   # 1 success marks it as recovered
}
```

Notes on the weight parameter:

- -20: when the Nginx check fails, the priority is reduced by 20.
- Formula: new priority = original priority + weight.
- Node1: 100 - 20 = 80, which is still no lower than Backup2 (80), so the VIP may not move.
- Adjust the weight value to the actual scenario.

#### vrrp_instance

```
vrrp_instance VI_1 {
    state MASTER                 # initial state: MASTER or BACKUP
    interface eth0               # physical NIC to bind to (important)
    virtual_router_id 100        # virtual router ID; must be the same within a group
    priority 100                 # priority; the MASTER has the highest
    advert_int 1                 # heartbeat (advertisement) interval in seconds
    nopreempt                    # non-preemptive mode
    unicast_peer {               # unicast peers
        172.20.1.12
        172.20.1.13
    }
    authentication {             # authentication settings
        auth_type PASS           # authentication type: PASS or AH
        auth_pass 1111           # authentication password
    }
    virtual_ipaddress {          # virtual IP address
        172.20.1.100/24 dev eth0
    }
    track_script {               # scripts to track
        check_nginx
    }
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault  "/etc/keepalived/notify.sh fault"
}
```

Key parameters:

| Parameter | Meaning | Notes |
|---|---|---|
| interface | NIC to bind to | Must be the physical NIC; a macvlan interface does not work |
| virtual_router_id | Virtual router ID | 0-255; must be unique within the same network segment |
| priority | Priority | MASTER > BACKUP; the gap between nodes should be larger than the weight |
| unicast_peer | Unicast neighbours | List the IPs of all peer nodes |
| nopreempt | Non-preemptive mode | A recovered node does not take the VIP back |

### Health check script

#### check_nginx.sh

```bash
cat > /opt/cluster-deploy/config/keepalived/check_nginx.sh << 'EOF'
#!/bin/bash
# Count running nginx processes; exit 1 (check failed) when there are none
A=$(ps -C nginx --no-headers | wc -l)
if [ "$A" -eq 0 ]; then
    exit 1
fi
EOF
chmod +x /opt/cluster-deploy/config/keepalived/check_nginx.sh
```

#### notify.sh

```bash
cat > /opt/cluster-deploy/config/keepalived/notify.sh << 'EOF'
#!/bin/bash
# Record every VRRP state change (master/backup/fault) with a timestamp
LOGFILE=/var/log/keepalived-notify.log
echo "[$(date '+%Y-%m-%d %H:%M:%S')] State changed to: $1" >> "$LOGFILE"
EOF
chmod +x /opt/cluster-deploy/config/keepalived/notify.sh
```

### Docker Compose configuration

```yaml
keepalived:
  image: ednxzu/keepalived:2.3.4
  container_name: keepalived
  network_mode: "service:nginx-lb"
  privileged: true
  entrypoint: ["/usr/sbin/keepalived", "-f", "/etc/keepalived/keepalived.conf", "--dont-fork", "--log-console"]
  volumes:
    - ./config/keepalived/keepalived_master.conf:/etc/keepalived/keepalived.conf:ro
    - ./config/keepalived/check_nginx.sh:/etc/keepalived/check_nginx.sh:ro
    - ./config/keepalived/notify.sh:/etc/keepalived/notify.sh:ro
  restart: unless-stopped
```

#### Why the custom entrypoint

Important troubleshooting lesson: the osixia/keepalived image overwrites the configuration file. That image generates keepalived.conf from environment variables, so a configuration file mounted directly into the container is ignored.

Solution: use a custom entrypoint to bypass the template system:

```yaml
entrypoint: ["/usr/sbin/keepalived", "-f", "/etc/keepalived/keepalived.conf", "--dont-fork", "--log-console"]
```

- `/usr/sbin/keepalived`: path of the Keepalived binary
- `-f /etc/keepalived/keepalived.conf`: configuration file to use
- `--dont-fork`: run in the foreground (required in a container)
- `--log-console`: write logs to the console

### Service IP allocation

| Node | nginx-lb / keepalived | Role | priority |
|---|---|---|---|
| Node1 | 172.20.1.11 | MASTER | 100 |
| Node2 | 172.20.1.12 | BACKUP | 90 |
| Node3 | 172.20.1.13 | BACKUP | 80 |

### VIP failover rules

1. Normal state: the VIP is on Node1 (MASTER).
2. Nginx on Node1 fails: its priority drops to 80 and Node2 takes over the VIP (priority 90 is now the highest).
3. Node1 recovers: because of nopreempt it does not preempt, and the VIP stays on Node2.

### FAQ

**Q1: The VIP cannot be bound**

- Check that `interface` is correct: it must be the physical NIC (ens33).
- Check that the NIC is UP.
- Check the Keepalived log: `docker logs keepalived`.

**Q2: Multicast vs. unicast**

- Multicast is the default and may be blocked by the switch.
- Use `unicast_peer` to switch to unicast.

**Q3: Preemption**

- Use `nopreempt` for non-preemptive mode.
- Note: in non-preemptive mode a recovered BACKUP does not take the VIP back.

**Q4: The Keepalived container is in an abnormal state**

- Check the hostname setting: with `network_mode: service:xxx` the container must not set its own hostname.
- Use `network_mode: service:nginx-lb` to share the network with nginx-lb.

### Verification commands

```bash
# Check whether the VIP is bound
docker exec keepalived ip addr show ens33

# Keepalived log
docker logs keepalived

# VRRP state
docker exec keepalived cat /var/log/syslog | grep -i vrrp

# Test VIP reachability
ping -c 3 172.20.1.100
```

### Next

- 07-PHP服务配置详解.md - PHP service configuration
- 08-Redis配置详解.md - Redis cluster configuration
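The election rules, the weight formula, the key-parameter table and the VIP failover rules above all depend on values that are copied by hand into three separate files, which is where drift creeps in. The script below is an added example and is not part of the original document or the deployment project: it renders the three node configs from one template constructed from the page's own values, parses keepalived's brace syntax with a small parser, applies the consistency rules the page lists (identical virtual_router_id, unique priorities, unicast_peer naming every other node, a priority gap larger than the weight) and runs the election for the scenarios in the failover rules. The names `TEMPLATE`, `NODES`, `render_confs`, `parse_conf`, `parsed_confs`, `check_cluster`, `effective_priority` and `elect_master` are this example's own. One finding is not from this page: the keepalived.conf manual states that nopreempt only takes effect when the instance's initial state is BACKUP, so the validator flags it on the node configured with state MASTER. The election deliberately models priority and the IP tie-break only; whether a node holding nopreempt actually takes the VIP depends on keepalived's state machine and on whether the old master is still advertising, which a priority comparison alone cannot capture.

```python
"""Render the three keepalived.conf files from this page, parse them, check the
consistency rules the page states, and run the VRRP election for the scenarios
in the VIP failover rules. Added example, not the deployment project's code."""
from string import Template

# Constructed from the page's configs: the three files differ only in state,
# priority and unicast_peer, so one template renders all of them.
TEMPLATE = Template("""\
vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    weight -20
}
vrrp_instance VI_1 {
    state $state
    virtual_router_id 100
    priority $priority
    nopreempt
    unicast_peer {
$peers
    }
    virtual_ipaddress {
        172.20.1.100/24 dev eth0
    }
}
""")
# node IP -> (initial state, priority), as in the page's allocation table
NODES = {"172.20.1.11": ("MASTER", 100),
         "172.20.1.12": ("BACKUP", 90),
         "172.20.1.13": ("BACKUP", 80)}

def render_confs(nodes=NODES):
    """Return {ip: keepalived.conf text}; unicast_peer lists every other node."""
    return {ip: TEMPLATE.substitute(state=st, priority=prio,
                                    peers="\n".join(f"        {p}" for p in nodes if p != ip))
            for ip, (st, prio) in nodes.items()}

def parse_conf(text):
    """keepalived's line-oriented, brace-nested syntax -> nested dicts:
    'name {' opens a block, 'key value' stores a string, a bare word stores True."""
    stack = [{}]                                  # stack[0] is the root block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"') or True
    return stack[0]

def parsed_confs(nodes=NODES):
    """Parsed config of every node, keyed by node IP."""
    return {ip: parse_conf(text) for ip, text in render_confs(nodes).items()}

def instance(conf):
    return next(v for k, v in conf.items() if k.startswith("vrrp_instance "))

def script_weight(conf):
    """Combined weight of the vrrp_script blocks (one on this page, weight -20)."""
    return sum(int(v["weight"]) for k, v in conf.items() if k.startswith("vrrp_script "))

def check_cluster(confs):
    """Apply the page's consistency rules to all nodes; return a list of findings."""
    insts = {ip: instance(c) for ip, c in confs.items()}
    findings = []
    if len({i["virtual_router_id"] for i in insts.values()}) != 1:
        findings.append("virtual_router_id must be identical within the group")
    prios = sorted((int(i["priority"]) for i in insts.values()), reverse=True)
    if len(set(prios)) != len(prios):
        findings.append("priorities must be unique, otherwise the IP tie-break decides")
    for ip, inst in insts.items():
        others = set(confs) - {ip}
        if set(inst["unicast_peer"]) != others:
            findings.append(f"{ip}: unicast_peer must list all other nodes {sorted(others)}")
        if inst.get("nopreempt") and inst["state"] != "BACKUP":
            findings.append(f"{ip}: nopreempt only works with state BACKUP (keepalived manual)")
    gap = min(a - b for a, b in zip(prios, prios[1:]))
    weight = max(abs(script_weight(c)) for c in confs.values())
    if gap <= weight:   # page's rule: the gap between priorities should exceed the weight
        findings.append(f"priority gap {gap} does not exceed |weight| {weight}: "
                        "a failed check can tie or reorder nodes")
    return findings

def effective_priority(conf, check_ok=True):
    """Page formula: new priority = configured priority + weight after a failed check."""
    prio = int(instance(conf)["priority"])
    return prio if check_ok else prio + script_weight(conf)

def elect_master(confs, check_ok=None, down=()):
    """Page's election rules: highest effective priority wins, ties go to the numerically
    higher interface IP. `check_ok` maps IP -> check result; `down` lists dead nodes."""
    check_ok = check_ok or {}
    alive = [ip for ip in confs if ip not in down]
    return max(alive, key=lambda ip: (effective_priority(confs[ip], check_ok.get(ip, True)),
                                      tuple(int(o) for o in ip.split("."))))
```

Running `check_cluster(parsed_confs())` on the page's values reports two findings: the priority gap of 10 is smaller than the weight of 20 (the page's own caveat that Node1 drops to a tie with Node3), and nopreempt sits on an instance whose state is MASTER. `elect_master` reproduces failover rule 2 (Node1's check fails, Node2 wins with 90) and, with Node2 down as well, shows the IP tie-break handing the VIP to Node3 rather than Node1.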
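The check_nginx.sh above decides health by counting nginx processes with `ps`. In the Compose service shown on this page the keepalived container joins nginx-lb with `network_mode: service:nginx-lb`, which shares the network namespace but not the PID namespace, so a process listing inside the keepalived container only sees keepalived's own processes, while a connection to 127.0.0.1 does reach nginx. The following added example (not the project's code, and not a replacement the page itself provides) therefore probes nginx over HTTP from inside the shared network namespace. It assumes python3 is available in the keepalived container, that nginx-lb listens on port 80, and that `GET /` answers with a 2xx or 3xx status; the constants `NGINX_HOST`, `NGINX_PORT`, `HEALTH_PATH`, `TIMEOUT` and the functions `http_probe`, `is_healthy` and `run_check` are this example's own names.

```python
"""vrrp_script health check that probes nginx over HTTP instead of listing
processes. Added example, not the deployment project's code."""
import http.client
import sys

NGINX_HOST = "127.0.0.1"   # assumed: keepalived shares nginx-lb's network namespace
NGINX_PORT = 80            # assumed listening port of nginx-lb
HEALTH_PATH = "/"          # assumed: a path nginx answers with a 2xx/3xx status
TIMEOUT = 2.0              # kept below the page's vrrp_script interval of 3 seconds


def http_probe(host=NGINX_HOST, port=NGINX_PORT, path=HEALTH_PATH, timeout=TIMEOUT):
    """Return the HTTP status code nginx answers with, or None when the connection
    is refused, times out, or the reply is not HTTP (nothing listening, or a hung worker)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def is_healthy(status):
    """2xx and 3xx count as healthy; 4xx, 5xx and no answer all count as failure,
    so an nginx that is running but answering 502 also lowers the node's priority."""
    return status is not None and 200 <= status < 400


def run_check(probe=http_probe):
    """Exit status for keepalived: 0 keeps the priority, 1 applies the weight
    penalty once `fall` consecutive checks have failed."""
    status = probe()
    if is_healthy(status):
        return 0
    print(f"check_nginx: nginx on {NGINX_HOST}:{NGINX_PORT} answered {status}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(run_check())
```

Installed as `/etc/keepalived/check_nginx.py` (mounted read-only like the page's scripts) and referenced from the `vrrp_script` block with `script "/etc/keepalived/check_nginx.py"`, the probe fails over on a hung or erroring nginx, not only on a missing process.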