A LAN client can determine which router is the next-hop gateway for a destination host in one of two ways: dynamic discovery or static configuration. Common dynamic route discovery methods are:

Proxy ARP: the client sends an ARP request for the destination it wants to reach, and a router answers the request with its own MAC address.

Routing protocol: the client listens for dynamic routing updates (e.g. RIP or OSPF) and builds its routing table from them.

ICMP Router Discovery Protocol (IRDP): the client host runs an IRDP client program.

The disadvantage of dynamic route discovery is that it adds configuration and processing overhead on the client, and switching to another router is slow when the current router fails. One solution is to statically configure the default gateway on the client, which greatly simplifies things for the client but introduces a single point of failure: when the default gateway fails, the LAN client can only communicate locally.

VRRP solves the static configuration problem by sharing a virtual IP address (VIP) among a group of routers (a VRRP group). The client then only needs to use the VIP as its default gateway.

Figure 1 shows a basic LAN topology in which routers A, B and C form a VRRP group whose VIP is 10.0.0.1. The VIP is configured as the address of the physical interface of router A, so router A is the master router and routers B and C are the backup routers. In the VRRP group, the master (router A) forwards packets destined for the VIP. Clients 1, 2 and 3 use the VIP as their default gateway. If the master fails, whichever of the backup routers B and C has the higher priority becomes the master and takes over the VIP. When the original master, router A, comes back online, it becomes the master again.

VRRP is an "election" protocol that dynamically assigns responsibility for a virtual router to another router in the same VRRP group, eliminating the single point of failure of a statically configured default gateway.

VRRP terms:

VRRP virtual routers (VRRP routers):

Advantages of VRRP:

Redundancy: multiple routers can serve as the default gateway of LAN clients, greatly reducing the chance that the default gateway becomes a single point of failure.

Load sharing: traffic from LAN clients can be shared among multiple routers.

Multiple VRRP groups: up to 255 VRRP groups can be configured on one physical interface of a router.

Multiple IP addresses: multiple IP addresses can be configured on a physical interface through interface aliases, allowing the same physical interface to serve multiple subnets.

Preemption: allows a backup with a higher priority to become the master if the master fails.

Advertisement protocol: VRRP advertisements use the multicast address 224.0.0.18 assigned by IANA.

VRRP tracking: the VRRP priority is adjusted according to interface status, so that the best VRRP router is chosen as the master.

IP address owner: if a VRRP router uses the virtual router's IP address as the real address of its interface, that router is called the IP address owner. When the IP address owner is available, it normally becomes the master.

Keepalived mainly provides load balancing and high availability. For load balancing it relies on the Linux IP Virtual Server kernel module (IPVS); for high availability it implements failover between multiple machines through the VRRP protocol.

Keepalived is roughly divided into two layers:

1. User space. WatchDog: monitors the checker and VRRP processes; if one of them exits unexpectedly, the service restarts it automatically. VRRP Stack: handles failover between load balancers. Checkers: health checking of real servers, which is Keepalived's main feature; in other words, you can run without the VRRP stack, but health checking is a must. IPVS wrapper: passes the user's rules to the kernel IPVS code. Netlink Reflector: used to set the VRRP VIP addresses.

2. Kernel space: IPVS (IP Virtual Server, for load balancing of network services) and Netlink (for advanced routing and related network functions).

All Keepalived functions are configured through the keepalived.conf file.

Simply put, Keepalived provides high availability: when a server fails, service is quickly switched to another server, i.e. the standby node is promoted to the primary node.

For example, the two most important elements of a web server that serves external users (the two points of contention) are:

1. IP: because clients mainly rely on the IP address to reach web services, if the primary node fails we can move the IP to the standby node, which then serves as the entry point for the service. The externally visible service IP is not affected; only the device using the IP changes, which customers do not notice.

2. Storage: without concurrent access control, two servers are likely to write to the file system at the same time. A file system is mounted on a server and data is modified by loading it into memory; if two servers operate on the same backing storage at the same time, the file system is unaware of it, which causes data inconsistencies (solutions include distributed file systems, block-level shared storage, NFS, SAN, Samba, etc.).

But Keepalived basically does not deal with storage.

Prerequisites for high availability:

1. Configure an NTP server to ensure time synchronization between the active and standby servers.
2. Ensure that iptables and SELinux do not interfere with the experiment.
3. (Optional) Nodes can reach each other by host name. The node name must be the same as the host name resolved through the hosts file; uname -n prints the host name, which must match the resolved name.
4. (Optional) Trust between nodes through key-based SSH authentication.

Keepalived main configuration file: /etc/keepalived/keepalived.conf. Unit file: /usr/lib/systemd/system/keepalived.service.

Keepalived high availability examples

1. LVS load balancing with high availability can be configured directly in the configuration file:

    ! Configuration File for keepalived

    global_defs {
        notification_email {
            [email protected]
        }
        notification_email_from [email protected]
        smtp_connect_timeout 3
        smtp_server 127.0.0.1
        router_id LVS_DEVEL
    }

    vrrp_script chk_schedown {
        script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0"  # if the down file exists, exit 1 (check fails)
        interval 2          # check every 2 seconds
        weight -2           # on failure, lower the priority by 2
    }

    vrrp_instance VI_1 {
        interface eth0
        state MASTER
        priority 101
        virtual_router_id 51
        garp_master_delay 1

        authentication {
            auth_type PASS
            auth_pass password
        }
        track_interface {
            eth0
        }
        virtual_ipaddress {
            172.16.100.1/16 dev eth0 label eth0:0
        }
        track_script {
            chk_schedown
        }
    }

    virtual_server 172.16.100.1 80 {       # define the virtual server
        delay_loop 6                       # health check interval, in seconds
        lb_algo rr                         # scheduling algorithm; usually wrr, rr or wlc
        lb_kind DR                         # forwarding method; usually DR or NAT (the three types are DR, NAT and TUN)
        persistence_timeout 50             # session persistence time: requests from the same user go to the same server, so a user who
                                           # has just submitted an account and password is not bounced to another server
        protocol TCP                       # protocol

        sorry_server 192.168.200.200 1358  # standby server; the sorry server takes effect when all real servers fail
        real_server 172.16.100.11 80 {     # define a real server
            weight 1
            HTTP_GET {                     # check whether the real server is alive by fetching a URL path
                url {
                    path /
                    status_code 200
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
        real_server 172.16.100.12 80 {
            weight 1
            HTTP_GET {
                url {
                    path /
                    status_code 200
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
    }

To check the health of each real server with TCP_CHECK instead, the real_server definitions above can be replaced with the following:

    virtual_server 172.16.100.1 80 {
        delay_loop 6
        lb_algo rr
        lb_kind DR
        persistence_timeout 300
        protocol TCP

        sorry_server 127.0.0.1 80
        real_server 172.16.100.11 80 {
            weight 1
            TCP_CHECK {
                connect_port 80      # port to connect to (TCP_CHECK uses connect_port, not tcp_port)
                connect_timeout 3
            }
        }
        real_server 172.16.100.12 80 {
            weight 1
            TCP_CHECK {
                connect_port 80
                connect_timeout 3
            }
        }
    }

2. High availability of Nginx

Note: here Nginx takes the place of LVS as the load balancer, in the Nginx dual-master model.

1. Master 1 Nginx configuration

    events {
        worker_connections 1024;
    }

    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        include /etc/nginx/conf.d/*.conf;

        upstream webserver {
            server 192.168.117.129;
            server 192.168.117.133;
        }

        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
            server_name  _;
            root         /usr/share/nginx/html;

            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;

            location / {
                proxy_pass http://webserver;
            }

            error_page 404 /404.html;
            location = /40x.html {
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
            }
        }
    }

Master 1 Keepalived configuration

    [root@node1 ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived

    global_defs {
        notification_email {
            root@localhost
        }
        notification_email_from ka@root
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
    }

    vrrp_script chk_nginx {
        script "killall -0 nginx &> /dev/null"
        interval 1
        weight -2
    }

    vrrp_instance VI_1 {
        state MASTER
        interface eno16777736
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass e7fa32a1
        }
        virtual_ipaddress {
            192.168.117.150/24 dev eno16777736 label eno16777736:0
        }
        track_script {
            chk_nginx
        }

        notify_master "/etc/keepalived/notify.sh master"
        notify_backup "/etc/keepalived/notify.sh backup"
        notify_fault "/etc/keepalived/notify.sh fault"
    }

    vrrp_instance VI_2 {
        state BACKUP
        interface eno16777736
        virtual_router_id 151
        priority 99
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass e7fa32a2
        }
        virtual_ipaddress {
            192.168.117.155/24 dev eno16777736 label eno16777736:1
        }
        track_script {
            chk_nginx
        }

        notify_master "/etc/keepalived/notify.sh master"
        notify_backup "/etc/keepalived/notify.sh backup"
        notify_fault "/etc/keepalived/notify.sh fault"
    }

2. Master 2 Keepalived configuration

    [root@yunjisuandaniouck ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived

    global_defs {
        notification_email {
            root@localhost
        }
        notification_email_from ka@root
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
    }

    vrrp_script chk_nginx {
        script "killall -0 nginx &> /dev/null"
        interval 1
        weight -2
    }

    vrrp_instance VI_1 {
        state BACKUP
        interface ens33
        virtual_router_id 51
        priority 99
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass e7fa32a1
        }
        virtual_ipaddress {
            192.168.117.150/24 dev ens33 label ens33:0
        }
        track_script {
            chk_nginx
        }

        notify_master "/etc/keepalived/notify.sh master"
        notify_backup "/etc/keepalived/notify.sh backup"
        notify_fault "/etc/keepalived/notify.sh fault"
    }

    vrrp_instance VI_2 {
        state MASTER
        interface ens33
        virtual_router_id 151
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass e7fa32a2
        }
        virtual_ipaddress {
            192.168.117.155/24 dev ens33 label ens33:1
        }
        track_script {
            chk_nginx
        }

        notify_master "/etc/keepalived/notify.sh master"
        notify_backup "/etc/keepalived/notify.sh backup"
        notify_fault "/etc/keepalived/notify.sh fault"
    }

Master 2 Nginx configuration

    [root@yunjisuandaniouck ~]# cat /etc/nginx/nginx.conf

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    include /usr/share/nginx/modules/*.conf;

    events {
        worker_connections 1024;
    }

    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;

        upstream webserver {
            server 192.168.117.129;
            server 192.168.117.133;
        }

        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
            server_name  _;
            root         /usr/share/nginx/html;

            # Load configuration files for the default server block.
            include /etc/nginx/default.d/*.conf;

            location / {
                proxy_pass http://webserver;
            }

            error_page 404 /404.html;
            location = /40x.html {
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
            }
        }
    }

Both Nginx load balancers work at the same time: nginx1 at 192.168.117.150 and nginx2 at 192.168.117.155. Whichever address is accessed, the request is forwarded to a real server according to the configured scheduling algorithm. If one host goes down, the IP that provides its service moves to the other server of the same high availability pair, so the failed server's IP address still reaches the service, because both hosts have the same Nginx configuration.
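To make the failover behaviour of the dual-master setup above concrete, here is an added example (my own code, not Keepalived's) that models the VRRP election rules used on this page: configured priority adjusted by the weight of a failing tracked script, highest priority wins, and the winner is recomputed on every change so a returning higher-priority node preempts. Node names and node IPs are constructed; the priorities, weight and VRIDs are the ones from the configuration.

```python
# Added example, not Keepalived's code: a model of the VRRP election rules this page
# describes (priority, tracked-script weights, preemption). Node IPs are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class TrackScript:
    name: str
    weight: int          # negative: subtracted while the script fails (chk_nginx: -2)
    ok: bool = True      # last result of the script (True = exit status 0)

@dataclass
class Router:
    name: str
    ip: str              # interface address, the VRRP tie-breaker (constructed values)
    priority: int        # configured priority; 255 marks the IP address owner
    scripts: list = field(default_factory=list)

    def effective_priority(self) -> int:
        if self.priority == 255:            # the IP address owner always advertises 255
            return 255
        prio = self.priority
        for s in self.scripts:
            if s.weight < 0 and not s.ok:   # failing script with negative weight lowers it
                prio += s.weight
            elif s.weight > 0 and s.ok:     # passing script with positive weight raises it
                prio += s.weight
        return max(1, min(254, prio))       # non-owner priorities stay within 1..254

def elect_master(routers, alive):
    """Highest effective priority among live routers wins; ties go to the highest IP.
    Recomputing on every change is what lets a returning higher-priority router preempt."""
    live = [r for r in routers if r.name in alive]
    if not live:
        return None
    return max(live, key=lambda r: (r.effective_priority(), ip_address(r.ip))).name

def dual_master_scenario():
    """The page's two-node setup: VI_1 (VRID 51, VIP .150) is master on node1,
    VI_2 (VRID 151, VIP .155) is master on node2, and both instances track chk_nginx."""
    chk1, chk2 = TrackScript("chk_nginx", -2), TrackScript("chk_nginx", -2)
    n1, n2 = ("node1", "192.168.117.101"), ("node2", "192.168.117.102")  # constructed
    vi1 = [Router(*n1, 100, [chk1]), Router(*n2, 99, [chk2])]
    vi2 = [Router(*n1, 99, [chk1]), Router(*n2, 100, [chk2])]
    alive, steps = {"node1", "node2"}, {}
    steps["normal"] = (elect_master(vi1, alive), elect_master(vi2, alive))
    chk1.ok = False   # nginx dies on node1: VI_1 there drops to 98 < 99, node2 takes .150
    steps["nginx_down_on_node1"] = (elect_master(vi1, alive), elect_master(vi2, alive))
    chk1.ok = True    # nginx is back: node1 (100) preempts node2 (99) on VI_1
    steps["nginx_restored"] = (elect_master(vi1, alive), elect_master(vi2, alive))
    alive.discard("node2")  # node2 stops advertising entirely: node1 holds both VIPs
    steps["node2_down"] = (elect_master(vi1, alive), elect_master(vi2, alive))
    return steps
```

The model shows why weight -2 is enough here: the two nodes differ by exactly one in priority, so a single failed check moves the VIP, and nothing moves unless the check actually fails.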

Summary: 1. Logs can be customized. 2. Each vrrp_instance needs a dedicated multicast address. 3. In 4.7, status can be used to view keepalived status information.

Keepalived dual-master model in one file

    ~]# cat /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived

    global_defs {
        notification_email {
            root@localhost               # recipient of notification mail
        }
        notification_email_from ka@root  # sender of notification mail
        smtp_server 127.0.0.1
    }

    vrrp_script chk_nginx {                      # define a tracking script
        script "killall -0 nginx &> /dev/null"   # killall -0 only checks whether the process is running
        interval 1                               # check once per second
        weight -2                                # when the check fails, lower the priority by 2
    }

    vrrp_instance VI_1 {                 # VRRP instance 1
        state MASTER
        interface eno16777736
        virtual_router_id 51             # virtual router ID
        priority 100
        advert_int 1                     # interval between VRRP heartbeat packets; default 1 second
        authentication {                 # authentication mode, so that other ARP broadcasts do not interfere with the heartbeat;
                                         # only heartbeats that pass authentication are accepted
            auth_type PASS               # simple password authentication
            auth_pass e7fa32a1           # the password can be generated with openssl, to avoid clashing with other passwords
        }
        virtual_ipaddress {
            192.168.117.150/24 dev eno16777736 label eno16777736:0
        }
        track_script {                   # reference the script defined above
            chk_nginx
        }

        # These three lines name the script to run on a state change; the argument tells the script which state was entered.
        notify_master "/etc/keepalived/notify.sh master"
        notify_backup "/etc/keepalived/notify.sh backup"
        notify_fault "/etc/keepalived/notify.sh fault"
    }

    vrrp_instance VI_2 {                 # VRRP instance 2
        state BACKUP
        interface eno16777736
        virtual_router_id 151
        priority 99
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass e7fa32a2
        }
        virtual_ipaddress {
            192.168.117.155/24 dev eno16777736 label eno16777736:1
        }
        track_script {
            chk_nginx
        }

        notify_master "/etc/keepalived/notify.sh master"   # when this instance becomes master, run the script as the specified user and group
        notify_backup "/etc/keepalived/notify.sh backup"   # when this instance becomes backup, run the script as the specified user and group
        notify_fault "/etc/keepalived/notify.sh fault"     # when the sync group enters the fault state, run the script as the specified user and group
    }

    virtual_server 192.168.200.100 443 {
        delay_loop 6
        lb_algo rr
        lb_kind NAT
        persistence_timeout 50
        protocol TCP

        real_server 192.168.201.100 443 {
            weight 1
            SSL_GET {
                url {
                    path /
                    digest ff20ad2481f97b1754ef3e12ecd3a9cc   # digest-based check: very nice, but if the site's code changes the digest changes too
                }
                url {
                    path /mrtg/
                    digest 9b3a0c85a887a256d6939da88aabd8cd
                }
                connect_timeout 3
                nb_get_retry 3           # number of retry attempts
                delay_before_retry 3     # delay before each retry
            }
        }
    }

    virtual_server 10.10.10.2 1358 {
        delay_loop 6
        lb_algo rr
        lb_kind NAT
        persistence_timeout 50
        protocol TCP

        sorry_server 192.168.200.200 1358

        real_server 192.168.200.2 1358 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl3/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }

        real_server 192.168.200.3 1358 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334c
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334c
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
    }

    virtual_server 10.10.10.3 1358 {
        delay_loop 3
        lb_algo rr
        lb_kind NAT
        persistence_timeout 50
        protocol TCP

        real_server 192.168.200.4 1358 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl3/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }

        real_server 192.168.200.5 1358 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl3/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
    }