keepalived

keepalived 使用純 C 語言寫成。軟件圍繞中心的 I/O 多路復用器設計提供實時的網(wǎng)絡。它的設計重點是在各個元素之間實現(xiàn)模塊化，為了保證穩(wěn)定性和健壯性，守護進程被分成三個獨立的進程。整體設計基于一個簡單的父進程，父進程負責 fork 并監(jiān)控子進程。兩個子進程，一個負責 VRRP 框架，另一個負責健康檢查。

成都創(chuàng)新互聯(lián)服務項目包括招遠網(wǎng)站建設、招遠網(wǎng)站制作、招遠網(wǎng)頁制作以及招遠網(wǎng)絡營銷策劃等。多年來，我們專注于互聯(lián)網(wǎng)行業(yè)，利用自身積累的技術(shù)優(yōu)勢、行業(yè)經(jīng)驗、深度合作伙伴關(guān)系等，向廣大中小型企業(yè)、政府機構(gòu)等提供互聯(lián)網(wǎng)行業(yè)的解決方案，招遠網(wǎng)站推廣取得了明顯的社會效益與經(jīng)濟效益。目前，我們服務的客戶以成都為中心已經(jīng)輻射到招遠省份的部分城市，未來相信會繼續(xù)擴大服務區(qū)域并繼續(xù)獲得客戶的支持與信任！

每個子進程有自己的 I/O 調(diào)度多路復用器，這樣可以優(yōu)化 VRRP 調(diào)度，因為 VRRP 調(diào)度比健康檢查更敏感。另一方面，這個分開的設計使得健康檢查機制對外部函數(shù)庫的使用最小化，最小化自身的動作并且讓主循環(huán)空閑來避免自身引起的故障。父進程的監(jiān)控框架叫做 watchdog，它的設計是：每個子進程打開一個 UNIX 套接字等待請求，當守護進程啟動后，父進程連接這些 UNIX 套接字并周期性（5s）地發(fā)送 hello 包到子進程。如果父進程無法發(fā)送 hello 包到遠程連接的 UNIX 套機字，它會簡單地重啟子進程。watchdog 的設計有兩個好處，首先 hello 包從父進程發(fā)送到遠程連接的子進程是通過 I/O 多路復用器調(diào)度，這樣它就能夠檢測子進程調(diào)度框架中的死循環(huán)。第二個好處是可以使用 sysV 信號檢測子進程是否死掉。當啟動服務的時候，進程列表：

Control Plane

Keepalived configuration is done throught the file keepalived.conf. A compiler design is used for parsing. Parser work with a keyword tree hierarchy for mapping each configuration keyword with specifics handler. A central multi-level recursive function read the configuration file and traverse the keyword tree. During parsing, configuration file is translated into an internal memory representation.

Scheduler - I/O Multiplexer

All the event are scheduled into the same process. Keepalived is a single process. Keepalived is a network routing software, it is so closed to I/O. The design used here is a central select(...) that is in charge of scheduling all internal task. POSIX thread libs are NOT used. This framework provide its own thread abstraction optimized for networking purpose.

Memory Management

This framework provides acces to some generic memory managements functions like allocation, reallocation, release,... This framework can be used in two mode : normal_mode & debug_mode. When using debug_mode it provide a strong way to eradicate and track memory leaks. This low level env provide buffer under-run protection by tracking allocation memory and released. All the buffer used are length fixed to prevent against eventual buffer-overflow.

Core component

This framework define some common and global libraries that are used in all the code. Those libraries are : html parsing, link-list, timer, vector, string formating, buffer dump, networking utils, daemon management, pid handling, low level TCP layer4. The goal here is to factorize code to the max to limite as possible code duplication to increase modularity.

WatchDog

This framework provide children processes monitoring (VRRP & Healthchecking). Each child accept connection to its own watchdog unix domain socket. Parent process send "hello" messages to this child unix domain socket. Hello messages are sent using I/O multiplexer on the parent side and accepted/processed using I/O multiplexer on children side. If parent detect broken pipe it test using sysV signal if child is still alive and restart it.

Checkers

This is one of the main Keepalived functionnality. Checkers are in charge of realserver healthchecking. A checker test if realserver is alive, this test end on a binary decision : remove or add realserver from/into the LVS topology. The internal checker design is realtime networking software, it use a fully multi-threaded FSM design (Finite State Machine). This checker stack provide LVS topology manipulation accoring to layer4 to layer5/7 test results. Its run in an independent process monitored by parent process.

VRRP Stack

The other most important Keepalived functionnality. VRRP (Virtual Router Redundancy Protocol :RFC2338) is focused on director takeover, it provide low-level design for router backup. It implements full IETF RFC2338 standard with some provisions and extensions for LVS and Firewall design. It implements the vrrp_sync_group extension that guarantee persistence routing path after protocol takeover. It implements IPSEC-AH using MD5-96bit crypto provision for securing protocol adverts exchange. For more informations on VRRP please read the RFC. Important things : VRRP code can be used without the LVS support, it has been designed for independant use.Its run in an independent process monitored by parent process.

System Call

This framework offer the ability to launch extra system script. It is mainly used in the MISC checker. In VRRP framework it provides the ability to launch extra script during protocol state transition. The system call is done into a forked process to not pertube the global scheduling timer.

SMTP

The SMTP protocol is used for administration notification. It implements the IETFRFC821using a multi-threaded FSM design. Administration notifications are sent for healthcheckers activities and VRRP protocol state transition. SMTP is commonly used and can be interfaced with any other notification sub-system such as GSM-SMS, pagers, ...

IPVS wrapper

This framework is used for sending rules to the Kernel IPVS code. It provides translation between Keepalived internal data representation and IPVS rule_user representation. It uses the IPVS libipvs to keep generic integration with IPVS code.

Netlink Reflector

Same as IPVS wrapper. Keepalived work with its own network interface representation. IP address and interface flags are set and monitored through kernel Netlink channel. The Netlink messaging sub-system is used for setting VRRP VIPs. On the other hand, the Netlink kernel messaging broadcast capability is used to reflect into our userspace Keepalived internal data representation any events related to interfaces. So any other userspace (others program) netlink manipulation is reflected to our Keepalived data representation via Netlink Kernel broadcast (RTMGRP_LINK & RTMGRP_IPV4_IFADDR).

IPVS

The Linux Kernel code provided by Wensong fromLinuxVirtualServer.orgOpenSource Project.

NETLINK

The Linux Kernel code provided by Alexey Kuznetov with its very nice advanced routing framework and sub-system capabilities.

keepalived.conf

全局配置

全局配置包括兩個子配置：全局定義（global definition）和靜態(tài)路由配置（static ipaddress/routers）

1.全局定義配置

global_defs { notification_email { admin@example.com } notification_email_from admin@example.com smtp_server 127.0.0.1 stmp_connect_timeout 30 router_id LVS_DEVEL }

global_defs：全局配置標識
notification_email：表示 keepalived 在發(fā)生諸如切換時需要發(fā)送 email 通知，以及 email 發(fā)送給哪些郵件地址，郵件地址可以是多個，每行一個
notification_email_from：表示發(fā)送通知郵件時，郵件的發(fā)送者
smtp_server：表示發(fā)送郵件時 smtp 服務器地址，這里可以使用本地的 sendmail 來實現(xiàn)
smtp_connect_timeout：連接 smtp 的超時時間
router_id：機器標識

2.靜態(tài)地址和路由配置

static_ipaddress { 192.168.1.1/24 brd + dev eth0 scope global 192.168.1.2/24 brd + dev eth1 scope global } static_routes { src $SRC_IP to $DST_IP dev $SRC_DEVICE src $SRC_IP to $DST_IP via $GW dev $SRC_DEVICE }

這里的配置實際上和系統(tǒng)里面命令配置 IP 地址和路由一樣，例如：192.168.1.1/24 brd + dev eth0 scope global 相當于 ip addr add192.168.1.1/24 brd + dev eth0 scope global。就是給 eth0 配置 IP 地址，路由同理。一般這個區(qū)域不需要配置
這里實際上就是給服務器配置真實的 IP 地址和路由，在復雜環(huán)境下可能需要配置，一般不會用這個來配置

VRRP 配置

VRRP 配置包括三類：VRRP 同步組（synchorization group）、VRRP 實例（VRRP Instance）、VRRP 腳本

1.VRRP 同步組配置

vrrp_sync_group VG_1 { group { http mysql } notify_master /path/to/to_master.sh notify_backup /path_to/to_backup.sh notify_fault "/path/fault.sh VG_1" notify /path/to/notify.sh smtp_alert }

group：VRRP 組。http 和 mysql 是實例名，和下面的實例名一致
notify_master：表示當切換到 Master 狀態(tài)時要執(zhí)行的腳本
notify_backup：表示當切換到 Backup 狀態(tài)時要執(zhí)行的腳本
notify_fault：錯誤時要執(zhí)行的腳本
smtp_alert：表示切換時給 global_defs 中定義的郵件地址發(fā)送郵件通知

2.VRRP 實例配置

vrrp_instance http { state MASTER interface eth0 dont_track_primary track_interface { eth0 eth1 } mcast_src_ip garp_master_delay 10 virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS autp_pass 1234 } virtual_ipaddress { #/ brd dev scope label 192.168.200.17/24 dev eth1 192.168.200.18/24 dev eth2 label eth2:1 } virtual_routes { # src [to] / via|gw dev scope tab src 192.168.100.1 to 192.168.109.0/24 via 192.168.200.254 dev eth1 192.168.110.0/24 via 192.168.200.254 dev eth1 192.168.111.0/24 dev eth2 192.168.112.0/24 via 192.168.100.254 } notify_master /path/to/to_master.sh notify_backup /path_to/to_backup.sh notify_fault "/path/fault.sh VG_1" nopreempt preemtp_delay 300 debug }

state：指定 Instance 的初始狀態(tài)，但是啟動之后還是要通過優(yōu)先級競選選定 Master
interface：實例綁定的網(wǎng)卡，因為在配置虛擬 IP 的時候必須是在已有的網(wǎng)卡上添加的
dont_track_primary：忽略 VRRP 的 interface 錯誤
track_interface：跟蹤接口，設置額外的監(jiān)控，里面任意一塊網(wǎng)卡出現(xiàn)問題，都會進入故障（FAULT）狀態(tài)，例如，用 nginx 做負載均衡的時候，內(nèi)外網(wǎng)必須工作正常，如果內(nèi)網(wǎng)出了問題，這個 LB 也無法運作，所以必須對內(nèi)外網(wǎng)同時做健康檢查
mcast_src_ip：發(fā)送多播數(shù)據(jù)包時的源 IP 地址，這里實際上就是在哪個地址上發(fā)送 VRRP 通告，這個非常重要，一定要選擇穩(wěn)定的網(wǎng)卡端口來發(fā)送，這里相當于 heartbeat 的心跳端口。如果沒有設置就使用默認的綁定的網(wǎng)卡的 IP，也就是 interface 指定的地址
garp_master_delay：在切換到 Master 狀態(tài)后，延遲進行 gratuitous ARP 請求
virtual_router_id：設置 VRID，相同的 VRID 為一組，它將決定多播的 MAC 地址
priority 100：設置本節(jié)點的優(yōu)先級
advert_int：檢查間隔，默認為 1 秒
virtual_ipaddress：LVS 的 VIP
virtual_routes：虛擬路由
lvs_sync_daemon_interface：LVS syncd 綁定的網(wǎng)卡
authentication：設置認證
auth_type：認證方式，可以是 PASS 或 AH 兩種方式
auth_pass：認證密碼
nopreempt：設置不搶占，這里只能設置在 state 為 BACKUP 的節(jié)點上，而且這個節(jié)點的優(yōu)先級必須比其他節(jié)點高
preempt_delay：搶占延遲
debug：debug 級別
notify_master：和synchorization group 里設置的含義一樣，可以單獨設置

3.VRRP 腳本

vrrp_script check_running { script "/usr/local/bin/check_running" # 執(zhí)行的腳本 interval 10 # 執(zhí)行腳本的時間間隔 weight 10 # 檢測失敗優(yōu)先級操作 10 表示優(yōu)先級 +10，-10 表示優(yōu)先級 -10 fall 2 # 檢測嘗試次數(shù)，也就是認定服務器 down 的檢測次數(shù) rise 1 # 認定服務器 up 的次數(shù) } vrrp_instance http { state BACKUP smtp_alert interface eth0 virtual_router_id 101 priority 90 advert_int 3 authentication { auth_type PASS auth_pass whatever } virtual_ipaddress { 1.1.1.1 } track_script { check_running weight 20 } }

首先在 vrrp_script 區(qū)域定義腳本名字、腳本執(zhí)行間隔和腳本執(zhí)行的優(yōu)先級變更，然后在實例里面引用。注意：VRRP 腳本和 VRRP 實例屬于同一級別

LVS配置

LVS 的配置是用于 keepalived + LVS 集成，如果沒有配置 LVS 就無需配置這段。這里 LVS 的配置并不是指真的 LVS 然后用 ipvsadm 來配置它，而是用 keepalived 的配置文件來配置 LVS

這里 LVS 的配置也有兩個：虛擬主機組配置和虛擬主機配置

1.虛擬主機組配置

這個配置是可選的，這里配置主要是為了讓一臺 realsever 上的某個服務可以屬于多個 Virtual Server，并且只做一次健康檢查

virtual_server_group { # VIP port fwmark }

2.虛擬主機配置

virtual server 可以用下面三種的任意一種來配置：

1. virtual server IP port 2. virtual server fwmark int 3. virtual server group string

virtual_server 172.16.100.1 80 { # 設置一個 virtual server：VIP:PORT delay_loop 6 # 服務輪詢的時間間隔 lb_algo rr|wrr|lc|wlc|lblc|sh|sh # LVS 調(diào)度算法 lb_kind NAT|DR|TUN # LVS 集群模式 nat_mask 255.255.255.0 persistent_timeout 50 # 會話保持時間（秒） persistent_granularity # LVS 會話保持粒度，ipvsadm 中的 -M 參數(shù)，默認是 0xffffffff，即每個客戶端都會話保持 protocol TCP # 協(xié)議 sorry_server # 備用機，就是當所有后端 realserver 節(jié)點都不可用時，就用這里的設置 real_server { # 后端真實節(jié)點主機的權(quán)重等設置 weight 1 inhibit_on_failure # 表示在節(jié)點失敗后，把它權(quán)重設置為 0 而不是從 IPVS 中刪除 notify_up | # 檢查服務器正常（up）后要執(zhí)行的腳本 notify_down | # 檢查服務器失敗（down）后要執(zhí)行的腳本 HTTP_GET|SSL_GET { # 健康檢查的方式 url { # 要檢測的 url，可以有多個 path # 測試頁面的 URI 路徑 digest # 摘要碼 status_code # 返回狀態(tài)碼 } connect_port # realserver 提供服務的端口 bindto # realserver 提供服務的地址 connect_timeout # 連接超時時間 nb_get_retry # 重試次數(shù) delay_before_retry # 重試間隔 } TCP_CHECK { connect_port bindto connect_timeout } SMTP_CHECK { host { connect_ip connect_port bindto } connect_timeout retry delay_before_retry helo_name | } MISC_CHECK { misc_path | # 外部程序或腳本 misc_timeout # 腳本或程序執(zhí)行超時時間 misc_dynamic # 通過執(zhí)行的程序或腳本返回的狀態(tài)碼動態(tài)調(diào)整 weight 值，使權(quán)重根據(jù)真實的后端壓力來適當調(diào)整 } # 返回 0：健康檢查沒問題，不修改權(quán)重 } # 返回 1：健康檢查失敗，權(quán)重設置為 0 } # 返回 2-255：健康檢查沒問題，但是權(quán)重修改為返回代碼-2