Miscellaneous supplementary notes
1. When the master's service recovers, the backup machine receives its advertisement and gives up the VIP
Below is the Keepalived log on the backup machine after the master's service came back.
It receives the master's advertisement, sees that the peer's priority is 150 while its own is 100, enters BACKUP state and removes the VIP.
Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63
Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63
Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63
Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Received advert with higher priority 150, ours 100
Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Entering BACKUP STATE
Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) removing protocol VIPs.
2. After starting the Keepalived service, three processes are visible
[root@data-1-1 ~]# ps -ef |grep keep
root      6592     1  0 Apr12 ?        00:00:01 /application/keepalived-1.3.5/sbin/keepalived -D -d -S 0
root      6593  6592  0 Apr12 ?        00:00:01 /application/keepalived-1.3.5/sbin/keepalived -D -d -S 0
root      6594  6592  0 Apr12 ?        00:00:13 /application/keepalived-1.3.5/sbin/keepalived -D -d -S 0
root      6664  6020  0 Apr12 pts/2    00:00:01 tail -F /var/log/keepalived.log
root     19467  5979  0 10:45 pts/1    00:00:00 grep --colour=auto keep
[root@data-1-1 ~]#
3. Overwriting and appending with cat, and handling content that contains the $ variable symbol
Adapted from http://www.361way.com/cat-eof-cover-append/4298.html
(1) Overwrite
Method 1
#!/bin/bash
cat << EOF > /root/test.txt
Hello!
My site is www.361way.com
My site is www.91it.org
Test for cat and EOF!
EOF
Method 2
I prefer this one
#!/bin/bash
cat > /root/test.txt <<EOF
Hello!
My site is www.361way.com
My site is www.91it.org
Test for cat and EOF!
EOF
(2) Append
The syntax for overwriting and appending is basically the same; the only difference is that the single redirection operator becomes a double one.
Method 1
#!/bin/bash
cat << EOF >> /root/test.txt
Hello!
My site is www.361way.com
My site is www.91it.org
Test for cat and EOF!
EOF
Method 2
#!/bin/bash
cat >> /root/test.txt <<EOF
Hello!
My site is www.361way.com
My site is www.91it.org
Test for cat and EOF!
EOF
Note that whether overwriting or appending, any variable references in the content need to be escaped, otherwise the writing shell expands them before the text reaches the file. For example:
#!/bin/bash
cat <<EOF >> /root/a.txt
PATH=\$PATH:\$HOME/bin
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=\$ORACLE_BASE/10.2.0/db_1
export ORACLE_SID=yqpt
export PATH=\$PATH:\$ORACLE_HOME/bin
export NLS_LANG="AMERICAN_AMERICA.AL32UTF8"
EOF
4. Keepalived startup log after a normal installation
You can see which configuration file is read at startup and the detailed settings printed from it.
Settings that are not written in the configuration file are filled in automatically with their defaults.
This is the startup log of a unicast configuration.
Below you can see that unicast is already involved: VRRP check unicast_src = false
vrrp_check_unicast_src: in unicast mode, enables checking the source address of VRRP packets; the source must be one of the unicast peers.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6453]: Stopped
Apr 12 16:27:12 data-1-2 Keepalived[6451]: Stopped Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Apr 12 16:27:12 data-1-2 Keepalived[6602]: Starting Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
Apr 12 16:27:12 data-1-2 Keepalived[6602]: Unable to resolve default script username 'keepalived_script' - ignoring
Apr 12 16:27:12 data-1-2 Keepalived[6602]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 12 16:27:12 data-1-2 Keepalived[6603]: Starting Healthcheck child process, pid=6604
Apr 12 16:27:12 data-1-2 Keepalived_healthcheckers[6604]: Initializing ipvs
Apr 12 16:27:12 data-1-2 Keepalived[6603]: Starting VRRP child process, pid=6605
Apr 12 16:27:12 data-1-2 Keepalived_healthcheckers[6604]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Registering Kernel netlink reflector
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Registering Kernel netlink command channel
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Registering gratuitous ARP shared channel
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Opening file '/etc/keepalived/keepalived.conf'.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Instance(VI_1) removing protocol VIPs.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: WARNING - script `killall` resolved by path search to `/usr/bin/killall`. Please specify full path.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< Global definitions >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Router ID = Haproxy_2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp server = 127.0.0.1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp server port = 25
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp HELO name = data-1-2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Smtp server connection timeout = 3
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Email notification from = Haproxy_KeepAlived@163.com
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Email notification = 525031638@qq.com
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Default interface = eth0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: LVS flush = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP IPv4 mcast group = 224.0.0.18
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP IPv6 mcast group = ff02::12
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP refresh timer = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP refresh repeat = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP lower priority delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP lower priority repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Send advert after receive lower priority advert = true
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Send advert after receive higher priority advert = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP interval = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous NA interval = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP default protocol version = 2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Iptables input chain = INPUT
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP check unicast_src = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP skip check advert addresses = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP strict mode = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP process priority = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP don't swap = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Checker process priority = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Checker don't swap = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Network namespace = (default)
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Script security disabled
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Default script uid:gid 0:0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< VRRP Topology >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP Instance = VI_1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Using VRRPv2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Want State = BACKUP
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Running on device = eth0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Skip checking advert IP addresses = no
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Enforcing strict VRRP compliance = no
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Using src_ip = 10.0.1.62
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP refresh timer = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP refresh repeat = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP lower priority delay = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Gratuitous ARP lower priority repeat = 5
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Send advert after receive lower priority advert = true
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Send advert after receive higher priority advert = false
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Virtual Router ID = 80
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Priority = 100
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Advert interval = 5 sec
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Accept enabled
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Promote_secondaries disabled
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Authentication type = SIMPLE_PASSWORD
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Password = ha_keep
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Tracked scripts = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: chk_haproxy weight 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Unicast Peer = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: 10.0.1.61
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Virtual IP = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: 10.0.1.63/24 dev eth0 scope global
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< VRRP Scripts >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP Script = chk_haproxy
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Command = /usr/bin/killall -0 haproxy
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Interval = 3 sec
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Timeout = 0 sec
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Weight = 0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Rise = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Fall = 1
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Insecure = no
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Status = INIT
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: ------< NIC >------
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Name = eth0
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: index = 2
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: IPv4 address = 10.0.1.62
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: IPv6 address = ::
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: MAC = 00:50:56:9d:50:d7
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: is UP
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: is RUNNING
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: MTU = 1500
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: HW Type = ETHERNET
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Using LinkWatch kernel netlink reflector...
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Instance(VI_1) Entering BACKUP STATE
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP sockpool: [ifindex(2), proto(112), unicast(1), fd(10,11)]
Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Script(chk_haproxy) succeeded
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: ------< Global definitions >------
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Router ID = Haproxy_2
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp server = 127.0.0.1
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp server port = 25
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp HELO name = data-1-2
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Smtp server connection timeout = 3
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Email notification from = Haproxy_KeepAlived@163.com
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Email notification = 525031638@qq.com
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Default interface = eth0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: LVS flush = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP IPv4 mcast group = 224.0.0.18
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP IPv6 mcast group = ff02::12
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP delay = 5
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP repeat = 5
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP refresh timer = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP refresh repeat = 1
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP lower priority delay = 4294
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP lower priority repeat = -1
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Send advert after receive lower priority advert = true
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Send advert after receive higher priority advert = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous ARP interval = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Gratuitous NA interval = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP default protocol version = 2
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Iptables input chain = INPUT
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP check unicast_src = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP skip check advert addresses = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP strict mode = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP process priority = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: VRRP don't swap = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Checker process priority = 0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Checker don't swap = false
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Network namespace = (default)
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Script security disabled
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Default script uid:gid 0:0
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: ------< SSL definitions >------
Apr 12 16:27:13 data-1-2 Keepalived_healthcheckers[6604]: Using autogen SSL context
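The log lines in sections 1 and 4 can be triaged automatically. The following is an added example (not code from the original post): it rebuilds the VRRP state timeline per instance and flags the security-relevant messages the startup dump contains (scripts run without script_security, a script located by PATH search, and the auth password echoed into the log by -d). The sample lines are copied from this page except one constructed "Entering MASTER STATE" line; the regexes and advice strings are this example's own.

```python
"""Added example (not from the original post): triage Keepalived syslog lines
like those in sections 1 and 4. It rebuilds the VRRP state timeline per
instance and flags the security-relevant messages in the startup dump. The
regexes and advice strings are this example's own."""
import re
from collections import defaultdict

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<proc>Keepalived(?:_\w+)?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE = re.compile(r"VRRP_Instance\((?P<inst>\w+)\) Entering (?P<state>\w+) STATE")
ADVERT = re.compile(r"VRRP_Instance\((?P<inst>\w+)\) Received advert with higher "
                    r"priority (?P<theirs>\d+), ours (?P<ours>\d+)")

# (message substring, what a reviewer should do about it)
SECURITY_PATTERNS = [
    ("scripts are being executed but script_security not enabled",
     "set enable_script_security (and a non-root script_user) in global_defs"),
    ("resolved by path search",
     "give the vrrp_script a full path instead of relying on PATH"),
    ("Password = ",
     "-d dumps the VRRP auth password into the log; restrict the log or drop -d"),
]

# Sample lines copied from this page; the 19:10:27 line is constructed to
# stand in for the failover that made this node MASTER.
SAMPLE_LOG = [
    "Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: WARNING - script `killall` resolved by path search to `/usr/bin/killall`. Please specify full path.",
    "Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: SECURITY VIOLATION - scripts are being executed but script_security not enabled.",
    "Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Authentication type = SIMPLE_PASSWORD",
    "Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: Password = ha_keep",
    "Apr 12 16:27:12 data-1-2 Keepalived_vrrp[6605]: VRRP_Instance(VI_1) Entering BACKUP STATE",
    "Apr 12 19:10:27 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Entering MASTER STATE",
    "Apr 12 19:10:28 data-1-2 Keepalived_vrrp[13309]: Sending gratuitous ARP on eth0 for 10.0.1.63",
    "Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Received advert with higher priority 150, ours 100",
    "Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) Entering BACKUP STATE",
    "Apr 13 10:40:14 data-1-2 Keepalived_vrrp[13309]: VRRP_Instance(VI_1) removing protocol VIPs.",
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not Keepalived's."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (timeline, findings): timeline maps instance -> [(ts, event)],
    findings is a list of (ts, process, advice) for security-relevant messages."""
    timeline, findings = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = STATE.search(msg)
        if m:
            timeline[m["inst"]].append((rec["ts"], "state=" + m["state"]))
        else:
            m = ADVERT.search(msg)
            if m:   # a higher-priority peer is back: this node is about to yield the VIP
                timeline[m["inst"]].append(
                    (rec["ts"], "yield: peer prio %s > ours %s" % (m["theirs"], m["ours"])))
        for needle, advice in SECURITY_PATTERNS:
            if needle in msg:
                findings.append((rec["ts"], rec["proc"], advice))
    return dict(timeline), findings


if __name__ == "__main__":
    timeline, findings = triage(SAMPLE_LOG)
    for inst, events in timeline.items():
        for ts, event in events:
            print(inst, ts, event)
    for ts, proc, advice in findings:
        print("FINDING", ts, proc, advice)
```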
5. Differences between unicast and multicast configuration
When the two nodes are configured for unicast, the packets the backup receives look like this:
[root@data-1-2 keepalived]# tcpdump -vvv -i any host 10.0.1.61
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:11:21.084843 IP (tos 0xc0, ttl 255, id 3, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > data-1-2: vrrp 10.0.1.61 > data-1-2: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:11:26.085600 IP (tos 0xc0, ttl 255, id 4, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > data-1-2: vrrp 10.0.1.61 > data-1-2: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:11:31.086772 IP (tos 0xc0, ttl 255, id 5, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > data-1-2: vrrp 10.0.1.61 > data-1-2: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@data-1-2 keepalived]#
When the two nodes are configured for multicast, the packets the backup receives look like this:
You can see the destination is vrrp.mcast.net.
[root@data-1-2 keepalived]# tcpdump -vvv -i any host 10.0.1.61
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:08:15.571761 IP (tos 0xc0, ttl 255, id 1455, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > vrrp.mcast.net: vrrp 10.0.1.61 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:08:20.572496 IP (tos 0xc0, ttl 255, id 1456, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > vrrp.mcast.net: vrrp 10.0.1.61 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
13:08:25.573351 IP (tos 0xc0, ttl 255, id 1457, offset 0, flags [none], proto VRRP (112), length 40)
    10.0.1.61 > vrrp.mcast.net: vrrp 10.0.1.61 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 80, prio 150, authtype simple, intvl 5s, length 20, addrs: 10.0.1.63 auth "ha_keep^@"
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
[root@data-1-2 keepalived]#
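To make the tcpdump decode above concrete, here is an added example (not from the original post) that builds the same VRRPv2 advertisement from the RFC 3768 field layout (vrid 80, prio 150, intvl 5 s, VIP 10.0.1.63, simple auth "ha_keep"), verifies the Internet checksum and parses it back. The 20-byte payload is constructed, not captured, and the parse shows why tcpdump could print the auth password: with authtype simple it travels in cleartext.

```python
"""Added example (not from the original post): build and parse the VRRPv2
advertisement that tcpdump decoded above (vrid 80, prio 150, intvl 5 s,
VIP 10.0.1.63, simple auth "ha_keep") using the RFC 3768 field layout,
and verify its Internet checksum. The 20-byte payload is constructed here,
not captured."""
import ipaddress
import struct
from dataclasses import dataclass

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_TYPE_NAMES = {0: "none", 1: "simple", 2: "ah"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; zero-pads an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class VrrpAdvert:
    vrid: int
    priority: int
    advert_int: int          # seconds (VRRPv2)
    addrs: list              # virtual IPv4 addresses as strings
    auth_type: int = 0
    auth_data: bytes = b"\x00" * 8

    def pack(self) -> bytes:
        """Serialize to wire format: 8-byte header, IPv4 list, 8 bytes auth data."""
        head = struct.pack("!BBBBBBH",
                           (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                           self.vrid, self.priority, len(self.addrs),
                           self.auth_type, self.advert_int, 0)
        body = b"".join(ipaddress.IPv4Address(a).packed for a in self.addrs)
        auth = self.auth_data.ljust(8, b"\x00")[:8]
        msg = head + body + auth
        return msg[:6] + struct.pack("!H", internet_checksum(msg)) + msg[8:]


def parse_vrrp(msg: bytes) -> VrrpAdvert:
    """Parse a VRRPv2 advertisement; raises ValueError on anything malformed."""
    if len(msg) < 8:
        raise ValueError("too short for a VRRP header")
    vt, vrid, prio, count, auth_type, adv_int, _csum = struct.unpack("!BBBBBBH", msg[:8])
    if vt >> 4 != VRRP_VERSION:
        raise ValueError("not VRRPv2 (version %d)" % (vt >> 4))
    if vt & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("unknown VRRP type %d" % (vt & 0x0F))
    if len(msg) != 8 + 4 * count + 8:
        raise ValueError("length %d does not fit %d addresses" % (len(msg), count))
    # The checksum covers the whole message, so re-summing a valid one yields 0.
    if internet_checksum(msg) != 0:
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return VrrpAdvert(vrid, prio, adv_int, addrs, auth_type, msg[8 + 4 * count:])


def is_valid(msg: bytes) -> bool:
    """True if parse_vrrp accepts the message."""
    try:
        parse_vrrp(msg)
        return True
    except ValueError:
        return False


def describe(adv: VrrpAdvert) -> str:
    """Summarize the way tcpdump does. With authtype simple the password travels
    in cleartext, which is why tcpdump could print auth "ha_keep" above."""
    line = "VRRPv2, Advertisement, vrid %d, prio %d, authtype %s, intvl %ds, addrs: %s" % (
        adv.vrid, adv.priority, AUTH_TYPE_NAMES.get(adv.auth_type, str(adv.auth_type)),
        adv.advert_int, " ".join(adv.addrs))
    if adv.auth_type == 1:
        line += ' auth "%s"' % adv.auth_data.rstrip(b"\x00").decode("ascii", "replace")
    return line


# Constructed to match the advertisement captured in this section.
CAPTURED = VrrpAdvert(vrid=80, priority=150, advert_int=5, addrs=["10.0.1.63"],
                      auth_type=1, auth_data=b"ha_keep")

if __name__ == "__main__":
    wire = CAPTURED.pack()
    print(len(wire), "bytes:", wire.hex())
    print(describe(parse_vrrp(wire)))
```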
6. Viewing Keepalived's compile options
Most of them are not needed.
[root@data-1-1 tools]# tar xfz keepalived-1.3.5.tar.gz
[root@data-1-1 tools]# cd keepalived-1.3.5
[root@data-1-1 keepalived-1.3.5]# ./configure --help
`configure' configures Keepalived 1.3.5 to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=E PREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/keepalived]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-silent-rules   less verbose build output (undo: "make V=1")
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --disable-lvs-syncd     do not use LVS synchronization daemon
  --disable-lvs           do not use the LVS framework
  --disable-lvs-64bit-stats
                          do not use the LVS 64-bit stats
  --disable-vrrp          do not use the VRRP framework
  --disable-fwmark        compile without SO_MARK support
  --enable-snmp           compile with SNMP support
  --enable-snmp-vrrp      compile with SNMP vrrp support
  --enable-snmp-keepalived
                          obsolete - use --enable-snmp-vrrp
  --enable-snmp-checker   compile with SNMP checker support
  --enable-snmp-rfc       compile with SNMP RFC2787 (VRRPv2) and SNMP RFC6527 (VRRPv3) support
  --enable-snmp-rfcv2     compile with SNMP RFC2787 (VRRPv2) support
  --enable-snmp-rfcv3     compile with SNMP RFC6257 (VRRPv3) support
  --disable-snmp-reply-v3-for-v2
                          disable RFC6257 responses for VRRPv2 instances
  --enable-dbus           compile with dbus support
  --enable-dbus-create-instance
                          compile with dbus support for creating instances
  --enable-sha1           compile with SHA1 support
  --disable-vrrp-auth     compile without VRRP authentication
  --disable-routes        compile without ip rules/routes
  --enable-dynamic-linking
                          compile with/without dynamically linked libiptc/libipset
  --enable-libiptc-dynamic
                          compile with libiptc dynamically linked
  --disable-libipset-dynamic
                          compile with libipset statically linked
  --enable-libxtables-dynamic
                          compile with libxtables dynamically linked
  --enable-libnl-dynamic  compile with libnl dynamically linked
  --disable-libiptc       compile without libiptc
  --disable-libipset      compile without libipset
  --disable-libnl         compile without libnl
  --enable-mem-check      compile with memory alloc checking
  --enable-mem-check-log  compile with memory alloc checking wriging to syslog
  --enable-debug          compile with debugging flags
  --enable-stacktrace     compile with stacktrace support
  --enable-profile        compile with profiling flags
  --enable-conversion-checks
                          compile with conversion warnings if sensible
  --enable-force-conversion-checks
                          compile with conversion warnings
  --enable-Werror         compile with warnings being errors
  --enable-dependency-tracking
                          do not reject slow dependency extractors
  --disable-dependency-tracking
                          speeds up one-time build

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-kernel-dir=DIR   path to linux kernel source directory
  --with-init=(upstart|systemd|SYSV|SUSE|openrc)
                          specify init type
  --with-systemdsystemunitdir=DIR
                          Directory for systemd service files

Some influential environment variables:
  PKG_CONFIG  path to pkg-config utility
  PKG_CONFIG_PATH
              directories to add to pkg-config's search path
  PKG_CONFIG_LIBDIR
              path overriding pkg-config's built-in search path
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to <keepalived-devel@lists.sourceforge.net>.
Keepalived home page: <http://www.keepalived.org/>.
[root@data-1-1 keepalived-1.3.5]#
7. Changing the Keepalived log output path
By default keepalived logs to /var/log/messages.
Here we change it to write to /var/log/keepalived.log instead.
This is version 1.3.5, installed from source.
The init script reads /application/keepalived-1.3.5/etc/sysconfig/keepalived by default,
but some other components read /etc/sysconfig/keepalived by default,
so both were changed.
Add one line at the very bottom.
-S selects the syslog facility that receives the logs; 0 means local0.
-D enables detailed logging.
-d dumps the configuration file contents into the log.
sed -i s#'KEEPALIVED_OPTIONS="-D"'#'KEEPALIVED_OPTIONS="-D -d -S 0"'#g /etc/sysconfig/keepalived
/bin/cp /application/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
After that, a line must be added to the syslog configuration file, as follows.
The configuration above tells keepalived to send to syslog's local0 facility; local0 then writes what it receives to /var/log/keepalived.log.
.* means messages of every severity are written.
cat >> /etc/rsyslog.conf << EOF
#keepalived
local0.*    /var/log/keepalived.log
EOF
[root@data-1-1 keepalived]# tail -2 /etc/rsyslog.conf
#keepalived
local0.*    /var/log/keepalived.log
[root@data-1-1 keepalived]#
Restart the rsyslog service.
[root@data-1-1 keepalived]# systemctl restart rsyslog
[root@data-1-1 keepalived]#
8. Installing some tools
Install tcpdump, a packet capture tool that is sometimes needed.
Install the psmisc package, which provides fuser, killall, pstree and other commands; the health check in Keepalived's configuration file can use killall.
yum install tcpdump -y
yum install psmisc -y
9. Instances serving the same virtual IP must use the same virtual router id
The virtual_router_id of the master and backup keepalived nodes in one cluster must be identical; the value ranges from 0 to 255.
However, two clusters on the same LAN must not share a virtual_router_id.
10. Reference configuration for a multi-instance Keepalived setup
This way both machines do useful work, avoiding the idle resources of a single-instance setup.
Keepalived configuration for machine 1
VI_1 is master, VI_2 is backup
! Configuration File for keepalived

global_defs {
    notification_email {
        12345@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 10.0.0.1
    smtp_connect_timeout 30
    router_id LVS_1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.136/24
        10.0.0.137/24
        10.0.0.138/24
    }
}

vrrp_instance VI_2 {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.140/24
        10.0.0.141/24
    }
}
Keepalived configuration for machine 2
VI_1 is backup, VI_2 is master
! Configuration File for keepalived

global_defs {
    notification_email {
        12345@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 10.0.0.1
    smtp_connect_timeout 30
    router_id LVS_2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.136/24
        10.0.0.137/24
        10.0.0.138/24
    }
}

vrrp_instance VI_2 {
    state MASTER
    interface eth0
    virtual_router_id 52
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.140/24
        10.0.0.141/24
    }
}
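An added example (not the post's own code) that checks the rules from sections 9 and 10 against the two configurations above: a minimal keepalived.conf parser plus a consistency check that every node agrees on an instance's virtual_router_id and VIP set, that exactly one node is MASTER and holds the highest priority, and that no VRID is reused by a different instance. The node texts are constructed from the configs above with global_defs and authentication left out.

```python
"""Added example (not from the original post): parse each node's keepalived.conf
and check the rules from sections 9 and 10: an instance must carry the same
virtual_router_id and VIP set on every node, exactly one node is MASTER and it
holds the highest priority, and no VRID is reused by a different instance."""
from collections import defaultdict

# Constructed from the two-node configuration in this section; %()s/%()d fields are filled per node.
TEMPLATE = """\
vrrp_instance VI_1 {
    state %(s1)s
    virtual_router_id 51
    priority %(p1)d
    virtual_ipaddress {
        10.0.0.136/24
        10.0.0.137/24
        10.0.0.138/24
    }
}
vrrp_instance VI_2 {
    state %(s2)s
    virtual_router_id 52
    priority %(p2)d
    virtual_ipaddress {
        10.0.0.140/24
        10.0.0.141/24
    }
}
"""
NODE1 = TEMPLATE % dict(s1="MASTER", p1=150, s2="BACKUP", p2=50)
NODE2 = TEMPLATE % dict(s1="BACKUP", p1=100, s2="MASTER", p2=150)


def parse_keepalived(text):
    """Minimal parser for keepalived's brace syntax: "vrrp_instance VI_1 {" nests
    under its keyword, "key value" lines become entries, and bare values (VIPs,
    e-mail addresses, tracked script names) collect under "_values"."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue                      # blank or "! comment" line
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            words = line[:-1].split()
            child = {}
            if len(words) == 1:           # e.g. "global_defs {"
                stack[-1][words[0]] = child
            else:                         # e.g. "vrrp_instance VI_1 {"
                stack[-1].setdefault(words[0], {})[words[1]] = child
            stack.append(child)
        else:
            words = line.split(None, 1)
            if len(words) == 1:
                stack[-1].setdefault("_values", []).append(words[0])
            else:
                stack[-1][words[0]] = words[1]
    if len(stack) != 1:
        raise ValueError("unbalanced braces in keepalived.conf")
    return root


def check_cluster(node_confs):
    """node_confs: {node name: keepalived.conf text}. Returns a list of findings;
    an empty list means the nodes agree."""
    findings, by_inst, vrid_owner = [], defaultdict(dict), {}
    for node, text in node_confs.items():
        for name, inst in parse_keepalived(text).get("vrrp_instance", {}).items():
            by_inst[name][node] = {
                "state": inst.get("state"),
                "prio": int(inst.get("priority", 100)),       # keepalived's default
                "vrid": int(inst["virtual_router_id"]),
                "vips": frozenset(inst.get("virtual_ipaddress", {}).get("_values", [])),
            }
    for name, nodes in sorted(by_inst.items()):
        vrids = sorted({d["vrid"] for d in nodes.values()})
        if len(vrids) > 1:
            findings.append("%s: virtual_router_id differs across nodes %s" % (name, vrids))
        if len({d["vips"] for d in nodes.values()}) > 1:
            findings.append("%s: virtual_ipaddress set differs across nodes" % name)
        masters = [n for n, d in nodes.items() if d["state"] == "MASTER"]
        top = max(nodes, key=lambda n: nodes[n]["prio"])
        if len(masters) != 1:
            findings.append("%s: expected exactly one MASTER, found %s" % (name, masters))
        elif masters[0] != top:
            findings.append("%s: MASTER is %s but %s has the highest priority" % (name, masters[0], top))
        for vrid in vrids:                # section 9: one VRID per VIP group on the LAN
            owner = vrid_owner.setdefault(vrid, name)
            if owner != name:
                findings.append("virtual_router_id %d is shared by instances %s and %s" % (vrid, owner, name))
    return findings


if __name__ == "__main__":
    print(check_cluster({"data-1-1": NODE1, "data-1-2": NODE2}))           # []
    bad = NODE2.replace("virtual_router_id 52", "virtual_router_id 51")    # typo: VI_2 reuses VRID 51
    for finding in check_cluster({"data-1-1": NODE1, "data-1-2": bad}):
        print(finding)
```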
11. The following warning during the Keepalived build can be ignored
The build prints the warning "*** WARNING - this build will not support IPVS with IPv6. Please install libnl/libnl-3 dev libraries to support IPv6 with IPVS."; the full output is below.
Keepalived configuration
------------------------
Keepalived version       : 1.3.5
Compiler                 : gcc
Preprocessor flags       :
Compiler flags           : -Wall -Wunused -Wstrict-prototypes -Wextra -g -O2
Linker flags             :
Extra Lib                : -lcrypto -lssl
Use IPVS Framework       : Yes
IPVS use libnl           : No
IPVS syncd attributes    : No
IPVS 64 bit stats        : No
fwmark socket support    : Yes
Use VRRP Framework       : Yes
Use VRRP VMAC            : Yes
Use VRRP authentication  : Yes
With ip rules/routes     : Yes
SNMP vrrp support        : No
SNMP checker support     : No
SNMP RFCv2 support       : No
SNMP RFCv3 support       : No
DBUS support             : No
SHA1 support             : No
Use Debug flags          : No
Stacktrace support       : No
Memory alloc check       : No
libnl version            : None
Use IPv4 devconf         : No
Use libiptc              : No
Use libipset             : No
init type                : upstart
Build genhash            : Yes
Build documentation      : No

*** WARNING - this build will not support IPVS with IPv6. Please install libnl/libnl-3 dev libraries to support IPv6 with IPVS.
Many people fix it by installing the dependencies below; I don't think it is necessary, because IPv6 is not used at all.
Solution 1 (online installation):
Run yum -y install libnl libnl-devel to resolve the warning above.
Run yum install -y libnfnetlink-devel to resolve the error above.
12. Note the path when downloading images from the Aliyun mirror: it is isos
https://mirrors.aliyun.com/centos/7.4.1708/isos/x86_64/
13. Keepalived's configuration file can also define a custom monitoring script
# Custom monitoring script
vrrp_script chk_haproxy {
    script "/etc/keepalived/check_haproxy.sh"
    interval 5
    weight 2
}
14. Keepalived and haproxy configuration files explained
From the link below
https://blog.csdn.net/HzSunshine/article/details/61673572
For simple reference
! Configuration File for keepalived

global_defs {
    # Alert notification e-mail addresses; several can be set
    notification_email {
        msun1996@163.com
    }
    # Sender address of the e-mails
    notification_email_from keepalived@msun.com
    # Address of the smtp server; it must actually exist
    smtp_server 127.0.0.1
    # Timeout for connecting to the smtp server
    smtp_connect_timeout 30
    # Identifier of the server running Keepalived, shown in the subject of alert mails
    router_id HAProxy_msun
}

# Script that checks haproxy
vrrp_script chk_haproxy {
    script "/etc/keepalived/check_haproxy.sh"
    interval 2
    # The following approach is somewhat better
    #script "killall -0 haproxy"    # killall (install with yum install psmisc -y)
    #interval 2
    #weight 2                       # weight: if the script succeeds (exit 0) the effective priority is
                                    # priority+weight, otherwise it stays priority
}

# Define the VRRP instance; the instance name is arbitrary
vrrp_instance haproxy_msun {
    # Role of this Keepalived node: MASTER for the primary, BACKUP for the standby
    state MASTER                    # set to BACKUP on the standby
    # Interface monitored for HA
    interface eno16777736
    # Virtual router identifier, a number (1-255); master and backup of one VRRP instance must use the same value
    virtual_router_id 68
    # Priority: the higher the number, the higher the priority; within one instance the master's priority must be higher than the backup's
    priority 100                    # set to 99 on the standby
    # Interval in seconds between the synchronization checks of master and backup
    advert_int 1
    # Authentication type and password
    authentication {
        # Two authentication types: {PASS|HA}
        auth_type PASS
        # Authentication password; master and backup of one instance must use the same value
        auth_pass 1689
    }
    track_script {
        chk_haproxy                 # the monitoring script to run
    }
    # Virtual IP addresses; there can be several, one per line
    virtual_ipaddress {
        192.168.1.160
    }
}
haproxy configuration file explained 1
For simple reference
global
    # Global log configuration, using rsyslog facility local3
    log 127.0.0.1 local3 info
    # Working directory (for security)
    chroot /var/lib/haproxy
    # Directory of the pid file
    pidfile /var/run/haproxy.pid
    # Number of background processes
    nbproc 1
    # Maximum concurrent connections per process
    maxconn 40000
    user haproxy
    group haproxy
    # Run as a background daemon
    daemon

defaults
    mode http
    # Number of retries on backend connections; beyond this the server is marked unavailable
    retries 3
    # Maximum wait for a connection to a server
    timeout connect 10s
    # Maximum wait for the client to send a request
    timeout client 30s
    # Maximum wait for the server to reply to the client
    timeout server 30s
    # Timeout for health checks of backend servers
    timeout check 10s

# HAProxy statistics page
listen admin_stats
    bind 0.0.0.0:9188
    mode http
    log 127.0.0.1 local3 err
    # Auto-refresh interval of the stats page
    stats refresh 30s
    # URL path of the stats page; visit http://IP:9188/haproxy-status
    stats uri /haproxy-status
    # Prompt text shown in the login box of the stats page
    stats realm welcome login Haproxy
    # Username and password for the stats page
    stats auth admin:123456
    # Hide the HAProxy version
    stats hide-version
    # When set, backend servers can be enabled and disabled manually from the stats page
    stats admin if TRUE

# Frontend
frontend www
    # Listening port
    bind *:80
    mode http
    # Log HTTP requests
    option httplog
    # Lets backend servers see the client IP
    option forwardfor
    # HAProxy actively closes the TCP connection once a request has completed (tuning option)
    option httpclose
    # Use the global log configuration
    log global
    # Backend pool to use (defined below as backend htmpool)
    default_backend htmpool

# Backend servers
backend htmpool
    mode http
    # For cookie persistence: if a backend fails, the client cookie is not refreshed, so this forces the request to a healthy server
    option redispatch
    # Under high load, terminate connections that have waited long in the queue
    option abortonclose
    # Load balancing algorithm
    balance roundrobin
    # Insert SERVERID into cookies; the server lines below define the cookie values
    cookie SERVERID
    # Enable HTTP health checks (the file must exist on the backend, otherwise haproxy marks it down)
    option httpchk GET /index.html
    # Backend servers
    server web1 192.168.1.186:80 cookie server1 weight 6 check inter 2000 rise 2 fall 3
    server web2 192.168.1.188:80 cookie server2 weight 6 check inter 2000 rise 2 fall 3
haproxy configuration reference 2
From http://blog.chinaunix.net/uid-25266990-id-3989321.html
Mainly look at the acl rules here.
#vim /etc/haproxy/haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1

global
    log 127.0.0.1   local0          # log configuration: everything is logged locally through local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096                    # maximum connections
    chroot /usr/share/haproxy       # change the working directory
    uid 99                          # uid of the owning user
    gid 99                          # gid to run as
    daemon                          # run haproxy in the background
    #debug
    #quiet

defaults
    log     global
    mode    http                    # default mode { tcp|http|health }: tcp is layer 4, http is layer 7, health only returns OK
    option  httplog
    option  dontlognull
    option  redispatch              # when the server for a serverId is down, force the request to another healthy server
    option  abortonclose            # under high load, terminate connections that have waited long in the queue
    retries 3                       # two failed connection attempts mark the server unavailable
    maxconn 2000                    # default maximum connections
    #timeout http-keep-alive 10s
    # timeout queue 1m
    contimeout      5000            # connect timeout
    clitimeout      50000           # client timeout
    srvtimeout      50000           # server timeout
    timeout check   5s              # health check timeout
    stats refresh 30s               # auto-refresh interval of the stats page
    stats uri /stats                # stats page url
    stats realm baison-test-Haproxy # prompt text in the login box of the stats page
    stats auth admin:admin123       # stats page username and password
    stats hide-version              # hide the HAProxy version on the stats page

frontend www
    bind *:80                       # bind *:80 is recommended; otherwise, once the vip moves to another machine in an HA cluster, the service cannot be reached
    acl web hdr(host) -i www.zhirs.com   # after acl comes the rule name, -i the domain to match; requests for www.zhirs.com are dispatched to the webserver backend below
    acl img hdr(host) -i img.zhirs.com   # requests for img.baison.com.cn are dispatched to the imgserver backend
    use_backend webserver if web
    use_backend imgserver if img

backend webserver                   # webserver backend
    mode http
    balance roundrobin              # balance roundrobin = round robin; balance source = keep the session; static-rr, leastconn, first, uri etc. are also supported
    option httpchk /index.html      # check file: if index.html cannot be fetched from a backend, it no longer receives traffic
    server web01 192.168.137.201:80 check inter 2000 fall 3 weight 30
    server web02 192.168.137.202:80 check inter 2000 fall 3 weight 20
    server web03 192.168.137.203:80 check inter 2000 fall 3 weight 10

backend imgserver
    mode http
    option httpchk /index.php
    balance roundrobin
    server img01 192.168.137.101:80 check inter 2000 fall 3
    server img02 192.168.137.102:80 check inter 2000 fall 3
haproxy reference configuration 3
From https://blog.csdn.net/sj349781478/article/details/78862315
global
    log 127.0.0.1   local0          # [log configuration: everything is logged locally through local0]
    log 127.0.0.1   local1 notice   # haproxy log level [error warning info debug]
    daemon                          # run haproxy in the background
    nbproc 1                        # number of processes
    maxconn 4096                    # default maximum connections; consider the ulimit -n limit
    #user haproxy                   # user that runs haproxy
    #group haproxy                  # group of the user that runs haproxy
    #pidfile /var/run/haproxy.pid   # haproxy PID file
    #ulimit-n 819200                # ulimit limit
    #chroot /usr/share/haproxy      # chroot path
    #debug                          # haproxy debug level; only recommended when debugging with a single process
    #quiet

######## default settings ############
defaults
    log global
    mode http                       # default mode { tcp|http|health }: tcp is layer 4, http is layer 7, health only returns OK
    option httplog                  # log format: httplog
    option dontlognull              # do not log health check traffic
    retries 2                       # two failed connection attempts mark the server unavailable; can also be set further down
    #option forwardfor              # needed if backends must see the real client ip, taken from the HTTP header
    option httpclose                # close the http channel after each request; haproxy does not support keep-alive and can only emulate this mode
    #option redispatch              # when the server for a serverId is down, force the request to another healthy server; will not be supported in future
    option abortonclose             # under high load, terminate connections that have waited long in the queue
    maxconn 4096                    # default maximum connections
    timeout connect 5000ms          # connect timeout
    timeout client 30000ms          # client timeout
    timeout server 30000ms          # server timeout
    #timeout check 2000             # health check timeout
    #timeout http-keep-alive 10s    # default keep-alive timeout
    #timeout http-request 10s       # default http request timeout
    #timeout queue 1m               # default queue timeout
    balance roundrobin              # default load balancing method: round robin
    #balance source                 # default load balancing method, similar to nginx ip_hash
    #balance leastconn              # default load balancing method: least connections

######## stats page ########
listen stats
    bind 0.0.0.0:1080               # a combined frontend and backend; the name of the monitoring group is arbitrary
    mode http                       # layer 7 http mode
    option httplog                  # http log format
    #log 127.0.0.1 local0 err       # error logging
    maxconn 10                      # default maximum connections
    stats refresh 30s               # auto-refresh interval of the stats page
    stats uri /stats                # stats page url
    stats realm XingCloud Haproxy   # prompt text in the login box of the stats page
    stats auth admin:admin          # stats page user and password: admin; several users can be set
    stats auth Frank:Frank          # stats page user and password: Frank
    stats hide-version              # hide the HAProxy version on the stats page
    stats admin if TRUE             # allow enabling/disabling backend servers by hand (haproxy 1.4.9 and later)

######## haproxy error pages #####
    #errorfile 403 /home/haproxy/haproxy/errorfiles/403.http
    #errorfile 500 /home/haproxy/haproxy/errorfiles/500.http
    #errorfile 502 /home/haproxy/haproxy/errorfiles/502.http
    #errorfile 503 /home/haproxy/haproxy/errorfiles/503.http
    #errorfile 504 /home/haproxy/haproxy/errorfiles/504.http

######## frontend ##############
frontend main
    bind *:80                       # bind *:80 is recommended; otherwise, once the vip moves to another machine in an HA cluster, the service cannot be reached
    acl web hdr(host) -i www.abc.com    # after acl comes the rule name, -i means case-insensitive, then the domain to match; a request for www.abc.com triggers the web rule
    acl img hdr(host) -i img.abc.com    # a request for img.abc.com triggers the img rule
    use_backend webserver if web    # if the web rule above matched (a request for www.abc.com), dispatch to the webserver backend
    use_backend imgserver if img    # if the img rule above matched (a request for img.abc.com), dispatch to the imgserver backend
    default_backend dynamic         # otherwise serve from the default backend

######## backends ##############
backend webserver                   # webserver backend
    mode http
    balance roundrobin              # balance roundrobin = round robin; balance source = keep the session; static-rr, leastconn, first, uri etc. are also supported
    option httpchk GET /index.html HTTP/1.0     # health check: if index.html cannot be fetched from a backend, it no longer receives traffic
    server web1 10.16.0.9:8085 cookie 1 weight 5 check inter 2000 rise 2 fall 3
    server web2 10.16.0.10:8085 cookie 2 weight 3 check inter 2000 rise 2 fall 3
    # cookie 1 means serverid 1; check inter 1500 is the heartbeat interval
    # rise 2: two successes mark the server up; fall 3: three failures mark it down; weight is the weight

backend imgserver
    mode http
    option httpchk /index.php
    balance roundrobin
    server img01 192.168.137.101:80 check inter 2000 fall 3
    server img02 192.168.137.102:80 check inter 2000 fall 3

backend dynamic
    balance roundrobin
    server test1 192.168.1.23:80 check maxconn 2000
    server test2 192.168.1.24:80 check maxconn 2000

listen tcptest
    bind 0.0.0.0:5222
    mode tcp
    option tcplog                   # tcp log format
    balance source
    #log 127.0.0.1 local0 debug
    server s1 192.168.100.204:7222 weight 1
    server s2 192.168.100.208:7222 weight 1
15. If both Keepalived machines must run a firewall
Assume firewalld is not used here and iptables is used instead.
The peer's source address has to be trusted, otherwise the heartbeat packets cannot be received.
On the master, trust the backup machine:
[root@data-1-1 ~]# iptables -I INPUT -s 10.0.1.62 -j ACCEPT
[root@data-1-1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.1.62            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@data-1-1 ~]#
On the backup, trust the master machine:
[root@data-1-2 ~]# iptables -I INPUT -s 10.0.1.61 -j ACCEPT
[root@data-1-2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.1.61            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@data-1-2 ~]#
16. Simulating split-brain
Suppose the backup machine's firewall is misconfigured and does not allow the master's packets. Because it receives no heartbeat from the master, it concludes that the master's service is down or that its Keepalived service has died.
It then adds the VIP itself; at the end of the output below the VIP 10.0.1.63 has been configured automatically. This is split-brain.
[root@data-1-2 ~]# iptables -L -n -t filter --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:18181
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8181
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     all  --  10.0.1.61            0.0.0.0/0
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@data-1-2 ~]# iptables -D INPUT 4
[root@data-1-2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:18181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8181
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@data-1-2 ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.1.63/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]#
Meanwhile the master has not released the resource either:
[root@data-1-1 ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:0b:ee brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.61/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.1.63/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@data-1-1 ~]#
Fix the rule to allow packets from the master and the split-brain goes away:
[root@data-1-2 ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.1.63/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]# iptables -I INPUT -s 10.0.1.61 -j ACCEPT
[root@data-1-2 ~]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:9d:50:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@data-1-2 ~]#
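The two `ip ad` checks above can be turned into an automated split-brain check that alerts when both nodes hold the VIP. The script below is an added example, not part of the original post; it assumes the peer is reachable over ssh as 10.0.1.61, the interface is eth0 and the VIP is 10.0.1.63, and its sample outputs are constructed to mirror the state seen above.

```shell
#!/bin/sh
# Added example, not from the original post: detect a Keepalived split-brain by
# checking whether the VIP is configured on more than one node at once. Peer
# 10.0.1.61, interface eth0 and VIP 10.0.1.63 are assumptions taken from the
# scenario above; the sample outputs near the end are constructed.

# vip_present <ip-addr-output> <vip>: succeeds if the VIP appears in the given
# `ip addr` output. Matching "inet <vip>/" as a fixed string means 10.0.1.6
# cannot match 10.0.1.63 and the dots need no regex escaping.
vip_present() {
    printf '%s\n' "$1" | grep -Fq -- "inet $2/"
}

# split_brain_status <local-output> <peer-output> <vip>: prints ok (exactly one
# holder), split-brain (both hold the VIP) or no-holder, returning 0, 1 or 2.
split_brain_status() {
    local_has=0; peer_has=0
    vip_present "$1" "$3" && local_has=1
    vip_present "$2" "$3" && peer_has=1
    case "${local_has}${peer_has}" in
        11) echo split-brain; return 1 ;;
        00) echo no-holder;   return 2 ;;
        *)  echo ok;          return 0 ;;
    esac
}

# check_cluster <peer> <iface> <vip>: compares this node with the peer over ssh.
# Run it from either node (e.g. from cron) and alert on a non-zero exit status.
check_cluster() {
    local_out=$(ip addr show dev "$2")
    peer_out=$(ssh -o BatchMode=yes "$1" ip addr show dev "$2")
    split_brain_status "$local_out" "$peer_out" "$3"
}

# Constructed samples mirroring the `ip ad` output seen during the simulation:
# the backup (10.0.1.62) added the VIP while the master (10.0.1.61) kept it.
SAMPLE_BACKUP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0
    inet 10.0.1.63/24 scope global secondary eth0'
SAMPLE_MASTER='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 10.0.1.61/24 brd 10.0.1.255 scope global eth0
    inet 10.0.1.63/24 scope global secondary eth0'
# The backup after the firewall rule was restored and Keepalived dropped the VIP.
SAMPLE_BACKUP_FIXED='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 10.0.1.62/24 brd 10.0.1.255 scope global eth0'

# Usage on a live node: sh split_brain_check.sh 10.0.1.61 eth0 10.0.1.63
if [ "$#" -eq 3 ]; then
    check_cluster "$1" "$2" "$3"
fi
```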
Below are some commonly used commands for adding firewall rules:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 8181 -j ACCEPT
iptables -I INPUT -p tcp --dport 18181 -j ACCEPT
iptables -A INPUT -j DROP