- [root@ha01 /etc/keepalived]$uname -a
- Linux ha01 5.10.0-182.0.0.95.oe2203sp3.x86_64 #1 SMP Sat Dec 30 13:10:36 CST 2023 x86_64 x86_64 x86_64 GNU/Linux
主备服务器ha01 ha02(如果没有两块网卡可以用一块,也可以虚拟机添加一块网卡.)
- #检查网络IP相关信息
- [root@ha01 /etc/keepalived]$ip a |grep ens
- 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.59.238/24 brd 192.168.59.255 scope global noprefixroute ens33
- 3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.61.238/24 brd 192.168.61.255 scope global noprefixroute ens35
- #↓
- [root@ha02 /etc/sysconfig/network-scripts]$ip a |grep ens
- 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.59.239/24 brd 192.168.59.255 scope global noprefixroute ens33
- 3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.61.239/24 brd 192.168.61.255 scope global noprefixroute ens35
[root@ha01 ~]$yum -y install keepalived haproxy
原始配置文件备份
- [root@ha01 ~]$cd /etc/keepalived/
- [root@ha01 /etc/keepalived]$cp keepalived.conf keepalived.conf.bak
主节点ha01修改配置文件
- [root@ha01 /etc/keepalived]$cat keepalived.conf
- ! Configuration File for keepalived
- global_defs {
- #↓指定运行检查脚本的用户。这里用 root,但 check_apiserver.sh 只调用 curl 和 ip addr,并不需要 root 权限;建议改成专用的非特权用户(如 keepalived_script),脚本一旦被篡改,影响范围也更小
- script_user root
- #↓脚本安全检查:开启后 keepalived 会拒绝执行"路径中任一部分可被非 root 用户写入"的脚本,防止被替换的脚本以 script_user 的身份运行。它只检查文件/目录权限,不检查脚本内容
- enable_script_security
- #↓ 主备节点设置不同的 router_id,以便于管理和监控
- router_id ha01
- }
- #↓定义一个检查脚本
- vrrp_script check_haproxy {
- #↓指定脚本路径
- script "/etc/keepalived/check_apiserver.sh"
- #↓设置脚本执行间隔为3秒
- interval 3
- # ↓script中的指令执行失败或返回值非0时,则相应的vrrp_instance的priority会减少20,此时主节点优先级减20后,值已经低于备节点,就会发生主备切换。
- weight -20
- #↓脚本连续失败两次才触发权重减少
- fall 2
- #↓当脚本连续成功两次恢复主节点优先级
- rise 2
- }
- #
- vrrp_instance VI_1 {
- #↓设置该实例的状态为master(主节点)
- state MASTER
- # ↓不抢占:允许 priority 较低的节点继续作为 master,即使更高 priority 的节点已经恢复。注意 keepalived 手册要求 nopreempt 只在初始 state 为 BACKUP 时才生效;这里 state 是 MASTER,该选项很可能被忽略,ha01 恢复后会重新抢回 VIP(多一次切换)。如果确实需要不抢占,两台都应配 state BACKUP,仅靠 priority 区分主备
- nopreempt
- #↓指定绑定网卡的名称(使用nmcli con查看)
- interface ens33
- #↓ 主备节点上相同的值。virtual_router_id 是用来标识一个特定的 VRRP (Virtual Router Redundancy Protocol)组的,同一个 VRRP 组中的所有节点都应使用相同的 virtual_router_id。
- virtual_router_id 52
- # 如果 script执行失败,则此将降为90(与上面设置的权重一起使用,如果脚本失败会将priority的值减少20)
- priority 110
- # 设置 VRRP 广播消息的时间间隔。目前设置为2秒检查一次,根据您的网络环境和需求。
- advert_int 2
- #↓认证:auth_type PASS 是明文共享口令(最多 8 个字符),随每个 VRRP 通告明文发送,只能防止不同 VRRP 组误配混在一起,防不住同一网段上伪造通告的攻击者(RFC 5798/VRRPv3 已移除认证)。不要照抄示例口令 2222,并用防火墙限制 VRRP(IP 协议号 112)只允许 ha01/ha02 互通(主备节点数值相同)
- authentication {
- auth_type PASS
- auth_pass 2222
- }
- #↓单播模式,主节点IP
- unicast_src_ip 192.168.59.238
- unicast_peer {
- # 备节点的IP
- 192.168.59.239
- }
- virtual_ipaddress {
- # VIP
- 192.168.59.240
- }
- #↓跟踪脚本用于检查haproxy的状态.
- track_script {
- check_haproxy
- }
- }
从节点修改配置文件
- #具体参数配置信息参考ha01,这里只改了 router_id、state、priority 以及 unicast 的本机/对端 IP;vrrp_script 和 weight 与 ha01 保持一致.
- [root@ha02 /etc/keepalived]$cat keepalived.conf
- ! Configuration File for keepalived
- global_defs {
- script_user root
- enable_script_security
- # 主备节点设置不同的 router_id,以便于管理和监控
- router_id ha02
- }
- vrrp_script check_haproxy {
- # script
- script "/etc/keepalived/check_apiserver.sh"
- interval 3
- # script中的指令执行失败或返回值非0时,则相应的vrrp_instance的priority会减少20,此时主节点优先级减20后,值已经低于备节点,就会发生主备切换。
- weight -20
- fall 2
- rise 2
- }
- vrrp_instance VI_1 {
- state BACKUP
- # 不抢占,允许一个priority比较低的节点作为master,即使有priority更高的节点已经启动。
- nopreempt
- interface ens33
- # 主备节点上相同的值。virtual_router_id 是用来标识一个特定的 VRRP (Virtual Router Redundancy Protocol)组的,同一个 VRRP 组中的所有节点都应使用相同的 virtual_router_id。
- virtual_router_id 52
- # 如果 script执行失败,则此将降为80
- priority 100
- # 设置 VRRP 广播消息的时间间隔。目前设置为2秒检查一次,根据您的网络环境和需求。
- advert_int 2
- authentication {
- auth_type PASS
- auth_pass 2222
- }
- # 单播模式备节点IP
- unicast_src_ip 192.168.59.239
- unicast_peer {
- # 主节点(ha01)的IP
- 192.168.59.238
- }
- virtual_ipaddress {
- 192.168.59.240
- }
-
- track_script {
- check_haproxy
- }
- }
两台机器上编写的检查脚本是一样的.(ha01,ha02) 注意:开启了 enable_script_security 后,脚本及其所在目录都不能被非 root 用户写入,否则 keepalived 会拒绝执行;建议 chown root:root /etc/keepalived/check_apiserver.sh && chmod 700 /etc/keepalived/check_apiserver.sh。
- [root@ha01 /etc/keepalived]$pwd
- /etc/keepalived
- [root@ha01 /etc/keepalived]$cat ./check_apiserver.sh
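#!/bin/sh
# Keepalived track script: decides whether this node may hold the API-server
# VIP. Exit 0 = healthy, exit 1 = unhealthy (keepalived then subtracts the
# configured weight from this node's priority).
#
# This is a liveness probe only: it confirms that something speaks TLS and
# answers an HTTP request on the local HAProxy port and, if this node
# currently owns the VIP, on the VIP as well. It does not verify the server
# certificate (--insecure) and does not look at the HTTP status, so a 401/403
# for an unauthenticated request still counts as "up". Do not reuse it as an
# authenticity or authorisation check.
#
# VIP and port are read from the environment so the same file can be deployed
# unchanged on both nodes; the defaults match keepalived.conf / haproxy.cfg.
VIP="${APISERVER_VIP:-192.168.59.240}"
PORT="${APISERVER_PORT:-6443}"

# Print a diagnostic to stderr and fail the check.
errorExit() {
  echo "*** $*" 1>&2
  exit 1
}

# Probe one https endpoint ($1 = host); any HTTP answer within 2s counts as up.
probe() {
  curl --silent --max-time 2 --insecure "https://$1:$PORT/" -o /dev/null \
    || errorExit "Error GET https://$1:$PORT/"
}

probe localhost

# Only probe the VIP on the node that currently carries it. -F plus the
# "inet " prefix and trailing "/" make this a literal match on the configured
# address; an unanchored regex such as 192.168.59.240 would also match other
# addresses because "." matches any character.
if ip -4 addr | grep -qF "inet $VIP/"; then
  probe "$VIP"
fi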
配置haproxy配置文件
ha01
- [root@ha01 /etc/haproxy]$cat haproxy.cfg
- #---------------------------------------------------------------------
- # Example configuration for a possible web application. See the
- # full configuration options online.
- #
- # https://www.haproxy.org/download/1.8/doc/configuration.txt
- #
- #---------------------------------------------------------------------
-
- #---------------------------------------------------------------------
- # Global settings
- #---------------------------------------------------------------------
- global
- #↓日志输出地址为本地,类型为local2
- log 127.0.0.1 local2
- #↓haproxy进程根目录是/var/lib/haproxy18
- chroot /var/lib/haproxy18
- #↓pid文件存放位置
- pidfile /var/run/haproxy18.pid
- #↓最大连接数
- maxconn 5000
- #↓运行用户
- user haproxy
- #↓运行用户组
- group haproxy
- #↓守护进程的方式运行
- daemon
- #↓管理 socket 存放位置(路径在 chroot 内)。建议加上 mode 600 并按需指定 level(user/operator/admin),避免本机其他用户通过该 socket 查看或操作 haproxy
- # turn on stats unix socket
- stats socket /var/lib/haproxy18/stats
-
- #---------------------------------------------------------------------
- # common defaults that all the 'listen' and 'backend' sections will
- # use if not designated in their block
- #---------------------------------------------------------------------
- #↓默认配置字段
- defaults
- #↓使用http连接模式
- mode http
- #↓全局日志模式
- log global
- #↓http日志记录形式
- option httplog
- #↓不记录空请求
- option dontlognull # 不记录没有传输任何数据的空连接(例如监控/负载均衡器的端口探测),避免日志被探测刷满。
- # option http-server-close # HAProxy 在完成 HTTP 请求/响应交换后关闭与后端服务器的连接,而不是保持长连接。这样可以确保每个请求都有一个明确的结束,并且后端服务器不会因为长时间没有活动而主动关闭连接。然而,这也可能导致更高的连接建立开销,尤其是在高并发场景下。
- option forwardfor except 127.0.0.0/8
- option redispatch # 当一个请求已经被分配给某个后端服务器,但由于某种原因(如服务器故障、超时等)无法处理该请求时,HAProxy 将尝试将请求重新分配给另一个健康的后端服务器,而不是直接返回错误给客户端。这有助于提高系统的可用性和容错能力。在某些情况下,例如使用了会话持久化(cookie 或源地址粘滞)的情况下,这项功能尤其有用。
- retries 2 # 在服务器标记为不可用之前,尝试重新发送请求的最大次数;可以将 retries 设置为一个较小的值。
- timeout http-request 5s # 如果在该时间内没有收到完整的 HTTP 请求头,HAProxy 将关闭客户端连接。
- timeout queue 1m # 请求在队列中等待代理的时间限制。
- timeout connect 5s # 连接到后端服务器的超时时间;可以减少到 2s 或更低,以便更快地检测到无法连接的后端服务器。
- timeout client 60s # 客户端(浏览器)的整个会话超时时间。
- timeout server 60s # 后端服务器的整个会话超时时间,值太小,比如15s,可能会影响kubectl logs 查看报`error: unexpected EOF`。
- timeout http-keep-alive 60s # HTTP KeepAlive 的超时时间。
- timeout check 2s # 可以减少到 2s 或更低,以便更快地进行健康检查。
- maxconn 6000 # 最大并发连接数。
-
- #↓定义一个前端,名字是k8s-api
- frontend k8s-api
- #↓0.0.0.0 表示在本机所有 IPv4 地址上监听 6443(包括 VIP 以及 ens35 的 192.168.61.x 地址)。如果 API 入口不应暴露在第二个网段,应只绑定本机 IP 和 VIP(备节点上绑定尚未拥有的 VIP 需要 net.ipv4.ip_nonlocal_bind=1),或者用防火墙限制来源
- bind 0.0.0.0:6443
- #↓本地回环地址。0.0.0.0 已经包含 127.0.0.1,这一行是多余的,保留也无害
- bind 127.0.0.1:6443
- #↓使用哪种模式进行负载均衡
- mode tcp
- #mode http
- #↓启用tcp日志记录功能
- option tcplog
- #option httplog
- #↓处理 TCP 请求时最多等待 5s 以便检查请求内容。这里没有配套的 tcp-request content 规则,所以并不会做任何检查;如无需要可以删掉这一行
- tcp-request inspect-delay 5s
- #↓默认后端是 k8s-master(与下面 backend 的名称一致)
- default_backend k8s-master
- #---------------------------------------------------------------------
- # static backend for serving up images, stylesheets and such
- #---------------------------------------------------------------------
- #backend static
- # balance roundrobin
- # server static 127.0.0.1:4331 check
-
- #---------------------------------------------------------------------
- # round robin balancing between the various backends
- #---------------------------------------------------------------------
- #↓后端代理服务名称
- backend k8s-master
- #↓HTTP 健康检查路径。注意:option httpchk/http-check expect 与下面的 option ssl-hello-chk 是互斥的检查类型,一个 backend 只能生效一种(一般以后声明的为准);而且 httpchk 默认发的是明文 HTTP,对 6443 这种 TLS 端口需要在 server 行加 check-ssl(verify none,或指定 ca-file 做证书校验)才能真正请求到 /healthz
- option httpchk GET /healthz
- #↓期望返回 200。只有 httpchk 真正生效时才有意义
- http-check expect status 200
- #↓使用tcp模式进行负载均衡
- mode tcp
- #↓ssl-hello-chk 只是向后端发一个 SSL ClientHello 并看是否收到 ServerHello,用来确认端口上有 TLS 服务在应答;它不验证证书,也和客户端连接无关。与上面的 httpchk 二选一即可(ha02 上用的是更简单的 option tcp-check)
- option ssl-hello-chk
- #↓日志记录类型是tcplog
- option tcplog
- #↓负载均衡策略师轮询算法
- balance roundrobin
- #↓后端的服务器ip和端口,并且启用健康检查功能,这里有三台服务器.
- server k8s01 192.168.59.241:6443 check
- server k8s02 192.168.59.242:6443 check
- server k8s03 192.168.59.243:6443 check
ha02 haproxy文件配置
- #Example configuration for a possible web application. See the
- # full configuration options online.
- #
- # https://www.haproxy.org/download/1.8/doc/configuration.txt
- #
- #---------------------------------------------------------------------
-
- #---------------------------------------------------------------------
- # Global settings
- #---------------------------------------------------------------------
- global
- # to have these messages end up in /var/log/haproxy.log you will
- # need to:
- #
- # 1) configure syslog to accept network log events. This is done
- # by adding the '-r' option to the SYSLOGD_OPTIONS in
- # /etc/sysconfig/syslog
- #
- # 2) configure local2 events to go to the /var/log/haproxy.log
- # file. A line like the following can be added to
- # /etc/sysconfig/syslog
- #
- # local2.* /var/log/haproxy.log
- #
- log 127.0.0.1 local2
-
- chroot /var/lib/haproxy18
- pidfile /var/run/haproxy18.pid
- maxconn 5000
- user haproxy
- group haproxy
- daemon
-
- # turn on stats unix socket
- stats socket /var/lib/haproxy18/stats
-
- #---------------------------------------------------------------------
- # common defaults that all the 'listen' and 'backend' sections will
- # use if not designated in their block
- #---------------------------------------------------------------------
- defaults
- mode http
- log global
- option httplog
- option dontlognull
- option http-server-close
- option forwardfor except 127.0.0.0/8
- option redispatch
- retries 2
- timeout http-request 5s
- timeout queue 1m
- timeout connect 5s
- timeout client 60s
- timeout server 60s
- timeout http-keep-alive 60s
- timeout check 2s
- maxconn 6000
-
- #---------------------------------------------------------------------
- # main frontend which proxys to the backends
- #---------------------------------------------------------------------
- #frontend main
- # bind *:5000
- # acl url_static path_beg -i /static /images /javascript /stylesheets
- # acl url_static path_end -i .jpg .gif .png .css .js
- #
- # use_backend static if url_static
- # default_backend app
-
- frontend k8s-api
- bind 0.0.0.0:6443
- bind 127.0.0.1:6443
- mode tcp
- option tcplog
- tcp-request inspect-delay 5s
- default_backend k8s-api
- #---------------------------------------------------------------------
- # static backend for serving up images, stylesheets and such
- #---------------------------------------------------------------------
- #backend static
- # balance roundrobin
- # server static 127.0.0.1:4331 check
-
- #---------------------------------------------------------------------
- # round robin balancing between the various backends
- #---------------------------------------------------------------------
- backend k8s-api
- mode tcp
- option tcplog
- option tcp-check
- balance roundrobin
- server k8s01 192.168.59.241:6443 check
- server k8s02 192.168.59.242:6443 check
- server k8s03 192.168.59.243:6443 check
- #启动haproxy。先用 haproxy -c -f /etc/haproxy/haproxy.cfg 检查配置语法;手动拉起只适合测试,正式环境应 systemctl enable --now haproxy,否则重启后不会自动启动
- [root@ha01 /etc/haproxy]$ haproxy -f /etc/haproxy/haproxy.cfg
- #检查进程
- [root@ha01 /etc/haproxy]$ps -ef |grep hap
- haproxy 1955 1 0 15:07 ? 00:00:00 haproxy -f /etc/haproxy/haproxy.cfg
- root 2664 1229 0 15:27 pts/0 00:00:00 grep --color=auto hap
- #检查端口
- [root@ha01 /etc/haproxy]$netstat -lntup|grep haproxy
- tcp 0 0 127.0.0.1:6443 0.0.0.0:* LISTEN 1955/haproxy
- tcp 0 0 0.0.0.0:6443 0.0.0.0:* LISTEN 1955/haproxy
- udp 0 0 0.0.0.0:43905 0.0.0.0:* 1955/haproxy
- #启动keepalived。新版 keepalived 可先用 keepalived -t -f /etc/keepalived/keepalived.conf 检查配置;同样建议用 systemctl enable --now keepalived 管理,并且先启动 haproxy 再启动 keepalived,否则检查脚本一开始就失败、优先级被扣减
- [root@ha01 /etc/keepalived]$keepalived -f /etc/keepalived/keepalived.conf
- #查看进程
- [root@ha01 /etc/haproxy]$ps -ef |grep keep
- root 2012 1 0 15:13 ? 00:00:00 keepalived -f /etc/keepalived/keepalived.conf
- root 2469 2012 0 15:23 ? 00:00:00 keepalived -f /etc/keepalived/keepalived.conf
- root 2735 1229 0 15:29 pts/0 00:00:00 grep --color=auto keep
- #查看ip状态
- #ha01
- [root@ha01 /etc/keepalived]$ip a |grep ens
- 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.59.238/24 brd 192.168.59.255 scope global noprefixroute ens33
- inet 192.168.59.240/32 scope global ens33
- 3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.61.238/24 brd 192.168.61.255 scope global noprefixroute ens35
-
- #ha02
- [root@ha02 /etc/haproxy]$ip a |grep ens
- 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.59.239/24 brd 192.168.59.255 scope global noprefixroute ens33
- 3: ens35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- inet 192.168.61.239/24 brd 192.168.61.255 scope global noprefixroute ens35
-