当健康和在线时,为什么虚拟IP地址不会从备份系统中丢失?
看起来两个系统都在广播vrrp广告.来自备份系统上的tcpdump:
betaproxyslc01.fakecorp.com > vrrp.mcast.net: vrrp betaproxyslc01.fakecorp.com > vrrp.mcast.net: VRRPv2,Advertisement,vrid 51, prio 150,authtype simple,intvl 1s,length 20,>addrs: virtual-app.fakecorp.com auth “password”
15:52:24.541637 IP (tos 0xc0,ttl 255,id 1611,offset 0,flags [none],proto VRRP (112),length 40)betaproxyslc02.fakecorp.com > vrrp.mcast.net: vrrp betaproxyslc02.fakecorp.com > vrrp.mcast.net: VRRPv2, prio 100, authtype simple,>addrs: virtual-app.fakecorp.com auth “password”
15:52:25.410073 IP (tos 0xc0,id 1779,length 40)
但是使用ip addr命令在两台主机上显示虚拟IP地址.
这是配置:
global_defs {
notification_email {
me@fakecorp.com
}
notification_email_from keepalived@betaproxyslc01.fakecorp.com
smtp_server mysmtpserver.fakecorp.com
smtp_connect_timeout 30
router_id BETAPROXYSLC01
}
vrrp_script chk_haproxy{
script "killall -0 haproxy"
interval 2 # check every 2 seconds
weight 2 # add 2 points of prio if OK
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 150
advert_int 1
notify /usr/local/bin/notify.sh
authentication {
auth_type PASS
auth_pass keep0ut!
}
virtual_ipaddress {
10.10.0.40
}
track_script{
chk_haproxy
}
}
在BACKUP服务器上,router_id不同,状态为BACKUP,优先级为100.其他设置相同.
这是在CentOS 7上安装的,使用Keepalived v1.2.10(06 / 10,2014),一个Hyper-V来宾VM,带有3.10.0-123.8.1.el7.x86_64内核.
解决方法
因此,您只需要允许具有这些特定参数的传入和传出流量,以便VRRP正常工作.通常提到的防火墙规则是多余的,并且不必要地广泛制定.
我建议你使用这些防火墙规则:
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT firewall-cmd --reload
[1] http://tools.ietf.org/html/rfc5798#section-5.1.1.2
[2] http://tools.ietf.org/html/rfc5798#section-5.1.1.4
