keepalived+haproxy
一.172.17.60.39ホストにhaproxy+keepalivedを配備します。
1.haproxy環境のインストール
[root@myhost ~]# yum -y install libnl libnl-devel libnfnetlink libnfnetlink-devel kernel-devel popt-devel openssl-devel gcc
[root@myhost ~]# systemctl stop firewalld
[root@myhost ~]# systemctl disable firewalld
[root@myhost ~]# setenforce 0
（firewalld の停止と setenforce 0 は検証環境向けの省略。本番では firewalld を止めずに 80/8011 (TCP) と VRRP（IP プロトコル 112）を許可する。setenforce 0 は再起動で元に戻る。）
[root@myhost ~]# mkdir -pv /services/current_apps
[root@myhost ~]# mkdir -pv /services/download_soft_v
[root@myhost ~]# cd /services/download_soft_v
2.haproxy-1.8.13バージョンをダウンロードして解凍する
[root@myhost download_soft_v]#wget -c http://10.10.9.250/Linux-SYS/haproxy-1.8.13.tar.gz
[root@myhost download_soft_v]#tar zxvf haproxy-1.8.13.tar.gz
[root@myhost download_soft_v]#cd haproxy-1.8.13
3.uname -a でカーネルのバージョンを確認し、次の TARGET の値を環境に合わせて変更する
[root@myhost haproxy-1.8.13]# make TARGET=linux310 USE_OPENSSL=1 ADDLIB=-lz PREFIX=/services/current_apps/haproxy-1.8.13
4.指定したディレクトリに make install でインストールする
[root@myhost haproxy-1.8.13]# make install PREFIX=/services/current_apps/haproxy-1.8.13
5.haproxyユーザーと関連ディレクトリの作成
[root@myhost haproxy-1.8.13]# useradd -s /sbin/nologin haproxy
[root@myhost haproxy-1.8.13]# mkdir -pv /var/lib/haproxy
[root@myhost haproxy-1.8.13]# mkdir -pv /services/current_apps/haproxy-1.8.13/ssl
[root@myhost haproxy-1.8.13]# chown -R haproxy:haproxy /var/lib/haproxy
[root@myhost haproxy-1.8.13]# cp /services/download_soft_v/haproxy-1.8.13/examples/haproxy.init /etc/init.d/haproxy
[root@myhost haproxy-1.8.13]# chmod +x /etc/init.d/haproxy
[root@myhost haproxy-1.8.13]# ln -sf /services/current_apps/haproxy-1.8.13 /etc/haproxy
[root@myhost haproxy-1.8.13]# ln -s /etc/haproxy/sbin/haproxy /usr/sbin/
6.haproxyログディレクトリの設定
[root@myhost haproxy-1.8.13]# mkdir -pv /services/haproxy_logs
[root@myhost haproxy-1.8.13]# echo 'local0.* /services/haproxy_logs/haproxy.log' >> /etc/rsyslog.conf
7.rsyslog を編集して UDP 受信を有効にし（下の2行の先頭の # を外す）、/var/log/messages の行に local0.none を追加する。haproxy は 127.0.0.1 にしか送信しないため、`$UDPServerRun` の前に `$UDPServerAddress 127.0.0.1` を置いて受信を loopback に限定できる。
[root@myhost haproxy-1.8.13]# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
8.再起動rsyslogの変更
[root@myhost haproxy-1.8.13]# systemctl restart rsyslog
9.haproxy のログローテーションを設定する。このファイルを空にしてから、次の内容を貼り付ける。
[root@myhost haproxy-1.8.13]# vi /etc/logrotate.d/haproxy
/services/haproxy_logs/haproxy.log {
daily
rotate 30
missingok
notifempty
dateext
compress
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
service haproxy reload
endscript
}
10.カーネル最適化とip転送の設定
[root@myhost haproxy-1.8.13]# echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[root@myhost haproxy-1.8.13]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@myhost haproxy-1.8.13]# sysctl -p
11.haproxy.cfg を設定する。次の内容をコピーする
[root@myhost haproxy-1.8.13]# vi /etc/haproxy/haproxy.cfg
global
# global: process-wide settings. Both log lines target the local rsyslog UDP
# listener (step 7); local0 is the facility routed to
# /services/haproxy_logs/haproxy.log (step 6).
log 127.0.0.1 local0 info
log 127.0.0.1 local1 notice
maxconn 75535
ulimit-n 655350
# Directory created and chowned to haproxy in step 5.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
nbproc 8 # CPU
#-----------------------------------
# status page.
#-----------------------------------
# defaults: inherited by every frontend/backend below unless overridden.
defaults
log global
mode http
option httplog
retries 3
maxconn 75535
balance leastconn
timeout connect 30s
timeout client 60s
timeout server 60s
timeout http-request 30s
timeout http-keep-alive 30s
timeout queue 1m
timeout check 30s
# frontend: all HTTP on port 80, dispatched by path prefix, then by Host.
frontend web_in
bind *:80
no option http-server-close
# Adds X-Forwarded-For so backends see the real client address.
option forwardfor
acl mzj_web_zxft_acl path_beg -i /zxft
acl mzj_web_jzcx_acl path_beg -i /jzcx
acl mzj_web_login_acl path_beg -i /login
acl mzj_web_welfare_acl path_beg -i /welfare
acl mzj_web_xzsp-web_acl path_beg -i /xzsp-web
acl mzj_web_volunteer_acl path_beg -i /volunteer
acl mzj_web_edu_acl path_beg -i /edu
acl mzj_web_shsw_acl path_beg -i /shsw
# NOTE(review): hdr_reg is a regex with unescaped dots and no anchors, so it
# also matches any Host that merely contains this string; if an exact match
# is intended, hdr(host) -i mzj.sh.gov.cn is the stricter form.
acl mzj_web_acl hdr_reg(host) -i mzj.sh.gov.cn
# Path-prefix rules are evaluated first; the Host rule is the last resort.
use_backend mzj_web_zxft if mzj_web_zxft_acl
use_backend mzj_web_login if mzj_web_login_acl
use_backend mzj_web_jzcx if mzj_web_jzcx_acl
use_backend mzj_web_welfare if mzj_web_welfare_acl
use_backend mzj_web_xzsp-web if mzj_web_xzsp-web_acl
use_backend mzj_web_volunteer if mzj_web_volunteer_acl
use_backend mzj_web_edu if mzj_web_edu_acl
use_backend mzj_web_shsw if mzj_web_shsw_acl
use_backend mzj_web if mzj_web_acl
# Anything not matched above lands on the refuse-url backend.
default_backend refuse-url
#((
# Captured headers are made available to the custom log-format below.
capture request header Host len 64
capture request header User-Agent len 128
capture request header X-Forwarded-For len 100
capture request header Referer len 200
capture response header Server len 40
capture response header Server-ID len 40
\#capture
log-format %ci:%cp\ %si:%sp\ %B\ %U\ %ST\ %r\ %b\ %f\ %bi\ %hrl\ %hsl\
#))
#
# Catch-all backend for requests that match no routing rule.
backend refuse-url
mode http
balance source
server refuse-url 192.168.3.55:80 check rise 2 inter 5000 fall 3
# One server per prefix; cookie SERVERID pins a client to the server that
# answered first. Checks: every 3s, 3 successes to come up, 3 failures to go down.
backend mzj_web
mode http
balance roundrobin
cookie SERVERID
server 60.66_80 172.17.60.66:80 cookie web1 inter 3000 rise 3 fall 3 check
# NOTE(review): the server name (181.45) does not match its address, and the
# same 172.17.60.9:80 is reused by the volunteer backend — confirm intended.
backend mzj_web_login
mode http
balance roundrobin
cookie SERVERID
server 181.45_80 172.17.60.9:80 cookie web1 inter 3000 rise 3 fall 3 check
# NOTE(review): jzcx and zxft both point at 172.17.60.5:80 — confirm intended.
backend mzj_web_jzcx
mode http
balance roundrobin
cookie SERVERID
server 60.5_80 172.17.60.5:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_welfare
mode http
balance roundrobin
cookie SERVERID
server 60.15_80 172.17.60.15:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_xzsp-web
mode http
balance roundrobin
cookie SERVERID
server 60.12_80 172.17.60.12:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_zxft
mode http
balance roundrobin
cookie SERVERID
server 60.5_80 172.17.60.5:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_volunteer
mode http
balance roundrobin
cookie SERVERID
server 60.9_80 172.17.60.9:80 cookie web1 inter 3000 rise 3 fall 3 check
# edu and shsw share host 172.17.60.29 on ports 3001 and 80.
backend mzj_web_edu
mode http
balance roundrobin
cookie SERVERID
server 60.29_3001 172.17.60.29:3001 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_shsw
mode http
balance roundrobin
cookie SERVERID
server 60.29_80 172.17.60.29:80 cookie web1 inter 3000 rise 3 fall 3 check
#-----------------------------------
# monitor status page.
#-----------------------------------
# NOTE(review): the stats page listens on every interface with a static
# username/password kept in this file; bind it to a management address and
# change the credential before the host is reachable from other networks.
listen stats
bind 0.0.0.0:8011
mode http
stats enable
stats refresh 60s
stats hide-version
# NOTE(review): the spaces in the next two values look like extraction
# artefacts of "/hastats" and "Haproxy\ statistic" — confirm against the
# deployed file, since stats uri takes a single argument.
stats uri / hastats
stats realm Haproxy \ statistic
stats auth admin:wdit2017
# Unsuffixed timeouts are in milliseconds.
timeout connect 10000
timeout client 50000
timeout server 50000
# With nbproc 8 above, only process 1 serves the stats listener.
bind-process 1
12.自動起動とディレクトリ権限の設定
[root@myhost haproxy-1.8.13]# chown -R haproxy:haproxy /etc/haproxy
[root@myhost haproxy-1.8.13]# chkconfig haproxy on
13.keepalivedのダウンロード
[root@myhost haproxy-1.8.13]cd/services/download_soft_v
[root@myhost download_soft_v]wget -c http://104.225.234.20/keepalived-2.0.11.tar.gz
[root@myhost download_soft_v]tar -zxvf keepalived-2.0.11.tar.gz
[root@myhost download_soft_v]cd keepalived-2.0.11
14.コンパイルインストール
[root@myhost keepalived-2.0.11]./configure --prefix=/services/current_apps/keepalived-2.0.11
[root@myhost keepalived-2.0.11]make && make install
15.keepalived環境の設定
[root@myhost keepalived-2.0.11]cp/services/download_soft_v/keepalived-2.0.11/keepalived/etc/init.d/keepalived/etc/init.d/
[root@myhost keepalived-2.0.11]ln -sf/services/current_apps/keepalived-2.0.11/etc/keepalived
[root@myhost keepalived-2.0.11]ln -s/etc/keepalived/sbin/keepalived/usr/sbin/
[root@myhost keepalived-2.0.11]chkconfig keepalived on
[root@myhost keepalived-2.0.11]mkdir -pv/etc/keepalived/script
16.haproxy 監視スクリプト check_haproxy_process.sh の編集
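[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/check_haproxy_process.sh
#!/bin/bash
# Tracked by keepalived (vrrp_script chk_haproxy_process in keepalived.conf,
# every 10s): restart haproxy if it is not running; if it is still down 5s
# later, stop keepalived so the VIP fails over to the peer node.

# True when at least one process named "haproxy" exists.
haproxy_running() {
  [ "$(ps -C haproxy --no-header | wc -l)" -gt 0 ]
}

if ! haproxy_running; then
  /etc/init.d/haproxy start
fi
# Give the init script time to fork the daemon before re-checking.
sleep 5
if ! haproxy_running; then
  # Leaving VRRP hands the VIP to the peer (see keepalived.conf).
  /etc/init.d/keepalived stop
fi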
17.notify-master.sh スクリプトの編集
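[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/notify-master.sh
#!/bin/bash
# Run by keepalived when this node becomes VRRP MASTER (notify_master in
# keepalived.conf): mails uptime and the eth0 address list so the failover
# is visible to the operators.

# PLACEHOLDER: the recipient address is redacted on this page; replace it.
RECIPIENT='recipient@example.invalid'

# The original grepped ifconfig for "inet addr:", a net-tools-only layout that
# leaves HOST_IP empty on newer systems; iproute2 output is stable.
# Only the first (primary) address is used when the VIP is also present.
HOST_IP=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1 | head -n1)

{ uptime; ip addr show eth0; echo; } | mail -s "${HOST_IP}-HA change to master." "$RECIPIENT"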
18.2つのスクリプトに実行権限を付ける
[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/check_haproxy_process.sh
[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/notify-master.sh
19./usr/lib/systemd/system/keepalived.service を編集し、[Unit] セクションを次の内容に置き換える。
[root@myhost keepalived-2.0.11]vi /usr/lib/systemd/system/keepalived.service
[Unit]
Description=LVS and VRRP High Availability Monitor
After=syslog.target network-online.target haproxy.service
Requires=haproxy.service
20./root/ulimit.sh を作成し、以下のコードを貼り付ける（このページではヒアドキュメントの本文が欠落している）
[root@myhost keepalived-2.0.11]vi/root/ulimit.sh #!/bin/bash
DATE=`date +%F`
### Limits.conf
cp -f /etc/security/limits.conf /etc/security/limits.conf_$(date +%F)
if [ $? -eq 0 ];then
cat >/etc/security/limits.conf</etc/security/limits.d/90-nproc.conf</etc/sysctl.conf<
21.ulimitスクリプトの実行
[root@myhost keepalived-2.0.11]sh/root/ulimit.sh
22.policy.sh の編集
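[root@myhost keepalived-2.0.11]vi /root/policy.sh
#!/bin/bash
# One-shot host baseline: password ageing, shell idle timeout, no root SSH
# login, an admin user with sudo, and locking of unused system accounts.
# Run once as root (step 23); the sshd restart at the end applies the SSH
# change. Like the original, it keeps going if a single step fails.

# Edit login.defs by key instead of by line number (25c/27c) so the change
# does not depend on the file layout of one distribution release.
sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 7/' /etc/login.defs
# Idle interactive shells are closed after 10 minutes.
sed -i '$a\TMOUT=600' /etc/profile
# Root logs in through the sudo user created below, never directly.
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

useradd mzj
# NOTE(review): the initial password is embedded in this script; outside a
# lab, read it from a root-only file or an environment variable instead.
echo "wdit@123" | passwd --stdin mzj
# A drop-in under sudoers.d replaces the line-number insert (91a) into
# /etc/sudoers; the file is validated and removed again if it does not
# parse, so sudo cannot be left unusable.
printf 'mzj ALL=(ALL) NOPASSWD:ALL\n' > /etc/sudoers.d/mzj
chmod 0440 /etc/sudoers.d/mzj
visudo -cf /etc/sudoers.d/mzj || rm -f /etc/sudoers.d/mzj

# Lock interactive login on unused system accounts.
for i in adm lp sync shutdown halt mail uucp operator games gopher; do
  usermod -L "$i"
done
service sshd restart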
23.policy.sh の実行
[root@myhost keepalived-2.0.11]sh/root/policy.sh
24.keepalived のメイン設定ファイルの編集
[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server mail.wdit.com.cn
smtp_connect_timeout 60
# Name shown in mail alerts; the peer host (section 二) uses HAProxy_CIIE_Master.
router_id HAProxy_CIIE_Slave
}
# Health check from step 16, run every 10s; while it succeeds, weight is
# added to the priority of the instance tracking it.
vrrp_script chk_haproxy_process {
script "/etc/keepalived/script/check_haproxy_process.sh"
interval 10
weight 2
}
# NOTE(review): the instance name differs from the peer's (60.77); peers are
# paired by virtual_router_id, so this is presumably cosmetic — confirm.
vrrp_instance 36.1 {
state BACKUP
interface eth0
# Must be the same on both peers of this pair and unique on the segment.
virtual_router_id 202
# Lower than the peer's 100, so the peer holds the VIP when both are healthy.
priority 90
advert_int 1
smtp_alert
# NOTE(review): PASS authentication sends this key in clear text in every
# advertisement; keepalived's documentation advises against VRRP
# authentication — confirm whether it is wanted here.
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy_process
}
# Floating address shared with the peer.
virtual_ipaddress {
172.17.60.77/32 dev eth0 scope global
}
# Script from step 17, run when this node takes over as MASTER.
notify_master "/etc/keepalived/script/notify-master.sh"
}
25.サービスを起動し、自動起動を有効にする
[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy
二.172.17.60.41ホストにhaproxy+keepalivedを配備します。
1.手順1~23をそっくり繰り返す
2./etc/keepalived/keepalived.conf を編集し、以下の内容を貼り付ける
[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server mail.wdit.com.cn
smtp_connect_timeout 60
#router_id MUST BE different in the same network
router_id HAProxy_CIIE_Master
}
# Same health check as on the first host (step 16), every 10s; weight 2 is
# added to the priority while it succeeds.
vrrp_script chk_haproxy_process {
script "/etc/keepalived/script/check_haproxy_process.sh"
interval 10
weight 2
}
vrrp_instance 60.77 {
state MASTER
interface eth0
# ID MUST BE the same on both peers of this pair (the first host also uses
# 202) and different from any other VRRP group on the same segment.
virtual_router_id 202
# Higher than the peer's 90, so this host holds the VIP when both are healthy.
priority 100
advert_int 1
smtp_alert
# NOTE(review): PASS authentication sends this key in clear text in every
# advertisement; keepalived's documentation advises against VRRP
# authentication — confirm whether it is wanted here.
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy_process
}
# Floating address shared with the peer.
virtual_ipaddress {
172.17.60.77/32 dev eth0 scope global
}
notify_master "/etc/keepalived/script/notify-master.sh"
}
3.サービスを起動し、自動起動を有効にする
[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy
$ModLoad imudp
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
/services/haproxy_logs/haproxy.log {
daily
rotate 30
missingok
notifempty
dateext
compress
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
service haproxy reload
endscript
}
global
log 127.0.0.1 local0 info
log 127.0.0.1 local1 notice
maxconn 75535
ulimit-n 655350
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
nbproc 8 # CPU
#-----------------------------------
# status page.
#-----------------------------------
defaults
log global
mode http
option httplog
retries 3
maxconn 75535
balance leastconn
timeout connect 30s
timeout client 60s
timeout server 60s
timeout http-request 30s
timeout http-keep-alive 30s
timeout queue 1m
timeout check 30s
frontend web_in
bind *:80
no option http-server-close
option forwardfor
acl mzj_web_zxft_acl path_beg -i /zxft
acl mzj_web_jzcx_acl path_beg -i /jzcx
acl mzj_web_login_acl path_beg -i /login
acl mzj_web_welfare_acl path_beg -i /welfare
acl mzj_web_xzsp-web_acl path_beg -i /xzsp-web
acl mzj_web_volunteer_acl path_beg -i /volunteer
acl mzj_web_edu_acl path_beg -i /edu
acl mzj_web_shsw_acl path_beg -i /shsw
acl mzj_web_acl hdr_reg(host) -i mzj.sh.gov.cn
use_backend mzj_web_zxft if mzj_web_zxft_acl
use_backend mzj_web_login if mzj_web_login_acl
use_backend mzj_web_jzcx if mzj_web_jzcx_acl
use_backend mzj_web_welfare if mzj_web_welfare_acl
use_backend mzj_web_xzsp-web if mzj_web_xzsp-web_acl
use_backend mzj_web_volunteer if mzj_web_volunteer_acl
use_backend mzj_web_edu if mzj_web_edu_acl
use_backend mzj_web_shsw if mzj_web_shsw_acl
use_backend mzj_web if mzj_web_acl
default_backend refuse-url
#((
capture request header Host len 64
capture request header User-Agent len 128
capture request header X-Forwarded-For len 100
capture request header Referer len 200
capture response header Server len 40
capture response header Server-ID len 40
\#capture
log-format %ci:%cp\ %si:%sp\ %B\ %U\ %ST\ %r\ %b\ %f\ %bi\ %hrl\ %hsl\
#))
#
backend refuse-url
mode http
balance source
server refuse-url 192.168.3.55:80 check rise 2 inter 5000 fall 3
backend mzj_web
mode http
balance roundrobin
cookie SERVERID
server 60.66_80 172.17.60.66:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_login
mode http
balance roundrobin
cookie SERVERID
server 181.45_80 172.17.60.9:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_jzcx
mode http
balance roundrobin
cookie SERVERID
server 60.5_80 172.17.60.5:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_welfare
mode http
balance roundrobin
cookie SERVERID
server 60.15_80 172.17.60.15:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_xzsp-web
mode http
balance roundrobin
cookie SERVERID
server 60.12_80 172.17.60.12:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_zxft
mode http
balance roundrobin
cookie SERVERID
server 60.5_80 172.17.60.5:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_volunteer
mode http
balance roundrobin
cookie SERVERID
server 60.9_80 172.17.60.9:80 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_edu
mode http
balance roundrobin
cookie SERVERID
server 60.29_3001 172.17.60.29:3001 cookie web1 inter 3000 rise 3 fall 3 check
backend mzj_web_shsw
mode http
balance roundrobin
cookie SERVERID
server 60.29_80 172.17.60.29:80 cookie web1 inter 3000 rise 3 fall 3 check
#-----------------------------------
# monitor status page.
#-----------------------------------
listen stats
bind 0.0.0.0:8011
mode http
stats enable
stats refresh 60s
stats hide-version
stats uri / hastats
stats realm Haproxy \ statistic
stats auth admin:wdit2017
timeout connect 10000
timeout client 50000
timeout server 50000
bind-process 1
#!/bin/bash
DATE=`date +%F`
### Limits.conf
cp -f /etc/security/limits.conf /etc/security/limits.conf_$(date +%F)
if [ $? -eq 0 ];then
cat >/etc/security/limits.conf</etc/security/limits.d/90-nproc.conf</etc/sysctl.conf<
! Configuration File for keepalived
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server mail.wdit.com.cn
smtp_connect_timeout 60
router_id HAProxy_CIIE_Slave
}
vrrp_script chk_haproxy_process {
script "/etc/keepalived/script/check_haproxy_process.sh"
interval 10
weight 2
}
vrrp_instance 36.1 {
state BACKUP
interface eth0
virtual_router_id 202
priority 90
advert_int 1
smtp_alert
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy_process
}
virtual_ipaddress {
172.17.60.77/32 dev eth0 scope global
}
notify_master "/etc/keepalived/script/notify-master.sh"
}
! Configuration File for keepalived
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server mail.wdit.com.cn
smtp_connect_timeout 60
#router_id MUST BE different in the same network
router_id HAProxy_CIIE_Master
}
vrrp_script chk_haproxy_process {
script "/etc/keepalived/script/check_haproxy_process.sh"
interval 10
weight 2
}
vrrp_instance 60.77 {
state MASTER
interface eth0
#ID MUST BE different in the same network
virtual_router_id 202
priority 100
advert_int 1
smtp_alert
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy_process
}
virtual_ipaddress {
172.17.60.77/32 dev eth0 scope global
}
notify_master "/etc/keepalived/script/notify-master.sh"
}