keepalived+haproxy


一.172.17.60.39ホストにhaproxy+keepalivedを配備します。


1.haproxy環境のインストール


[root@myhost ~]# yum -y install libnl libnl-devel libnfnetlink libnfnetlink-devel kernel-devel popt-devel openssl-devel gcc
[root@myhost ~]# systemctl stop firewalld
[root@myhost ~]# systemctl disable firewalld
[root@myhost ~]# setenforce 0
[root@myhost ~]# mkdir -pv /services/current_apps
[root@myhost ~]# mkdir -pv /services/download_soft_v
[root@myhost ~]# cd /services/download_soft_v

2.haproxy-1.8.13バージョンをダウンロードして解凍する


[root@myhost download_soft_v]#wget -c http://10.10.9.250/Linux-SYS/haproxy-1.8.13.tar.gz
[root@myhost download_soft_v]#tar zxvf haproxy-1.8.13.tar.gz
[root@myhost download_soft_v]#cd haproxy-1.8.13

3. uname -a でシステムバージョン情報を確認する（環境に応じて変更）


[[email protected]]make TARGET=linux310 USE_OPENSSL=1 ADDLIB=-lz PREFIX=/services/current_apps/haproxy-1.8.13

4.指定したディレクトリにmake installでインストール


[[email protected]]make install PREFIX=/services/current_apps/haproxy-1.8.13

5.haproxyユーザーと関連ディレクトリの作成


[[email protected]]useradd -s /sbin/nologin haproxy
[[email protected]]mkdir -pv /var/lib/haproxy
[[email protected]]mkdir -pv /services/current_apps/haproxy-1.8.13/ssl
[[email protected]]chown -R haproxy:haproxy /var/lib/haproxy
[[email protected]]cp /services/download_soft_v/haproxy-1.8.13/examples/haproxy.init /etc/init.d/haproxy
[[email protected]]chmod +x /etc/init.d/haproxy
[[email protected]]ln -sf /services/current_apps/haproxy-1.8.13 /etc/haproxy
[[email protected]]ln -s /etc/haproxy/sbin/haproxy /usr/sbin/

6.haproxyログディレクトリの設定


[[email protected]]mkdir -pv /services/haproxy_logs
[[email protected]]echo 'local0.* /services/haproxy_logs/haproxy.log' >> /etc/rsyslog.conf

7. rsyslog を編集して UDP 受信を有効にし（下の2行の先頭のコメント記号を外す）、local0.none を追加する


[[email protected]]vi /etc/rsyslog.conf
# Enable the UDP syslog input that haproxy sends to (log 127.0.0.1 local0/local1).
$ModLoad imudp
# NOTE(review): with no address given this listens on every interface, and
# firewalld was disabled in step 1, so any host on the network can inject
# records into the haproxy log; adding "$UDPServerAddress 127.0.0.1" before
# $UDPServerRun limits it to loopback, which is all haproxy on this node needs.
$UDPServerRun 514
# local0.none keeps the haproxy traffic out of /var/log/messages; it goes to
# /services/haproxy_logs/haproxy.log via the rule appended in step 6.
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages

8. rsyslog を再起動して変更を反映する


[[email protected]]systemctl restart rsyslog

9. haproxy のログローテーションを設定する。このファイルの内容を空にして、次のコードを貼り付けます。


[[email protected]]vi /etc/logrotate.d/haproxy
            # Daily rotation of the haproxy log that rsyslog writes (local0.* -> this file).
            /services/haproxy_logs/haproxy.log {
            daily
            rotate 30
            missingok
            notifempty
            dateext
            compress
            sharedscripts
            postrotate
            # rsyslog keeps the file open, so it must be HUPed to reopen the new
            # file; both pid-file names are tried because the name depends on the
            # syslog implementation, and either may be absent.
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
            /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
            # NOTE(review): haproxy logs over UDP to rsyslog (haproxy.cfg "log
            # 127.0.0.1"), not to this file, so a haproxy reload is not required
            # for rotation and this reloads the proxy every day — confirm it is wanted.
            service haproxy reload
            endscript
            }

10.カーネル最適化とip転送の設定


[[email protected]]echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf
[[email protected]]echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[[email protected]]sysctl -p

11. haproxy.cfg を構成する。次のコードをコピーする


[[email protected]]vi /etc/haproxy/haproxy.cfg
# /etc/haproxy/haproxy.cfg for this node: one frontend on :80 that routes by
# URL path (and by Host header) to per-application backends, plus a stats
# listener on :8011.
global
                log 127.0.0.1   local0 info
                log 127.0.0.1   local1 notice
                maxconn 75535
                ulimit-n 655350
                chroot /var/lib/haproxy
                pidfile /var/run/haproxy.pid
                user haproxy
                group haproxy
                daemon
                nbproc 8    #    CPU    
                # NOTE(review): with nbproc > 1 each process keeps its own
                # counters; the stats listener at the bottom is pinned to
                # process 1 (bind-process) and so reports that process only.

#-----------------------------------
# defaults, inherited by every frontend/backend below.
#-----------------------------------
defaults
                log global
                mode    http
                option  httplog
                retries 3
                maxconn 75535
                balance leastconn
                timeout connect 30s
                timeout client  60s
                timeout server  60s
                timeout http-request    30s
                timeout http-keep-alive 30s
                timeout queue           1m
                timeout check           30s
frontend web_in
                bind *:80
                no option http-server-close
                option forwardfor

                acl mzj_web_zxft_acl path_beg -i /zxft
                acl mzj_web_jzcx_acl path_beg -i /jzcx
                acl mzj_web_login_acl path_beg -i /login
                acl mzj_web_welfare_acl path_beg -i /welfare
                acl mzj_web_xzsp-web_acl path_beg -i /xzsp-web
                acl mzj_web_volunteer_acl path_beg -i /volunteer
                acl mzj_web_edu_acl path_beg -i /edu
                acl mzj_web_shsw_acl path_beg -i /shsw
                # NOTE(review): hdr_reg(host) is an unanchored regex with
                # unescaped dots, so any Host that merely contains this text
                # also matches; "hdr(host) -i mzj.sh.gov.cn" would match the
                # exact name — confirm the intent before tightening.
                acl mzj_web_acl hdr_reg(host) -i mzj.sh.gov.cn

                # path ACLs are evaluated first; the Host ACL is the catch-all
                use_backend mzj_web_zxft if mzj_web_zxft_acl
                use_backend mzj_web_login if mzj_web_login_acl
                use_backend mzj_web_jzcx if mzj_web_jzcx_acl
                use_backend mzj_web_welfare if mzj_web_welfare_acl
                use_backend mzj_web_xzsp-web if mzj_web_xzsp-web_acl
                use_backend mzj_web_volunteer if mzj_web_volunteer_acl
                use_backend mzj_web_edu if mzj_web_edu_acl
                use_backend mzj_web_shsw if mzj_web_shsw_acl
                use_backend mzj_web if mzj_web_acl
# Requests matching no ACL are not rejected here: the refuse-url backend
# forwards them to 192.168.3.55:80 (see below). "http-request deny" would
# reject them locally instead — confirm which behaviour is wanted.
default_backend refuse-url

# NOTE(review): only the "#((" and "#))" marker lines are comments; the
# capture and log-format lines between them are parsed as part of frontend
# web_in. The line starting with "\#capture" is not a comment either (the
# backslash escapes the '#') and probably fails to parse — check against
# the original file.
#((
        capture request header Host len 64
        capture request header User-Agent len 128
        capture request header X-Forwarded-For len 100
        capture request header Referer len 200
        capture response header Server len 40
        capture response header Server-ID len 40
        \#capture    
        log-format %ci:%cp\ %si:%sp\ %B\ %U\ %ST\ %r\ %b\ %f\ %bi\ %hrl\ %hsl\
#))

# catch-all backend for requests that matched no routing ACL
backend refuse-url
                mode http
                balance source
                server refuse-url 192.168.3.55:80 check rise 2 inter 5000 fall 3
backend mzj_web
                mode http
                balance roundrobin
                # NOTE(review): every backend below has a single server, so the
                # SERVERID persistence cookie adds nothing today; no cookie mode
                # (insert/rewrite/prefix) or httponly/secure flags are given —
                # confirm what the backend application expects.
                cookie SERVERID
                server 60.66_80 172.17.60.66:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_login
                mode http
                balance roundrobin
                cookie SERVERID
                server 181.45_80 172.17.60.9:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_jzcx
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.5_80 172.17.60.5:80  cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_welfare
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.15_80 172.17.60.15:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_xzsp-web
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.12_80 172.17.60.12:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_zxft
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.5_80 172.17.60.5:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_volunteer
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.9_80 172.17.60.9:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_edu
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.29_3001 172.17.60.29:3001   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_shsw
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.29_80 172.17.60.29:80 cookie web1 inter 3000 rise 3 fall 3  check

#-----------------------------------
# monitor status page.
#-----------------------------------
# NOTE(review): the stats page is bound on every interface, served over plain
# HTTP, and protected only by a static basic-auth password kept in clear text
# in this file; firewalld was disabled in step 1, so nothing else restricts
# access. Binding it to a management address, restricting it with an ACL
# (acl + http-request deny), or terminating TLS on this listener would reduce
# the exposure, and the password should be rotated now that it has been
# pasted into a tutorial.
listen stats
                bind 0.0.0.0:8011
                mode http
                stats enable
                stats refresh 60s
                stats hide-version
                # NOTE(review): "stats uri" takes one path argument and "stats
                # realm" one string; the spaces in "/ hastats" and
                # "Haproxy \ statistic" look like transcription artefacts for
                # "/hastats" and "Haproxy\ statistic" — confirm before use.
                stats uri / hastats
                stats realm Haproxy \ statistic
                stats auth admin:wdit2017
                timeout connect 10000
                timeout client  50000
                timeout server  50000
                bind-process    1

12. 自動起動とディレクトリ権限の設定


[[email protected]]chown -R haproxy:haproxy /etc/haproxy
[[email protected]]chkconfig haproxy on

13.keepalivedのダウンロード


[root@myhost haproxy-1.8.13]cd /services/download_soft_v
[root@myhost download_soft_v]wget -c http://104.225.234.20/keepalived-2.0.11.tar.gz
[root@myhost download_soft_v]tar -zxvf keepalived-2.0.11.tar.gz
[root@myhost download_soft_v]cd keepalived-2.0.11

14.コンパイルインストール


[root@myhost keepalived-2.0.11]./configure --prefix=/services/current_apps/keepalived-2.0.11
[root@myhost keepalived-2.0.11]make && make install

15.keepalived環境の設定


[root@myhost keepalived-2.0.11]cp /services/download_soft_v/keepalived-2.0.11/keepalived/etc/init.d/keepalived /etc/init.d/
[root@myhost keepalived-2.0.11]ln -sf /services/current_apps/keepalived-2.0.11 /etc/keepalived
[root@myhost keepalived-2.0.11]ln -s /etc/keepalived/sbin/keepalived /usr/sbin/
[root@myhost keepalived-2.0.11]chkconfig keepalived on
[root@myhost keepalived-2.0.11]mkdir -pv /etc/keepalived/script

16. HA 検出スクリプトファイルの編集


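[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/check_haproxy_process.sh
#!/bin/bash
# keepalived vrrp_script: keep haproxy running on this node. If haproxy is not
# running it is started; if it is still not running after a grace period,
# keepalived is stopped so that the VIP moves to the peer node.
# Exit status: 0 while haproxy is running, 1 when it could not be restarted
# (keepalived treats non-zero as a failed check and logs it).

# True when at least one haproxy process exists (nbproc > 1 gives several).
haproxy_running() {
  [[ "$(ps -C haproxy --no-header | wc -l)" -gt 0 ]]
}

if ! haproxy_running; then
  /etc/init.d/haproxy start
fi

# Give the init script time to fork the worker processes before re-checking.
sleep 5

if ! haproxy_running; then
  /etc/init.d/keepalived stop
  exit 1
fi
exit 0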

17. notify-master.sh スクリプトを編集する


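[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/notify-master.sh
#!/bin/bash
# keepalived notify_master hook: mail a short status report (uptime and the
# eth0 addresses) whenever this node becomes MASTER for the VIP.
# Runs non-interactively from keepalived; must never prompt or block.
#
# NOTE(review): as transcribed, HOST_IP was a quoted literal string rather
# than a command substitution, and it parsed "ifconfig ... 'inet addr'",
# which only matches the legacy net-tools output format. The address is
# taken from `ip` instead, which the report body already relies on.
HOST_IP=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1 | head -n 1)

{
  uptime
  ip addr show eth0
  echo
} | mail -s "${HOST_IP}-HA change to master." [email protected]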

18. 2つのスクリプトに実行権限を追加する


[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/check_haproxy_process.sh
[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/notify-master.sh

19. /usr/lib/systemd/system/keepalived.service を編集し、[Unit] セクションを次の内容に置き換えます。


[root@myhost keepalived-2.0.11]vi /usr/lib/systemd/system/keepalived.service
[Unit]
Description=LVS and VRRP High Availability Monitor
# Order keepalived after haproxy so the VIP is never announced before the
# proxy is up. Requires= also stops keepalived whenever haproxy.service is
# stopped. haproxy here is installed as the SysV script /etc/init.d/haproxy
# (step 5), so "haproxy.service" is presumably the unit systemd generates for
# it — confirm the name resolves on this host (systemctl status haproxy).
After=syslog.target network-online.target haproxy.service
Requires=haproxy.service

20. vi で /root/ulimit.sh を編集し、以下のコードを貼り付ける


[root@myhost keepalived-2.0.11]vi /root/ulimit.sh
#!/bin/bash
# /root/ulimit.sh: back up /etc/security/limits.conf with a date suffix and
# then rewrite the limits / nproc / sysctl files.
# NOTE(review): as transcribed this script is incomplete — the here-document
# bodies written to limits.conf, 90-nproc.conf and sysctl.conf and the
# closing "fi" are missing, so it cannot be run as shown; restore them from
# the original file before running step 21.
    DATE=`date +%F`   # not used in the visible lines; the cp below recomputes the date

### Limits.conf
    cp -f /etc/security/limits.conf /etc/security/limits.conf_$(date +%F)
    if [ $? -eq 0 ];then
    cat >/etc/security/limits.conf</etc/security/limits.d/90-nproc.conf</etc/sysctl.conf<

21.ulimitスクリプトの実行


[root@myhost keepalived-2.0.11]sh /root/ulimit.sh

22. policy.sh を編集する


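[root@myhost keepalived-2.0.11]vi /root/policy.sh
#!/bin/bash
# /root/policy.sh: baseline account and SSH hardening for this node.
#   - password ageing / minimum length in /etc/login.defs
#   - shell idle timeout (TMOUT) in /etc/profile
#   - disable root login over SSH, then restart sshd
#   - create the admin account "mzj" with sudo rights
#   - lock the unused system accounts
# Run as root. The password for mzj is read from the MZJ_PASSWORD environment
# variable, or prompted for when it is unset, so that it is not stored in this
# file; pass it on the command line only via the environment, never as argv.
set -u

# Edit the existing (possibly commented-out) setting in place. The original
# replaced fixed line numbers (25c / 27c), which clobbers whatever happens to
# be on those lines in a differently laid-out login.defs.
sed -i -E 's/^#?[[:space:]]*PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i -E 's/^#?[[:space:]]*PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 7/' /etc/login.defs

# Append TMOUT only once so that re-running the script stays idempotent.
grep -q '^TMOUT=' /etc/profile || printf '%s\n' 'TMOUT=600' >> /etc/profile

# Covers both "#PermitRootLogin yes" (stock default) and an explicit setting.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

if [[ -z "${MZJ_PASSWORD:-}" ]]; then
  read -r -s -p 'Password for user mzj: ' MZJ_PASSWORD
  echo
fi
id mzj >/dev/null 2>&1 || useradd mzj
printf '%s\n' "$MZJ_PASSWORD" | passwd --stdin mzj
unset MZJ_PASSWORD

# Install the sudo rule as a drop-in and validate it before keeping it; the
# original appended to /etc/sudoers at a fixed line (91a), where a syntax
# error breaks sudo for every user. Assumes /etc/sudoers has
# "#includedir /etc/sudoers.d" (the stock default) — confirm.
# NOTE(review): NOPASSWD:ALL makes mzj root-equivalent with no second check,
# which largely undoes PermitRootLogin=no above; consider dropping NOPASSWD.
printf '%s\n' 'mzj ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/mzj
chmod 0440 /etc/sudoers.d/mzj
visudo -cf /etc/sudoers.d/mzj || rm -f /etc/sudoers.d/mzj

for u in adm lp sync shutdown halt mail uucp operator games gopher; do
  usermod -L "$u"
done

# Validate the SSH configuration before restarting so that a typo cannot
# lock out remote access.
sshd -t && service sshd restart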

23. policy.sh を実行する


[root@myhost keepalived-2.0.11]sh /root/policy.sh

24.keepalivedプライマリプロファイルの編集


[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
! BACKUP node for the shared VIP 172.17.60.77; the peer (section 二) runs the
! same virtual_router_id as MASTER with priority 100.

global_defs {
        notification_email {
        [email protected]
        }

        notification_email_from [email protected]
        smtp_server mail.wdit.com.cn
        smtp_connect_timeout 60
        # must be unique per node; the peer uses HAProxy_CIIE_Master
        router_id HAProxy_CIIE_Slave
}

# Health check for haproxy (script from step 16): it restarts haproxy and, if
# that fails, stops keepalived so the VIP moves to the peer.
# NOTE(review): with weight 2 a passing check only adds 2 to the priority
# (BACKUP 90 -> 92, MASTER 100 -> 102), so a failing check on the MASTER never
# drops it below the BACKUP; failover relies entirely on the script stopping
# keepalived. A negative weight, or weight 0 (which puts the instance into
# FAULT on failure), would let the check itself drive failover — confirm
# against the keepalived.conf(5) manual for 2.0.11.
vrrp_script chk_haproxy_process {
     script "/etc/keepalived/script/check_haproxy_process.sh"
     interval 10
     weight 2
}

# Instance names are local to each node (the peer calls its instance 60.77);
# what must match on both nodes is virtual_router_id and the auth_pass.
vrrp_instance 36.1 {
        state BACKUP
        # eth0 is assumed here, in the VIP below and in notify-master.sh;
        # confirm the interface name on this host (CentOS 7 may use ens*).
        interface eth0
        virtual_router_id 202
        priority 90
        advert_int 1
        smtp_alert
        # NOTE(review): VRRP "PASS" authentication puts this value on the wire
        # in clear text and is documented as deprecated by keepalived; the
        # placeholder 1111 should at least be replaced (identically on both
        # nodes). Isolating VRRP traffic (dedicated VLAN, or filtering
        # protocol 112 / 224.0.0.18 to the peer only) is the effective
        # control, particularly since firewalld was disabled in step 1.
        authentication {
                auth_type PASS
                auth_pass 1111
        }
        track_script {
                chk_haproxy_process
        }
        virtual_ipaddress {
                172.17.60.77/32 dev eth0 scope global
        }
        # mails a status report (step 17) each time this node takes over
                notify_master "/etc/keepalived/script/notify-master.sh"

}

25. サービスを開始し、自動起動を有効にする


[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy

二.172.17.60.41ホストにhaproxy+keepalivedを配備します。


1. 手順1〜23をそのまま繰り返す


2. /etc/keepalived/keepalived.conf を編集し、以下のコードを貼り付けます


[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf
        ! Configuration File for keepalived
        ! MASTER node (172.17.60.41) for the shared VIP 172.17.60.77; the BACKUP
        ! node (section 一) uses priority 90 and the same virtual_router_id.

        global_defs {
                notification_email {
                [email protected]
                }

                notification_email_from [email protected]
                smtp_server mail.wdit.com.cn
                smtp_connect_timeout 60
                #router_id MUST BE different in the same network
                router_id HAProxy_CIIE_Master
                }

# Health check for haproxy (script from step 16); it stops keepalived when
# haproxy cannot be restarted, which is what actually hands the VIP over.
# NOTE(review): weight 2 only adds 2 on success (100 -> 102 here, 90 -> 92 on
# the BACKUP), so a failing check alone never demotes this node; a negative
# or zero weight would make the tracked state drive failover — confirm
# against the keepalived.conf(5) manual for 2.0.11.
vrrp_script chk_haproxy_process {
     script "/etc/keepalived/script/check_haproxy_process.sh"
     interval 10
     weight 2
}

vrrp_instance 60.77 {
        state MASTER
        # eth0 is assumed here, in the VIP below and in notify-master.sh;
        # confirm the interface name on this host.
        interface eth0
                #ID MUST BE different in the same network
        virtual_router_id 202
        priority 100
        advert_int 1
        smtp_alert
        # NOTE(review): VRRP "PASS" authentication is sent in clear text and is
        # documented as deprecated by keepalived; replace the placeholder 1111
        # (identically on both nodes) and prefer isolating or filtering VRRP
        # traffic on the segment, since firewalld was disabled in step 1.
        authentication {
                auth_type PASS
 auth_pass 1111
        }
        track_script {
                chk_haproxy_process
        }
        virtual_ipaddress {
                172.17.60.77/32 dev eth0 scope global
        }
        # mails a status report (step 17) each time this node takes over
        notify_master "/etc/keepalived/script/notify-master.sh"
}

3. サービスを開始し、自動起動を有効にする


[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy