一、环境规划
-
操作系统:CentOS6.5 x86_64
-
内核版本:2.6.32-504.el6.x86_64
-
Nginx版本:nginx-1.8.0-1.el6.ngx.x86_64
-
Keepalived版本:keepalived-1.2.19
前端双Nginx+Keepalived,Nginx反向代理到后端tomcat集群实现负载均衡,Keepalived实现集群高可用,主nginx故障后虚拟IP自动漂移到备nginx。
主nginx:192.168.60.48
备nginx:192.168.60.49
虚拟IP:192.168.60.50
后端tomcat集群:192.168.60.51、192.168.60.52、192.168.60.53
后端每个主机都开启两个端口提供业务:16915、16916
二、安装
前端两台主机分别安装nginx和keepalived。
1)编译安装keepalived
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | # 安装依赖 yum install kernel-* gcc make openssl-* # 下载keepalived-1.2.19.tar.gz wget http: //www .keepalived.org /software/keepalived-1 .2.19. tar .gz # 解压 tar xvzf keepalived-1.2.19. tar .gz cd keepalived-1.2.19 # 配置 . /configure --sysconfdir= /etc --with-kernel- dir = /usr/src/kernels/2 .6.32-504.el6.x86_64 # 编译并安装 make && make install # 查看keepalived版本,验证安装成功 keepalived - v # 设置开机自启动 chkconfig keepalived on |
注:用yum也可安装keepalived,不过版本要低一些。
2)RPM包安装Nginx
官方nginx yum源:
| 1 2 3 4 5 | [nginx] name=nginx repo baseurl=http: //nginx .org /packages/centos/ $releasever/$basearch/ enabled=1 gpgcheck=0 |
yum源设置好后直接安装即可:
| 1 2 | yum install nginx chkconfig nginx on |
三、配置
1)前端两台主机nginx的配置完全一样
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | # vim /etc/nginx/conf.d/upstream.conf upstream tomcatclu_16915 { server 192.168.60.51:16915; server 192.168.60.52:16915; server 192.168.60.53:16915; ip_hash; } upstream tomcatclu_16916 { server 192.168.60.51:16916; server 192.168.60.52:16916; server 192.168.60.53:16916; ip_hash; } # vim /etc/nginx/conf.d/server.conf server { listen 16915; server_name _; location / { proxy_pass http: //tomcatclu_16915 ; } location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; # 要允许公司ip访问nginx status allow 192.168.252.0 /24 ; deny all; } } server { listen 16916; server_name _; location / { proxy_pass http: //tomcatclu_16916 ; } location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; # 要允许公司ip访问nginx status allow 192.168.252.0 /24 ; deny all; } } |
2)nginx_master的keepalived配置
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | [root@nginx_master ~] # vim /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id nginx-ha1 } vrrp_script check_nginx { # 检查nginx状态的脚本,文章后面给出 script "/data/script/check_nginx.sh" # 执行间隔2秒 interval 2 } vrrp_instance VI_1 { # 两台主机都是BACKUP state BACKUP interface eth0 # 同一keepalived集群的virtual_router_id 必须相同,默认51 virtual_router_id 55 # 主的优先级高 priority 100 advert_int 1 # 不抢占:如果集群里已存在MASTER状态的主机,即使优先级高于MASTER也不抢占为MASTER。只在优先级高的主机上设置即可。 nopreempt authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { # 虚拟IP 192.168.60.50 } track_script { check_nginx } } |
3)nginx_slave的keepalived配置
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | [root@nginx_slave ~] # vim /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id nginx-ha2 } vrrp_script check_nginx { script "/data/script/check_nginx.sh" interval 2 } vrrp_instance VI_1 { state BACKUP interface eth0 virtual_router_id 55 # 备的优先级低 priority 80 advert_int 1 authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 192.168.60.50 } track_script { check_nginx } } |
4)防火墙设置
| 1 2 3 | # iptables放行组播地址流量: iptables -I INPUT -d 224.0.0.18 -j ACCEPT service iptables save |
VRRP报文是通过IP多播形式发送的,组播地址224.0.0.18是VRRP报文的目的地址。
本实验里,两个主机都是BACKUP,如果同时启动keepalived,VRRP协议通过竞选使优先级高的主机做为MASTER。如果防火墙没有允许VRRP报文通过的话,两个BACKUP都会成为MASTER,你会发现两个主机都启动了虚拟IP。 5)部署nginx状态检查脚本check_nginx.sh/data/script/check_nginx.sh检查脚本内容如下:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | #!/bin/bash # check nginx server status # http://qicheng0211.blog.51cto.com # nginx端口 PORTS= "16915 16916" function check_ports { for port in $PORTS; do nc -z 127.0.0.1 $port | grep -q succeeded [ "${PIPESTATUS[1]}" - eq 0 ] && mark=${mark}1 done # 如果mark值为空说明两个端口都不通。 # 如果mark等于1,说明有一个端口是通的。 # 如果mark等于11,说明两个端口都是通的。 echo $mark } ret1=$(check_ports) # 如果nginx端口不通,会尝试重启一次nginx if [ "$ret1" != 11 ]; then /sbin/service nginx stop /sbin/service nginx start sleep 1 ret2=$(check_ports) # 如果还是有端口不通,表示nginx服务不正常,则停掉keepalived,使VIP发生切换 [ "$ret2" != 11 ] && /etc/init .d /keepalived stop fi |
大家根据自个的环境编写nginx状态检查脚本,不一定要照搬。
给脚本设置可执行权限:
| 1 | chmod +x /data/script/check_nginx .sh |
补充一点:如果nginx恢复正常后,keepalived不能自动启动,需要编写一个脚本完成这项工作:判断nginx正常后,拉起keepalived。脚本放到cron里每分钟执行。
6)开启keepalived的日志
编辑/etc/sysconfig/keepalived:
| 1 | KEEPALIVED_OPTIONS= "-D -d -S 0" |
编辑/etc/rsyslog.conf:
| 1 2 | # 配置文件最后面加上下面一行 local0.* /var/log/keepalived .log |
重启rsyslog:
| 1 | service rsyslog restart |
按上面配置后,keepalived会把日志记录到/var/log/keepalived.log。
7)启动服务
| 1 2 3 4 5 6 7 8 | # 先检查nginx配置文件正确性 nginx -t # 启动nginx服务 service nginx start # 同时启动keepalived服务 service keepalived start # 过一会查看虚拟IP是否在nginx_master主机上 ip a |
四、验证
nginx_master和nginx_slave同时启动keepalived,观察日志/var/log/keepalived.log,你会发现nginx_master抢占为MASTER,绑定了虚拟IP192.168.60.50。
nginx_master:
nginx_slave:
我们在同网段的其他机器上去arping一下虚拟IP的MAC,发现是nginx_master eth0的mac:
下面我们把nginx_master的keepalived服务停掉或者重启系统,同时不断的ping虚拟IP。经过一个请求超时的间隔,虚拟IP会漂移到nginx_slave上面:
nginx_slave:
我们再去arping一下虚拟IP的MAC,发现变成了nginx_slave eth0的mac:
查看nginx_slave的日志keepalived.log,nginx_slave在成为MASTER的同时发送了免费ARP(gratuitous ARP),更新了以太网邻居的ARP快速缓存:
| 1 2 3 | VRRP_Instance(VI_1) Entering MASTER STATE VRRP_Instance(VI_1) setting protocol VIPs. VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.60.50 |
最后把nginx_master的keepalived服务开启,虚拟IP并没有漂移回到nginx_master,这是因为nginx_master开启了不抢占模式,即使优先级高,也不会抢占MASTER。