我有一个简单的 keepalived 两个服务器配置。主/备份选择工作正常,但我无法从备份服务器连接到 VIP。当我尝试连接时,在主服务器上我可以看到来自备份服务器的 ARP 请求和来自主服务器的响应;在备份服务器上,我只看到请求(即,我看不到来自主服务器的 ARP 响应)。
主控keepalived.conf:
vrrp_script haproxy-check {
script "/usr/bin/pgrep python"
interval 5
}
vrrp_instance haproxy-vip {
state MASTER
priority 101
interface eth0
virtual_router_id 47
advert_int 3
unicast_src_ip 192.168.122.4
unicast_peer {
192.168.122.9
}
virtual_ipaddress {
192.168.122.250
}
track_script {
haproxy-check weight 20
}
}
备份keepalived.conf:
vrrp_script haproxy-check {
script "/usr/bin/pgrep python"
interval 5
}
vrrp_instance haproxy-vip {
state BACKUP
priority 99
interface eth0
virtual_router_id 47
advert_int 3
unicast_src_ip 192.168.122.9
unicast_peer {
192.168.122.4
}
virtual_ipaddress {
192.168.122.250
}
track_script {
haproxy-check weight 20
}
}
master 上的 ip 地址:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:9e:e8:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.4/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
valid_lft 55567sec preferred_lft 55567sec
inet 192.168.122.250/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::571a:df5f:930c:2b57/64 scope link noprefixroute
valid_lft forever preferred_lft forever
并在备份时:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:2e:59:3d brd ff:ff:ff:ff:ff:ff
inet 192.168.122.9/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
valid_lft 79982sec preferred_lft 79982sec
inet6 fe80::f816:3eff:fe2e:593d/64 scope link
valid_lft forever preferred_lft forever
来自 master 的 tcpdump:
# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:06.299398 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:06.299435 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:07.298939 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:07.298985 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:08.300920 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:08.300954 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:09.303039 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:09.303062 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
并从备份中:
# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:39.430367 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:40.431810 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:41.433847 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:42.435979 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:43.437814 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
我不认为这是防火墙问题(iptables -L | grep -i arp没有显示任何内容),是否存在可能导致问题的内核设置?对于调试有什么建议吗?
操作系统是Centos 7,keepalived是2.1.5。
答案1
我刚刚意识到这个问题,因为它是在其他人提出的问题中提到的GitHub。我不记得在以下位置看到过这个问题keepalived-用户keepalived这可能是发布相关问题的最佳位置。
VRRP 部分keepalived配置 IP 地址(并且在某些情况下(但不是此配置)配置nftables或iptables规则)。一旦keepalived完成,内核就会处理任何数据包的传输和接收。
我看不出配置有任何问题keepalived。
您的问题似乎与备份系统上未收到 ARP 回复有关,这超出了 的范围keepalived,因此您需要在其他地方进行调查以了解未收到回复的原因。
答案2
我在一台服务器上同一 VLAN 上的多个 VIP 上遇到了非常非常类似的问题:
https://github.com/acassen/keepalived/issues/1876
如 doc/source/software_design.rst 中所述
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 1
解决了 IP 目标的问题。