keepalived no route to host, firewall issue?

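I have a simple two-server keepalived configuration. Master/backup election works fine, but I cannot connect to the VIP from the backup server. When I try to connect, on the master I can see the ARP requests from the backup server and the replies from the master; on the backup server I see only the requests (i.e. I do not see the ARP replies from the master).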

Master keepalived.conf:

vrrp_script haproxy-check {
    script "/usr/bin/pgrep python"
    interval 5
}
 
vrrp_instance haproxy-vip {
    state MASTER
    priority 101
    interface eth0
    virtual_router_id 47
    advert_int 3
 
    unicast_src_ip 192.168.122.4
    unicast_peer {
        192.168.122.9
    }
 
    virtual_ipaddress {
        192.168.122.250
    }
 
    track_script {
        haproxy-check weight 20
    }
}

Backup keepalived.conf:

vrrp_script haproxy-check {
    script "/usr/bin/pgrep python"
    interval 5
}

vrrp_instance haproxy-vip {
    state BACKUP
    priority 99
    interface eth0
    virtual_router_id 47
    advert_int 3

    unicast_src_ip 192.168.122.9
    unicast_peer {
        192.168.122.4
    }

    virtual_ipaddress {
        192.168.122.250
    }

    track_script {
        haproxy-check weight 20
    }
}

ip addr on the master:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:9e:e8:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.4/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 55567sec preferred_lft 55567sec
    inet 192.168.122.250/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::571a:df5f:930c:2b57/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

and on the backup:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:2e:59:3d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.9/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 79982sec preferred_lft 79982sec
    inet6 fe80::f816:3eff:fe2e:593d/64 scope link 
       valid_lft forever preferred_lft forever

tcpdump from the master:

# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:06.299398 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:06.299435 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:07.298939 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:07.298985 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:08.300920 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:08.300954 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:09.303039 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:09.303062 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28

and from the backup:

# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:39.430367 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:40.431810 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:41.433847 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:42.435979 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:43.437814 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28

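I don't think this is a firewall problem (iptables -L | grep -i arp shows nothing); is there a kernel setting that could cause the problem? Any suggestions for debugging?

The OS is CentOS 7, keepalived is 2.1.5.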

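Answer 1

I have only just become aware of this question, since it was mentioned in an issue someone else raised on GitHub. I don't recall seeing this question on keepalived-users, which is probably the best place to post keepalived-related questions.

The VRRP part of keepalived configures IP addresses (and in some circumstances, but not with this configuration, configures nftables/iptables rules). Once keepalived has done that, the kernel handles the transmission and reception of any packets.

I can't see anything wrong with the keepalived configuration.

Your problem appears to relate to ARP replies not being received on the backup system, which is outside the scope of keepalived, so you will need to investigate elsewhere to find out why the replies are not being received.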

Answer 2

I ran into a very, very similar problem with multiple VIPs on the same VLAN on one server:

https://github.com/acassen/keepalived/issues/1876

As described in doc/source/software_design.rst,

net.ipv4.conf.all.arp_ignore = 1

net.ipv4.conf.all.arp_announce = 1

solved the problem for the IP targets.
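
A check for the settings quoted in Answer 2, as an added example that is not part of the original answers or of the keepalived project: it reads arp_ignore and arp_announce for one interface and reports the effective value, which per the kernel's ip-sysctl documentation is the larger of the conf/all and per-interface values. The function names and the root-directory parameter (so the check can also run against a copied tree) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report the effective arp_ignore / arp_announce for one interface.
# The kernel applies the larger of conf/all/<key> and conf/<iface>/<key>.

# read_sysctl ROOT SCOPE KEY -> prints the value, fails if the file is unreadable
read_sysctl() {
    f="$1/net/ipv4/conf/$2/$3"
    [ -r "$f" ] || return 1
    cat "$f"
}

# effective_arp ROOT IFACE KEY -> prints max(all, iface)
effective_arp() {
    all=$(read_sysctl "$1" all "$3") || return 1
    ifv=$(read_sysctl "$1" "$2" "$3") || return 1
    if [ "$all" -ge "$ifv" ]; then echo "$all"; else echo "$ifv"; fi
}

# check_arp_sysctls ROOT IFACE -> prints one line per key.
# Returns 0 when both effective values are 1 (the value quoted in Answer 2),
# 1 when a value differs, 2 when a value cannot be read.
check_arp_sysctls() {
    rc=0
    for key in arp_ignore arp_announce; do
        if ! val=$(effective_arp "$1" "$2" "$key"); then
            echo "$key: cannot read for interface $2"
            rc=2
            continue
        fi
        if [ "$val" -eq 1 ]; then
            echo "$key: effective=$val ok"
        else
            echo "$key: effective=$val expected=1"
            [ "$rc" -eq 0 ] && rc=1
        fi
    done
    return "$rc"
}

# Run against the live system when an interface name is given, e.g.: ./check.sh eth0
if [ "$#" -ge 1 ]; then
    check_arp_sysctls /proc/sys "$1"
fi
```

A per-interface value higher than 1 is reported as a mismatch even when conf/all is set to 1, because the larger value is the one the kernel applies.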