Official site: https://www.keepalived.org/manpage.html
1. Description
keepalived.conf is the configuration file which describes all the Keepalived keywords. Keywords are placed in hierarchies of blocks and subblocks, each layer being delimited by "{" and "}" pairs. Comments start with "#" or "!" and run to the end of the line; they may start anywhere in a line. The keyword "include" allows inclusion of other configuration files from within the master configuration file, or from subsequently included files.
The format of the include directive is:
include FILENAME
FILENAME can be a fully qualified or relative pathname, and can include wildcards, including csh style brace expressions if they are supported by glob(), such as
"{foo/{,cat,dog},bar}"
After opening an included file, the current directory is set to the directory of the file itself, so any relative paths included from that file are relative to the directory of the including file itself.
2. Parameter syntax
<BOOL> is one of on|off|true|false|yes|no.
<TIMER> is a time value in seconds, including fractional seconds, e.g. 2.71828 or 3; the resolution of the timer is microseconds.
3. Scripts
There are three classes of scripts that can be configured to be executed:
a. Notify scripts that are run when a vrrp instance or vrrp group changes state, or when a virtual server quorum changes between up and down.
b. vrrp tracking scripts that will cause a vrrp instance to go down if they exit with a non-zero exit status, or, if a weight is specified, will add or subtract that weight to/from the priority of the vrrp instance.
c. LVS checker misc scripts that will cause a real server to go down if they exit with a non-zero status.
By default, scripts are executed by the user keepalived_script if that user exists, and by root otherwise; however, for each script the user/group under which it is executed can be specified.
There are significant security implications if scripts are executed with root privileges, especially if the scripts themselves are modifiable or replaceable by a non-root user. Consequently, security checks are made at startup to ensure that if a script is executed by root, it cannot be modified or replaced by a non-root user.
All scripts should be written so that they terminate on receipt of a SIGTERM signal. A script is sent SIGTERM if its parent terminates, or if it is a script whose exit status keepalived is waiting for and it has been running for too long.
4. Top-level hierarchy
The Keepalived configuration file is organized around a set of configuration blocks. Each block focuses on a specific daemon family feature. These features are:
GLOBAL CONFIGURATION
BFD CONFIGURATION
VRRPD CONFIGURATION
LVS CONFIGURATION
5. Global configuration
Contains subblocks of global definitions, linkbeat interfaces, static track groups, static addresses, static routes and static rules.
6. Global definitions
# Following are global daemon facilities for running
# keepalived in a separate network namespace:
# --
# Set the network namespace to run in.
# The directory /var/run/keepalived will be created as an
# unshared mount point, for example for pid files.
# syslog entries will have _NAME appended to the ident.
# Note: the namespace cannot be changed on a configuration reload.
net_namespace NAME
# ipsets wasn't network namespace aware until Linux 3.13, and so
# if running with an earlier version of the kernel, by default
# use of ipsets is disabled if using a namespace and vrrp_ipsets
# has not been specified. This options overrides the default and
# allows ipsets to be used with a namespace on kernels prior to 3.13.
namespace_with_ipsets
# If multiple instances of keepalived are run in the same namespace,
# this will create pid files with NAME as part of the file names,
# in /var/run/keepalived.
# Note: the instance name cannot be changed on a configuration reload
instance NAME
# Create pid files in /var/run/keepalived
use_pid_dir
# Poll to detect media link failure using ETHTOOL, MII or ioctl interface
# otherwise uses netlink interface.
linkbeat_use_polling
# Time for main process to allow for child processes to exit on termination
# in seconds. This can be needed for very large configurations.
# (default: 5)
child_wait_time SECS
# Global definitions configuration block
global_defs {
# Set the process names of the keepalived processes to the default values:
# keepalived, keepalived_vrrp, keepalived_ipvs, keepalived_bfd
process_names
# Specify the individual process names
process_name NAME
vrrp_process_name NAME
ipvs_process_name NAME
bfd_process_name NAME
# Set of email To: notify
notification_email {
admin@example1.com
...
}
# email from address that will be in the header
# (default: keepalived@<local host name>)
notification_email_from admin@example.com
# Remote SMTP server used to send notification email.
# IP address or domain name with optional port number.
# (default port number: 25)
smtp_server 127.0.0.1 [<PORT>]
# Name to use in HELO messages.
# (default: local host name)
smtp_helo_name <STRING>
# SMTP server connection timeout in seconds.
smtp_connect_timeout 30
# Sets default state for all smtp_alerts
smtp_alert <BOOL>
# Sets default state for vrrp smtp_alerts
smtp_alert_vrrp <BOOL>
# Sets default state for checker smtp_alerts
smtp_alert_checker <BOOL>
# Log all checker failures while the checker is up
checker_log_all_failures <BOOL>
# If set, keepalived only removes virtual servers at shutdown
# (the kernel will remove the real servers). This is faster
# for large configurations.
checker_shutdown_vs_only
# Don't send smtp alerts for fault conditions
no_email_faults
# String identifying the machine (doesn't have to be hostname).
# (default: local host name)
router_id <STRING>
# Multicast Group to use for IPv4 VRRP adverts
# (default: 224.0.0.18)
vrrp_mcast_group4 224.0.0.18
# Multicast Group to use for IPv6 VRRP adverts
# (default: ff02::12)
vrrp_mcast_group6 ff02::12
# sets the default interface for static addresses.
# (default: eth0)
default_interface p33p1.3
# The sync daemon as provided by the IPVS kernel code only supports
# a single daemon instance at a time to synchronize the connection table.
# Binding interface, vrrp instance and optional
# syncid for lvs syncd
# syncid (0 to 255) for lvs syncd
# maxlen (1..65507) maximum packet length
# port (1..65535) UDP port number to use
# ttl (1..255)
# group - multicast group address (IPv4 or IPv6)
# NOTE: maxlen, port, ttl and group are only available on Linux 4.3 or later.
lvs_sync_daemon <INTERFACE> <VRRP_INSTANCE> [id <SYNC_ID>] [maxlen <LEN>] \
[port <PORT>] [ttl <TTL>] [group <IP ADDR>]
# flush any existing LVS configuration at startup
lvs_flush
# flush remaining LVS configuration at shutdown
lvs_flush_onstop
# delay for second set of gratuitous ARPs after transition to MASTER.
# in seconds, 0 for no second set.
# (default: 5)
vrrp_garp_master_delay 10
# number of gratuitous ARP messages to send at a time after
# transition to MASTER.
# (default: 5)
vrrp_garp_master_repeat 1
# delay for second set of gratuitous ARPs after lower priority
# advert received when MASTER.
vrrp_garp_lower_prio_delay 10
# number of gratuitous ARP messages to send at a time after
# lower priority advert received when MASTER.
vrrp_garp_lower_prio_repeat 1
# minimum time interval for refreshing gratuitous ARPs while MASTER.
# in seconds.
# (default: 0 (no refreshing))
vrrp_garp_master_refresh 60
# number of gratuitous ARP messages to send at a time while MASTER
# (default: 1)
vrrp_garp_master_refresh_repeat 2
# Delay in ms between gratuitous ARP messages sent on an interface
# decimal, seconds (resolution usecs).
# (default: 0)
vrrp_garp_interval 0.001
# Delay in ms between unsolicited NA messages sent on an interface
# decimal, seconds (resolution usecs).
# (default: 0)
vrrp_gna_interval 0.000001
# By default keepalived sends 5 gratuitous ARP/NA messages at a
# time, and after transitioning to MASTER sends a second block of
# 5 messages 5 seconds later.
# With modern switches this is unnecessary, so setting vrrp_min_garp
# causes only one ARP/NA message to be sent, with no repeat 5 seconds
# later.
vrrp_min_garp [<BOOL>]
# If a lower priority advert is received, don't send another advert.
# This causes adherence to the RFCs. Defaults to false, unless
# strict_mode is set.
vrrp_lower_prio_no_advert [<BOOL>]
# If we are master and receive a higher priority advert, send an advert
# (which will be lower priority than the other master), before we
# transition to backup. This means that if the other master has
# garp_lower_priority_repeat set, it will resend garp messages.
# This is to get around the problem of their having been two simultaneous
# masters, and the last GARP messages seen were from us.
vrrp_higher_prio_send_advert [<BOOL>]
# Set the default VRRP version to use
# (default: 2 , but IPv6 instances will use version 3)
vrrp_version <2 or 3>
# Specify the iptables chain for ensuring a version 3 instance
# doesn't respond on addresses that it doesn't own.
# Note: it is necessary for the specified chain to exist in
# the iptables and/or ip6tables configuration, and for the chain
# to be called from an appropriate point in the iptables configuration.
# It will probably be necessary to have this filtering after accepting
# any ESTABLISHED,RELATED packets, because IPv4 might select the VIP as
# the source address for outgoing connections.
# (default: INPUT)
vrrp_iptables keepalived
# or for outbound filtering as well
# Note, outbound filtering won't work with IPv4, since the VIP can be
# selected as the source address for an outgoing connection. With IPv6
# this is unlikely since the addresses are deprecated.
vrrp_iptables keepalived_in keepalived_out
# or to not add any iptables rules:
vrrp_iptables
# Keepalived may have the option to use ipsets in conjunction with
# iptables. If so, then the ipset names can be specified, defaults
# as below. If no names are specified, ipsets will not be used,
# otherwise any omitted names will be constructed by adding "_if"
# and/or "6" and _igmp/_mld to previously specified names.
vrrp_ipsets [keepalived [keepalived6 [keepalived_if6 [keepalived_igmp [keepalived_mld]]]]]
# Use nftables to implement no_accept mode and only send IGMP/MLD
# messages on the parent interface of a VMAC.
# TABLENAME must not exist, and must be different for each
# instance of keepalived running in the same network namespace.
# Default tablename is keepalived, and priority is -1.
# keepalived will create base chains in the table.
# counters means counters are added to the rules (primarily for
# debugging purposes).
# ifindex means create IPv6 link local sets using ifindex rather
# than ifnames. This is the default unless the vrrp_instance has
# set dont_track_primary. The alternative is to use interface names
# as part of the set key, but the nft utility prior to v0.8.3 will
# then not output interface names properly.
nftables [TABLENAME]
nftables_priority PRIORITY
nftables_counters
nftables_ifindex
# The following enables checking that when in unicast mode, the
# source address of a VRRP packet is one of our unicast peers.
vrrp_check_unicast_src
# Checking all the addresses in a received VRRP advert can be time
# consuming. Setting this flag means the check won't be carried out
# if the advert is from the same master router as the previous advert
# received.
# (default: don't skip)
vrrp_skip_check_adv_addr
# Enforce strict VRRP protocol compliance. This will prohibit:
# 0 VIPs
# unicast peers
# IPv6 addresses in VRRP version 2
vrrp_strict
# Send vrrp instance priority notifications on notify FIFOs.
vrrp_notify_priority_changes <BOOL>
# The following options can be used if vrrp, checker or bfd processes
# are timing out. This can be seen by a backup vrrp instance becoming
# master even when the master is still running because the master or
# backup system is too busy to process vrrp packets.
# --
# Set the vrrp child process priority (Negative values increase priority)
vrrp_priority <-20 to 19>
# Set the checker child process priority
checker_priority <-20 to 19>
# Set the BFD child process priority
bfd_priority <-20 to 19>
# Set the vrrp child process non swappable
vrrp_no_swap
# Set the checker child process non swappable
checker_no_swap
# Set the BFD child process non swappable
bfd_no_swap
# The following options can be used to force the vrrp, checker and bfd
# processes to run on a restricted CPU set.
# You can either bind processes to a single CPU or define a set of
# cpus. In the latter case the Linux kernel will restrict scheduling
# to that cpu set. Forcing process binding to a single CPU can
# increase performance on a heavily loaded box.
# The INTEGERs following the configuration keyword are cpu_ids
# as shown in /proc/cpuinfo on the "processor:" lines.
# --
# Set CPU Affinity for the vrrp child process
vrrp_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]
# Set CPU Affinity for the checker child process
checker_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]
# Set CPU Affinity for the bfd child process
bfd_cpu_affinity <INTEGER> [<INTEGER>]...[<INTEGER>]
# Set the vrrp child process to use real-time scheduling
# at the specified priority
vrrp_rt_priority <1..99>
# Set the checker child process to use real-time scheduling
# at the specified priority
checker_rt_priority <1..99>
# Set the BFD child process to use real-time scheduling
# at the specified priority
bfd_rt_priority <1..99>
# Set the limit on CPU time between blocking system calls,
# in microseconds
# (default: 1000)
vrrp_rlimit_rtime >=1
checker_rlimit_rtime >=1
bfd_rlimit_rtime >=1
# If Keepalived has been built with SNMP support, the following
# keywords are available.
# Note: Keepalived, checker and RFC support can be individually
# enabled/disabled
# --
# Specify socket to use for connecting to SNMP master agent
# (see source module keepalived/vrrp/vrrp_snmp.c for more details)
# (default: unix:/var/agentx/master)
snmp_socket udp:1.2.3.4:705
# enable SNMP handling of vrrp element of KEEPALIVED MIB
enable_snmp_vrrp
# enable SNMP handling of checker element of KEEPALIVED MIB
enable_snmp_checker
# enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs
enable_snmp_rfc
# enable SNMP handling of RFC2787 VRRP MIB
enable_snmp_rfcv2
# enable SNMP handling of RFC6527 VRRP MIB
enable_snmp_rfcv3
# enable SNMP traps
enable_traps
# If Keepalived has been built with DBus support, the following
# keywords are available.
# --
# Enable the DBus interface
enable_dbus
# Name of DBus service
# Useful if you want to run multiple keepalived processes with DBus enabled
# (default: org.keepalived.Vrrp1)
dbus_service_name SERVICE_NAME
# Specify the default username/groupname to run scripts under.
# If this option is not specified, the user defaults to keepalived_script
# if that user exists, otherwise root.
# If groupname is not specified, it defaults to the user's group.
script_user username [groupname]
# Don't run scripts configured to be run as root if any part of the path
# is writable by a non-root user.
enable_script_security
# Rather than using notify scripts, specifying a fifo allows more
# efficient processing of notify events, and guarantees that they
# will be delivered in the correct sequence.
# NOTE: the FIFO names must all be different
# --
# FIFO to write notify events to
# See vrrp_notify_fifo and lvs_notify_fifo for format of output
# For further details, see the description under vrrp_sync_group.
# see doc/samples/sample_notify_fifo.sh for sample usage.
notify_fifo FIFO_NAME [username [groupname]]
# script to be run by keepalived to process notify events
# The FIFO name will be passed to the script as the last parameter
notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
# FIFO to write vrrp notify events to.
# The string written will be a line of the form: INSTANCE "VI_1" MASTER 100
# and will be terminated with a new line character.
# For further details of the output, see the description under vrrp_sync_group
# and doc/samples/sample_notify_fifo.sh for sample usage.
vrrp_notify_fifo FIFO_NAME [username [groupname]]
# script to be run by keepalived to process vrrp notify events
# The FIFO name will be passed to the script as the last parameter
vrrp_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
# FIFO to write notify healthchecker events to
# The string written will be a line of the form:
# VS [192.168.201.15]:tcp:80 {UP|DOWN}
# RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 {UP|DOWN}
# and will be terminated with a new line character.
lvs_notify_fifo FIFO_NAME [username [groupname]]
# script to be run by keepalived to process healthchecker notify events
# The FIFO name will be passed to the script as the last parameter
lvs_notify_fifo_script STRING|QUOTED_STRING [username [groupname]]
# Allow configuration to include interfaces that don't exist at startup.
# This allows keepalived to work with interfaces that may be deleted and restored
# and also allows virtual and static routes and rules on VMAC interfaces.
# allow_if_changes allows an interface to be deleted and recreated with a
# different type or underlying interface, eg changing from vlan to macvlan
# or changing a macvlan from eth1 to eth2. This is predominantly used for
# reporting duplicate VRID errors at startup if allow_if_changes is not set.
dynamic_interfaces [allow_if_changes]
# The following options are only needed for large configurations, where either
# keepalived creates a large number of interface, or the system has a large
# number of interface. These options only need using if
# "Netlink: Receive buffer overrun" messages are seen in the system logs.
# If the buffer size needed exceeds the value in /proc/sys/net/core/rmem_max
# the corresponding force option will need to be set.
# --
# Set netlink receive buffer size. This is useful for
# very large configurations where a large number of interfaces exist, and
# the initial read of the interfaces on the system causes a netlink buffer
# overrun.
vrrp_netlink_cmd_rcv_bufs BYTES
vrrp_netlink_cmd_rcv_bufs_force <BOOL>
vrrp_netlink_monitor_rcv_bufs BYTES
vrrp_netlink_monitor_rcv_bufs_force <BOOL>
# The vrrp netlink command and monitor socket the checker command and
# and monitor socket and process monitor buffer sizes can be independently set.
# The force flag means to use SO_RCVBUFFORCE, so that the buffer size
# can exceed /proc/sys/net/core/rmem_max.
lvs_netlink_cmd_rcv_bufs BYTES
lvs_netlink_cmd_rcv_bufs_force <BOOL>
lvs_netlink_monitor_rcv_bufs BYTES
lvs_netlink_monitor_rcv_bufs_force <BOOL>
# As a guide for process_monitor_rcv_bufs for 1400 processes terminating
# simultaneously, 212992 (the default on some systems) is insufficient, whereas
# 500000 is sufficient.
process_monitor_rcv_bufs BYTES
process_monitor_rcv_bufs_force <BOOL>
# When a socket is opened, the kernel configures the max rx buffer size for
# the socket to /proc/sys/net/core/rmem_default. On some systems this can be
# very large, and even generally this can be much larger than necessary.
# This isn't a problem so long as keepalived is reading all queued data from
# its sockets, but if rmem_default was set sufficiently large, and if for
# some reason keepalived stopped reading, it could consume all system memory.
# The vrrp_rx_bufs_policy allows configuring of the rx bufs size when the
# sockets are opened. If the policy is MTU, the rx buf size is configured
# to the total of interface's MTU * vrrp_rx_bufs_multiplier for each vrrp
# instance using the socket. Likewise, if the policy is ADVERT, then it is
# the total of each vrrp instances advert packet size * multiplier.
# (default: use system default)
vrrp_rx_bufs_policy [MTU|ADVERT|NUMBER]
# (default: 3)
vrrp_rx_bufs_multiplier NUMBER
# Send notifies at startup for real servers that are starting up
rs_init_notifies
# Don't send an email every time a real server checker changes state;
# only send email when a real server is added or removed
no_checker_emails
# The umask to use for creating files. The number can be specified in hex,
# octal or decimal. BITS are I{R|W|X}{USR|GRP|OTH}, e.g. IRGRP, separated
# by '|'s. The default umask is IWGRP | IWOTH. This option cannot override
# the command-line option.
umask [NUMBER|BITS]
# On some systems when bond interfaces are created, they can start
# passing traffic and then have a several second gap when they stop
# passing traffic inbound. This can mean that if keepalived is started
# at boot time, i.e. at the same time as bond interfaces are being
# created, keepalived doesn't receive adverts and hence can become master
# despite an instance with higher priority sending adverts. This option
# specifies a delay in seconds before vrrp instances start up after
# keepalived starts,
vrrp_startup_delay 5.5
# Specify random seed for ${_RANDOM}, to make configurations repeatable
# (default is to use a seed based on the time, so that each time a
# different configuration will be generated).
random_seed UNSIGNED_INT
}
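The vrrp_notify_fifo and lvs_notify_fifo comments above give the exact line formats keepalived writes (INSTANCE "VI_1" MASTER 100, VS [addr]:proto:port UP|DOWN, RS [addr]:proto:port [vs]:proto:port UP|DOWN). The following is an added consumer for those lines, not keepalived's own code and not its doc/samples/sample_notify_fifo.sh; the sample lines are constructed, and the FAULT/STOP states in the severity map are the other vrrp instance states keepalived reports, not formats shown on this page.

```shell
#!/bin/sh
# Added example, not keepalived's own code: parse the line formats documented
# for vrrp_notify_fifo / lvs_notify_fifo and tag each with a severity so a
# log pipeline can alert on DOWN/FAULT events. Sample lines are constructed.

# Parse one FIFO line into a tab-separated record: kind, name, state, extra
# (extra = priority for INSTANCE lines, owning virtual server for RS lines).
# Returns 1 for a line shape this parser does not know.
parse_notify_line() {
    line=$1
    set -- $line                      # fields never contain whitespace
    case $1 in
        INSTANCE)                     # INSTANCE "VI_1" MASTER 100
            name=${2#\"}; name=${name%\"}
            printf '%s\t%s\t%s\t%s\n' "$1" "$name" "$3" "$4" ;;
        VS)                           # VS [192.168.201.15]:tcp:80 UP
            printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "" ;;
        RS)                           # RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 DOWN
            printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$4" "$3" ;;
        *)  printf 'unparsed: %s\n' "$line" >&2; return 1 ;;
    esac
}

# Map a state to a syslog-style severity: a server going DOWN or an instance
# entering FAULT is an operational problem; MASTER/BACKUP/UP are routine.
state_severity() {
    case $1 in
        DOWN|FAULT)            echo warning ;;
        MASTER|BACKUP|UP|STOP) echo info ;;
        *)                     echo notice ;;
    esac
}

# Read FIFO lines from stdin and emit "severity<TAB>record" for each;
# lines the parser rejects are skipped (reported on stderr).
consume_notify_fifo() {
    while IFS= read -r line; do
        rec=$(parse_notify_line "$line") || continue
        state=$(printf '%s\n' "$rec" | cut -f3)
        printf '%s\t%s\n' "$(state_severity "$state")" "$rec"
    done
}

# Usage: consume_notify_fifo < /path/to/the/configured/fifo
# Stand-alone demonstration on constructed lines: ./script --demo
if [ "$1" = --demo ]; then
    printf '%s\n' 'INSTANCE "VI_1" MASTER 100' \
                  'VS [192.168.201.15]:tcp:80 UP' \
                  'RS [1.2.3.4]:tcp:80 [192.168.201.15]:tcp:80 DOWN' | consume_notify_fifo
fi
```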