Docker容器化高可用架构部署方案（七）

06-Keepalived配置详解

本文档详细介绍Keepalived的配置，用于实现VIP（虚拟IP）漂移，确保服务高可用。

VRRP机制说明

VRRP（Virtual Router Redundancy Protocol）是一种容错协议，通过竞选机制将多台路由设备组成一个虚拟路由器，拥有同一个VIP。

┌─────────────────────────────────────┐ │ 虚拟路由器 (VIP: 172.20.1.100) │ └─────────────────────────────────────┘ ▲ ▲ ▲ │ │ │ ┌──────┴───┐ ┌────┴───┐ ┌────┴────┐ │ MASTER │ │BACKUP1 │ │BACKUP2 │ │ Priority=100│Priority=90│Priority=80│ │ 172.20.1.11│ │172.20.1.12│ │172.20.1.13│ └──────────┘ └─────────┘ └─────────┘

竞选规则

1. Priority（优先级）最高的成为MASTER

2. Priority相同时，接口IP地址大的优先

3. MASTER故障时，BACKUP自动接管VIP

三个Keepalived配置详解

1. keepalived_master.conf (Node1)

cat > /opt/cluster-deploy/config/keepalived/keepalived_master.conf << 'EOF' global_defs { router_id LVS_MASTER script_user root enable_script_security } ​ vrrp_script check_nginx { script "/etc/keepalived/check_nginx.sh" interval 3 weight -20 fall 2 rise 1 } ​ vrrp_instance VI_1 { state MASTER interface eth0 virtual_router_id 100 priority 100 advert_int 1 nopreempt unicast_peer { 172.20.1.12 172.20.1.13 } authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 172.20.1.100/24 dev eth0 } track_script { check_nginx } notify_master "/etc/keepalived/notify.sh master" notify_backup "/etc/keepalived/notify.sh backup" notify_fault "/etc/keepalived/notify.sh fault" } EOF

2. keepalived_backup.conf (Node2)

cat > /opt/cluster-deploy/config/keepalived/keepalived_backup.conf << 'EOF' global_defs { router_id LVS_BACKUP1 script_user root enable_script_security } ​ vrrp_script check_nginx { script "/etc/keepalived/check_nginx.sh" interval 3 weight -20 fall 2 rise 1 } ​ vrrp_instance VI_1 { state BACKUP interface eth0 virtual_router_id 100 priority 90 advert_int 1 nopreempt unicast_peer { 172.20.1.11 172.20.1.13 } authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 172.20.1.100/24 dev eth0 } track_script { check_nginx } notify_master "/etc/keepalived/notify.sh master" notify_backup "/etc/keepalived/notify.sh backup" notify_fault "/etc/keepalived/notify.sh fault" } EOF

3. keepalived_backup2.conf (Node3)

cat > /opt/cluster-deploy/config/keepalived/keepalived_backup2.conf << 'EOF' global_defs { router_id LVS_BACKUP2 script_user root enable_script_security } ​ vrrp_script check_nginx { script "/etc/keepalived/check_nginx.sh" interval 3 weight -20 fall 2 rise 1 } ​ vrrp_instance VI_1 { state BACKUP interface eth0 virtual_router_id 100 priority 80 advert_int 1 nopreempt unicast_peer { 172.20.1.11 172.20.1.12 } authentication { auth_type PASS auth_pass 1111 } virtual_ipaddress { 172.20.1.100/24 dev eth0 } track_script { check_nginx } notify_master "/etc/keepalived/notify.sh master" notify_backup "/etc/keepalived/notify.sh backup" notify_fault "/etc/keepalived/notify.sh fault" } EOF

配置项详解

global_defs 部分

global_defs { router_id LVS_MASTER # 路由器ID，唯一标识 script_user root # 脚本执行用户 enable_script_security # 启用脚本安全检查 }

vrrp_script 部分

vrrp_script check_nginx { script "/etc/keepalived/check_nginx.sh" # 检查脚本路径 interval 3 # 检查间隔（秒） weight -20 # 检查失败时优先级减少量 fall 2 # 连续失败2次判定为失败 rise 1 # 连续成功1次判定为恢复 }

weight参数说明：

• -20：Nginx检查失败时，优先级减20

• 公式：新优先级 = 原优先级 + weight

• Node1: 100-20=80，仍高于Backup2(80)，可能不切换

• 建议：根据实际场景调整weight值

vrrp_instance 部分

vrrp_instance VI_1 { state MASTER # 初始状态：MASTER/BACKUP interface eth0 # 绑定的物理网卡（重要！） virtual_router_id 100 # 虚拟路由器ID，同一组必须相同 priority 100 # 优先级，MASTER最高 advert_int 1 # 心跳间隔（秒） nopreempt # 非抢占模式 unicast_peer { # 单播对等体 172.20.1.12 172.20.1.13 } authentication { # 认证配置 auth_type PASS # 认证类型：PASS/AH auth_pass 1111 # 认证密码 } virtual_ipaddress { # 虚拟IP地址 172.20.1.100/24 dev eth0 } track_script { # 监控的脚本 check_nginx } notify_master "/etc/keepalived/notify.sh master" notify_backup "/etc/keepalived/notify.sh backup" notify_fault "/etc/keepalived/notify.sh fault" }

关键参数说明

健康检查脚本

check_nginx.sh

cat > /opt/cluster-deploy/config/keepalived/check_nginx.sh << 'EOF' #!/bin/bash A=$(ps -C nginx --no-headers | wc -l) if [ "$A" -eq 0 ];then exit 1 fi EOF ​ chmod +x /opt/cluster-deploy/config/keepalived/check_nginx.sh

notify.sh

cat > /opt/cluster-deploy/config/keepalived/notify.sh << 'EOF' #!/bin/bash LOGFILE=/var/log/keepalived-notify.log echo "[$(date '+%Y-%m-%d %H:%M:%S')] State changed to: $1" >> $LOGFILE EOF chmod +x /opt/cluster-deploy/config/keepalived/notify.sh

Docker Compose配置

keepalived: image: ednxzu/keepalived:2.3.4 container_name: keepalived network_mode: service:nginx-lb privileged: true entrypoint: ["/usr/sbin/keepalived", "-f", "/etc/keepalived/keepalived.conf", "--dont-fork", "--log-console"] volumes: - ./config/keepalived/keepalived_master.conf:/etc/keepalived/keepalived.conf:ro - ./config/keepalived/check_nginx.sh:/etc/keepalived/check_nginx.sh:ro - ./config/keepalived/notify.sh:/etc/keepalived/notify.sh:ro restart: unless-stopped

自定义entrypoint的原因

重要排错经验：osixia/keepalived镜像会覆盖配置文件

osixia/keepalived镜像使用环境变量自动生成配置文件，如果直接挂载配置文件会被忽略。

解决方法

使用自定义entrypoint绕过模板系统：

entrypoint: ["/usr/sbin/keepalived", "-f", "/etc/keepalived/keepalived.conf", "--dont-fork", "--log-console"]

• /usr/sbin/keepalived：Keepalived二进制文件路径

• -f /etc/keepalived/keepalived.conf：指定配置文件

• --dont-fork：前台运行（容器需要）

• --log-console：输出日志到控制台

服务IP分配

VIP漂移规则

1. 正常状态：VIP在Node1（MASTER）

2. Node1 Nginx故障：优先级降为80

3. Node2接管VIP（优先级90最高）

4. Node1恢复后：由于nopreempt，不抢占，VIP保持在Node2

常见问题

Q1: VIP无法绑定

• 检查interface是否正确（必须是物理网卡ens33）

• 检查网卡是否UP

• 查看Keepalived日志：docker logs keepalived

Q2: 多播/单播问题

• 默认使用多播，可能被交换机阻断

• 使用unicast_peer改为单播

Q3: 抢占问题

• 使用nopreempt实现非抢占模式

• 注意：非抢占模式下，BACKUP恢复后不会抢回VIP

Q4: Keepalived容器状态异常

• 检查hostname配置：network_mode: service:xxx时不能设hostname

• 使用network_mode: service:nginx-lb共享网络

验证命令

# 查看VIP绑定状态 docker exec keepalived ip addr show ens33 # 查看Keepalived日志 docker logs keepalived # 查看VRRP状态 docker exec keepalived cat /var/log/syslog | grep -i vrrp # 测试VIP连通性 ping -c 3 172.20.1.100

下一步

• 07-PHP服务配置详解.md - 了解PHP服务配置

• 08-Redis配置详解.md - 了解Redis集群配置