RKE搭建k8s-1.20.15集群之 nginx+keepalive+vip配置
nginx安装和配置,主从服务都需要安装
直接使用了rpm包部署。
nginx配置
vi /etc/nginx/nginx.conf
新增如下信息:
stream {
# L4 (TCP) front end for the kube-apiservers. This is a stream proxy with no
# TLS directives, so the TLS session is passed through untouched and terminated
# by the apiserver itself; nginx only balances raw connections.
# NOTE(review): nothing in this block restricts who may connect to the listener
# below, and it exposes the apiserver on every node that runs this config —
# confirm 16443 is reachable only from the intended networks (host firewall /
# security group) rather than from everywhere the node is routable.
upstream socket_proxy {
# consistent hashing on the client address keeps a client on one backend
hash $remote_addr consistent;
# backends: the three kube-apiservers. A backend is taken out of rotation after
# max_fails failed attempts within fail_timeout and retried once that window
# has passed.
server 192.168.111.150:6443 weight=5 max_fails=3 fail_timeout=30s;
server 192.168.111.151:6443 weight=5 max_fails=3 fail_timeout=30s;
server 192.168.111.152:6443 weight=5 max_fails=3 fail_timeout=30s;
}
# front end: connections to <node or VIP>:16443 are forwarded to the
# socket_proxy upstream. (The original comment referred to localhost:1935; the
# port actually configured below is 16443.)
server {
listen 16443;
proxy_connect_timeout 1s;
# idle timeout between two successive read/write operations; the connection is
# closed when no data moves within this time.
# NOTE(review): 3 s is very short for long-lived apiserver watch connections
# that can sit idle — confirm watches are not being cut by the proxy.
proxy_timeout 3s;
proxy_pass socket_proxy;
}
}
启动、开机自启服务
systemctl start nginx && systemctl enable nginx
keepalived安装和配置
安装keepalived
yum install -y keepalived
修改配置文件
cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vi /etc/keepalived/keepalived.conf
主服务的配置文件信息:
k8s-master01
global_defs {
# router_id: identifier of this keepalived node; must be unique cluster-wide.
router_id k8s-master01
# NOTE(review): the tracking script below runs with keepalived's privileges
# (root here). Keep /etc/keepalived/check_web.sh owned by root and not
# group/world-writable; recent keepalived versions warn about or refuse
# scripts with unsafe permissions, and enable_script_security makes that
# refusal explicit — confirm against this keepalived version.
}
vrrp_script check_web {
script "/etc/keepalived/check_web.sh" # location of the health-check script (must be executable)
# run every 5 s; after 2 consecutive failures lower this node's priority by 5,
# restore it after 1 success. The script itself stops keepalived when nginx
# cannot be restarted, so failover is driven by that rather than by the weight.
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
# MASTER = preferred holder of the VIP; BACKUP = standby.
# NOTE(review): keepalived documents nopreempt as requiring the initial state
# to be BACKUP on every node; with state MASTER it logs that nopreempt will
# not work and clears it — if non-preemption is wanted, use BACKUP on all
# three nodes and let priority decide the first election.
state MASTER
# interface this instance is bound to
interface ens192
# VRRP group id; must be identical on all nodes of this instance
virtual_router_id 51
# election priority, intended as master > backup.
# NOTE(review): all three node configs in this post use priority 100, so the
# "master > backup" ordering is not actually expressed; with equal priorities
# VRRP breaks the tie by the higher primary IP address — confirm this is
# intended.
priority 100
# interval between VRRP advertisements, in seconds
advert_int 2
# nopreempt: a node that regains a higher priority does not take the VIP back.
# Consequently the check script lowering this node's priority (weight -5) does
# not by itself cause a switch; failover happens when the holder stops
# advertising (e.g. keepalived is stopped by check_web.sh).
nopreempt
# VRRP "authentication". auth_type PASS sends the password in clear text in
# every advertisement on the segment and only guards against accidental joins
# by misconfigured peers (VRRPv3, RFC 5798, dropped authentication entirely);
# it is not access control — rely on network segmentation / firewall rules for
# that and do not reuse this string as a real credential elsewhere.
# NOTE(review): the VRRP simple password is limited to 8 bytes; keepalived
# truncates longer values (with a warning), so only the first 8 characters of
# this value are in effect — confirm in the logs.
authentication {
auth_type PASS
auth_pass K8SHA_AUTH_PASS
}
# virtual IP address(es) floated between the nodes; several may be listed
virtual_ipaddress {
192.168.111.155
}
# attach the health check defined above to this instance
track_script {
check_web
}
}
从服务的配置文件信息:
k8s-master02:
global_defs {
# router_id: identifier of this keepalived node; must be unique cluster-wide.
router_id k8s-master02
# NOTE(review): the tracking script runs as root; keep
# /etc/keepalived/check_web.sh root-owned and not group/world-writable
# (recent keepalived versions warn about or, with enable_script_security,
# refuse unsafe script permissions — confirm for this version).
}
vrrp_script check_web {
script "/etc/keepalived/check_web.sh" # location of the health-check script (must be executable)
# every 5 s; 2 consecutive failures lower priority by 5, 1 success restores it.
# Failover is in practice driven by the script stopping keepalived, not by the
# weight (see nopreempt below).
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
# MASTER = preferred holder of the VIP; BACKUP = standby. BACKUP is the state
# keepalived requires on a node that uses nopreempt.
state BACKUP
# interface this instance is bound to
interface ens192
# VRRP group id; must be identical on all nodes of this instance
virtual_router_id 51
# election priority, intended as master > backup.
# NOTE(review): this equals the value on k8s-master01 and k8s-master03 (100),
# so no ordering between nodes is expressed; with equal priorities VRRP breaks
# the tie by the higher primary IP address — confirm this is intended.
priority 100
# interval between VRRP advertisements, in seconds
advert_int 2
# nopreempt: do not take the VIP back merely for having a higher priority;
# the check script lowering a peer's priority therefore does not trigger a
# switch — only the holder stopping its advertisements does.
nopreempt
# VRRP "authentication": PASS puts the password in clear text in every
# advertisement and is only a guard against accidental joins, not access
# control (VRRPv3 dropped it). Rely on network segmentation / firewalling and
# do not reuse this string as a real credential. Only the first 8 bytes are
# used by VRRP; keepalived truncates longer values with a warning.
authentication {
auth_type PASS
auth_pass K8SHA_AUTH_PASS
}
# virtual IP address(es) floated between the nodes; several may be listed
virtual_ipaddress {
192.168.111.155
}
# attach the health check defined above to this instance
track_script {
check_web
}
}
k8s-master03:
global_defs {
# router_id: identifier of this keepalived node; must be unique cluster-wide.
router_id k8s-master03
# NOTE(review): the tracking script runs as root; keep
# /etc/keepalived/check_web.sh root-owned and not group/world-writable
# (recent keepalived versions warn about or, with enable_script_security,
# refuse unsafe script permissions — confirm for this version).
}
vrrp_script check_web {
script "/etc/keepalived/check_web.sh" # location of the health-check script (must be executable)
# every 5 s; 2 consecutive failures lower priority by 5, 1 success restores it.
# Failover is in practice driven by the script stopping keepalived, not by the
# weight (see nopreempt below).
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
# MASTER = preferred holder of the VIP; BACKUP = standby. BACKUP is the state
# keepalived requires on a node that uses nopreempt.
state BACKUP
# interface this instance is bound to
interface ens192
# VRRP group id; must be identical on all nodes of this instance
virtual_router_id 51
# election priority, intended as master > backup.
# NOTE(review): this equals the value on k8s-master01 and k8s-master02 (100),
# so no ordering between nodes is expressed; with equal priorities VRRP breaks
# the tie by the higher primary IP address — confirm this is intended.
priority 100
# interval between VRRP advertisements, in seconds
advert_int 2
# nopreempt: do not take the VIP back merely for having a higher priority;
# the check script lowering a peer's priority therefore does not trigger a
# switch — only the holder stopping its advertisements does.
nopreempt
# VRRP "authentication": PASS puts the password in clear text in every
# advertisement and is only a guard against accidental joins, not access
# control (VRRPv3 dropped it). Rely on network segmentation / firewalling and
# do not reuse this string as a real credential. Only the first 8 bytes are
# used by VRRP; keepalived truncates longer values with a warning.
authentication {
auth_type PASS
auth_pass K8SHA_AUTH_PASS
}
# virtual IP address(es) floated between the nodes; several may be listed
virtual_ipaddress {
192.168.111.155
}
# attach the health check defined above to this instance
track_script {
check_web
}
}
编写nginx监控脚本
如果nginx服务停止(且重启失败),则停止keepalived服务,使VIP切换到备主机
脚本如下:vi /etc/keepalived/check_web.sh
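#!/bin/bash
# keepalived vrrp_script for the nginx front end.
# If nginx has no running processes, try one restart; if it is still absent
# 10 s later, stop keepalived so the VIP fails over to a peer.
#
# Exit status: 0 unless `systemctl stop keepalived` itself fails — so the
# vrrp_script's `weight -5` only applies in that last case. Failover is
# driven by stopping keepalived here, not by this script's status code.
#
# Changes from the original: $(...) instead of backticks and quoted
# expansions, so an empty count cannot turn `[ -eq 0 ]` into a syntax error.

# Count nginx processes (master + workers); --no-header keeps the count at 0
# when nothing matches.
num=$(ps -C nginx --no-header | wc -l)
if [ "$num" -eq 0 ]; then
  systemctl restart nginx
  # give nginx time to come up (or fail) before re-checking
  sleep 10
  num=$(ps -C nginx --no-header | wc -l)
  if [ "$num" -eq 0 ]; then
    systemctl stop keepalived
  fi
fi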
启动、开机自启keepalived服务
systemctl start keepalived
systemctl enable keepalived
查看keepalived服务状态;查看虚拟IP生效情况
[root@k8s-master03 nginx]# ps -ef|grep keepalived
root 6284 1 0 17:13 ? 00:00:00 /usr/sbin/keepalived -D
root 6285 6284 0 17:13 ? 00:00:00 /usr/sbin/keepalived -D
root 6286 6284 0 17:13 ? 00:00:00 /usr/sbin/keepalived -D
root 27508 14143 0 17:34 pts/0 00:00:00 grep --color=auto keepalived
[root@k8s-master03 nginx]# ip a | grep 155
inet 192.168.111.155/32 scope global ens192
[root@k8s-master03 nginx]# ip a | grep 155 -C 10
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
inet 10.42.195.0/32 scope global tunl0
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:8d:20:f1 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.152/24 brd 192.168.111.255 scope global noprefixroute ens192
valid_lft forever preferred_lft forever
inet 192.168.111.155/32 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::d2e5:502d:a1fe:cae3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:e6:8d:b4 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:e6:8d:b4 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
[root@k8s-master03 nginx]#
[root@k8s-master03 nginx]#
[root@k8s-master03 nginx]# hostname -I
10.42.195.0 192.168.111.152 192.168.111.155 192.168.122.1 172.17.0.1
脑裂预防
check_gateway.sh
脚本如下:
#!/bin/bash
export PATH="$PATH:/usr/sbin"
# Split-brain check and control: the default gateway acts as a third-party
# arbiter and is probed (ARP) from the VIP to decide whether this node should
# keep keepalived running.

# number of probe rounds before giving up
CHECK_TIME=3
# the virtual IP under arbitration (first argument)
VIP=${1:-}
# gateway used as the arbiter (adjust to the environment)
GATEWAY=192.168.111.254
# interface that carries the VIP
eth=ens192
# gateway reachability from the VIP: 0 = failed, 1 = ok
keepalived_communication_status=1
# whether this host holds the VIP: 0 = no, 1 = yes
get_vip_status=1
# keepalived unit state: 0 = not running, 1 = running
keepalived_service_status=1
# substring marking a running unit in `systemctl status` output
active_status_str='active (running)'
printf '%s\n' "开始执行脚本 check_gateway.sh $VIP;时间:"
date
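#######################################
# Report whether this host currently holds $VIP.
# Globals:  VIP (read); get_vip_status (written: 1 = held, 0 = not held)
# Returns:  the value written to get_vip_status (callers read the variable)
#######################################
check_get_vip_status() {
  # Compare configured IPv4 addresses exactly. The original unanchored
  # `grep "$VIP"` treated the dots as regex wildcards and also matched longer
  # addresses that merely contain $VIP as a substring, and `-eq 1` failed if
  # the address happened to appear twice.
  if ip -o -4 addr show | awk '{ print $4 }' | cut -d/ -f1 | grep -qxF -- "$VIP"; then
    get_vip_status=1
  else
    get_vip_status=0
  fi
  return "$get_vip_status"
}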
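#######################################
# Probe the gateway from the VIP, so a node that holds the address but has
# lost the segment (a split-brain symptom) is detected.
# Globals:  eth, VIP, GATEWAY (read);
#           keepalived_communication_status (written: 1 = gateway answered,
#           0 = no answer)
# Returns:  the value written to keepalived_communication_status
#######################################
check_keepalived_status() {
  # arping: -I interface, -c 5 requests, -s source address (the VIP), target =
  # gateway. Output is discarded; only the exit status is used, tested directly
  # instead of via `$?`.
  if /sbin/arping -I "$eth" -c 5 -s "$VIP" "$GATEWAY" >/dev/null 2>&1; then
    keepalived_communication_status=1
  else
    keepalived_communication_status=0
  fi
  return "$keepalived_communication_status"
}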
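#######################################
# Determine whether the keepalived unit is active.
# Globals:  keepalived_service_status (written: 1 = active, 0 = not active)
# Returns:  the value written to keepalived_service_status
#######################################
check_keepalived_service_status() {
  # `systemctl is-active` is the machine-readable interface. Grepping the
  # human-oriented `systemctl status` text for "active (running)" breaks under
  # a non-English locale or when the wording changes.
  if systemctl is-active --quiet keepalived.service; then
    keepalived_service_status=1
  else
    keepalived_service_status=0
  fi
  return "$keepalived_service_status"
}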
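# Main loop: up to CHECK_TIME rounds, 3 s apart.
#  - VIP not held here            -> nothing to arbitrate; make sure keepalived
#                                    is running, exit 0.
#  - VIP held, gateway answers    -> healthy holder; make sure keepalived is
#                                    running, exit 0.
#  - VIP held, gateway silent in every round -> this node is isolated; stop
#                                    keepalived so a peer can claim the VIP,
#                                    exit 1.
# Globals: CHECK_TIME, VIP, GATEWAY, get_vip_status,
#          keepalived_communication_status, keepalived_service_status.

# Refuse to run without the VIP argument. With an empty $VIP the address check
# matches every configured address and arping is given an empty source, so a
# mis-invoked run could end in `systemctl stop keepalived` on a healthy node.
if [ -z "${VIP:-}" ]; then
  echo "usage: ${0##*/} <vip>" >&2
  exit 2
fi

while [ "$CHECK_TIME" -ne 0 ]; do
  check_get_vip_status
  if [ "$get_vip_status" = 0 ]; then
    CHECK_TIME=0
    # Refresh the service state before acting on it. The original tested the
    # initial value (always 1) here, so a stopped keepalived was never
    # restarted on a node that had lost the VIP.
    check_keepalived_service_status
    if [ "$keepalived_service_status" = 0 ]; then
      echo "执行脚本 check_gateway.sh $VIP;启动keepalived服务"
      systemctl start keepalived.service
    fi
    echo "执行脚本 check_gateway.sh $VIP;执行结果:未获取vip,无需处理,脚本执行结束,时间:"
    date
    exit 0
  fi

  CHECK_TIME=$((CHECK_TIME - 1))
  check_keepalived_status
  if [ "$keepalived_communication_status" = 1 ]; then
    CHECK_TIME=0
    check_keepalived_service_status
    if [ "$keepalived_service_status" = 0 ]; then
      echo "执行脚本 check_gateway.sh $VIP;启动keepalived服务"
      systemctl start keepalived.service
    fi
    echo "执行脚本 check_gateway.sh $VIP;GATEWAY=$GATEWAY,执行结果:通信正常,无需处理,脚本执行结束,时间:"
    date
    exit 0
  fi

  # Reaching this point in the last round means every probe failed: stop
  # keepalived so the VIP can move to a peer that still reaches the gateway.
  if [ "$keepalived_communication_status" -eq 0 ] && [ "$CHECK_TIME" -eq 0 ]; then
    echo "执行脚本 check_gateway.sh $VIP;关闭keepalived服务"
    systemctl stop keepalived.service
    echo "执行脚本 check_gateway.sh $VIP;GATEWAY=$GATEWAY,执行结果:通信失败&&连续3次 关闭keepalived,脚本执行结束,时间:"
    date
    exit 1
  fi
  sleep 3
done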
测试
sh /etc/keepalived/check_gateway.sh 192.168.111.155
Linux定时任务
crontab -e
#1分1次 延迟10秒实现(时间自定义) keepalived服务脑裂脚本
* * * * * sleep 10; bash /etc/keepalived/check_gateway.sh 192.168.111.155